What does 'no logs' actually mean for a VPN?

VPN logging falls into three categories: usage logs (websites visited, files downloaded), connection logs (timestamps, originating IP addresses, bandwidth), and aggregate logs (anonymous server statistics). When a provider claims 'no logs,' what matters is whether they retain connection logs or usage logs - the types that can identify individual users.

Which VPNs have had their no-logs policy tested in court?

Four providers have had their no-logs claims verified through adversarial law enforcement actions: ExpressVPN (Turkey server seizure, 2017), Private Internet Access (two FBI subpoenas, 2016 and 2018), Mullvad (Swedish police raid, 2023), and Windscribe (Greek prosecution of founder, dismissed 2025). Two providers - IPVanish and PureVPN - had their claims contradicted when they provided logs despite advertising no-logs policies.

What is a RAM-only VPN server?

A RAM-only server runs entirely in volatile memory with no hard drives. All data is wiped automatically when the server is rebooted or powered off. ExpressVPN, NordVPN, Surfshark, CyberGhost, Mullvad, and PIA all run RAM-only servers. Proton VPN uses full-disk encryption instead, arguing that RAM-only only protects against physical seizure of a powered-off server.

What is a VPN warrant canary?

A warrant canary is a regularly published statement confirming a VPN has not received any secret government subpoenas. If the statement disappears, it implies a gag order was received. Some providers (like IVPN) publish cryptographically signed monthly canaries. Others (like PIA) reject canaries in favor of detailed transparency reports, arguing canaries only alert users to damage already done.

VPN "No-Logs" Policies Tested in Court: Who Can You Trust?

Every VPN claims “no logs.” Most have never been tested. This page tracks the providers whose no-logs claims have been tested by law enforcement, courts, or server seizures – not by marketing departments or hired auditors.

The gap between marketing claims and verified reality is the single most important factor in choosing a VPN. A provider can write anything on its website. What matters is what happens when someone with a warrant shows up and demands data.

ⓘ Last reviewed: March 18, 2026

What Does “No Logs” Actually Mean?

Not all logging is the same. VPN providers use the phrase “no logs” to mean different things, and the distinction matters – it’s exactly what tripped up PureVPN in 2017.

There are three types of data a VPN could record:

Types of VPN Logging
Usage logs (activity logs)	The content of what you do: websites visited, files downloaded, searches made. The most invasive type. No reputable VPN keeps these.
Connection logs (metadata)	When you connected, how long, which server, your originating IP address, bandwidth used. Less invasive than usage logs, but enough to identify you. This is what PureVPN provided to the FBI in 2017 while claiming “no logs.”
Aggregate/anonymous logs	Server load statistics, crash reports, total bandwidth per server. Cannot identify individual users. Most providers keep some form of this for maintenance.

When we say a provider’s no-logs policy has been “verified,” we mean they could not produce connection logs or usage logs – the types that identify individual users – when compelled by law enforcement.

What Counts as “Court-Tested”?

We track three categories of adversarial verification:

Law enforcement compelled production. A government agency served a subpoena, court order, or warrant demanding user data. The VPN either produced data or demonstrated it had none.
Server seizures. Authorities physically seized VPN servers and examined their contents.
Criminal prosecutions. A VPN provider or its executives were charged in connection with activity on their network.

We do not count third-party audits here. Audits are useful – we cover them separately below – but they are fundamentally different. An audit is a controlled exercise where the VPN chooses the auditor, defines the scope, and cooperates throughout. A law enforcement action is adversarial. The provider does not get to choose the timing, scope, or outcome.

Five incidents across four providers. That is the entire body of court-tested evidence for VPN no-logs claims worldwide.

Tweet

Verified: No Logs Found

These providers had their no-logs claims tested under adversarial conditions. In each case, the provider could not produce user-identifying data because it did not exist.

