With the upcoming draconian Digital Surveillance Bill in the UK, that has been described as ‘worse than scary’ by the UN’s Privacy Chief, I’ve again resorted to sending all of my web traffic over VPN.
The VPN I use is Private Internet Access (PIA), for their stance on user privacy. I was curious to see what they had to say about the new Bill, so dropped them an e-mail. I got two separate responses, one from their tech support, and one from their legal team. They’re worth reproducing publicly.
Here they are. First off, the more general position from their tech team:
Thank you for contacting us. It is our current interpretation that the EU Data Retention Directive 2006/24/EG is not applicable to private VPN services such as ours and instead applies to larger public communications networks. The law requires that telephone and internet providers temporarily store data about a user such as assigned Internet Protocol (“IP”) addresses, timestamps, and more to assist law enforcement and investigations. Private VPN providers do not fall within the purview of the European definition of a public communications network, so it is our position that the EU Data Retention Directive 2006/24/EG does not apply to our business organization.
PIA absolutely does not keep any logs, of any kind, period. While this does make things harder in some cases, specifically dealing with outbound mail, advanced techniques to handle abuse issues, and things of that nature, this provides a high level of security and privacy to all of our users. Logs are never written to the hard-drives of any of our machines and are specifically written to the null device, which simply acts if the data never existed.
The Mandatory Data Retention logs in the EU and many areas applies to Telecommunications and Internet Service Providers as they are a “Public Communications Network”. This is not applicable to our VPN service as we are a private network.
Due to this, we’re unable to provide information on our customers usage of our service under any circumstance, including subpoenas and court orders, which are extremely closely reviewed before we make any response by our experienced legal team.
PrivateInternetAccess.com is a business that strives to protect privacy and the privacy rights of our clients. Although we will comply with all valid subpoena requests, our legal team scrutinizes each and every legal request that we receive for compliance with both the “spirit” and letter of the law. For invalid or overly broad subpoenas, we will often question or attempt to narrow the scope of any subject matter sought.
Moreover, when it is possible and a valid option we will provide the user an opportunity to object to any requested disclosures. We cannot provide information that we do not have. PrivateInternetAccess.com will not participate with any request that is unconstitutional.
and secondly, the more direct answer from the legal team:
Thanks for the email. We are aware of this proposed law pending in the UK. First, the law has to actually go into effect first before we will consider making any changes. We are paying close attention to this proposed law and we will make any adjustments as necessary to maintain the privacy of our users. Second, PIA will not maintain logs because we do not believe that we will be classified as an ISP under the new law. The log keeping requirements are specific to ISPs and we do not fall under that definition. We hope that helps answer your questions.
Help fight back against the Bill with the Open Rights Group: