Proton VPN won't log your data, audit confirms - even for free users

Follow ZDNET: Add us as a preferred source on Google. ZDNET's key takeaways Proton VPN's no-logs policy passes another independent audit. The report confirms that Proton does not log user metadata or activity. Such audits are a welcome practice - especially for a free VPN service. Proton VPN has revealed the results of its fourth independent security audit, which investigated the validity of its no-logs policy and security posture. Also: Proton VPN review: A very solid free VPN with robust leak protection Securitum performed the audit last month, and its report has now been made public. Securitum, which also counts DuckDuckGo among its VPN clients, upheld Proton VPN's claims concerning its no-logs policy; specifically, that Proton VPN does not log user metadata or activity. Proton VPN provides a free tier Any VPN provider that wants to earn and retain a trustworthy reputation must adhere to a no-logs policy -- and back up its claims with independent reviews. This is even more true for Proton VPN, which offers a free VPN in addition to its paid subscriptions. As VPN networks are not free to run, free VPNs are often associated with shady marketing and data collection practices, unless they are backed by paying subscribers. Proton VPN provides a free service as it believes "privacy should be accessible to all," and while restricted, it is supported by paying customers -- and so it is one of the few free VPNs we recommend. Also: These popular free VPNs all share the same shady security practices - here's why The on-site assessment took place August 18-20 at Proton's Zürich headquarters. Securitum auditors examined Proton VPN's architecture, including process evaluations, hands-on inspections, configuration reviews, operational security practice assessments, and data leakage analysis. The consultants also inspected server storage and memory for any evidence of out-of-band data persistence that could lead to unintentional data storage. Audit queries included: Is user activity tracked or logged on the production VPN servers that handle user traffic? Is connection metadata, such as DNS queries or session timestamps, logged on VPN servers? Is user network traffic actively inspected, or are its contents logged on VPN servers? Is the no-logs policy applied uniformly across all servers, in all geographic regions, and to all user subscription tiers? Strict no-logs policy deployed everywhere According to Securitum, Proton VPN does not track or log user activities on its production VPN servers. Its architecture is "explicitly designed to process user traffic without maintaining any records of its content or destination." In addition, no metadata that can be associated with a user is logged, and only non-identifiable data necessary for the service is collected. Also: How to remove your personal information from Whitepages in 5 steps - and why you should Proton does not log or monitor the specific services, websites, or servers that users connect to, ensuring that browsing history remains confidential," the report notes. "It has [also] been verified that a consistent server configuration and the same strict no-logs policy are deployed across all of Proton's servers, regions, and subscription tiers." Furthermore, the auditors say that Proton VPN does not perform Deep Packet Inspection (DPI) or log the contents of user network traffic. However, there is one exception: A mechanism is in place on free-tier servers to stop BitTorrent (P2P) traffic from passing through. "The technical evidence reviewed showed no instances of user activity logging, connection metadata storage, or network traffic inspection that would contradict the no-logs policy," the report concludes. Also: The best free VPNs: Secure, safe, and fast VPNs "When you connect to a VPN, it effectively becomes your internet provider, meaning any VPN provider is technically capable of tracking and logging what you do online. While many VPNs claim to have no-logs policies, these policies do not always hold up when put to the test," Proton VPN says. "As an organization founded by scientists who met at CERN, we believe in peer review and transparency. This is also why we make all our apps open source so that anyone can examine our code."