As you do research into VPNs, trying to pick the best one for you, one of the recurring themes you’ll encounter is scary ideas about jurisdiction. Jurisdiction refers to the location where the VPN company is incorporated or has its primary offices or physical employee presence.
The myth is that if the VPN company is located in a place that does not share information with other countries or that has no “spying” operations of its own, then your data is safe from authorities and spies.
In some articles you’ll find that companies whose ownership or corporate offices cannot be located are actually given positive points in rankings! At least one affiliate-run site says that it’s the number one thing that they look for when evaluating a VPN provider.
We believe that these ideas are dangerous for almost all users. In this article we’ll outline the reasons why.
Where a company is based has very little to do with whether logs are kept or not. A few countries, including the UK (but not the USA), formally require you to keep log files, but most countries do not require that you keep log files of any kind.
Thus, keeping logs is generally a decision by the VPN provider and those that do usually do it to collect and sell your data to compensate for the low rates they’re charging you for service.
Additionally, all VPN providers keep some logs. Otherwise, they would not be able to manage their network and keep it free of spammers, hackers and other bad actors, or be able to make good network architecture decisions to keep their networks problem-free. Good providers will generally keep those small utility logs for short periods of time and then get rid of them.
But all that has nothing to do with jurisdiction.
Many VPN-related articles on the internet refer to “Five Eyes”, “Nine Eyes” or “Fourteen Eyes”.
These are various groups of countries that share surveillance and intelligence information with each other. Here are the countries in each group:
- Five Eyes: United States, Canada, United Kingdom, Australia, New Zealand
- Nine Eyes: United States, Canada, United Kingdom, Australia, New Zealand, Denmark, France, Netherlands, Norway
- Fourteen Eyes: United States, Canada, United Kingdom, Australia, New Zealand, Denmark, France, Netherlands, Norway, Belgium, Germany, Spain, Italy, Sweden
Many of these countries, with the notable exception of the United States, have mandatory data retention laws and powers that enable authorities to access data without warrants. A full list of what these laws are by country can be found here.
Avoiding The Eyes
The trend with VPN articles seems to be that you want to avoid vendors located in the “eyes” countries because you can then bypass all the logging they do.
But is that really true?
Let’s think about this logically…
Let’s say that you are located in the UK with its strict logging laws and you are using a VPN vendor based on an island like BVI (which seems popular with VPN vendors). Now, assuming that you want to make a surveillance-free connection to a web server located in the UK, how does that work?
Well, as a user, you will connect to a VPN server in a country that is not the UK – let’s say that’s Singapore. Then from that Singaporean server you’ll connect to the web server in the UK.
Because the user is based in the UK, significant portions of that connection are still logged. The initial connection from the UK to the Singaporean VPN server is logged by the UK-based ISP, and the connection back to the web server in the UK is logged by both the ISP of the web server operator (based in the UK) and likely the web server operator themselves.
The authorities, with some simple timing correlation algorithms, can easily identify the user.
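The timing correlation described above, sketched as an added example (not from the original article) over constructed records. The subscriber names, timestamps and the 0.5 second delay window are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data, not real logs. Times are seconds from an arbitrary start.
# View 1: a UK ISP's flow records of subscribers sending traffic to the VPN server.
ISP_FLOWS = [
    ("subscriber-A", 100.00), ("subscriber-A", 160.00),
    ("subscriber-A", 245.00), ("subscriber-A", 301.00),
    ("subscriber-B", 100.10), ("subscriber-B", 200.00),
    ("subscriber-B", 245.20), ("subscriber-B", 400.00),
    ("subscriber-C", 50.00), ("subscriber-C", 160.25), ("subscriber-C", 310.00),
]
# View 2: the UK web server's access log, requests arriving from the VPN exit address.
SERVER_HITS = [100.31, 160.29, 245.33, 301.30]


def correlate(isp_flows, server_hits, max_delay=0.5):
    """Count, per subscriber, how many server hits follow one of their
    tunnel packets within max_delay seconds (assumed transit time via the VPN)."""
    scores = Counter()
    for hit in server_hits:
        matched = {sub for sub, sent in isp_flows if 0 <= hit - sent <= max_delay}
        scores.update(matched)  # each hit counts at most once per subscriber
    return scores


def best_candidate(isp_flows, server_hits, max_delay=0.5):
    """Return (subscriber, fraction of server hits their traffic explains)."""
    scores = correlate(isp_flows, server_hits, max_delay)
    if not scores:
        return None, 0.0
    sub, n = scores.most_common(1)[0]
    return sub, n / len(server_hits)


if __name__ == "__main__":
    print(correlate(ISP_FLOWS, SERVER_HITS))
    print(best_candidate(ISP_FLOWS, SERVER_HITS))
```

Any single request matches more than one subscriber by coincidence, but across four requests only one subscriber's tunnel traffic lines up every time. Neither log needs the VPN provider's cooperation or any record from the Singaporean server.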
The only portion of the connection that might not be logged someplace is the Singaporean log. But is that really true – isn’t it possible that the Singaporean ISP is logging some data in order to manage their network and will turn it over in response to a valid legal query?
Finally, once you get to your target website and log in, you’ve just been identified. Or if you’ve visited before, the cookies on your computer have correlated prior visits.
VPNs, by themselves, just make it more difficult for the “eyes” to piece together data; they don’t hide your activities all that much once they’ve determined that they need to put things together.
VPN Employee Vulnerabilities
While the legal location for many VPN corporate offices might be based outside the “eyes”, most employees for these companies are not – they are likely based in locations that are close allies of “the eyes”. Which means that they fall under legal purviews that might compel them to turn over data regardless of where the physical servers are located.
How many employees working in a remote office are going to stare down the equivalent of the US FBI on behalf of a corporation based on some remote island and whose owners they’ve never met?
It’s almost impossible to avoid the “eyes” with just a VPN. A VPN makes it harder, but by sharing data across borders they’ll eventually get what they need.
Instead, a VPN is very useful in avoiding spying by non-state actors such as hackers on free or public wi-fi networks. And it also helps you bypass the spying that your own ISP conducts on your browsing habits.
A Contrary Jurisdiction Alternative
Instead of trying to completely avoid the “eyes”, how about locating the VPN provider inside the one with the least restrictions and the most legal protection?
That location would be the United States.
Yup, you read that right. Ironically, because they have a strong judicial system, being based in the US allows every request for data to be disputed if necessary. And with no legal logging requirements, a VPN provider will likely have no data anyway. So the only logging that is done is likely done “on the wire” by entities like the NSA which would be doing that anyway, regardless of where YOU are located.
Here’s another thing to consider – if a firm is located in some tiny remote location, what prevents armed forces or spies or just guns-for-hire from showing up and just forcefully taking what they want?
Or what legal barriers are there to prevent data from being surreptitiously exfiltrated by state actors with boots on the ground?
And if either of those things happens, no one might ever know about it. With no defense and no judicial recourse, data is a lot easier to take than it would be if the VPN provider was located in a country with a strong judicial culture!
The focus on jurisdiction is overrated. We’re not saying it’s not a plus, we’re just saying that maybe the focus on it is overrated. And that maybe being located in select members of the “eyes” might actually be better in many cases.
And, if you’re transferring sensitive data you should encrypt that data before transferring it anyway – with or without a VPN.