VPN audits: what do they mean and why are they important?

(Image credit: Shutterstock)

Install a VPN and you're asking that provider to protect all your most important online activities, so it's vital to pick a company you can trust.

How can you know who lives up to their privacy promises, though, and who might be secretly selling your browsing history on the side?

Providers used to hope you'd take their word for it, so if they said 'WE ARE A NO LOG VPN' on the website, in a really big font, you'd believe them and sign up.

Unfortunately, regular news stories about major VPN security failures have seriously damaged confidence in the industry, and user trust is in very short supply.

The top providers understand the problem, at least, and many now try to provide evidence of their honesty by putting themselves through an independent VPN audit. But what does this mean, and what can a VPN audit really tell you about how the software works?

What is a VPN audit?

A VPN audit is a process where a provider calls in an experienced independent company like PricewaterhouseCoopers to check an aspect or some aspects of its service.

Exactly which aspects are investigated depends on the scope of the report. 

Take Surfshark, for example. In its 2018 audit, only the service's browser extensions were audited. The results were good, but couldn't tell customers much about the VPN as a whole. And if you never use the VPN extensions, then the audit really told you nothing at all.

In May 2021, though, Surfshark had its servers audited, a much wider and more interesting test. 

ExpressVPN, on the other hand, had a full no log audit carried out that saw PricewaterhouseCoopers check its servers, source code, configurations, even interview its staff. And TunnelBear goes further than most, putting itself through a comprehensive audit of its servers, apps and backend systems every year. 

When you next read a VPN boasting about its latest audit, check the areas the auditor inspected, and the information they could access. If they looked at the mobile VPN apps, for instance, did they see the source code. Or were they only able to install and run the apps like regular users? 

Generally, the more areas put under the microscope and the more access given to internal systems, the more significant an audit should be, with TunnelBear's 'look at everything' approach the high watermark.

Where is the VPN audit report?

The best VPN audits result in a very detailed report about everything the auditor found, and this should ideally be available for everyone to download.

Sometimes the report is only available to customers, but that's usually a condition enforced by the auditors more than the VPN trying to be sneaky. It's not ideal, but as long as it's available somewhere, that's what counts. That's because if the audit report isn't accessible, you're left to rely solely on the VPN's interpretation of the results. 

The company might have published some really enthusiastic blog post about how brilliantly it did, for instance, but has it really listed everything the audit found? If it just says, 'the audit didn't uncover any serious problems', how can you be sure that's true? 

Without access to the report, all you can do is take the VPN's word on trust, which is the very problem the audit was supposed to solve in the first place.

Interpreting VPN audit results

If you can read the audit report or the VPN does accurately summarize it, then the results often seem alarming. We've seen reports which talk about finding 10, 15 or even more problems with a service, which sounds like it could be a very big deal.

Don't rely solely on numbers, though. The best independent audits often report on tiny details with minimal or no security impact. We've seen one report point out that an internal VPN function wasted a little memory by allocating 128KB of RAM when it only needed 64KB, for instance. That's an issue, but only a very small one, yet it was enough to get listed in the audit report.

What's more interesting is to see how many issues have been classed as critical - the most dangerous vulnerabilities. Usually, the report says the provider has fixed these, but that's not entirely reassuring. If a VPN made some big security blunders before the audit, it's entirely likely they'll make new ones after it.

How important are VPN audits, really?

The most impressive VPN audits cover all key areas of a service, including the apps, the servers, and the infrastructure that ties everything together. The more access the auditor was given, the more relevant the results should be.

Don't completely rule out smaller audits, though - they might still give you a general idea of what a provider can do. If an auditor only looks at Android VPN app but says they're amongst the best it's seen, that suggests this VPN has real expertise, and there's an above-average chance that's the case in other areas, too.

Always check the date of an audit, too. A provider might boast that it's 'fully audited', but if that was two or three years ago, it might not say much about how the service works now. 

Overall, though, we think every audit deserves some credit, no matter how narrow the scope, or whether you can read the report or not. At least the provider is making some effort to show you it's trustworthy, and that's more than you can say about many VPNs.

Read more:

• Get protected online for less with a great cheap VPN...
• ...and with market-leading antivirus software
• Ensure online anonymity with a no log VPN