For a VPN to reliably protect user data, it must not only use the most secure encryption and protocols but also shield itself with strong legal protections.
When it comes to VPN services, legal jurisdiction plays an outsized role in the privacy protection that a VPN service can provide. The importance of a VPN’s local privacy laws is due to the fact that unlike end-to-end encrypted services (like ProtonMail), all VPN services have the technical capability to intercept all user traffic. You can find more details about this in our article about VPN threat models, but due to the way the Internet works, there is no way around this. As a result, a VPN’s legal jurisdiction plays a critical role in determining the level of privacy protection that it can provide.
When it comes to assessing what is the best country for a VPN service, the most important factors are the following:
- Does the country have mandatory data retention laws?
- Can the VPN provider be legally coerced to intercept or log user data?
- Can the VPN provider be coerced to log user activity in secret?
- Is the country party to any surveillance or intelligence sharing agreements?
- Does the country have strong privacy laws?
- Does the country have advanced IT infrastructure and a large talent pool?
Outside of setting up a rig in international waters, which comes with its own difficulties (see: Sealand), all VPN companies need to be based in a country, and if the VPN company wants to stay in business, it must adhere to the law. Our analysis found that Switzerland offers privacy-focused VPNs significant advantages over nearly any other legal jurisdiction in the world, which is why both ProtonMail and ProtonVPN are based in Switzerland. Each of these factors is analyzed in detail below:
Mandatory data retention
Like most countries in the world, Switzerland has data retention
laws. However, Swiss data retention laws apply mostly to large
telecommunication and major Internet service providers. Under current law,
ProtonVPN is exempt from any data-retention requirement.
This compares favorably with the rest of Europe. European nations have a history of enforcing strict data retention laws that would adversely affect any VPN privacy. The EU passed the Data Retention Directive (DRD) in 2006 which extended to all members of the European Economic Area, including non-EU countries like Norway, Iceland, and Liechtenstein — but NOT Switzerland. While this directive was annulled by the EU Court of Justice in 2014, many of these countries transposed the DRD regulations into national law, laws that remain in force despite the fact that they go against EU jurisprudence. Furthermore, the EU has not given up on blanket data retention, as shown by recent deliberations in the EU Council.
Another notable country that does not have mandatory data
retention is the United States. Many US-based VPN companies cite this fact, but
for reasons discussed later, the US is a poor choice for privacy-focused VPN
Legally-coerced data retention
When we compare Switzerland and the US, key differences appear. The US has dubious practices that can destroy the protections privacy-focused companies offer their users. US government overreach and the lack of due process, as demonstrated in the FBI’s national security letters and the one-sided FISA courts, make it impossible for any US-based VPN service to credibly guarantee their users’ privacy. While data retention is not mandatory in the US, the US government can compel a VPN service to start logging their users’ online activity. Law enforcement does not have this power under Swiss law.
While data retention is generally poor for privacy, what is even worse is data retention without accountability. US national security letters generally come with gag orders, which prevent VPN companies from revealing that they have been forced to start logging their users’ browsing history. European countries have similar laws, such as the UK’s outrageous Investigatory Powers Act (IPA) and Germany’s sealed indictments and gag orders.
Switzerland stands apart in this regard because while secrecy
regulations exist, Swiss law has the caveat that authorities must eventually
disclose any secret order to the subject under surveillance. Once notified, this
individual has the opportunity to file an objection to their surveillance in
Surveillance networks and agreements
Even if a country has good privacy laws, a nation’s participation in intelligence sharing and surveillance agreements can undermine their enforceability. Countries that are part of the 5 Eyes or 14 Eyes intelligence sharing agreements are susceptible to the “lowest common privacy denominator.” In short, this means that law enforcement and intelligence agencies can exploit the most invasive law enforcement legislation passed by any member country. This is what makes the IPA or Australia’s recent Assistance & Access Bill even more concerning. Switzerland is an excellent choice because it is not part of the 14 Eyes.
Strong legal protections
Switzerland has much more robust legal protections in place than
either the US or other European countries. While Switzerland is a party to
different international assistance treaties, any surveillance requests that
come from a foreign intelligence agency would need to pass the scrutiny of
Swiss criminal procedure and data protection laws, a much stricter standard
than any other country offers.
Places where strong legal guarantees for personal privacy are not
credible, like Russia, China, Hong Kong (part of China), and Turkey to name a
few, fail this standard.
Advanced IT infrastructure and talent
While there arguably isn’t much mass surveillance in Afghanistan,
Panama, or certain nations in the Caribbean or Africa, these locations are not suitable
due to the absence of the rule of law and, more importantly, a lack of advanced
IT infrastructure and talent. Securing and operating a VPN service requires a
large amount of technical expertise, which is generally only available in more developed
economies. Of the countries that are known for privacy, Switzerland is among
the most advanced and well-integrated globally.
The above factors are why we feel Switzerland is the best country
for a VPN service. However, even among VPN services that claim to be based in
Switzerland, there are a few extra factors that set us apart.
In 2018, the EU introduced the GDPR, a strict data privacy regulation. Under the GDPR, companies are subject to fines of up to €20 million if they violate any of the core GDPR principles.
Companies today are more and more international, which means a
company’s principal place of business is an essential factor for determining
jurisdiction. Even if a VPN company incorporates itself in Switzerland,
Switzerland may not be where the bulk of its staff and management work,
otherwise known as its “principal place of business.” In such cases, the VPN
company will also fall under the jurisdiction of its principal place of
business. ProtonVPN is a uniquely Swiss VPN company; we are one of the only VPNs
to have Switzerland as our principal place of business. The Swiss jurisdiction
of Proton Technologies AG is not in doubt.
While current regulations offer no guarantees about the future, at
present, Switzerland is without a doubt the best privacy country for a VPN
service when considering all of the relevant factors. For this reason, we are
proud to be headquartered in Geneva, Switzerland, and to provide the full
privacy protections of Swiss law to all of our users globally.
The ProtonVPN Team
*** This is a Security Bloggers Network syndicated blog from ProtonVPN Blog authored by Richie Koch. Read the original post at: https://protonvpn.com/blog/best-vpn-country-comparison/