Is CISPA a threat to VPN users?

So the Cyber Intelligence Sharing and Protection Act is firmly back on the agenda, with the infamous bill likely to be voted on in the next 24 hours. If CISPA is eventually enacted, it will likely see more US citizens turning to virtual private networks (VPNs) to help anonymise their internet activity. But will CISPA impact VPN companies, and if your VPN is US-based, should you be worried?

In case you haven’t been keeping up, CISPA is a bill designed to facilitate the sharing of information between private companies and US government agencies. Although ostensibly designed to combat “cyber-threats”, the bill is so broadly written that it could be interpreted as applying to copyright infringers, or anyone else a company believes is trying to do it harm. The bill’s vagueness has seen a number of high-profile backers withdraw support, including Facebook, but the list of companies that continue to support CISPA remains pretty long.

VPNs off the hook?

So will CISPA make it more difficult for VPNs to keep customer information private? In short, no: CISPA should not affect VPN companies that have a commitment to privacy. CISPA, in its current state, does not force companies to hand over information without a warrant. It also has nothing to say on data retention, so ISPs are still not compelled to record logs on the websites you’ve visited and people you’ve emailed.

Of course, not all VPNs are privacy-orientated. Some clearly state this, while others don’t make their intentions clear at all. The only effect CISPA will have is that VPNs without a privacy commitment will find it much easier to share any information with the government. As TechDirt points out, there are VPNs who show little regard for privacy (and little understanding of the law). These companies could be more inclined to report activity such as file-sharing to the authorities if CISPA diminishes the ability to punish companies sharing info without consent.

Safer territory

Even without CISPA, many argue you should never use a VPN based in the US anyway. There is some good reasoning behind this. The NSA’s warrantless wiretapping, and other incidents, showed how easily US surveillance laws could be subverted. But on paper, the US still doesn’t have any data retention directives and requires judicial oversight for law enforcement to get data from a company that doesn’t want to provide it (compare this to the UK’s RIPA legislation, for example). However, a US data retention law may be around the corner.

As we’ve mentioned before, choosing a VPN based on a given country’s current legislation is a difficult process. For instance, places like Russia and Panama may appear tempting (given the amount of online criminality coming from these countries), but these countries also have problems with corruption, and law enforcement agencies are not as accountable as in more developed areas of the world. Germany has an excellent track record on protecting citizens, but it’s draconian when it comes to pursuing copyright infringers. And remember, surveillance legislation is currently undergoing massive changes in governments across the world.

So when choosing a VPN the best thing to do is read its terms and conditions closely. Does it log your data? What are the surveillance policies in its host country? Is it willing to relocate if legislation changes in its jurisdiction? If in doubt contact the VPN and ask the questions. If you don’t get answers, don’t sign up.

