Understanding VPN jurisdiction: 5 Eyes, 9 Eyes, 14 Eyes
When it comes to picking the right VPN provider, jurisdiction is important.
By jurisdiction, we mean where the company providing a VPN is actually based, not where its servers are located (although this matters too).
This is crucial for a number of reasons, but the major issue is state surveillance. You may not be aware of it, but security agencies in most developed nations have the ability to snoop and monitor almost everything you do. And they use these powers to the full, as the NSA scandals showed. It would be foolish to think that VPNs are immune to their intrusive activities.
Globally, the most powerful state surveillance agencies have combined into a series of alliances known as the 5 Eyes, 9 Eyes, and 14 Eyes alliances. These groupings have major implications for VPN users, so let’s explore them in more depth.
If you’re looking for a VPN far away from prying eyes, we have an excellent recommendation just for you. It’s based in a privacy-friendly jurisdiction, out of the clutches of the 14 Eyes alliance. The service also had multiple no-logs policy audits and was found to be clean of data logging, so you’d be in good hands.
5 Eyes alliance
The full five eyes list includes:
It emerged from the UKUSA security agreement, signed in 1946, and has been updated for the digital age. The idea behind the agreement was to ensure that Cold War allies could share SIGINT (signal intelligence) seamlessly. And the treaty also sought to keep this information sharing under wraps, remaining secret to the public until 2005.
Nowadays, the core aim of the alliance is to monitor their citizens’ online activity. And if certain laws prevent one member from digging into its peoples’ internet escapades, they can just ask another Eye to do the dirty work for them. The UK was found guilty of just that – asking the NSA to provide any data they pulled about United Kingdom residents.
Why was the 5 Eyes agreement kept hidden from the people? Well, we still don’t know the full story and the true scope of information gathering carried out under the terms of the alliance. But the implication is that the USA and its allies were engaged in detailed surveillance and intrusive activities which electorates would find controversial.
It very likely included the use of ECHELON, STONEGHOST, PRISM, and various other surveillance systems, which tapped into electronic communications across the world.
Do the 5 Eyes nations work alone?
If the intrusive operations permitted by the UKUSA treaty were the only global surveillance network, life would be easier for many spying-wary citizens. However, the core alliance doesn’t operate on its own. It has also gathered a series of satellite partners, that supplement its intelligence-gathering capabilities:
- Israel
- Singapore
- Japan
- South Korea
- British Overseas Territories
Israel operates hand in glove with the US government, providing and requesting security information on individuals of interest. It also has a thriving tech sector where cybersecurity is a major growth area. So users should be cautious about using Israeli VPNs.
Other partners include Asian nations like Singapore, Japan, and South Korea. All of these countries came under the US sphere of influence during the Cold War, and retain intelligence sharing systems with Washington. The same applies to British Overseas Territories like Bermuda or the Cayman Islands.
9 Eyes alliance
We’ve looked at the famous 5 Eyes countries, but if you’ve been searching around for a VPN, there’s a good chance that you’ve also come across the 9 Eyes countries, too. This is where understanding your VPN jurisdiction can get confusing, so it’s useful to be clear about who is in which “Eyes” list.
Here’s the full 9 Eyes list for reference:
- 5 Eyes countries
- Denmark
- France
- Norway
- Netherlands
Essentially the 9 Eyes network is an extension of the 5 Eyes group, and there is a debate about how formalized its structures are, and how powerful it is.
The main reason we are having this debate is down to one man: Edward Snowden. When he went public with his revelations about the NSA back in 2013, Snowden lifted the veil from the NSA’s global surveillance structures, confirming the existence of the 5 Eyes list.
What’s notable is that the 9 Eyes, and by extension the 14 Eyes, don’t have the same privileges as the 5 Eyes. Not all information collected by 5 Eyes members is available to the rest of the group, but the core nations are privy to all data gathered by the rest of the alliance countries, including satellite partners.
According to Snowden, the original 5 Eyes are not supposed to target each other. So, there should be no wiretapping by the USA of UK government meetings, and Australian ministers should be free to use the web without their activities being logged by the NSA. But that doesn’t really apply to other members.
