New jurisdiction on the horizon for Xeovo? (Currently Finland, EU)
Given the recent leaked EU Council document proposing mandatory data retention requirements for VPN providers (minimum 12 months of user identification data, metadata, and location information), I'm wondering if Xeovo is considering relocating to a privacy-friendly jurisdiction outside the EU.
Background:
The EU is preparing legislation that would require VPN services to retain user data for at least one year, effectively making "no-log" VPNs illegal within EU territory. The proposal targets messaging apps, VPNs, cloud services, and other online platforms.
Timeline:
Impact assessment: Q1 2026
Legislative proposal: Mid-2026
Potential safer jurisdictions:
Tier 1 - Fully independent from EU regulations:
Switzerland (not in EU/EEA, strong privacy laws, home to ProtonVPN/ProtonMail)
Panama (completely outside EU sphere, already hosting privacy-focused VPNs)
British Virgin Islands (UK overseas territory, separate legal system, zero EU ties)
Faroe Islands (Danish autonomous territory, opted out of EU, not in EEA)
Tier 2 - European but with regulatory concerns:
Iceland (EEA member, must adopt some EU directives, but strong privacy tradition)
Norway (EEA member, may need to implement EU data retention rules)
Gibraltar (UK overseas territory, post-Brexit status still being negotiated with the EU - uncertain regulatory future)
Note: Iceland, Norway, and Gibraltar, while having good privacy reputations, have ties to EU regulations. Iceland and Norway are EEA members and typically must implement EU directives. Gibraltar's regulatory framework is still being negotiated post-Brexit.
Switzerland and the Faroe Islands remain the safest European options, as they maintain full legislative independence on privacy matters.
Major providers like NordVPN and Surfshark have already expressed serious concerns about this proposal.
What are Xeovo's plans to protect user privacy in light of this development?
Let's discuss.
12 Comments
We are aware of this and are already working to oppose the proposal so it does not pass in the EU. We will not do this alone and will cooperate with other VPN providers to push back together.
Switzerland is in the same boat. The Swiss government is actively pushing changes to its surveillance framework (VÜPF/OSCPT) that would expand data-retention and identification requirements to VPNs, messengers, and cloud services.
Offshore locations like Panama are not picked because of "privacy laws", but simply because the company wants to avoid paying taxes. They also still have companies in the EU to process and accept payments from customers, because the majority of payment processors do not accept offshore businesses/banks.
If this law passes and VPNs are included, this would leave us no option but to relocate the company outside of the EU. This could also result in a mass exodus of VPN servers from the EU entirely, as they would remain subject to EU law. Changing jurisdiction alone would not be enough.
Finally perfect timings for me to post this meme.
I wish you good luck. But frankly, I don't believe in a positive outcome. Similar bans are becoming more and more common in literally every country in the world. And while these countries may seem to be in conflict or completely unrelated, that doesn't stop them from moving in the same direction and issuing identical laws with different titles ("very unexpected").
Are you considering physical security methods or just legal ones? Automatic deletion of all logs, RAM-only servers, data wipes when connecting "incorrectly" directly to a server rack inside the hosting provider's building, etc.?
Is it possible to make all user logs look the same? Of course, you won't be doing this yourself, so as not to break the law. "Someone else" will simply create a third-party service/instructions/client, etc. And this tool, by a lucky chance, will work perfectly with your service.
We are looking only into legal ones. Unfortunately, the regulators are not that stupid and will classify this as "intentional data falsification", which will lead to fines, forced shutdown or worse.
So it's not the stupidity of the inspectors, but the loopholes. I think you should consult a good lawyer who can tell you how to screw the government. That's if the law comes into force, of course, and it will 99% of the time, because the authorities of all countries don't care what people think until they...
Perhaps the user themselves can configure something at the client level so that the traffic appears identical (without Tor). If you want logs, here they are. Let it be optional; some will make such settings, others won't.
I'm not an expert in technical matters, but I believe you can't play by the rules here, because they don't have any rules. Tomorrow they'll introduce another law: "To protect children, you must now submit an anal scan to confirm your age." "Now, to confirm that you're over 16, not 14, you must also provide a stool sample in addition to the scan."
Besides, the upper crust of any country always bends the rules and looks for loopholes to avoid paying taxes, etc., so you should do the same.
You can even take it to the extreme: "My gender is a VeraCrypt cryptocontainer, I can't give you my data because you're insulting my personality." I don't know the local laws, but I'm sure some nonsense can be found that will allow it.
In any case, victory will be ours.🐘
Legal loopholes vs. illegal workarounds - and the "Ignorance by Design" approach
I appreciate your commitment to staying within legal boundaries. However, I think it's worth clarifying the distinction between evasion (illegal) and elusion (legal), and exploring another powerful concept: Ignorance by Design.
Evasion = Breaking the law
→ This leads to fines, shutdown, criminal charges
Elusion = Exploiting legal loopholes
→ This is what multinational corporations do for tax planning - it's legal
Ignorance by Design = Technical architecture that makes data collection impossible
→ It's not a choice, it's an architectural limitation
Examples that could be explored:
Jurisdictional complexity: Holding company in Switzerland, operational entity in Faroe Islands, servers managed by separate entities, payments processed by another company. Which entity is legally required to retain what data?
Technical architecture: If the law requires "storing user IP addresses" but users connect through intermediate proxies/nodes, you technically store something - just not the actual user IP. Letter of the law = complied. Usefulness for authorities = zero.
Data ownership model: The VPN provider doesn't "own" the data - users do. The provider is just a technical intermediary. Who must retain what?
