Are VPN audits all they’re cracked up to be? In this article I’m going to look at the pros and cons of VPN audits and if you should even be relying on them at all.
While VPN audits are portrayed by some as the panacea for online security, being totally honest, a VPN audit can never fully guarantee you are protected. I’m going to go into the reasons why this is, and how to overcome it.
But first I want to point out something: VPN audits actually are (despite my skepticism) definitely a welcome thing overall. They may not be the optimum solution but here at VPN Hound we’re glad that VPN companies do them.
Companies that don’t offer themselves up to VPN auditing – for example like IPVanish – will never truly win over the most privacy-aware or paranoid users. Perhaps that’s the sort of customer they’re looking to avoid, so it makes sense, but I’m glad that most companies undertake audits.
οΈβπ₯Best Audited VPNs
- Tunnel Bear
NordVPN
Top 3 Audited VPNs (Updated)
#1 TunnelBear – Best audited VPN
VPN company TunnelBear is the king of the VPN audit.
The main reason for this is because it commissions audits every single year, which TunnelBear argue is the best way to guarantee the safety and anonymity of its user’s data.
| β VPN Hound User Rating: | 4.2 |
| π No logs policy: | No logs |
| π― Money-back guarantee: | 30 days |
| πΏ Streaming services: | Netflix, Hulu, YouTube TV |
| π΅ Cheapest price: | $2.49/month (24 month plan) |
| π₯ Current deal: | Click here for 60% OFF at TunnelBear |
Limited Offer: β οΈ Click here for 60% OFF at TunnelBear — today only!
The earliest audit was done all the way back in 2016 when the company recruited Cure53, an independent German security testing company, to do a full security assessment of its servers, apps, and infrastructure.
At the time, multiple flaws were found, particularly in the TunnelBear Chrome extension. They promptly fixed these issues before commissioning a second security audit in 2017 – you can read that report here, but in short, a handful of vulnerabilities were found, ranging in severity from low to critical. TunnelBear immediately fixed these, and the subsequent audit indicated significant progress in the company’s efforts to improve the overall integrity and security of its service.
In 2019, TunnelBear released another VPN security audit, which found a few more issues – again, these were promptly fixed. Interestingly, the audit concluded that TunnelBear had made significant strides towards enhancing the security of its service as a result of the efforts of its internal team.
They were audited again in 2020 – see the results here.
The audit results for both 2021 and 2022 have been completely clear of major issues.
So, TunnelBear has clearly proven that it’s dedicated to user security by funding loads of independent security audits – which aren’t cheap. In fact, no other VPN provider has done as many audits as TunnelBear, so this is why they’re our number 1 here at VPN Hound. An annual commitment to a security audit like this should be top of every VPN provider’s list, frankly.
Read my full review of TunnelBear VPN here.
The good vs. the bad
| TunnelBear 🏆 | NordVPN | IPVanish VPN 👎 | |
|---|---|---|---|
| Audit Policy | Publicly audited | Publicly audited | No public audits |
| Data Retention | No logs policy | No logs policy | No logs policy |
| Encryption | AES-256 bit encryption | AES-256 bit encryption | AES-256 bit encryption |
| Protocols | OpenVPN, IKEv2 | OpenVPN, IKEv2, WireGuard | OpenVPN, IKEv2, L2TP/IPsec |
#2 ExpressVPN – A Decent Runner Up
| β VPN Hound User Rating: | 4.8 |
| π No logs policy: | No logs |
| π― Money-back guarantee: | 30 days |
| πΏ Streaming services: | Netflix, Hulu, YouTube TV |
| π΅ Cheapest price: | $6.67/month (12 month plan) |
| π₯ Current deal: | Sign up Now for 60% OFF at ExpressVPN |
Limited Offer: β οΈ Sign up Now for 60% OFF at ExpressVPN — today only!
ExpressVPN might be famed for their features, or for being a so-called ‘premium VPN’, so of course it follows that they don’t scrimp on security audits.
In 2022, the firm asked Cure53 to conduct their most recent, comprehensive security audit of its VPN services.
