Anyone who followed the NetOne scandal (that resulted in multiple board members getting the boot) understands that networking and telecommunications companies have the ability to fake their audit results.
Why would they do this? Well, the money of course.
Becoming compliant and following best practices costs money. Running a fake audit costs a fraction of the price. But the benefits can include inflating the stock price, using the results as an advertisement to gain more customers, enjoying reduced tax rates or less government scrutiny, membership in certain industry groups, or pumping up the company’s apparent net value before a sale or merger.
Some less scrupulous companies won’t think twice before faking an audit for their own personal gain. NetOne is just the tip of the iceberg.
But what about VPNs? So many of them claim to have conducted an audit that covers their privacy claims and their no-log policy. Can these be faked? If so, how?
Let’s talk about one of the biggest dirty tricks in the industry’s arsenal: Fake VPN audits.
There is a myriad of ways to run a fake audit. One of the main issues, of course, is that the people who are paying for the audit would rather have a ‘yes man’ than the truth. Anyone who has worked in consultancy in the past will tell you: A lot of details fall by the wayside when an audit deadline is coming up and the reputation of the client is at stake. A good result means returning business in the future and recommendations down the line.
Sadly, that kind of subtle manipulation isn’t really what we’re talking about in most cases. VPNs have the power to cheat an audit far more bluntly than that. The three main methods of running a fake audit are described below.
In a properly set up Linux environment, preparing a server to pass an ‘audit’ is so simple that a child could do it.
Move the current logs to a backup drive; if they’re well-organized they’ll all be in the same set of folders. Then execute this command:
service rsyslog stop
If you want to keep logging from starting up at boot, it’s simply:
systemctl disable rsyslog
That’s it. Everything running through the logging service has now stopped recording transactions. Anything odd that isn’t running through that service can normally be edited in the /etc/defaults file.
On a well-planned server, this process takes a few minutes. Then any auditor examining the device will legitimately see no logging. They’ll put a checkmark in that box, hand in the report… and the VPN owner will turn logging back on just as quickly as it got turned off.
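As an added example that is not part of the original article, here is the kind of check an auditor can run against exactly the evidence this section describes: the rsyslog unit state, the systemd journal entries for the service, and the modification times of files under /var/log. The hostname, timestamps, unit states and audit date are constructed sample data, not from any real provider.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `journalctl -u rsyslog -o short-iso` from a VPN node.
JOURNAL = """\
2024-02-10T04:00:12+0000 vpn-nl-01 systemd[1]: Started System Logging Service.
2024-03-01T09:12:33+0000 vpn-nl-01 systemd[1]: Stopping System Logging Service...
2024-03-01T09:12:33+0000 vpn-nl-01 systemd[1]: Stopped System Logging Service.
"""
# Constructed `systemctl show rsyslog -p ActiveState -p UnitFileState` output.
UNIT_STATE = {"ActiveState": "inactive", "UnitFileState": "disabled"}
# Constructed mtimes of files under /var/log (what `stat -c '%n %y'` reports).
LOG_MTIMES = {
    "/var/log/syslog": datetime(2024, 3, 1, 9, 12, 30, tzinfo=timezone.utc),
    "/var/log/auth.log": datetime(2024, 3, 1, 9, 11, 58, tzinfo=timezone.utc),
}
AUDIT_START = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)  # constructed

STOPPED = re.compile(r"^(\S+) \S+ systemd\[\d+\]: Stopped System Logging Service\.$")

def last_stop_time(journal):
    """Timestamp of the most recent 'Stopped System Logging Service' entry, or None."""
    stops = [m.group(1) for m in map(STOPPED.match, journal.splitlines()) if m]
    return datetime.strptime(stops[-1], "%Y-%m-%dT%H:%M:%S%z") if stops else None

def audit_logging_state(unit_state, journal, log_mtimes, audit_start, window_days=14):
    """Findings an auditor should raise before ticking the 'no logging' box."""
    findings = []
    if unit_state["ActiveState"] != "active":
        # A stopped or disabled unit is a configuration choice that can be
        # reverted in seconds; it is not evidence that logs are never kept.
        findings.append(f"rsyslog is {unit_state['ActiveState']}/{unit_state['UnitFileState']}")
    stopped = last_stop_time(journal)
    if stopped is not None:
        gap = audit_start - stopped
        if timedelta(0) <= gap <= timedelta(days=window_days):
            findings.append(f"rsyslog stopped {gap.days} days before audit start")
        # Log files written right up to the stop show logging was live until then.
        recent = sorted(p for p, t in log_mtimes.items() if timedelta(0) <= stopped - t <= timedelta(hours=1))
        if recent:
            findings.append("logs written up to the stop: " + ", ".join(recent))
    return findings

if __name__ == "__main__":
    for f in audit_logging_state(UNIT_STATE, JOURNAL, LOG_MTIMES, AUDIT_START):
        print("FINDING:", f)
```

An empty finding list means only that nothing in this evidence contradicts the claim; it is not proof of a no-log policy.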
Another tactic is to set up a ‘clean’ server from an existing image. This one will have all of the privacy settings correctly defined, and all of the backdoors removed… at least for the duration of the audit. As soon as the audit is over though, it’s back to business as usual.
Then there’s the age-old method of paying for the results you want. There are some companies out there that will simply run a fake VPN audit and report whatever they’re told to report. They’re either cashing in on a reputation they’ve built up over time, or they never had any reputation to begin with. A smaller firm will do this for a couple of thousand dollars.
The only way to combat this practice is to actually examine who the auditor is instead of blindly believing their claims. How long had they been in business when the audit was performed? Is their primary business auditing networked systems? Do they still exist? Are they a member of a reputable regulatory board?
That last bit is one of the main issues: The VPN industry is vastly unregulated, and so are the people who audit them. There are watchdog organizations for financial auditors, but not for small tech consultancies who make money rubber-stamping fake VPN audits. It’s the Wild West out there.
Then again, why have an audit at all when you can lie about it? Creating a company on paper is cheap, almost trivial. If nobody is checking into the pedigree of the auditors, they can simply be a shell company.
This gives the VPN total control over the results. They can copy and paste the results of an authentic-looking audit, make a few small edits, and slap their own name in there. Again, it’s not like the industry is regulated. And advertising authorities have traditionally let VPN companies get away with murder if they even glance in their direction at all.
As you can imagine, creating a fake company and then posting fake results is the absolute cheapest way to go. This is why it’s so critical to check the auditor’s history and current status.
To put it all in perspective: Cure53, one of the most common auditors in the VPN field, was only founded in 2016. That’s when demand for such things really started to blossom.
And if you ask them the kind of things they’ve seen on their audits, they aren’t impressed. They even talk about companies requesting an audit, and then not releasing the results because they were bad:
“Yes, that did happen. Actually it just recently happened again. And… well, if that is the case, we don't judge. I mean, we do but you know, it's in the end up to the company to decide. If they want to publish, excellent; we support that every time it happens. But if not, then we're not the ones to add pressure, it's not our call to make.”
Because the VPN industry has no regulation, audits are not checked, required, or centrally published.
This means if a company gets a bad audit result, they can literally rip it up and try again with another company that will hopefully be more lenient. Or they can simply use one of the faking methods mentioned above.
To see just how laughable self-regulation is in the VPN industry, look at one of the largest organizations around, The VPN Trust Initiative - i2Coalition.
Their principles document is so toothless that it’s probably on a diet of apple sauce. Look at all of the weasel words they use to avoid making VPNs do anything of real consequence:
‘VPN providers should commit to regular security audits…’
‘Should’ meaning they don’t have to, and ‘regular’ meaning whenever they want. There are no actual guidelines defined here, just suggestions.
‘…as well as out-of-sync security audits when deemed necessary…’
Oh well, that was easy: a VPN can just deem those not necessary, and they’re all set!
Finally, here’s how they define a VPN audit:
‘An audit conducted by an individual or organization that may be directed in scope but should entail complete access to the VPN provider’s systems and code. Compensation should be limited to usual and customary fees. The audit (and auditor) must be made public within a reasonable time of the audit.’
Four weasel phrases in a single definition, rendering it utterly useless as anything but a vague guideline. There’s no time frame defined. Everything is a suggestion. And there’s no penalty mentioned for ignoring the one ‘must’ statement.
There is no mention of the words ‘fine’, ‘penalty’, ‘deadline’, or ‘removal’ anywhere in the document. After searching this and other related membership documents available online, it does not appear to be an enforcement body in any way, shape, or form. Unless there are some hidden documents about penalties buried somewhere on their site, there are literally no consequences for those who act in bad faith other than, one would guess, being delisted from their website.
Contrast this to self-regulation in the advertising industry, for example. The Digital Advertising Accountability Program (DAAP) has a massive reach, works with two regulatory boards that provide enforcement, and will literally perform independent investigations and audits to determine the truth of claims. That’s what real self-regulation looks like.
There’s simply no comparison. The VPN industry’s self-regulation is a joke. They have no real mechanism to stop fake VPN audits and no significant way to enforce their policy.
Well, we’ve already demonstrated how the conditions of the audit can be completely faked, so the answer to whether a VPN audit can be trusted is, of course, no.
But even if that weren’t the case: We now know that there’s no real regulation in place. There’s no self-policing going on. Nobody audits the auditors. And some of the most experienced auditors in the field tell horror stories about VPNs, including some of them who simply don’t publish the results and try again with another auditing company.
With all of these factors in mind, the answer is now a louder and more resounding ‘no’.
The main issue, of course, is that you can’t prove a negative. Things like ‘no logs’ claims aren’t tested until a VPN gets raided. Then the results can be disastrous for VPN users.
The best you can do is research the VPN auditor carefully, look at the VPN company’s track record on things like raids and subpoenas, and hope for the best. Or check out privacy apps as a better alternative to VPNs.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.