The phrase in the title is a common trope that comes up when VPN services are discussed. While this statement is technically correct, it can be misleading, as it implies that all providers handle law enforcement requests and prepare for worst-case scenarios in the same way, so their conduct cannot be a differentiating factor when you evaluate them. In this blog post we explain why competent service operators can avoid having to share sensitive information about you without facing severe legal consequences. The reasons laid out will also highlight why you are better off choosing a VPN service run by privacy activists who will put principles before profits in difficult situations.
Let’s start with clarifying the statement in the post title: A VPN provider might face jail time for not complying with valid legal requests for sharing information as per the rules of the jurisdiction they operate in. Since reputable VPN services operate in countries that rely on the rule of law for fighting crime and national security, those responsible for your privacy will have no choice but to comply when facing pressure from law enforcement, so they can avoid prosecution.
We believe these observations apply to most VPN companies; however, in every case the people running them have choices: choices that prepare them for when law enforcement comes knocking, choices in how they conduct themselves when responding to requests, and choices in how they react to the worst-case scenarios.
Here is a list of things a VPN service can do to make sure that no sensitive information about you or your activities needs to be shared with authorities:
Choose the right jurisdiction. If the country the service is incorporated in provides proper safeguards for running a VPN service, the provider can simply state they have no information to give when receiving a valid request. This is only possible if there is no legal requirement to keep any customer records or log their activities. This should be a basic requirement for a VPN service, yet many continue to operate in jurisdictions that don’t fulfil these criteria.
Have clear legal guidelines. If the jurisdiction choice is prudent, VPN services can simply ignore requests coming from outside of the country they operate in, and might only reply to queries arriving in the right format through the right channels. Interested parties can only receive any information if they have done the legwork, which might require jumping through legal hoops. Even if that happens, when the provider addresses the other points in this list properly, they will have no information to provide.
Know as little about you as possible. If your provider has nothing to give, there is nothing to hand over. With a proper jurisdiction and the right internal policies when building the service, there is no need to keep personally identifiable information about you. This includes not collecting your email address or your name, and not collecting “limited connection data to improve the service”. Zero information about users should be the goal. Payment information can also tie you to your VPN subscription, so it’s prudent to offer options where no information is shared with third parties (such as anonymity-friendly cryptocurrency, or cash).
If the provider makes the right choices on the above points, there is a very good chance they can safeguard you from data requests about your subscription information and VPN use.
However, things can go wrong, and circumstances can change. Even if a provider has done everything right for a decade or more, there are unknowns and new threats they cannot influence.
Laws might change, jurisdictions can join surveillance cooperation agreements, and covert operations can target the individuals responsible for keeping your data private. For these eventualities, providers can establish a clear plan so they do not face the “go to jail for $5” dilemma.
Here are some measures for the proverbial stuff-hits-the-fan scenarios:
Move jurisdictions as soon as possible. Starting companies and drafting new legal guidelines is not a five-minute exercise; however, when faced with the choice of complying with fresh logging requirements, relocating is an option that must be exercised to protect users.
Have a warrant canary and trigger it. If the first option is not workable for any reason, your provider can trigger its warrant canary to alert users to an event that cannot be publicised and could jeopardise their privacy. Such an event would likely severely affect the reputation of the service, so providers who prioritise profits over principles will not be ready to do this.
Shut down their operations. VPN services run by activists would rather do this than hand over customer data to authorities. At IVPN, we are conscious of the fact that we have one life and a reputation to uphold, and would rather do something else than violate our principles. We have deliberately phrased this paragraph to reiterate our earlier commitment to this course of action, should it be required.
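A warrant canary only protects users who actually check it, and the check has to treat every deviation (missing, stale, reworded, dated in the future) as a trigger. The following is an added illustration of that client-side check, not IVPN's own code or canary format; the canary text, field names and 30-day freshness window are constructed assumptions, and a real check would first verify the provider's signature on the text.

```python
"""Client-side warrant canary check (added example; format and values are constructed)."""
from datetime import date, timedelta

# Constructed sample canary. Real canaries are signed (e.g. PGP) and usually
# include a freshness proof such as a recent news headline.
SAMPLE_CANARY = """\
Date: 2024-03-01
Statement: As of the date above, we have not received any warrants, gag orders, or requests for user data.
Proof: <recent news headline or block hash would go here>
"""

# The exact wording the canary is expected to carry; any change is a trigger.
EXPECTED_STATEMENT = ("As of the date above, we have not received any warrants, "
                      "gag orders, or requests for user data.")
MAX_AGE_DAYS = 30  # assumed publication cadence; a canary older than this is stale


def parse_canary(text):
    """Parse 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_canary(text, today, expected=EXPECTED_STATEMENT, max_age_days=MAX_AGE_DAYS):
    """Return (ok, reason). The canary is trusted only if it is present, dated
    plausibly, recent, and says exactly what it is expected to say; anything
    else is treated as the canary having been triggered."""
    if not text.strip():
        return False, "canary missing"
    fields = parse_canary(text)
    try:
        issued = date.fromisoformat(fields.get("date", ""))
    except ValueError:
        return False, "date unparseable"
    if issued > today:
        return False, "date in the future"
    if today - issued > timedelta(days=max_age_days):
        return False, "canary stale"
    if fields.get("statement") != expected:
        return False, "statement wording changed"
    return True, "canary intact"
```

A silently lapsed canary (the "stale" case) is the quiet trigger a provider can use when it cannot say anything at all, so the check must fail closed on age, not only on wording.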
Yes, your VPN provider won’t go to jail for you, and that includes IVPN staff. Yet operators of well-run services don’t need to face such risks if they set up their legal protections and policies properly.
By evaluating providers against the points above, you can separate those willing to go to great lengths to safeguard your privacy from those that care more about those five bucks.