Why PwC audit of NordVPN no-log policy is a big deal
The VPN industry is built on (often empty) promises of privacy. But users are smart – telling them you’re a “no-logging VPN” is no longer enough. After all, everyone says it!
NordVPN came face to face with this skepticism just a few months ago when they were accused of data-mining, logging user data, and worse.
Of course, healthy skepticism doesn’t mean the industry now lives in a post-factual world. There are good ways to prove your promises are not empty. Sometimes, claims get tested by law enforcement or intelligence agencies – a blessing in disguise for those who follow their own Privacy Policy. But there’s another way, too.
NordVPN has decided to prove its worth by hiring an authoritative independent auditor – one of the “big 4” in the business – PricewaterhouseCoopers (PwC). The stated goal of the audit was to investigate how NordVPN’s practices follow its stated “strict no-logging” policy.
In this article, we’ll take a look at what exactly the PwC report says and what it means.
The findings of the PwC report
No VPN service had ever submitted itself to an audit of its logging policy before, so naturally many were wondering how exactly it would go down. According to the leaked audit report, PwC performed the following procedures as part of the audit:
• Interview with responsible employees
• Observation of process to deploy configurations to VPN servers
• Inspection of relevant configurations for a sample of VPN servers
• Inspection of a sample of relevant configurations for all VPN servers
• Inspection of log files on a sample of VPN servers
• Inspection of relevant configuration on a sample of central infrastructure servers/services relevant for the NordVPN service
• Inspection of a sample of relevant configurations for all central infrastructure servers/services relevant for the NordVPN service
• Inspection of log files on a sample of central infrastructure servers/services relevant for the NordVPN service
• Inspection of databases on central databases relevant for the NordVPN service
This looks like a thorough regimen of tests, and even competitors should find it difficult to claim that NordVPN has bought itself a PR stunt. As we shall see, those who criticize the audit don’t do so on the grounds that the audit procedures were too easy or failed to “look in the right place.”
Some may find it concerning that PwC did not investigate the security of data within the NordVPN service or its specialized servers, such as double VPN, obfuscated, and Tor servers. However, we feel that the former is outside the scope of a logging audit, whereas the latter is a minor issue.
Having performed the outlined procedures, PwC concludes that NordVPN’s description of their no-logging policy is fair and accurate.
So we can put this all to rest, right? Well, not quite.
Criticisms of the NordVPN logging audit
As we all know, there’s always a fight when money is involved. This is no different: competitors and ordinary users alike were quick to find angles of attack on the NordVPN audit. Let’s discuss the main ones:
- The confidentiality of the report.
Publicly, NordVPN has only published a blog post about the report, rather than the report itself. Many have found this suspicious – why would the auditing agency want the report to be confidential?
Well, firstly, the publication of audit reports from “big 4” agencies is always placed under strict legal regulation. As for the reason the report is confidential and only available to users of the NordVPN service, consider that this is the first such report ever. PwC is smart to safeguard its reputation in this way.
Also, it’s not so difficult to find the leaked version of the report, which is what was undoubtedly expected in the first place.
- Session information.
The report says that:
Session information is periodically sent to the NordVPN authentication server for as long as the session is active. The information contains the username and the timestamp of the last session status. The aforementioned information is used to limit the amount of concurrent active user sessions and is deleted within 15 minutes after a session is terminated.
People are finding this problematic because it is, technically, logging. While that is true, it ignores the pragmatic reality of the VPN market and the limited significance of this data: a username and a last-seen timestamp, kept only while the session is active and for at most 15 minutes afterwards. Suffice it to say that if this is a VPN user’s only problem, then he/she is the most carefree VPN user in the world.
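To make concrete what the report describes, here is an added example (not NordVPN’s code, and not from the PwC report) of a concurrent-session limiter that retains only a username and a last-status timestamp and deletes a record within 15 minutes of the session ending; the concurrent-session limit of 2 is an assumed value, since the page does not state NordVPN’s actual limit.

```python
from dataclasses import dataclass
from typing import Dict, Optional

RETENTION_SECONDS = 15 * 60  # the report says records are deleted within 15 minutes of termination


@dataclass
class SessionRecord:
    username: str            # the only identifier retained
    last_status: float       # timestamp of the last periodic session status update
    ended_at: Optional[float] = None  # set when the session is terminated


class ConcurrentSessionLimiter:
    """Tracks active sessions per user without storing IPs, traffic or destinations."""

    def __init__(self, max_concurrent: int):
        self.max_concurrent = max_concurrent      # assumed limit, not a value from the page
        self._sessions: Dict[str, SessionRecord] = {}  # session_id -> record

    def active_count(self, username: str) -> int:
        return sum(1 for r in self._sessions.values()
                   if r.username == username and r.ended_at is None)

    def heartbeat(self, session_id: str, username: str, now: float) -> bool:
        """Record a periodic status update; returns False if a new session exceeds the limit."""
        rec = self._sessions.get(session_id)
        if rec is None:
            if self.active_count(username) >= self.max_concurrent:
                return False
            self._sessions[session_id] = SessionRecord(username, now)
            return True
        rec.last_status = now
        return True

    def terminate(self, session_id: str, now: float) -> None:
        rec = self._sessions.get(session_id)
        if rec is not None:
            rec.ended_at = now

    def purge(self, now: float) -> int:
        """Delete records whose session ended RETENTION_SECONDS or more ago; returns the count."""
        expired = [sid for sid, r in self._sessions.items()
                   if r.ended_at is not None and now - r.ended_at >= RETENTION_SECONDS]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def retained_fields(self) -> list:
        """The complete set of fields kept per session, for review against the logging policy."""
        return sorted(SessionRecord.__dataclass_fields__)
```

In a real deployment `purge` would run on a timer; here it takes an explicit clock so the retention window can be checked deterministically.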
- Panama, Cyprus – where are you based?
The PwC report says the audit was ordered by Tefincom S.A. Cyprus, although the NordVPN company claims to be owned by a Panama-based company. Not much to say here – international companies have international subsidiaries precisely for the purpose of making procedures (such as ordering an audit from PwC) simpler.
Conclusion
Poking holes in alibis is fun – we understand that. However, on this occasion we’d just like to recognize some facts that we should all celebrate:
A world-renowned company has performed the first-ever audit of a VPN’s logging policies and the report confirmed these policies were being followed.
This is a big milestone in the industry, and one that other service providers will hopefully feel obliged to answer: not by sowing doubts, but by asking for their own audits.