They explained why they dont pay for audits in a forum post and I agreed with their reasoning, which if I remember correctly was something like:
If we paid for an audit, there’s no way you’d know we didn’t enable logging, etc, right after the auditors left.
It really is just a game of trust when it comes down to it and they feel the most trustworthy to me, but if lack of an audit changes your mind that’s okay.
I think what they say makes sense. I read it the opposite way: How do I know any service with an audit really is as described the day after the audit concludes?
Most audits (as far as I’m aware) will tell the company maybe a week in advance that they are coming in to do the audit, so it’a not like surprise visits I don’t think.
I 100% think it comes down to trust (and some accountability being that their code is open source). Audits feel like a gamed system.
And being open source is a way of showing what they are doing.
You underestimate how costly it is to run services like that, your network is what it is, and it would be even costlier to change, who’s going to change it all, hired contractors? I mean hired people already have fulltime jobs in the company. Then scrape all the traces that there were logging (amongst other things)?
It’s not a Hollywood movie where you just “unplug the log machine” and hide it in a drawer.
They explained why they dont pay for audits in a forum post and I agreed with their reasoning, which if I remember correctly was something like:
If we paid for an audit, there’s no way you’d know we didn’t enable logging, etc, right after the auditors left.
It really is just a game of trust when it comes down to it and they feel the most trustworthy to me, but if lack of an audit changes your mind that’s okay.
That’s just so bad, “we won’t show what we’re doing because it’s tiresome to cover it up” is what I read here.
If you want to look at the thread I was referring to (looked it up): https://airvpn.org/forums/topic/56799-audits/
I think what they say makes sense. I read it the opposite way: How do I know any service with an audit really is as described the day after the audit concludes?
Most audits (as far as I’m aware) will tell the company maybe a week in advance that they are coming in to do the audit, so it’a not like surprise visits I don’t think.
I 100% think it comes down to trust (and some accountability being that their code is open source). Audits feel like a gamed system.
And being open source is a way of showing what they are doing.
You underestimate how costly it is to run services like that, your network is what it is, and it would be even costlier to change, who’s going to change it all, hired contractors? I mean hired people already have fulltime jobs in the company. Then scrape all the traces that there were logging (amongst other things)?
It’s not a Hollywood movie where you just “unplug the log machine” and hide it in a drawer.