14 Eyes alliance
As with the 9 Eyes countries, the 14 Eyes list includes:
This alliance also emerged directly from the Cold War and NATO structures, being christened the “SIGINT Seniors Europe” grouping. But it is much more loosely integrated into the circuits of global intelligence sharing than countries in the core alliance.
In fact, this has led to some friction, with Germany demanding greater access to intelligence data. In 2015, allegations emerged about the NSA spying on German government meetings, so it’s easy to see why they would want the protection from mutual spying that being in the 5 Eyes provides.
However, the core nations have sought to protect their privileges, leading some of the 14 Eyes countries to go their own way. In August 2018, the Germans announced a major new cybersecurity initiative along the lines of America’s DARPA, with the aim of establishing digital independence from the USA/UK.
Recent years have also seen the rise of “Pirate Parties” in nations like Sweden, which prioritize digital freedom and privacy, making governments less inclined to strengthen their ties to bodies like the NSA.
Surveillance systems used by the Eyes alliance
Naturally, this alliance has numerous ways to spy on people. And we only know about a fraction of systems used to monitor and gather citizen information. Here are a few that received media attention, bringing them to light.
ECHELON
This surveillance program was originally created in the 1960s to spy on the Soviet Union and its Eastern Bloc allies by the signatory states to the UKUSA Security Agreement. Now, they are the core 5 Eyes countries, and ECHELON has greatly expanded beyond the original scope.
According to the documents leaked by Snowden, ECHELON’s systems are capable of eavesdropping on telephones, faxes, computers, emails, bank accounts, and so much more. And the computers used for this purpose can store millions of records about individuals.
PRISM
USA-led surveillance program the NSA uses to request user data from technology and telecommunication companies. Such information includes essentially anything that is passed over the company’s network. We’re talking about emails, chat logs, photographs, documents, videos, etc.
The confirmed companies participating in PRISM are:
- Microsoft
- Yahoo!
- Paltalk
- YouTube
- AOL
- Skype
- Apple
- Dropbox
As of today, the true extent of the PRISM program is still unknown.
XKeyscore
Another NSA-led program that allows surveillance in real-time and the agents intercepting your communications don’t require a warrant to do so. With XKeyscore, they can parse through metadata, emails and the content on them, VoIPs, browser history, and any other internet activity associated with a person.
It shouldn’t be surprising that the 5 Eyes countries have access to these surveillance databases.
All eyes on VPN: using VPNs based in alliance member states
How do the 5 Eyes countries relate to VPN users?
In recent years, 5 Eyes governments have passed numerous laws which should concern VPN users.
For instance, the UK’s Investigator Powers Act empowered GCHQ to collect the following:
- Data on users’ browsing habits
- How long users spend connected to certain sites
- Users’ SMS messages
These nations have also beefed up their powers to force Internet Service Providers (ISPs) to hand over data regarding individual users, again using national security as an excuse. And ISPs have tended to comply, adding backdoors when asked which allow security agencies to access the flow of consumer data.
Most importantly, governments have recognized the increasing usage of VPNs and taken steps to neutralize the threat they pose. Experts now generally advise users to avoid companies based in 5 Eyes nations and to exercise caution when using servers located in these nations.
Are worries about the Five Eyes countries exaggerated?
While the intelligence-gathering abilities of Washington and GCHQ are formidable, they are generally focused on specific security threats and interests, not everyday web users.
- For many of us, government intrusion is less worrisome than the threat of cyber-crime and theft, and your VPN jurisdiction doesn’t matter too much when facing down these threats.
- Secondly, the 5 Eyes countries haven’t taken direct steps to regulate VPNs. Their efforts are focused more on ISPs and conventional traffic, along with cellphone networks. VPNs currently have very few requirements regarding data retention. If they state that they keep logs (or fail to make it clear that they don’t), that’s their decision, not the state’s.
- VPNs based in 5 Eyes nations also tend to be transparent about their identity and how to reach them – in keeping with the regulatory environment in places like the UK, Australia or Canada. This needs to be balanced against non-5 Eyes operators, who can sometimes be very hazy about who they are, and how they work.
