Do You Know Your VPN’s Jurisdiction? Your Privacy Depends on It

When you shop for a virtual private network, you are probably looking at things like VPN protocols, price, speed, streaming capability and other factors before deciding which one to go with. These are all important factors to consider when looking for a VPN, but one important consideration is often overlooked: jurisdiction.
Jurisdiction refers to the country in which the VPN company is legally registered and, therefore, which country’s laws the VPN answers to. Because privacy laws and data retention laws vary widely from one country to another, jurisdiction has major privacy implications for VPN users.
How much? I would say that using a VPN in a country whose laws require VPNs to log user data is worse for your privacy than not using a VPN at all. The same goes if a country’s laws allow domestic or foreign intelligence agencies to force companies to log and share user data. Those are two of the biggest red flags you can find in a VPN service and the biggest reasons why I’ve paid close attention to jurisdiction over my past decade and a half of experience testing and reviewing VPNs.
Jurisdiction is a complex issue that is often difficult to untangle, but I always make sure that any VPN service I recommend is based in a jurisdiction where it cannot be forced to spy on its users. Unfortunately, there is still a lot of confusion about how local laws do or do not apply to VPN companies and what foreign agencies may or may not have jurisdiction over VPNs in other countries.
The most important thing for your privacy is to make sure that the VPN you use is reliable, has a regularly audited no-logs policy, and is based in a privacy-friendly jurisdiction with no data retention laws that would force VPNs to log user data. Bonus points if the VPN is open source and its privacy claims have been tested in the wild.
The number of Eyes is not the most important factor
A long-standing belief among many in internet circles is that it is dangerous to use a VPN based in a 14 Eyes country, meaning one of a group of 14 countries that share surveillance data under an intelligence alliance.
But what’s really important to your privacy is using a VPN based in a country that doesn’t have mandatory data retention laws that would allow authorities to force VPN companies to log user traffic. The lack of such laws is what really allows a VPN to claim an authentic no-logs policy, and that is true whether the VPN is based in a 14 Eyes country or not.
In other words, the local regulatory environment has a far greater influence than any Eyes designation in determining whether a VPN is safe to use.
Case in point: Mullvad, one of the most private VPNs available and one that I always recommend to users with important privacy needs, is based in Sweden, one of the 14 Eyes countries. But the legal framework in Sweden is such that authorities cannot force VPN companies to log user data. Mullvad answers to Swedish law and Swedish law only, which means that intelligence agencies from another 14 Eyes country (or any other country, for that matter) do not have the power to jump in and make Mullvad log user data.
Also, Mullvad is completely open source and has a no-logs policy that has been tested, providing a high level of transparency and peace of mind that the company does not log the activity of users on its network. In addition, Mullvad says that it retains lawyers to monitor the legal situation (in Sweden and abroad) and is willing to shut down its service if the government can legally force the company to spy on its users.
In fact, Mullvad’s policies were put to the test in 2023 when Swedish authorities, acting with a search warrant, raided Mullvad’s offices in Gothenburg to seize customer data from VPN systems. However, the Swedish police left empty-handed because there was no such information.
Similarly, Windscribe, also based in a 14 Eyes country (Canada), maintains strict privacy and is not subject to laws that would force it to log user data. Windscribe has been tested several times in the wild: once by Greek authorities in 2023, who later dropped their case in 2025 due to a lack of data, and more recently by Dutch authorities, who reportedly took over Windscribe’s server in February. The Dutch case is still ongoing as of this writing, but Windscribe CEO Yegor Sak told me that no user data is at risk because no user data can be provided.
In many places (inside or outside 14 Eyes), authorities can legally go to VPN companies with a warrant, demanding that they provide existing data related to an active investigation. But if a VPN doesn’t actually log customer data, it won’t have anything useful to hand over to the authorities.