Provider	Year	Jurisdiction	What Happened	Source
ExpressVPN	2017	🇹🇷 Turkey	Police seized server during assassination investigation of Russian Ambassador Andrei Karlov. No user data found. ExpressVPN withdrew from Turkey. Full details Turkish police found that the suspect’s Gmail and Facebook accounts had been deleted remotely through an ExpressVPN server. Authorities physically seized the server in January 2017. ExpressVPN stated it had no connection logs that could identify which customer used the IP addresses in question. The company subsequently stopped operating physical servers in Turkey.	ExpressVPN Blog
Private Internet Access	2016	🇺🇸 USA	FBI subpoena in bomb threat case. PIA confirmed IPs were theirs but could provide no identifying information. Court confirmed inability to produce logs. Full details The FBI investigated hoax bomb threats against schools and an airport in Palm Beach County, Florida. Subpoenas traced activity back to PIA IP addresses. PIA confirmed the IPs belonged to its service and originated from the US east coast, but could not provide any further identifying information. Court documents in the prosecution of Preston McWaters confirmed PIA’s inability to produce logs.	TorrentFreak
Private Internet Access	2018	🇺🇸 USA	FBI sought connection records in Embarcadero Media hacking case. PIA had no logs and no subscriber records matching the suspect. Conviction built on non-VPN evidence. Full details The FBI investigated the hacking of email accounts and websites belonging to Embarcadero Media, a California news publisher. PIA confirmed it had no logs and could not find subscriber records matching the suspect’s email addresses. The FBI built its case using other evidence. Ross M. Colby was convicted using non-VPN evidence.	TorrentFreak
Mullvad	2023	🇸🇪 Sweden	Six police officers raided Mullvad’s office with a search warrant. Mullvad demonstrated no customer data existed. Police left empty-handed. Full details On April 18, 2023, officers from Sweden’s National Operations Department (NOA) raided Mullvad’s office in Gothenburg with a court-issued search warrant originating from a German legal cooperation request. Police intended to seize computers containing customer data. Mullvad demonstrated to the officers that no customer data existed on any systems. After consulting with the prosecutor, police left without seizing anything.	Mullvad Blog
Windscribe	2023-25	🇬🇷 Greece	Founder Yegor Sak personally prosecuted after INTERPOL traced activity to Windscribe servers in Finland. All charges dismissed. Court accepted no-logs policy as valid defense – a legal first. Full details Greek authorities, working with INTERPOL, traced an IP address used to breach a Greek server back to Windscribe infrastructure in Finland. Greek prosecutors charged founder Yegor Sak personally rather than pursuing the matter through corporate channels. All charges were dismissed by the Athens court on April 11, 2025. The court accepted that Windscribe could not provide user data it never collected. This is the first known case where a VPN executive was personally prosecuted and a no-logs policy was accepted as a valid legal defense.	Schneier on Security

Two providers advertised no-logs policies and provided user logs when compelled. Both have changed ownership since.

Tweet

Contradicted: Logs Were Provided

These providers advertised no-logs policies but provided user-identifying data to law enforcement when compelled. Both incidents occurred before ownership changes, and both providers have since commissioned independent audits. The incidents remain part of the public record.

Provider	Year	Jurisdiction	What Happened	Source
IPVanish	2016	🇺🇸 USA	DHS demanded data in child exploitation case. After initially claiming no logs, IPVanish provided source IP and connection timestamps. Now under different ownership (Ziff Davis) with two independent audits (2022, 2025). Full details DHS investigated a suspect accessing child exploitation material via IRC. The IP traced to Highwinds Network Group (IPVanish operator). After a first summons where Highwinds claimed no logs, a second summons produced the suspect’s source IP and connection timestamps – despite IPVanish advertising a “strict zero-log policy.” IPVanish was acquired by StackPath (2017), then Ziff Davis (2019). Under Ziff Davis, IPVanish completed audits by Leviathan Security Group (2022) and Schellman (2025).	TorrentFreak
PureVPN	2017	🇺🇸 USA	FBI cyberstalking case. PureVPN provided connection timestamps and originating IPs despite “no log” advertising. Later claimed it only meant “no usage logs” – a distinction that is exactly why understanding what “no logs” means matters. Commissioned KPMG audit in 2020. Full details The FBI investigated Ryan S. Lin for an extensive cyberstalking campaign. PureVPN provided connection timestamps and originating IP addresses, showing the same PureVPN IP was accessed from the suspect’s home and workplace within minutes. PureVPN later distinguished between “usage logs” (never kept) and “connection logs” (kept at the time). Lin pleaded guilty in May 2018 to cyberstalking, distribution of child pornography, bomb threats, computer fraud, and identity theft. PureVPN commissioned a KPMG audit in 2020.	The Register

