As part of our mission to make a secure and private Internet available to all, Proton VPN will have to add servers in countries with poor privacy protections. Here’s how to safely use servers in high-risk countries.
Which VPN server you connect to is generally determined by what information you are trying to access and where that server is located. To access information that a government censored within its borders, you would need to connect to a VPN server outside your country. Other times you may need to access information that is only available inside your own country. For example, some websites only allow you to log in if you are using an IP address from the country hosting it. If you are traveling abroad, you would need a VPN to access that site. Therefore, the only way for us to properly serve our users, who come from more than 180 countries worldwide, is to add servers in practically every country on earth.
However, privacy laws vary widely from country to country, just as governments range from liberal democracies to dictatorships. Adding a server to a country does not mean that we endorse its government’s policies and regulations. In the process of serving our global user base and fulfilling requests for servers in more countries, we must necessarily add servers in countries which are, quite frankly, terrible at privacy.
In recognition of this, it is important for the Proton VPN community to be informed about the risks that can come with using these servers, and how some of these risks can be mitigated. We would also like to clarify our own policies regarding high-risk countries.
Guidelines for connecting to servers in high-risk VPN countries
Understand your threat model before connecting to servers in high-risk countries
As outlined in our threat model, Proton VPN cannot guarantee the absolute security of our servers in high-risk countries (such a guarantee is impossible for all VPN services). Therefore, you should consider any servers in a country with weak privacy protections to potentially be compromised as part of your user threat model.
Consider the following examples: If you are using the Internet to do low-risk activities (e.g., streaming TV or looking up football scores), then which server you connect to is not important. On the other hand, if you are a North Korean dissident handling sensitive communications, we would not recommend connecting to a server in North Korea (if we ever get one), as the North Korean secret police could potentially be monitoring that server.
Use Secure Core VPN
If you must connect to a server in a country with weak privacy protections, enable the Secure Core feature (available with the Proton VPN Plus plan). With Secure Core, your Internet traffic is routed through special, hardened servers in countries with strong protection laws, like Iceland, Sweden, or Switzerland, before it goes through the server in the high-risk country. If authorities are monitoring the VPN server in the high-risk country, they will only be able to trace the traffic from it back to the Secure Core server and not to your true IP address.
Whenever we add servers in unfriendly jurisdictions, we will always add Secure Core coverage to those servers. Secure Core significantly reduces the risk of using a server in any unfriendly jurisdiction.
Proton VPN policies in high-risk countries
To continue providing our users with the highest degree of security possible, even in countries with weak privacy protections, we have adopted the following internal policies for high-risk jurisdictions.
Avoid directly owning infrastructure
To avoid unfriendly governments from trying to claim jurisdiction over Proton VPN, we will utilize third-party infrastructure in high-risk countries. VPN services that own hardware or have a substantial staff presence in a country with weak privacy protections could fall under that country’s jurisdiction through the “principal place of business” doctrine. By working through third parties, Proton VPN avoids having a physical presence in any jurisdictions with weak privacy protections, making it difficult to dispute our status as a Swiss company.
Work only with reliable partners
We will thoroughly scrutinize all potential infrastructure partners in high-risk countries and only work with those whose values align with our mission. This vetting process may delay adding servers in certain high-risk countries where it is difficult to find a suitable partner. Even when we find an ideal partner, we will also deploy technical measures to further mitigate some of the risks of having a VPN server in an unfriendly jurisdiction.
Always use dedicated hardware
Proton VPN only uses bare metal (physical) servers that we can fully control all the way down to the base operating system level. We have followed this policy in all countries. Using a bare metal server as opposed to a virtual server means the hardware is dedicated solely to Proton VPN, giving us a higher degree of control and making it more secure. This bare-metal-only policy will continue in unfriendly jurisdictions to ensure that our servers are harder to compromise.
Implement full-disk encryption
All Proton VPN servers, including those in lower-risk countries, are secured with block-level disk encryption. This protects against a specific but powerful attack in which an adversary compromises an exit server, steals the server certificate, and redirects user traffic to a server controlled by the attacker. By implementing full-disk encryption on all our servers, we can protect our certificates and mitigate the risk of MITM attacks.
Leave countries rather than compromise our values
We expect that in some high-risk countries, law enforcement or intelligence agencies may exert pressure on our infrastructure providers to monitor network traffic upstream of our servers. In the US, for example, ISP monitoring and NSA data collection is the default on almost all Internet connections. Since our Secure Core architecture reduces the amount of information that these agencies can collect through this type of surveillance, they may try to force Proton VPN to log the online activity on our servers. If this situation arises, we will shut down our server and withdraw from the country in question, instead of compromising our values or our strict no-logs policy.
Communicate transparently
Finally, we reiterate our commitment to transparency. We are transparent about who we are, and we have always communicated openly with the community. As Proton VPN’s global network grows, this transparency will become more critical. If we come under pressure or feel that we can no longer live up to our privacy standards in a high-risk country, we will promptly share this information with our community and shut down the servers in that country. We will also endeavor to more systematically identify the privacy risks of each country and communicate that to the community at large.
It is an unfortunate fact that there are numerous countries around the world where online privacy is under attack. If we avoided these countries altogether though, we would only be able to have servers in Sweden, Switzerland, and Iceland, which would not be enough to sufficiently serve the needs of our community. However, as long as you are aware of the threat model, or enable Secure Core VPN, you can use our VPN servers anywhere in the world. We look forward to bringing Proton VPN to every country in the world.
Best Regards,
The Proton VPN Team
Get a free Proton VPN account
Follow us on social media to stay up to date on the latest Proton VPN releases: Twitter | Facebook | Reddit
To get a free Proton Mail encrypted email account, visit: proton.me/mail
