NordVPN shared the results of an audit into its ‘no-logs’ policy with customers yesterday. The audit, conducted by one of the Big 4 accounting firms, was triggered by damaging allegations earlier this year. The results, however, suggest that NordVPN is living up to its no-logging promises.
Earlier this year a series of allegations were lodged against NordVPN.
The company was being linked to Lithuanian tech company Tesonet, which offers a wide range of services and products. According to the allegations, Tesonet owns NordVPN, a claim the latter denied.
The issue raised alarm bells with some people because Tesonet is involved in data mining practices, and the company also runs a residential proxy network. There is no evidence that NordVPN is involved in any of that, but it was enough to feed speculation.
When we reported on the saga, NordVPN committed to hiring a prominent third-party auditing firm to test its “no-logging” claims. The result of this audit was released with customers yesterday, and a few journalists also got a chance to read it.
As part of an agreement with the auditing firm, the report can’t be published in public. NordVPN can’t cite from it either so the company released a blog post with a summary instead.
“The auditors’ goal was to see if our service lives up to our claims of providing a no-logs VPN service, and we believe we’ve passed the test,” NordVPN’s Daniel Markuson writes.
TorrentFreak has seen a copy of the report which is relatively concise. It’s limited in the sense that it only reviews the situation at the time of the audit, which may change at any given time.
Overall, it confirms that the company doesn’t store personal IP-address logs of users, nor does it keep track of subscribers’ Internet activities. This is what’s typically understood to be a ‘no-log’ policy.
That said, NordVPN, like other VPNs, does process some personal information. For example, it keeps track of the user’s concurrent active user sessions. This information is stored for 15 minutes. There is no sign of any proxying services.
It’s unfortunate that the information can’t be shared with a broader public. However, users who had a NordVPN account before November 1st can read it in full in their user panel.
According to NordVPN, this is the first time a VPN’s no-logging policy has been audited. However, VPN audits are not uncommon. Earlier today, Surfshark announced the results of an audit of its browser extensions, for example. To date, TunnelBear has also conducted two security audits.
While these efforts are laudable, the various audits are not hard to compare. NordVPN focused on its logs, not looking at security flaws, while the other audits are more security focused. Such audits may help to build trust, of course, but there are no guarantees.
Even if a company’s own services and policies are all in check, it is possible that some vulnerabilities will remain.
While audits have some value, it’s not a given that audited companies are any better than non-audited ones. In this case, NordVPN wanted to reassure users following several damning allegations.
TF note: We don’t intend to make a habit of reporting on audits. Considering the earlier controversy and the fact that NordVPN is one of our sponsors, we chose to address it in this case. This article was written independently, as per standard TF policy..