There are many providers of colocation and rental servers in the world. However, the colocation and rental servers used by the VPN providers recommended by Privacy Guides converge on a few ISPs (e.g. M247, Datapacket, Leaseweb). Why is this?
I suspect there may be security or privacy reasons that cannot be met by the numerous other ISPs. The VPN provider I use gave me an abstract response (selected according to our criteria), which did not resolve my technical curiosity.
I suspect for VPNs the criterion is often “whether or not this ISP allows us to use their network in the first place.”
Given the threat model of most VPN users, I don’t think it really matters. Every provider and ISP has upstream providers of their own. There are only 15-16 ISPs on earth who do not purchase service from another ISP, and are ultimately responsible for interconnecting all other ISPs to the global internet.
All that being said, this is why reputable providers like Mullvad show which ISP each of their servers use in their server list, to allow you to make decisions based on that if you feel it’s necessary.
You’re likely conflating Access ISPs (from whom a consumer purchases Internet services) with Internet Exchanges (ISPs peering / connecting with other ISPs, including hosting providers / data centers), both of which are subject to different rules & regulations.
Like Jonah points out, for some, if their public VPN provider is hosted with an ISP (at an exchange or at a data center connected to an exchange) that’s far, far removed from their local/regional/national ISP, then that’s a valid threat mitigation.
If the hosting / peering arrangements of the public VPN providers concern the end-user, they might consider using anonymizing networks based on, for example, Onion routing (Tor) / Garlic routing (i2p). Some prefer using public VPNs that support multi-hop, or even chaining 2+ different VPNs.
Personally, my use-case for a public VPN has always been anti-censorship, so I have different preferences (including relying on QUIC / TLS based solutions and not really relying on a public VPN at all).
Could you give an example of what you mean by this, or just explain in a bit more detail? I think I understand what you are suggesting, but I’d like to be sure I’m understanding your point correctly.
If you’re in Indonesia or Brazil, say, and are wary of accessing content banned by the respective govts, using a public VPN (preferably not based in Indonesia or Brazil, in this instance) to connect to its servers in Australia or India might do, regardless of the laws in Aus / Ind.
It is another thing if Brazil outlaws VPNs (in which case, you’d want to explore, for example, using DTLS/TLS-based or QUIC-based tunnels), or if there’s co-operation on law/enforcement between India & Brazil (in which case, you’d steer clear of Indian servers or providers).
Apart from the ISPs (exchanges, or data centres connected to exchanges) currently employed by the major VPN providers, there must be other ISP options with similar requirements, so why are they excluding them from their choices? They appear to have exactly the same tendency in their choice of ISPs and there appears to be a clear rationale for excluding other options.