PureVPN’s Audit: Every Cloud Has a Silver Lining (No-Logs Verified)

Last updated: September 7, 2019
Muhammad Hamza Shahid

PureVPN gets audited by Altius IT, so I decided to ask them a few technical questions!

PureVPN Audit for No Logs

PureVPN joins the ranks of top VPN services that have had their no-logs claims independently verified, as part of its commitment to delivering strong privacy and security to customers around the world.

The security audit firm Altius IT examined whether PureVPN retains any record of DNS queries, outgoing traffic, visited websites, browsing history, connection times, the user's originating IP address, the assigned VPN IP, connection logs, or browsing activity.

They also inspected PureVPN's system log files, network infrastructure documents, and system configurations, after which they officially gave PureVPN a clean bill of health on its no-logs claims.

As audits are becoming a trend in the VPN industry, I decided to come up with a series of technical queries, sending them to different VPN services that have undergone an audit.

Since PureVPN only recently released news about their audit, they were quite proactive in responding to our questions, providing detailed answers:

1. Why did you choose Altius IT?

We chose Altius IT due to their 25-year track record and accreditation for security audits (ISACA for CISA, CRISC & CGEIT). They are based in California which is well known for large scale consumer Internet companies.

They have experience with Internet scale enterprise and consumer architectures. And they understand the privacy nuances required by Internet scale companies to operate in a global setting.

The Altius IT approach was impressive. The Altius IT team surprised us with their thoroughness with the company principals becoming mystery users, conducting hands-on audit work and threat analysis. The uniqueness of the scenarios and the number of audit activities were unexpected.

2. What was the extent of this Audit?

It was an intensive end-to-end audit. We provisioned all the access they needed to pick whichever systems they wanted at will. They looked at everything from our VPN servers to configurations to system services and APIs.

They also looked at our databases and traced the entire data flows to ensure that no user-identifiable information was stored anywhere. The full audit report is available to publishers upon request and has been made available to all our users inside the Members Area.

3. What additional steps, if any, are you planning to reassure users of highest privacy standards?

This audit is part of a series of steps that we are taking to further cement our commitment to true privacy. Apart from being the first to comply with GDPR and having the most transparent Privacy Policy to date, PureVPN is the first and only provider to have a public paid bug bounty program (Bugcrowd.com/purevpn), where a 90,000+ strong community of white hat hackers continuously tests and strengthens our service. We strive day and night to deliver more and more value to the millions of subscribers in over 120 countries who trust us with their security and privacy.

Our next move, that we are keeping close to the chest for now, will be equally exciting and Industry-first for our privacy conscious subscribers.

4. How do you verify being logless but still impose limits on simultaneous connections?

We don’t need logs to watch for simultaneous user connections. We simply rely on the LIVE connection state to find the number of active connections, which are immediately cut off if they exceed the specified limit.

For instance, if one of our users connects to any VPN node and then uses the same account to establish another VPN connection, the count number switches from 1 to 2 on our centralized session manager (audited by the independent auditors). If another connection is added on top of that, it becomes 3.

If the user continues to add more connections, eventually exceeding the count of 5, which is our limit, all the connections are instantly terminated (and the user will receive an email stating that they have violated our "multilogins limit").
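
The scheme described in answer 4, written out as an added example for this article (it is not PureVPN's session manager): a counter held only in live memory, keyed by account, that enforces the cap and tears every tunnel down when it is exceeded. The limit of 5 and the terminate-and-notify behaviour come from the answer; the class, the account and session identifiers, and the notification stand-in are assumptions made for the demonstration.

```python
"""Simultaneous-connection cap enforced from live session state only.

Added example illustrating answer 4 above; it is not PureVPN's session
manager. The limit of 5 and the terminate-everything-and-notify behaviour
come from the answer; the data structures, the notify stand-in and the
account/session identifiers are assumptions for the demonstration.
"""
from typing import Dict, List, Set, Tuple

MAX_SIMULTANEOUS = 5


class LiveSessionManager:
    """Tracks only the set of currently open tunnels per account.

    Nothing is appended to a history: a disconnect removes the entry, so an
    idle account leaves no trace in memory and nothing is written to disk.
    """

    def __init__(self, limit: int = MAX_SIMULTANEOUS) -> None:
        self.limit = limit
        self._live: Dict[str, Set[str]] = {}
        # Stand-in for the "multilogins limit" e-mail (constructed, not a
        # real mailer): records (account, reason) so the caller can inspect it.
        self.notifications: List[Tuple[str, str]] = []

    def connect(self, account: str, session_id: str) -> int:
        """Register a new tunnel and return the live count afterwards.

        When the count would exceed the limit, every tunnel for the account
        is torn down and 0 is returned.
        """
        sessions = self._live.setdefault(account, set())
        sessions.add(session_id)
        if len(sessions) > self.limit:
            self.terminate_all(account)
            self.notifications.append((account, "multilogins limit"))
            return 0
        return len(sessions)

    def disconnect(self, account: str, session_id: str) -> None:
        """Drop one tunnel; forget the account entirely when none remain."""
        sessions = self._live.get(account)
        if sessions is None:
            return
        sessions.discard(session_id)
        if not sessions:
            del self._live[account]

    def terminate_all(self, account: str) -> None:
        """Cut every tunnel for the account (a real system would signal the nodes)."""
        self._live.pop(account, None)

    def active_count(self, account: str) -> int:
        return len(self._live.get(account, ()))

    def tracked_accounts(self) -> Set[str]:
        """Accounts with at least one open tunnel; idle accounts are absent."""
        return set(self._live)


if __name__ == "__main__":
    mgr = LiveSessionManager()
    for n in range(1, 7):
        print(f"connection {n}: live count = {mgr.connect('alice', f'node-{n}')}")
    print("accounts still tracked:", mgr.tracked_accounts())
```

The point a reviewer would check is the absence of any append-only structure: the only state is the set of open tunnels, and `tracked_accounts()` is empty as soon as an account's last tunnel closes, so there is nothing to hand over after the fact.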

5. VPN termination nodes have full visibility of a user's identity and activity. How do you ensure that information is deleted after a session is terminated?

All VPN termination nodes are configured via a central configuration management system to explicitly NOT log the user identity and activity, therefore no information erasure is required.

6. What happens to the openvpn.log file and the information present in it upon VPN connection/disconnection?

All running OpenVPN services on PureVPN’s termination nodes do not store any logs because of the initially set configuration variables:

log /dev/null
status /dev/null

This essentially means that the logs from OpenVPN, which are turned on by default, have been disabled and piped through /dev/null. To elaborate, /dev/null is a special file called the 'null device' in Unix systems.

This part of UNIX systems can basically be summed up as a location where every bit of information written to it is immediately discarded, and which only returns end-of-file (EOF) when read.

7. How does PureVPN’s app kill switch API stop the recording of user IP addresses?

PureVPN's internet kill switch does NOT use any API-based service and also does NOT record any type of user IP address.

8. Load balancers are used by VPN providers to hand the connection off to the VPN termination server. How do you stop them from recording information, even if only momentarily?

PureVPN uses different techniques to distribute the user/connection load to VPN nodes, similar to how we use API servers to find the best possible servers. Therefore, we do not use inline load balancers and thus our users don’t get exposed.

9. How do you stop the recording of URL paths in API logs?

API servers ensure that a VPN server with the best possible speed is made available to the user based on their selections. Any type of system and service logging was not found on the API server, as verified by the independent auditors.

10. What is PureVPN’s process for ensuring virtualized or containerized servers do not log data?

Virtualized or containerized servers make no difference to us; we enforce our privacy policies and processes on all types of server in use. The audit company itself randomly selected different servers to test our no-logs claims.

We use configuration playbooks to centrally implement no logging on all our VPN servers, which includes Linux, Windows and their virtual and bare metal variants. 
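
Answers 6 and 10 together describe a configuration-level control: every OpenVPN termination node, whatever its platform, must carry directives that send all output to /dev/null. The check below is an added example for this article (not PureVPN's playbook, nor Altius IT's audit tooling) of how an auditor or a playbook's own verification step could confirm that property from a server configuration file. It flags the directives that would persist per-connection data to a real file: `log`/`log-append`, `status` (which periodically writes the live client list with common names and addresses), and `ifconfig-pool-persist` (which records client-to-IP assignments). The two sample configurations are constructed for the demonstration; the directive names are standard OpenVPN 2.x server options.

```python
"""Check an OpenVPN server configuration for directives that persist
per-user data on the termination node.

Added example for this article; it is not PureVPN's configuration
playbook or Altius IT's audit tooling. The two sample configurations
below are constructed for illustration. Directive names are real
OpenVPN 2.x server options.
"""
from typing import Dict, List, Tuple

# Directives whose first argument names a file that will receive
# connection or client data: daemon log lines, the periodic client list
# (common name, real address, virtual address), or the persisted
# client-to-IP pool.
FILE_WRITING_DIRECTIVES = ("log", "log-append", "status", "ifconfig-pool-persist")


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs, skipping blank lines and lines that
    start with '#' or ';' (OpenVPN comment markers)."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        parsed.append((parts[0], parts[1:]))
    return parsed


def audit_no_logging(text: str) -> List[str]:
    """Return a list of findings; an empty list means the configuration
    writes no per-user data to a file."""
    findings = []
    present: Dict[str, List[str]] = {}
    for name, args in parse_config(text):
        present[name] = args
        if name in FILE_WRITING_DIRECTIVES:
            target = args[0] if args else ""
            if target != "/dev/null":
                findings.append(f"'{name}' writes to {target or '<missing argument>'}")
    if "log" not in present and "log-append" not in present:
        # With neither directive OpenVPN writes to stdout/stderr, which
        # becomes syslog once the daemon detaches; that is still a log.
        findings.append("no 'log' or 'log-append' directive: messages go to "
                        "stdout, or to syslog when daemonized")
    return findings


# Constructed sample: the logging settings of a typical stock server.conf.
DEFAULT_STYLE_CONFIG = """\
# constructed sample: stock server.conf logging
port 1194
proto udp
dev tun
ifconfig-pool-persist ipp.txt
status /var/log/openvpn/openvpn-status.log 10
log-append /var/log/openvpn/openvpn.log
verb 3
"""

# Constructed sample: a termination node with all output discarded.
NO_LOGS_CONFIG = """\
# constructed sample: termination node, logging disabled
port 1194
proto udp
dev tun
# all daemon output discarded
log /dev/null
# no periodic client list written
status /dev/null
verb 0
"""

if __name__ == "__main__":
    for label, cfg in (("stock", DEFAULT_STYLE_CONFIG), ("no-logs", NO_LOGS_CONFIG)):
        print(f"{label}: {audit_no_logging(cfg) or 'clean'}")
```

Run against a live node the same function can be fed the rendered config that the playbook deploys, which turns the "we enforce it everywhere" claim into a per-host check with a yes/no result. Note that `/dev/null` only covers what OpenVPN itself writes; kernel conntrack tables, netflow exporters or a host syslog collector are outside this directive and would need their own checks.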

This security audit followed a court case in which a Massachusetts man was arrested on charges of cyberstalking a former roommate and her family members and friends.

Court documents indicated that logs provided by PureVPN to the FBI helped the prosecution. While this ended a year's worth of misery for the victim, the Hong Kong-based provider was dragged through the mud by the privacy-conscious.

In light of that event, PureVPN revamped its privacy policy, stating clearly that it keeps no personally identifiable information (PII) about its users.

Wrapping Things Up

After asking these questions and looking at PureVPN's recent history of industry-first (and some equalizing) initiatives, I feel confident that the provider is steadily rising among the ranks of the top players in the market, and I remain eager to see what their next move is!
