This is very interesting. https://docs.google.com/spreadsheet...uQPU4BVzbOigT0xebxTOw/edit?pref=2&pli=1#gid=0
Thanks. The iVPN entry says it's registered in Gibraltar rather than Malta (which is the case). Gibraltar would clearly have been in the 5-eyes, let alone 14!
iVPN moved to Gibraltar some months ago, based on legal advice. I gather that the EU clarified VAT policy, which iVPN counsel interpreted to mean that customers had to provide information about their locations. But I haven't seen anything about this from other VPN providers, so
The list is a little out of date but it gives a generally OK steer. The IVPN stuff is pretty on and I think Mirimir is correct. Also AirVPN, one of my other providers, is shown to only have 60 servers and they have nearly double that amount now.
So this means that customers don't need to provide location info? At the expense of being subject to UK law and GCHQ monitoring?
http://uk.practicallaw.com/1-525-4816# That implies that Gibraltar doesn't enforce VAT. Well, the servers aren't in Gibraltar. But I don't know. You could email them. Generally, I assume that everything is being logged, so it doesn't worry me.
@mirimir - oh I see - they don't have VAT so don't need to report on location; and because there's no servers there, there's nothing to directly intercept. So the problem is then UK NSLs, which, I guess, is not worse than the sysadmins & VPN hardware/certificates being hacked (presumably common), or the company bending to local pressure regardless of jurisdiction. With the presumption that everything is logged, you're "good" to go anyway.
Paying with credit cards, there's no need to ask for location, because the payment processor handles the VAT stuff. It's Bitcoin payments that are the issue. Some VPS providers do ask for full contact information, even for Bitcoin payments. But I only recall being asked for contact information (which I of course fake) by one EU-based VPN provider. So maybe the VAT regs aren't being fully enforced. iVPN (and other reputable VPN providers) segregate payment records, account credentials, and CA certificates on separate servers. No sensitive data ever touches the VPN servers.
This is critically important. Most major VPN providers have servers in dozens of countries and they simply cannot predict the legal evolution in all those countries. That said and completely true, it is imperative that if a physical server gets seized it means nothing to security. Sure the cost of the physical server is a small consideration, but absolutely nothing compared to the reputation and protection to its members. The three providers I use have done a great job of keeping the "accounting" servers light years from any online member equipment. Like Mirimir I have never had a provider ask for more than maybe an email to verify a link at signup. Between that and tumbled Bitcoins I don't worry at all over these pesky little laws that keep circulating around.