11 minute read

TunnelBear has always tried to earn users’ trust through hard work and transparency. From being an early pioneer on “human readable privacy policies”, producing the industry's first independent security audits, GDPR compliance, and transparency reports, we strive to give users a clear understanding of how our service operates so they can make informed choices.

TunnelBear's philosophy on transparency is pretty simple:

  1. Don’t collect data.
  2. If we absolutely need to collect data, collect the minimum amount possible to accomplish the service requirement.
  3. If data is collected, always be transparent about it so customers can clearly understand how we operate our service. Even when it’s awkward.

Our Transparency Reports are our way of letting people know we’re keeping our promise to protect their privacy.

no logging

TunnelBear and US ownership

When we were first acquired, the internet had a lot to say about what US ownership might mean for TunnelBear. A year and a half later, we haven’t changed how we collect or manage your data. We still respect privacy and the rule of law the way we always have.

Responding to law enforcement might seem scary, but any VPN service that claims they don’t have to comply with law enforcement requests is either being disingenuous or naive around how global data privacy and access laws apply to them.

TunnelBear’s approach to law enforcement and governmental authority requests

When TunnelBear receives a request from governmental authorities, law enforcement agencies, or in connection with a legal proceeding, the request is reviewed by our legal counsel to verify that it is valid and to determine the appropriate nature and scope of our response.

As TunnelBear has grown from zero to tens of millions of users, the number of legal or governmental authority requests we’ve received has been small but is rising. Over the last year alone, requests for information have nearly doubled, and we expect that to increase in the coming years.

In each of the requests that we’ve received since our acquisition by McAfee, our process for validating requests has been the same. The results of our process can be seen in the table below:

Updated for 2019

April 1 - Sept 30, 2018

Requests Received: 4 Confirmed an individual has an account: 1 Usage data provided: 0

Sept 30 2018 - Sept 30, 2019

Requests Received: 10 Confirmed an individual has an account: 0 Usage data provided: 0

There’s a limited set of circumstances where TunnelBear may be able to confirm that an individual has an account. For example, if TunnelBear is presented with an email address, we may be required to confirm whether or not an account with that email address exists.

However, confirming that an account exists does not result in any usage information being disclosed, because the data we collect:

  • Does not contain IP addresses
  • Does not contain DNS queries
  • Does not contain the time you used TunnelBear
  • Does not contain any type of web traffic that can identify you on our network

You can see the exact data we might be required to provide by downloading a copy of your data from TunnelBear’s privacy centre.

At TunnelBear, we believe that the best way to protect our customer’s privacy is simply to not store data that puts their privacy at risk. You can see the exact data we might be required to provide in a request response by downloading a copy of your data from TunnelBear’s privacy centre.

A separate network for regulated US partners

In 2019, TunnelBear introduced a new Software Development Kit (SDK) and Application Platform Interface (API) so that McAfee and its industry partners could build apps and services on top of our high-speed global network of VPN servers.

The following updates apply only to users of those industry partners. They do not apply to TunnelBear customers.

Supporting new partners with an SDK

As we began building support for partners, we needed have an SDK that could coexist with certain rules that regulated partners face on how information can be handled, sent, used and monitored. One of these rules was the Communications Assistance for Law Enforcement Act (CALEA), or “Digital Telephony Act,” which is a US law that only applies to US telecommunication companies. To meet our service obligations with US regulated partners, we developed an entirely separate VPN server network to allow partner compliance.

We recognize that our users expect transparency in order to make informed choices. We felt it important to disclose this information because of our commitment to being open with our customers, while honouring our service obligations for US regulated partners.

What is CALEA?

CALEA is a law passed by the Clinton Administration in 1994 requiring telecommunications carriers and manufacturers of telecommunications equipment to design their services to ensure that they have built-in capabilities for lawful intercept to comply with legal requests for information.

In the original context, CALEA would allow law enforcement to contact a regulated entity with a subpoena and a phone number to conduct lawful targeted surveillance, commonly known as “wiretapping.” In the context of a VPN service, a US regulated entity in receipt of a valid subpoena would be required to provide a means of capturing internet traffic on a VPN server.

Does CALEA impact TunnelBear’s standalone (or non-partner) VPN service?

No. CALEA does not apply to TunnelBear as it is not a regulated telecommunications company. We created a separate VPN server network for US regulated partners that does not support TunnelBear. Users of our TunnelBear service will not and cannot connect to VPN servers subject to CALEA requirements.

We hope that our customers will understand and appreciate the complexity of this issue, as well as the time and effort we put into making sure we put your privacy rights first.

While it might be uncomfortable to talk about CALEA, not talking about it gives this legally-mandated technology a place to hide from the spotlight. We hope that our customers will understand and appreciate the complexity of this issue, as well as the time and effort we put into making sure we put your privacy rights first. We also appreciate McAfee’s executive support of this Transparency Report and the continued commitment to being open and direct with you our TunnelBear user community.

Earning trust with consistent transparency

Transparency reports force us to reexamine how we handle information, what information is necessary to run our service, and what we can do to protect our customers’ privacy. This takes constant effort to maintain, improve and evaluate. We are strongly committed to communicating what’s happening at TunnelBear and how it affects you, our customers.

Protecting your privacy and data remains our top priority at TunnelBear. By transparently communicating our data policies and the amount of operational data we require to run our service, we want you to feel secure using our network, be comfortable with the amount of data we’re asking for, and understand that we’re not sharing any data unless required to do so by law.

If you have any comments, questions, or concerns, we want to hear from you. Our friendly Support Bears are always happy to help.

Sincerely rawrs,
the TunnelBear Team