ProtonVPN’s No-Logs Policy Gets Certified

ProtonVPN announced the completion of a third-party audit of its infrastructure that confirmed the company’s strict no-logs policy. Now, when they say they are a no-logs VPN, it is not just a claim – it has been double-checked by independent experts.

The latest security audit included all Proton apps and was conducted by security experts from Securitum, which is a leading European security auditing company that oversees more than 300 security testing projects every year for major corporations and banks. And they haven’t found any significant security issues.

This, according to Proton, shows that their internal audits and culture of secure software development are effective. And because these are all open source apps, the security is further bolstered by Proton’s bug bounty program – which brings security experts together from all around the world to check the apps.

With a VPN service, however, it is also important to verify what is happening on the server side and not just the application side.

Why does it matter?

When you connect to a VPN, it effectively becomes your internet provider, which means it is able to track and log what you do online. While many VPNs claim to have no-logs policies, these policies do not always hold up when put to the test.

ProtonVPN’s strict no-logs policy was tested in a legal case in 2019. The company was ordered to turn over logs to help identify a user, but it was unable to comply because these logs did not exist. However, there remains the possibility that an incorrect server configuration or flawed system architecture could cause logs to be accidentally stored.

To address this potential issue, Proton asked Securitum to perform a thorough examination of the infrastructure and server-side operations. Securitum security experts spent several days on site reviewing Proton’s VPN configuration files and server configurations, assessing operating procedures, and interviewing the staff. The audit was extensive and checked the following:

  • Does ProtonVPN track your activity on VPN servers (servers that are passing the traffic)?
  • Does ProtonVPN log metadata about the activity on VPN servers, such as DNS traffic?
  • Does ProtonVPN inspect or log the network traffic on VPN servers?
  • Does ProtonVPN monitor or log information about which services and websites you connect to?
  • Does ProtonVPN monitor which services have been used by a specific VPN server?
  • Does ProtonVPN apply the same privacy policy to all servers, regions, and subscription tiers?
  • Does ProtonVPN have a specific process to ensure that any unauthorized configuration change (such as “log=false” to “log=true”) will be detected? Will it trigger an automatic alarm?
  • Does ProtonVPN have a proper change management process in place to ensure that any authorized changes applied to the logs-related configuration files are reviewed and approved by another employee (dual control)?
  • Do VPN configuration files have any logging enabled?
  • Does ProtonVPN log information about which VPN server you are connected to at a given time (or which users are connected to a specific VPN server at a given time)?

The resulting report confirms that Proton does NOT keep any metadata logs, does NOT log your VPN activity, and does NOT engage in any practices that might compromise your privacy.

It’s all about transparency

Proton is all about transparency and that’s one of the reasons why it made its apps open-source — so that everyone can check them.

But that’s not all; the company plans to perform periodic security audits and publish the results so everyone can read them before committing to using Proton’s services.

In case you're wondering, we love this approach and would like to see more VPNs taking this route. With that in mind, if you still haven’t got yourself a VPN – Proton is highly recommended. Check it out.

ProtonVPN
Price from: $4.99/mo
30-day money-back guarantee

Pros

  • Easy to use apps for popular platforms
  • Works with Netflix and Hulu
  • Dedicated servers for Tor and torrenting
  • There's a free version of the service

Cons

  • No live chat support
  • Doesn't work well with BBC iPlayer