What is the best no logs VPN service and which of them are actually trustworthy and proven? This is a tough question. First, there are dozens of VPNs claiming to be "no logs" without any proof or verification. In other words, you just have to take their word at face value. Second, there have been a few "no logs" VPNs that have collected user data and provided the information to authorities and law enforcement. Here are three examples:
- PureVPN was caught logging customer data for the FBI. They've since been audited and claim to be a no-log VPN
- IPVanish also collected logs on one of their users and provided the data to the FBI
- HideMyAss provided logs to authorities for a hacking case
Guest author Sven Taylor is the editor behind Restore Privacy, a blog dedicated to informing readers about the best online privacy practices, securing electronic devices, unblocking restricted content and defeating censorship.
There are surely other cases of this happening which have not come to light. So how can you find a true no-logs VPN that is actually worth your trust?
There have been a handful of VPN services over the years that have had their 'no logs' policies tested under various circumstances. We will examine these different providers below and the exact circumstances under which their 'no logs' policies were verified.
ExpressVPN
Based in: British Virgin Islands
No logs, 30 day refund policy, starts at $6.67/mo
ExpressVPN is currently the top recommendation in my comparison of the best VPNs. It offers user-friendly VPN apps with excellent performance and security. ExpressVPN is also one of the few VPNs that work with Netflix, BBC iPlayer, and other streaming services.
In terms of speeds, ExpressVPN is one of the fastest VPNs I've tested. I can routinely get around 150 Mbps on nearby servers (with a 160 Mbps connection). Now let's examine how ExpressVPN's no-logs policies have been tested and verified.
In April 2019, ExpressVPN upgraded their server infrastructure so all VPN servers run in RAM-disk mode. They refer to this as the TrustedServer feature. This update ensures nothing can be stored on any VPN server, as it does away with traditional hard drives. As they explained, this is a major improvement from a privacy and security standpoint:
With our industry-first TrustedServer technology, our VPN servers run only on volatile memory (RAM), not on hard drives. Since RAM requires power to store data, this guarantees that all information on a server is wiped every time it is powered off and on again.
In contrast, the traditional and most common way of running servers relies very much on hard drives, which retain all data until they are erased and written over, a painstaking and error-prone process. This increases the risk that servers could inadvertently contain sensitive user information. If someone were to hack or seize the server, they could gain access to this data. Even worse, hackers who do find their way in might be able to install a backdoor that remains indefinitely.
Competitor Perfect Privacy also runs all servers in RAM-disk mode, which would seem to be the safest and most secure way to run VPN servers.
In July 2019, ExpressVPN underwent a third-party audit from PWC. This security audit verified the TrustedServer feature, the no logs policy, and that all privacy protections are being adhered to correctly.
ExpressVPN also decided to open source their browser extensions and subject them to a security audit by Cure53. This sets a high bar and shows ExpressVPN is committed to transparency and safeguarding user data.
ExpressVPN server seized in Turkey
In December 2017, Turkish news outlets reported that Turkish authorities attempted to force ExpressVPN to provide customer data for an investigation into a political assassination. According to these reports, Turkish authorities allege that an unknown individual using ExpressVPN deleted evidence on social media related to the investigation.
While the Turkish news article claims ExpressVPN is based in the US (when it's in fact based in the British Virgin Islands), it does reveal that the authorities' attempts to collect user data failed:
The prosecution's contact with the company did not yield results as Express VPN stated that it is not subject to the rules of U.S. and EU laws.
After failing in their attempts to coerce data from ExpressVPN, the Turkish police decided to physically seize ExpressVPN's server, which they obtained from a data center in Turkey. However, this did not reveal any information because ExpressVPN does not keep any logs on its servers - or otherwise.
NordVPN
Based in: Panama
No logs, 30 day refund policy, starts at $3.49/mo
NordVPN is a no logs provider based in Panama that offers a wide selection of apps for a decent price. In the latest round of testing for the NordVPN review, it performed well in all categories. NordVPN's VPN apps also have strong leak protection settings as well as advanced privacy features, such as double-hop VPN servers, Tor-over-VPN servers, and obfuscated servers.
NordVPN audited by PWC to verify no logs claims
In November 2018 NordVPN announced that it had completed a full audit to verify their no-logs claims. The audit was conducted by PricewaterhouseCoopers and fully verified the no-logs policy. NordVPN subscribers can get access to the full audit in the members area. I carefully examined the findings for this guide and can offer this overview:
- NordVPN was audited by PWC, who had full access to examine NordVPN's servers, interview employees, observe operations, and inspect configurations, databases, and any other relevant aspect of the VPN service.
- NordVPN does not store connection logs, IP addresses, traffic logs, or any internet activity information.
Because NordVPN limits users to six connections per subscription, it does have a mechanism to verify the user's account and ensure the device limit is not exceeded. This is common for VPN services that implement connection limits (nearly every VPN service) and does not pose any threat to user privacy or security, nor violate the logging claims - as the audit verified.
