ExpressVPN this week announced the results of an audit carried out on its virtual private network service by PricewaterhouseCoopers (PwC). The leading provider said that the audit represented a significant step towards a more transparent industry.
The audit provides valuable insight into the essential privacy protections promised by ExpressVPN in its privacy policy.
The guiding principle behind ExpressVPN’s privacy policy is that they “only collect the minimal data required to operate a world-class VPN service at scale.”
ExpressVPN clearly states that it does not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. They also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
But saying this and proving it are two very different things, which is why ExpressVPN turned to the leading professional services firm.
The PwC audit looked specifically at ExpressVPN’s technology stack and processes in order to ascertain whether they complied with the policies.
We believe that publishing such audits is crucial for trust and transparency in the industry, as they provide independent verification of the privacy and security commitments we make to customers. Simply put, they give confidence to consumers that they can trust ExpressVPN.
PwC also audited ExpressVPN’s TrustedServer technology. For those unaware, ExpressVPN’s VPN servers now run entirely on volatile memory (RAM), not on conventional hard drives. Since RAM requires power to store data and is not in any way persistent, this guarantees that all data on a server is wiped every time it is powered off and on again.
This, in theory, dramatically reduces the risks inherent to VPN server architecture. Not only is there less chance of sensitive data falling into the wrong hands, but because the entire software stack is reinstalled fresh on every server at startup, ExpressVPN is able to ensure that all servers are kept up-to-date, patched and running securely.
As is always the case with any service that is configurable and subject to change, the results of the audit are not a perpetual guarantee of privacy for users, but rather a snapshot of ExpressVPN services at the time of the audit.
Nevertheless, ExpressVPN’s willingness to open its books to one of the world’s most respected auditing firms is an admirable move and is another step towards building a more transparent, sustainable and open industry for all of us.
Anybody who is interested in finding out more about the audit can see complete details of what was covered here (PDF).