Timeline: Every Known Court Test

Seven incidents across nine years. This is the complete public record of VPN no-logs claims being tested by law enforcement.

2016

PIA – FBI subpoena (bomb threats). No logs found.

2016

IPVanish – DHS summons (child exploitation). Logs provided.

2017

ExpressVPN – Server seized in Turkey (assassination investigation). No data found.

2017

PureVPN – FBI investigation (cyberstalking). Connection logs provided.

2018

PIA – FBI subpoena (hacking). No logs found. Second confirmed test.

2023

Mullvad – Police raid in Sweden with search warrant. No customer data existed.

2025

Windscribe – Founder prosecuted in Greece. All charges dismissed. Legal first.

RAM-Only Servers: Hardware-Level Protection

Some VPN providers run their entire server infrastructure in volatile memory (RAM) with no hard drives. If a server is seized or rebooted, all data is wiped automatically. This is a meaningful technical safeguard – it means even if authorities physically take a server (as Turkish police did with ExpressVPN in 2017), there is nothing persistent to examine.

Provider	RAM-Only?	Technology	Since
ExpressVPN	✓ Yes	TrustedServer – custom read-only OS image, PwC-audited	2019
NordVPN	✓ Yes	Full network diskless, plus colocated self-owned servers	2019
Surfshark	✓ Yes	100% RAM-only with 10 Gbps ports	2020
CyberGhost	✓ Yes	Full network RAM-only. NoSpy servers in Romania are self-owned.	~2020
Mullvad	✓ Yes	Custom stboot bootloader with cryptographic OS verification	2023
Private Internet Access	✓ Yes	NextGen network, Deloitte-audited	~2022
Proton VPN	✗ No (by choice)	Bare-metal servers with full-disk encryption (AES-256). Keys stored off-site.	N/A

Why Proton VPN says no. Proton VPN has publicly argued that RAM-only is “marketing hype” because a running server’s memory is equally accessible to an attacker with root access. Their position: full-disk encryption on a powered-off server provides equivalent protection to RAM-only, and RAM-only only matters if a server is physically seized while powered off – a narrow scenario. It’s a legitimate technical argument, even though most of the industry has gone the other direction.

Third-Party Audits: Useful but Different

Many VPN providers have commissioned independent audits to verify their no-logs claims. These are valuable but fundamentally different from the court-tested cases above. An audit is a point-in-time assessment where the provider selects the auditing firm, agrees on the scope, and cooperates throughout. That is why we track the two categories separately.

Regular audits by reputable firms are a meaningful signal – especially when the reports are published in full.

Provider	Auditor	Year(s)	Scope	Report
NordVPN	PwC	2018, 2020	No-logs verification	Not public
NordVPN	Deloitte	2022	No-logs verification	Not public
Proton VPN	Securitum	2022-2025 (annual)	On-site no-logs audit. No activity logging, no connection metadata, no traffic inspection.	Full report published
Surfshark	Deloitte	2023	No-logs verification	Not public
ExpressVPN	PwC, KPMG, Cure53	Various	Multiple security and no-logs audits	Not public
TunnelBear	Cure53	Annual since 2017	Full security audit. First major VPN to publish independent audit results.	Full report published
PureVPN	KPMG	2020	No-logs verification (commissioned after 2017 FBI incident)	Not public
IPVanish	Leviathan Security, Schellman	2022, 2025	No-logs compliance (commissioned after ownership change)	Not public

On audit report availability: Most VPN no-logs audits are not published in full. The provider typically issues a summary or press release. Proton VPN and TunnelBear are notable exceptions – both publish full audit reports publicly. We link to official published reports where available but do not host copies, because audit reports are living documents and a hosted copy risks becoming stale.

