5 Really Wrong Myths About US-Based VPNs [Digital Privacy] – Privacy News Online
VPNs based in the United States frequently face unwarranted criticism from those who claim that, by nature of being based in the US, they are somehow “less secure” or “less private” than VPNs based in more “privacy-friendly” countries. Many of these claims are asserted with insufficient context and no factual evidence, often relying on broad technical assumptions, false equivalences, and headline-friendly conjecture – spinning up pervasive myths about US-based VPNs.
These myths are recycled by well-known online publications and foreign-based VPN companies, all of whom cite each other, never addressing the lack of accuracy in the others’ arguments. This feedback loop perpetuates a deeply flawed message about VPN companies based in the United States.
As Private Internet Access is one of the oldest and most-used US-based VPNs, we hold a responsibility to provide honest, accurate, and historically contextualized facts that shed light on the realities of the global VPN market. In doing so, we’ll demonstrate that not only are US-based VPNs no worse off than VPNs based in other countries, but in many cases, US-based VPNs are actually more secure and private than their foreign counterparts.
Myth #1: All This Sensationalist Reporting Exists for Good Reason
At a time when US-based VPNs were capturing much of the global VPN market, VPN providers in other countries needed to find a way to discredit their US competitors, many of whom were at the top. As it happened, around this same time, there was a fair amount of focus in the media on US privacy violations happening at the National Security Agency (NSA), which were exposed by Edward Snowden.
Several VPN companies and their affiliate partners seized the opportunity to claim that all the espionage taking place – by the NSA, other US government agencies, and a handful of allied countries – meant that US-based digital privacy providers were aligned with these spying parties, either politically or technologically.
As this happened during a time when the general public became aware of widespread surveillance measures carried out by the NSA, CIA, and the FBI – under the guise of counter-terrorism (which many, including Private Internet Access, found to be invasive) – it was a simple stretch to baselessly assert that US VPNs were in cahoots with the US government.
And so, this myth that US-based VPNs were inherently associated with the government became an easy one to sell, thanks to the sensationalist “reporting”.
It’s worth highlighting that much of the documentation that was initially revealed by Snowden implicated many large US tech companies like Google, Microsoft, Facebook, Yahoo, Apple, and others. It was shown that these companies all complied, to various degrees and by various methods, with lawful requests for user data from the US government. But very importantly, these companies worked in infrastructure and communications; none of them were digital privacy companies, none of them had a sole focus on data obfuscation, and none of them were VPNs.
Once a few publications began covering the supposed dangers of US-based digital privacy companies, more outlets began to rehash the same assertions they read elsewhere. Eventually, that flawed narrative became mainstream. Non-US VPN companies and their online affiliates were happy to perpetuate the fearmongering in order to outperform their American competition.
Nevertheless, with all this surveillance taking place, what did Snowden himself recommend to combat these forces? Encryption and data obfuscation – the very thing that all VPN providers (and especially US-based VPN providers like PIA) are amazing at providing.
Myth #2: The “Eyes” Alliances Are Shadowy Organizations Built to Erode Privacy
If you’ve read about the 5 Eyes, 9 Eyes, and 14 Eyes Alliances, you’ve probably learned about how these countries and their national governments are engaged in a nefarious conspiracy to collectively surveil, monitor, and control the mass communications of the entire globe (or at least the citizens located in those countries). While this dramatic narrative is certainly attention-catching, the reality is much more mundane.
The 5 Eyes (FVEY) was established unofficially in the Atlantic Charter of 1941, during World War II, as a multilateral agreement for cooperation in intelligence gathering between Australia, Canada, New Zealand, the UK, and the US. Intelligence sharing became even more crucial during the Cold War, with the growing need to monitor Soviet Union communications and carry out code-breaking measures.
In present day, the FVEY is primarily concerned with matters of international criminal activity like terrorism, child abuse, human trafficking, and drug trafficking. Given this context, the “Eyes” organizations aren’t concerned with “mundane” issues of digital privacy and online freedom, like monitoring IP addresses or enforcing geo-restrictions. And, importantly, these government operations don’t collude with private VPN companies in order to complete their espionage work.
But, in the well-known game of VPN one-upmanship, the 5, 9, and 14 Eyes became used as a marketing message to disparage VPNs operating in the jurisdiction of member countries. This editorial fearmongering performed well given the juicy nature of espionage storytelling, but few publications cared to explain the realities of these alliances and what their surveillance work actually focused on. Nevertheless, extrapolations based on bad-faith marketing continue to proliferate today.
Furthermore, cooperation with the “Eyes” organizations isn’t just limited to member countries. For example, a government agency in Panama is just as likely to comply with a subpoena request from a US agency, even though Panama is not an “Eyes” country.
Take, for instance, the ProtonMail case where, despite being based in Switzerland (a country with robust privacy laws, often referred to as a “gold standard” for consumer privacy), ProtonMail responded favorably to a warrant initiated by French authorities and logged a user’s IP address after the order was affirmed by Swiss authorities.
