How do major VPN companies like ExpressVPN handle government subpoenas?
Executive summary
Major VPN providers like ExpressVPN publicly say they refuse to keep connection or activity logs and will only comply with lawful process when required by their governing jurisdiction, a claim tested in high-profile seizures and transparency reporting that together show limits, legal obligations and real-world nuances [1] [2] [3].
1. How jurisdiction shapes the subpoena story
ExpressVPN emphasizes its British Virgin Islands headquarters as a legal firewall: the BVI has its own courts and no blanket data‑retention regime, which ExpressVPN argues makes it harder for foreign governments to compel logs directly [2]; ExpressVPN itself acknowledges it is legally bound to respond to BVI orders or to requests made through mutual legal assistance treaties [1].
2. The “no‑logs” claim and what it actually means
ExpressVPN publicly says it does not record browsing history, DNS queries, timestamps, source or outgoing IPs so it cannot match activity to a specific user—language reflected in its privacy policy and public statements [1] [4]; independent observers caution that “no‑logs” marketing must be measured against what a company can prove in court and under coercion [5] [6].
3. Real-world tests: server seizures and transparency numbers
The most cited stress test came when Turkish authorities seized an ExpressVPN‑leased server in 2017 and reportedly found no usable logs linking activity to users, a result publicized by the company and third‑party reporting as evidence of its policy in practice [7] [1]; separately, ExpressVPN’s transparency reporting shows it receives government and police requests (e.g., 194 requests in a six‑month window cited by reporting) while often reporting that no actionable user data was provided [3].
4. Where subpoenas can still bite: legal compulsion, MLATs and secret orders
Legal commentary and case history make clear that governments have diverse tools—subpoenas, warrants, court orders and international cooperation—to seek data, and that in extreme cases a domestic court can compel a provider to begin logging or to respond under secrecy [8] [5]; providers’ public denials do not eliminate the legal reality that compliance can be required depending on where the order originates and how mutual legal assistance is used [1].
5. Failures and counterexamples matter for credibility
Not all VPNs have resisted or been able to resist requests: public cases show providers that either had logs or cooperated (for example, PureVPN’s documented assistance to investigators), which demonstrates that some vendors’ privacy claims did not hold up when legally tested and underscores why court‑proven cases are the gold standard for credibility [3] [9].
6. Technical mitigations and remaining vulnerabilities
Providers point to operational choices—RAM‑only servers, limited persistent logging, or physical server architectures—to reduce what can be handed over or seized, and auditors and journalists list these as meaningful protections [5] [6]; nonetheless, architecture choices like virtual servers or the single‑point‑of‑failure of any given leased physical host can introduce risks if law enforcement seizes hardware or if servers are compelled to log [6] [7].
7. Bottom line for observers and users
ExpressVPN and similar major providers balance legal reality, marketing and engineering: they advertise no‑logs and have survived some high‑profile seizures without producing user data, they publish transparency figures about requests received, but they also reserve the right to comply with lawful orders and are subject to the limits of their jurisdiction and international legal processes—so independent audits and court‑tested outcomes remain the clearest evidence of what happens when subpoenas arrive [1] [3] [5].