Get Cape, a no-bullshit mobile provider focused on privacy and security, and get $20 off your monthly bill.

AzireVPN: Are they worth your trust?

Damn her! Naomi Brockwell got my shorts in a knot regarding the VPN Hellscape (read that, seriously). I knew the VPN scene was bad, but i didn't realize how bad until i watched her video, The DARK side of VPNs.

I use AzireVPN because i believe they are worthy of my trust, but believing is not enough and, given my freshly ingested fur-ball of fear due to Naomi's video, i decided to put the screws to Azire and see how they reacted.

AzireVPN is one of very few VPN service providers that claim to physically own, secure and install their own servers and, in my book, no company is even worth considering if they can't make that claim (that's right, screw you Nord, PIA, Express, HideMyAss, IPVanish and most of the rest of them!). Azire tells us that they physically seal unneeded ports, run the OS in RAM (no hard drives), and run their servers in Blind Operator mode. And of course they have a zero-log policy and do not require any personal information when creating an account. Even payment can be handled anonymously using crypto currency, but of course they still know your IP address. The problem of course is that Azire, or any other VPN provider, can make whatever claims they want and in the end, they all add up to zero unless there is evidence to support them and so i proposed a few ideas as to how Azire could potentially reinforce customer trust:

  • By providing purchase orders and receipts for their servers which could potentially be verified by contacting the vendor. My thought here is that, if they provide such evidence, then there is little reason to doubt that Azire is actually using the equipment they paid for.
  • More photographic evidence.
  • Video of how the servers are prepared showing the sealing of unused ports, removal of hard drives, etc..
  • Live-streaming the server installation at the data center during which an Azire customer would provide a random verification string to the installer via an azirevpn.com email address which the installer would then display in the video. The problem with this is that only one, or possibly a small number of people, would be able to verify the installation and every one else could correctly posit that the whole thing was a setup.

Following is their responses to my proposals:

Hi,

Thank you for writing to us, [REDACTED].

We understand your concerns and this is why we have made such an effort to be as transparent and forthcoming as possible in our content and messaging - and also why we have our service in the first place.

As you mentioned, we've shown in our various blogs how we transport and install our servers in various datacentres around the world. Adding to this is our documentation (https://www.azirevpn.com/docs/environment#installation), which I am sure you've read through by now, where we list as much information about our service as we can without going the opposite direction and compromising our infrastructure's security, and in effect our user's security.

We could provide purchase order receipts for the servers and show what we do with them before they get installed, but there is no way for you to know we actually installed the servers we showed. Unless we had a continuous camera shot from arrival of the server at our office all the way through to installation, there isn't a fool-proof way to show that we do what we say we do - even then, the video could easily be edited.

Moving forward with our new server installations, we will make an effort to provide more details and documentation regarding ownership and installation. However, at a certain point we have to draw a line for our infrastructure's security, our user's security, and of course our own personal security.

If you have any specific suggestions, we are eager to hear them.

And in a follow-up email they said:

Hey,

1. Receipts we will begin posting with all servers moving forward, with certain confidential information redacted of course. However, there will be enough to understand we did purchase the specific servers in use.

2. We will do a video demonstrating how we modify servers (some parts may be removed to help preserve the physical security) but the overall outcome and before/after will be shown to illustrate how we handle our servers. Additionally, we will improve the documentation of transportation and installation and security measures we take.

3. The video verification you suggested may be difficult, we are discussing this internally. That said - we do have a semi open door policy where we are happy to invite users to our office in Stockholm and also provide a tour of the datacentre we use here. If this is something you are interested in yourself, please let us know and we are happy to have you come and visit.

If you have any other ideas or suggestions to help improve our efforts towards transparency and security, please let us know. We are happy to improve things always.

While i was very pleased with their response and was looking forward to seeing tangible results, the person i was communicating with no longer holds a position at Azire. When i inquired again about the trust issue, i received the following reply (excerpt):

Regarding our blog posts, I understand that a photo of our servers may not be enough to demonstrate their authenticity. I am currently exploring additional ways we can showcase our servers, and I will keep you updated on any developments.

That was many months ago and i have not received any further information regarding this specific subject. That said, AzireVPN is not yet mature as there is apparently a lot of work being done under the hood. For example, regarding a 3rd party audit which i mentioned in another unrelated email, i was told the following:

We did not conduct a third-party audit yet due to the fact that our service is still deeply evolving. We released port forwarding in the summer, and other features are still being considered or currently in development.

We plan to conduct an audit when we deem our service to be near feature complete, and that we do not plan to do any overhauling soon after the audit has been performed, which would in some way nullify it.

The comment about nullifying the audit is an interesting one which suggests that a company, such as NordVPN for example, could arrange their infrastructure in a particular way in order to pass an independent audit and then sort of flip a switch and potentially log traffic, etc., once the audit has concluded. In other words, the importance that many people attach to 3rd party, independent audits seems to be over emphasized.

All that said, at this particular time i tend to trust Azire, however i'm also very anxious to see documents and imagery regarding the securing and installation of their servers. If they follow up on the earlier promises, they may be the most transparent VPN provider of all of them.