Notably, Proton explained that while ProtonMail was legally required to take this action, the same would not be true for ProtonVPN, as email services and VPN services exist under different legal frameworks. The reasoning is this: A VPN’s infrastructure (as long as it’s a “no-usage-logs VPN”) makes this type of data request unfeasible to comply with. Indeed, this is true of no-usage-logs VPNs in Switzerland, and it’s also true for no-usage-logs VPNs in the US… and it’s also true of any no-usage-logs VPN in any jurisdiction with basic privacy protections.
However, the ProtonMail scenario goes to demonstrate that virtually all governments are happy to share data to catch criminals. There are already many international government organizations that cooperate on intelligence sharing, and they exist outside of the 5/9/14 Eyes Alliances.
The bottom line is this: All legally operating VPNs, including those based in the US, comply with all valid, lawful government requests for data. The beautiful thing, however, is that no-usage-logs VPNs (like Private Internet Access) have no data to hand over.
For example, if and when PIA receives subpoenas for data on our users, and after we scrutinize the request and validate it as lawful, we “comply” by handing over all the data we have; but since we don’t keep usage logs, and since all data that passes through our VPN servers is encrypted, we have no data to provide. We operate perfectly within our rights as a US-based company not to record any personally identifying information or keep any kind of usage logs. And it’s because we’re a US-based VPN company that we are allowed to operate like this.
Myth #3: The US Government Makes VPNs Log User Data
Simply put, no, the US government DOES NOT make US-based VPNs log user data. That said, there is also a longer explanation for why this is not true. In the US today, there is no such law that requires VPN providers to log personal user data. Now, the US government may ask for a VPN company to provide data on its customers, in which case, any no-usage-logs VPN will respectfully inform them that no such data exists. For PIA, we neither have records of which IP addresses have accessed our servers nor any usage metric that can be linked to a customer’s personal identity.
But what if the US government wanted PIA to begin logging the activity of particular users, much like what happened in the ProtonMail case? For starters, like ProtonVPN, we’re protected from this sort of inquiry because we lack the infrastructure and capacity to comply with those types of requests. In essence, if the government were interested in getting data on a particular individual, it’s simply easier and more legally viable to get that data elsewhere (like from an ISP, email provider, or other business whose main charter is not data privacy).
These points are true in every single country, whether it is a part of an “Eyes” alliance or not. In fact, the US has some of the strongest protections against government overreach, where many other countries in the world do not. And regarding the countries that stand out by not offering these basic protections, PIA has chosen not to host any infrastructure there.
The only way that the US government would ever decide to target a VPN company for user data would be if a high-profile criminal target had somehow evaded all other possible means of detection and their VPN were the only feasible way to identify this person (notably, NOT by logging data but by logging an IP address). But realistically, this is unlikely to ever happen. Again, there are much easier ways to ascertain someone’s digital identity without going through a costly and risky legal process to coerce a no-usage-logs VPN to invest in and develop the architecture needed to track down a single user’s IP address.
And again, importantly, this could happen in any country in the world; luckily, the fact that consumer protections in the US are set up the way they are makes it nearly impossible for the US government to pursue this route.
Myth #4: The US Government Makes VPNs Forfeit User Data (Sort of True, But Very Misleading)
This myth is closely related to the previous one. When VPNs (of any country) are compelled to hand data over to governments as a result of lawful requests, they must hand over whatever data they have. But very crucially, a US-based no-logs VPN like Private Internet Access doesn’t have any data to hand over, even if compelled to do so. This is the case for all VPNs with a ‘no-logs’ claim.
Indeed, you may have heard of cases of US-based VPNs handing data over to the US government. These cases are all instances of companies willingly choosing to store personal user data, whether or not they claim to do so. These companies are choosing to keep personal user data for various reasons (like to improve their business strategy, get certain usage diagnostics, etc.). Then, when asked to turn over personal user data, they actually do have something to hand over; they cannot use the same response that a no-logs provider like PIA can.
It is incredibly crucial to note that these companies are choosing to engage in these data-collecting practices. They are not being legally forced or coerced into doing so. If these companies were truly not logging personal user data, then they wouldn’t have anything to give the government (as PIA consistently and routinely proves to investigators).
Relatedly, and generally speaking, US companies and the US government are at odds with one another, with the capitalist ideal being that businesses and governments have no direct relationship, allowing businesses to exist in a “free market”. The argument that the US government is conspiring with a private company doesn’t line up with this capitalist ideal. There is not only no “working relationship” between the government and businesses in the US, but oftentimes the relationship between the government and businesses is an adversarial one.
The point is this: The US government can’t coerce a private company to do anything illegal, and a private VPN company whose raison d’etre is consumer privacy (like PIA) is not going to comply with government overreach.
Myth #5: All VPN Providers Are Created Equal
Again, it’s universally true that VPN providers must hand over user data when lawfully compelled to do so, which is why it is incredibly important to choose a VPN provider that cannot feasibly produce any data to turn over. And yes, this does have to do with being located in a privacy-friendly jurisdiction.
Luckily for companies like PIA, in the US, companies are afforded all kinds of privacy-defending rights that help US-based VPNs cater specifically to the privacy needs of global consumers. Aside from a proven track record of being a no-usage-logs VPN, users should also consider a few other things when evaluating VPN providers.
