Require VPN providers maintain physical ownership of some/all servers

Cannot comment on random datacenter companies but AWS gives you total control too. They have datacenters specificly tailored for regions, like for government contracts, or EU or China. They have strict access and security requirements, so you even as a customer cannot just walkin without proper authorization.

Having a datacenter underground or old military base have no meaning. Is your datacenter guarded by military? No. So, it is just a location and company is using underground bunker, old nuclear silo, old military base, fallout shelter with vault dwellers as marketing gimmick.

Having your own datacenter is always the best solution, but I feel like you have no idea how much these datacenters cost. Apart from hardware, you also need to take care of personel, security, certifications, as well as environment.

My company has several datacenters around the globe, and one DC in Germany had fire hazard few months ago. One floor was on fire due to electrical malfuction. And downtime was two days, on weekend. Two days of downtime for complete DC and damage cost was in tens of millions of Euro. Just for two days.

Now imagine Proton, Mullvad, or any other company having such things. They are serving millions of people, and Proton is also serving business clients too, which also has SLA requirements. Same goes for Windscribe / Control D duo.

1 Like

This is a reply to my post but it doesn’t actually address anything I said. However, I do want to point out that this section you quoted from Mullvad…

Hosting providers never have direct access to the operating system or the software running on the server itself. If we need their help in rebooting and reinstalling faulty servers, the provider uses remote management.

…does not just apply to owned servers, it applies to all their servers. This is exactly what I’ve been getting at, this is the part that matters and it is not tied to actual ownership of the hardware so making ownership the criteria doesn’t accomplish what you think it does.

This would be a meaningful addition if the requirement was “does not grant third parties access to the software running on any of its servers”

I disagree. The third-party still owns the server and can theoretically do what it wants with it.