Warrant Canaries and Transparency Reports

A warrant canary is a regularly published statement saying “we have not received any secret government subpoenas.” If the statement disappears, the implication is that a gag order was received. Transparency reports go further, disclosing the number and type of data requests received.

The industry is splitting into two camps: some providers maintain traditional warrant canaries, others have moved to detailed transparency reports, arguing they provide more useful information.

Provider	Canary	Transparency Report	Frequency	Notable
ExpressVPN	✗	✓	Semi-annual	374 requests in H1 2025, zero data disclosed
NordVPN	Transitioning	✓	Quarterly	2.4 million+ DMCA requests in early 2024, zero data disclosed
Surfshark	✓	✓	Quarterly	Maintains both canary and report simultaneously
CyberGhost	✗	✓	Quarterly	Details DMCA and police requests, zero data disclosed
Mullvad	✓	Via blog	As needed	Real-world proof: 2023 police raid, left empty-handed
PIA	✗ (rejected)	✓	Quarterly	Argues canaries “solve the wrong problem.” Q3 2025: 19 requests, zero data.
Proton VPN	✓	✓	Periodic	Swiss law requires eventual notification of surveillance targets
Windscribe	–	✓	Real-time	Live dashboard showing all requests. Response is always “can’t help you.”
IPVanish	✗	✗	N/A	No canary or transparency report found (as of March 2026)
PureVPN	–	✓	Periodic	Discloses court orders and responses
IVPN	✓	✓	Monthly	Gold standard: cryptographically signed monthly canary. All apps open-source.

What This Means for You

A practical framework for evaluating no-logs claims:

Court-tested (strongest evidence). The provider was compelled to produce data by a government agency or court and could not. Five incidents across four providers – ExpressVPN, Private Internet Access, Mullvad, and Windscribe – fall into this category.

Audit-verified (good but weaker). A reputable third-party firm examined the provider’s infrastructure at a specific point in time and found no logging. Meaningful signal, especially when audits are repeated annually and published in full. But the provider chose the auditor, the timing, and the scope.

Marketing-only (unverified). The provider claims “no logs” on its website but has never been tested by law enforcement and has never commissioned an independent audit. Most VPN providers fall into this category. The claim may be true – it is simply unverified.

Contradicted (proceed with caution). IPVanish and PureVPN had their no-logs claims directly contradicted by court evidence. Both have changed ownership and commissioned audits since. Whether those audits are sufficient to restore trust is a judgment call.

One important caveat: no external test can definitively prove what a company does with its server logs at all times. Our VPN leak test verifies whether your VPN is providing technical protection right now (IP leaks, DNS leaks, WebRTC leaks). This page tracks policy verification – whether claims about data retention have held up under scrutiny. Both matter.

What We Don’t Do

We don’t accept payment from VPN providers to appear on this page. We don’t remove negative entries. We don’t count marketing claims as evidence. We don’t host audit reports (they go stale). We don’t speculate about providers that haven’t been tested – “not tested” is its own honest category.

If a new court case, server seizure, or prosecution involving a VPN provider’s no-logs claims becomes public, we will add it here.

Test Your VPN Now

Knowing your VPN provider’s logging policy is one half of the equation. The other half is confirming your VPN is actually working – that your real IP address, DNS requests, and WebRTC connections are not leaking outside the tunnel.

Our free VPN leak test checks all three in about 30 seconds. No signup required.