New research raises some concerns

The issues with virtual location servers

VPN service providers promote online security and anonymity. They claim  to not keep logs and provide high speed downloading by effectively  providing you access to the nearest 'virtual' server.

That  server, however, may not be that close geographically. To address that,  some providers also offer servers at virtual locations. However, there  are various reasons to be concerned about where these VPN servers are  actually located.

Given that one man's terrortist can be another  man's freedom fighter, there are differing views on which physical  locations can be considered acceptable or not. Some consider the US and  its allies to be dangerous whilst some might prefer US-based servers, as no legal requirement to retain logs is in place.

Likewse, on a  purely commercial level, the running costs of having lots of low traffic, remotely located servers versus a few high traffic ones, in  turn, impacts pricing.

But the real underlying concern has to be  access to reliable, verifiable information on matters as fundanemtal as  log retention. Whilst, a user can monitor speed and see access to  content (specifically any that is geo-blocked), log retention is not verifiable.

And that is why virtual server usage and disclosure on locations should be made available.

Findings (https://restoreprivacy.com/virtual-server-locations/)  suggest that for a variety of reasons, some financial and others  practical, that the reality of virtual server locations is that they are  often clustered around a small number of easy access locations, usually  close to the user's base.

Determining the location of servers

it should be easy to find server locations. There' are a number of  public domain data sets that will help point you in the right direction,  not least the pronouncements of the providers themselves. That stated,  it seems that some information doesn't appear to correspond with reality  so the locations remains elusive.

However, whilst it is not  easy, there are diagnostics tools available that allow the skilled user  to make educated and informed estimations as to where they are.

How can virtual servers locations even be possible?

VPN providers can exploit the lack of coordination between Internet monitoring organizations to help disguise the real locations of their servers.  The provider can lease IP addresses owned by various ISPs across the  globe. It can then announce them via the ISPs that actually provide the  internet access to the server. This ensures any traffic goes directly to  them regardless of the nominal locations of their IP addresses.

ISPs can obtain IP addresses from Regional Internet Registries or RIRs.  Firms can then setup accounts with an ISP and lease addresses from them.

Firms can also register domain names with multiple name registries.  After providing basic organizational and contact information, they can  specify named servers which map their domain names to IP addresses  delegated to them by their ISPs.

Once your device finds the IP  address for any given domain name, and initiates a connection, then your  ISP needs to know how to reach it but it's nominal geographical  location doesn't help. Once the best routing has been established and  the required information is furnished, the determination can be made as  to the probable location.

But there's a catch. When arranging  Internet connectivity with it's local ISP, a firm discloses it's IP  address that it's leased from other ISPs, if those other ISPs agree. It  then advises it's ISP of the shortest router-to-router path to the  firm's servers, so the ISPs that own the address aren't involved in  routing traffic!

Summary of the report's conclusions

  • There are pros and cons to virtual server locations. However, users deserve to know where their VPN provider have theirs. VPN providers exploit the lack of coordination between Internet  monitoring organizations to hide the real location of their servers.
  • Three of the VPNs reviewed (NordVPN, Perfect Privacy and VPN.ac)  disclose no virtual locations and no substantial evidence to the contary  was discovered. Four of the eight VPN services (ExpressVPN, HideMyAss, PureVPN and Surfshark) disclose at least some virtual locations.
  • Virtual locations seem to be clustered around a few cities and/or countriese.g. Singapore, The Netherlands Overall, five of the eight VPN services (ExpressVPN, NordVPN, Perfect  Privacy, Surfshark and VPN.ac) have disclosed all or nearly all of their  virtual locations.
  • Eight providers were reviewed: ExpressVPN, NordVPN, Perfect Privacy, Surfshark, VPN.ac, Hidemyass, PureVPN and VyprVPN

Our general feeling after reading this is that these remain murky waters and long may that continue, although there has been some pushback  as to the need and value of this research and what constitutes the  'right' level of disclosure vs privacy.

For the full report, it's disclosures, methodologies and findings, please refer to the link shown above.