VPNs promise to protect your privacy, but law enforcement and courts the world over have the legal right to ask for your records—provided they can make a case against you. How do VPNs handle these requests, and how much do they end up sharing with the authorities?
VPNs and Data Requests
In most countries where the rule of law applies, the police or other law enforcement agencies need permission from a judge or some other kind of higher authority to know more about you. For example, if they want to search your house, they need some kind of search warrant. If they want to know who you’ve been calling—or even to whom a certain telephone number belongs—they need to produce some kind of warrant to your telecom provider.
VPNs are no different. For example, if somebody committed a crime and masked their location using a VPN, the police can approach the VPN provider with a warrant demanding that person’s details and connection logs (the records of which sites were visited when).
Now, to be clear, if you receive a warrant either as a private person or a company, you need to obey it: it’s not like you can refuse. The best any recipient that doesn’t want to comply can do is argue a warrant in front of a judge, and it’s not often that they’re overturned. However, most VPN users will still count themselves as safe for two reasons. The first is because the service they’re using is promising anonymity. The second has to do with location.
Many VPNs have foreign locales as their headquarters, and they will often advertise this fact, claiming that the strict privacy laws of their official country of residence protect them from warrants. However, this is very much not the case.
Going Across Borders
For example, NordVPN banks hard on it being based in Panama, claiming it’s a great place to settle because there are no “data retention laws,” whatever they may be. In practice, though, NordVPN has in the past and will continue in the future to comply with law enforcement requests.
The same goes for Proton, the company behind ProtonVPN and ProtonMail. It calls Switzerland its home and relies heavily on the Alpine country’s reputation for secrecy in its marketing material. However, as Proton explains on its own blog, Swiss authorities have requested data thousands of times over the years. To give ProtonVPN its due, it does often fight these warrants, but it’s not always successful.
This is because of something few VPNs seem willing to admit, namely that countries talk to each other and are often more than happy to help each other out with simple requests. When the French police wanted to apprehend a climate activist, they asked the Swiss government to issue a warrant for Proton to give out the man’s details. Swiss courts approved the order, and ProtonVPN began logging the IP information on the account. At that point, Proton had no choice.
ExpressVPN, which is headquartered in the British Virgin Islands admits it could be compelled to disclose information on its website, but reassures you that “most investigators would not go through such painstaking effort.” Though this may be true, it’s still cold comfort for anybody hoping their VPN would protect them.
Even if one country resists a warrant issued by another—a big if, especially if we’re talking about countries like the United States which have a lot of diplomatic clout—there’s another way in which your data can be traced, namely through server seizures. In this case, the authorities simply figure out which server is being used by the person they’re looking for and—if it’s in their jurisdiction—they go and get it and the data it contains.
Though it’s not common yet, the past few years have seen some big operations by law enforcement. In 2021, Ukrainian authorities seized servers belonging to Windscribe as part of a larger investigation, while this year saw a massive pan-European raid on server farms all over the continent.
Clearly, governments have a lot of power to go after your data if they want to. So what are VPNs doing to stop this?
VPNs, Anonymity and Logs
VPNs will often try to assuage your worries about warrants and the like by promising a number of things. Most importantly, they claim that you’re anonymous when signing up and using the service, as well as claiming that your connection logs are either destroyed or not even kept at all.
What VPNs Know About You
When it comes to identifying data, it’s difficult to gauge what VPNs do and don’t know about you. However, the idea that you’re some kind of digital ghost most likely isn’t true unless you made sure to take precautions and signed up anonymously—something that not all VPNs allow. The fact is that there’s a good chance your VPN knows a lot about you: things like your name, email address, location, and a host of other data points can be gleaned from you simply visiting the site.
If you sign up to the service, you’re surrendering even more information as almost all VPNs require an email address (a valuable data point) as well as the motherlode of personal information: a credit card. Most payment providers will share a cardholder’s information with the service they’re buying and this will include your full name and address.
Besides knowing who you are, VPNs also have access to what you’ve been doing online through what are called connection logs. These show everything you’ve been up to the web while connected through the VPN, and we do mean everything. It’s not just the sites you’ve visited, but also the files you’ve downloaded and the internet activity of your apps.
How VPNs Protect You
This data is sensitive to you, but also quite valuable to the kind of people that track others’ behavior online. To protect your privacy, VPNs generally have some kind of promise that they don’t collect personal information or connection logs.
These are called no-log VPNs. Despite the name, in most cases, we suspect that your logs are destroyed as soon as they’re created. That would allow normal internet connectivity while also protecting users.
Note that we’re not sure how this works: while VPNs claim that they keep no logs—with a few fly-by-night companies even claiming they create none in the first place, a tall tale indeed—there’s no good way to actually check this claim. While a growing number of VPNs are undergoing third-party audits to back up their claims, there are plenty of ways to make things seem better than they are.
The bottom line is that we don’t know exactly what VPNs know about their users. They could know an awful lot about you if they wanted to, from what you do on the internet to who you are. This is balanced out by their claims to destroy all, or at least most, of your data. In the end, though, their claims of anonymity are based on trust: without a good way to check, all you can do is take their claims on faith.