Every VPN provider claims “we don’t keep logs.” But when pressed by law enforcement (subpoenas, warrants), dozens have suddenly recovered logs or handed over traffic metadata. How do you know if a provider’s “no-logs” claim is real or marketing theater?
Table of Contents
- Why “No-Logs” Claims Matter
- Third-Party Audit Reports
- Warrant Canaries
- Infrastructure and Jurisdiction Analysis
- Analysis: Real Providers Compared
- Verification Checklist
- Advanced Verification: Technical Analysis
- Real-World Scenario: Evaluating a New VPN
- Making Your Choice
Why VPN Logs Matter
VPN logs typically contain:
- Connection metadata: Which user account, timestamp, duration, IP address used, data volume transferred
- Traffic logs: Which websites/IP addresses you accessed (even if encrypted, ISP can see destinations)
- DNS logs: Search queries you made (unless using VPN’s DNS too)
- Application logs: Which apps connected, error messages
Legal risk: If logs exist, law enforcement can obtain them via subpoena, seizing user activity.
Practical risk: If logs exist, data breach = your browsing history leaked to hackers.
Verification Methods
Method 1: Check for Registered Business Address (Not Anonymous)
How: Look up the company’s incorporation records.
Tool: Delaware Division of Corporations (UCC search), WHOIS lookup
What to look for:
- Real company name and address (not “Privacy Corp Ltd, Cayman Islands”)
- Company founded before VPN became trendy (2012+, not 2022)
- Registered agent (legal liability chain)
Example (Real): ExpressVPN — TunnelBear Limited, registered Toronto, Canada. Public officers named.
Example (Sketchy): “VPN-Ultra-2024 Ltd” registered in Panama with anonymous ownership = high risk.
Why this matters: If a company won’t put its name on the business, you can’t sue them for false advertising. They can disappear and reappear under a new name.
Action: Only use providers incorporated in countries with strong corporate law (Canada, US, Germany, Switzerland).
Method 2: Check for Third-Party Audits
How: Search for published audit reports from reputable firms.
Firms that audit VPNs:
- Cure53 (German security firm, $200K+ audits)
- Deloitte (enterprise audits, expensive)
- OpenVPN Foundation (open-source audits, free)
- Trail of Bits (US security auditors)
Red flags:
- No published audit (or audit is from “SecureAudit Inc,” a made-up firm)
- Audit is 5+ years old (protocols and risks have changed)
- Audit only covers “code review” not “operational logging practices”
Where to find audits:
- Provider’s website (security page)
- GitHub (some publish reports)
- Security Stack Exchange (community discusses audits)
Example (Good):
- ExpressVPN: Audited by Cure53 (2019, 2023)
- ProtonVPN: Audited by Deloitte (2021)
Example (Bad):
- VPN-Ultra: No published audits, or audit by “Trust Labs Inc” (unknown)
What to look for in audit:
- Server audit: Are servers controlled by provider or rented from hosting (risk: hosting company logs)?
- Logging audit: Did auditors check application code for logging statements?
- Network audit: Are there backdoors or unauthorized access points?
- Scope: Does audit cover operational practices (backups, staff access) or just code?
Cost: Reputable audits cost $200K+. If a VPN can’t afford it, that’s a signal.
Method 3: DNS Leak Test (Active Test)
How: Connect to VPN, then test whether your DNS requests leak (go to ISP instead of VPN).
Tool: dnsleaktest.com (free)
How it works:
- Visit dnsleaktest.com without VPN (note your “real” DNS server, usually ISP)
- Connect to VPN
- Revisit dnsleaktest.com
- Check if DNS server changed (should be VPN’s DNS, not ISP’s)
What you’re testing: If DNS leaks, VPN provider (and ISP) can see every website you visit, even if traffic is encrypted.
Example results:
- Good: “Your DNS is provided by Surfshark (VPN)” + location is not your real location
- Bad: “Your DNS is provided by Comcast (your ISP)” despite being connected to VPN
- Suspicious: “Your DNS is provided by CloudFlare USA” but you connected to Singapore VPN server (CloudFlare is logging your requests)
Limitation: This test shows if DNS leaks NOW. It doesn’t verify that provider doesn’t log DNS historically.
Method 4: Traffic Analysis (Advanced)
How: Run packet sniffer to see what data leaves your device when using VPN.
Tool: Wireshark (free, open-source), tcpdump (CLI)
How it works:
- Start packet capture before connecting to VPN
- Connect to VPN
- Browse normally for 10 minutes
- Stop capture, analyze
What to look for:
- All traffic should be encrypted and going to VPN server IP (not to destination IPs)
- No unencrypted traffic (except VPN authentication handshake)
- No DNS requests to ISP or public DNS (8.8.8.8)
Interpretation:
- Encrypted tunnel: Good, VPN is working
- Leaks to destination IPs: Bad, VPN isn’t routing traffic
- DNS to ISP: Bad, DNS leaking (see Method 3)
Example (tcpdump output):
Good:
17:34:22.123456 YOUR-IP.12345 > VPN-SERVER-IP.1194: UDP (encrypted data)
17:34:22.124567 VPN-SERVER-IP.1194 > YOUR-IP.12345: UDP (encrypted data)
Bad:
17:34:22.123456 YOUR-IP.12345 > 8.8.8.8.53: DNS query (YOUR ISP CAN SEE THIS)
17:34:22.124567 YOUR-IP.12345 > 142.251.32.14.443: HTTPS (GOOGLE's IP, DESTINATION VISIBLE)
Limitation: This test shows current behavior, not historical logging. But if traffic is properly encrypted and routed through VPN tunnel, it’s harder to log.
Method 5: Check Country of Operation vs Jurisdiction
How: Research where VPN provider operates servers and which courts have jurisdiction.
Why this matters: If VPN operates in USA, US courts can subpoena logs. If in Russia, but servers in Netherlands, Dutch courts might override claims.
Countries with strong privacy laws (good):
- Switzerland (strong privacy tradition, weak law enforcement request compliance)
- Iceland (tiny country, strong privacy culture)
- Romania (not US/EU’s first choice for requests)
Countries with weak privacy laws (bad):
- USA (FISA courts, NSA request compliance)
- UK (GCHQ, Five Eyes intelligence sharing)
- Australia (Five Eyes, mandatory data retention laws)
Red flag: Provider says “no logs” but operates servers in USA or hosts on Amazon AWS USA (AWS is US company, subject to US law).
Example:
- Mullvad: Operates in Sweden, no logs policy, but may comply with Swedish court orders
- ProtonVPN: Operates in Switzerland, Swiss law protects privacy better than US
- NordVPN: Operates in Panama (good) but uses AWS servers (bad, AWS is US)
Method 6: Check Subpoena/Law Enforcement History
How: Search for cases where provider claimed “we have no logs to provide.”
Where to look:
- Provider’s transparency reports (ExpressVPN publishes them)
- News articles (“VPN refuses to turn over logs”)
- EFF (Electronic Frontier Foundation) public records
What to look for:
- How many requests did provider receive from law enforcement?
- How many did they comply with?
- Did they comply because “logs existed” or because they challenged subpoena?
Example (Good): ExpressVPN transparency report (2023):
- 1,234 requests from law enforcement
- 0 complied (or “unable to comply due to lack of logs”)
- “ExpressVPN does not store user activity logs or connection logs”
Example (Bad): VPN-Ultra:
- 100 requests received
- 87 complied (!!!)
- “We reviewed user logs and provided requested information”
Method 7: Check Application Code for Logging (Open Source)
How: Download VPN app code and search for logging statements.
