VPN: is a security audit a guarantee of reliability?


Chloe Claessens

December 13, 2023 at 5:06 p.m.


No-log policy, inviolable anonymity and confidentiality are invariably part of the marketing pitch of VPN providers. But how can you check that these promises are true, and that a VPN is actually secure?

If you believe the VPN services themselves, none of them collects or stores its users' personal information. Yet on registration the user is required to reveal part of their identity, which is duly stored in a customer file. Moreover, the need to control bandwidth usage, to check the number of devices connected to the service and to ensure responsive maintenance suggests that these same providers log more private data than they readily admit. This practice is most common with free VPNs.

How does a VPN work?

A VPN acts as an intermediary between a machine and the rest of the Web by creating a secure tunnel through which encrypted data flows. By passing through this tunnel, the user's traffic is isolated from the rest of the traffic on the public network. It is not invisible: an observer on the path (the ISP, for instance) still sees that the machine is exchanging encrypted packets with a VPN server, and how many. What it cannot do is read their content, provided the service uses a strong cipher such as AES and a well-reviewed protocol such as OpenVPN or WireGuard.


Along this virtual path, the connection data passes through the VPN servers before reaching the servers of the requested websites and platforms. In order to forward the request to the right place, the VPN server must decrypt the tunnel layer that was encrypted on the user's device. As connection relays, these servers therefore occupy a strategic position in the circuit set up to conceal and protect personal information. Unlike third parties, which in theory can no longer link the user's identity to their online activity, the VPN is aware of all of it: the name and contact details supplied when the subscription was taken out, the real IP address, the destination of every request (and its content, when the inner connection is not itself protected by TLS), and the dates and times of each connection.
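The following is an added example, not code from the article or from any VPN vendor: a toy model of the relay described above, showing what each party (the ISP, the VPN exit node, the destination website) can see of a single request. The tunnel cipher is a deliberately simple HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES-GCM or ChaCha20-Poly1305 that real protocols use; the addresses, account name and requests are constructed.

```python
"""Who sees what in a VPN tunnel: ISP, VPN exit node, destination website.

Added example for this article, not code from the article or from any VPN
vendor. The tunnel cipher is a deliberately simple HMAC-SHA256 keystream
with an encrypt-then-MAC tag, standing in for the AES-GCM or
ChaCha20-Poly1305 that real protocols use; addresses and requests are
constructed (RFC 5737 documentation ranges).
"""
import hashlib
import hmac
import json
import os
import time

CLIENT_IP = "203.0.113.7"       # user's real address (constructed)
VPN_SERVER_IP = "198.51.100.9"  # VPN exit node (constructed)
TUNNEL_KEY = os.urandom(32)     # stands in for the key agreed at the VPN handshake


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the tunnel key."""
    return hashlib.sha256(key + label).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode, used as a stream cipher (toy, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified packet is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tunnel packet rejected: bad tag")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def client_send(dst_host: str, request: str, inner_tls: bool = False) -> dict:
    """Client side: the inner packet (destination + request) is encrypted; the
    outer IP header addressed to the VPN server cannot be, or the network
    could not route it."""
    inner = {"dst": dst_host, "body": "<TLS ciphertext>" if inner_tls else request}
    return {"src": CLIENT_IP, "dst": VPN_SERVER_IP,
            "payload": seal(TUNNEL_KEY, json.dumps(inner).encode())}


def isp_view(outer: dict) -> dict:
    """An on-path observer learns that this client talks to this VPN server,
    and how much, but not where the traffic is really going."""
    return {"src": outer["src"], "dst": outer["dst"],
            "bytes": len(outer["payload"]), "destination_known": False}


def vpn_server_relay(outer: dict, account: str) -> tuple:
    """Exit node: it must decrypt the tunnel layer to know where to forward,
    so it learns the account, real IP, time, destination and, absent inner
    TLS, the request content."""
    inner = json.loads(unseal(TUNNEL_KEY, outer["payload"]))
    seen = {"account": account, "client_ip": outer["src"], "when": int(time.time()),
            "dst": inner["dst"], "content": inner["body"]}
    forwarded = {"src": VPN_SERVER_IP, "dst": inner["dst"], "body": inner["body"]}
    return seen, forwarded


def website_view(forwarded: dict) -> dict:
    """The destination only ever sees the VPN server's address."""
    return {"client_ip_seen": forwarded["src"], "content": forwarded["body"]}


if __name__ == "__main__":
    pkt = client_send("shop.example", "GET /orders HTTP/1.1")
    seen, fwd = vpn_server_relay(pkt, account="john")
    print("ISP sees     :", isp_view(pkt))
    print("VPN node sees:", seen)
    print("Website sees :", website_view(fwd))
```

Run it once with `inner_tls=False` and once with `inner_tls=True`: in both cases the exit node learns who connected, from which real address, when and to which host; only the request body disappears from its view when the inner connection is itself TLS-protected. That is precisely the position of trust the rest of the article is about.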

It is therefore easy to see the problem with this omniscience granted to VPN providers: how can the confidentiality of personal data be guaranteed when one link in the security chain is itself aware of it? There is no truly satisfactory answer beyond the trust placed in the service you subscribe to.

No-log policy: promise vs reality

It is difficult, however, to place your trust in a private service without a certified, verifiable counterpart. Certain elements can nevertheless guide the user's choice, starting with the guarantee that no data is logged, also called a no-log policy.

The number one argument put forward by the vast majority of VPNs, the no-log policy means that the service neither records nor retains any personal information relating to the user's online activity: the user's real IP address, the dates and times of connection to the VPN, the websites visited and the amount of data exchanged.


Please note, however: when you subscribe to a VPN service, you generally have to provide your name, first name, pseudonym and contact details (postal, e-mail, banking, possibly telephone), which the provider keeps in a customer database. This is a normal step in forming the contract, and it must be kept separate from the online activity that passes through the VPN servers. A few providers, Mullvad among them, reduce this exposure by accepting cash and issuing a random account number instead of asking for an e-mail address.

In other words, a conscientious provider undertakes not to use this information to identify and track the user. Hence the importance of a no-log policy that really covers the logging and retention of connection data on the VPN servers, and not only the handling of account data.

But between the promise of total anonymity on the service's home page and the content of its privacy policy and/or terms of use, there is sometimes, often in fact, a world of difference. For example, ProtonVPN (“[…] We store nothing but just your last login attempt timestamp […]”) temporarily retains the timestamp of the last connection. The same goes for ExpressVPN, which does not hesitate to give this information more context (“[…] We may know, for example, that our customer John had connected to our New York VPN location on Tuesday and had transferred an aggregate of 823 MB of data across a 24-hour period […]”).

On a similar model, CyberGhost records so-called anonymized data (not associated with a user, in theory), but its precision leaves one wondering (“Connection attempt: We collect this information to know the usage request made to our Service on a particular hourly/daily/weekly/monthly interval, country of origin, your Cyberghost VPN version, etc. […]”).

More worryingly, the HideMyAss services (VPN and VPN Proxy extensions) collect and log the source IP address, connection timestamps and bandwidth usage.
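The quoted policies all describe what sounds like harmless bookkeeping: a login timestamp, an exit location, an aggregate byte count over a day. The following added example (not the article's code, nor any provider's or investigator's procedure) shows why such records are still identifying: given a constructed VPN-side log with exactly those fields, and a single constructed observation from the other side of the relay (say, a web server's access log quoted in a legal request), plain time, location and volume matching narrows the user base to a shortlist with the real account at the top. All log entries, names and figures are constructed.

```python
"""Why a "minimal" connection log is still identifying.

Added example for this article, not code from the article or from any
provider named in it. The VPN-side records mirror the fields the quoted
policies admit to keeping (account, exit location, login timestamp,
aggregate bytes over the session); every entry is constructed.
"""
from datetime import datetime, timedelta

# Constructed VPN-side log: (account, exit location, login time UTC, bytes in session)
VPN_LOG = [
    ("john@example.com",  "new-york", "2023-11-07T08:40:00Z",   823_000_000),
    ("alice@example.com", "new-york", "2023-11-07T08:55:00Z",    41_000_000),
    ("bob@example.com",   "new-york", "2023-11-07T08:50:00Z", 2_900_000_000),
    ("carol@example.com", "london",   "2023-11-07T09:00:00Z",   830_000_000),
    ("dave@example.com",  "new-york", "2023-11-06T08:00:00Z",   825_000_000),
]

# Constructed observation from the other side of the relay: the VPN exit at
# this location served a download of this size, starting at this time.
OBSERVED = {"exit": "new-york", "time": "2023-11-07T09:05:40Z", "bytes": 810_000_000}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def by_time_and_location(vpn_log, observed, session_max=timedelta(hours=24)):
    """First cut: sessions on the right exit whose window (login time plus the
    24-hour aggregation period the policy mentions) covers the observed time."""
    t = parse_ts(observed["time"])
    return [row for row in vpn_log
            if row[1] == observed["exit"]
            and parse_ts(row[2]) <= t <= parse_ts(row[2]) + session_max]


def rank_by_volume(rows, observed):
    """Second cut: a session cannot have moved fewer bytes than the observed
    transfer; among the rest, the closest aggregate is the likeliest match."""
    feasible = [row for row in rows if row[3] >= observed["bytes"]]
    return sorted(feasible, key=lambda row: row[3] - observed["bytes"])


def identify(vpn_log, observed):
    """Return candidate accounts, most likely first. An empty list is the only
    answer a genuinely no-log server can give."""
    ranked = rank_by_volume(by_time_and_location(vpn_log, observed), observed)
    return [row[0] for row in ranked]


if __name__ == "__main__":
    print("time/location filter:", [r[0] for r in by_time_and_location(VPN_LOG, OBSERVED)])
    print("after volume ranking:", identify(VPN_LOG, OBSERVED))
    print("no-log server       :", identify([], OBSERVED))
```

Five accounts go in; the location and time window keep three, the volume check drops the one whose whole session was smaller than the observed download, and the closest aggregate lands first. Nothing here requires destination addresses or request content: the fields the quoted policies describe as innocuous are enough.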

There have also been scandals in the past that exposed data collection and logging by services claiming the opposite. That was notably the case in 2016, when IPVanish handed user identities, source IP addresses, e-mail addresses and connection timestamps to the FBI as part of an investigation into a child abuse network, even though the service claimed to retain none of this information.

The audit: proof of honesty?

The no-logs label is therefore in no way a guarantee of confidentiality: some VPN services still permit themselves to record and retain information about connections to their servers.

To stand out, the most popular providers also put forward the security audit argument. By submitting their infrastructure to an assessment by a third-party company, they intend to prove their honesty about the strict no-log policy they promise to apply. Note that such audits are only worth something if they are carried out regularly by independent firms, cover the production infrastructure actually in use rather than a test environment, and are subsequently published. An audit is a snapshot of a given scope on a given date, nothing more.


A model pupil, NordVPN can point to two audits of its service, in 2018 and in 2020, both conducted by PricewaterhouseCoopers (PwC), a firm with a solid reputation in this field. The methodology and conclusions are summarised on the provider's website, but the original report itself is nowhere to be found.

The same goes for ExpressVPN, which had its new infrastructure audited by PwC and its browser extensions by Cure53. The conclusions were published in 2019 on the provider's website, but not on those of the firms that carried out the audits. It is, however, possible to consult certain reports on the Cure53 site, among which are the results of recent audits of Mullvad, TunnelBear and Surfshark.

In short: an audit is good; an audit published in its original, unabridged form is better.

The Private Internet Access case

There are, however, counter-examples: services which, with no audit or any other formal proof of their good faith, have nonetheless demonstrated their honesty in a way that is hard to dispute today.

This is the case of Private Internet Access, twice ordered by US courts to hand over all the logs in its possession, first in 2016 and again in 2018. In both cases the service was unable to comply: consistent with its strict no-log policy, PIA (based in the United States) had recorded nothing and retained no connection data about its users. That is a privacy policy the VPN service was able to prove in court twice, which attests to its seriousness in matters of anonymity, security and confidentiality, even if it is evidence of past practice rather than a guarantee for the future.


Comparison box (as shown on the page):

1. CyberGhost VPN: 9561 servers, 100 countries covered, 7 simultaneous connections, 45-day free trial, no data log. Score 9.8.

2. NordVPN Essential: 5873 servers, 60 countries covered, 6 simultaneous connections, 30-day free trial, no data log. Score 9.7.

3. ProtonVPN: 3104 servers, 69 countries covered, 10 simultaneous connections, 30-day free trial, no data log. Score 9.

Chloe Claessens

I dismantle, I reassemble, I repair, I tinker, I experiment, I divert, I shape, I start again. Determined, nothing electrifies me more than spending hours trying to understand the why and the how, until it works. If I'm not behind my screen testing software or writing about Silicon Valley, you'll find me in the vegetable garden configuring a connected irrigation circuit, powered by solar energy.




