Every VPN claims it keeps no logs. Private Internet Access is the only one that has proven it in a US courtroom, twice, under FBI subpoena, with real defendants and real stakes.
That makes PIA’s logging question the most interesting one in the industry, because the evidence is strongest exactly where you’d expect it to be weakest: a US company, inside the Five Eyes, with nothing to show a federal court.
The short version for skimmers: twice subpoenaed, twice nothing to produce, with the full stories below. Everything else in this article is context around those two facts.
The 2016 case: a bomb threat and an empty subpoena
In 2016, the FBI investigated a man named Preston McWaters for fake bomb threats and subpoenaed London Trust Media, PIA’s then-parent, for records identifying the user behind certain IP addresses. As TorrentFreak documented, the only thing PIA could produce was that the IP cluster connected from somewhere on the US east coast. No identity, no activity, no timestamps tied to a person. The data didn’t exist.
McWaters was convicted anyway, on other evidence, which is its own lesson: VPNs don’t launder guilt, they just don’t manufacture evidence against their users.
The 2018 case: same test, same result
Two years later, a hacking investigation produced another subpoena for PIA user data. TorrentFreak again: nothing to hand over, because nothing was logged. Two for two, under different cases and legal teams.
Court-tested no-logging is a different species of evidence from an audit. An audit verifies configuration during a scheduled visit from a firm the provider pays. A subpoena is an adversarial, unscheduled demand with criminal penalties for misrepresentation. PIA passed the version you can’t rehearse. In our comparison, that record earns PIA a 4/5 no-logs score despite the absence of a recent independent audit, a trade-off explained below.
The complications an honest assessment includes
US jurisdiction, first. PIA lives inside Five Eyes, subject to US legal process including National Security Letters with gag orders. The court record proves the no-logging architecture worked when tested; it cannot prove what future US law might compel, a structural risk our jurisdiction guide weighs against Panama- and Switzerland-based rivals. PIA’s mitigation is the same as Mullvad’s in Sweden: collect nothing, so there’s nothing to compel retroactively.
Ownership, second. PIA was acquired by Kape Technologies in 2019, the same owner as ExpressVPN and CyberGhost, a company whose earlier incarnation (Crossrider) distributed adware. Nothing since the acquisition suggests PIA’s logging practices changed, and the 100% open-source apps mean the client side stays inspectable. But buyers who weight corporate history heavily should know it.
Audit cadence, third. PIA commissioned a Deloitte audit of its no-logs setup in 2022 but hasn’t matched the annual rhythm of Proton VPN or NordVPN since. Given the court record, this matters less here than anywhere else, but the contrast with the audit-every-year crowd is real. Our piece on verifying no-logs claims ranks these evidence types against each other.
The 2022 Deloitte audit, briefly
Between the two court cases and today sits PIA’s one formal audit: Deloitte examined its no-logs configuration in 2022 and found the server environment consistent with the policy. It matters as corroboration from a Big Four firm, and it matters that PIA hasn’t repeated it annually the way Proton and NordVPN have; in our table that cadence gap is why PIA’s no-logs score sits at 4/5 rather than 5/5 despite the court record.
The fair synthesis: PIA’s evidence is the strongest on the dimension that matters most (involuntary, adversarial testing) and middling on the dimension audits cover (recurring voluntary verification). Buyers weighing it against Proton or NordVPN are really choosing which evidence type they find more persuasive; reasonable people land on both sides.
What PIA actually keeps and what it can’t say
Like every account-based provider, PIA holds your email and payment record. The no-logs policy covers the operational layer: no browsing activity, no connection or assigned-IP logs, no session records. The architecture runs RAM-only servers, so even seizure of hardware yields nothing persistent, the same design logic our RAM-only servers explainer covers.
The court cases bound what this means in practice better than any policy text: when US federal law enforcement asked, the most PIA could say about a user was the coast their traffic touched.
What to configure if you choose PIA
Settings worth a minute after install: enable the kill switch (PIA’s is robust, with an “advanced” always-on mode), pick WireGuard for speed, and turn on MACE, PIA’s DNS-level ad and tracker blocker, which quietly ranks among the better bundled blockers. Crypto payment is available for buyers who want the account itself less linked to identity, a half-step toward the Mullvad model. And as with every provider, verify the no-leak claim on your own setup once: two minutes on a leak-test site beats any review’s assurance, ours included.
Should you trust PIA with your privacy?
For the threat model most people actually have (ISP snooping, network surveillance, advertising profiles), PIA’s evidence file is excellent, and its price ($3.33/mo on the 1-year plan, unlimited devices) makes it the best privacy-per-dollar deal in our table. The full picture, including its weaker streaming, lives in our PIA review.
For threat models involving state-level adversaries specifically targeting you, the US jurisdiction is the honest hesitation, and Proton VPN or Mullvad fit better. That’s not a knock on PIA’s integrity; it’s just what the Five Eyes membership means structurally, no matter how empty the filing cabinets are.
What would have to be true for PIA to log you anyway
Steelmanning the skeptic helps calibrate trust. For PIA to log users today despite the record, several things would need to hold simultaneously: a reversal of the architecture that produced two empty subpoena responses, concealment surviving open-source client code and periodic external review, silence from employees across years and an acquisition, and a willingness to incinerate the company’s single market differentiator the day it surfaced.
Possible? In the way all unfalsifiable corporate betrayals are possible. Likely? The incentive analysis says no: PIA’s entire commercial identity is the court record, and no subpoena since has produced a contradicting result. That’s the honest shape of VPN trust generally: never proof, always a probability built from evidence, incentives and time. PIA’s particular stack of evidence is unusual enough that paranoia about it specifically is misallocated; the US legislative future is the rational thing to watch instead.
One historical footnote for completeness: PIA’s parent briefly drew criticism in 2016 for exiting Russia rather than complying with local server logging mandates, abandoning hardware instead of users. Episodes like that, leaving money on the table to keep the policy intact, are the texture behind the court record, and they predate the current ownership entirely.
PIA's no-logs policy is the most battle-tested in the industry: two FBI subpoenas, two empty responses, zero marketing department involvement. US jurisdiction and the Kape ownership history are the asterisks an honest writeup carries, and for high-stakes threat models they matter. For everyone else, PIA at $3.33/mo is proven privacy at a budget price, which is a combination nobody else in our table offers.