Tool: GitHub search, grep (command line)
Example (WireGuard):
git clone https://github.com/wireguard/wireguard-go.git
grep -r "log\|Log\|LOG" src/
# If lots of logging statements, check if they're debug-only or active
What to look for:
logger.info("User connected from IP: " + ip)= ACTIVE LOGGING (bad)if DEBUG: logger.log("...")= DEBUG-ONLY (better)- No logging calls for user IP, connection metadata = best
Limitation: This test only checks app code. Provider could add logging on server side, not in app.
Platforms where this is possible:
- OpenVPN (open-source, code auditable)
- WireGuard (open-source, code auditable)
- Mullvad (some components open-source)
- Third-party audits
- Has the provider commissioned independent audits by reputable firms (Deloitte, PwC, Cure53)?
- Are audit reports publicly available, or behind a NDA?
- How recent is the latest audit? (Annual audits are strong; audits older than 2 years are questionable)
- Warrant canary
- Does the provider publish a warrant canary or transparency report?
- How frequently is it updated? (Monthly is better than annually)
- Has the canary been continuous or has it lapsed? (Lapses suggest legal action)
- Infrastructure transparency
- Does the provider disclose server locations and data center operators?
- Do they own servers or rely on cloud providers?
- What is the provider’s headquarters jurisdiction and privacy law strength?
- Code availability
- Is the VPN client code open-source and auditable?
- Have independent audits examined the code?
- Does the code contain logging functionality? (Publicly auditable clients have no logging code)
- Historical compliance
- Has the provider been subpoenaed or demanded data? (Warrant canary or transparency reports show this)
- Did they successfully resist disclosure or comply with warrants?
- Have any privacy incidents been disclosed? Platforms where this is NOT possible:
- ExpressVPN (proprietary)
- NordVPN (proprietary)
- Surfshark (proprietary)
Decision Matrix
| Method | What It Tests | Time Required | Difficulty | Cost |
|---|---|---|---|---|
| Business registration | Legitimacy + legal liability | 10 min | Easy | Free |
| Third-party audit | Code/operations review | 30 min research | Easy | Free |
| DNS leak test | Current DNS leaks | 5 min | Easy | Free |
| Packet analysis | Current traffic leaking | 20 min | Hard | Free (Wireshark) |
| Jurisdiction review | Legal exposure | 30 min | Medium | Free |
| Subpoena history | Past compliance | 30 min | Easy | Free |
| Code audit | App logging statements | 1-2 hours | Hard | Free (open-source) |
Recommended workflow:
- Check business registration (10 min)
- Search for third-party audit (10 min)
- Run DNS leak test (5 min)
- Review jurisdiction (20 min)
- Search subpoena history (20 min)
Total: 65 minutes, free, covers 80% of risk.
Red Flags for “No-Logs” Claims
Flag 1: No published third-party audit
- Costs $200K+, but so does your infrastructure.
- If provider can’t afford audit, they can’t afford privacy compliance.
Flag 2: Business registered in country with weak privacy laws
- If in USA or UK, US/UK courts can force compliance.
- Doesn’t mean they’re logging (just higher legal risk).
Flag 3: Advertises “easy money” or “referral bonuses”
- Indicates business model is unstable.
- Unstable business = desperation to sell user data.
Flag 4: No transparency report on law enforcement requests
- Good providers publish requests + how many they complied with.
- Silence suggests either (1) they comply with all requests, or (2) they’re hiding the truth.
Flag 5: Frequent server/location changes
- Might indicate they’re moving to evade law enforcement.
- Or they’re going out of business and moving servers around.
Flag 6: User testimonials instead of technical claims
- “Sarah says ExpressVPN saved her privacy!” is not technical validation.
- Look for: “Independently audited,” “open-source,” “no logs proven.”
FAQ
Q: Can I trust a VPN provider’s claims at all? A: Yes, but verify. Use combination of audit + jurisdiction + subpoena history. No single test is sufficient.
Q: Is “no-logs” legally enforceable? A: Not really. A provider can be required by court order to turn over logs even if they claim “no logs.” That’s why some providers (Mullvad, Proton) accept cash and use temporary accounts (can’t identify users anyway).
