VPN giant NordVPN announces the findings of a new audit, conducted by consulting firm PricewaterhouseCoopers. This aimed to verify whether what is announced in its privacy policy, namely to store nothing on Internet users and their activities, is properly applied.
Location of servers, speed or even connection stability: when it comes to evaluating VPN offers, there is no shortage of comparison criteria. But the performance of the service and the path taken by the Internet connection are not the only elements that are considered by Internet users: other points are sometimes taken into account, such as confidentiality.
Briefly summarized, a VPN is a virtual private network that encapsulates the connection in an encrypted tunnel, to protect it from any interception or alteration, and to pass it through one or more intermediate servers, generally located abroad. So the site or service at the other end only sees the IP address of the last intermediate server, not yours – which muddies the trail.
In this area, ProtonVPN stood out at the start of the year by announcing the opening of the source code for all of its mobile applications and shared the results of several security audits. This time, it’s NordVPN’s turn to play its card, highlighting the conclusions of an audit conducted by PricewaterhouseCoopers, a leading consulting firm, on its data retention policy.
An audit to verify that NordVPN does not keep anything
More specifically, the audit aimed to confirm NordVPN’s assertion that it does provide a VPN service without history or activity log (no-logs policy). The audit validated the allegation that the company puts forward on its website, at least during the evaluation period of PricewaterhouseCoopers. This took place from May 20 to 28, 2020, specifies NordVPN.
In its commercial communication, the company claims to keep nothing: IP addresses, online activities, bandwidth usage data, session information or connection time stamps. Therefore, in principle, NordVPN is not expected to provide much in the event of an application, including in legal matters – which is not entirely neutral.
In detail, the audit included interviews with employees, inspections of server configuration, checks of technical logs and visits to other servers used by NordVPN. PricewaterhouseCoopers also verified that the configurations that were reviewed were indeed those that were used for the customers of the VPN operator.
This type of audit is not entirely new. NordVPN had already driven an identical one in 2018 and one of its competitors, ExpressVPN, had also requested the participation of an independent auditor – in this case, it was already PricewaterhouseCoopers – in 2019 to show that what is announced in its privacy policy is well enforced by the VPN.
According to NordVPN, this new review ” was much wider ” Among other things, it has been extended to its specialized servers and services that had not been included in the past. This includes obfuscated servers and services (offered in the event of significant restrictions in terms of Internet access), Double VPN (to benefit from double encryption) and P2P (for P2P exchanges, precisely).
However, this does not mean that NordVPN knows absolutely nothing: some elements are kept, if only to be able to have an account (an email is required) and for the subscription (NordVPN is not free ). Other data is also kept, such as exchanges with customer service or temporary time stamping of connections, to avoid excessive sharing of the same account.
If legitimate considerations can lead to using a VPN, to have peace on the Internet without being followed by targeted advertising for example, much less avowable motivations also play an important driving role: pirating cultural content on P2P networks without get caught, for example.
