ExpressVPN is a BVI company: What is the BVI, and is it part of the “14 Eyes” intelligence sharing countries?
The BVI, while sharing the same monarch as Great Britain, is a self-governing group of islands located in the Caribbean. The BVI has its own legislature elected by BVI citizens, an independent judiciary, and a national police force. The code of laws which BVI companies are required to abide by was enacted in the BVI, not the UK.
“14 Eyes,” also known as SIGINT Seniors Europe, refers to a collection of 14 countries whose foreign intelligence agencies are reported to share military and counterterrorism information with one another.
As these intelligence agencies strive to intercept all communications internationally (not only from within their national borders), it is unclear whether there is incremental risk associated with operating a VPN service from within a 14 Eyes country.
Nevertheless, because the BVI is a tiny nation without any foreign intelligence operations, it is most certainly not a party to any 14 Eyes intelligence sharing agreements. Therefore, the BVI is not considered as belonging to the 14 Eyes group of countries.
Why should a VPN company’s jurisdiction be important to you?
In choosing a VPN provider, it’s important for privacy-conscious users to consider the following:
- Is this VPN company operating from a jurisdiction without data retention laws?
- What is the legal process by which a government can order the VPN provider to produce information about one or more of its customers?
- Under what circumstances can such an order be made?
In ExpressVPN’s case, there are clear answers:
- There are no data retention laws in the BVI. The BVI is an offshore jurisdiction renowned for privacy protection. This is in contrast to many European countries and Australia, which have laws requiring ISPs to retain metadata related to their users’ internet activity.
- An order for a BVI company to produce evidence and records (pursuant to an investigation) must come from the BVI High Court. Other countries including the United Kingdom and the United States do not have jurisdiction to compel a BVI company to produce records relating to its customers. These governments must petition the BVI High Court to make such an order under BVI jurisdiction.
- The foreign government making the request is required to describe to the BVI High Court a.) the nature of the criminal activity that has taken place, b.) the specific evidence being sought, c.) the relevance of the requested evidence to the case, and d.) grounds for believing that the relevant evidence can be produced from within the BVI. Moreover, there is a requirement for “dual criminality,” meaning that for the request to be upheld the same crime must be punishable by at least a one-year prison sentence under BVI law, had it taken place in the BVI.
It’s a highly burdensome process to obtain a BVI court order, and most investigators would not go through such painstaking effort. Compare that to the United States, where any judge or law firm can issue a subpoena with very little hard evidence. U.S. companies are generally required to comply. Google (according to its own transparency report) receives nearly 30,000 requests for user information each year in the United States and complies with 79% of them.
What if a foreign government does succeed in compelling the BVI High Court to order ExpressVPN to release your information?
The answer to this question lies within the following: What information does the VPN provider know about me?
ExpressVPN is a premium VPN provider focused on user privacy and anonymity. Our network is built around specifically NOT knowing the internet activities of our users. As privacy is a core part of our service offering, ExpressVPN is in the business of protecting our users’ private internet data.
To provide our users with full transparency, below is the list of what we DO know:
- The information you submit on our order page, including payment information. ExpressVPN could not offer premium VPN services without accepting payments from customers. For the most anonymous form of payment, we recommend bitcoin.
- Which of our apps (and app versions) you have successfully activated. App activation details allow our support team to troubleshoot any app-specific technical issues with individual customers.
- Whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location, and from which country/ISP (but not from which IP address). This minimal information assists us in providing technical support, such as providing country-specific advice on how to best use our service.
- The aggregate sum (in MB) of data transfer through the VPN. Although we do offer unlimited data transfer, if a single user pushes more traffic than thousands of users combined, we may ask the user to explain why.
- (Optional for the user) Anonymous information about whether your VPN connection attempts succeed. This data feeds into our network operations tools to let us identify problems with specific apps, VPN servers, or from specific ISPs. The information we receive is fully anonymized and cannot be tied back to individual ExpressVPN users. This feature is similar to a “send bug reports” option, and users can easily switch it off inside our apps.
Should any of the above concern you? We don’t believe so because the basic information we retain about VPN usage is not the kind of information that would be useful in an investigation. If the BVI High Court orders us to tell them which ExpressVPN user had accessed “X” website or service on “Y” date/time with “Z” IP address, we cannot match any of those data points (separately or in combination) to an individual.
Why does ExpressVPN retain any usage data at all?
ExpressVPN only keeps the bare minimum amount of information required to operate a highly reliable VPN service at scale. Without this information, we couldn’t keep our server network running, ensure that our apps are working correctly, or provide accurate support to our customers.
We never collect anything about what users do with the VPN: No logs of traffic destination, DNS records, data content, connection timestamps or IP addresses. That means, should the BVI High Court come asking, we CANNOT answer any of the following questions:
- Which ExpressVPN user(s) accessed the following website or service?
- Which websites did user X access?
- Which ExpressVPN users were utilizing a given ExpressVPN IP address at a particular time?
ExpressVPN takes your privacy seriously and does not keep activity logs or connection logs. Specifically, that means we do NOT log any of the following sensitive information:
- Browsing history
- Traffic destination
- Data content
- DNS queries
- Timestamp or duration of connection
- Your original IP address that you connect from
- Your outgoing IP address (i.e. the ExpressVPN IP assigned to you once connected)
The combination of our BVI jurisdiction, no activity logs, and no connection logs makes ExpressVPN an excellent choice for internet users concerned about their privacy.
Comments
So If I downloaded a copyright song on a usa server hollywood server for example.
Would the us riaa force you to hand over any information on me or are they powerless?
that being said does any pirate police get anything from you?
Two posters here mentioned good people like Dan Guido and Georgian Partners. They were getting at the point that many consumers simply believe any VPN solves all their problems. Nope. Dan Guido said, (paraphrase) many people fail to realize that a VPN operator can be the subject of server log subpoenas. This is true for VPN operators in 14-Eyes countries that share their intelligence information in pursuit of surveilling as much traffic as they can obtain. The opposite of what VPN is for. “Privacy is a function of liberty” -Edward Snowden. Most countries don’t truly support liberty beyond lip service. That said, if someone is doing their own “intelligence” operation they could contact Guido to help them set up their own VPN servers and security software.
One of the truly great things about ExpressVPN is that it is outside of the 14-Eyes intelligence cabal, and is not subject to subpoena. This is exactly the kind of VPN that is preferred. Someone could go about setting up their own VPN server, as Guido specializes in doing. But consider that ExpressVPN is for users who want to stay free of the complications required to set up their own servers, install and maintain their own software tools, and who prefer the simplicity of very well designed software, such as ExpressVPN that just works fleetly and comes with customer support too. I’ve used many VPNs and while I don’t work for Express, I use it year after year because ExpressVPN is a great professional tool.
Good
Dan Guido is a well known security expert. One would hope you know who he is.
You have servers in USA and other countries which are heavily invested in surveillance, so regardless of the country of incorporation, by operating in X country I think you are subject to their laws, right?, could be compelled to give information by the operating country? Do you apply the same privacy policy to all servers and countries where you operate?
Hi Emmanuel. There are no logs on any of our servers, wherever they are.
If you are incorporated in the BVI, then who is this? https://georgianpartners.com/the-problem-with-the-tor-network-and-commercial-vpns/
¯\_(ツ)_/¯ We’re not sure who that person is. We are definitely incorporated in the BVI, though.