I was reading an audit from a very famous and security-focused provider, made by Cure53. All seemed legit and thoroughly technical, but for obvious reasons (and not to compromise the provider and its users’ security) the audit was performed on a replica of the infrastructure. I don’t know if there would be any other way to do it, but to me it seems a pointless audit: isn’t it true that to this day there’s no other way to verify every provider’s claim that they don’t keep any logs than by trusting their word?
Trying to guess “trustworthiness” or “not logging” is a losing game. You never can be sure, about any product or service. Even an audit or court case just establishes one data point.
So, instead DON’T trust: compartmentalize, encrypt, use defense in depth, test, verify, don’t post private stuff, maybe don’t do illegal stuff. And give fake/anon info where possible: fake name, throwaway or unique email address, pay with gift card or virtual credit card or crypto or cash.
You can use a VPN, ISP, bank, etc. without having to trust them.
It’s hard to get a 100% concrete answer on this, but there are some VPN providers who have been forced to go to court, proven to be unable to turn over logs, and provide regular transparency reports of their subpoenas.
I guess the best way is being proven in court: some VPNs have gone to court and offered up next to nothing, while others have gotten a request from LEOs to hand over data and have handed over enough data to cause an arrest.
Look for the companies that have a long and documented history of being scandal-free, are transparent in their privacy policy, don’t ask for any personal information, embrace open-source software, and don’t engage in misleading advertising.
You can’t ever know for sure, but you can know for sure that some companies are scum and deserve to be ignored. I’d say start there and practice layered security to protect yourself (even if you DO trust the service you go with).
I’m not sure that you can ever be 100% certain that no logs are retained. I’m sure that I’ve seen some VPN providers publish audits carried out by third-party companies such as KPMG, but even then there is always the risk that a stray piece of code somewhere used for initial testing hasn’t been removed and is logging in the background.
If all you’re using a VPN for is getting around region blocks for media streaming or the odd bit of torrenting, it probably isn’t that big of a deal if they are logging. If you’re doing something that could land you a spell in gaol, it’s best to assume that no VPN is safe.