You generally can’t trust a VPN to honor privacy. This has been proven time and again, as multiple zero-log VPN services and “free” VPN services data-mined, collected digital footprints, and otherwise did not provide what you signed up for.
Private Internet Access had Deloitte Audit Romania, which is part of the Deloitte organization, audit its no-logs policy, and the audit found it in compliance. That’s the extent of it: an outside auditor found no evidence of PIA doing anything they say they’re not doing, or logging any of your information.
Were Deloitte’s cyber ninjas able to detect misdirection? Did PIA turn it off and back on again after Deloitte left? Tinfoil hat time? I believe PIA, but that’s just an opinion, man.
The main takeaway from the PIA announcement is that, besides not logging, the servers themselves are RAM-only operations with an image loaded from disk on reboot, and anything logging-wise is lost on reboot as well. The reboots are scheduled.
Here’s the blog entry on their audit. Anything below here is probably just Paul editorializing about VPNs.
Opining on Private Internet Access, and VPNs in general
However, the privacy-inclined should note that even with no logging or storing of data, there are still things state actors can do to undermine and expose information. A VPN, even working properly, can’t hide it all. If your connection drops, you make a mistake, or you transmit a set amount of data at a certain time in a state that’s monitoring packets, you’re identifiable. If you’re on a cell phone, you’re at the mercy of the carrier-installed spyware regardless of your internet connection or operating system.
With the no-logging policy comes a lack of debug and error logs, the kind that might detail an incoming attacker. So yeah, that’s… something.
That said, PIA has proven its claims of no logging in court, with nothing to hand over, and you can audit the source code to OpenVPN if you want to go that route for security.
But you know, I’m pretty much of the idea at this point that although VPNs are a good idea, they’re not a major player in security these days. I trust Private Internet Access to do what I want it for, which is mostly popping out in other countries, seeing what Pocketables looks and loads like around the globe, threatening kittens in Japan, keeping my already encrypted traffic encrypted again, and adding an extra layer of DNS leak prevention.
It’s one of the tools we’ve used at work, and we generally throw it up, or have people connect to our work VPN, just to prevent bad actors on crappy hotel networks from getting enough info to do anything. We know a bad actor got a couple of websites (banks) from the HTTP days and used it to request that our accountant transfer money from A to B and cut a check to some rando. Didn’t happen, but they knew our banks after a connection to a crappy hotel Wi-Fi.
Oh yeah, if you sign up for Private Internet Access I don’t get a thing (there might be an affiliate link from a few years back, I think, when we discovered bloggers get 50% of the signup, which is dead now). If you sign up for Google One with their VPN included, I also don’t get a thing. I’m not promoting either, but both have been good for my uses.