They have a strong history of audits:
- An audit by KPMG of no-logs policy (September 2022)
- An audit by Cure53 of Linux app (August 2022)
- An audit by Cure53 of macOS app (July 2022)
- A security audit by Cure53 of ExpressVPN’s TrustedServer (May 2022)
ExpressVPN’s servers, applications, and infrastructure are all frequently audited, including their mobile apps, and the results showed no signs of security flaws, leaks, or compromises. ExpressVPN’s privacy policy has been found to be effective by the auditors, who also confirmed that the company did not keep any user logs that could be used to identify users nor track their online activity.
The 2022 audit follows three other “full audit” reviews of ExpressVPN in 2016, 2017 and 2019. In the latter, German web security auditing firm Cure53 found only minor issues, all of which were fixed quickly after being reported.
The only downside is that, unlike TunnelBear, it does not commit itself to yearly full auditing, and seems to do them mostly on a bi-annual basis.
#3 NordVPN – On the Up
| β VPN Hound User Rating: | 4.7 |
| π No logs policy: | No logs |
| π― Money-back guarantee: | 30 days |
| πΏ Streaming services: | Netflix, Hulu, YouTube TV |
| π΅ Cheapest price: | $3.71/month (2-year plan) |
| π₯ Current deal: | Get 75% OFF + 3 Months FREE at NordVPN |
Limited Offer: β οΈ Get 75% OFF + 3 Months FREE at NordVPN — today only!
It may be a surprise to see NordVPN in this list, given that in the past it has had a checkered history – including a data breach in 2018 (more on this later).
The issue with NordVPN has historically been that they insisted on using obscure auditing firms – leading many to question why that is. Thankfully, they’ve started using Deloitte in recent years, a huge accounting firm, but that still doesn’t excuse previous behavior.
For example, in 2018 NordVPN underwent an audit by VerSprite, a relatively unknown cybersecurity consulting firm. However, VerSprite had previously worked closely with another VPN service owned by the same company, and even shared ex-employees, which raised questions about the independence of that particular audit.
Since then, though, they’ve started using either PwC or Deloitte for audits, who both have huge reputations in the industry to uphold. This highlights the importance of VPN providers like NordVPN needing to be fully transparent about their auditing practices, including the firms they work with and the methodologies they use.
Why You Can Trust VPN Hound
We're completely independent from any VPN provider or company. We've spent thousands of hours curating and hand-testing all the big & small VPN services, and have been doing so since 2018.VPNs tested:
82Total hours testing:
602Terabytes used:
300+IPs banned:
3Torrents tested:
1,200+Funds spent on testing:
$8,500+
Are VPN audits over-rated?
| Pros and Cons of VPN Audits | ||
|---|---|---|
| 👍 Pros | Increased transparency | Helps build trust with users |
| Identifies vulnerabilities and areas for improvement | Can help prevent security breaches and data leaks | |
| May be required to meet industry standards | ||
| 👎 Cons | Expensive and time-consuming | Can only test a limited scope of VPN |
| Auditing firms may have ties to the VPN industry | May not be up-to-date | |
| Doesn’t guarantee complete security | May give a false sense of security |
Now that I’ve reviewed the best audited VPNs, I’m going to fire a shot across their bows, so to speak.
From a technical viewpoint, VPN audits aren’t always that useful. In fact, some people even consider them a waste of time since they can focus on the wrong things. It really depends on the audit and who is doing it, so don’t rush to judge just yet.
But audits are ultimately only a minor part of the overall security picture.
Here’s an example: most VPN audits are aimed towards ensuring that the VPN provider is employing secure protocols and encryption, which are absolutely crucial – don’t get me wrong. But these are ultimately only a minor part of the overall security picture.
VPN audits usually fail to take into account other crucial areas of security too, such as the security of the underlying operating system, the security of the user’s endpoint device, and the security of the network infrastructure used to transmit data. All of these are significant weak points that are vulnerable to exploitation. It’s not strictly speaking a drawback of VPN auditing, more of VPNs in general, so it may seem unfair to include these here.
But these are all key components of a secure VPN ecosystem that should be at least assessed (or, even better, fully audited), yet they are often ignored in favor of a narrow focus on the VPN itself.
Is the audited data reliable?
Well, VPN audits often rely on self-reported information from the VPN provider, which can of course be misleading or even incomplete.
