[Comparison] Top VPN services HQ location x Warrant canary

So I noticed a correlation between some of the top VPN services' headquarters location and whether or not they provide a warrant canary. Regardless of its merits and effectiveness, it's not that hard to provide, and it would be in most providers' interest as it creates perceived value for the service… No?

Anyway, here it is (sorted by name, from A to Z):

| Name | Headquarters | Warrant canary? |
|---|---|---|
| AirVPN | Italy (inside EU) | No |
| BlackVPN | Hong Kong | No |
| bolehvpn | Malaysia | Yes |
| BTGuard | United States | No |
| FrootVPN | Sweden (inside EU) | No |
| Hide.me | Malaysia | No |
| HideIPVPN | United States | No |
| IPVanish | United States | No |
| IVPN | Gibraltar (outside EU) | Yes |
| Lokun | Iceland (outside EU) | Yes |
| Mullvad | Sweden (inside EU) | No |
| NordVPN | Panama | No |
| Perfect Privacy | New Zealand | No |
| Private Internet Access | United States | No |
| PrivateVPN | Sweden (inside EU) | No? |
| Privatoria | Czech Republic (inside EU) | No |
| proxy.sh | Seychelles | Yes |
| PRQ | Sweden (inside EU) | No |
| SlickVPN | Nevis? | Yes |
| Torguard | United States | No |
| TorrentPrivacy | Seychelles | No |
| VikingVPN | United States | Yes |
| vpn.ac | Romania (inside EU) | No |

Interestingly, most of the US-based VPN services, when asked by TorrentFreak whether they provided a warrant canary, claimed that it was useless. As for the EU-based services, they claimed it was unnecessary because they were outside the US.

SLICKVPN
713 E GREENVILLE STREET
SUITE D, 101
ANDERSON, SC 29621 USA

That doesn’t sound like Hong Kong to me.

Nice post! You left us out.

We are US based and have a Warrant Canary.


Can anybody explain what 'warrant canary' means in simple words?

Warrant canaries are pointless. A clear example of this is at the bottom of proxy.sh's warrant canary (https://proxy.sh/canary). It states: "This notice is not 100% bulletproof… a legal onus exists and lies in whether we could be forced to keep publishing such notice no matter if it is proven false – in other words, the question is whether we may be forced to state false information for the benefit of the underlying investigation". So basically, they may be forced to keep issuing a false warrant canary for the sake of the investigation.
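The comment above points at what a canary cannot protect against: a provider compelled to keep publishing a statement that is no longer true. It is worth being precise about what a reader *can* check mechanically, because that is the only part of a canary that gives a signal at all. The following is an added example, not code from this thread, from proxy.sh or from any provider listed above. It assumes a canary of the common shape (an "Issued:" date, an "Expires:" date and a few "we have not received ..." affirmations) and uses a constructed sample statement; verifying the detached PGP signature (e.g. `gpg --verify`) is assumed to happen before these checks and is not implemented here.

```python
"""Minimal warrant-canary watcher (added example, stdlib only).

What it catches: a canary that has expired without renewal, is older than
the allowed window, has an issue date that moved backwards since the last
check, or silently lost one of its affirmations.
What it cannot catch: a canary that is still being published on schedule
but is no longer true, which is the case raised in the thread.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Affirmations a healthy canary is expected to carry (assumed wording).
# A statement that quietly drops one of these is as much a signal as one
# that disappears altogether.
REQUIRED_AFFIRMATIONS = (
    "we have not received any national security letters",
    "we have not received any gag orders",
    "we have not been required to modify our system",
)

# Constructed sample canary; not any real provider's statement.
SAMPLE_CANARY = """\
Warrant Canary
Issued: 2016-03-01
Expires: 2016-04-01

As of the date above, we have not received any National Security Letters,
we have not received any gag orders, and we have not been required to modify
our system to facilitate surveillance.
"""

_DATE_LINE = re.compile(r"^(Issued|Expires):\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)


@dataclass
class CanaryStatus:
    issued: Optional[date]
    expires: Optional[date]
    missing: List[str] = field(default_factory=list)   # dropped affirmations
    problems: List[str] = field(default_factory=list)  # date/freshness issues

    @property
    def healthy(self) -> bool:
        return not self.problems and not self.missing


def parse_dates(text: str):
    """Return (issued, expires) as date objects, or None for each one absent."""
    found = {key: date.fromisoformat(val) for key, val in _DATE_LINE.findall(text)}
    return found.get("Issued"), found.get("Expires")


def check_canary(text: str, today: date, previous_issued: Optional[date] = None,
                 max_age: timedelta = timedelta(days=35)) -> CanaryStatus:
    """Evaluate a canary statement as of `today`.

    `previous_issued` is the issue date recorded at the last check, so that a
    canary whose date goes backwards (an old copy re-served) is flagged.
    """
    issued, expires = parse_dates(text)
    status = CanaryStatus(issued, expires)
    if issued is None or expires is None:
        status.problems.append("missing Issued/Expires date")
        return status
    if issued > today:
        status.problems.append("issued date is in the future")
    if today > expires:
        status.problems.append("canary expired and not renewed")
    if today - issued > max_age:
        status.problems.append("canary older than allowed window")
    if previous_issued is not None and issued < previous_issued:
        status.problems.append("issued date went backwards")
    # Normalise whitespace and case so line breaks inside a sentence do not
    # hide an affirmation from the substring check.
    normalised = " ".join(text.lower().split())
    status.missing = [a for a in REQUIRED_AFFIRMATIONS if a not in normalised]
    return status


if __name__ == "__main__":
    for day in (date(2016, 3, 10), date(2016, 4, 15)):
        s = check_canary(SAMPLE_CANARY, day)
        print(day, "healthy" if s.healthy else s.problems + s.missing)
```

Run against the sample with a date inside the window it reports healthy; with a date past "Expires:" it reports both the expiry and the stale age. Everything it flags is a change in what is published; a provider that is, as the comment puts it, forced to keep publishing a false notice on schedule produces no change and therefore no alert, which is exactly the limit the comment describes.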

Nice work on your list. I’ve made a similar collection a while ago here:

VPN Services answers of the gag order / warrant canary question. Top picks.

We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

Can’t really tell - seems to be Nevis - but you’re right, it’s not HK.

This is exactly my gripe with privacytools.io immediately throwing out ANY US-based solution. You gain some benefits from having data overseas, but you almost guarantee that the NSA is snooping on you then.

US doesn’t automatically mean bad.

Can you comment on the efficacy? Moxie Marlinspike of SecureSystems wrote how he thinks it wouldn't really hold up if tested in court.

I’m not saying he’s 100% correct but I still think Warrant Canaries are a nice to have, but not a must.

https://github.com/WhisperSystems/whispersystems.org/issues/34

Lavabit - Suspension and gag order

and

Surespot has been compromised

Ok, you can’t just post those two links and assume all is settled about US services. Lavabit’s mail wasn’t actually broken into. They were forced to give up the SSL keys to the FBI and therefore would offer access to data in transit. Yes it’s happened, but it doesn’t mean the US is inherently the problem. This could happen in any other country. Tomorrow a foreign intelligence service could force Tutanota, ProtonMail, etc to inject malicious code also. These are all possibilities.

Remember, privacy doesn’t just mean hiding from 3-letter agencies. If that’s all your services are concerned with, then you perhaps should have your site be nsaproof.io instead. There are varying degrees of privacy–VPNs are typically so your ISP doesn’t know exactly what you’re doing, and Tor is used for anonymity. If the jurisdiction of the NSA is your sole criteria for throwing US services out, that’s a very shortsighted approach.

Finally just not listing US/UK services doesn’t eliminate the possibility of a foreign intelligence service cooperating with the NSA. Just because the NSA can’t serve a NSL to a foreign company doesn’t mean they can’t get another government to help them out. Had Snowden knowingly used services from the 14 Eyes, I’d be willing to bet one of those companies could be coerced by the combination of NSA and the host nation to disclose information or set up some sort of honeypot if he continued to use it. The US has powerful allies and tons of resources. Blindly throwing out US/UK services would be like saying that as long as you don’t live in the ghetto, there’s no reason to fear for a burglary.

Furthermore, as others have pointed out, there are rules that the NSA needs to abide by before spying on US citizens, whereas once the data is not coming from a US citizen, they can go all out. The easiest way to filter that is to screen all incoming/outgoing data from the US first, and then try to sift through domestic data. There are disadvantages and advantages to a US system. My recommendation is that you still list the US services but point out the potential issues and let users decide. It's similar to listing services that have encryption, their type of encryption, whether or not cryptocurrencies are accepted, etc. Those are all factors users should be able to evaluate and then make an appropriate decision.

Thanks for your constructive feedback, dlerium.

We collected ideas so far within the mod team and came up with having two VPN categories. The second VPN category could list US-based VPN services as well. We don't have a specific date for the next big update on VPNs, but feel free to participate. Every helping hand is welcome.

Thank you for your help. I know it’s a lot to maintain these lists and sites, so I appreciate your effort.

I believe there is a place for US VPNs even if it isn’t NSA-proof or whatever. I think the consumer should be given information and they should act accordingly to their needs.

I wouldn't actually pay much attention to /u/Youknowimtheman and /u/anon-01. The first is biased because he operates a US-based service, and the second has apparently registered on reddit for the sole purpose of pasting and quoting the "US is safe, outside is not" line.

These are selective arguments, impossible to prove.

I would honestly still keep them out from the list. Or add, but clearly not recommend, which is the same.

My issue is that you’re asking us to prove a negative. All the while ignoring the fact that NSLs are a hotly contested area in the court system (and are fairly unlikely to ever be used again without legal challenge), and that nothing is stopping any of the 3 letter agencies from owning / starting a VPN based anywhere in the world.

The basis of the paranoia about American services fails to meet the test of reasonable in the current legal environment in the US and it fails the test of accepting all other VPN services blindly because they are not 5-eyes based.

Nono, I’m well aware it’s impossible to prove either way.

In the end it’s up to intuition.

From my perspective, it’s considerably safer to assume all US-based services to be compromised and that the bureaucracy involved in overseas services would be an extra obstacle for obtaining the data.

Saying that "yeah, but in the US NSLs are contested, outside they're not" is baseless propaganda and honestly only makes me want to avoid your service, because it reeks of commercially-driven arguments.

I can see from you resorting to Ad Hominem attacks that you’ve made up your mind regardless of facts.

It's not ad hominem, and it's certainly not "facts".

  1. This is a fact: X NSL was contested in US court.
  2. This is not a fact: From (1), all NSLs are contested in US courts.
  3. This is not a fact: NSLs are not contested outside US courts.

I can’t get much more objective than this. So yeah, while I accept the validity of (1), I don’t accept when you try to shove (2) and (3) down my throat, and thankfully nor does /u/BurungHantu.

I also don’t claim the opposite of (2) and (3) as truth. We just don’t know. That said, I repeat:

From my perspective, it’s considerably safer to assume all US-based services to be compromised and that the bureaucracy involved in overseas services would be an extra obstacle for obtaining the data.

This is why I wouldn’t recommend a US-based service.