Reading Time: 3 minutes

PureVPN has recently undergone a much-needed independent audit of their “no logs” claim. I say much-needed both because transparency is something that the VPN industry as a whole is in dire need of and PureVPN’s own controversies in the past called for a thorough house-cleaning.

After a number of VPNs like ExpressVPN, NordVPN, TunnelBear, and VyprVPN, PureVPN is now the latest provider to receive an auditor’s validation to further strengthen user trust.

Altius IT, the California-based network security auditing firm, summed up its 18-day long inspection of PureVPN’s no-logs policy in these words:

“[Altius IT] did not find any evidence of system configurations and/or system/service log files that independently, or collectively, could lead to identifying a specific person and/or the person’s activity when using the PureVPN service.”

However, there is still a lot of ambiguity surrounding logging policies of VPNs in general, something that PureVPN specifically has received unwarranted flak for over the years. The truth is, it’s simply impossible for any VPN to operate with no records about their customers at all.

As such, it is important to classify logs into two types: logs having the power to undermine your online privacy (usage logs) and logs that are simply harmless as far as the preservation of your privacy is concerned (account credentials).

It is the former i.e. logs containing personally identifiable information (PII) such as names, email addresses, personal IP addresses etc. that no legitimate VPN has any business storing.

The independent audit that PureVPN has undergone proves that, as far as PII is concerned, all the no-logging guarantees the company has been giving to customers are perfectly legitimate.

Given PureVPN’s history, however, this might raise a few eyebrows among those who have prior familiarity with the brand, particularly in relation to the FBI case that occurred in 2017.

We believe this audit has afforded the perfect moment for PureVPN to come clean and set the record straight concerning the company’s whole stance on user privacy. This is why we reached out to PureVPN with a few questions of our own:

 

Q.1 Why did PureVPN wait until now to get this independent audit undertaken? Is this a silent confession that the company was storing logs before?

“This Audit is a series of steps that we are taking to further cement our commitment to true privacy.

Prior to 25th May 2018, which happens to be the date of GDPR law as well, we were following a different privacy policy. That policy allowed us to cooperate with the law enforcement in case of serious crimes such as child pornography, terrorist activities, and the likes. We called it “Zero Browsing Logs” policy. That old policy was described and explained very clearly in our response to the FBI event back in Oct 2017.

However, following Apple’s stance with the FBI iPhone case and with the advent of GDPR, we felt that we are seeing enough global support to move from “Zero Browsing Logs” policy to “Zero User Logs” policy; key difference being timestamps and incoming (original) ISP IP Addresses.

So with effect from 25th May 2018, we are following a different version of Privacy Policy (Zero Logs policy with absolutely no browsing logs, no individual timestamps of connect/disconnect and no logging of incoming original ISP IP addresses or it’s association in any form with masked VPN IP addresses). Since then, PureVPN has gone through a series of audits focusing on different aspects of the service from security, privacy, logging policy.

Here’s the latest privacy policy: You can read PureVPN’s privacy policy here:

https://www.purevpn.com/privacy-policy.php

 

Q.2 This audit seems limited in scope as it only took into account the logging aspect of your service. Is there any reason the audit did not holistically inspect your complete infrastructure to identify underlying strengths and weaknesses?

This is not a limited scope audit. It’s a full-scope extensive audit. We allowed and provisioned all accesses for them to pick up and inspect whichever systems they wanted at their will. They looked at everything from our VPN servers, configurations, systems services, and APIs. They also looked at our databases and traced the entire data flows to ensure that no user identifiable information was stored nowhere.

PureVPN has gone through a series of audits for security, privacy, and logs. We keep engaging independent reputable auditors from time to time to provide better services and assurance to our customers in over 140 countries worldwide. Apart from being the first to comply with GDPR and having the most transparent Privacy Policy, PureVPN is the first and only provider to have a public paid bug bounty program (Bugcrowd.com/purevpn) where 90,000+ strong community of white hat hackers continuously test and strengthen our service. We strive day and night to deliver more and more value to millions of subscribers in over 140 countries who trust their security and privacy with us.”

 

Q.3) Many of your servers are located in countries that may have mandatory data retention requirements such as the US. How do you ensure adherence to your “no logging” policy when users are connected to these servers?

We are based in Hong Kong and there is no mandatory data retention law here. Furthermore, we carefully choose the data centers that suit our privacy policy. Any non-compliance to our requirements is accordingly informed and settled within the contracts we do with third party data centers before acquisition of services in those countries.”

 

Q.4) What is the company’s response in the event that you receive a warrant or court order to disclose a customer’s information?

“We have openly mentioned in our privacy policy that:

PureVPN specifically chose Hong Kong (HK) for its headquarter because there are “No Mandatory Data Retention Laws” in Hong Kong. We are, therefore, not legally obliged to store user data and share it with anyone. Moreover, as stated above, we have no worthwhile data to share with any law enforcement agency from any particular country in the world. Even if we receive subpoenas that are legally upheld in the court of law in Hong Kong, we won’t be of much help since we have almost nothing of value to share.”

 

Q.5) Considering the existing situation in Hong Kong – the region you are based in – and the threat from China to the region’s sovereignty, how could this affect PureVPN’s commitment to staying a log-free VPN in the future?

“We are aware of that, at present however we don’t see anything that may impact PureVPN. We are constantly on the watch here and will take necessary action when time or circumstances demand.”

Final Thoughts

PureVPN has certainly come a long way. With the auditing firm now confirming PureVPN’s logging claim, the company is all set to take a brand new start and strengthen their reputation as a company that respects user’s privacy above all else.

Perhaps that is what separates forward-thinking, customer-centric companies from those that inevitably languish in irrelevance – a fate PureVPN is continuing to make significant headway against.