The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?
- CAR INSURANCE
- CAR INSURANCE
- TOOLS
- PROVIDERS
- GUIDES
- BROADBAND
- HOME SERVICES
- VPN
- HEALTH
There are a number of reasons you may want to use a Virtual Private Network (VPN), but generally speaking, with different internet restrictions around the world and higher cybercrime rates, most hope a VPN will give them both browsing freedom and security.
It’s a competitive market, and while the best VPNs may have some unique selling points, the majority will want to hammer home to consumers that they are running a secure service that doesn’t mess around with customers’ data.
In an ideal world, this would always be the case, however there’s no shortage of data breaches nowadays, and we’ve seen worrying cases of free VPN services leaking user data online. The latest case with SuperVPN further amped up the argument that free VPNs are often not worth the security risk, but it also opens a wider conversation about what you should look for in a VPN provider and how to know whether you can trust yours or not.
There are two main types of VPN audits: privacy and security reviews. Security audits will mostly look at a provider’s infrastructure. It may test certain apps and other areas of its service to find out if it’s in good health and that there are no vulnerabilities that could put user data at risk, such as weaknesses that could be exploited by hackers.
On the other hand, privacy reviews focus on a provider’s no-log policy and the way it informs customers of how their data is collected, stored and used, verifying whether a company adheres to how it claims to operate.
Most reputable VPN providers will aim to do both, but depending on what you’re using the service for, you may need to do more digging to find out exactly what claims have been verified by a reputable external source.
VPN audits will typically look for any vulnerabilities in systems or what data a VPN provider logs, but it will also offer ways to further secure a system and verify whether the claims a company is making about its logging policy are true or false. In a privacy policy review, the third-party auditor will typically look at a provider’s no-logs policy, as well as any data saved on their servers. They will then release a report detailing their findings, outlining whether the policy wording matches up to the data held on servers, if any.
The process may involve on-site visits at the provider’s main headquarters or data processing centre for a number of days. This allows time to fully review and assess internal operations and procedures as well as server configurations, which could also mean speaking with staff, before writing up a report of the findings with recommended actions.
Most customers look for no-log policies when searching for a VPN, and many companies claim to have such a system in place. However, privacy policies are sometimes see as the “green washing” of the cybersecurity world, because it is virtually impossible for a VPN server to not log any data (to verify the speed of its service and make sure user experience is maintained). Instead, the type of data collected and how it is used is what’s important to look out for in privacy policies.
Furthermore, it can be difficult for users to trust a provider that claims to operate a no-logs policy but is yet to back it up with an independent audit.
Nick Seaver, cyber risk partner at Deloitte – one of the Big Four auditing firms (more on that later) – comments on the type of data VPN providers typically store:
“Many VPN providers claim to maintain a no-logging policy, which generally means at a minimum they do not store any data relating to user internet activity. But they often store much less than this. The data that is logged by some VPN services can include the time users connect and disconnect from the VPN, their real IP address and the address of the VPN server, the volume of data transmitted and connection information, such as your device, operating system and VPN software.
“Note that logging policies aren’t all the same – the specifics can vary significantly, and if consumers are concerned about their privacy, it’s a good idea to read the service provider’s privacy policy carefully. The policy should clearly explain what data the VPN does and does not log, and why, as well as whether it shares it with anyone and how long it retains the data for.”
Here are some of the types of most common types of data logs you’ll find in VPN logging policies:
Details collected in connection logs will mostly be used to optimise a service, but this can include connection times, IP addresses, crash diagnostic data and server connections within your VPN, which can compromise users’ privacy. If a VPN provider claims to have a no-log policy despite collecting this type of data, that’s a red flag. Generally speaking, you’ll want a provider that doesn’t track your real IP address.
Usage logs are more of a privacy concern for most users, and this is usually what a VPN provider will be referring to when they claim to be a no-log operator. You’ll want to choose a service that doesn’t track usage logs since this can compile data on the websites you visit, along with your real IP address. It can also track unencrypted messages and any apps or services saved on the devices you connect to with the VPN, all of which defeat the object of a VPN in the first place.
Seaver comments: “The importance of no-logging policies depends on why the users want to use a VPN. If it’s for enhanced privacy and security, then no-logging policies are important. But there are other uses of VPNs – such as bypassing geo-restrictions when accessing things like news websites or video streams not allowed from your location, or avoiding internet service provider (ISP) throttling which is when your ISP deliberately restricts your internet bandwidth or speed without telling you, for specific services such as video streaming.
“For people who are using VPNs to keep their online activities confidential and secure, the provider’s logging policies are important. And it’s important to get into the detail of what the provider actually logs specifically, for what purpose and the duration the logs are kept. Logging policies potentially enable the provider to track and store information about users’ internet activity. If providers log your activities in detail, they can track your internet activity and potentially share it with others. If users want a VPN for privacy and security, it’s important to choose a provider with an appropriate no-logging policy.”
While the audit itself is important, the company that performs the review and how it is conducted is also key to increase trust and value in the VPN brand. An independent, third-party audit is important, as there will be no vested interest in a positive outcome, unlike an internal audit. Here are some of the main auditing firms that have specialised in VPN privacy and security audits over the past few years:
You’ll often see VPN providers tout the fact their audits were performed by one of the “Big Four” consulting firms, which includes Deloitte, KPMG, PwC and EY. This is because they are the largest, most sought-after auditing firms in the world, and having their name attached to verification of a no-logs policy is a good sign of trust for consumers.
