Understanding VPN Jurisdiction and International Privacy

One of the essential features of a high-quality VPN service is a no-logs policy. For more than a decade, commercial VPN service providers have been spinning the online privacy angle to boost their sales. However, not all of them take their promises seriously. If you visit almost any VPN website, then the no-logs statement will flash right before your eyes. “Ensures nobody — not a single other person — can spy on your instant messages. There are no logs, no breadcrumbs, no nothing. It was as if the conversation never happened.” States HideMyAss on their web page, a VPN provider that has been caught logging data. Sad but true, that it’s hard to choose a reliable no-logs service provider when almost all of them state such policies upfront, without providing any proof. However, there are ways to notice red flags and one of them is service providers jurisdiction. This phenomenon tends to be overlooked but, as you will see from further paragraphs, plays a vital role when it comes to no-logs policies. So let’s see why exactly is this important and how to choose the VPN provider that can stand by their privacy claims. Why jurisdiction matters? To put it short, jurisdiction is a geographical location or an institution supplemented by laws unique to that location and/or institution. It’s a political term, and it defines the content and functioning of the laws in the area or institution in question. When it comes to VPNs, jurisdiction plays a vital role in defining what a VPN can and cannot do. For example, if you run a VPN service based in China, then their government can easily demand access to your servers, and if you deny their claim most likely you will be persecuted. Same extends to the United States and other countries that closely monitor their citizens’ activities. VPNs, on the other hand, claim to provide safe and private access to the internet. They do this by encrypting your traffic, so no one, including your ISP, cannot see what you’re doing online, or make sense out of encrypted gibberish. However, this shifts the “spying” capabilities from ISP to a VPN service provider because everything goes through their servers. And this brings back the topic to the no-logs. In most cases you will have to take a leap of faith: either you believe that your VPN provider does not log your activities online, or you don’t. But your belief should not be solely based on the information on their web page, and VPN jurisdiction is one thing that you should take into consideration before committing. 14–9–5 eyes alliance There’s an alliance called the 14-eyes countries. Formally known as UKUSA (United Kingdom — United State of America Agreement) it was established way back, 70 years back. It was formed on the dawn of the cold war with a primary purpose of sharing information regarding the Soviet Union and other communist countries. However, it outlived the communist block and continues the mass surveillance to this day. First of all, the core of the 14 eyes is 5 eyes: the United States, United Kingdom, Canada, Australia, and New Zealand. These are the countries that formed the core, that later was extended to 9 eyes: Denmark, Norway, France, and the Netherlands joined. The last additions enlarged the alliance to what it is now, with Germany, Sweden, Spain, Italy, and Belgium finalizing the supranational body. Regarding VPNs, choosing the one that has it’s main headquarters based in one of the 14-eyes countries is considered a bad practice. Businesses have their structures, but none of them is above the law. So if the laws in the country in question request a data-retention and/or mass surveilance, then a VPN provider will be forced into logging the data, thus denying the primary purpose of a private network, — privacy. An excellent example of this is a relatively recent clash between the Russian government and VPN service providers. In late March ten of them received orders from the Russian officials to block specific web sites, which is precisely the opposite of what VPNs do. However, providers had to pull their servers out of the federation because their services do not comply with local laws. This example clearly illuminates how governmental agencies can interfere with the idea of an open internet. Russia has also demanded that all information about their citizens should be kept in Russian servers, thus threatening the no-logs policies too. Next, I will shortly overview a few logging scandals that were related to the jurisdiction that VPN service provider operates in. IPVanish and HideMyAss scandals It’s usually best to illustrate one or another problem by picking actual examples to describe what happened. When it comes to data-logging against the written terms of service, two cases have been selected that illuminate the issue pretty clearly. IPVanish, a VPN that has been around for seven years, and is US based, has been caught providing user data to the FBI. Ethically speaking they have made the right decision and helped the FBI to put a serious criminal behind bars. On the other hand, on their web page and in terms of service, they have clearly stated and repeated multiple times that they do not store any information at all apart from the necessary information to maintain the service. However, when asked for logs in 2016, after a short dispute, IPVanish provided the source IP address of a suspected criminal, as well as dates and times that the suspect connected to the IRC network. After being pushed by law institutions IPVanish had to reveal that they are keeping at least some logs about their users, and that’s why one should avoid a VPN service providers that are based in the five eyes country. Another similar case happened in 2011 and involved HideMyAss VPN that’s also based in 5 eyes country, — the United Kingdom. As I’ve outlined at the beginning of the article, they also marketed the no-logs policy and privacy features of their service. Later on, they declared “As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order.” The aftermath resulted in an arrest of a hacker that got in trouble with Sony. Once again, we can see that a VPN service provider has to comply with the law and provide logs upon request. On both occasions, the cases have been made on criminal charges, and VPN technology should not be used for any malicious activities. On the other hand, data mining, governmental espionage, should no be taken lightly. As Cambridge Analytica revealed, confidential online data can even be used to undermine the democratic process, and private internet access is as important as ever. And VPNs that log data even though stating otherwise undermine this necessity. To conclude, VPN service providers cannot function against the law. And if laws regulate data-retention and force companies to collect user data, then the no-logs claim of providers operating in those countries cannot be maintained and will be violated when the circumstances demand. Such claims coming from companies in the 14-eyes countries should be taken with a big grain of salt.