For starters, free VPNs often engage in questionable privacy practices such as selling user data to advertisers in order to justify the cost of operating a VPN service. After all, if you’re not paying for the service, they must be generating revenue to stay in business somehow. With this behavior, free VPNs essentially subject users to the very thing that they’re trying to protect themselves from when using a VPN.
Next, consider the trustworthiness and transparency of a VPN provider. Large, publicly traded companies (like the parent company of Private Internet Access) are subject to disclosure laws and increased scrutiny from shareholders and regulators. It’s also worth considering how much a company stands to lose. Bigger companies whose sole business is in protecting user privacy often have more incentive to protect that privacy and play by the rules. As a general – and importantly, not absolute – rule, a large, reputable company is more invested in doing business in a highly legitimate manner because they have a bigger reputation to protect.
Another important thing to note is whether the company has an ideological commitment to fighting for digital privacy and online freedom. Companies that are loud about their engagement in privacy as an ideal (more than just a business) will be more likely to do everything in their power to defend it. For example, Private Internet Access has been actively involved in the fight for privacy and net neutrality for over a decade. We donate to privacy-forward causes and we’ve publicly called out harmful privacy legislation and the politicians who support it.
Another thing to look for when choosing a VPN provider is a commitment to open-source software – a hallmark of transparency in the digital world. Some VPNs display their commitment to privacy by releasing their software for public analysis. For example, all PIA VPN apps and clients are available as 100% open-source products for users to inspect and scrutinize. In this same vein, most VPN users feel more comfortable trusting VPN providers that undergo regular independent security audits.
Another key metric of a trustworthy VPN is customer satisfaction. In an industry that runs on trust, companies that make every effort to protect user privacy are going to be well reviewed, and the companies that fall short can expect to have their shortcomings reflected in reviews as well. Having millions of satisfied customers and positive things said about them in third-party reviews is a good sign that a VPN provider is doing something right.
But overall, when shopping for a VPN, you should look for the best set of features that suit your needs at a price you deem fair. Some VPNs are tailored to specific use cases – some support more operating systems than others, or offer faster speeds, or include advanced security features like proxies, double-hop servers, and kill switches. Finding a VPN that gives you all the functionality you’re looking for is one of the most important aspects of choosing a VPN.
This all goes to say that you should care about the VPN provider’s jurisdiction, as well as the quality of service and features you’re getting, the company’s reputation, that company’s commitment to user privacy, their overall customer satisfaction, and their level of transparency. These are all legitimate considerations when choosing a VPN provider. But there is zero reason to discredit a US-based VPN on jurisdiction alone.
That’s not to say you should ignore jurisdiction altogether; some countries, like Russia or North Korea, are known for invasive privacy laws. But, for the most part, the jurisdiction that a VPN company is based in (provided it’s a privacy-friendly country) will not have any direct impact on the quality of service you receive.
Fact: The US May Actually Be a Safer Jurisdiction for VPNs
We’ve touched on some common myths in the VPN industry, and we’ve presented certain facts to counter these claims. When looking at the global VPN landscape, there’s no reason to think that a VPN company based in the US is uniquely worse than one based in any other country in the world.
Like we mentioned, the international agreements surrounding intelligence sharing are designed to target high-profile international criminals involved in terrorism, human trafficking, and other organized crime – and they’re not relevant when it comes to maintaining a VPN service.
Moreover, almost every country in the world would willingly participate in intelligence sharing to apprehend criminals of this degree – the “Eyes” alliances may initiate the search, but countries outside the “Eyes” will almost always comply. Again, however, this does not mean that “Eyes” alliance countries are conspiring to track the IP addresses of those using a VPN to, for example, access region-specific content or hide data from an ISP or network admin.
Importantly, not only is the US not a dangerous place to base a VPN company, it actually offers freedoms and protections that are largely unmatched almost anywhere else in the world – and the general stability of the US government means these laws are not likely to change anytime soon. The United States does not, and legally cannot, compel private companies that are structured like Private Internet Access to collect and log information about their users. The US has some of the strongest protections in the world against this type of governmental coercion.
And this is all evident in Private Internet Access’s proven track record in court. When forced to testify in a court of law, we have, time and time again, been completely incapable of producing any personal data about any of our users. And it’s because we’re based in the US that we’re able to operate like this.
It’s time we finally scrutinize and discredit these myths about US-based VPN providers. The claims about US VPNs detailed in this article are mostly rooted in fallacious, ill-reasoned arguments, or straight-up false equivalencies. On paper, some of these espionage conspiracies make for a juicy narrative, and many VPN providers and affiliates have piggybacked on it to disparage the competition… but in reality, none of it is truthful.
As has always been the case, and always will be for the foreseeable future, the United States is the land of the free – the US Constitution provides individuals and corporations with maximum legal footing to stand up against government forces, surveillance, and intrusions of privacy. And these freedoms are something all US citizens take very seriously.
For these reasons, Private Internet Access benefits significantly from being based in the United States, where we are best positioned to continue championing our users’ right to digital privacy and online freedom.