VyprVPN, definitely one of the older VPN players in the market, has had its no-log policy audited by Leviathan Security. This is a great achievement, and one that we certainly hope catches on in the VPN industry in general.
Founded in 2009, Golden Frog (the creator of VyprVPN) actually has an interesting history with its no-log policy. In fact, there wasn’t really a no-log policy to begin with.
VyprVPN’s yes-logging policy
Up until recently – in the summer of 2018 – its policy was to log certain user data that it needed in order to offer the best services. When we asked the question: does VyprVPN keep logs, the answer was always: well, yeah.
This data was logged for 30 days, and included the following information:
- the user’s real IP address
- the IP address VyperVPN assigned to the user
- the connection start and end times
- the total number of bytes used
While this was a pretty transparent look at what user data VyprVPN was actually logging, many were taken back by the revelations. For them, any logging was bad, and this policy brought VyprVPN some regular criticism.
In fact, in their blog post announcing their no-log policy audit, Vypr’s Sunday Yokubaitis lists a missed a spot in Wirecutter’s ranking of their favorite VPN services because of Vypr’s metadata retention policy.
— Mark Smirniotis (@marksmirniotis) April 30, 2018
This seemed to have been the last straw, and Vypr then enlisted Leviathan Security’s service in auditing their new no-logging policy.
Does VyprVPN keep logs? Now, no
Very fresh on the heels of NordVPN’s own no-log policy audit by PwC, VyprVPN had Leviathan Security check to “ensure that no Personally Identifiable Information (PII) is collected, with respect to the use of the VyprVPN service.”
Leviathan worked with VyprVPN’s team of engineers to address and fix errors discovered during the auditing process. According to the full audit [pdf],
“While vigilance against logging is necessary to complete the process of implementing “No Log”, we feel that this assessment achieved its goal of uncovering weaknesses in Golden Frog’s implementation. The project revealed a limited number of issues that Golden Frog quickly fixed. As a result, it can provide VyprVPN users with the assurance that the company is not logging their VPN activity.”
That’s great assurance from an independent entity that VyprVPN does not log users’ VPN activity. Leviathan continued to work to make sure the fixes actually fixed the mistakes. Te report goes on to state,
“Golden Frog worked to remediate all no-log-related findings concurrently with the assessment. Once it had completed this, we performed a retest and verified that all of the fixes were effective.”
Why is the no-log policy audit important?
We mentioned before how excited we are about the new trend in the VPN industry: the independent audit, including the VyprVPN logs audit.
Up to this point, there have been only 5 independent audits, and only 2 of those – NordVPN and VyprVPN – had it done on their no-log policy.
This is a great trend nonetheless, since independent audits allow us to confirm what pretty much every VPN company is always saying: we’re safe, secure, private, and we won’t sell or give away your personal data.
While that’s all nice, we can’t really know if that’s true – and unfortunately we can’t really trust companies to tell us the absolute truth, especially when that absolute truth can deeply impact their profits.
For that reason, we love the fact that VyprVPN not only changed from their minimal logging to their new no-logging policy, but they also went ahead and had that independently verified.
We hope that many, many other VPN services will follow.
How do you feel about the rise of independent audits? Let us know in the comments below!