PureVPN has recently undergone a much-needed independent audit of their “no logs” claim. I say much-needed both because transparency is something that the VPN industry as a whole is in dire need of and PureVPN’s own controversies in the past called for a thorough house-cleaning.
After a number of VPNs like ExpressVPN, NordVPN, TunnelBear, and VyprVPN, PureVPN is now the latest provider to receive an auditor’s validation to further strengthen user trust.
“[Altius IT] did not find any evidence of system configurations and/or system/service log files that independently, or collectively, could lead to identifying a specific person and/or the person’s activity when using the PureVPN service.”
However, there is still a lot of ambiguity surrounding logging policies of VPNs in general, something that PureVPN specifically has received unwarranted flak for over the years. The truth is, it’s simply impossible for any VPN to operate with no records about their customers at all.
As such, it is important to classify logs into two types: logs having the power to undermine your online privacy (usage logs) and logs that are simply harmless as far as the preservation of your privacy is concerned (account credentials).
It is the former i.e. logs containing personally identifiable information (PII) such as names, email addresses, personal IP addresses etc. that no legitimate VPN has any business storing.
The independent audit that PureVPN has undergone proves that, as far as PII is concerned, all the no-logging guarantees the company has been giving to customers are perfectly legitimate.
Given PureVPN’s history, however, this might raise a few eyebrows among those who have prior familiarity with the brand, particularly in relation to the FBI case that occurred in 2017.
We believe this audit has afforded the perfect moment for PureVPN to come clean and set the record straight concerning the company’s whole stance on user privacy. This is why we reached out to PureVPN with a few questions of our own:
Q.1 Why did PureVPN wait until now to get this independent audit undertaken? Is this a silent confession that the company was storing logs before?
“This Audit is a series of steps that we are taking to further cement our commitment to true privacy.
However, following Apple’s stance with the FBI iPhone case and with the advent of GDPR, we felt that we are seeing enough global support to move from “Zero Browsing Logs” policy to “Zero User Logs” policy; key difference being timestamps and incoming (original) ISP IP Addresses.
Q.2 This audit seems limited in scope as it only took into account the logging aspect of your service. Is there any reason the audit did not holistically inspect your complete infrastructure to identify underlying strengths and weaknesses?
“This is not a limited scope audit. It’s a full-scope extensive audit. We allowed and provisioned all accesses for them to pick up and inspect whichever systems they wanted at their will. They looked at everything from our VPN servers, configurations, systems services, and APIs. They also looked at our databases and traced the entire data flows to ensure that no user identifiable information was stored nowhere.
Q.3) Many of your servers are located in countries that may have mandatory data retention requirements such as the US. How do you ensure adherence to your “no logging” policy when users are connected to these servers?
Q.4) What is the company’s response in the event that you receive a warrant or court order to disclose a customer’s information?
PureVPN specifically chose Hong Kong (HK) for its headquarter because there are “No Mandatory Data Retention Laws” in Hong Kong. We are, therefore, not legally obliged to store user data and share it with anyone. Moreover, as stated above, we have no worthwhile data to share with any law enforcement agency from any particular country in the world. Even if we receive subpoenas that are legally upheld in the court of law in Hong Kong, we won’t be of much help since we have almost nothing of value to share.”
Q.5) Considering the existing situation in Hong Kong – the region you are based in – and the threat from China to the region’s sovereignty, how could this affect PureVPN’s commitment to staying a log-free VPN in the future?
“We are aware of that, at present however we don’t see anything that may impact PureVPN. We are constantly on the watch here and will take necessary action when time or circumstances demand.”
PureVPN has certainly come a long way. With the auditing firm now confirming PureVPN’s logging claim, the company is all set to take a brand new start and strengthen their reputation as a company that respects user’s privacy above all else.
Perhaps that is what separates forward-thinking, customer-centric companies from those that inevitably languish in irrelevance – a fate PureVPN is continuing to make significant headway against.