It doesn’t matter how many eyes you have

If you read a lot of VPN reviews you may have noticed that when a VPN provider is located in a “Five Eyes” country (US, Canada, United Kingdom, Australia and New Zealand) it’s usually considered a “con”. This is parroted by people online as if it’s the word of god.

First of all, let’s define what “Five Eyes” actually means. From Wikipedia:

The Five Eyes, often abbreviated as FVEY, is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These countries, with a similar common law legal inheritance, are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

Basically all this means is that “Five Eyes” countries have a really good relationship with each other and share intelligence among themselves. It also lets them circumvent their own laws by allowing their “friends” to spy on their citizens on their behalf, and vice versa. Great — but how does that affect VPN providers based in those countries?

Well, it doesn’t. Here is something to think about:

  1. There are no mandatory data retention directives that apply to VPNs in any of the “Five Eyes” countries. If you don’t store any data, you cannot be compelled to hand over what you don’t have. The common misconception comes from the data retention laws that do exist, which apply to Internet Service Providers. A VPN is not an ISP, so the law does not apply.
  2. All of the above-mentioned countries have mature legal systems where the government can’t just show up at your office and seize everything based on the will of some “higher up”. There has to be due process, public courts, and the government has to follow the law.
  3. I would argue that countries that are NOT part of the “Five Eyes” are much more likely to be targeted by the “Five Eyes” states, since that’s a major historical point of their alliance in the first place. The alliance was created and strengthened to fight the Soviet Union and get an edge during the Cold War.
  4. PureVPN, based in Hong Kong (not a “Five Eyes” country), cooperated with the FBI to unmask one of their customers. Did they have to do it? No. Did they do it anyway? Yes.
  5. Opening an offshore company costs as little as $1000. If it made any difference, every VPN would pay this price and claim to be in a “good jurisdiction”. Offshore companies protect the owners and reduce/eliminate taxes; they have zero impact on user privacy.

How much faith are you willing to put into an offshore-based VPN service, operated by seemingly anonymous individuals? With no personal responsibility, there is no accountability.

Russia, China and Saudi Arabia are not “Five Eyes” countries. Would you be okay with using a VPN provider based there? Probably not.

In a last-ditch effort, many try to give examples of VPN servers being seized, and no useful logs being extracted from the server. That’s great, but what most people don’t realize is that while setting up a VPN server, you really have to go out of your way to keep logs, and the server itself will have nothing of value on it by default.

Most VPN services use a central RADIUS server for authentication and keeping session states, which are required for the VPN to work and to enforce the parallel connection limits which pretty much all providers have (with a few exceptions, Windscribe being one of them). So to check how many parallel connections a user has, you simply look in this table and check how many records exist for a single username, with no session termination timestamp. After the user’s session is terminated, the record stays in the database. Unless the provider physically removes the record via a cleanup script, it will stay there forever. Can you prove the existence of this script, or that it actually runs? No.
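The session-table bookkeeping described above, as an added example that is not from the original post or from any provider's code base. The `sessions` table, its column names and the sample rows are constructed for illustration; the code shows the parallel-connection check, what stays in the table after sessions end, and the cleanup step.

```python
import sqlite3

# Hypothetical schema, constructed for this example.
SCHEMA = """
CREATE TABLE sessions (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    client_ip TEXT NOT NULL,
    node      TEXT NOT NULL,
    start_ts  INTEGER NOT NULL,
    stop_ts   INTEGER           -- NULL while the session is still open
)"""

# Constructed sample rows: (username, client_ip, node, start_ts, stop_ts)
SAMPLE = [
    ("alice", "198.51.100.7", "node-nl-1", 1000, 1600),
    ("alice", "198.51.100.7", "node-us-2", 2000, None),
    ("alice", "203.0.113.9",  "node-de-1", 2100, None),
    ("bob",   "192.0.2.44",   "node-nl-1", 1500, 1900),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO sessions (username, client_ip, node, start_ts, stop_ts) "
        "VALUES (?, ?, ?, ?, ?)", SAMPLE)
    return db

def active_sessions(db, username):
    """Parallel-connection check: rows for this user with no stop timestamp."""
    return db.execute(
        "SELECT COUNT(*) FROM sessions WHERE username = ? AND stop_ts IS NULL",
        (username,)).fetchone()[0]

def retained_history(db, username):
    """Ended sessions still in the table: in effect, a connection log."""
    return db.execute(
        "SELECT client_ip, node, start_ts, stop_ts FROM sessions "
        "WHERE username = ? AND stop_ts IS NOT NULL ORDER BY start_ts",
        (username,)).fetchall()

def purge_closed(db):
    """The cleanup script's job: delete every row whose session has ended."""
    deleted = db.execute("DELETE FROM sessions WHERE stop_ts IS NOT NULL").rowcount
    db.commit()
    return deleted

if __name__ == "__main__":
    db = open_db()
    print(active_sessions(db, "alice"), retained_history(db, "alice"))
    print(purge_closed(db), retained_history(db, "alice"))
```

The concurrency check only ever needs the open rows, so deleting ended rows does not affect limit enforcement.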

The user database, connection logs and session logs are almost always stored on a central remote server, where the VPN service’s website and API usually reside, not on the VPN node itself, which is just a dumb conduit that’s forwarding packets. There have been no cases where a VPN service’s core infrastructure was seized.

Not you.

Finally, you also have to think about this objectively. If you’re a target of the NSA/GCHQ, it doesn’t matter where your VPN is based, who runs it, and what logs are kept or not kept. If they want you badly enough, they will be able to find you, in 99.999% of cases. You’re not Mr. Robot just because you use an offshore-based VPN service that claims to keep no logs.