2026-05-04 · vpn · audits

What a 'No-Logs VPN' Claim Is Actually Worth (and How to Verify It)

Every VPN claims no logs. Almost none of them mean it. Here's how to read a VPN's transparency report, what an audit actually proves, and which providers have been tested in court.

Every VPN landing page in 2026 says "strict no-logs policy." That phrase has become indistinguishable from "free shipping" — copied across the industry until it stopped meaning anything. Here is how to actually read those claims.

What a no-logs claim is supposed to mean

A genuine no-logs VPN does not record:

  • Connection timestamps tied to your account
  • Source IP address (or hashes of it)
  • Destination domains or DNS lookups
  • Bandwidth used per session
  • DNS queries (these route through the VPN by default)

Aggregate health metrics — total active connections, server load — are usually fine. The dividing line is whether anything stored can be tied back to a specific user.
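One way to apply that dividing line when reviewing what a server stores, as an added example that is not from the original post or from any provider. Field names and sample records are constructed, and the check judges values (IP address, hash-sized hex string, timestamp, hostname) instead of trusting field names.

```python
import hashlib
import ipaddress
import re

# Field names and records are constructed for illustration, not any provider's.
ACCOUNT_KEYS = {"account_id", "username", "email"}
SAMPLE = [
    {"server": "se-sto-wg-001", "ts": "2026-05-04T12:00:00Z", "active_connections": 412},
    {"account_id": "1234", "connected_at": "2026-05-04T12:00:03Z", "bytes_out": 52428800},
    {"src": hashlib.sha256(b"203.0.113.7").hexdigest(), "dst": "example.org"},
]
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
HOSTNAME = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}")


def classify(value):
    """Guess what kind of data a stored value is, judging by the value itself."""
    text = str(value)  # str() first: ip_address(412) would parse an int as 0.0.1.156
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        pass
    if HEX_DIGEST.match(text):
        return "digest"  # MD5/SHA-1/SHA-256 sized: a hashed IP is a stable pseudonym
    if TIMESTAMP.match(text):
        return "timestamp"
    if HOSTNAME.match(text):
        return "hostname"
    return None


def audit(record):
    """Return why a record can be tied to one user; [] means aggregate-only."""
    kinds = {key: classify(value) for key, value in record.items()}
    ids = [k for k in record if k in ACCOUNT_KEYS or kinds[k] in ("ip", "digest")]
    if not ids:
        return []  # nothing in the record links it to a user
    findings = [f"{key}: user identifier" for key in ids]
    for key, kind in kinds.items():
        if key not in ids and (kind in ("timestamp", "hostname") or "bytes" in key):
            findings.append(f"{key}: {kind or 'bandwidth'} linked to {ids[0]}")
    return findings


if __name__ == "__main__":
    print([audit(rec) or "aggregate only" for rec in SAMPLE])
```

The first record passes as an aggregate health metric; the other two are flagged because a timestamp, byte counter or destination sits next to something that identifies one user, including a hashed source address.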

What a "no-logs" claim actually means in marketing copy

Often: "we do not log *more than is necessary* for service operation." That carve-out can swallow everything. Connection timestamps could be "necessary for billing." Bandwidth caps require counting bytes per account. The phrase needs to be backed by either an audit, a legal incident, or both.

What an audit actually proves

A VPN audit is a snapshot. The auditor reviews server configurations, log retention policies, and code paths during a defined window. They cannot prove the company will continue not logging next month. They can prove that *at the moment of inspection,* the configurations match the marketing claim.

Read the audit report itself, not the press release. The good ones (PwC for Mullvad, Securitum for Proton VPN, Cure53 for IVPN) name specific server configurations they checked, list what they could not verify, and note any disagreements with the company.

What a legal incident actually proves

The strongest signal is a real-world subpoena where the VPN had nothing to hand over.

  • Mullvad had servers seized by Swedish police in 2023; nothing on them was useful, leading the police to leave empty-handed. Mullvad published the full incident report.
  • Proton VPN has been served by Swiss courts and produced no logs in cases where they had no logs to produce.
  • Private Internet Access (PIA) was subpoenaed in a 2016 US case; the operator testified under oath there were no logs to provide.

Marketing claims are talk. Behavior under legal pressure is the test.

What to actually look for when picking a VPN

A defensible VPN choice satisfies all four:

  1. Audited within 24 months, by a named third party, with the report public.
  2. Anonymous payment option (cash, Monero, or BTC). Not just "no email required" — real anonymity at payment time.
  3. A jurisdiction without mandatory data retention (Switzerland, Sweden, Panama). Avoid Five Eyes operators when possible.
  4. A track record under legal pressure (or being too new to have one — but if a provider is more than 5 years old and has never been tested, ask why).

By that filter, in mid-2026, the defensible choices are Mullvad, Proton VPN, and IVPN. NordVPN, ExpressVPN, Surfshark, and most of the marketing-heavy crowd score well on audits but lose points on jurisdiction or payment anonymity.

What a VPN does *not* protect

Worth saying because the marketing always overpromises:

  • Browser fingerprinting: a VPN hides your IP, not your browser configuration. Combine with Mullvad Browser or Tor.
  • Logged-in services: if you log into Google through a VPN, Google still knows it is you.
  • Endpoint compromise: spyware on your laptop bypasses the VPN entirely.
  • Traffic correlation by a global adversary: a sufficiently funded attacker watching both ends can correlate timing. This is Tor's threat model, not most VPNs'.

Recipe

For most threat models in 2026, pick Mullvad. Pay in cash or Monero. Pair with Mullvad Browser or LibreWolf. Don't expect it to do more than it does.
