title: Jurisdiction Jiggery
For as long as there's been a consumer VPN industry - since 2006, basically - VPN companies have jostled over who can claim the coolest jurisdiction. The first example was Relakks setting up in Sweden and citing the good laws there as a reason to use them (which is ironic, since those laws have gone bad in the meantime, yet several VPN companies still tout Sweden as "all that" for privacy... wtf?). Since then, it's become the wild west out there: quite a few VPN companies have basically nothing going for them except a claim to be in some "safe" jurisdiction. Just look for the ones that have the name of a country as part of their brand name... they're not hard to find.
In the early days, having a good choice of where to be "based" was pretty groundbreaking. We set up shop with our machines in Holland in 2007, and that put us in good stead when it came to protecting customers in more repressive countries (which means anything from Saudi Arabia to the USA, basically) - that was revolutionary at the time. The early hordes of me-too copycats piling into the new VPN business, in those days, were often just renting cheap servers in the USA and calling themselves "privacy companies." Pretty laughable, in terms of privacy - those kids rolled in a hot minute the first time some dork with a badge showed up at their parents' front door and asked them to turn over records. Look up Hide My Ass and vtunnel.com for examples. Pathetic.
But then, it became a free-for-all: there were VPN companies claiming to be "based" in just about every country on the planet. And that's when the bullshit started. Because there are two separate things going on here (as real pros understood all along). There's the jurisdiction where your company is incorporated - which can basically be anywhere in the world - and there's the physical location of your stuff and your people. What happened is that me-too kids started launching VPN companies claiming to be "based in" some exotic locale... except the only thing based there was their mail-order company paperwork. Not any servers, and not any employees - they usually just leased cheap VPS capacity in, you guessed it, the USA (the USA has super-cheap hosting/colo prices, which is why so many cheapo VPN companies end up with all their servers there). The jurisdiction of their company (or what they claimed it was - nobody checked company paperwork then, and nobody does now) didn't make the slightest difference if the cops came calling - what mattered was who lived where, and whether the servers were easy to grab. Because, yep, a lot of these kids didn't know how to run real full disk encryption on their servers, so if they got raided, it was open sesame.
Since then, there's been so much bullshit thrown into the jurisdiction thing that I call it "jurisdiction jiggery." Every newly-birthed copycat VPN company makes more outlandish claims about its jurisdiction... and unfortunately lots of customers take it all at face value. They're based in Switzerland? Wow, they must be super safe!!! Well, yeah, but if their servers are in Chicago and their two employees share a cheap apartment in Miami, that doesn't do much to keep things safe. In the meantime, nobody really talks about where the employees live or where the servers are (the real servers - command and control - not just disposable exit nodes). It's all jiggery: smoke and mirrors.
And things have changed a lot since 2006, in terms of the politics and visibility of VPN companies. Back then, there wasn't any "VPN industry" - just a few pathbreaking companies like Cryptocloud, setting the ground rules as we went. Now, it's an industry - and law enforcement has it in its sights. Things are way different.
So nowadays, let's put a little bit of honesty back into the jurisdiction hype. Here's the deal: where you incorporate your company doesn't make any difference to how safe your customers are going to be. It just doesn't. Pick a cool tax haven for other reasons, but don't pretend it means that Vanuatu's laws magically apply to your company - with its servers in Chicago, or Toronto, or Stockholm. They don't. That's a charade.
Where your servers are shouldn't matter - since you're running real disk encryption on ALL your machines, always (and, to be clear, that only buys you something if the box is powered off or the keys are gone by the time someone grabs it - a running server with its volumes unlocked is an open book). But for newbies who can't run servers properly (or who just run cheap VPS "servers" instead of dedicated hardware... a terrible idea on many levels), then yeah, if your VPS is on a machine in Dallas the FBI is just going to show up at the colo and demand access to it from the friendly hosting company employees there - they won't even bother calling you in your "secure" safe haven, wherever that is. And your customers are fucked. That's what happens when amateurs play at VPN service.
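"ALL your machines, always" is something you can actually verify instead of taking on faith. Here's an added example - mine, not code from the original post or from Cryptocloud - that walks the JSON `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and lists every mounted filesystem (swap included) that isn't sitting on top of a dm-crypt device. The field names follow lsblk's JSON output as I know it (older versions print `mountpoint`, newer ones `mountpoints`); the two device trees below are constructed samples, not captures from any real server.

```python
import json
import sys

# Mount points that are commonly left in plaintext on purpose. /boot holds the
# kernel and initramfs the box needs before the LUKS volume can be unlocked.
# Anything else outside a crypt device is a finding - including "[SWAP]",
# because plaintext swap is where your "encrypted" memory ends up on disk.
DEFAULT_ALLOW = frozenset({"/boot", "/boot/efi"})


def _walk(node, under_crypt, findings, allow):
    """Depth-first walk of one lsblk node. under_crypt becomes True at the first
    node of type "crypt" on the path, so everything stacked on it (LVM, partitions
    inside the mapping, the filesystem itself) counts as encrypted."""
    here_crypt = under_crypt or node.get("type") == "crypt"
    # Older lsblk: "mountpoint": "/x" (or null). Newer lsblk: "mountpoints": ["/x"].
    single = node.get("mountpoint")
    mountpoints = node.get("mountpoints") or ([single] if single else [])
    for mp in mountpoints:
        if mp is not None and not here_crypt and mp not in allow:
            findings.append((mp, node.get("name"), node.get("fstype")))
    for child in node.get("children", []):
        _walk(child, here_crypt, findings, allow)


def unencrypted_mounts(lsblk_json, allow=DEFAULT_ALLOW):
    """Return [(mountpoint, device, fstype), ...] for every mounted filesystem
    that is not backed by a dm-crypt device. An empty list means the box passes."""
    findings = []
    for dev in lsblk_json.get("blockdevices", []):
        _walk(dev, False, findings, allow)
    return findings


# Constructed sample: a box set up properly - LUKS on sda2, LVM inside it,
# root and swap both on the encrypted volume, only /boot in plaintext.
GOOD_BOX = {"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg0-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
            ]},
        ]},
    ]},
]}

# Constructed sample: the cheap-VPS pattern - root filesystem straight on the
# virtual disk, plaintext swap next to it. Whoever images the disk gets everything.
BAD_BOX = {"blockdevices": [
    {"name": "vda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "vda1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vda2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
    ]},
]}


if __name__ == "__main__":
    # Usage on a live box:  lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 fde_audit.py
    # Exit status 1 if anything is in plaintext, so it can run from a fleet-wide cron/audit job.
    tree = json.load(sys.stdin) if not sys.stdin.isatty() else BAD_BOX
    bad = unencrypted_mounts(tree)
    for mp, dev, fstype in bad:
        print(f"PLAINTEXT: {mp} on {dev} ({fstype})")
    sys.exit(1 if bad else 0)
```

The point of running this fleet-wide rather than on "the important box" is the one the post makes: an attacker with a badge doesn't care which machine you consider disposable, and one plaintext exit node with logs or keys on it is enough. Swapping `DEFAULT_ALLOW` for an empty set makes even /boot a finding, which is the right posture if you are verifying the initramfs some other way.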
If you are smart enough to run FDE on your machines, then the hired guns of the state (whatever state decides to go after your customers, which usually means the USA, let's be frank) will go for the next weak spot: the people. That's right, they just show up with guns and threaten to make bad things happen. Or they do make bad things happen: put people in jail (even if it's only temporary), break stuff, seize computers... all the usual thuggery. And that doesn't stop magically at international borders - anyone who thinks it does is living in fantasyland. Kim Dotcom got pinched in New Zealand, at the beck and call of the FBI. And if they can jam him up - with all his tens of millions of dollars for lawyers and security - then some youngster playing at VPN mogul in a nice, friendly European country is only a plane flight away from FBI custody.
The real question is this: if goons with guns and badges show up at the homes of the executives or sysadmins of a VPN company, what will they do? Will they piss their pants and hand the keys to whoever looks most cop-like of the bunch? Will they last a day in a jail cell before breaking down and begging for mercy? Or will they tell the goons to go fuck themselves, clam up, lawyer up and - if needed - scupper servers and network components to make sure nobody who shouldn't have them gets hold of them? If you've never had a gun pointed at you, it can be scary the first time - and if it's a cop caressing the trigger, things get serious. But the pros can handle this shit - they've seen it before, and know how to stay tight. That's who you want.
The jurisdictional jiggery in the VPN world is basically smoke and mirrors. Serious, professional, hardcore teams know how to insulate themselves effectively from extra-legal police pressure. They have lawyers on speed-dial, they aren't scared of a jail cell, and they never - ever - ever - break down and betray their customers. Ever. That's not a jurisdiction issue: it's a competence issue. You want competent teams, experienced teams... basically, hard-assed teams. Anything short of that is just hot air.
Sound unfair? Well, life's unfair. Look at it this way: do you think someone who has gone to prison rather than go down on their knees for a Fed reaming is more likely to stand tall when the pressure gets high... or some kid who has never seen the business end of a cop's gun pointed in his face? Yeah, me too - you know who you'd trust if your life depended on it. Trust the badass dude, the one who tells cops to fuck off. Those dudes might not be the kind of guys you'd bring home to mommy for Thanksgiving, but we're the kind of guys who know how to keep your data secure. And that's what VPN service is supposed to do... right?
Don't fall for the hype. Use your good judgment, and common sense. There's no magical protection because someone is in their super secret hideout or whatever - lol. This isn't the fucking movies, dude. This is real life - and in real life, it's who you are, not where your ass sits, that ends up mattering when the shit hits the fan. Take it from someone who knows, firsthand. Don't fall for jurisdictional jiggery. Demand more than smoke and mirrors. And remember that a mail-order company from an alluring tropical island tax haven doesn't mean your packets are going to stay secure - that's just a bait and switch.