Ignorance by Design implementation: Redesign the architecture NOW (before the law passes) to make data collection technically impossible. RAM-only servers, no persistent storage, user-controlled encryption keys. When the law comes into force: "We cannot collect data that our architecture doesn't support."
5. THE PARADIGM SHIFT - Client-side encryption keys:
This is the game-changer: Encryption keys exist ONLY on the user's client device. The VPN provider architecturally cannot access, store, or transmit user keys.
How this works:
Legal compliance met, but useless for authorities:
The beauty of this approach:
6. DISPOSABLE ACCOUNTS - Breaking continuity:
Offer disposable, temporary accounts with maximum 30-day lifespan (or even shorter periods like weekly accounts).
Why this matters:
How it works in practice:
The legal beauty:
Similar precedents:
Critical timing consideration:
If you implement "Ignorance by Design" BEFORE the law passes, you can argue: "Our system was already designed this way." If you change the architecture AFTER the law passes, regulators could claim you're deliberately evading it.
The EU's potential counterattack:
The EU could respond by:
However, these would face serious challenges:
Real precedents:
Question: Have you consulted specialized lawyers in regulatory compliance who focus on:
Because that's different from just "opposing the law" or "relocating" - it's about exploiting the law's own weaknesses and architectural impossibilities. You can comply with data retention while making the retained data cryptographically useless AND time-limited by design.
Combined approach could be devastating to surveillance efforts:
Just food for thought.
⚠️ CRITICAL: The deliberate 6-month trap in the EU proposal
I want to highlight something crucial that many might have missed about this leaked EU document: the implementation timeline is weaponized against VPN providers.
The Timeline:
This means enforcement could begin as early as December 2026 - January 2027.
Why this matters - and why it's deliberate:
What VPN providers need to do to properly respond:
Total time realistically needed: 12-18 months MINIMUM
The trap:
This is NOT an accident. This is strategic.
The short implementation window ensures that providers:
Historical precedent - GDPR:
The Catch-22:
My recommendation to Xeovo:
Start contingency planning IMMEDIATELY, even before the law officially passes. Here's why:
Insurance: Even if this specific law doesn't pass, the trend is clear. Similar proposals will keep coming.
Legal defensibility: If you implement "Ignorance by Design" architecture in 2025, BEFORE any law passes, you can legitimately say: "This was our system design, not evasion."
Competitive advantage: Privacy-focused architecture becomes a selling point regardless of legislation.
Strategic flexibility: Having the architecture ready means you can deploy it when/if needed, not scramble at the last minute.
Industry leadership: Being proactive positions you as a leader in privacy protection.
What "contingency planning" means:
You don't have to deploy these changes immediately, but you need them ready to deploy so that when/if the law passes, you can respond in weeks, not months.
The EU likely expects:
Prove them wrong.
The 6-month window is designed to prevent resistance. The counter-strategy is to start preparing now, so you're not caught in the trap.
Timeline recommendation:
This way, the 6-month trap becomes irrelevant because you're already prepared.
Question for Xeovo: Are you aware of this timing trap? Do you have contingency plans in development, or are you waiting to see if the law passes first?
Time is the most valuable resource here, and it's being deliberately limited.
It's like text from a neural network.
But I agree that you need to look for legal and technical loopholes, because this law will definitely be passed in one form or another.
It's important to unite with others, but in the end, the most that unity will achieve is a text expressing discontent, which the authorities will print out and wipe their asses with.
It is. I am not an IT engineer or an English native speaker. I am a philosopher. My work is just thinking: I am the prompt designer of these AI posts.
It is not easy to find a lawyer with such technical expertise. However, even if we find a loophole, the main problem remains.
If the law passes, the damage is already done. Having a company in Europe would be a big red flag, and the average consumer would assume that we log the information.
@Fodt Let's chill with AI posts. It's okay to use it to translate, but let's not litter Hub with it.
Imagine that the damage from this law has already been done and act based on the new reality. If you cannot ensure the protection of your users' data, then teach them or give them a ready-made tool to do it themselves. And explain everywhere in your advertising why it is safe.
You don't have many options. Either go underground, like darknet sites, or make radical changes.
You wrote above that you want to join forces with other VPN providers. So join forces, but not primarily to write about how you oppose this law, but for technical and legal solutions.
Speaking of average users, I am one of them. I am not a technical specialist or a lawyer. But I will never believe in any privacy policy because it's just letters on a screen. If the special services of one of the countries come to you personally and threaten your family or torture you (of course, they never do that), then in that very second you will collect all the logs and not write about it anywhere.
That's why the average user doesn't care. They care about speed, stability, and convenience of payment and use. Moreover, all VPN providers will face this, not just you. So you are on equal terms.
I would like to say a lot more, but the hub format is not convenient for this. So I will write as you respond, if it makes sense for both of us.
And I will repeat once again that the easiest thing to do is to make the logs identical or false, but from the user's side. You can store them for 100 years, but they will be nonsense. And you will be clear before the law because it is not you who does it, but the users. And you store everything very conscientiously.
After researching the EU data retention situation, here's what I found.
Switzerland is looking less reliable. ProtonMail handed over that activist's IP in 2021, and they've been signing EU cooperation agreements through 2024-2025. The privacy reputation seems more marketing than reality now.
Panama works for legal incorporation and jurisdiction protection, but server latency to the EU is 180 ms+, which kills performance.
Serbia is actually interesting: not in the EU so no data retention laws, 25ms latency to EU cities, low costs, and they don't automatically cooperate with requests. Seems like the best option for EU-facing infrastructure right now.
The setup that makes sense: Panama for legal entity (jurisdiction protection), Serbia for servers (performance), Russia/Kazakhstan as fallback.
Anyone else looked into Serbian hosting providers?