PwC audits ExpressVPN to confirm no log privacy protections

ExpressVPN audit

In recent months, a number of premium VPNs have taken to getting their privacy policies independently audited to confirm their authenticity.

Up until now, ExpressVPN has not gone down that route with the exception of a security audit which was carried out at the end of last year by cybersecurity firm Cure 53.

But, as you would expect from what is currently our number one recommended VPN, when they do hold an independent audit, they have seriously raised the bar.

PwC audits ExpressVPN

Today, ExpressVPN has announced an independent audit of its VPN servers by PricewaterhouseCoopers (PwC). For those not familiar, PwC is one of the so-called ‘big four’ auditing firms with a long track record of auditing some of the world’s largest and most influential companies.

PwC has exhaustively examined ExpressVPN’s code and interviewed numerous members of the ExpressVPN team.

Their objective was to confirm that ExpressVPN’s servers were in compliance with their stated privacy policy. In particular, they were checking that the servers were indeed complying with the companies much heralded no user logs guarantee.

Readers may also recall that earlier this year, ExpressVPN launched their TrustedServer technology. This means that ExpressVPN’s servers now run on volatile memory (RAM) rather than hard drives, which ExpressVPN claim is more private and more reliable.

TrustedServer ensures that all data is wiped with every reboot and also delivers greater security by reinstalling the entire software stack fresh every time a server reboots.

PwC has also examined this technology to confirm that it does indeed deliver what ExpressVPN claims.

The fact that the report covers TrustedServer makes this audit an industry first. It is the only audit of a VPN to date that formally validates key security technologies and innovations, rather than just examining only their privacy-policy compliance

If you want to find out more about the full scope of the PwC audit, ExpressVPN has released a handy summary which you can read here.

How the audit worked

The PwC audit of ExpressVPN took more than a month to carry out. As part of the process, the PwC team were given extensive access to ExpressVPN’s systems, its code, and its staff.

PwC auditors interviewed staff responsible for server management, they dug down into the source code that underpins ExpressVPN’s service, and they inspected their technical log files and configurations. They also examined ExpressVPN’s server configuration and deployment processes.

The result is a comprehensive and detailed audit which covers all of the core aspects of ExpressVPN’s service.

So, what were the results?

Unfortunately, PwC were explicit in their demand that the results of the audit should not be published individually or as excerpts. Their reasoning for this is that they are adamant that the results must not be taken out of context. This is PwC’s standard practice for reports of this nature.

It is not great for ExpressVPN, who would no doubt like to be running some sensationalised headlines about the positive outcomes of the audit.

But it is good news for the integrity of the audit as a whole because it means that ExpressVPN customers can be confident in its findings.

If you want to find out what the PwC concluded about ExpressVPN, you will need to read the independent audit in full. To do this, you will need to be an ExpressVPN customer. They can just log into their account and then visit the Privacy and Security audits page of the ExpressVPN website.

What this audit means

Audits like this are crucially important for the VPN industry. At a time when both authoritarian and democratic governments are seeking to undermine encryption and online rights for their own benefit and question-marks about the ownership of some VPN providers persist, the sector is already facing unprecedented scrutiny.

Under such pressure, it is vital that providers go all out to reassure customers that they are a genuine security and privacy tool. Using an auditor such as PwC to deliver an audit of this scope is a cast-iron way for providers like ExpressVPN to do this.

VPN users need to have trust in their provider. To give this trust, providers need to be transparent and open about how they work and what protections they deliver. ExpressVPN is doing exactly that and they deserve tremendous credit for going to these lengths.

They have also raised the bar for the rest of the VPN sector too. It will be interesting to see how many other providers follow their lead.

Leave a Reply

Your email address will not be published. Required fields are marked *