Dirty Secrets - Fake VPN Audits

How Do VPNs Run Fake Audits?

There is a myriad of ways to run a fake audit. One of the main issues, of course, is that the people who are paying for the audit would rather have a ‘yes man’ than the truth. Anyone who has worked in consultancy in the past will tell you: A lot of details fall by the wayside when an audit deadline is coming up and the reputation of the client is at stake. A good result means returning business in the future and recommendations down the line.

Sadly, that kind of subtle manipulation isn’t really what we’re talking about in most cases. VPNs have the power to cheat an audit far more bluntly than that. The three main methods to run a fake audit are:

Fool The Auditor

In a properly set up Linux environment, preparing a server to pass an ‘audit’ is so simple, that a child could do it.

Move the current logs to a backup drive; if they’re well-organized they’ll all be in the same set of folders. Then execute this command:

service rsyslog stop

If you want to keep logging from starting up at boot, it’s simply:

systemctl disable rsyslog

That’s it. Everything running through the logging service has now stopped recording transactions. Anything odd that isn’t running through that service can normally be edited in the /etc/defaults file.

On a well-planned server, this process takes a few minutes. Then any auditor examining the device will legitimately see no logging. They’ll put a checkmark in that box, hand in the report… and the VPN owner will then turn to log back on just as quickly as it got turned off.

Another tactic is to set up a ‘clean’ server from an existing image. This one will have all of the privacy settings correctly defined, and all of the backdoors removed… at least for the duration of the audit. As soon as the audit is over though, it’s back to business as usual.

Pay For Results

Then there’s the age-old method of paying for the results you want. There are some companies out there that will simply run a fake VPN audit and report whatever they’re told to report. They’re either cashing in on a reputation they’ve built up over time, or they never had any reputation, to begin with. A smaller firm will do this for a couple of thousand dollars.

The only way to combat this practice is to actually examine who the auditor is instead of blindly believing their claims. How long had they been in business when the audit was performed? Is their primary business auditing networked systems? Do they still exist? Are they a member of a reputable regulatory board?

That last bit is one of the main issues: The VPN industry is vastly unregulated, and so are the people who audit them. There are watchdog organizations for financial auditors, but not for small tech consultancies who make money rubber-stamping fake VPN audits. It’s the Wild West out there.

No Real Audit At All

Then again, why have an audit at all when you can lie about it? Creating a company on paper is cheap, almost trivial. If nobody is checking into the pedigree of the auditors, they can simply be a shell company.

This gives the VPN total control over the results. They can copy and paste the results of an authentic-looking audit, make a few small edits, and slap their own name in there. Again, it’s not like the industry is regulated. And advertising authorities have traditionally let VPN companies get away with murder if they even glance in their direction at all.

As you can imagine, creating a fake company and then posting fake results is the absolute cheapest way to go. This is why it’s so critical to check the auditor’s history and current status.

What Do Auditors Think Of VPNs?

To put it all in perspective: Cure53, one of the most common auditors in the VPN field, was only founded in 2016. That’s when demand for such things really started to blossom.

And if you ask them the kind of things they’ve seen on their audits, they aren’t impressed. They even talk about companies requesting an audit, and then not releasing the results because they were bad:

“Yes, that did happen. Actually it just recently happened again. And… well, if that is the case, we don't judge. I mean, we do but you know, it's in the end up to the company to decide. If they want to publish, excellent; we support that every time it happens. But if not, then we're not the ones to add pressure, it's not our call to make.”

Because the VPN industry has no regulation, audits are not checked, required, or centrally published.

This means if a company gets a bad audit result, they can literally rip it up and try again with another company that will hopefully be more lenient. Or they can simply use one of the faking methods mentioned above.

What About Self Regulation To Avoid Fake VPN Audits?

To see just how laughable self-regulation is in the VPN industry, look at one of the largest organizations around, The VPN Trust Initiative - i2Coalition.

Their principles document is so toothless, that it’s probably on a diet of apple sauce. Look at all of the weasel words they use to avoid making VPNs do anything of real consequence:

‘VPN providers should commit to regular security audits…’

‘Should’ meaning they don’t have to, and ‘regular’ meaning whenever they want. There are no actual guidelines defined here, just suggestions.

‘…as well as out-of-sync security audits when deemed necessary…’

Oh well, that was easy, a VPN can just deem those not necessary, and they’re all set!

Finally, here’s how they define a VPN audit:

‘An audit conducted by an individual or organization that may be directed in scope but should entail complete access to the VPN provider’s systems and code. Compensation should be limited to usual and customary fees. The audit (and auditor) must be made public within a reasonable time of the audit.’

Four weasel phrases in a single definition, rendering it utterly useless as anything but a vague guideline. There’s no time frame defined. Everything is a suggestion. And there’s no penalty mentioned for ignoring the one ‘must’ statement.

There is no mention of the words ‘fine’, ‘penalty’, ‘deadline’, or ‘removal’ anywhere in the document. After searching this and other related membership documents available online, this doesn’t seem to be an enforcement body in any way, shape, or form. Unless there are some hidden documents about penalties buried somewhere on their site, there are literally no consequences for those who act in bad faith other than, one would guess, being delisted from their website.

Contrast this to self-regulation in the advertising industry, for example. The Digital Advertising Accountability Program (DAAP) has a massive reach, works with two regulatory boards that provide enforcement, and will literally perform independent investigations and audits to determine the truth of claims. That’s what real self-regulation looks like.

There’s simply one comparison. The VPN industry’s self-regulation is a joke. They have no real mechanism to stop fake VPN audits and no significant way to enforce their policy.

Can VPN Audits Be Trusted?

Well, we’ve already demonstrated how the conditions of the audit can be completely faked, so the answer is of course no.

But even if that weren’t the case: We now know that there’s no real regulation in place. There’s no self-policing going on. Nobody audits the auditors. And some of the most experienced auditors in the field tell horror stories about VPNs, including some of them who simply don’t publish the results and try again with another auditing company.

With all of these factors in mind, the answer is now a louder and more resounding ‘no’.

The main issue, of course, is that you can’t prove a negative. Things like ‘no logs’ claims aren’t tested until a VPN gets raided. Then the results can be disastrous for VPN users.

The best you can do is research the VPN auditor carefully, look at the VPN company’s track record on things like raids and subpoenas, and hope for the best. Or check out privacy apps as a better alternative to VPNs.