ExpressVPN gets audited by third-party PwC

Following the emerging trend of promoting the principles of transparency and accountability, ExpressVPN allowed it’s infrastructure to be independently audited by PwC.

As stated on the blog post highlighting the audit examination, ExpressVPN reimburses the idea of trust and security, going as far as to say that the well-reputed VPN provider is “fanatical” about their user’s privacy.

The third-party audit conducted by PwC set out to examine ExpressVPN’s servers and code, to confirm whether or not the VPN provider grandiose claims of transparency and security made in their privacy policy.

How can the claims made by ExpressVPN be trusted?

In an attempt to further boost the trust that most users place in ExpressVPN, the VPN provider called in security audit experts from one of the “Big Four” auditing firms, PwC (PricewaterhouseCoopers).

The team of the third-party security auditors were then tasked with examining ExpressVPN’s code, along with conducting extensive interviews of team members in order to determine whether the VPN servers were working in alignment with the stated privacy policy.

Moreover, the third-party auditors were also assigned with the hefty task of cross-checking and analyzing whether or not the VPN servers were compliant with ExpressVPN’s stringent no-log policy, along with looking into the recently implemented TrustedServer, which ensures that a user’s browsing history is erased each time a server is rebooted. Further details regarding the assessment conducted by PwC can be found here.

Although the report is available to customers, reviewers and journalists, the full results of the audit have not yet been disclosed publicly, primarily because PwC does not allow extracts from the report to be shared, for the purpose of a result being taken out of context and misunderstood by the VPN-using public.

As mentioned in their blog post, existing customers of ExpressVPN can access the findings of the audit by logging in and visiting the Privacy and Security Audits page, whereas members of the press and media can email and request a copy of the report.

What process did the security auditors follow?

As far as the principles of transparency are concerned, the efforts made by ExpressVPN to come through clean deserve to be applauded, particularly as far as the access they gave to the third-party security auditors from PwC.

To enable PwC to conduct a thorough analysis of their servers, ExpressVPN provided them with complete access to their code, servers and system information for the course of a month. Throughout the month, the security audit team conducted interviews with the staff responsible for managing VPN servers, along with inspecting technical log files, source code and configurations and server deployment processes.

What did ExpressVPN’s third-party audit establish?

As we mentioned above, at the time of writing this, the full extent of the findings of the report are only accessible to those individuals who acknowledge PwC’s terms and conditions before accessing it.

With that said, however, the third-party audit conducted by PwC is definitely a step in the right direction, as far as transparency is concerned in the VPN industry. As mentioned in ExpressVPN’s blog, online security and privacy have never been more essential as they are today, in the ever-evolving threat landscape facing most internet users today.

Unlike the previous audit conducted by Cure53, PwC’s security audit of ExpressVPN validates the fundamental security components of the VPN providers, instead of simply checking for compliance with the described privacy policy.

Moreover, the audit also signifies the prevalence that the recent trend of third-party security audits has gained in the Virtual Private Network market. Several other VPN providers, including the likes of Tunnelbear, Surfshark, NordVPN and VyprVPN, have also jumped in on the bandwagon and have conducted independent security audits as well.

As far as the security audit teams are concerned, most VPN providers turn to one of the “Big Four” for the independent analysis of their servers, however, some VPN providers have turned to Cure53 (including ExpressVPN) – a German penetration testing specialist, which focuses more on the security aspect of VPNs, unlike the audit done by PwC, which took a more holistic approach and examined the infrastructure of said VPN providers.

Parting Words

Although the primary reason behind conducting an independent audit is to have a third-party examine a VPN provider’s infrastructure thoroughly, it also serves as an effective marketing tool. Despite being costly and time-consuming, a third-party audit sets a VPN provider apart from its competition and helps build a solid community of loyal customers, as demonstrated by the recent inspection conducted on ExpressVPN.