Jurisdiction is a common topic within the VPN space, with many individuals citing privacy concerns based on the country that VPN providers operate out of as a business.

When TunnelBear was acquired in 2018, concerns were raised about the company's new position within the broader cybersecurity landscape. Critics pointed to TunnelBear's Canadian jurisdiction, with Canada being a member of the Five Eyes intelligence alliance, as a reason for concern.

However, these jurisdiction-based worries often miss the fundamental reality of how VPN privacy actually works - and why technical implementation matters far more than corporate ownership or geographic location.

The truth is that VPN jurisdiction concerns are often used as a marketing myth that distracts from the technical factors that actually determine your privacy protection. In reality, TunnelBear's position as part of the McAfee family - and its Canadian jurisdiction - should be the least of your concerns.

Transparent Privacy: Independently Audited No-Logs Policies

TunnelBear's privacy protection doesn't rely on corporate goodwill or favourable jurisdiction - it's built into the technical architecture through a rigorously audited no-logs policy.

Since 2016, TunnelBear has conducted independent security audits annually, making it the first and one of the few VPN providers today to maintain this level of transparency. In fact, we’re currently gearing up to release 2024’s report and will be starting our 2025 audit soon. We are looking forward to once again having multiple senior auditors examine every aspect of our service.

Additionally, our no-logs policy is a top priority in our privacy-centric approach to making software. This means that even if authorities presented TunnelBear with a legally binding court order, there simply wouldn't be any meaningful data to provide. As an example, between 2021 and 2023, TunnelBear received 70 government authority requests, but provided zero browsing data because none exists to provide.

What Does Our Privacy Policy Say?

Put simply, our privacy policy states:

"We don't know who you are. We don't know where you connect from. We don't know what you do while you use TunnelBear. We cannot provide information related to above three points to anyone".

When authorities request data from TunnelBear, we can only confirm whether an email address has an account - nothing else. No browsing activity, no connection logs, no user behaviour.

This isn't a policy promise; it's an intentionally designed technical reality verified by independent auditors who have access to TunnelBear's entire infrastructure.

Privacy-Driven Analytics and Client-Side Anonymization

Unlike many VPN providers that collect extensive user analytics, TunnelBear has engineered its data collection to focus exclusively on service performance rather than user activity. We've built a specialized analytics database designed around privacy-first principles, asking critical questions during development, such as:

  • What event details do we need?
  • Is there anywhere we can remove timestamps from events?
  • Can customers be identified from information in our analytics database?
  • Is this data absolutely necessary for a purpose?

The result is an analytics system that collects only operational data necessary for service improvement - connection success rates, limited server performance metrics, and crash errors. Crucially, all analytics data is anonymized client-side before it even reaches TunnelBear's backend servers. This means that even the TunnelBear team cannot trace analytics events back to individual users.

This approach contrasts sharply with VPN providers that collect detailed usage statistics, connection timestamps, and user behaviour patterns. Our operational data shows "how our system is running" rather than "how someone uses our system".

In other words, our team can see basic anonymized events like subscription status and app version, but cannot access any information about where users connect from, who they are, or what they do online.
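One way the design questions above can be enforced in a client, as an added example that is not TunnelBear's code: a per-event allow-list that drops timestamps and identifiers before upload and discards any event whose allowed fields still contain an email or IP address. The event names, field names and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Hypothetical schema (not TunnelBear's): the only fields allowed off the device.
ALLOWED = {
    "connect_result": {"success", "protocol", "app_version", "os_family"},
    "crash": {"error_class", "app_version", "os_family"},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample of what a client might hold locally before scrubbing.
SAMPLE = {
    "event": "connect_result", "success": True, "protocol": "wireguard",
    "app_version": "5.2.1", "os_family": "macos", "user_id": "u-1001",
    "email": "user@example.com", "client_ip": "203.0.113.7",
    "timestamp": "2025-01-01T12:00:00Z",
}


def looks_identifying(value):
    """True if a string value contains an email address or an IP address."""
    if not isinstance(value, str):
        return False
    if EMAIL_RE.search(value):
        return True
    for token in re.split(r"[\s,;()\[\]]+", value):
        try:
            ipaddress.ip_address(token)
            return True
        except ValueError:
            continue
    return False


def anonymize_event(raw):
    """Return the event as it may be uploaded, or None if it must be dropped."""
    allowed = ALLOWED.get(raw.get("event"))
    if allowed is None:
        return None  # unknown event type: nothing is sent
    out = {"event": raw["event"]}
    for key in sorted(allowed.intersection(raw)):
        value = raw[key]
        if key == "app_version":
            # Keep major.minor only so a rare build does not single out a device.
            value = ".".join(str(value).split(".")[:2])
        if looks_identifying(value):
            return None  # an allowed field carried an identifier: drop the event
        out[key] = value
    return out
```

Dropping the whole event when an allowed field contains an identifier, rather than redacting it in place, keeps a free-text field such as an error message from leaking an address into the analytics database.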

The most persistent myth in VPN marketing is that companies based outside intelligence-sharing agreements somehow operate above the law or provide superior privacy protection. This narrative fundamentally misunderstands how legal systems work globally. VPN companies in any country - whether in the Seychelles, Panama, or Switzerland - must comply with lawful court orders and subpoenas when properly presented.

Even some of the world’s most popular VPNs, which have long marketed themselves as being based in privacy-friendly countries such as Panama, updated their own policies to clarify that they would ultimately comply with "legally binding" court orders.

And this is the norm for serious VPN providers. A business simply cannot exist if it does not observe the legal framework it is subject to.

Moreover, international mutual legal assistance treaties ensure that government agencies can obtain data from virtually any jurisdiction when conducting legitimate criminal investigations. Major VPN providers regularly receive hundreds of government data requests annually regardless of their jurisdiction. This goes to show that the determining factor in user privacy isn't the company's location - it's whether the company has data to provide when requests arrive.

Besides, Intelligence Agencies Don't Need Our Assistance

A crucial point is that modern intelligence agencies don't rely on VPN providers for criminal investigations or national security operations. The NSA and similar organizations have sophisticated technical capabilities that operate independently of commercial VPN services. Documents revealed through various leaks show that intelligence agencies can compromise internet traffic through multiple attack vectors that don't require VPN provider cooperation.

The NSA has also demonstrated capabilities to compromise IPsec transmissions, conduct traffic analysis, and decrypt various forms of encrypted communications through technical means rather than legal requests to service providers. Even if VPN providers maintained detailed logs (which properly implemented services, like TunnelBear, don't), this data would provide no additional insights into investigations and would not add any information they don't already know. Because of the way the Internet has been implemented and the reach of surveillance programs, nobody is ever anonymous online - with or without a VPN.

Additionally, for legitimate criminal investigations, law enforcement agencies have access to multiple data sources that are far more valuable than VPN logs: internet service provider records, device forensics, financial transaction data, communication platform logs, and physical surveillance. VPN connection logs, even if they existed, would represent just one small piece of a much larger investigative puzzle that rarely proves decisive in criminal cases.

Put simply, the type of analytics data that TunnelBear collects - mostly connection success rates, limited server performance metrics, and crash errors - is completely useless for intelligence purposes. And that makes sense; knowing that a VPN server in Germany processed 50GB of encrypted traffic tells investigators nothing about specific users, activities, or criminal behaviour.

The Bottom Line: Technical Implementation Trumps Corporate Politics

Ultimately, what matters for your online privacy is not corporate ownership or geographic location, but technical implementation verified through independent audits. TunnelBear's history of consecutive annual security audits, genuine no-logs architecture, and client-side data anonymization provide far more meaningful privacy protection than any jurisdictional consideration.

The focus on jurisdiction that takes place in some online discussions creates a false sense of security that distracts from the technical factors that actually determine privacy protection. A VPN provider with robust encryption, verified no-logs policies, and transparent security practices offers superior privacy regardless of whether it's based in Canada, the United States, or any other country.

Rather than worrying about corporate ownership or alliance memberships, VPN users should focus on verifiable technical factors, such as:

  • Independent security audits
  • Transparent privacy policies
  • Minimal analytics practices
  • A proven track record of protecting user privacy when challenged by authorities

Looking at these measures, TunnelBear's integration into the McAfee family represents continuity of strong privacy practices rather than a compromise of user protection.

The TL;DR (too long; didn't rawr)

Ultimately, it does not matter if TunnelBear operates out of a country that is part of the Five Eyes Alliance. Our no-logs policy and privacy-oriented philosophy with data anonymization ensure there is no valuable information we could ever provide upon receiving legal requests for data.

The jurisdiction argument remains a marketing tactic designed to create artificial differentiation in a crowded marketplace, rather than a meaningful indicator of privacy protection. TunnelBear's technical approach to privacy, verified annually by independent auditors, provides the real foundation for user protection that no amount of corporate restructuring or jurisdictional gamesmanship can undermine.

Stay safe, stay informed, and commence tunneling.

the TunnelBear Team