How can I trust a VPN provider that is hosted in a 5 Eyes nation?

How can I trust a VPN provider that is hosted in a 5 Eyes nation (USA), given the abuses carried out by malicious entities such as the NSA? As someone from the UK (which is also a 5 Eyes nation), I feel that I cannot trust this service. This stands out as a red flag for me. It’s the main reason I have avoided PIA for anything related to privacy.

I realise PIA claims to have a no-logs policy, and states that it has been proven not to hand over logs to anyone in legal cases (as they state they don’t store any), but how can anyone trust this?

Surely it is better for privacy to use a service that isn’t hosted in any of the 14 Eyes nations? Please inform me why I may be wrong here.

People recommend PIA to me, but I cannot seem to find any trust in the service, for the fact that it is operated from the USA.

Yes, Private Internet Access is located in the USA which is a 5 Eyes country. But we’re not concerned about it…

But what is a 5 Eyes country?

A 5 Eyes country is a country that initially signed the UKUSA Agreement, which was an agreement to collect, analyse and share intelligence between the signing countries. This means that whilst a country may not be able to collect information legally on its own citizens, it can ask another member to conduct the surveillance on its behalf.

Initially there were 5 signing members (5 Eyes) which later expanded to include a further 4 members (9 Eyes) and more recently, members of the SIGINT Seniors Europe (SSEUR) were added (14 Eyes).

5 Eyes (UKUSA)     9 Eyes         14 Eyes (SSEUR)
United Kingdom     Denmark        Germany
United States      France         Belgium
Australia          Netherlands    Italy
Canada             Norway         Spain
New Zealand                       Sweden

Should I be concerned?

Online privacy sites such as privacytools.io recommend staying away from VPN Providers located within the 14 Eyes countries as it could potentially mean that Security Agencies could demand access to customer data. Furthermore, they could gag the VPN provider to ensure secrecy and prevent transparency.

This is why at PIA, we have designed our operations to prevent this from happening in the first place. There are no logs. There is no identifying information that can be collected, regardless of the amount of force applied. There are several companies who claim they don’t log, but do anyway at the end of the day. In contrast, we have public court records to prove we don’t log anything, available for anyone to read (pages 11-12):

“All of the responses from 1&1, Facebook, Twitter, and Tracfone have been traced back by IP address to … privateinternetaccess.com. […] A subpoena was sent […] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States. However, [PIA] did provide that they accept payment for their services with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through paypal, bitpay, bitcoin, cashyou, ripple, ok pay, and pay garden.”

With the added security of end-to-end encryption and with nothing logged that can identify our users, with public court records to show for it, the question remains what to do if PIA is coerced into something – or rather, if authorities try to coerce PIA into something, such as was the case with Yahoo recently, when the NSA had forced it into spying on its own users.

There is a precedent for this, and it is Lavabit choosing to shut down operations instead of selling out its users (specifically, selling out Edward Snowden). That’s also exactly what Private Internet Access has already done once, when Russia demanded that we start logging our users’ identities, after seizing PIA servers.

Our response was to immediately shut down operations in Russia:

The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year […] Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.

And this, in summary, is why Private Internet Access isn’t concerned about being located in a Fourteen Eyes Country.

From our article - https://www.privateinternetaccess.com/helpdesk/kb/articles/is-private-internet-access-located-in-a-fourteen-eyes-country

but how can anyone trust this?

By looking at cases like this.

Thank you, I did not know that about the case with the Russian authorities.

In contrast, we have public court records to prove we don’t log anything

That’s a bold claim. How does your testimony that you don’t log “prove we don’t log anything”? Yes, yes, I’m sure the testimony was all given under oath and all that. But the reality is people lie under oath in court all the time. So where’s the “proof”? Did the court retain an independent expert witness to audit your servers and validate your testimony?

Thanks for the link to the Torrent Freak story. However, I’m troubled over this revelation:

“However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden.”

So rather than standing mute and just leaving it at “We don’t have any logs” PIA assisted the FBI in their investigation by noting the financial trail to implicate the accused. I find such assistance disturbing.

As to the case itself I agree that it lends weight to PIA’s advertised claim that they don’t log. But lending weight to a claim is still a far cry from “proof.” What I strongly object to is PIA leaping to an unsubstantiated claim that, “we have public court records to prove we don’t log anything.” I’ve read the court’s ruling and I find no basis in it for PIA to be able to make such a claim. This strikes me as blatant deception and, as such, calls into question whether PIA’s testimony to the FBI and the court wasn’t also deceptive.

Perhaps, however, there are additional court documents not readily available in the public record that PIA has access to? That’s certainly conceivable. Is that the case, PIA? If so, then you have an obligation to produce them or anything else that backs up your claim that “we have public court records to prove we don’t log anything.” What are those court records and where are they?

I’ve read that one before, thanks for linking. But ultimately, I feel like I cannot trust anything relating to privacy which is hosted in the USA. As it is, all of the spaghetti agencies, be that FBI/CIA/NSA, are widely known worldwide not to abide by any legal code and are rogue entities that do not respect any kind of law or legal system in order to gather intelligence through mass surveillance.

I understand the USA apparently has no mandatory data retention law, but with these entities being the criminals they are, couldn’t they simply wiretap PIA servers to get their own logs? (not sure if that is admissible in court/legal cases).

If PIA is operated out of the USA, what jurisdiction do their remote servers come under? Say for instance you were to use a PIA VPN server hosted in Panama, or Hong Kong, do these fall under US jurisdiction, because they are operated by PIA?

Calling me a shill?