So there’s room to question how dangerous the 5 Eyes is when choosing a VPN jurisdiction. But bear in mind that we simply don’t know the full scope of how VPNs interact with bodies like the NSA, and given the past history of governments, there’s a decent chance that VPNs in 5 Eyes countries have working relationships with spooks.
Key VPNs in the 5 Eyes list
It might be handy to know a few popular VPNs that are based in 5 eyes nations, so here’s a quick list:
VPN provider | Based in: |
TunnelBear | Canada |
Ace VPN | USA |
BTGuard | Canada |
FlyVPN | USA |
LiquidVPN | USA |
IPVanish | USA |
StrongVPN | USA |
VPNSecure | Australia |
Windscribe | Canada |
Should you worry if your VPN jurisdiction is on the 9 Eyes list?
Here’s another area where things get interesting. On one hand, third parties on the 9 Eyes list tend to have less intrusive surveillance agencies than the 5 Eyes. So they should be more trustworthy as hosts for VPN providers. And plenty of VPNs have set up in these countries, such as GooseVPN (in the Netherlands) or ActiVPN (in France).
However, if you scroll through a list of the world’s most trusted VPNs, you’ll probably notice that many aren’t based in 9 eyes countries. The same security concerns apply to 9 Eyes jurisdictions as to those in the five eyes list. VPNs located in places like Norway or France are liable to be subpoenaed by the FBI or other agencies, forcing them to either release logs or hand over encryption key data.
Of course, you need to bear in mind that the risk is low for everyday users, but if you are using a VPN for sensitive business or political communications, the 9 Eyes alliance is just as perilous as the core 5 Eyes nations. In fact, given that the 5 Eyes nations have an agreement not to spy on each other, there may be a higher probability of VPNs in third party nations being compromised.
As with 5 Eyes nations, this tends to lead experts to advise those in need of the best possible security protection to avoid a VPN jurisdiction in the 9 Eyes network.
Some popular VPNs in the 9 Eyes countries include:
Is it dangerous to use a VPN based in 14 Eyes countries?
The answer to this question is exactly the same as with the other alliances. Yes, it tends to be riskier to use VPNs based in 14 Eyes countries than those outside the alliance.
There have been cases of these informal information-sharing networks being used to issue DMCA notices from US-based corporations, targeting file-sharers in other jurisdictions. And anyone in a 14 Eyes nation can expect the same kind of intrusion from state surveillance agencies, making them dangerous for transmitting sensitive information.
However, as we stressed above, these risks are relative.
In general, 14 Eyes countries will be slightly more autonomous where privacy is concerned than their partners in the core alliances. And for ordinary users, the risks are small.
For reference, here are some major VPNs based in the 14 Eyes countries:
VPN provider | Based in: |
AirVPN | Italy |
Avira Phantom VPN | Germany |
AzireVPN | Sweden |
ChillGlobal | Germany |
FrootVPN | Sweden |
PrivateVPN | Sweden |
Surfshark VPN | Sweden |
Integrity VPN | Sweden |
Mullvad VPN | Sweden |
OVPN | Sweden |
Steganos Online Shield | Germany |
Zenmate | Germany |
Should I use a VPN based outside the 14 Eyes list?
By now, you’re probably asking yourself whether you should always look for VPNs based outside the 14 Eyes umbrella. There are certainly plenty of good reasons to do so.
Most importantly, VPNs located outside the core nations will be much more tightly protected against legal challenges and state surveillance originating in the USA. So if you intend to work around geo-blockers or torrent large amounts of data, they could be the right option to go for.
This is especially important if you are worried about protecting personal communications from the eyes of the state. If privacy is your major concern, choosing a VPN jurisdiction outside the 14 Eyes is essential.
So, where should you look? Given that the world now has over 200 nations, there shouldn’t be any lack of contenders. Several things you should pay attention to while picking a VPN provider:
- Jurisdiction. Ideally, the VPN is based outside the influence of the 14 Eyes alliance, including the satellite nations. Such services won’t be forced to collect or hand over any user data. Furthermore, they aren’t required to comply with data requests dished out by other countries.
