What you should know about VPN audits

A VPN audit is when the provider calls upon an independent company to verify its policies. There are two main types of audits: privacy reviews and security reviews.

Security audits test the provider’s apps for vulnerabilities. Through testing security features and the overall health of the service, the auditor diligently checks for weaknesses that could make the service susceptible to a data breach or cyber-attack.

Privacy audits focus on the VPN provider’s no-log policy. The independent auditor assesses how the VPN provider collects, stores and uses data. A no-log policy is supposed to protect users against their data being stored or used in negligent ways. This is the primary selling point used by most VPN providers.

The VPN market is heavily congested with very convincing security and privacy marketing speak. Any VPN provider can claim to have a no-log policy (meaning it doesn’t store, record, or process any user data), but without any tangible proof of this, why should you trust the service?

A VPN audit creates trust between the service and its customers. It’s up to the VPN service which type of audit it chooses to conduct – privacy or security – but most aim to do both. Typically, a VPN’s audit report is available on its website, and it clearly outlines what has been verified and notes any issues found.

A VPN audit can cover as little or as much of the service as the provider wishes. It largely depends on how much access the VPN service grants the auditor. The auditor may inspect the VPN’s apps, servers, and infrastructure. A VPN’s no-log policy should be a big focus of the audit, with the aim to prove or disprove whether the service logs or stores users’ data. 

The audit process might involve on-site visits to the company’s headquarters or data processing center. The auditor could assess internal operations, review policies, and inspect server configurations. They may also speak to members of staff to gather relevant information. Once the audit is complete, a report is written to outline the findings. If necessary, the report will include ways to reduce vulnerabilities and weaknesses.  

A no-log policy typically states that a VPN service doesn’t log users’ data, store it, or sell it to third parties. Nobody wants their data to be sold to a third party – it’s never used for anything good. It could also increase your chances of falling victim to identity fraud, scams, or cybercrime.

VPN websites are flooded with no-log policy marketing language. It’s become somewhat of a cybersecurity buzzword. It can be tricky to sift through marketing ploys and genuine privacy features. Despite the policy’s name, a VPN must log a few things, but these should never reveal your identity. They include:

• Dates when connected to the VPN service (but not timestamps.)
• Server location.
• Data usage (but not how you use it.)
• Which app version you use and are any app updates.

These are some examples of what is safe to log and doesn’t infringe on your privacy. The most trustworthy VPN providers only log information relating to data usage and what’s required to ensure your app is running as it should. This information is then discarded after each session. 

Where privacy and security are concerned, it’s important to stick to trusted companies – this goes for both VPN services and independent auditors. Internal audits should be avoided, as they may lack objectivity and cause biases. A reputable third-party auditing firm will provide a non-biased and honest report of the security and privacy of the VPN service. The most trusted auditing firms are referred to as the “Big Four.” 

It’s common to see VPN providers advertise that their audit has been conducted by one of the Big Four consulting firms. The Big Four comprises Deloitte, Klynveld Peat Marwick Goerdeler (KPMG), PricewaterhouseCoopers (PwC) and Ernst & Young (EY). These firms own the stage when it comes to audits – they’re the largest and most popular in the world. The most common VPN providers, and even some lesser-known ones, have been audited by one of the Big Four.

Internet privacy is among the most important concerns of most organizations, as well as citizens. Many regulations have codified the importance of privacy. However, not all nations adhere to the regulations, and in some cases, an internet service provider will institute its own rules about internet browsing.  It makes sense to take measures to ensure your privacy as best as possible by using a VPN. Since all VPNs do not practice equal levels of security, you should examine whether the VPN provider has been audited and whether the privacy levels give you the level of comfort you are seeking prior to subscribing to the service.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.