I am simply concerned about my own privacy, as the UK is a shithole with its data protection laws / online rights, and I want to know how I can trust an American VPN provider, where the NSA (criminal entity) has jurisdiction to share mass surveillance of individuals with UK-based malicious/criminal entities such as GCHQ, given that both these nations are within the 5 Eyes.

I regularly see that many people suggest avoiding any of the 14 Eyes nations for these very reasons. Even if the individual is doing nothing more than browsing cat videos on YouTube, I still maintain that privacy should involve not letting these scumbags know that you even like cats in the first place.

I’m not necessarily pointing at PIA, but I am generally pointing my finger at any VPN/privacy-related company that operates out of the USA. PIA is obviously one of the most recognized VPN providers in the US, and that’s why I asked this here.

It’s not PIA’s testimony, that is what the FBI wrote in their criminal complaint to the US District Court. It shows the information PIA supplied after the FBI served them a subpoena contained no revealing information. I’d say that is pretty good proof of no logging. Unless you’re suggesting that PIA do log and lied to the FBI?

Even though you’re concern trolling, I’ll bite.

It’s proof because it is extremely high risk to lie to the authorities. It would destroy the company. To think that PIA’s legal team would lie to the FBI is insanity.

Continuing to move the goalposts and placing an ever-increasing burden of proof on a VPN provider who has the most proof out there that they do not log is silly. There are only two VPN providers in the world that have this level of confirmation.

The company is making tremendous strides in transparency. No technology currently exists that we can deploy to prove that no logs are kept. The only thing I can think of is ramdisks and no physical storage device, but that still puts you in a position where you could “log” off-site, or log to memory as long as the server is never powered down. So where does that leave you? Have some independent authority audit your servers? That’s only good for a spot check. Open source with reproducible builds and building a check system against that when you connect to the server? You’ve still got all of the dependencies, and the hardware/firmware. This is a problem we are working on trying to solve, but you have to understand the technical hurdles that are there.

This is the best possible evidence that we can get that no logs are kept: real-world challenges. Setting the bar higher than this is asking for the impossible.

Not only is that not admissible (and illegal), it’s also nearly impossible. And those agencies you’ve mentioned have been following the law. The problem is the law, not the agencies.

I’m not versed enough to answer the legal part of your question.

Simply don’t use it then?

Sounds to me like nothing would convince you otherwise anyway.

PIA being in the US is not a big deal. You need to read about Karpeles before making up your mind:

https://www.reddit.com/r/PrivateInternetAccess/comments/8eejmr/what_the_fuck_is_pia_thinking_hiring_mark/

Personally, I am undecided and stay wary.

Calling potential PIA customers “shills” and “trolls” is part and parcel of the PIA culture. It’s done routinely by PIA fanboys, and you will never, ever see a PIA staff member step in to put an end to it. Legitimate inquiry will be punished.

Worse yet, even some PIA staff members engage in the name calling too. Moreover, they even subject us PIA customers to it as well. I’ve been on the receiving end of it myself. Welcome to PIA world!

I’d say that is pretty good proof of no logging.

Your ignorance is showing, both of the proper use of the English language and of American jurisprudence. It’s “proof” of nothing other than there being a court record that PIA told the FBI they didn’t have any logs to produce. So, yes, there is always the possibility that PIA lied to the FBI and the court. People lie to law enforcement all the time. For you to refuse to even consider that possibility is incredibly naive. But there is another plausible scenario in which PIA is a honeypot, and would therefore be in cahoots with the FBI (no need to go down that rabbit hole at this time though). Now I’m not accusing PIA of lying in their testimony, but I will say they’re being anything but honest about the claims they’re making about it right now. The original statement was, “we have public court records to prove we don’t log anything.” I’m asking PIA (not you or anyone else or their personal opinion about it) to see the “proof.” Where is it?

This is the best possible evidence that we can get that no logs are kept, real-world challenges.

But this is the fundamental problem – tossing about legal terms with no regard for their definitions, terms like “evidence” and “proof” in ways they were never intended. Words have definitions, and legal terms and phrases have very precise meanings. When you redefine them willy nilly you make yourself out to be a liar.

PIA does not have “evidence” or “proof” they don’t log, and no court case has yet shown that. All they have is their testimony that they don’t log, and that is “evidence” of nothing. Yet they claim this court case gives them that when it does not. Furthermore, you couldn’t be more wrong in your claim that, “It’s proof because it is extremely high risk to lie to the authorities.” Try taking that argument into court the next time PIA gets subpoenaed to appear and see how far it gets. “Your honor, we have proof that PIA doesn’t log because in this other case we testified under oath that we don’t log. So there’s our proof we don’t log.” Throughout the courtroom would be heard snickers, but you probably wouldn’t understand why. Everyone else though, and especially the judge, can see the utter absurdity of such circular reasoning. Furthermore, you couldn’t be more wrong about lying in court being “extremely high risk.” I’ve spent years in criminal court proceedings and have witnessed false testimony being given every day. The problem, however, is that it’s often untenable to prove that someone is not only lying but knows and also believes they’re lying. And it is for those reasons that it’s rare that anyone is ever sanctioned for it.

Setting the bar higher than this is asking for the impossible.

I’m not the one raising the bar. I completely agree with you that “No technology currently exists that we can deploy to prove that no logs are kept.” But that’s just the problem. PIA is unwilling to just live with that fact. So in their typical marketing-hype way they twist the findings of a court case and try to make more of it than it is. They’re just not willing to live with the fact that no VPN can “prove” or provide “evidence” that they don’t log, and there is no court finding that has or likely ever will make such a determination. In the end we have to look to other indicators to determine a VPN’s trustworthiness and integrity – and this is exactly where PIA is failing miserably – by citing a court case for marketing-hype purposes and using it in a way that the law itself doesn’t afford.