The “no Five Eyes” badge on a VPN’s homepage used to mean something. Now it’s a marketing shortcut that can actually make you complacent. Here’s everything that’s hiding behind it.
What is the Five Eyes Alliance?
The Five Eyes alliance is an intelligence-sharing agreement between the United States, United Kingdom, Canada, Australia, and New Zealand. It traces back to a signals intelligence (SIGINT) cooperation pact signed between the US and UK during World War II, later expanded into what’s known as the UKUSA agreement.
The arrangement lets member agencies collect intelligence on one another’s citizens and share it across borders. In practice this creates a workaround for domestic restrictions: if US law limits what the NSA may collect on Americans directly, GCHQ can collect it and pass the results back. The UK was specifically found to have requested NSA-held data on people in the UK before the safeguards governing such requests were clarified and made public.
Beyond Five Eyes sits the Nine Eyes group (adding Denmark, France, Netherlands, and Norway) and the Fourteen Eyes (adding Germany, Belgium, Italy, Spain, and Sweden). The further you get from the inner ring, the looser the coordination, but formal alliances aren’t the only way governments share intelligence data.
Specific laws make Five Eyes countries particularly hostile territory for VPN providers:
United States. FISA Section 702 lets intelligence agencies compel US providers to hand over the communications of targets who are non-US persons reasonably believed to be outside the United States, without an individual warrant; communications of Americans swept up alongside those targets are collected too. National Security Letters (NSLs) let the FBI demand subscriber and transactional records, normally with a nondisclosure order attached, so the VPN cannot tell the affected users it has been served. The CLOUD Act (2018) confirms that a US court can compel a US-controlled company to produce data it stores on servers abroad.
United Kingdom. The Investigatory Powers Act 2016 lets the government serve telecoms operators with retention notices requiring them to keep internet connection records (which services a subscriber connected to, and when; not page contents) for up to 12 months, and public authorities can obtain that communications data through internal authorisation rather than a judicial warrant. In 2025 the UK government demanded that Apple provide a way into its end-to-end encrypted cloud backups, underscoring how aggressively the British government pursues technical access.
Australia. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 lets agencies compel companies to hand over data and to build new technical capabilities that defeat encryption for specific targets (the Act bars “systemic weaknesses” but leaves the government to decide what counts as one). Australia was the first Five Eyes nation to follow through on the 2018 alliance statement threatening mandatory access to encrypted content.

This is real. This is the threat model that pushed privacy-conscious users toward VPNs registered in Panama, the British Virgin Islands, Switzerland, Iceland, and Romania. And that instinct isn’t wrong: jurisdiction does matter. The problem is that it’s only one layer of a much deeper stack.
Why “Outside Five Eyes” Became a Selling Point
The Snowden disclosures in 2013 gave millions of people a concrete picture of mass surveillance infrastructure. Programs like PRISM (bulk collection of data from US tech companies), XKeyscore (NSA’s search tool for internet activity), and Muscular (joint NSA/GCHQ tapping of Google and Yahoo’s internal fiber links) revealed that surveillance wasn’t theoretical.
VPN companies did what marketers do: they turned a technical consideration into a badge. “Panama-based.” “Swiss privacy laws.” “Based outside 14 Eyes.” These became shorthand for trustworthiness, and they got plastered on landing pages without much critical examination from buyers.
The shorthand isn’t entirely wrong. A VPN registered in Panama genuinely faces different legal obligations than one registered in Virginia. But the assumption that “offshore jurisdiction = privacy guaranteed” skips over five critical layers of the actual threat model. And VPN companies benefit commercially from keeping those layers invisible.

The Five Problems That “Outside Five Eyes” Doesn’t Solve
The CLOUD Act Problem: US Jurisdiction Follows the Company, Not the Server
The Clarifying Lawful Overseas Use of Data Act, passed in 2018, fundamentally changed the geography of data access. Before it, there was serious legal debate about whether US courts could compel US companies to produce data stored on servers in other countries. The CLOUD Act resolved that debate in law enforcement’s favor: jurisdiction attaches to the entity, not the data location.
Any provider subject to US jurisdiction (US incorporation, US operations, US-based staff who can be ordered to act, and foreign-registered companies with enough US presence for a court to assert authority over them) can be compelled by a US warrant or court order to produce data it stores anywhere in the world. The data doesn’t need to be in a US data center. The server doesn’t need to be in the United States. Note what the CLOUD Act settled and what it didn’t: it settled the location-of-data question; whether a particular foreign-registered company is subject to US process at all is still argued case by case, which is why the corporate structure (next section) tells you more than the registration address.
The CLOUD Act also created a framework for bilateral executive agreements that let allied governments bypass the older, slower mutual legal assistance treaty (MLAT) process. Rather than waiting months for a diplomatic data request to work through bureaucratic channels, qualifying foreign law enforcement agencies can now go directly to US providers for data.

For VPN users, this has a specific implication: a VPN that claims to be “headquartered in Panama” while running significant operations, employing key personnel, or holding corporate assets in the United States may be subject to US jurisdiction regardless of where its legal registration sits. The legal registration address on paper doesn’t always tell you where effective control of the company lives.
The MLAT and Bilateral Treaty Problem
Even without the CLOUD Act, the idea that a non-US jurisdiction is safe from US (or UK, or Australian) legal reach misunderstands how international law enforcement cooperation works.
Mutual legal assistance treaties are formal government-to-government agreements for gathering and exchanging information to enforce criminal laws. The US has MLATs with over 50 countries, including most of Europe, several Caribbean and Central American nations, and others that are popular VPN registration destinations.
Under an MLAT, US law enforcement can formally request assistance from a foreign counterpart, which then seeks a court order under its own country’s laws. The foreign government obtains the data and transmits it to the requesting government. The process takes months, sometimes over a year, which is why MLAT requests tend to be reserved for serious criminal cases rather than routine surveillance. But for anyone under real criminal investigation, the slowness is not a reliable protection.
Panama – one of the most popular VPN registration jurisdictions – has had an MLAT with the United States since 1991. Switzerland, another commonly cited “privacy-friendly” country, has legal assistance agreements with the European Union and cooperates with foreign law enforcement on criminal matters. ProtonVPN has disclosed that it has complied with Swiss court orders in criminal cases.
The critical question isn’t whether a country has an MLAT with the US. It’s whether, for the specific kind of case you’re worried about, the treaty would be invoked and honored in a timeframe and scope that creates risk for you.
The Corporate Ownership Problem
This is the one most VPN review sites quietly skip over because much of the review industry has conflicts of interest with the very companies they’re rating.
The VPN industry is substantially more consolidated than its branding suggests. A handful of parent companies own dozens of VPN brands, many of which market themselves independently and claim separate privacy policies. The corporate ownership structure matters because:
Parent companies can compel data sharing across subsidiaries. If a VPN brand is owned by a holding company that also operates advertising, data analytics, or other data-adjacent businesses, the structural separation between “your VPN data” and “the parent company’s data business” exists on paper, but may not exist in practice.
The parent company’s jurisdiction controls. A VPN that claims to be “based in Romania” while owned by a UK holding company is, for many practical legal purposes, subject to UK law when UK authorities apply pressure to the parent. CyberGhost is registered in Romania but owned by Kape Technologies, incorporated in the UK; ExpressVPN joined the Kape group in 2021. Kape Technologies was formerly known as Crossrider, a company with a history of adware and ad-injection software. The audits of ExpressVPN’s no-logs policy are real. What they don’t address is the structural question of what the parent holding company could compel if it chose to.
Acquisitions transfer your trust relationship without your consent. You chose a VPN provider based on a specific ownership structure, legal jurisdiction, and business model. When that company is acquired, you get a new owner with potentially different values, investors, and legal exposure but you almost certainly won’t be notified in a way that prompts you to reconsider your subscription.
NordVPN’s structure is a useful case study. NordVPN’s legal entity is registered in Panama. Its parent, Nord Security, has regional subsidiaries including one in the UK (NV Secure Ltd). The founders are based in Lithuania, an EU member state. Multiple independent Deloitte audits under the ISAE 3000 standard confirm that no user-identifying data was stored on Nord’s servers at the time of each audit (an audit is a point-in-time attestation, not a continuous guarantee). The point isn’t that NordVPN is untrustworthy – the audits are rigorous and the results are consistent. The point is that “registered in Panama” doesn’t capture the full set of legal reaches that could be applied to a company of Nord’s structure. Understanding that complexity is more valuable than the simplified marketing badge.

If you want to minimize corporate ownership risk, the options with the clearest ownership structures are providers that are either nonprofit or founder-owned private companies with no diversified data businesses: Mullvad (founder-owned, Sweden), ProtonVPN (Proton AG, foundation-backed, Switzerland), IVPN (independent), and Windscribe (founder-owned, Canada – yes, a Five Eyes country, which is exactly the point of the following section).
The No-Logs Policy Problem: Marketing Claims vs. Court Reality
“Strict no-logs policy” is possibly the most abused phrase in the VPN industry. It costs nothing to write on a landing page, and until a law enforcement request or a credible audit tests it, there is no way to verify it from the outside.
The historical record of tested no-logs claims is specific and illuminating.
IPVanish (2016). At the time owned by Highwinds Network Group, IPVanish was advertising a “zero logs” policy. When the Department of Homeland Security investigated a child exploitation case in Indiana, it sent a summons to Highwinds. IPVanish provided connection logs. Court documents confirmed that the company was recording and retaining data at the same time it was claiming not to. IPVanish has since changed ownership, overhauled its infrastructure, commissioned an independent audit from Leviathan Security Group, and is in the process of transitioning to RAM-only servers, but the original incident remains the canonical example of a no-logs claim that meant nothing when tested.
PureVPN (2017). PureVPN’s privacy policy stated that the company “does not keep any logs.” The FBI investigated a cyberstalking case in Massachusetts involving a man named Ryan Lin. PureVPN provided connection timestamps that tied Lin’s real home IP address to VPN IP addresses used in the harassment campaign. The company later clarified that its policy referred to “browsing activities” and not connection metadata – a distinction that was nowhere in the marketing. PureVPN subsequently hired KPMG for an audit and revised its policy language.
HideMyAss (2011). Provided connection logs to law enforcement (a UK court order serving a US investigation) despite its marketing claims; its own terms of service at the time acknowledged keeping connection timestamps and IP addresses, which is exactly the policy-versus-marketing gap to look for.
Private Internet Access (multiple cases). Received FBI subpoenas in separate cases involving bomb threats and hacking investigations. In both cases, PIA complied with the legal process by explaining that no logs existed. The FBI confirmed no data was available. This is the correct outcome: the provider cooperated fully while demonstrating that its infrastructure design made data disclosure impossible, not merely against policy.
ExpressVPN (Turkey, 2017). Turkish authorities investigating the assassination of Russian ambassador Andrei Karlov seized an ExpressVPN server in Turkey. They found no user data; ExpressVPN said it had never kept connection or activity logs on the machine. Note that this predates ExpressVPN’s RAM-only TrustedServer architecture (launched 2019), so the seizure is evidence of a no-logs practice on a conventional disk-backed server, not of diskless infrastructure. It is still the correct outcome from an infrastructure standpoint.
Mullvad (Sweden, 2023). Police arrived at Mullvad’s offices with a search warrant. They were allowed to inspect office premises and servers. No customer data existed on any system. The warrant found nothing because there was nothing to find. This was the first documented case of a VPN provider successfully demonstrating a no-logs policy through a physical police raid, and it remains the gold standard for verified no-logs claims.
Windscribe (Ukraine and Greece). In 2021, Ukrainian authorities seized Windscribe servers that still held an OpenVPN server private key unencrypted on disk, a serious infrastructure mistake that Windscribe disclosed and then fixed by rebuilding its key handling. Separately, Windscribe’s founder was criminally charged in Greece over activity traced back to a Windscribe exit IP; all charges were ultimately dismissed. Together the cases illustrate how infrastructure errors and simple exit-IP attribution can create legal exposure even when the intent is privacy.

The pattern across these cases is clear: no-logs claims only matter when they’re enforced at the infrastructure level, not the policy level. A company can promise not to log your data. It can even mean it sincerely. But if its servers are capable of logging, a court can order logging switched on from that point forward, and many providers around the world have complied with such orders.

What gag orders mean for users. National Security Letters in the US come with mandatory nondisclosure provisions. A VPN provider served with an NSL legally cannot tell you it has received one. This is why warrant canaries exist: the provider publishes a regular statement saying “we have not received any NSL or FISA order.” If the canary disappears or isn’t updated, users can infer that one has been received (a legal theory that has never been tested in court). NordVPN moved from warrant canaries to regular transparency reports in 2024, arguing that proactive disclosure of aggregate request counts is more informative than the binary canary system. Both approaches are imperfect; neither provides real-time notification of an active government request that comes with a gag order.
The Physical Infrastructure Problem
Where the servers actually sit matters as much as where the company is registered and these are often different places.
Many VPN providers rent server capacity from third-party data centers. The data center has physical access to the hardware. In theory, a data center operator could be compelled by local authorities to log activity, regardless of what the VPN company’s privacy policy says. VPN logging policies apply only to the VPN company, not to the colocation or hosting providers they work with. When authorities want to apply pressure, going directly to the data center bypasses the VPN company entirely.
This is a practical limitation that even well-intentioned VPN providers struggle with. Running your own global server infrastructure requires significant capital investment. Most commercial VPN companies rent at least some of their capacity.
The solution that’s emerged is RAM-only (diskless) server architecture. If a server runs entirely in volatile memory with no hard drive or SSD, there’s physically nothing to seize. When the server powers down or reboots, all data disappears. Third-party data center operators cannot log what doesn’t persist.
ExpressVPN launched its “TrustedServer” RAM-only infrastructure in 2019. NordVPN followed in 2020. Surfshark transitioned in 2020. Mullvad completed its migration to 100% diskless servers in 2023. IPVanish began its rollout in 2025, targeting full network coverage by 2027.
RAM-only architecture doesn’t solve every problem. A server can still be ordered to start logging going forward even if it logged nothing previously: RAM is cleared on reboot, but a running process can write anywhere, including to a remote collector. And a compromised server forwarding live traffic in real time (as in the NordVPN Finland incident of 2018, where an attacker got in through a remote management interface the data center had left exposed) creates exposure regardless of storage architecture.
But as a baseline control against the most common attack vector – physical server seizure – RAM-only architecture is now a meaningful technical differentiator rather than just a marketing claim.
When Jurisdiction Actually Does Matter
Having spent several thousand words explaining what jurisdiction doesn’t solve, it’s worth being precise about what it does address.
Mandatory data retention laws. Some countries legally require VPN providers to retain user connection metadata for a minimum period. If the law mandates it, the provider must do it regardless of their privacy policy. Germany, France, and other EU members have had data retention directives at various points. A VPN registered in a country with no mandatory retention law for VPN services has one fewer structural pressure on its logging practices.
Ease of legal compulsion. Law enforcement in Five Eyes countries faces fewer procedural barriers to demanding data from domestic companies than it does when going through MLAT channels to access foreign companies. The requests still reach foreign jurisdictions – they just take longer and require more paperwork. For anyone not under active criminal investigation by a sophisticated state actor, that procedural friction is real protection.
The severity of local surveillance law. A VPN registered in a country that requires ISPs and telecoms to log and surrender user data by default (as the UK’s Investigatory Powers Act does) creates legal exposure that a VPN in Switzerland or Panama doesn’t face. The direction of legal pressure matters.
Cooperative vs. adversarial relationships. Even with MLAT agreements in place, some jurisdictions are genuinely resistant to honoring requests from certain governments. Iceland’s Modern Media Initiative places strong emphasis on press freedom and digital privacy. Swiss courts apply local privacy standards before honoring foreign requests. This isn’t a guarantee, it’s friction in the system, and friction adds protection.
The correct framing is that jurisdiction is one filter among many, not the deciding factor. A VPN registered in a “bad” jurisdiction with RAM-only servers, independently audited zero-logs infrastructure, and a clear history of refusing to produce data when it doesn’t exist can be more trustworthy than one in a “good” jurisdiction with no audits, rented servers, and a parent company you’ve never heard of.
What Real VPN Privacy Looks Like in 2026
The privacy attributes that actually matter, roughly in order of importance:

Infrastructure architecture (RAM-only / diskless servers). This is the single biggest technical differentiator. If nothing is written to disk, there’s nothing to seize. Not all providers have completed this migration; those that say they have include Mullvad, NordVPN, ExpressVPN, ProtonVPN, Surfshark, and (partially) IPVanish. Treat each as the provider’s own claim until an audit report states that the auditor verified the server build itself, not just the policy.
Verified no-logs policy via independent audit. An audit from a credible firm (Deloitte, KPMG, Cure53, PwC) that examined actual server configurations, not just policies on paper is meaningfully different from a self-reported claim. The audit should be ISAE 3000 or equivalent standard, and the auditor should have had access to live server infrastructure. Frequency matters too: a single 2018 audit provides far less confidence than annual audits.
Court-proven no-logs history. Mullvad’s 2023 police raid is the gold standard. PIA’s two separate FBI subpoenas with no data produced are a strong second. These are real-world confirmations that the infrastructure design works as claimed. Most VPN providers have never been tested at all.
Ownership structure transparency. Can you trace the ultimate beneficial owner of the company? Is the ownership structure clearly disclosed? Does the parent company operate other businesses that create conflicts of interest around user data? Independent and foundation-backed providers have fewer structural conflicts than subsidiaries of media or ad tech conglomerates.
Payment anonymity. A provider that accepts Monero (XMR), cash by mail, or anonymous gift cards makes it harder to link your account to your identity. Mullvad is the most rigorous here – they accept cash, Bitcoin, Monero, and don’t require an email address for signup. ProtonVPN accepts Bitcoin. If you pay with a credit card tied to your real identity, the payment processor has a record even if the VPN doesn’t.
DNS and WebRTC leak protection. A VPN that uses third-party DNS resolvers (Google DNS, Cloudflare) creates a potential logging point outside its own control. Providers running their own private DNS infrastructure keep those queries internal. DNS leaks – where DNS queries bypass the VPN tunnel and go to your ISP’s or the OS’s configured resolver – are a common misconfiguration that can expose browsing activity even with the VPN active. WebRTC is the browser-side equivalent: a site can ask the browser to enumerate ICE candidates and learn your real local and public IP addresses unless the client or browser blocks it.
Obfuscation and traffic analysis resistance. In countries with deep packet inspection, standard VPN traffic can be identified and blocked. Obfuscated protocols disguise VPN traffic as ordinary HTTPS. This matters more for users in China, Russia, Iran, and similar environments than for users in open internet countries, but it’s also relevant for anyone concerned about traffic correlation attacks by sophisticated adversaries. Note that obfuscation hides which protocol you’re using, not traffic volume and timing, so it does not by itself defeat correlation.
Transparency reports. Regular disclosure of the number of government requests received, data produced (if any), and legal process type is more informative than silence. NordVPN’s move from warrant canary to quarterly transparency reports is a model worth watching.
Threat Model Framework: Who Are You Hiding From?
Jurisdiction matters differently depending on who your adversary is. Most VPN guides skip the threat modeling step, which is why people end up worried about Five Eyes surveillance when their actual concern is their ISP selling browsing data.
If you’re protecting yourself from your ISP and data brokers. Jurisdiction is largely irrelevant. Any commercial VPN with a credible no-logs policy and basic encryption handles this. Your ISP sees encrypted traffic going to a VPN endpoint, plus how much and when (enough to tell that you use a VPN, not what you do through it). Data brokers can’t pull your browsing history if your ISP can’t see it. Even a US-based VPN solves this threat model.
If you’re protecting yourself from targeted advertising and tracking platforms. A VPN is necessary but not sufficient. Browser fingerprinting, tracking pixels, first-party cookies, and cross-site tracking happen at the application layer, above the VPN tunnel. A VPN hides your IP address; it doesn’t stop Google Analytics from identifying you across sites you’ve logged into. You also need a privacy-focused browser, tracker blocking, and compartmentalization.
If you’re a journalist, researcher, or activist in a high-risk country. Jurisdiction matters substantially. You want a provider with no connection to any government likely to target you, RAM-only infrastructure, anonymous payment, a no-logs history verified by audit, and ideally a track record of resisting legal pressure (not just claiming it would). Mullvad, ProtonVPN, and IVPN are designed with this threat model in mind. For the highest-risk activities you also want to run Tor over the VPN (connect to the VPN first, then to the Tor network), understanding that this changes your trust assumptions: the VPN provider learns that you use Tor, and your Tor guard sees the VPN’s address rather than yours.
If you’re trying to avoid detection by a Five Eyes intelligence agency as part of a serious criminal investigation. A VPN is not the right tool and will not protect you. Nation-state intelligence agencies have capabilities that go well beyond legal requests to VPN providers: traffic correlation attacks, endpoint compromise, infiltration of services you use, and legal access to data held by any party you communicate with. The Snowden disclosures made clear that mass surveillance operates at the network infrastructure level, not just at the application level. Anyone in this threat category needs operational security practices that go far beyond VPN jurisdiction selection.
If you’re protecting yourself from a state actor that isn’t in the Five Eyes. This is where the “outside Five Eyes” framing breaks down entirely in a different direction. Countries like China, Russia, Turkey, and others have their own surveillance infrastructure and bilateral agreements. A VPN registered in Panama provides no particular protection against Chinese intelligence operations targeting users on Chinese network infrastructure, regardless of where the company is incorporated.

The Transparency Stack: How to Evaluate Any VPN
Use this framework to cut through marketing language:
Step 1: Find the ultimate beneficial owner. Search the company’s registered name in the jurisdiction’s corporate registry: Companies House for UK entities, the Register of Legal Entities (Registrų centras) for Lithuanian entities, the BVI Financial Services Commission for BVI entities. Follow the ownership chain until you reach a natural person or a foundation. If you can’t find the beneficial owner, that’s a flag.
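The chain-walk in Step 1 (and the “jurisdiction follows the company” point from the CLOUD Act and corporate ownership sections) is mechanical enough to script once you have registry extracts in hand. The block below is an added example, not code from any registry, provider or review site: it walks majority-ownership links upward, stops at a natural person or foundation, flags opaque or circular structures, and lists every jurisdiction a court could use to reach the brand, tagged with the alliance tier this article describes. The registry extract is constructed and every entity name in it is hypothetical; real registries return this data in their own formats, which you would parse into the same shape.

```python
"""Walk a corporate ownership chain to its ultimate beneficial owner (UBO) and
list every jurisdiction a court could use to reach the brand.  Added example,
not from any registry or provider; the registry extract below is constructed
and every entity name in it is hypothetical."""
from typing import Dict, List, Optional, Tuple

# Alliance tiers as described earlier in this article (ISO country codes).
EYES = {
    **{c: "Five Eyes" for c in ("US", "GB", "CA", "AU", "NZ")},
    **{c: "Nine Eyes" for c in ("DK", "FR", "NL", "NO")},
    **{c: "Fourteen Eyes" for c in ("DE", "BE", "IT", "ES", "SE")},
}

# Constructed registry extract: name -> (jurisdiction, majority owner, kind).
# kind describes the record itself: a company, a natural person, a foundation,
# or "undisclosed" (nominee directors, bearer shares, or no filing found).
Record = Tuple[str, Optional[str], str]
REGISTRY: Dict[str, Record] = {
    "ExampleVPN S.A.":       ("PA", "Example Holdings Ltd", "company"),
    "Example Holdings Ltd":  ("GB", "Example Group plc",    "company"),
    "Example Group plc":     ("GB", "J. Doe",               "company"),
    "J. Doe":                ("LT", None,                    "person"),
    "OpaqueVPN Ltd":         ("VG", "Nominee Services Inc", "company"),
    "Nominee Services Inc":  ("VG", None,                    "undisclosed"),
    "LoopVPN GmbH":          ("DE", "Loop Holdings BV",      "company"),
    "Loop Holdings BV":      ("NL", "LoopVPN GmbH",          "company"),
}


def resolve_chain(brand: str, registry: Dict[str, Record],
                  max_depth: int = 20) -> Tuple[List[Tuple[str, str]], str]:
    """Follow majority-ownership links upward from the brand.

    Returns (chain, terminal): chain is [(entity, jurisdiction), ...] and
    terminal is "person", "foundation", "undisclosed", "unknown" (owner named
    but absent from the registry), "circular" (cross-holding loop) or "too_deep".
    """
    chain: List[Tuple[str, str]] = []
    seen = set()
    name: Optional[str] = brand
    while name is not None and len(chain) < max_depth:
        if name in seen:
            return chain, "circular"
        rec = registry.get(name)
        if rec is None:
            chain.append((name, "?"))
            return chain, "unknown"
        seen.add(name)
        jurisdiction, owner, kind = rec
        chain.append((name, jurisdiction))
        if kind in ("person", "foundation"):
            return chain, kind
        if kind == "undisclosed" or owner is None:
            return chain, "undisclosed"
        name = owner
    return chain, "too_deep"


def legal_reach(chain: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Distinct jurisdictions whose courts can pressure some entity in the
    chain, tagged with the alliance tier ("none" if outside all three)."""
    codes = sorted({j for _, j in chain if j != "?"})
    return [(c, EYES.get(c, "none")) for c in codes]


def assess(brand: str, registry: Dict[str, Record] = REGISTRY) -> dict:
    chain, terminal = resolve_chain(brand, registry)
    return {
        "chain": chain,
        "terminal": terminal,
        "reach": legal_reach(chain),
        # A chain that never reaches a person or foundation is Step 1's red flag.
        "flag": terminal not in ("person", "foundation"),
    }


if __name__ == "__main__":
    for brand in ("ExampleVPN S.A.", "OpaqueVPN Ltd", "LoopVPN GmbH"):
        print(brand, assess(brand))
```

The Panama-registered hypothetical brand resolves to a Lithuanian individual through two UK companies, so its legal reach is Panama plus the UK plus Lithuania, which is the whole point of the corporate ownership section: the badge says “PA”, the chain says “Five Eyes”. The nominee-owned and cross-held examples never reach a person and are flagged.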
Step 2: Check for parent company conflicts of interest. Does the parent own advertising, analytics, or other data businesses? Has the parent company had any history of data monetization that conflicts with privacy claims? The Kape Technologies/Crossrider history is worth knowing about for anyone relying on ExpressVPN or CyberGhost primarily for serious privacy needs.
Step 3: Look for independent audits, not policy documents. Check when the last audit was conducted, who conducted it, and what exactly they examined. An audit of “privacy policies” is different from an audit of live server configurations. An ISAE 3000-compliant audit is more rigorous than a checklist. Multiple annual audits are more confidence-inspiring than a single audit from five years ago.
Step 4: Check the real-world legal record. Has this provider been tested by law enforcement? What was the outcome? This is the hardest information to find but the most meaningful. Searching for the provider’s name plus terms like “subpoena,” “court order,” “logs,” or “data request” in legal databases and credible journalism is worth the effort.
Step 5: Verify the infrastructure claims. Does the provider use RAM-only servers? Do they own their infrastructure or rent from third parties? If they rent, do they have contracts that restrict data center access and logging? Have their RAM-only claims been independently verified?
Step 6: Check the warrant canary or transparency reports. If there’s a warrant canary, is it current? Has it ever lapsed without explanation? If there are transparency reports, what do they actually say? Some providers publish aggregate numbers without meaningful detail; others (like Mullvad) provide specific disclosure categories.
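Checking a canary (Step 6, and the gag-order discussion earlier) comes down to three questions: is it fresh, has any expected statement quietly disappeared, and does the signature verify. The block below is an added example, not any provider’s tooling: it handles the first two for a plain-text canary with a `Date:` line and explicit “we have not received …” statements. That format, the 35-day freshness limit and the sample canary are all assumptions made for the example. It deliberately does not verify a PGP signature; do that with `gpg` against a key obtained out of band before trusting the text at all.

```python
"""Warrant-canary freshness and content check.  Added example; assumes a
plain-text canary with a 'Date: YYYY-MM-DD' line and explicit statements of
what has NOT been received.  Signature verification is out of scope here."""
import re
from datetime import date
from typing import List

# Constructed sample canary (not from any real provider).
SAMPLE_CANARY = """\
Warrant Canary
Date: 2026-05-01
As of the date above, we have not received any National Security Letter,
FISA court order, or other gag-order-bearing request for user data.
We have not been compelled to modify our systems to enable monitoring.
The next update is due within 30 days.
"""

# Statements that must be present verbatim (case-insensitive).  A canary that
# drops one of these is the provider signalling through silence.
REQUIRED_STATEMENTS = (
    "have not received any National Security Letter",
    "FISA court order",
    "have not been compelled to modify our systems",
)


def parse_canary_date(text: str) -> date:
    m = re.search(r"^Date:\s*(\d{4}-\d{2}-\d{2})\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("canary has no 'Date: YYYY-MM-DD' line")
    return date.fromisoformat(m.group(1))


def evaluate_canary(text: str, today: date, max_age_days: int = 35) -> dict:
    """Classify a canary as current, stale, altered, suspect or invalid."""
    problems: List[str] = []
    try:
        issued = parse_canary_date(text)
    except ValueError as exc:
        return {"status": "invalid", "issued": None, "age_days": None,
                "problems": [str(exc)]}
    age = (today - issued).days
    if age < 0:
        problems.append("issue date is in the future (clock skew or tampering)")
    if age > max_age_days:
        problems.append(f"stale: {age} days old, limit is {max_age_days}")
    lowered = text.lower()
    missing = [s for s in REQUIRED_STATEMENTS if s.lower() not in lowered]
    problems += [f"missing statement: {s!r}" for s in missing]

    if missing:
        status = "altered"      # a dropped statement is the canary's own signal
    elif age > max_age_days:
        status = "stale"        # not updated on schedule: treat as tripped
    elif problems:
        status = "suspect"
    else:
        status = "current"
    return {"status": status, "issued": issued, "age_days": age,
            "problems": problems}


if __name__ == "__main__":
    print(evaluate_canary(SAMPLE_CANARY, date.today()))
```

Run it from a scheduled job with `today=date.today()` and alert on anything other than `current`; a canary that is merely late is as much of a signal as one that has changed, which is why both are treated as tripped.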
Step 7: Test for DNS and IP leaks. Technical claims should be verifiable. Services like ipleak.net, dnsleaktest.com, and browserleaks.com can confirm whether your VPN is actually protecting what it claims to protect. A VPN that passes the marketing test but fails a DNS leak test is a concrete problem, regardless of jurisdiction.
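Before the live leak tests in Step 7, there is an offline check worth running: look at which resolvers the operating system is actually configured to use and ask whether each one sits inside the tunnel. That catches the configuration described in the DNS leak section above (queries going to a LAN router, the ISP, or a third-party public resolver) without sending a packet. The block below is an added example, not any provider’s client code; it parses `resolv.conf` syntax, and the tunnel subnet, the public-resolver list and the three sample files are constructed inputs for illustration.

```python
"""Offline DNS-leak pre-check: do the configured system resolvers sit inside
the VPN tunnel?  Added example, not any provider's tooling.  Inputs below
(tunnel subnet, resolver list, resolv.conf samples) are constructed."""
import ipaddress
from typing import List, Tuple

# Well-known third-party resolvers (illustrative, not exhaustive).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                    "9.9.9.9", "149.112.112.112"}

# Constructed /etc/resolv.conf contents for three typical situations.
RESOLV_LEAKY = """\
# Generated by NetworkManager
search lan
nameserver 8.8.8.8
nameserver 192.168.1.1
"""
RESOLV_STUB = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"
RESOLV_TUNNELED = "nameserver 10.8.0.1\n"


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf order, ignoring
    comments, other directives and malformed addresses."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # libc skips unparseable entries; so do we
    return servers


def classify(ns: str, tunnel_net) -> str:
    ip = ipaddress.ip_address(ns)
    if ip.version == tunnel_net.version and ip in tunnel_net:
        return "tunnel"    # the VPN's own resolver, reached through the tunnel
    if ns in PUBLIC_RESOLVERS:
        return "public"    # third-party resolver: a logging point outside the VPN
    if ip.is_loopback:
        return "stub"      # local forwarder (e.g. systemd-resolved): check its upstreams
    if ip.is_private or ip.is_link_local:
        return "lan"       # home router or ISP-assigned resolver: leaves the tunnel
    return "external"


def check_dns_leak(resolv_text: str, tunnel_cidr: str) -> dict:
    """Classify every configured resolver against the tunnel subnet.

    'ok' is True only when every resolver is inside the tunnel; a loopback stub
    is neither proof of a leak nor proof of safety, so it is reported separately.
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=False)
    findings: List[Tuple[str, str]] = [
        (ns, classify(ns, net)) for ns in parse_nameservers(resolv_text)]
    leaks = [ns for ns, kind in findings if kind in ("public", "lan", "external")]
    stubs = [ns for ns, kind in findings if kind == "stub"]
    return {
        "resolvers": findings,
        "leaks": leaks,
        "needs_upstream_check": stubs,
        "ok": bool(findings) and not leaks and not stubs,
    }


if __name__ == "__main__":
    for label, text in (("leaky", RESOLV_LEAKY), ("stub", RESOLV_STUB),
                        ("tunneled", RESOLV_TUNNELED)):
        print(label, check_dns_leak(text, "10.8.0.0/16"))
```

On a real host, feed it the contents of `/etc/resolv.conf` and the tunnel interface’s subnet from `ip addr`. A loopback stub means the real upstreams live elsewhere (`resolvectl status` on systemd hosts), so the script reports it rather than guessing. This check covers DNS only; WebRTC exposure is a browser behaviour and still needs the live browserleaks.com test.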
VPN Providers Ranked by Privacy Architecture
This is not a comprehensive review but a framework for how different providers stack up on the criteria that matter:
Tier 1: Highest Privacy Architecture
Mullvad (Sweden) – 100% RAM-only infrastructure as of 2023, independently audited, accepts cash and Monero, no email required for signup, police raid passed with zero data recovered, no advertising business, founder-owned private company. The major tradeoff is that Sweden is a 14 Eyes country. Mullvad’s response is correct: if there’s nothing logged, there’s nothing to surrender regardless of the country. The 2023 police raid confirms this works in practice.
ProtonVPN (Switzerland) – Built by the ProtonMail team, foundation-backed, Swiss jurisdiction with strong local privacy laws, independent audits, accepts Bitcoin, no-logs policy verified. Has complied with Swiss court orders in criminal cases – but this is actually a mark of operational transparency, not failure. When Proton complied, it was with Swiss court orders applying Swiss law. That’s meaningfully different from complying with secret NSL orders with gag orders attached. Jurisdiction matters here in the way it’s supposed to: Swiss courts applied Swiss standards.
IVPN (Gibraltar) – Small, independently operated, strong privacy focus, open-source apps, accepts cash and Monero, no email required, regular audits. Less popular than Mullvad or Proton, which means less scrutiny and a smaller target profile.
Tier 2: Good Architecture with Caveats
NordVPN (Panama entity, Lithuanian founders, UK subsidiary) – Six independent no-logs audits by Deloitte, RAM-only servers, strong technical infrastructure. Complex corporate structure. Annual audits are rigorous. The 2018 Finland server compromise (an attacker used a remote management interface the data center had left exposed; no logs existed to expose) was handled reasonably but disclosed only in October 2019, well after the March 2018 intrusion. Has never been tested by law enforcement in a public case.
ExpressVPN (BVI, Kape Technologies parent) – RAM-only TrustedServer technology with a long run of independent audits (the provider cites 18+, including KPMG). The Kape Technologies parent creates a structural conflict of interest for the privacy-first use case, and Kape’s former identity as Crossrider (adware) is worth knowing. The 2017 Turkish server seizure found no data, but that was two years before TrustedServer existed; it validates the no-logs practice, not the RAM-only design.
(A note on ProtonVPN, from Tier 1, belongs here because it is about transparency reporting rather than architecture: Proton also publishes transparency reports, and its report covering H2 2025 lists more than 1.38 million data requests received with zero user data disclosed. Whatever the current figure, a published request count paired with a zero-disclosure figure is the clearest public evidence of a provider functioning as claimed under real-world pressure, and the latest report is worth reading before relying on it.)
Tier 3: Adequate for Most Use Cases, Not for High-Risk Privacy Needs
Surfshark (Netherlands, NordVPN parent) – RAM-only, independently audited. Merged with Nord Security in 2022, raising questions about effective independence. Suits streaming and general use; the corporate merger reduces its value as a privacy-isolated provider.
Private Internet Access (US jurisdiction) – Twice proven in court to have no logs when subpoenaed by the FBI. That’s a real credential. But PIA is US-based and, since 2019, a Kape Technologies subsidiary (the same parent as ExpressVPN and CyberGhost), which introduces the corporate ownership complexity discussed above. For users primarily concerned about ISP surveillance and corporate tracking rather than government requests, the court-proven record is more meaningful than jurisdiction.
IPVanish (US jurisdiction) – Had the 2016 logging incident. Has since been acquired (it now sits under Ziff Davis), audited, and is transitioning to RAM-only. The incident is in the past; the open question is whether the infrastructure rebuild is complete. In mid-2025, RAM-only coverage began in limited cities.
Beyond VPNs: What a Layered Privacy Setup Actually Looks Like
A VPN – even a perfect one – only handles network-layer privacy. Here’s what a realistic layered setup looks like for different threat levels:
For general privacy (avoiding ISP surveillance, reducing tracking, basic security):
- Any reputable VPN with a verified no-logs policy
- Browser with tracker blocking (Firefox + uBlock Origin, or Brave)
- DNS over HTTPS or DNS over TLS to stop plaintext DNS leaving the machine at the OS level (with the VPN connected, point it at the VPN’s own resolver inside the tunnel rather than a third party, or you recreate the external logging point described above)
- HTTPS everywhere (now the default in most modern browsers)
For elevated privacy (journalism, activism, sensitive research):
- Mullvad or ProtonVPN with Monero/cash payment and no email signup
- Compartmentalized browsing (separate browser profiles or separate machines for different activity categories)
- Tor Browser for the most sensitive activities
- End-to-end encrypted messaging (Signal) for communications
- A privacy-focused OS (Tails for temporary high-security work, Qubes OS for compartmentalized persistent work)
- Careful attention to metadata: encrypted messages still reveal that you communicated with someone
For the highest-risk scenarios (active government targeting, whistleblowing, hostile state actor exposure):
- VPN is one small piece of a much larger operational security practice
- Tor over VPN (connect to the VPN, then run Tor through it) so that your ISP sees only the VPN and the Tor entry guard sees only the VPN’s address, never your home IP; the VPN provider in turn sees that you use Tor but not where it goes
- Air-gapped devices for the most sensitive work
- Physical security: device encryption, secure destruction of devices when compromised, careful handling of who knows what device is used for what
- Legal counsel and trusted intermediary organizations (EFF, Freedom of the Press Foundation) before any significant disclosure
TL;DR Cheat Sheet
Jurisdiction matters, but it’s one layer, not the whole picture. Here’s what actually matters in order:
- What the servers store (RAM-only vs. disk). If nothing is written, nothing can be seized. This is the biggest single technical differentiator.
- Whether the no-logs policy has been independently audited – by a credible auditor, examining live server configurations, recently.
- Whether the no-logs policy has been tested in court – and what happened. Mullvad’s raid and PIA’s subpoenas are the clearest public verifications that no-logs claims actually hold under real legal pressure.
- Who owns the company and what their other businesses are. A parent company with a data monetization business creates conflicts the marketing copy never mentions.
- Where the servers physically sit and who has physical access to them. Third-party data center operators operate under their own local laws.
- Jurisdiction, which determines ease of legal compulsion, mandatory retention laws, and how friendly the local legal environment is to resisting foreign data requests.
- Transparency mechanisms. Warrant canaries, transparency reports, and audit publication tell you whether a provider is treating accountability as a real commitment or a checkbox.
The “outside Five Eyes” badge is at position six on this list. That’s not irrelevant – it’s just not the lead.
This article was accurate as of June 2026. VPN ownership structures, audit statuses, and infrastructure details change. Always verify current ownership, recent audit dates, and transparency report status before making privacy-sensitive choices about a VPN provider.