Jurisdiction is a key consideration when selecting a trustworthy VPN provider.
Some VPN companies argue that concerns around jurisdictions and their surveillance practices are unwarranted and overblown. However, there are several real-life cases that prove the risks associated with operating in a Five Eyes country.
If you’re using a VPN for privacy purposes, you already believe you cannot trust certain parties. These parties might be the websites you’re visiting or the government whose mass surveillance program is encroaching on your rights.
Using a VPN that’s based in an invasive jurisdiction simply adds one more untrustworthy party with a responsibility for your online activity.
When you use a VPN service, you should be aware of the jurisdictions governing:
- Your physical location
- The location of your chosen VPN server
- Your VPN provider’s business location
If you really want to be safe, it is best to know the laws and practices of all three.
If any of these locations are subject to invasive privacy laws or data sharing obligations, they could be susceptible to unwarranted searches and compromises in the name of ‘national security’.
Your VPN provider could be forced to hand over information to authorities about its users, which can then be shared with several other countries according to intelligence-sharing agreements.
VPN services based in an invasive jurisdiction could be vulnerable to the following issues:
1Surveillance and Data Retention
Along with their usual surveillance infrastructure, national intelligence agencies like the NSA and GCHQ have the power to force domestic organisations to log, share, and decrypt private information. Given the scope of their bulk surveillance programs, targeting a certain company or server network is particularly easy.
In the United States, the Patriot Act ushered in new powers for federal data collection, especially through the use of National Security Letters. These laws give authorities the power to coerce a legitimate privacy-focused business to become a data gathering tool for state agencies.
These logging requests may be accompanied by a gag order which makes it illegal for the target company to disclose what they’re being compelled to do. Some VPN companies publish warrant canaries in an attempt to tackle this problem, which we’ll cover later in this guide.
Data sharing requests are less problematic if the target company has a zero-logging policy. However, it is possible a company might be coerced into logging.
There is a precedent for this. In 2013, secure email service Lavabit was targeted by the FBI after learning that Edward Snowden had used the service. The company was subpoenaed with a gag order for the encryption keys to its users’ email contents. This would allow the FBI to access communications in real-time for all of Lavabit’s customers, not just Snowden’s.
The founder of the company, Ladar Levison, handed over the company’s encryption keys and shut down the service simultaneously. US authorities proceeded to threaten Levison with arrest, arguing that his actions violated the court order.
Screenshot of the Lavabit case files released by the FBI. Snowden’s email address was mistakenly left unredacted; the documents were later published by pro-transparency group Cryptome.
Similarly, Seattle-based VPN service Riseup was forced to collect user data for government authorities, and was also served with a gag order to stop them revealing this to their users.
HideMyAss, a VPN provider based in the UK, was also served with a court order to collect data and share this with authorities for a criminal investigation. This was not revealed until after the prosecution.
These are just examples of cases that have been made available to the public — it’s highly likely that there are other examples we don’t yet know about.
Ultimately, if faced with legal action, a VPN company operating in an invasive jurisdiction has three options:
- Comply with the request to log, decrypt, and share user information.
- Comply with the request but remove a warrant canary, signaling a compromise.
- Shut down the service or the compromised server immediately.
International surveillance agreements like the Five, Nine, and Fourteen Eyes Alliances allow member countries to take advantage of, as EFF puts it, “the lowest common privacy denominator.” In other words, every participating country gets to benefit from the mass surveillance data each other member brings in.
The intelligence-sharing practices of these countries have wide implications for internet users and VPNs in particular. It is reasonable to assume that if any one of these nations gains access to your data, it can then be shared with other countries.
Likewise, if a law expanding electronic surveillance capabilities is passed in one of these countries, it is as if the same legislation is passed in every country involved in the agreement. This means there is a strong chance your activity is being collected and shared with an intelligence agency no matter where in the world you are.
3Virtual Private Servers
Some VPN services rent Virtual Private Servers (VPS) to reduce operational costs. Virtual rented servers are significantly cheaper than owning physical servers.
While they can reduce a VPN provider’s overheads, a VPS can be problematic in terms of privacy.
Rental servers can keep logs of your activity regardless of the VPN company’s logging policy. Depending on the jurisdiction of the rented server, local authorities could compel the server host to retain or share this data.
In this case, the jurisdiction and logging policy of the VPN company is redundant. Local authorities can go directly to the server host to seize the information they need.
There are a handful of truly no logs VPN services that have passed real-life test cases or been audited by third parties. A VPN in a safe offshore jurisdiction simply adds additional protection, as there is less chance it can be compelled to hand over data to authorities.