In recent months, I’ve started to take my own digital security much more seriously. I encrypt my e-mail when possible, I’ve moved away from Gmail, and I’ve become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt, I’ve started to kick the tires of the products that I rely upon on a daily basis.

When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use is Private Internet Access (PIA).

Why PIA? No particular reason, really. I don’t remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak. I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified?

Unfortunately, Private Internet Access’ website doesn’t really make clear who is behind its site. The site’s footer points to London Trust Media, which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee—one of the firm's two owners.

Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. Assuming that each of them is paying $40 per year for service, that works out to about $4 million in annual revenue. (As we’ve reported before, there’s money in privacy!)

“We don’t log, period.”

One of PIA’s biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement.

“We’ve never been asked for keys, nor [have we] handed over user data,” Lee told Ars. “What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don’t have any logs whatsoever. We don’t log metadata [or] session data either. We will comply with anything, but we can’t comply because we do not provide any logs. We don’t log, period.”

Of course, one of the biggest problems is that there’s essentially no way for me to verify PIA’s (or anyone else’s) practices. Lots of VPN firms claim not to log, and I’d like to believe them, but there’s really no way for me to know for sure that Lee can’t see that I’m loading Ars about 100 times a day.

Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept.

“You have to trust the VPN—they have access to your data,” Dan Auerbach of the EFF told Ars. “Even if they’re really good, the government can come in and say we have a warrant... You have to take it on faith that there will be no CALEA-type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn't require you to trust just one party. That’s the basic problem with VPNs.”

But even Auerbach admitted that he uses VPNs rather than Tor on a regular basis for this exact reason: while Tor offers robust security protection, it’s difficult to use and significantly slows down one’s Internet connection.

“If there could be some sort of check against governments coming in and being able to do that, like some sort of third-party auditing—that would be great,” he added. “I think it’s a really challenging problem, and we don’t know how to solve it. Suppose the third-party is in the same legal jurisdiction, then it’s easy for a court to say that you two both have to comply with this order, and you can’t tell anyone, so then you’re back in a situation where the third-party auditor didn’t exist.”

More transparency is more better

For my more precise legal questions, Lee referred me to his in-house counsel, John Arsenault. The Colorado-based attorney has some experience in the tech world as an intellectual property lawyer who fought against copyright troll Righthaven.

Arsenault joined PIA as the company’s Digital Millennium Copyright Act (DMCA) agent in March 2012 and became a full-time employee as of December 2012.

He told Ars that during his tenure at the company, PIA has received a total of 11 requests for user data, including three requests from outside the United States. Arsenault declined to name the countries involved, but he said that they were “primarily European countries,” and he added that he’s unaware of any legal requests that PIA might have received before 2012.

Read a subpoena: Arsenault provided Ars with a redacted example of one request for data, along with the company's response.

Arsenault has said that the company has never handed over any user data, as it does not log traffic. He said that PIA has never been ordered to log any user data, nor has it received a National Security Letter, nor has it been compelled to hand over SSL keys.

Further, as its IP addresses are shared, hundreds of subscribers are likely to be using one IP address at a time, so it would be impossible to separate out a single user’s behavior.

“The data that was requested is usually items like traffic log and history, user account information—in the case of the [requests] that we’ve had, it’s always related to an IP address,” he said.

Like Lee, Arsenault said that the first consideration is whether the request falls within the company’s jurisdiction, and if it does not, the company rejects it.

So has PIA received any legal request from an American federal authority?

“We are processing a request now, but that’s still yet to be determined because it is a federal question, and we will fight it the best we can in that regard. I can’t tell you what the outcome is going to be. I cannot comment on it at this time. This is the first request that we have received in that regard, yes.”

But he added that PIA would treat this federal request no differently than others it had received in the past.

“We’ve done our legal research and are comfortable with the jurisdiction of the United States for the time being, and others that have been in the news and might be concerned, we disagree with that interpretation [to leave the US], and so I think we’re very comfortable operating in the US given the circumstances,” Arsenault added. “If it came down to it, we do have a contingency plan, were the climate in the US to turn against us and our interests.”

And would PIA be open to starting a transparency report, as many other larger tech companies have done?

“Yes, and that is something we have been exploring since late summer, and we’re moving in that direction—hopefully by the end of the year,” Arsenault said.

Another way to increase consumer confidence would be for PIA and other VPN providers to publish a “warrant canary.”

The idea is that a company could publish a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, then users are to surmise that it indeed has been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie.

The only problem is, warrant canaries have yet to be fully tested in court.

“It’s something that I believe would be beneficial for building trust with consumers,” Arsenault noted.

So, at the end of the day, I'm going to stick with Private Internet Access for now—but as always, caveat emptor.