Deloitte: Deloitte offers consulting, auditing and tax services. It has a big reputation in the auditing world, so a VPN provider that has contracted the company to perform its audits tends to be fairly trustworthy. Both NordVPN and CyberGhost used its services for recent no-log audits.
KPMG: This worldwide firm serves 143 countries with audit, tax, consulting and financial advisory services to major corporations. It recently tested ExpressVPN’s privacy policy.
PwC: Another international consulting firm, PwC provides a range of services in finance, legal, forensics, risk, and sustainability, among other sectors. It’s one of the more sought-after Big Four firms when it comes to VPN audits, having performed reviews for NordVPN and ExpressVPN in the past.
EY: Ernst & Young, more commonly known as EY, is a global consulting firm offering services across finance, people management, tax, and law. It also conducts audits in the technology sector, including server and security reviews for VPNs.
Not all providers will consult with a Big Four firm on their VPN audits, but there are a growing number of other companies being mentioned in reports more often. Many of these are cybersecurity specialists performing both privacy and security audits.
Cure53: This Berlin-based auditor conducts deeper research into the security of different VPN provider apps and websites, as well as servers and general infrastructure to reveal any vulnerabilities that could put user data at risk. It recently conducted app and infrastructure audits for NordVPN and ExpressVPN, complementing their no-log policy audits with other conductors for a more complete assessment of the health of their services. Back in 2021, Cure53 also confirmed the good health of Surfshark’s server infrastructure for the second time, with the first review of its service taking place in 2018.
MDSec: Similar to Cure53, MDSec provides detailed cybersecurity advice and services to global companies, and it recently carried out security health checks for Atlas VPN, looking specifically at its Windows app.
VerSprite: Is a global independent cybersecurity consultancy firm that was founded in 2007. It conducted tests on Atlas VPN’s iOS app in 2021, which identified some medium-to-low-risk issues that would not compromise user data safety. Atlas has since implemented fixes for all of the issues uncovered in the review.
Securitum: Is a leading European auditing firm that runs hundreds of tests to measure the security of IT systems across different firms. It recently ran a security audit for Proton VPN.
Leviathan: Leviathan Security Group is a Seattle-based cybersecurity firm that provides security and privacy compliance audits for VPNs. It recently completed a review of IPVanish’s no-logs policy.
Although a VPN provider may say the privacy of its users is their first concern, being able to back any claims up with an independent audit is essential to build trust with users. The below table outlines what some of the VPN providers we’ve reviewed have to show in terms of how they protect your data and monitor the general health of the service they provide.
| VPN provider | Privacy/no-logs audit? | Security audit? |
|---|---|---|
| NordVPN | Yes – Deloitte, 2022 | Yes – Cure53, 2022 |
| Surfshark | Yes – Deloitte, 2022 | Yes – Cure53, 2021 |
| ExpressVPN | Yes – KPMG, 2022 | Yes – Cure53, 2022 |
| CyberGhost | Yes – Deloitte, 2022 | No |
| Proton VPN | Yes – Securitum, 2022 | Yes – Securitum, 2022 |
| Private Internet Access | Yes – Deloitte, 2022 | No |
| Atlas VPN | No | Yes – MDSec, 2022 (Windows app) and VerSprite, 2021 (iOS app) |
| Windscribe | No | Yes |
| PrivadoVPN | No | No |
| IPVanish | Yes – Leviathan, 2022 | No |
| StrongVPN | No | No |
| HMA | Yes – VerSprite, 2020 | Yes – VerSprite, 2020 |
| TunnelBear | No | Yes – Cure53, 2022 |
| VPNSecure | No | No |
| Hide.me | Yes – DefenseCode Ltd, 2015 | No |
When looking for a VPN, you always want to look for a reputable provider that is transparent about how it safeguards your data. Companies are not obliged to release the findings following an audit, however most reputable VPN providers will publish results to boost their company reputation.
“VPN providers are not obliged to release the findings of a privacy or security review to the public,” says Deloitte’s Seaver. “However, many reputable VPN providers choose to publish the results of these reviews as a way to show potential and existing users that they are committed to maintaining high standards of security and privacy.”
He further notes the scope and coverage of the audits are not the same. “If users are going to rely on these audits where available, it’s important to ensure they are comprehensive and really do show a strong commitment to user privacy.”
Results, if published, are usually available online and summarised in an article or company blog post that outlines the main findings and areas they are actively working on to resolve any issues. Sometimes you can find the full reports to trawl through, which is something to look for when searching for a trustworthy VPN provider. Other green flags are when providers note when audits are conducted to recognised standards. CyberGhost, for example, highlighted its auditor carried out tests to ISAE 3000 (Revised) applicable to Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.
As well as a speedy service that is good value for money, looking for a VPN provider that is transparent with its privacy policy and security practices is key.
“The data stored by VPN services varies significantly, and is much more driven by the individual company’s policies and practices rather than the country of operation,” says Seaver. However, it can help to look for VPN companies that are based in countries with strong data privacy laws, like Switzerland and Bucharest, where they are not mandated to keep any logs by law.
“If the VPN is for privacy and security, a no-logging policy is important – but also look for the details of what no logging actually means and the provider’s commitment to privacy on the VPN’s website and terms of service,” continues Seaver, who also advises to check whether the VPN uses modern, robust encryption (AES-256 is the current standard), as well as reading customer reviews and making the most of any VPN free trials before committing to a subscription.
As tempting as a free VPN option may be, the way these providers usually make money is unfortunately by selling data to third-party advertisers, and they often don’t have the money to invest in better security infrastructure, making users more vulnerable to data breaches and related cybercrimes.
