First of all it's only been one day
Here it says you posted on the 19th and now I'm replying on the 20th (I've been on sick leave and none of my staff can confirm this by themselves hence they've been waiting for me).
1. Your privacy is not compromised as long no logs are kept. We would have to inform our customers in the event logging is made mandatory by laws. To date, we are not aware of any mandatory logging. In the US, there's a disturbing trend however because of this act that appears that it may be passed:
http://www.theatlantic.com/politics/archive/2011/08/the-legislation-that-could-kill-internet-privacy-for-good/242853/2. We accept Visa prepaid cards.
3. Same comments as previously on location. Offshore has its own share of problems with slow connectivity and a lack of respect of rule of law. For e.g. do you really trust Russia or Serbia? If the government wanted to get you, what then? For P2Pers they may be safe however since it's too small fry for governments to bother but if you're talking about privacy, then that's a separate issue.
4. No other big locations since they have the best connectivity. Korea and Japan's prices are prohibitive for some reason. Singapore as well. For the price of a 1-2 mbit i can get a gigabit server elsewhere.
5. Sweden is no exception. Currently there are no laws but there are subject to a EU directive which they are supposed to be implemented in local law and they have reprimanded for not implementing into local law yet. We are unsure when these laws will come to effect. This will allow ISPs to retain logs for 6 months or 1 year. It is unclear whether VPNs are 'communication providers' that would be covered under this directive but we are not logging anything currently.
In any case, even IF logs were made mandatory (where currently we are not logging), it will only be used for the following purposes:
Public authorities may interfere with the exercise of that right only in accordance with the law and where necessary in a democratic society, inter alia, in the interests of national security or public safety, for the prevention of disorder or crime, or for the protection of the rights and freedoms of others.
Not being an expert in these highly technical fields, these are my opinions only and I disclaim liability from relying on this information since a legal expert in these areas would be required to do this.
We meet all those requirements. With one exception that we do turn on logs is that in the event we notice suspicious activity that is affecting our service such as DDoS attacks or spam activities. We turn on to identify the user, and send a message to stop the activity or we'll terminate their account. This is a clear breach of our ToS. After user is identified, logs are then wiped off our servers again so the whole process takes less than a day or in certain cases just a few minutes.
My own personal opinion is that if you're just concerned about P2P privacy, then I don't think there's a problem. Terrorist activities, child related crimes and more serious crimes are a bit more tricky. In our current situation, as we keep no logs, so even if authorities wish to investigate our servers they'll find nothing.
There's two kinds of privacy, one which is simple p2p privacy for the average user and surfing and posting privacy or accessing censored material. This is something we are confident that we can maintain. Serious crime privacy, for people to post child related stuff etc etc or plot attacks, is not something I personally would like my service to be used for and although I would endeavour for ALL users to be protected, in the event that the law compels me under the proper laws, I'm not going to want to go to jail or face a hefty fine to protect these sorts of people. This is similar to HMA's policy which I believe you're using atm except that they log so can more easily comply.
The real question is what happens if the law requires us to keep logs? As of yet, we have not been imposed with a requirement to log. Certain countries also have certain circumstances where tapping can be implemented which can happen without our knowledge but usually for those instances, it has to be for serious matters of national security. Hence the more reason to host in countries where there is rule of law rather than the whole hullabaloo about 'offshore' countries where national security is a term that can be used for anything including hunting down dissidents.
This is my honest and frank opinion of what is happening at the moment. Try to get them from any other VPN provider. I'll be very surprised if anyone can reassure you. Just from HMA's response in that they're only subject to UK law...I too don't think they're properly advised. For instance, let's say they host a server in the US. US knows that server is HMA's through some method. Gov believes that the server is being used by terrorists. Don't tell me that those servers would be subject to UK law? Also other providers seem to be giving stupid responses.
Quote of one VPN provider
Response to Q1: “It’s technically unfeasible for us to maintain log files with the amount of connections we route,” VPN PROVIDER X explains. “We estimate the capacity needed to store log files would be 4TB per day.”
So you don't log cause it's not possible. Rubbish. There are ways to filter out the logs and there are also different levels of detail. If you're logging every connection fine. But what about those on dedicated IP servers? Can you not log the access time of a particular user to a particular IP? This wouldn't take much space at all. And after all if there's a requirement to log, there's a requirement to log. You can't say oh I'm not complying with the law cause it's too expensive for me to implement. We had at one time successfully implemented logging early in our business (when p2p was actually the only concern) and if it's done on a server by server basis, it's definitely doable.
What I can say is that I could easily just give misleading information as the research being undertaken by Wilders Security is more of 'ask a VPN provider and see how they respond' with some small checks. No check on the actual laws in the country (which would require a lot of work an professional legal advice). Same goes with Torrentfreak. At the end of the day, the research method seems to be the easiest to game I just have to say:
1. Laws don't apply to my servers
2. I don't keep logs
3. I will not give out any info no matter what circumstances.
4. I make proclamations about being in an offshore country and that I respect privacy.
I can easily say all of those. Now tell me, how verifiable are those? I can answer questions all day but it really boils down to, do you trust us from our responses? What is Wilders Security 'ideal' vpn service? I see Xerobank being mentioned a lot but I also see this:
http://bestvpnreviews.com/vpn-reviews/xerobank-xb-vpn-reviewThey mention they're multi-hop, has anyone actually verified this?
