
VPNs are rooted in trust, but their users are increasingly looking for more than just the word of the provider when it comes to security and privacy.
That is why VPNs are increasingly using independent auditors to road-test their security and privacy claims and reassure users that they do exactly what it says on the tin.
The latest to sign up for this trend is Private Internet Access, one of the biggest names in the VPN market, but one whose reputation has slipped a little in recent years as other providers have surged past them with improved offerings and widespread independent audits.
Now Private Internet Access is hitting back with one of its own. They have got no less a name than Deloitte, one of the big four auditing firms, to take a look at their server environment and provide a full and frank assessment of Private Internet Access’ no user logs policy.
What Private Internet Access claims
Private Internet Access has always claimed to have a robust privacy policy that includes a watertight no user logs policy.
They have been clear and consistent that they keep zero logs, that they also retain no metadata, and even that they have never had cause to share any data with authorities (presumably because they don’t hold it).
But they are also aware that making these claims on their own is not enough in this day and age. So, they called in Deloitte Audit Romania to review their VPN server network and management systems to look into how Private Internet Access maintains a zero-log VPN service.
The audit was intended to confirm that their server configurations aligned with these internal privacy policies and were not capable of identifying users or pinpointing their activities.
What Deloitte Audit Romania found
Deloitte Audit Romania undertook a full assurance engagement project, inspecting Private Internet Access’ server configuration and examining how they go about maintaining their zero-log VPN service.
The audit was conducted in accordance with the International Standard on Assurance Engagements 3000 (Revised), and the results were extremely encouraging.
Deloitte concluded that, as of 30th June 2022, when the audit took place, all Private Internet Access server configurations were in alignment with their stated no user logs policy.
In layman’s terms, this means there was nothing on Private Internet Access’ servers capable of logging user data and no indication that any such data had been or was being logged.
According to Private Internet Access, this is because they run their system on RAM-only servers, which are regularly rebooted, meaning that any data stored on them is permanently deleted.
They also noted that they have robust security procedures in place to ensure that third parties cannot access their server network either. Among these procedures is disabling all error logs and debug information, which has an impact on development but is described by Private Internet Access as “an acceptable trade-off to securing user data.”
They also note that their Dedicated IP service was built as a token-based system which is also specifically designed to prevent any association with individual users. The token is only saved in the client, and this isn’t enough for a server-side association.
What this audit means for Private Internet Access users
The clear results of this independent audit will offer further reassurance for Private Internet Access users.
Their privacy protections have always been considered pretty sound, but this independent audit will offer the extra bit of reassurance that many users will appreciate.
Private Internet Access is actually one of only a handful of VPNs that has had its no logs claims tested in court. By their own admission, Private Internet Access has been subpoenaed on a number of occasions and each time, they had no data to share, and this was accepted in court.
An authenticated no-user logs guarantee is not the only reassurance that Private Internet Access can offer its users.
They are one of only a few VPNs that offer 100% open-source apps, meaning that anyone can access the code that underpins their apps and check it for vulnerabilities or anything that contradicts the security and privacy claims they make.
They are also transparent about all changes to their server network and where they use virtual servers as opposed to physical ones. This is another positive feature that not all premium VPNs offer.
Here at VPNCompare, we are delighted to see Private Internet Access going down the route of conducting independent audits.
We believe these audits are very much in the interests of customers. In the current marketplace, where there are still dubious providers, especially those offering free VPN servers, it is vital that customers don’t just have to take VPN providers at their word.
Private Internet Access has long been a solid VPN provider, and this audit has certainly pushed it considerably higher in our estimations, even if it does still have some way to go to challenge our top overall-rated VPN service providers.