Are Some Countries Better Than Others for VPN Providers?
For example, ExpressVPN extols the virtues of being based in the British Virgin Islands (BVI), NordVPN lauds its location in Panama, and ProtonVPN banks hard on being Swiss—to name just three. Thing is, though, does it really matter where a VPN is based?
The short answer is no, it doesn’t really matter where your VPN is based—or at least not in most cases. Obviously, using a VPN based in a repressive country like Russia, China, or anywhere else that doesn’t care too much for the human right to privacy would be a terrible idea. If the government in a place like that decides it wants something from a company, like your personal details, they’ll get it, by hook or by crook. (Unfortunately, India may be joining these ranks soon with its new VPN law.)
However, if you look at the “free” world, it doesn’t really matter all that much where your VPN provider calls home. At least not enough to sway your purchasing decision one way or the other. That may seem a little strange: after all, countries like Panama, Switzerland, or dependencies like the British Virgin Islands have a reputation for secrecy. It stands to reason that the laws that protect billionaires’ offshore fortunes would also shield VPNs’ customer data.
To a certain extent, they do. If a prosecutor came with a baseless warrant for your data in one of those places, their request would probably get shot down—and fast. Then again, this would be the case in any country. Sure, the U.S.’s National Security Letters are a bit iffy, but you can still fight them to a certain point. It’s not like they turn the United States into another Russia.
The exception seems to be torrenting, which has been the subject of several court cases. This has resulted in a select few U.S.-based VPNs being forced to ban torrenting traffic. VPNs based in other countries don’t need to deal with these issues yet.
Countries Work Together
Still, you could make a pretty solid claim that countries like Switzerland or Panama are a better bet simply because things like National Security Letters don’t exist. However, VPN marketing copy does skip a pretty important detail: countries work together.
As we explain in our article on what VPNs share with law enforcement, these privacy laws can be bent when pressure is applied. For example, if the U.S. government wants information from or about a Panamanian citizen or company, it can just ask the government of Panama to write out a warrant. It’s very common practice and happens all the time. It’s rare for a country to refuse, especially if the country making the request has as much clout as the U.S. has.
As a result, NordVPN, to name just one example, admits it will cooperate with law enforcement requests to log data as long as they’re ordered “by a court in an appropriate way.” Much the same happened in Switzerland, which has a long and storied reputation for secrecy. That didn’t prevent the Swiss government from executing a warrant on behalf of the French police asking for data on a ProtonMail customer, though, and when Proton’s appeal failed, the company had to provide it. (Proton insists that Swiss law provides additional protections for VPNs like ProtonVPN that aren’t available for email services like ProtonMail.)
Sure, Swiss laws are strong and providers have a solid chance to appeal any warrant, but if the appeal fails, the provider in question will still have to cooperate with the authorities.
Why Be Based There?
Of course, this raises the question of why so many companies are based in the BVI, Panama, or the Seychelles. Though we can’t say for sure, the more likely explanation is that they’re great places to stay ahead of the taxman. According to Offshore Protection, a site dedicated to helping people avoid paying tax, the BVI is “one of the most attractive places in the world for establishing an offshore business.”
Much the same goes for Panama, which is where the infamous Panama Papers originated from. These files detailed how the rich and famous have been squirreling money away for years in Panama as well as other countries, like the Seychelles. As for Switzerland, while it does have a good reputation for protecting people’s data, as shown in the Proton case mentioned above, it’s also been a great place to stash gold ever since World War 2.
The idea that these places are chosen for their financial secrecy as much as that of consumers is borne out by looking at where these companies’ employees work. NordVPN, for example, may be incorporated in Panama, but a look at the company’s LinkedIn page shows that most of its employees are located in Vilnius, the capital of Lithuania, and we can assume that they’re working from a company office there.
Much the same goes for ExpressVPN: look at the employee page on its LinkedIn and you see nobody there works in the British Virgin Islands (population 30,000, and with a notoriously corrupt government), but instead in locations as far apart as Singapore, London, and Poland, to name but a few. Again, it’s no stretch to assume that some of these people are working from a physical company office.
What Does Protect You?
Of course, this raises the question of what does protect you if the location of these companies does not. The fact is that if a warrant is served, it’s best if there’s nothing to find, so you need to make sure that your VPN doesn’t keep logs. Though there’s no way to be absolutely sure, a VPN’s reputation and past performance are a good guide here.
If you’re particularly worried, you should also make sure to always sign up to a VPN anonymously so you can’t be found that way, either. Alternatively, you could also not do anything illegal while using a VPN. Whatever way you go, don’t blindly believe everything VPNs tell you about their location.