Your VPN provider won't go to jail for you for 5 dollars

The phrase in the title is a common trope that comes up when VPN services are discussed. While this statement is technically correct, it can be misleading, as it implies that all providers handle law enforcement requests and prepare for worst case scenarios similarly, so their conduct cannot be a differentiating factor when you evaluate them. In this blog post we explain why competent service operators can avoid having to share sensitive information about you without facing severe legal consequences. The reasons laid out will also highlight why you are better off choosing a VPN service run by privacy activists who will prioritise principles before profits in difficult situations.

Let’s start with clarifying the statement in the post title: A VPN provider might face jail time for not complying with valid legal requests for sharing information as per the rules of the jurisdiction they operate in. Since reputable VPN services operate in countries that rely on the rule of law for fighting crime and national security, those responsible for your privacy will have no choice but to comply when facing pressure from law enforcement, so they can avoid prosecution.

We believe these observations apply to most VPN companies, however in every case, people running them have choices. Choices that prepare them for when law enforcement come knocking, in their conduct when responding to requests, and around reacting to the worst-case scenarios.

A list of things a VPN service can do to make sure that no sensitive information about you, or your activities need to be shared with authorities:

1. Choose the right jurisdiction. If the country the service is incorporated in provides proper safeguards for running a VPN service, they can simply state they have no information to give when receiving a valid request. This is only possible if there is no legal requirement to keep any customer records or log their activities. This should be a basic requirement for VPN service, yet many continue to operate in jurisdictions that don’t fulfil these criteria.

2. Have clear legal guidelines. If the jurisdiction choice is prudent, VPN services can simply ignore requests coming from outside of the country they operate in, and might only reply to queries coming in the right format through the right channels. If interested parties want to receive any information, they can only do so if they have done the legwork, which might require jumping through legal hoops. Even if that happens, when the provider addresses other points in this list properly, they will have no information to provide.

3. Know as little about you as possible. If your provider has nothing to give, they are not liable to hand it over. With proper jurisdiction and internal policies when building the service, there is no need to keep personally identifiable information about you. This includes not collecting your email address or your name, or “limited connection data to improve the service”. Zero information about users should be the goal. Payment information can also tie you to your VPN subscriptions, so it’s prudent to offer options where no information is shared with third parties (like anonymity-friendly cryptocurrency, or cash).

4. Have a protective privacy policy. A concise and clear privacy policy is not just a promise to users, but a signal to authorities. It shows that it’s within the rights of the VPN service to not keep records on their customers and not log their activities, clearly communicating boundaries. Even if one comes equipped with email addresses, IP addresses or timestamps, the service can be up front on why they cannot assist with investigations.

5. Be transparent about requests. Similarly to the privacy policy, this is as much of a signal towards authorities as to customers. Publishing the number of requests alongside the number of cases where data was shared (which should be zero), a transparency report shows that their jurisdiction choice and policies are prudent.

If the provider makes the right choices on the above points, there is a very good chance they can safeguard you from data requests about your subscription information and VPN use.

However, things can go wrong, and circumstances can change. Even if a provider has done everything right for a decade or more, there are unknowns and new threats they cannot influence.

Laws might change, jurisdictions can join surveillance cooperations, and covert operations can target individuals responsible for keeping your data private. For these eventualities, providers can establish a clear plan so they do not face the “go to jail for $5” dilemma.

Here are some measures for the proverbial stuff hitting the fan scenarios:

1. Move jurisdictions as soon as possible. Starting companies and drafting up new legal guidelines is not a five-minute exercise, however if faced with a choice of complying with fresh logging requirements, it is a required option that must be exercised to protect users.

2. Have a warrant canary and trigger it. If the first option is not workable for any reason, your provider can trigger its warrant canary to alert users to an event that cannot be publicised and could jeopardise their privacy. Such an event would likely severely affect the reputation of the service, thus providers who prioritise profits over principles will not be ready to do this.

3. Shut down their operations. VPN services run by activists would rather do this than to hand over customer data to authorities. At IVPN, we are conscious of the fact that we have one life and a reputation to uphold, and rather do something else than to violate our principles. We deliberately phrased this paragraph to reiterate our earlier promise to this action, if required.

Yes, your VPN provider won’t go to jail for you, and that includes IVPN staff. Yet operators of well-run services don’t need to face such risks if they prepare their legal protections and policies right.

By evaluating providers against the points above, you can separate those willing to go lengths to safeguard your privacy from those that care more about those five bucks.

Featured posts

Related posts

Industry Insights

Who owns your VPN? You should find out

Posted on March 3, 2021 by Viktor Vecsei

Trust is, or should be, the number one factor in picking a VPN service. This is a point we have mentioned in previous posts in this series, but it’s worth expanding on and taking a closer look at the why.

Industry Insights

Misleading promises of the world's fastest, anonymous, military-grade VPNs

Posted on December 4, 2020 by Viktor Vecsei

Trust is hard to build and telling the truth is a valuable habit to support this process. Trust is also easy to lose and telling lies (even white ones) is a fast way to diminish it.