ExpressVPN is a BVI company: What is the BVI, and is it part of the “14 Eyes” intelligence sharing countries?
The BVI, while sharing the same monarch as Great Britain, is a self-governing group of islands located in the Caribbean. The BVI has its own legislature elected by BVI citizens, an independent judiciary, and a national police force. The code of laws which BVI companies are required to abide by was enacted in the BVI, not the UK.
“14 Eyes,” also known as SIGINT Seniors Europe, refers to a collection of 14 countries whose foreign intelligence agencies are reported to share military and counterterrorism information with one another.
As these intelligence agencies strive to intercept all communications internationally (not only from within their national borders), it is unclear whether there is incremental risk associated with operating a VPN service from within a 14 Eyes country.
Nevertheless, because the BVI is a tiny nation without any foreign intelligence operations, it is most certainly not a party to any 14 Eyes intelligence sharing agreements. Therefore, the BVI is not considered to belong to the 14 Eyes group of countries.
Why should a VPN company’s jurisdiction be important to you?
In choosing a VPN provider, it’s important for privacy-conscious users to consider the following:
- Is this VPN company operating from a jurisdiction without data retention laws?
- What is the legal process by which a government can order the VPN provider to produce information about one or more of its customers?
- Under what circumstances can such an order be made?
In ExpressVPN’s case, there are clear answers:
- There are no data retention laws in the BVI. The BVI is an offshore jurisdiction renowned for privacy protection. This is in contrast to many European countries and Australia, which have laws requiring ISPs to retain metadata related to their users’ internet activity.
- An order for a BVI company to produce evidence and records (pursuant to an investigation) must come from the BVI High Court. Other countries including the United Kingdom and the United States do not have jurisdiction to compel a BVI company to produce records relating to its customers. These governments must petition the BVI High Court to make such an order under BVI jurisdiction.
- The foreign government making the request is required to describe to the BVI High Court (a) the nature of the criminal activity that has taken place, (b) the specific evidence being sought, (c) the relevance of the requested evidence to the case, and (d) grounds for believing that the relevant evidence can be produced from within the BVI. Moreover, there is a requirement for “dual criminality,” meaning that for the request to be upheld, the same crime must be punishable by at least a one-year prison sentence under BVI law, had it taken place in the BVI.
It’s a highly burdensome process to obtain a BVI court order, and most investigators would not go through such painstaking effort. Compare that to the United States, where any judge or law firm can issue a subpoena with very little hard evidence. U.S. companies are generally required to comply. Google (according to its own transparency report) receives nearly 30,000 requests for user information each year in the United States and complies with 79% of them.
What if a foreign government does succeed in compelling the BVI High Court to order ExpressVPN to release your information?
The answer to this question lies within the following: What information does the VPN provider know about me?
ExpressVPN is a premium VPN provider focused on user privacy and anonymity. Our network is built around specifically NOT knowing the internet activities of our users. As privacy is a core part of our service offering, ExpressVPN is in the business of protecting our users’ private internet data.
To provide our users with full transparency, below is the list of what we DO know:
- The information you submit on our order page, including payment information. ExpressVPN could not offer premium VPN services without accepting payments from customers. For the most anonymous form of payment, we recommend bitcoin.
- Which of our apps (and app versions) you have successfully activated. App activation details allow our support team to troubleshoot any app-specific technical issues with individual customers.
- Whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location, and from which country/ISP (but not from which IP address). This minimal information assists us in providing technical support, such as providing country-specific advice on how to best use our service.
- The aggregate sum (in MB) of data transfer through the VPN. Although we do offer unlimited data transfer, if a single user pushes more traffic than thousands of users combined, we may ask the user to explain why.
- (Optional for the user) Anonymous information about whether your VPN connection attempts succeed. This data feeds into our network operations tools to let us identify problems with specific apps, VPN servers, or from specific ISPs. The information we receive is fully anonymized and cannot be tied back to individual ExpressVPN users. This feature is similar to a “send bug reports” option, and users can easily switch it off inside our apps.
Should any of the above concern you? We don’t believe so, because the basic information we retain about VPN usage is not the kind of information that would be useful in an investigation. If the BVI High Court orders us to tell them which ExpressVPN user had accessed “X” website or service on “Y” date/time with “Z” IP address, we cannot match any of those data points (separately or in combination) to an individual.
Why does ExpressVPN retain any usage data at all?
ExpressVPN only keeps the bare minimum amount of information required to operate a highly reliable VPN service at scale. Without this information, we couldn’t keep our server network running, ensure that our apps are working correctly, or provide accurate support to our customers.
We never collect anything about what users do with the VPN: No logs of traffic destination, DNS records, data content, connection timestamps or IP addresses. That means, should the BVI High Court come asking, we CANNOT answer any of the following questions:
- Which ExpressVPN user(s) accessed the following website or service?
- Which websites did user X access?
- Which ExpressVPN users were utilizing a given ExpressVPN IP address at a particular time?
ExpressVPN takes your privacy seriously and does not keep activity logs or connection logs. Specifically, that means we do NOT log any of the following sensitive information:
- Browsing history
- Traffic destination
- Data content
- DNS queries
- Timestamp or duration of connection
- Your original IP address that you connect from
- Your outgoing IP address (i.e. the ExpressVPN IP assigned to you once connected)
The combination of our BVI jurisdiction, no activity logs, and no connection logs makes ExpressVPN an excellent choice for internet users concerned about their privacy.
Also published on Medium.