CyberGhost began 2026 with the same claim it has made for years: when copyright holders and police ask for user data, there is nothing to hand over. In its transparency report for January through March, the VPN provider said it received 53,533 DMCA complaints and four police requests, all of which ended without disclosure because the company says it keeps no logs linking activity to identity.
That matters beyond one brand’s quarterly update. VPNs sell privacy as infrastructure, not as a marketing slogan, and transparency reports have become one of the few public windows into whether those promises hold up under legal pressure.
What the numbers show about pressure on VPN providers
The overwhelming bulk of requests came from copyright enforcement. CyberGhost reported 19,296 DMCA complaints in January, 15,973 in February, and 18,264 in March. Police requests were far rarer, with two in January, two in February, and none in March. Compared with the 56,053 DMCA notices the company said it received in the final quarter of 2025, the latest total is slightly lower, but still large enough to show how routinely VPN exit IP addresses are swept into automated enforcement systems.
This pattern is familiar across privacy services. Copyright notices generally target an IP address seen in file-sharing or distribution activity, but an IP address alone does not identify a person. For a VPN, the crucial question is whether it stores connection records that could bridge that gap. If it does not, legal requests reach a hard limit very quickly.
Why a no-logs policy matters only if the architecture supports it
CyberGhost says its servers run on volatile RAM and are wiped on reboot, and that it does not record browsing history, traffic content, or timestamps. Those design choices matter because privacy is not created by a policy page alone. It depends on what a company’s systems are technically capable of retaining.
That is the central issue in any VPN transparency report. A provider can promise not to identify users, but the stronger claim is structural: that the service is built to avoid creating a usable trail in the first place. For readers, the lesson is straightforward. Privacy claims are most credible when they are tied to clear operational limits, external testing, and public reporting over time.
Security work continues long after the legal requests stop
The report also points to CyberGhost’s bug bounty program, run with YesWeHack. In the first quarter of 2026, researchers submitted 20 reports, five of which were judged valid and fixed, while 15 were classified as invalid or informational. That ratio is not unusual in coordinated disclosure programs, where many submissions turn out to be duplicates, edge cases, or non-exploitable findings.
The more important point is that privacy services cannot rely on secrecy. A VPN handles sensitive traffic, account data, and authentication systems, which makes outside scrutiny valuable. Public bug bounty programs create a structured way to find weaknesses before criminals do.
Why the broader threat landscape makes privacy tools more consequential
The quarter’s wider cybersecurity news helps explain why demand for privacy and resilient infrastructure remains high. CyberGhost highlighted a major breach involving TELUS Digital and the ShinyHunters group, an outage at ignition interlock provider Intoxalock, a destructive attack attributed to Handala against Stryker, and an FCC warning about ransomware pressure on telecom firms. The incidents differ in target and method, but they share one lesson: digital systems now sit directly underneath essential services, outsourced operations, and communications networks.
That does not mean a VPN can solve every security problem. It cannot stop a third-party vendor from being breached or protect a company hit by ransomware. But it can limit some forms of exposure, especially where IP-based tracking, insecure public networks, or routine data collection are concerned. As cyberattacks spill more often into daily life, providers that claim to defend privacy will face a simple test: not what they promise when times are calm, but what they can prove when the requests arrive.