by patrakov
1000 days ago
Well... using PureVPN as an example. They claim that they have been audited twice.

First audit, from 2019: https://my.purevpn.com/pdf/Privacy_No_Log_Audit_Report.pdf

I tried to contact the auditor, Altius IT, in order to confirm whether exfiltrating connection data to a third party would result in the audit failure. They replied, but in a very vague way (refused to answer any questions regarding Altius IT's audit of PureVPN's environment). Well, at least they confirmed indirectly that the audit did exist.

Second audit, from 2023: https://www.purevpn.com/wp-content/uploads/2023/07/KPMG_Pure...

I tried to contact KPMG to verify the authenticity of that report, and also asked the same question - "whether deliberate real-time exfiltration of origin IP addresses, assigned VPN IP addresses, connection timestamps, or connected user activities to a third party by PureVPN, without PureVPN (as opposed to that hypothetical third party) storing anything locally in any form of logs, would have constituted a failure of the privacy assessment."

Result: no reply from KPMG at all, so I cannot be sure even that the report indeed comes from KPMG and is not a fake.

The ideal way to authenticate audits IMO would be for the audited entity to link back to a PDF or other report hosted on the auditor's site.