Deloitte Audits and Certifies PIA’s No Logs Policy

One of the world's biggest auditing firms reviewed PIA's server environment and found that it stores no logs...

Deloitte audits PIA

Beyond making its source code open and releasing regular Transparency Reports, Private Internet Access (PIA) is working to make its service stand out further in the market. To that end, the company announced that its No Logs policy has been audited by a Big Four firm. Deloitte reviewed PIA’s server environment and found that it stores no logs and no details that could be used to identify its users or pinpoint their activities.

How did Deloitte test PIA’s infrastructure?

PIA invited Deloitte Audit Romania to review its VPN server network and management systems in order to confirm that server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities. As part of the project, Deloitte inspected PIA’s server configuration and examined how it maintains a zero-log VPN service. The auditing firm found that, as of June 30, 2022, server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities.

The audit was conducted in accordance with the International Standard on Assurance Engagements 3000 applicable to Assurance Engagements Other Than Audits or Reviews of Historical Financial Information (ISAE 3000) established by the International Auditing and Assurance Standards Board (“IAASB”).

What does this mean for PIA customers?

Simply put, this means that PIA’s claims are true. It doesn’t store anything on its servers, which, BTW, are RAM-only, featuring no storage of any kind (like hard drives). These servers boot from a read-only image and use RAM modules, as opposed to hard disks, so with every reboot or power outage all data is immediately deleted.

As such, this network architecture prevents data retention. Furthermore, PIA says that the US government can’t force US-based VPN providers to violate a zero-log policy because of consumer protection laws. Unfortunately, the government has other ways of collecting data about all of us.

Back to PIA… Its announcement continues with a description of the security systems that are meant to ensure third-party entities can’t force their way into the network. One way it does this is by disabling all error logs and debugging information. If PIA engineers ever require error logs for development purposes, they create an entirely new traffic server inside an isolated environment. Despite the potential drawbacks for development and debugging, this is an acceptable trade-off for securing user data.

Even PIA’s dedicated IP service is built as a token-based system to prevent any association with a specific user. This token is only saved in the client, which isn’t enough for a server-side association.

Staying committed to users’ privacy…

PIA says that this latest audit is just one piece of the puzzle to protect the privacy and anonymity of its users. In fact, the company has been subpoenaed multiple times for logs in the past, and each time it had no data to share. Also, as mentioned above, its code is available for anyone to inspect and analyze.

Recently, in light of India’s No. 20(3)/2022-CERT-In directive, PIA was one of the VPN providers that pulled its servers out of the country and replaced them with virtual server locations. This decision was made to circumvent mandatory logging laws, as it (and a few other VPNs, for that matter) refused to compromise its service and no-logs commitment.

In the US, PIA launched the 50 Servers in 50 States campaign to help Americans protect their online privacy and secure their traffic from malicious actors.

The announcement ends with a promise of additional updates to PIA’s infrastructure. And you bet we’ll cover PIA once they have something new to share. Stay tuned in the meantime, or sign up for PIA if you’re looking for a great VPN (and, for some reason, still don’t have one).

Private Internet Access
Price from: $3.33/mo
30-day money-back guarantee

Pros

  • Fast, reliable download and upload speeds
  • Works great for Netflix and torrenting
  • Dedicated Chrome and Firefox extensions
  • Connect 10 devices simultaneously

Cons

  • Doesn't work well in China