The VPN industry is built on (often empty) promises of privacy. But users are smart – telling them you’re a “no-logging VPN” is no longer enough. After all, everyone says it!
NordVPN came face to face with this skepticism just a few months ago when they were accused of data-mining, logging user data, and worse.
Of course, healthy skepticism doesn‘t mean the industry now lives in a post-factual world. There are good ways to prove your promises are not empty. Sometimes, claims get tested by law enforcement or intelligence agencies – a blessing in disguise for those who follow their own Privacy Policy. But there’s another way, too.
NordVPN has decided to prove its worth by hiring an authoritative independent auditor – one of the “big 4” in the business – PricewaterhouseCoopers (PwC). The stated goal of the audit was to investigate how NordVPN’s practices follow its stated “strict no-logging” policy.
In this article, we’ll take a look at what exactly the PwC report says and what it means.
The findings of the PwC report
No VPN service has ever submitted itself to an audit of its logging policy. Naturally, many were wondering how exactly it would go down. Well, according to the leaked audit report, PwC performed the following procedures as part of the audit:
• Interview with responsible employees
• Observation of process to deploy configurations to VPN servers
• Inspection of relevant configurations for a sample of VPN servers
• Inspection of a sample of relevant configurations for all VPN servers
• Inspection of log files on a sample of VPN servers
• Inspection of relevant configuration on a sample of central infrastructure servers/services relevant for the NordVPN service
• Inspection of a sample of relevant configurations for all central infrastructure servers/services relevant for the NordVPN service
• Inspection of log files on a sample of central infrastructure servers/services relevant for the NordVPN service
• Inspection of databases on central databases relevant for the NordVPN service
This looks like a thorough regimen of tests and even competitors should find it difficult to claim NordVPN have bought themselves a PR stunt. As we shall see, those who criticize the audit don’t do so on the grounds that the audit procedures were too easy or fail to “look in the right place.”
Some may find it concerning that PwC did not investigate the security of data within the NordVPN service or its specialized servers, such as double VPN, obfuscated, and Tor servers. However, we feel that the former is outside the scope of a logging audit, whereas the latter is a minor issue.
Having performed the outlined procedures, PwC concludes that NordVPN’s description of their no-logging policy is fair and accurate.
So we can put this all to rest, right? Well, not quite.
Criticisms of the NordVPN logging audit
As we all know, there’s always a fight if money is involved. This is no different: competitors and simple users were quick to find angles of attack on the NordVPN audit. Let’s discuss the main ones:
- The confidentiality of the report.
Publicly, NordVPN has only published a blog post about the report, rather than the report itself. Many have found this suspicious – why would the auditing agency want the report to be confidential?
Well, firstly, the publication of audit reports from “big 4” agencies is always placed under strict legal regulation. As for the reason the report is confidential and only available to users of the NordVPN service, consider that this is the first such report ever. PwC is smart to safeguard its reputation in this way.
Also, it’s not so difficult to find the leaked version of the report, which is what was undoubtedly expected in the first place.
- Session information.
The report says that:
Session information is periodically sent to the NordVPN authentication server for as long as the session is active. The information contains the username and the timestamp of the last session status. The aforementioned information is used to limit the amount of concurrent active user sessions and is deleted within 15 minutes after a session is terminated.
People are finding this problematic because it is, technically, logging. While that is true, it ignores the pragmatic reality of the VPN market and the significance of this data. Suffice to say if this is a VPN user’s only problem, then he/she is the most carefree VPN user in the world.
- Panama, Cyprus – where are you based?
The PwC report says the audit was ordered by Tefincom S.A. Cyprus, although the NordVPN company claims to be owned by a Panama-based company. Not much to say here – international companies have international subsidiaries precisely for the purpose of making procedures (such as ordering an audit from PwC) simpler.
Conclusion
Poking holes in alibis is fun – we understand that. However, on this occasion we’d just like to recognize some facts that we should all celebrate:
A world-renowned company has performed the first-ever audit of a VPN’s logging policies and the report confirmed these policies were being followed.
This is a big milestone in the industry that other service providers will hopefully feel obliged to answer. Not by sowing doubts, but by asking for their own audits.
I feel that no matter how hard companies like these try to convince they’re transparent and no-log, there’s always something fishy going on. I really want to believe that most VPNs are really what they say, but it seems that a big part isn’t.
Not sure if this is the first ever though. I recall TunnelBear, before McAfee bought them, also having an external entity performing an audit. No idea if the results were published or not though.