Does NordVPN Keep Logs?

While competition in the VPN market remains tight, NordVPN has emerged as one of the most popular services. It isn't easy to know whether you can truly trust the people behind a VPN. After all, using an evil provider could result in a wide array of bad outcomes. It could technically intercept all your web traffic and potentially even log it!

In addition to providing the definitive answer to whether you can trust NordVPN not to keep logs, we'll even show you how to make sure for yourself.

A Case Study: High-Profile VPN Lies

Though almost all VPN providers claim not to log your traffic, some are less honest than others. One of the most commonly cited examples of this is the VPN service “HideMyAss”. It had promised it would never log users' traffic. In 2011, the hacking group “LulzSec” was responsible for causing digital mayhem that rose to a criminal level. Though the members' identities remained a mystery for a short period of time, the FBI eventually arrested multiple members.

In the FBI's publicly available affidavit, with excerpts in this article on the topic from The Atlantic, it was shown that the FBI had subpoenaed “HideMyAss” for the IP address tied to a SQL injection attack on Sony Pictures, among other crimes. The provider advertised it kept no logs, but it had the identity of the user in question, which was promptly turned over to the FBI. Even though this VPN was very popular back then, it was not trustworthy.

But I'm Not a Criminal!

The explanation given by “HideMyAss” for this fiasco was that using their service for illegal activities was against their Terms of Use, and they had to comply with US law. While the person in question was clearly in violation of the law, the issue was that the service deceived users into thinking their sessions were private.

VPN stealing logs with private information

You may think that because you're not a criminal, it doesn't matter if a VPN logs or not. However, keep in mind that if a VPN does log, you're actually worse off than if you just used public WiFi! This means a third-party company gets full access to everything you do online, and, worst of all, you pay for it. They could sell this information, use certain information from your browsing sessions to blackmail you, steal your identity, or commit countless other acts against you.

In short, a VPN who logs is essentially making their service useless. That's why very few VPN companies admit to logging. While they would like to be on the “right side of the law” in situations like this, they also know customers would run away if informed.

NordVPN's Logging Policy

Unlike some providers who make you read through legalese to understand their logging policies, NordVPN dedicates a whole page to the topic. They state in no uncertain terms that they do not log absolutely anything.

That means that as soon as you connect to a NordVPN server, your ISP cannot see what you do. NordVPN also does not see your online activity. The only item related to your VPN connections that gets logged is the time you last used the software, for diagnostic purposes. All of this sounds great; you can use the Internet with confidence that your right to privacy will be protected, right?

You're probably thinking this is hypocritical, since we just discussed a case where another VPN provider had an identical promise to its users. This promise was not kept, so how do we know NordVPN holds its promise?

Independent Auditing

Relying on a VPN provider's claims isn't a good security practice. It's likely to end up with you signing up for a service that logs your activity. One of the few ways a VPN can prove it does not log users' activities is through an independent audit. Due to the rightful cynicism of its users, NordVPN commissioned an audit.

NordVPN hired PricewaterhouseCoopers (PwC) AG of Zurich, Switzerland, to conduct a full privacy audit. This company is internationally known as one of the “Big Four” auditing companies, so its results are credible.

An auditing company looking for logs

The full text of the audit results is only available to those who subscribe to NordVPN. In short, PwC had 11 days in late 2019 with full access to everything NordVPN uses. The company was able to view source code, have full access to servers, and see what data goes in and out. Because PwC's reputation is what is behind their annual gross income of more than $40 billion, they had to remain neutral during the audit.

When the audit was completed, PwC announced that no IP addresses or logs of browsing activity were created or stored by NordVPN. The only thing that remotely resembled logging they found was that they log concurrent sessions. That happens so that NordVPN can detect account-sharing. But even these logs are purged from the record after 15 minutes.

The Key Takeaways

NordVPN's competition had been spreading rumors that the service logged. In a move that no other VPN provider has been bold enough to do to-date, NordVPN had a giant audit firm tell the world they weren't lying.

Unfortunately, most VPN companies don't offer such an audit. They may have flashy websites and big promises, but there will always be a lingering suspicion that they are logging your activity. In the future, more of the established VPN companies will likely follow this trend to stay competitive.

You will always need to check for security updates with any VPN you use. However, security experts at PwC are confident that NordVPN has done what it promised from the beginning: give them their Internet privacy back.