It’s Time for VPNs to Publish Audit Results

Mullvad VPN

Trust is a big issue for VPN services.

After all, you’re trusting them to:

  • reliably encrypt your data
  • be secure from DNS leaks and other vulnerabilities
  • not sell your data
  • operate a strict no-logs policy
  • regularly update software
  • maintain servers and ensure their integrity

Yet few of them bother to have their servers, software, and infrastructure audited. Fewer still release the results of those audits.

Happily, Mullvad VPN has joined the list of audited VPN services and published the results of an investigation by Cure53, which states:

“Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”

Interestingly, Mullvad has taken the decision to publish both the initial findings and the completed report, which helps observers better appreciate the process. Following recommendations, Mullvad has issued new versions of its apps for Windows, macOS, Linux, Android, and iOS.

But has your VPN been audited? Can you trust that it is operating reliably, responsibly, and with no vulnerabilities? Are its servers secure, and is the business run well?

To our knowledge, Mullvad joins ExpressVPN, Tunnelbear, IVPN, VyprVPN, and NordVPN as having been independently audited (as opposed to issuing a PIA-style transparency report). We hope it is a process that is regularly revisited by these services, and embraced by other VPNs.

What do you think?