In the vast majority of countries, internet service providers are obliged by law to register and save their customers’ internet traffic. Does that apply to VPN services too? That’s exactly the question you should ask yourself, because the very foundation of a VPN provider being able to run an operation that makes sure your traffic stays private is this: Are they based in a country where the laws require them to log traffic?
Mullvad VPN is based in Sweden, and here the relevant law is called the Electronic Communications Act (Lagen om elektronisk kommunication, LEK). It’s LEK that regulates how internet service providers must log traffic, and it’s very clear: this law doesn’t apply to VPN services. So the basic conditions for running a privacy-focused VPN service are good, Swedish law doesn’t require VPN services to log either their customers or their traffic.
This doesn’t protect us against the police turning up at our door with a search warrant, which happened in 2023. Just because a VPN service doesn’t have to log customer data, doesn’t mean they don’t do it. And when a public authority turns up with a search warrant, this is really put to the test. The result? Well, because we don’t log any data we had nothing to hand over – which meant the National Operations Department (NOA) of the Swedish Police had to go away empty-handed. This was the first time a public authority visited us with a search warrant, so we got to test the part of our strategy for how we handle government requests in a real life situation. It wasn’t the type of independent audit we usually carry out on our operations – but we have to admit it turned out well.
Swedish law also means the police can’t pressure us. They aren’t allowed to twist our arms to make us secretly begin logging traffic. Swedish law also means that no other country can step in and ask for information without going through the Swedish legal apparatus and Swedish laws. Here you can read more about the Swedish laws that apply to Mullvad – and why Sweden is a good country to run a VPN service from. Essentially the legal system here makes it possible to keep your data private.
Whether or not your VPN service is based in what’s known as a 14 Eyes country is entirely irrelevant. It’s the individual country’s laws that make a difference. Not whether the country is part of various intelligence collaborations.
If this is a subject that interests you and you’re looking for more information, sooner or later you’ll run into VPN services or other sources saying “Don’t get a VPN service based in a 14 Eyes country.” This is a gambit demonstrating either incompetence or dishonesty. But what’s it all about?
This is 14 Eyes. And this is why it isn’t relevant when you choose your VPN service.
Fourteen Eyes is a collaboration through which the intelligence services in fourteen different countries work together and share information with each other. This was something that Edward Snowden revealed in 2013. First there were five Eyes countries, then nine, and finally (?) fourteen. Among other things, it emerged that the countries were eavesdropping on internet traffic passing national borders in the physical cables running under the Atlantic. And because the internet is a global phenomenon, this essentially means that every internet user in the world was captured here (assuming they weren’t using a VPN, of course).
In other words, it took a whistleblower to reveal these fourteen countries and their collaboration. Today there may be fewer of them? Though it is more than likely that there are more. Or the collaboration no longer exists. The answer to this is something known to no VPN provider, or anyone else outside those intelligence services. We can assume that this type of collaboration is now even more extensive than in 2013. In any case, it has nothing to do with where your VPN service’s offices are located. The 14 Eyes collaboration is all about sharing information, and they gather this information all over the world.
What is important is the domestic laws in the country where your VPN service is based, and how well that company’s operations are protected by the laws there. If the laws in a 14 Eyes country mean that a VPN service needn’t log data, there’s no data to collect and share with other 14 Eyes countries.
In the same way, a country that isn’t a 14 Eyes member doesn’t automatically offer a safer place to run a VPN business. One example: Switzerland is sometimes highlighted as a safe country outside the 14 Eyes collaboration. Well, that didn’t help ProtonMail in the slightest when Swiss law forced them to hand over a French climate activist’s IP address and browser fingerprint. As a VPN company, the only thing that can save you in such a scenario is a hard-nosed philosophy with no exceptions: if you don’t save any data, you have no data to release. So the only important thing about “VPN laws” is this: operate in a country where you can’t be forced by law to save data.