Back in November 2018, NordVPN published a blog post that brought into light the abridged results of an audit conducted, which focused primarily on NordVPN’s stringent no-log policies.
The revelations made in the blog post came at the most opportune moment, since it was earlier on in 2018 when the otherwise well-reputed VPN provider had to face a series of allegations regarding their connection with a Lithuanian tech company Tesonet- a tech company believed to be involved in data mining practices, along with running a residential proxy network.
The third-party security audit of NordVPN’s no-log policies, which was performed by one of the Big Four auditing firms, later revealed as PricewaterhouseCoopers (PwC) auditing firm, was not exposed to the public in its complete form; instead, the findings were ‘summarized’ in the blog post linked above.
As stated by NordVPN’s Daniel Markuson, the primary goal of the audit performed by PwC was to analyze the code and servers of the VPN provider, and cross-check whether NordVPN lives up to the claims it makes, specifically the claims they’ve made regarding their no-log policy.
It is also worth mentioning that NordVPN believes that it has “passed the test.”
What was the result of the PwC audit?
As far as the results of the audit report are concerned, it lines up with NordVPN’s belief and reaffirms that the VPN provider does not store any personal IP addresses or keep tabs on its customer’s browsing habits. (In simpler terms: a no-log policy).
With that said, similar to other reputable VPN providers, NordVPN does collect a tiny fraction of user information from functioning properly. Usually, the data collected by NordVPN is limited to a user’s concurrent active user sessions and is stored for 15 minutes on the VPN’s servers.
According to a leaked copy of the PwC audit report published on Reddit (which has since been taken down), the security auditing team from PwC had conducted several procedures as part of the audit, which included interviews with the staff responsible, inspection of log files on a sample of VPN servers, along with the overall examination of NordVPN’s infrastructure, including the analysis of relevant databases.
If we were to make an assumption based on the procedures employed by the security auditors from PwC, the argument that some people seem to make, which demeans the entirety of the security audit as nothing more than a PR stunt, falls apart.
The procedure followed by the PwC auditors makes it clear that they were thorough and immaculate in their examination and analyzed all relevant aspects of NordVPN’s servers before declaring the description of their logging policy as a fair and accurate representation to the services they offer.
Why does the PwC audit of NordVPN’s logging policies matter?
The notion of transparency and trust is a big deal in the cybersecurity world, even more so when VPNs are concerned. Although NordVPN certainly isn’t the first VPN provider to turn to independent auditing firms for security analysis (a more recent example being PwC’s audit of ExpressVPN), it holds much more significance in retrospect.
The biggest reason for the significance of the NordVPN security audit is the timing. Although we’ve skimmed over the NordVPN-Tesonet allegations, the issue created a significant dent in the otherwise immaculate reputation for the VPN provider.
Furthermore, there were even rumors circulated in cybersecurity regarding NordVPN being owned by the Lithuanian tech company. The result of the security audit performed by PwC cleared up any misconception that might have lingered about NordVPN’s logging policies.
Given the fact that an independent third party conducted the security audit, it also did a lot to help mend the trust that had been broken in the aftermath of the Tesonet speculation. The audit report also provided the company with the rare chance to respond to the allegations in a manner that benefited them from a marketing perspective as well.
Are there any criticisms of the PwC audit report?
Despite many prominent VPN providers, such as Surfshark, ExpressVPN, and Tunnelbear VPN, having jumped on the independent security audit ship- there’s still a lot of backlash VPN providers face, especially when there’s money concerned.
Usually, the most common criticism faced by VPN providers after hiring independent security auditors is that their efforts are labeled as superfluous or as “PR bait.” Some other critiques cybersecurity journalists and researchers have with the PwC security audit of NordVPN include the following:
- The confidentiality surrounding the report
As stated on their blog post, NordVPN has only published an abridged version of the audit report, instead of the actual report, on their website. For many people, this raises questions about the integrity of the blog post they published and the reasons behind keeping the results secret.
Instead of basing their suspicions on pure hearsay, consumers and researchers should know that the publication of the audit reports from the “Big Four” audit firms always falls under strict legal regulations, primarily to prevent excerpts being manipulated by the media in an unsuitable context.
- Where is NordVPN based in exactly?
A fair criticism that has risen out of the report has to do with the location NordVPN is, or at least claims to be based in. The PwC report states that Tefincom S.A Cyprus ordered the no-log security audit; a location miles away from Panama, where NordVPN claims to be based in.
This shocking revelation asks more questions than it answers and deserves clarification from NordVPN as well.
Final Words
Although NordVPN isn’t the first VPN provider to hire an independent auditing firm, their attempts further the importance of transparency and trust in the VPN industry.
Moreover, the security auditing conducted by PwC in regards to NordVPN’s logging policies also shines a light on the importance of coming clean to modern consumers, who won’t be content with “empty promises” anymore.
At the end of the article, we can only hope that this trend continues and VPN providers start to see third-party security auditing as a useful tool rather than an obligation.