There seems to be a new wave flowing through the VPN community: independent audits of popular VPN services. It first started with TunnelBear in the summer of 2017, then Mullvad, continuing with Surfshark’s audit of its browser VPN in November. Last week it spread to NordVPN, which released findings of its no-log policy audit by the “Big 4” auditing firm PwC (PricewaterhouseCoopers).

And now, VyprVPN has come out and stated that they also had an independent audit performed to ensure that users’ Personally Identifiable Information (PII) is not collected in their service.

This new trend in the VPN industry is important since VPN services are always making big claims, and in our extensive VPN reviews, we find that those claims are often met, but sometimes exaggerated.

Independent audits of various parts of their VPN services will prove to the world that they can actually back up their claims with a working product that delivers privacy and security.

However, it’s important to note that there are two different types of audits that can be performed:

  • security audit: the VPN service gives its app’s source code to an independent auditor, who reviews the code and simulates attacks against it to identify vulnerabilities
  • no-logging audit: this more difficult audit requires far more access, since the auditor checks what information is actually stored on the VPN’s servers and how long it is kept

Both types of audits are important; however, we’d still place a bit more importance on the no-logging audit since it ensures that their data privacy claims are true.

So let’s take a quick look at how the movement started, and where we hope it’s heading.

August 7, 2017: TunnelBear completes industry-first VPN security audit

Type of audit: security audit

At the end of 2016, TunnelBear hired the independent German web security testers, Cure53, to perform a complete security audit of their servers, apps and infrastructure. It was originally planned to be used internally only, but TunnelBear felt the industry needed a boost of confidence after multiple security crises.

The blog post is dated August 2017, although that is the date of the second security audit. The first had been completed in 2016 and found multiple vulnerabilities in their Chrome extension, which TunnelBear worked to fix before the 2017 audit. Therefore, these two iterations should be seen as two sections of one larger audit.

They’ve now released their VPN security audit for 2018. In this one, Cure53 discovered 2 “critical,” 5 “high,” 3 “medium,” 7 “low,” and a few “informational” issues across TunnelBear’s service.

These issues have been “promptly fixed” by TunnelBear. In general, the 2018 audit [pdf] states that the audit had:

“revealed great progress that the TunnelBear has made over the recent years. This is clearly enabled by the incessant efforts of the in-house team, which manages to introduce subsequent improvements to the overall integrity and security…”

Overall, that’s a great start to the new movement.

September 24, 2018: Mullvad gets a security audit for its app

Type of audit: security audit

In September 2018, the relatively lesser-known Swedish VPN service Mullvad published the results of its security audit. Once again, Cure53 was used to check the code and look for vulnerabilities.

The Cure53 Mullvad report [pdf] showed that there were 7 issues found, one rated “critical” and another rated “high.” The auditors went on to claim that the issues were:

“an exceptionally small number given the complex field of the VPN software and the connected, vast attack surface.”

However, one important aspect was noted by Cure53: the security audit wasn’t comprehensive, as only the front-end had been checked:

“It needs to be noted, however, that in this instance only applications and supporting features were checked, meaning that no verdict can be made on the security posture of the server-side and backend.”

While there are some problems with this incomplete security audit, including that it doesn’t check how user data is collected and processed, it nonetheless has some significance as the second independent audit.

November 20, 2018: Surfshark gets a VPN browser extension audit

Type of audit: security audit

In their blog post less than two weeks ago, Surfshark let the world know that its VPN browser extension had been audited by Cure53. That audit (available here [pdf]) consisted of both a penetration test and a code audit of Surfshark’s Chrome and Firefox browser extensions.

Cure53 claimed that the tests showed Surfshark’s Chrome and Firefox extensions provided:

“a very robust impression and are not exposed to any issues, neither in the privacy nor in the more general security realms.”

This is great news for Surfshark, as its claims of privacy seem to have been met – for its browser extensions. This audit, however, did not look at its VPN clients for desktop or mobile, so that’s something to remember.

November 22, 2018: NordVPN gets a no-log policy audit

Type of audit: no-logging policy audit

That’s when the big boys, NordVPN, stepped in, and a week later released initial findings from the PwC audit of their no-log policy. We gave our own in-depth analysis of their independent audit here, but suffice it to say that we still believe it’s a big deal, especially considering the high reputation of the auditing firm PwC.

In an attempt to settle people’s fears about what kind of data VPN providers are actually logging, especially giants like NordVPN, they went ahead and hired a giant in its own right, at least in the auditing world: PwC. This audit actually took place in August.

NordVPN simply wanted to prove to the world that they’re trustworthy, and the PwC audit seems to show that. In a leaked version of the report, PwC stated:

“a) the accompanying description fairly presents Tefincom S.A.’s no-log NordVPN service, and

b) the NordVPN service is suitably designed and implemented as of 1 November 2018.”

They just happened to publish their blog post about the results after Surfshark.

November 29, 2018: VyprVPN’s audit

Type of audit: no-logging policy audit

And then we get to VyprVPN’s recent blog post about their no-logging policy audit.

Rather than simply saying, “We also got an independent audit,” in what seems like a purely marketing stunt, they’re also claiming that they are “the world’s first publicly audited No Log VPN Provider.” This seemed odd, seeing as it came out after NordVPN’s no-log policy audit blog post.

But VyprVPN representative Jim Crooks says the timing of the release was purely coincidental:

“Please understand that in order to effectively complete an audit of this magnitude, it takes significant time. We have been actively working both internally to ensure our services are No Log, followed by an active relationship with our auditors Leviathan Security to test and address any issues raised throughout our shift to No Log. Although we understand our timing might be a tad odd considering the release of NordVPN’s announcement, please understand this was purely coincidental.”

This seems like a reasonable enough reason, and more or less explains the idea behind the title of the article.

Nonetheless, the Leviathan Security audit [pdf] concluded that:

“Connections are logged during authentication, but logs that could identify users are kept only for a short time. By using open source or widely-used applications for server and client components, they have reduced the risk of unintentionally adding a weakness into the software themselves.”

That is great news – and something we hope will set fire to the greater VPN industry.

Who’s next?

In order for a trend or movement to work, it needs to continue steadily and grow rapidly. And although the movement is just starting, we’re still waiting on some of the other VPN giants to at least declare their own independent audits. These include:

  • ExpressVPN
  • TorGuard
  • CyberGhost
  • PrivateVPN
  • Private Internet Access
  • IPVanish
  • HideMyAss
  • and pretty much every other VPN

For that reason, we recommend you join us in making sure this movement continues. We need to keep the momentum going, and we need to do it collectively.

We want you to join us in our own #wheresyouraudit movement – every single week, we need to tweet and mention all the big VPN providers and ask them:

#wheresyouraudit?

If they care about privacy, if they care about security, if they want to prove to the world that they can be trusted, we need receipts. We need audits, or at least to let us know when the audits will be happening. We need them to publicly declare that they are safe, that we can trust them, that the VPNs are absolutely not logging, selling, or leaking our data for whatever reason.

Only then can we make sure that we’re safely exploring the internet, with full privacy, security and control.

Will you join us?