Why it is hard (if not impossible) to run a privacy-focused company in the US

Posted on September 12th, 2018 in Privacy & Security, Security.


When people think of tech companies, they typically think of Silicon Valley. This is where some of the biggest tech companies got their start, and it's where most of them have their headquarters. This is no accident. The available talent in the US, the easy access to capital and investors, and a general entrepreneurial spirit have created a unique set of conditions for tech companies to thrive and prosper.

However, for privacy companies, the many advantages of the US are canceled out by the absence of strong national online privacy laws. Below are some of the reasons we feel that the US is still an unsuitable environment for a privacy company.

A lack of adversarial oversight

The Foreign Intelligence Surveillance Act of 1978 was passed in response to the Watergate abuses of government surveillance. It created a special secret tribunal that decides whether to approve government wiretaps, data collection, and other requests for covert surveillance. The 2016 battle between Apple and the FBI over decrypting the San Bernardino shooter’s iPhone is an example of the type of case the FISA court usually hears. Experts speculate the FBI made the debate public after Apple refused to comply with a sealed court request.

The secrecy surrounding these courts makes effective oversight difficult. Critics claim that the FISA courts act as rubber stamps for authorities, pointing to the fact that between the court’s creation in 1978 and 2014, FISA court judges approved 33,942 surveillance applications while only rejecting 11 and modifying 504. The 2015 Freedom Act introduced reforms that increased transparency into court deliberations and rulings, but the majority of applications are still approved.

The FISA courts are the sole arbiters of what constitutes a legitimate surveillance target. They are the only institutional check that keeps the NSA and the FBI from violating your privacy during investigations. So it is concerning, to say the least, to see the court side so overwhelmingly with law enforcement.

Secretive, warrantless subpoenas

FISA court rulings at least pay lip service to the idea of judicial review. National security letters (NSLs), on the other hand, are secret subpoenas which do not require court approval of any kind. An FBI agent simply needs to clear an internal FBI standard before they can issue a letter.

With national security letters, the FBI can compel organizations to turn over vast amounts of personal data and metadata without a warrant. This includes every record associated with the customer’s account. These letters are almost always served in secrecy, and they come with indefinite gag orders that ban any discussion of the NSL and its investigation.

There is evidence that the FBI has repeatedly abused NSLs to demand information that it cannot legally obtain, such as browsing data and email content. This should not be surprising. The secrecy and lack of supervision that surround national security letters invite such overreach. Even if it does not keep records of a user’s online activity, a VPN could be compelled by an NSL to share the user’s screen name, email, and payment details and to begin collecting logs. The user and the general public would never know.

Lack of strong digital privacy laws

The NSA’s and FBI’s online surveillance both rely on the data collected by private enterprises. The US has no national legislation equivalent to the EU’s GDPR, and this absence has allowed large organizations to surreptitiously collect, monitor, and sell their users’ data. California just passed a new online privacy law modeled on the EU’s GDPR, which gives users more control over what is done with their data, but it fails to set major fines for violations. This lack of legal teeth makes it unlikely that it will provide anything more than empty promises.

Until there is a national privacy law that gives users control of their data and punishes large corporations for violating their users’ trust, corporations will continue to collect and sell as much user data as they can. The different surveillance and law enforcement techniques that the NSA and FBI have at their disposal would not be so threatening if these companies did not have so much data on their users.

Protecting privacy from Switzerland

Simply put, the US does not offer the legal privacy protections or the level of accountability and transparency that exist in Switzerland. As Swiss companies, Proton Mail and Proton VPN are not subject to FISA courts, which cannot compel us to cooperate with the FBI or NSA. It is illegal for us to comply with any request for data unless it is supported by a Swiss court order. To secure approval from a Swiss court, law enforcement must meet a higher legal threshold than with FISA courts. Finally, as an organization with a significant number of EU users, we comply with the GDPR and its “privacy by design” principle.

We are also regularly audited by independent security experts, and our latest security audit results confirm our no logs policy.

For these reasons, Proton Mail and Proton VPN continue to be headquartered in Geneva, Switzerland. It is a home that offers us unique security advantages, advantages that we, in turn, offer to our users.

Best Regards,
The Proton VPN Team


Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.


  1. Kandy

    I believe what you said made a great deal of sense. However, what about this? suppose you added a little content? I am not saying your information isn’t solid, however suppose you added a headline that grabbed people’s attention? I mean Why it is hard (if not impossible) to run a privacy-focused company in the US – ProtonVPN Blog is a little vanilla. You should peek at Yahoo’s front page and see how they write article titles to grab viewers to open the links. You might add a related video or a picture or two to grab readers excited about what you’ve written. In my opinion, it might bring your blog a little bit more interesting. Chelsea Fotbollströja

  2. Richie Koch

    Thanks for your advice and for reading.

  3. Abby

    Great goods from you, man. I have understand your stuff previous to and you are just extremely magnificent. I actually like what you’ve acquired here, really like what you’re saying and the way in which you say it. You make it enjoyable and you still take care of to keep it smart. I can’t wait to read much more from you. This is really a great website. maglie calcio poco prezzo WNQStacey fotballdrakter barn DustinTru

  4. RG

    Nice article. By the way, what about the PVPN servers hosted outside Switzerland (that is, other country servers)? Can hosters/maintainers of those servers be forced to comply?

  5. Richie

    Hey! We are renting most of our servers from trusted data centers that meet all of our security criteria and are able to provide us with full access to the server itself. If we received an enforceable court order from either the Cantonal Courts of Geneva or the Swiss Federal Supreme Court, we would only disclose the limited user data we possess. Since neither we nor the server host log, track or record any other information about our users, the only information we would be able to provide about the user is a single login timestamp which only contains the username and time when the user logged in to his/her account.

  6. RG

    Got it. Thanks!