VyprVPN
Based in: Switzerland
No logs, 30 day refund policy, starts at $3.75/mo
VyprVPN is a no logs VPN service based in Switzerland with very secure apps and excellent performance. It offers secure and user-friendly apps for many different devices and speed tests in the VyprVPN review were pretty good. VyprVPN is unique in that they physically own every server in their network (no rentals from third parties), which helps to ensure data security. They also offer the Chameleon protocol, which will get around VPN blocks and restrictions (important when using a VPN for China).
No logs transition: Audited, advised by cybersecurity firm
In September 2018 VyprVPN began working with Leviathan Security Group to transition their service into a full "no logs" VPN service. The auditors examined all aspects of VyprVPN's network to identify any areas where logs were maintained that could de-anonymize the user. After fixing a few issues, they re-tested everything and found VyprVPN to be in full compliance with their stated "no logs" policy.
VyprVPN's security audit is publicly available. Here's an excerpt:
We examined all components of the project according to the threat assessment described below. While vigilance against logging is necessary to complete the process of implementing "No Log", we feel that this assessment achieved its goal of uncovering weaknesses in Golden Frog's implementation. The project revealed a limited number of issues that Golden Frog quickly fixed. As a result, it can provide VyprVPN users with the assurance that the company is not logging their VPN activity.
Golden Frog worked to remediate all no-log-related findings concurrently with the assessment. Once it had completed this, we performed a retest and verified that all of the fixes were effective.
Before this change took place, VyprVPN logged connection data (including IP addresses) for 30 days. Now VyprVPN can be counted among the small number of verified no log VPN services.
Perfect Privacy
Based in: Switzerland
No logs, 7 day refund policy, starts at $8.95/mo
Perfect Privacy is a premium VPN that offers advanced online anonymity and security features. It is a no logs service that does not restrict user accounts. You get an unlimited number of connections to use with your subscription as well as advanced privacy features and unlimited bandwidth. Privacy features include multi-hop VPN configurations, port forwarding, and an advanced advertisement and tracking blocker called TrackStop.
Perfect Privacy server seized in the Netherlands
In August 2016 Perfect Privacy announced that Dutch authorities had seized one of their servers in Rotterdam, Netherlands. Although the reason for seizing the server was never revealed, Perfect Privacy confirmed no customer data was obtained:
Since we are not logging any data there is currently no reason to believe that any user data was compromised... We can now conclude that no customer information was compromised due to the seizure. The Rotterdam location will continue to operate using the replacement servers.
To further protect customer data in the event of a server seizure, Perfect Privacy runs all their servers in RAM-disk mode, like ExpressVPN, as they explain on their log policy page. While Perfect Privacy is a higher-priced service, it remains a great option for privacy and security, with a proven no logs policy and Switzerland jurisdiction.
Private Internet Access
Based in: USA
No logs, 7 day refund policy, starts at $3.49/mo
Private Internet Access is a United States-based provider that offers a cheap, simple, and user-friendly VPN service. While it's not a bad service for the price, it does have some drawbacks. PIA is limited on features and I've also seen users complain about connections and support - discussed in the PIA review. Nonetheless, it may be worth considering if you don't mind the US jurisdiction (Five Eyes) and some of the other minor drawbacks.
PIA logging claims verified in two court cases
Private Internet Access is somewhat unique in that its no logs claims have been verified in two separate US court cases. Since providing false information in a court of law is a serious offense, we can consider both of these cases to conclusively verify the "no logs" policy.
The first court case was from 2016 and it involved a man who allegedly made bomb threats while connected to PIA's VPN. The FBI officially subpoenaed PIA demanding logs of the user, but they simply could not provide anything, as described in official court documents:
A subpoena was sent to London Trust Media [Private Internet Access] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States.
In a second case from June 2018, Private Internet Access was again subpoenaed in court for user logs and evidence related to a hacking case. As with the previous court case, Private Internet Access was not able to provide any data, because there were no logs available to hand over. Based on these two court cases, Private Internet Access can be considered a verified no logs VPN provider.
Other verified VPN providers
Since first writing this guide, there have been a few other VPNs that have undergone audits to verify their privacy and security claims.
IVPN - IVPN is a VPN provider based in Gibraltar. It used Cure53 for its audit, which verified the privacy claims as follows: "Based on the findings, it is safe to say that all of the IVPN's privacy statements could be verified as truthful within the defined scope."
TunnelBear - TunnelBear is a VPN service based in Canada. It is now owned by US cybersecurity company McAfee, although it still operates from Canada. It is important to note that TunnelBear does not claim to be a full "no logs" VPN service. Instead, they keep some limited connection logs, but like other VPNs in this guide, they have undergone (and passed) a full audit. Similar to ExpressVPN and IVPN, TunnelBear also went with Cure53 for the audit.
Another issue is that there's no widely accepted definition of exactly what "no logs" even means. In light of these factors, it's great to see that there are VPNs taking proactive steps to verify and audit their own policies.