But in some places, like the United States, authorities can issue a subpoena, warrant or other legal order that includes a gag order, which can prevent a VPN company from disclosing the fact that it has been told to start logging user data. Additionally, Wired reported that United States lawmakers recently sent a letter to the US intelligence director, asking for clarification on whether VPN users in the US are actually giving up their constitutional protections from warrantless government surveillance when they connect to a server overseas. If the answer is yes, that can be a big problem if you use a rogue VPN service that collects data about your internet activity or if your VPN can be forced by legal order to start logging.
However, a reliable VPN built with privacy in mind can’t just flip a switch and start logging from one minute to the next. Complying with such an order would require a VPN to change its server code and basically its entire infrastructure design to start recording useful data and store it permanently, not to mention outright selling out all its users to the system.
That’s why things like RAM-only servers, open source software, transparency reports and regular third-party audits are more important than jurisdiction. A RAM-only server infrastructure helps ensure that no data persists on the hard drive and that all data is completely erased whenever the server is shut down or restarted. When VPN applications are open source, their source code is publicly available for anyone to examine, which means that any attempt at intrusion may be visible to someone reviewing it.
Transparency reports detailing the number and type of legal requests a VPN receives over a given period (and how the company responded to requests, if any) are critical to building public trust. And though independent audits do not paint the full picture, they are important trust marks that can help verify a VPN’s claims that it does not log and that its infrastructure is properly configured to protect users’ privacy.
A VPN with reasonable privacy settings would find it difficult to start spying on users, even if it were forced to do so. But the point of good VPN jurisdiction is that it doesn’t have to.
Where you would (and wouldn’t) want your VPN to be based
In general, you’ll want a VPN based in a location without mandatory data retention laws, backed by strong data protection frameworks with appropriate checks to limit government access and foreign mandates. Some of the best places for VPNs to be based in include countries like Switzerland (Proton VPN), British Virgin Islands (ExpressVPN), Panama (NordVPN), Sweden (Mullvad), Gibraltar and Romania.
Privacy-minded VPN users should think twice about going with a US-based VPN because of the risks associated with VPN companies being issued national security warrants (which can force the company to hand over records) and gag orders that prevent them from talking about it.
UK-based VPNs are also at risk because the country’s Investigatory Powers Act gives the government the power to weaken encryption, impose gag orders and force ISPs and VPNs into logging user data. Similar laws in Australia make VPNs based there dangerous as well.
VPNs based in countries with strict internet censorship and surveillance should never be considered. For example, any VPN operating in China needs to be approved by the government and provide authorities with backdoor access to its systems.
Look for VPNs with clear jurisdiction
While many VPNs are incorporated in and operate from one location, others may operate out of one country but set up a business that is legally registered in a different location. This can be done for tax benefits or to ensure that the VPN company is legally registered in a safe country, even if it does not actually operate in that country.
Also, some VPN parent companies may be headquartered in a completely different country. For example, ExpressVPN’s parent company, Kape Technologies, is a UK-based company, but ExpressVPN is officially based in the British Virgin Islands. ExpressVPN makes it clear in its privacy policy that it operates in accordance with the laws of the BVI. Similarly, NordVPN’s offices are in Lithuania, but under its Panamanian jurisdiction, all data requests “must follow due process of law set forth under the laws of the Republic of Panama,” according to the company’s privacy policy.
Because of all this, VPN ownership structures and actual jurisdiction can sometimes be a tough nut to crack. But reliable VPNs all make it clear in which jurisdiction they are legally registered, and, therefore, which country’s laws they answer to. It’s something CNET specifically looks for when evaluating VPNs. If you come across a provider that doesn’t make its identity or location clear, it’s best to avoid that VPN.
Bottom line
Ultimately, what you want is a VPN that’s built for privacy from the ground up and based in a country that won’t force it to spy on its users. That’s the real consideration when it comes to jurisdiction.
If privacy is your top concern with a VPN, you can also read up on settings to enable for complete privacy and additional privacy and security tools to include with your VPN, or check out CNET’s reviews of Mullvad, ExpressVPN and Proton VPN.