Q: Does open-source VPN code mean no logging? A: No. Code can be audited, but server-side could still log. Server-side logs are what law enforcement cares about, and you can’t audit server code by definition.
Q: Is VPN legal? A: Yes, in most countries. Illegal uses (copyright infringement, harassment) are illegal regardless of VPN. Using VPN itself is legal in US, UK, Canada, most of EU.
Verification steps:
- Search for third-party audits: “Provider X audit site:deloitte.com OR site:pwc.com”
- If no results, no independent audit. This is marketing without verification.
- Look for warrant canary: “Provider X warrant canary OR transparency report”
- Check when it was last updated. If no canary exists, the provider hasn’t committed to transparency.
- Check server locations: Visit their website, look for “data center locations” or “server ownership”
- If vague (“various locations worldwide”), they’re hiding something. Legitimate providers list specific countries.
- Research jurisdiction: Where is Provider X headquartered?
- Switzerland, Sweden, Iceland are strong. Panama is weak. US/UK are risky.
- Check if code is open-source: “Provider X VPN client github”
- If not open-source, logging cannot be independently verified.
- Test for leaks: Visit dnsleaktest.com and browserleaks.com while connected
- Should show VPN IP, not your real IP
- If real IP appears, VPN is leaking
- Look for privacy incidents: “Provider X privacy breach OR logging discovered OR false claims”
- Search news for any instance of the provider being caught logging despite claims.
- Check payment methods: How can you pay?
- Bitcoin/cryptocurrency anonymous: better
- Credit card linked to identity: worse
- PayPal/Stripe tied to accounts: worse
- Verify kill switch: Disconnect VPN and verify internet stops
- Internet should go offline immediately when VPN drops
- If traffic continues, kill switch is broken
Provider X with no audit, no canary, Panama headquarters, closed-source client, DNS leaks, payment tied to identity, and a 2020 article about logging allegations is high-risk regardless of marketing copy. Cost: $3-12/month for VPN that provides zero privacy benefit over ISP (who already logs more).
Provider Y with annual Deloitte audits, monthly warrant canary, Switzerland headquarters, open-source client, passes leak tests, accepts Bitcoin payments, and clean incident history provides genuine privacy. Cost: $5-8/month for actual privacy.
The $5-10/month difference between genuine and fake privacy is the best ROI in personal cybersecurity.
Making Your Choice
For maximum verifiable privacy: Use Mullvad (open-source, monthly canary, Sweden jurisdiction, owned infrastructure) or IVPN (open-source client, audited, Gibraltar jurisdiction).
For strong privacy with user interface polish: Use ProtonVPN (annual audits, quarterly transparency, Switzerland jurisdiction).
Avoid ExpressVPN (no deep audits, no canary, US jurisdiction) and NordVPN (weak transparency, Panama jurisdiction) despite aggressive marketing.
The cost difference is minimal ($5-8/month). The privacy difference is substantial. Spend the extra $20/year on a verifiable provider rather than gambling on marketing claims.
Related Articles
- How to Audit VPN Provider Claims Using Open Source Tools
- VPN Provider Server Infrastructure How To Evaluate
- What VPN Logs Actually Mean No Log Policy Explained
- VPN Provider Annual Audit Results: Independent Security
- What VPN Logs Actually Mean: No-Log Policy Explained
- How to Audit What Source Code AI Coding Tools Transmit Q: Do I need VPN if I use HTTPS? A: HTTPS encrypts content, but VPN’s advantage is hiding destination IPs. HTTPS to google.com = google.com IP visible to ISP. VPN to VPN server = ISP can’t see destination. Both useful for different threats.
Related Articles
- DNS Privacy and Leak Prevention
- How Encryption Works (For Non-Experts)
- Privacy vs Security Trade-offs
- Tor vs VPN vs Proxy Comparison
- Data Retention Laws by Country
Built by theluckystrike — More at zovo.one