Consider removing audits as a minimum requirement and leaving the requirement as a best case.
The criterion itself is a bit vague, as there are no criteria as to what makes a third-party firm a “reputable” firm. There is also nothing defining when that audit has to have taken place or if there needs to be another audit. PG mentions it would be ideal for it to be comprehensive and done annually, but even some of the recommended VPNs would not meet that criterion. For example, Proton VPN was last audited in April of 2022. I question what value an audit from 20 months ago provides a potential new user.
Audits also do not guarantee future avoidance of traffic logging or transmission to third parties, which, to me, makes it more of a trust criterion than a security criterion.
EDIT: Changed title and category. In retrospect, I probably should have posted this as a question in the question category.
Is this change intended to allow another VPN provider to be recommended? Because all of our recommendations do meet this criterion already, so loosening restrictions for no reason doesn’t seem necessary.
What kind of mad idea is this?
Third-party audits play an essential role in the verification of trust in the security, finance, and privacy worlds. You really should not underestimate the impact this has.
I read this more as saying we should require an interval on audits, which actually would be a good idea…
Audits surely are a way to establish trust. But it is trust in the fact that the company has a good enough understanding of security, having had the implementation verified. That’s the entire idea of it.
Audits are a minimum threshold, to establish that at least the basics were done right, and therefore a very effective control.
Lol, did I just misread the report? That’s embarrassing…
Yeah, I agree, but that’s a trust issue, and PG already has a separate category of criteria for that. Audits only confirm something you had to trust the VPN provider on ahead of time.
Not a particular VPN, if that’s what you mean, but I think it allows for the very real possibility of a VPN with a great reputation, possibly even court-proven, but without an audit, to at least be considered.
I already use a VPN that is not recommended. It would not benefit me in any way if that VPN was recommended (other than the warm fuzzies of it being included). Anyone can guess from my post history what VPN I use. My evil plan is not to remove the requirement just to get the VPN I use approved lol.
I think people will overblow what kind of impact removing this, as a minimum requirement, would have. This does not seismically alter the number of VPNs that would qualify. Also, it is not like PG just recommends any VPN or other tool just because it meets the requirements stated anyway. I don’t foresee some sort of flood of insecure VPNs all of a sudden being suggested or approved.
I also posted this fully expecting a resounding “NO”, which is totally fine. I enjoy the back and forth.
I have never trusted any audit claim/company to begin with. IMO, there are too many holes in the audit chain, to the point that it’s useless unless you put your trust in it, and the trust you put in it is definitely not related to what has actually happened in reality.
It’s like those useless (sponsored) reviews, awards, etc.
I do not see them as being “essential”, but I think they are a nice way to help consumers trust a product. What it comes down to is I don’t see them being so important as to be an automatic disqualifier of a VPN.
Audits are good. In fact, you should do them on yourself more often. Audit your own house for good security. Audit your expenses and see where you could cut costs.
Sometimes it hurts to see where your locks fail, how much money you spend on Starbucks, and so on. But if you act on it to correct these issues, you become better. You buy better locks, buy actual freshly roasted coffee beans, a grinder, and an espresso machine, and have better-tasting coffee and save more money.
Audits add cost to the operation of an online service provider. Spending on a third party, with no interest in seeing you “win” or “lose”, to fact-check the company’s compliance with its own marketing claims is something desirable in my book. We should keep them so that good companies keep to their own claims.