Two top VPNs just pulled out of Hong Kong — here's why

Pro-democracy protesters in Hong Kong, July 2019.
(Image credit: Jimmy Siu/Shutterstock)

UPDATED with comment from ExpressVPN.

Two major North American best VPN providers are pulling their servers out of Hong Kong now that Beijing has assumed more direct control of the nominally autonomous former British colony.

"Effective immediately, Private Internet Access (PIA) is wiping and shutting down our VPN servers located in Hong Kong in response to the new Chinese national security law foisted by fiat on Hong Kong," the U.S.-based service Private Internet Access announced in a blog post yesterday (July 14).

Private Internet Access isn't the only VPN provider to make such a move. "Starting today, TunnelBear will be disabling its Hong Kong servers in order to ensure the safety of our users," the Toronto-based VPN provider TunnelBear, a subsidiary of U.S. antivirus giant McAfee, said in a blog post Monday (July 13).

On July 1, a new Chinese law went into effect in Hong Kong that effectively nullifies many of the free-speech and free-assembly safeguards that Beijing was supposed to respect until 2047, according to the agreement made with Britain when the city-state reverted to Chinese sovereignty in 1997.

As a result, the U.S. government announced that it would no longer share sensitive technologies with Hong Kong-based companies, a tacit declaration that the U.S. no longer recognizes Hong Kong as separate from mainland China.

'Protecting our users' data'

"China's new national security law allows law enforcement to seize servers located in Hong Kong without a warrant and otherwise execute warrantless interception of communications," the Private Internet Access blog post said. 

"PIA will not operate servers in locations that have enacted anti-privacy internet laws or proven to not follow the rule of law," it added. "Our commitment to privacy is why PIA has previously removed servers in Brazil, South Korea, and Russia."

"Our top priority is protecting our users' data," TunnelBear said. "Calling for Hong Kong independence is now a crime under 'secession,' and working with a foreign government or organization against the central Chinese government is now a crime under 'inciting hatred.'"

TunnelBear added that "the law also includes the introduction of 'national security education,' stronger government oversight over foreign news outlets and NGOs, and greater wiretapping abilities for police."

Services are still reachable from Hong Kong

Both companies said that no user data would be jeopardized if their servers were to be seized by police, but TunnelBear said that configuration keys might be in danger.

"Our decision to remove Hong Kong from the server list is to: a) protect our configuration keys [and] b) monitor the reach of the new security law on technical ecosystems in Hong Kong," TunnelBear said. 

"To minimize the potential impact to our networks we have scaled up our Singapore and Japan regions' capabilities, and recommend people in Hong Kong connect to them instead."

Private Internet Access said that users based in Hong Kong "will soon be able to connect to a new Hong Kong exit gateway ... through servers located in countries with more favorable laws regarding privacy."

Giving free VPN accounts to dissidents

Yesterday, TunnelBear followed up its withdrawal from Hong Kong by announcing a partnership with four non-governmental organizations to distribute 20,000 free VPN accounts to people around the world facing government censorship of the internet.

"By providing VPNs, which encrypt IP addresses and allow individuals to bypass local censorship, this initiative ensures that activists, journalists and communities have access to and the ability to share critical information and browse the open internet, regardless of location," TunnelBear said in a press release.

NordVPN staying in Hong Kong

However, NordVPN, one of the consumer VPN industry's most widely used services, told PC Magazine that it was staying in Hong Kong for now. 

"At the moment there is nothing indicating that our users are in any danger," NordVPN said to PC Magazine. "Our customers expect accessibility and freedom, and we are not going to restrict them without a good reason."

There was no word from two other major VPN providers that have ties to Hong Kong. PureVPN is officially based in Hong Kong, although it has developers and operations in Pakistan and other countries. 

An ExpressVPN executive told Tom's Guide last year that the company had some operations in Hong Kong. The company is legally domiciled in the British Virgin Islands.

Tom's Guide has asked for comment from both ExpressVPN and PureVPN, and we will update this story when we receive a reply.

UPDATE: An ExpressVPN spokesperson told us that the company was not founded in Hong Kong, as we stated earlier.

The spokesperson said that "ExpressVPN has a distributed team globally and has since its founding." We thank ExpressVPN for the clarification.

"As our VPN servers are already specifically architected not to contain personal or sensitive data on customers, we do not currently have plans to remove Hong Kong as a server location option for users," a statement provided to Tom's Guide by the ExpressVPN spokesperson said. "We believe that the best defense is never having any information on our VPN servers to seize or hand over."

The statement added that "our VPN servers run in RAM only," and "as a result, no data (including certificates or credentials) can persist after a system is powered down, whether because it is rebooted or physically removed from a data center."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.