VPN services may exaggerate the safety of their connections or omit data that could make their service look bad. Furthermore, audits may only be performed once and may not accurately portray the VPN provider’s ongoing security posture.
VPN audits also have the distinct problem of ignoring the role that end-user actions play in compromising network security. In other words, users could unknowingly jeopardize VPN security if, for instance, they use easily-guessed passwords or don’t keep their endpoint devices up to date. VPN audits simply cannot account for these factors, which can greatly impact the overall security of the system.
Are there examples of VPN audits being misleading?
Sadly, there are a few.
The NordVPN case is a particular eye-opener. Back in 2019, NordVPN claimed that its service had never been hacked or compromised.
Unfortunately for NordVPN, a data breach had already occurred in March 2018 but went undetected for over a year. This breach exposed the private keys used by NordVPN to secure most of its VPN connections, potentially compromising the entire thing: i.e. the security of its users. Not all users were compromised, but it’s still a scary thought.
Another example is the case of PureVPN. In 2017, PureVPN was accused of providing information to the FBI that famously led to the arrest of a man suspected of cyber stalking. PureVPN had claimed in its privacy policy, up to that point, that it didn’t keep logs of user activity. But it was later revealed that the company had in fact provided logs that identified the suspect’s IP address, among other details.
These instances demonstrate the fallibility of VPN providers’ self-reported data and why you should be cautious. Don’t get blindsided by the marketing spiel telling you that VPN audits are bulletproof; remember that they rely solely on the provider’s self-reported information, which is notoriously unreliable.
Your browser is probably leaking too…
It’s a truism that, while many people are aware of the importance of using a VPN, they often overlook the privacy issues posed by their own web browser.
This is because modern browsers are equipped with numerous APIs or modules that can “leak” data about your computer and operating environment. This information includes things like screen resolution, installed fonts and languages, browser version, operating system version, timezone, touch support, canvassing, WebGL rendering on a graphics card, battery level, accelerometer data, and more.
Gathering enough of these type(s) of data can enable the construction of a unique fingerprint of the user, even if they haven’t logged in or provided their explicit approval.
Don’t believe me? To test the uniqueness of your browser fingerprint, head over to the Cover Your Tracks service by the EFF, which employs several test methods to ascertain if you’re using a unique browser profile (i.e. if you’re unique or not).
Surprisingly, even with privacy-enhancing measures like Do Not Track and Enhanced Tracking Protection enabled, a unique browser fingerprint can still be used to track your activity online.
Don’t use the same browser
If you use the same browser profile for both “clear” surfing and VPN usage, you could be unwittingly exposing your real IP address and VPN IP address to the servers you visit. This is because the cookies and preferences stored in your browser could act as a “identity” and enable tracking across sites, particularly for services like Google and Facebook. An easy workaround is to use separate browsers – but not many people do that.
And while some browsers can be configured to block scripting that enables the collection of this data, doing so can break the functionality of many websites. Which is annoying. As a result, blocking such scripts is no longer a viable defence for most folk π
If you’re worried about fingerprinting, using a VPN can be a partial solution to prevent it, but make sure to follow safe & secure practices at all times.
Do Free VPNs do audits?
Generally, no.
This is because free VPNs do not have the same level of commitment to user privacy, and in fact I’ve warned for years that people should avoid using Free VPNs if at all possible. If you’re looking for an affordable VPN on a budget, that has been audited, then TunnelBear are again my number 1 choice here.
Mullvad isn’t a free VPN, but it does offer a free trial. I’m pleased to say that they’ve recently announced that they’re also going to start auditing.
Mullvad VPN server audit completed by Assured AB, with no information leakage or logging of customer data detected. https://t.co/lREPYFzi0j
— Mullvad.net (@mullvadnet) June 22, 2022
Verdict
So in summary, a VPN audit is only as good as the data that is audited. Don’t expect a miracle and don’t over-rely on a VPN audit to keep you safe. You should always practice ‘safe browsing’ if you’re concerned about online privacy, even when using a VPN.
That said, teh top VPNs in the world should all be committing themselves to an audit every so often, just to give their customer’s peace of mind. I’m fairly cynical about VPN audits in general, but I still think it’s better to have them than not.
