Since our inception in 2009, Golden Frog has been dedicated to doing what’s right, with an unwavering commitment to the Internet. We’re a small team on a mission: to provide people with better privacy, security, and Internet freedom.
When we founded Golden Frog and launched VyprVPN we believed that logging a minimal amount of VPN service data would vastly improve our customers experience when using a VPN. We kept this data to a minimum and focused on how this data could help improve speed, performance, reliability and troubleshooting. I am proud of our commitment to talking about issues in the VPN industry and our transparency with our users about our logging policies and our past reasons for retaining any user data.
What we formerly logged and retained for 30 days:
- Customer’s source IP address (generally the IP address assigned by the customer’s ISP)
- VyprVPN’s IP address assigned to the user
- Connection start and end times
- Total number of bytes used
So, I’m very excited to announce that VyprVPN is now a No Log VPN Service!
Why Did We Make the Change to No Log?
Over the course of the past year we have received significant feedback from our customers, our Policy Partners and the VPN market that any amount of activity logging by a VPN Provider erodes trust in the VPN service itself.
But, the tipping point was when Wirecutter published their review of the Best VPN Service and I saw one of our customers ask on Twitter why VyprVPN was excluded from the review.
So although we are one of the longest standing VPN Providers in the world and feel we have always fought to protect people’s privacy, our minimal logging excluded us from their review. Wow.
People’s expectations had clearly changed. It was time for action. People are demanding more privacy from the companies and that’s a good thing. I hope this positive trend continues.
As our service has matured over the past decade, we have become more experienced with running a global VPN network and the necessity for minimal logging has diminished. We have found better ways to improve performance and defeat fraudsters without needing a user’s connection information.
Isn’t This Just Another Blatant Marketing Campaign?
We have been very vocal about VPN Providers who promised total anonymity or a “no log” VPN service but turning over user data to authorities. We have had legitimate concerns about new entrants in the VPN industry that promise privacy but deliver quite the opposite while leaving users none the wiser. We feared that trust in VPNs was eroding and if people can’t trust a VPN to protect them then they won’t use encryption at all. We felt that decisive action was needed. That’s why we partnered with the Center for Democracy & Technology over the past year to create the “Signals of Trustworthy VPNs” report so that users can better understand what questions to ask of their VPN Provider. This was a good start and we encourage more VPN Providers to answer these questions for the sake of consumers.
How to Change the Conversation and Challenge the VPN Industry
So, we made the decision to hire a respected, independent auditor to validate that when we say “No Log” users can trust us and aren’t left wondering if we are yet another VPN Provider who says one thing and does another. After extensive research we hired Leviathan Security to perform an independent audit and ensure that no Personally Identifiable Information (PII) is collected, with respect to the use of the VyprVPN service. You don’t have to necessarily trust us (although I think you should), but we hope you can trust Leviathan Security when they attest that we have delivered on our No Log promise to our users.
So, I’m very proud to announce that we are the world’s first publicly audited No Log VPN Provider. Sure, this sounds like a marketing message, but our Engineers certainly don’t believe so! Our teams worked closely with the team at Leviathan Security to address any and all concerns that arose as they went through the investigation. We allowed Leviathan full access to our servers, application code, etc. – we let them get their hands dirty.
We spent a great deal of time modifying and ensuring that our server systems do not log any PII with respect to your connections. This includes VPN servers, authentication servers, API servers, etc. The normal, everyday path of connection logging was easy to modify, but the technical team went further and made drastic logging modifications across the entire suite of backend software to ensure that even accidental logging in exceptional cases does not occur. Leviathan verified all of our changes.
Our application developers also got involved. They audited their apps and provided updated versions which ensure any logs on the device maintained by the application or the OS are only sent to us with your express action and permission. Again, Leviathan verified all of our claims. Our technical team spent a great deal of time making certain this was no mere marketing campaign.
I’m very proud of our Engineering teams who worked closely with Leviathan to earn this accolade. They all deserve our recognition and I’m very grateful for their efforts. Kudos!
You may read the full report from Leviathan here: VyprVPN Privacy Audit
First, we must not only make promises, we must continue to deliver on them. Server infrastructure, desktop apps and mobile apps are a living, breathing system with continual change. We must manage change well and continue to deliver on our promises to our users.
Second, I challenge other VPN Providers to audit how they deal with user data to create more trust with their users, which will help create more trust with VPN services in general. I applaud Tunnelbear’s security audit and I hope they continue to do it every year. I also challenge them to do an audit of how they deal with user data and not just the security of their service. We are also considering a security audit in the near future.
I still believe there remain massive privacy questions about VPN Providers that promise anonymity but rely on third party hosting companies in various jurisdictions around the world to run their VPN servers. We’re lucky – we don’t rent, we own our servers, so this isn’t an issue for us. I would like to see if an audit would address my concerns about the impact that third party hosting providers have on user privacy.
Facebook famously did a PricewaterhouseCoopers audit under demand by the Federal Trade Commission and that audit didn’t catch the massive abuses by Cambridge Analytica. So, not all audits are created equal. But, if we live in a world where companies are touting which audit vendor is more trustworthy rather than which marketing message to believe, then that is a world I would rather live in.
Third, I hope this audit serves as a beacon to other companies dealing with user data, not just privacy companies. The reality is that almost every company deals with user data and the abuses are too numerous to list here. The amount and kinds of data collected is only increasing too. Alexa, am I right? So, users deserve privacy and transparency more than ever and a thorough audit can only help to establish more trust with your users.
The Chinese proverb says “[t]he best time to plant a tree was 20 years ago. The second best time is now.” The same is true for privacy audits. So just do it. Do something, do anything and share it with your users.
Feel free to contact me if you have any questions about where to start.