Internet censorship
Fodt Dec 19, 2025

EU prepares ground for wider data retention and VPNs are among the targets

New jurisdiction on the horizon for Xeovo? (Currently Finland, EU)

Given the recent leaked EU Council document proposing mandatory data retention requirements for VPN providers (minimum 12 months of user identification data, metadata, and location information), I'm wondering if Xeovo is considering relocating to a privacy-friendly jurisdiction outside the EU.

Background:

The EU is preparing legislation that would require VPN services to retain user data for at least one year, effectively making "no-log" VPNs illegal within EU territory. The proposal targets messaging apps, VPNs, cloud services, and other online platforms.

Source: https://www.techradar.com/vpn/vpn-privacy-security/the-eu-prepares-ground-for-wider-data-retention-and-vpn-providers-are-among-the-targets

Timeline:

Impact assessment: Q1 2026
Legislative proposal: Mid-2026

Potential safer jurisdictions:

Tier 1 - Fully independent from EU regulations:

Switzerland (not in EU/EEA, strong privacy laws, home to ProtonVPN/ProtonMail)
Panama (completely outside EU sphere, already hosting privacy-focused VPNs)
British Virgin Islands (UK overseas territory, separate legal system, zero EU ties)
Faroe Islands (Danish autonomous territory, opted out of EU, not in EEA)

Tier 2 - European but with regulatory concerns:

Iceland (EEA member, must adopt some EU directives, but strong privacy tradition)
Norway (EEA member, may need to implement EU data retention rules)
Gibraltar (UK overseas territory, post-Brexit status still being negotiated with EU - uncertain regulatory future)

Note: Iceland, Norway, and Gibraltar, while having good privacy reputations, have ties to EU regulations. Iceland and Norway are EEA members and typically must implement EU directives. Gibraltar's regulatory framework is still being negotiated post-Brexit.

Switzerland and Faroe Islands remain the safest European options as they maintain full legislative independence on privacy matters.

Major providers like NordVPN and Surfshark have already expressed serious concerns about this proposal.
What are Xeovo's plans to protect user privacy in light of this development?

Let's discuss.

5 Comments

We are aware of this and are already working to oppose the proposal so it does not pass in the EU. We will not do this alone and will cooperate with other VPN providers to push back together.

Switzerland is in the same boat. The Swiss government is actively pushing changes to its surveillance framework (VÜPF/OSCPT) that would expand data-retention and identification requirements to VPNs, messengers, and cloud services.

Offshore locations like Panama are not picked because of "privacy laws", but simply because the company wants to avoid paying taxes. They also still have companies in the EU to process and accept payments from customers, because the majority of payment processors do not accept offshore businesses/banks.

If this law passes and VPNs are included, this would leave us no option but to relocate the company outside of the EU. This could also result in a mass exodus of VPN servers from the EU entirely, as they would remain subject to EU law. Changing jurisdiction alone would not be enough.

Finally, perfect timing for me to post this meme.

[Image: meme]

In reply to 0xVirtualCake

I wish you good luck. But frankly, I don't believe in a positive outcome. Similar bans are becoming more and more common in literally every country in the world. And while these countries may seem to be in conflict or completely unrelated, that doesn't stop them from moving in the same direction and issuing identical laws with different titles ("very unexpected").

Are you considering physical security methods or just legal ones? Automatic deletion of all logs, RAM-only servers, data wipes when connecting "incorrectly" directly to a server rack inside the hosting provider's building, etc.?

Is it possible to make all user logs look the same? Of course, you won't be doing this yourself, so as not to break the law. "Someone else" will simply create a third-party service/instructions/client, etc. And this tool, by a lucky chance, will work perfectly with your service.

In reply to FX9z2c0UU

We are looking only into legal ones. Unfortunately, the regulators are not that stupid and will classify this as "intentional data falsification", which will lead to fines, forced shutdown or worse.

→ 2018 EU: Encryption and anonymity are essential tools for democratic rights!
→ 2025 EU: Proposing mandatory data retention that undermines anonymity.

In reply to 0xVirtualCake

So it's not the stupidity of the inspectors, but the loopholes. I think you should consult a good lawyer who can tell you how to screw the government. That's if the law comes into force, of course, and it will 99% of the time, because the authorities of all countries don't care what people think until they...

Perhaps the user themselves can configure something at the client level so that the traffic appears identical (without Tor). If you want logs, here they are. Let it be optional; some will make such settings, others won't.

I'm not an expert in technical matters, but I believe you can't play by the rules here, because they don't have any rules. Tomorrow they'll introduce another law: "To protect children, you must now submit an anal scan to confirm your age." "Now, to confirm that you're over 16, not 14, you must also provide a stool sample in addition to the scan."

Besides, the upper crust of any country always bends the rules and looks for loopholes to avoid paying taxes, etc., so you should do the same.

You can even take it to the extreme: "My gender is a VeraCrypt cryptocontainer, I can't give you my data because you're insulting my personality." I don't know the local laws, but I'm sure some nonsense can be found that will allow it.

In any case, victory will be ours.🐘

Legal loopholes vs. illegal workarounds - and the "Ignorance by Design" approach

I appreciate your commitment to staying within legal boundaries. However, I think it's worth clarifying the distinction between evasion (illegal) and elusion (legal), and exploring another powerful concept: Ignorance by Design.

Evasion = Breaking the law

  • Falsifying logs
  • Hiding required data
  • Lying to authorities
    → This leads to fines, shutdown, criminal charges

Elusion = Exploiting legal loopholes

  • Complex corporate structures across multiple jurisdictions
  • Functional separation (who owns the data? who processes it? who stores it?)
  • Narrow interpretation of legal requirements
  • Decentralized models where no single entity has full control
    → This is what multinational corporations do for tax planning - it's legal

Ignorance by Design = Technical architecture that makes data collection impossible

  • The system is designed so that certain data simply doesn't exist
  • It's not "we won't give you the logs" - it's "the logs don't exist by design"
  • Like Signal: they can't give authorities messages because they don't store them
    → It's not a choice, it's an architectural limitation

Examples that could be explored:

  1. Jurisdictional complexity: Holding company in Switzerland, operational entity in Faroe Islands, servers managed by separate entities, payments processed by another company. Which entity is legally required to retain what data?

  2. Technical architecture: If the law requires "storing user IP addresses" but users connect through intermediate proxies/nodes, you technically store something - just not the actual user IP. Letter of the law = complied. Usefulness for authorities = zero.

  3. Data ownership model: The VPN provider doesn't "own" the data - users do. The provider is just a technical intermediary. Who must retain what?

  4. Ignorance by Design implementation: Redesign the architecture NOW (before the law passes) to make data collection technically impossible. RAM-only servers, no persistent storage, user-controlled encryption keys. When the law comes into force: "We cannot collect data that our architecture doesn't support."

5. THE PARADIGM SHIFT - Client-side encryption keys:

This is the game-changer: Encryption keys exist ONLY on the user's client device. The VPN provider architecturally cannot access, store, or transmit user keys.

How this works:

  • User generates encryption keys locally on their device
  • All session data is encrypted with keys the provider never has access to
  • Even if forced to keep logs, the logs exist but are heavily encrypted (Signal's triple-ratchet design or similar)
  • The provider literally cannot decrypt the logs even if they wanted to

Legal compliance met, but useless for authorities:

  • Regulator: "Give us the logs"
  • Provider: "Here they are" ✓ (compliant)
  • Regulator: "Decrypt them"
  • Provider: "We don't have the keys. They're on user devices. Architecturally impossible." ✓ (still compliant)

The beauty of this approach:

  • You ARE keeping logs (law complied with)
  • The logs are encrypted garbage without user keys
  • You CANNOT decrypt them (architectural limitation, not refusal)
  • Users control their own keys (data ownership model)

6. DISPOSABLE ACCOUNTS - Breaking continuity:

Offer disposable, temporary accounts with maximum 30-day lifespan (or even shorter periods like weekly accounts).

Why this matters:

  • Breaks tracking continuity: Even if authorities get logs for one account, it expires and a new one is created
  • Prevents long-term profiling: Can't build a 12-month profile when accounts only exist for 30 days
  • Defeats targeted persecution: By the time an investigation targets a specific account, it may have already expired and been replaced
  • Legal compliance: You're still retaining data for the account's lifespan - just that lifespan is intentionally short

How it works in practice:

  • User subscribes for (e.g.) 1 year of service
  • Instead of one persistent account for 12 months, they get 12 monthly disposable accounts
  • Each month, old account data is legitimately deleted (account expired)
  • New account created with new credentials, new encryption keys
  • From a regulatory perspective: each account's data is retained for its full lifespan

The legal beauty:

  • You're not deleting data prematurely (each account's data is kept until account expiry)
  • You're not hiding anything (full compliance during account lifetime)
  • Authorities can request current data, but historical accounts are legitimately gone because they expired
  • It's like prepaid SIM cards: use it, expire it, get a new one

Similar precedents:

  • Prepaid SIM cards: Widely legal, expire after X days/months
  • Temporary email services: 10minutemail, Guerrilla Mail - perfectly legal
  • Burner phone apps: Legal services that provide temporary numbers

Critical timing consideration:

If you implement "Ignorance by Design" BEFORE the law passes, you can argue: "Our system was already designed this way." If you change the architecture AFTER the law passes, regulators could claim you're deliberately evading it.

The EU's potential counterattack:

The EU could respond by:

  1. Requiring that VPN services must be architecturally capable of collecting AND DECRYPTING this data to operate in the EU
  2. Mandating minimum account lifespans (e.g., "accounts must exist for at least 12 months")
  3. Requiring continuity tracking across account changes for the same payment method

However, these would face serious challenges:

  • Banning client-side encryption would undermine E2E encryption principles the EU has endorsed
  • Mandating minimum account lifespans could conflict with consumer choice and data minimization principles (GDPR actually encourages deleting data you don't need)
  • Requiring cross-account tracking could violate privacy principles

Real precedents:

  • Apple vs FBI (2016): Apple successfully argued "we don't have the keys, our architecture doesn't allow it" - they weren't charged with facilitating crime
  • Lavabit (2013): Shut down rather than compromise architecture - founder wasn't prosecuted for the design itself
  • Signal: Has publicly stated they'd shut down in countries rather than implement backdoors
  • WhatsApp Brazil ban attempts: Courts couldn't force WhatsApp to decrypt E2E messages they don't have keys for
  • Prepaid telecom services: Widely accepted despite making long-term tracking harder

Question: Have you consulted specialized lawyers in regulatory compliance who focus on:

  1. Finding legal loopholes in the legislation itself?
  2. Designing technically compliant architectures that render the law's intent ineffective?
  3. The legal defensibility of "Ignorance by Design" approaches?
  4. Client-side encryption architectures where the provider has zero access to decryption keys?
  5. Disposable/temporary account models that break tracking continuity while remaining compliant?

Because that's different from just "opposing the law" or "relocating" - it's about exploiting the law's own weaknesses and architectural impossibilities. You can comply with data retention while making the retained data cryptographically useless AND time-limited by design.

Combined approach could be devastating to surveillance efforts:

  • Logs exist but are encrypted with client-side keys (compliant but useless)
  • Accounts expire every 30 days, breaking long-term tracking (compliant but discontinuous)
  • Multi-jurisdictional structure makes it unclear who's responsible for what (compliant but complex)
  • Payment and service entities are separated (compliant but compartmentalized)

Just food for thought.
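
Points 5 and 6 of the comment above, sketched in code as an added example that is not part of the original post or of any provider's software: each log record is sealed to a public key whose private half exists only on the user's device, and an account's records are dropped when the account expires. The X25519 + HKDF + AES-256-GCM construction, `RetentionStore`, and every name and value here are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Added illustration; every name here is hypothetical.
const der = (key) => key.export({ type: 'spki', format: 'der' });
const IV = Buffer.alloc(12); // fixed nonce is safe only because each record gets a fresh key

// HKDF-SHA256 over the X25519 secret, bound to both public keys.
function recordKey(shared, ephDer, userDer) {
  const info = Buffer.concat([ephDer, userDer]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// Provider side: seals one log record using only the user's public key.
function sealRecord(userPub, record) {
  const eph = crypto.generateKeyPairSync('x25519');
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: userPub });
  const key = recordKey(shared, der(eph.publicKey), der(userPub));
  const c = crypto.createCipheriv('aes-256-gcm', key, IV);
  const ct = Buffer.concat([c.update(record), c.final()]);
  return { ephDer: der(eph.publicKey), ct, tag: c.getAuthTag() };
}

// User side: the private key never leaves the device.
function openRecord(userPriv, { ephDer, ct, tag }) {
  const ephPub = crypto.createPublicKey({ key: ephDer, format: 'der', type: 'spki' });
  const shared = crypto.diffieHellman({ privateKey: userPriv, publicKey: ephPub });
  const key = recordKey(shared, ephDer, der(crypto.createPublicKey(userPriv)));
  const d = crypto.createDecipheriv('aes-256-gcm', key, IV);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// Provider store: records live under an account and are dropped when it expires.
class RetentionStore {
  constructor() { this.accounts = new Map(); }
  open(id, userPub, expiresDay) { this.accounts.set(id, { userPub, expiresDay, logs: [] }); }
  log(id, text) {
    const acct = this.accounts.get(id);
    if (!acct) throw new Error('unknown or expired account');
    acct.logs.push(sealRecord(acct.userPub, Buffer.from(text)));
  }
  purge(today) {
    for (const [id, a] of this.accounts) if (a.expiresDay <= today) this.accounts.delete(id);
  }
  held(id) { return this.accounts.has(id) ? this.accounts.get(id).logs : []; }
}
```

The provider still handles each record in plaintext at the moment it is sealed, and the number and length of the stored ciphertexts remain visible to anyone holding the store.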