VPN provider jurisdiction vs VPN server jurisdiction
A question that gets bounced around regularly is whether VPN providers based in the US are more or less secure than providers based elsewhere. What is most likely true is that, regardless of where the VPN company itself is located, we should be looking at the location of its servers and at the policies on aspects such as logging and copyright violations on a per-server basis.
So much emphasis is placed upon the location of the company. Are they a US-based provider or aren’t they? It’s a dilemma that is never agreed upon, with two camps of thought. One holds that US VPN providers are somehow superior to non-US ones, which is argued mainly on the grounds that the US has no data retention laws. The other camp suggests that, regardless of any requirement to log, government agencies from the United States and elsewhere have shown time and time again that they are well prepared to violate each and every law in the interest of “National Security”.
So I ask myself, does the US have no data retention requirements because its agencies can hop in and out of whatever US-based system they see fit? It has been proven that large corporations have been instructed to install back doors or weakened security so that agencies such as the NSA can gain access through the easiest of avenues. No matter how much security or encryption we as individuals put in place, the weakest link in the chain is always going to be the one exploited by the powers that be. This can be as simple as access via your operating system; the ability to access your desktop discreetly removes any further protection that we enable ourselves.
So there are no data retention requirements in the US, but what if the hosting providers in the US are required to allow blanket access to everything stored on them, without being able to talk about it publicly? Doesn’t it seem odd that the most covert and suspicion-laden country is one of the few that has no mandatory data retention? Why make it mandatory when you can take a peek into anything whenever you see fit?
The argument continues that EU VPN providers are somehow required to retain data, although the requirement comes from a very loosely written document that has been taken out of context on many occasions. It is clear that ISPs are bound to keep certain data logs, but how this pertains to VPN providers and hosting facilities is not as clear.
Regardless of your thoughts on the merits of the VPN provider’s location, the emphasis should be on the location of the VPN server. You may be signed up to a VPN provider based in the middle of nowhere, with no data retention, copyright or other laws that most western countries adhere to. But if you’re connecting to a server located, for example, in the same country as yourself, would you be foolish enough to believe that, just because the jurisdiction of the parent company is “Outer Mongolia”, your own government would think twice about snooping on the server that you’re actually connecting through, or even about requesting a look at a server in another country should that country have similar laws?
LiquidVPN themselves recently dropped servers in Russia for a very similar reason: they were concerned about what type of data could be intercepted, and at such a low level. Being a US-based company wouldn’t stop the Russian government from snooping on what was coming in and out of the server, and even tying it to the user should they be a citizen of Russia violating local laws.
One classic example of how things can go wrong was EarthVPN: although they specify that they keep no logs, it was possible for the Dutch authorities to catch a criminal on their own soil by going straight to the hosting companies, thus bypassing any claim, term or condition from the actual VPN provider. So when a provider claims they keep no logs, the truth behind it may not be all that it seems. Whether the provider is US based, EU based or based anywhere else, the logging policy of the company, no matter how well meaning, may not always be worth the paper it is written on.
Over the past year or two many providers have popped up out of the blue, and while they aim to offer the same service, it appears that there is a disparity between what is logged, claimed to be logged and actually logged. Moving forward, it would seem the best solution is for providers to be as honest and clear as possible about what types of logging or protection they can offer the consumer.
A small minority of users berate providers who clearly state their logging policy yet champion those who claim no logs. As has been suggested in this article, it is not always enough for a provider to just log nothing, as there are many other factors, organisations and bodies who can possibly access your data in a variety of ways, even without the authorisation of the VPN provider themselves.
So as providers of VPN services we expect research to be given to a) the countries that you open nodes in and b) the possible logging policies or back doors of the hosting partners that would allow unscrupulous governments, and even scrupulous ones, to sniff around your most private data when they see fit. It appears that the buck stops with the hosting provider, and any possible intervention by them should be made clear for users to understand before signing up. As an alternative, there should be a guarantee that the VPN provider themselves has done the due diligence to ensure that they are not putting our data at risk of access.
While the argument over US and non-US providers will undoubtedly rage on, the smart ones amongst us will be considering the countries that we connect to and the hosting providers who house the servers which the VPN companies make use of, or else looking for assurances from the VPN companies themselves that they have fully researched the locations of their servers.