Private Internet Access does not log. Ever.
At Private Internet Access, privacy is at the soul of what we do. Our business partners have occasionally been surprised when we say upfront that we’re in privacy first, business second – but that’s the passion we have. Making money is a matter of being able to continue pursuing the primary goal, privacy, on a sustainable basis.
Given this, we’re sometimes asked why we don’t fly warrant canaries on our web page: having a short statement designed to technically circumvent gag orders about what, when or where various authorities have legally coerced us to give up private information on our customers. A warrant canary can look like this:
“In 2014, this company did not receive any coercing legal request for private customer information.”
The idea is that if and when this statement disappears, it’s the equivalent of saying there were authorities grabbing what they wanted and preventing the company from talking about it – so what the company does, in order to circumvent the gag, is to remove the statement that it’s never happened.
This is going about the problem in the wrong way, when you’re a privacy company. The right way is to not have any collectable information in the first place.
A warrant canary is a little bit like a fire alarm going off. Great. You know there’s a fire. Now what do you do?
This is why at Private Internet Access, we have designed our operations to prevent this from happening in the first place. There are no logs. There is no identifying information that can be collected, regardless of the amount of force applied. There are several companies who claim they don’t log, but do anyway at the end of the day. In contrast, we have public court records that state (under threat of perjury) we don’t log anything, available for anyone to read (pages 11-12):
“All of the responses from 1&1, Facebook, Twitter, and Tracfone have been traced back by IP address to … privateinternetaccess.com. […] A subpoena was sent […] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States. However, [Private Internet Access] did provide that they accept payment for their services with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through paypal, bitpay, bitcoin, cashyou, ripple, ok pay, and pay garden.”
The actual court record looks like this, with this passage divided across a page break:
So with nothing logged that can identify our users, and public court records to show for it, the question remains what to do if Private Internet Access is coerced into something – or rather, if authorities try to coerce Private Internet Access into something, such as was the case with Yahoo recently, when the NSA had forced it into spying on its own users.
There is a precedent for this, and it is Lavabit choosing to shut down operations instead of selling out its users (specifically, selling out Edward Snowden). That’s also exactly what Private Internet Access has already done once, when Russia demanded that we start logging our users’ identities, after seizing Private Internet Access servers.
Our response was to immediately shut down operations in Russia:
The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year […] Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.
And this, in summary, is why Private Internet Access can demonstrate that we do not log. Ever.