
VPN Jurisdiction Explained: 5 / 9 / 14 Eyes, the Mullvad Raid, and the PureVPN Logs Case

VPN marketing makes much of jurisdiction. The two best-documented court-cooperation events, the Mullvad 2023 raid and the PureVPN 2017 FBI cooperation, show that what the provider stores matters more than the country flag.

By Subger Editorial Team. Updated 30 April 2026. 7 min read.

What 5 / 9 / 14 Eyes actually means

The 5 Eyes is a signals-intelligence sharing arrangement between the USA, UK, Canada, Australia, and New Zealand, with origins in the post-WWII UKUSA agreement. 9 Eyes adds Denmark, France, Netherlands, and Norway. 14 Eyes adds Germany, Belgium, Italy, Sweden, and Spain. VPN marketing has popularised the idea that a VPN registered in any of these 14 countries is at risk because its host government could compel it to hand over data and share that data with the broader alliance. The claim is partially true — those governments do have legal frameworks for data requests — but it is not the whole story.

Where the major audited VPNs are based

Mullvad: Gothenburg, Sweden (in 14 Eyes). NordVPN's operating entity Nordvpn S.A.: Panama (outside Eyes). Proton VPN: Plan-les-Ouates, Geneva, Switzerland (outside Eyes; Switzerland is also outside the EU and the US legal-request framework). ExpressVPN's operating entity Express VPN International Ltd.: British Virgin Islands (outside Eyes). Surfshark B.V.: Netherlands (in 9 Eyes). Two of the five — Mullvad and Surfshark — are in Eyes jurisdictions; three are outside. All five have published no-logs audits.

The Mullvad 2023 raid: what actually happened

On 18 April 2023, six officers from Sweden's National Operations Department (NOA) arrived at Mullvad's Gothenburg office with a search warrant, intending to seize computers containing customer data. The warrant had been issued on 17 February 2023 in international legal cooperation with German authorities. Mullvad documented the event publicly the same day at mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised. According to Mullvad's account and subsequent reporting, the police left without seizing anything because the data the warrant sought did not exist on the servers. Mullvad's Cure53 audit history (most recent: 4th infrastructure audit, June 2024) documents the no-logs server configuration that produced this outcome. The implication: jurisdiction did matter — the raid happened — but the operational privacy posture was the deciding factor.

The PureVPN 2017 FBI cooperation: the inverse

In October 2017, the FBI used VPN connection logs from PureVPN to identify Ryan Lin, a 24-year-old Massachusetts man, in an extensive cyberstalking case. PureVPN's marketing prior to the case had emphasized a no-logs claim. The FBI's affidavit (cited in DoJ filings and mainstream reporting at bleepingcomputer.com and others) documented that PureVPN had, in fact, retained connection logs that included the customer's home IP address at session start, and that those logs were sufficient to identify Lin via his VPN sessions. The case is the canonical inverse example: a marketing claim contradicted by what the provider actually stored, and the provider's jurisdiction (Hong Kong — outside Eyes) did not insulate the data because the data existed and was responsive to a US legal request.

What jurisdiction does and does not predict

Jurisdiction is a real risk factor when a government request is made. A provider in a 14 Eyes jurisdiction with a legal-cooperation framework with the requesting country can be compelled to hand over data it holds. But jurisdiction does not predict what the provider holds. A no-logs provider in 14 Eyes (Mullvad) has nothing to hand over; a logs-keeping provider in a non-Eyes jurisdiction (PureVPN circa 2017) does. The Mullvad and PureVPN events together establish that the predictive variable is operational practice — verified by audit — not the country flag.
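The point above can be made concrete with a small model, added here as an illustration and not taken from any provider's systems: the same request ("who used this exit address at this time?") is run against three retention policies, and jurisdiction never appears as an input. The field names, policy names, and session records are all constructed assumptions.

```python
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
IDENTIFYING = ("account", "source_ip")  # fields that tie a session to a subscriber

# Constructed sessions: hypothetical field names, RFC 5737 documentation addresses.
SESSIONS = [
    {"account": "acct-1001", "source_ip": "198.51.100.23", "exit_ip": "203.0.113.7",
     "start": "2024-01-15T18:02:11Z", "end": "2024-01-15T19:40:03Z"},
    {"account": "acct-2002", "source_ip": "198.51.100.77", "exit_ip": "203.0.113.7",
     "start": "2024-01-15T20:15:00Z", "end": "2024-01-15T21:00:00Z"},
    {"account": "acct-3003", "source_ip": "192.0.2.14", "exit_ip": "203.0.113.9",
     "start": "2024-01-15T18:30:00Z", "end": "2024-01-15T18:45:00Z"},
]

# Hypothetical retention policies: the fields each one writes to disk.
POLICIES = {
    "connection_logs": ("account", "source_ip", "exit_ip", "start", "end"),
    "no_identifiers": ("exit_ip", "start", "end"),
    "no_logs": (),
}

def ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def retain(sessions, kept_fields):
    """Apply a retention policy: only kept_fields survive; none means no records."""
    if not kept_fields:
        return []
    return [{k: s[k] for k in kept_fields} for s in sessions]

def responsive(stored, exit_ip, observed_at):
    """Stored records answering 'who used exit_ip at observed_at?'."""
    when = ts(observed_at)
    return [r for r in stored
            if r.keys() >= {"exit_ip", "start", "end"}
            and r["exit_ip"] == exit_ip
            and ts(r["start"]) <= when <= ts(r["end"])]

def disclosure(stored, exit_ip, observed_at):
    """Identifying values the provider holds for the request (empty if none)."""
    found = ({k: r[k] for k in IDENTIFYING if k in r}
             for r in responsive(stored, exit_ip, observed_at))
    return [d for d in found if d]

def compare(exit_ip, observed_at):
    """Same request, same jurisdiction, three retention policies."""
    return {name: disclosure(retain(SESSIONS, fields), exit_ip, observed_at)
            for name, fields in POLICIES.items()}
```

Calling `compare("203.0.113.7", "2024-01-15T18:30:00Z")` returns an account and home address only under the `connection_logs` policy; the other two policies return empty lists for the identical request.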

What to weigh in 2026

Three factors predict real-world privacy outcomes more reliably than jurisdiction alone. (1) Audit scope and recency: does the most recent published audit cover server-level configuration, and is it within the last 24 months? (2) Open-source clients: are the desktop and mobile apps published as open source? Mullvad and Proton VPN both publish their clients on GitHub. (3) Documented response to a real legal-compulsion event: Mullvad has one (the 2023 raid), PureVPN has the inverse one (the 2017 case). Most providers have neither. Apply jurisdiction as a tiebreaker once these three are satisfied, not as the headline factor.

Sources

5 / 9 / 14 Eyes: en.wikipedia.org/wiki/Five_Eyes (with citations to the original UKUSA agreement). Mullvad 2023 raid: mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised. Mullvad audit history: mullvad.net/en/blog/tag/audits. PureVPN/Lin case: bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi. NordVPN jurisdiction: nordvpn.com/blog/jurisdiction. Proton VPN jurisdiction: protonvpn.com/features/swiss-based. ExpressVPN trust: expressvpn.com/trust. Surfshark trust: surfshark.com/trust-center. All URLs accessed 2026-04-30.