- Audited no-logs policy. Any service can claim to have a no-logs policy they adhere to, but where’s the proof no data collection is happening behind the scenes? Here’s where independent audits done by reputable third parties come into play. And better yet if you can view audit documentation and results yourself.
- Any past controversies. Many VPNs with “strict no-logs audits” have cooperated with governments in the past, like Riseup, HMA VPN, and such. A little digging around with Google helps reveal services that you shouldn’t trust from the get-go.
Leading VPNs that operate outside the 5/9/14 Eyes systems
VPN provider | Based in: |
NordVPN | Panama |
VPNArea | Bulgaria |
Perfect Privacy | Switzerland |
Proton VPN | Switzerland |
VPN.ac | Romania |
ZorroVPN | Belize |
PureVPN | British Virgin Islands |
ExpressVPN | British Virgin Islands |
CyberGhost | Romania |
VyprVPN | Switzerland |
Generally, VPNs in countries like Switzerland or Panama will deliver enhanced protection against snoopers, especially if they offer techniques like “multi-hop” transmission. So when choosing your next VPN, take jurisdiction into account. It’s a key part of ensuring online security, so it pays to keep your eyes open and exercise caution.
Other online privacy measures to consider
With so much data and our lives being shared on the web, you should think about minimizing how much you share of yourself online. We recommend:
- Pseudonyms and anonymous mail. Anonymous mail services encrypt your emails and usually don’t contain any information that could be traced back to you.
- Privacy-friendly browsers. Most web browsers like Chrome and various others that run on Chromium collect your browsing data for marketing purposes. Switching to a secure browser helps solve this. The most popular choices include Brave and Tor.
- Encrypted messaging apps. Not all messaging apps that utilize end-to-end encryption protect your metadata or abstain from collecting other identifiable data. (WhatsApp is notorious for this). There are better alternatives, like Telegram or Signal, that do not participate in such practices.
- Just don’t overshare. While it might be tempting to post the latest vacation photos on Instagram or share life updates on Facebook or Twitter, is it really worth it? Any kind of personal information you put on the internet stays there forever. And it’s easy pickings for any entity (government or not).
Bottom line
With seemingly every higher power vying for any bit and scrap of data about you, online privacy is a major concern for anyone diving into the interwebs. And the 5, 9, 14 Eyes alliance isn’t the only group of nations netizens should be worried about. China, Russia, India, and countless other countries aren’t shy about their mass surveillance tactics.
If you wish to retain some semblance of privacy, at least invest into a secure VPN. Data encryption is one of the best ways to keep anything you want to stay private, well, private. And such software does just that by making everything you do online a scrambled mess, unreadable to any prying eyes.
You may also like to read:
Most secure VPN providers
Best no-logs VPN providers
Are VPNs safe
What is AES encryption
What is Deep Packet Inspection (DPI)
Does a VPN protect you from hackers
FAQ
What does 5 Eyes country mean?
The 5 Eyes alliance is an intelligence network comprising the United States, United Kingdom, Canada, Australia, and New Zealand. Its main goal is to monitor electronic communications of citizens and foreign governments and share them between member countries.
Is there a VPN outside the Eyes?
Yes, there are multiple VPNs located outside the influence of the Eyes alliance. A few of the more popular options are NordVPN, ExpressVPN, CyberGhost, Proton VPN, PureVPN, and VyprVPN.
Is Surfshark outside of 14 Eyes?
Surfshark is headquartered in Sweden, a member of the 14 Eyes alliance. However, the company adheres to a no-logs policy that was audited by an independent third party and found to be true. Hence, it’s one of the few trustworthy VPNs based in the alliance.
Is NordVPN outside of 14 Eyes?
Yes, NordVPN is based outside of the 14 Eyes alliance – Panama. The country has no laws regarding enforced data logging or requiring VPNs to spy on their users. Furthermore, the service has undergone several no-logs policy audits without any troublesome findings.
Can you be tracked with a VPN?
No, you can’t be tracked while using a VPN. The encryption methods utilized by this software scramble all internet traffic coming from your device, so it can’t be viewed or intercepted by any third party. Thus, your ISP, government, or any other snoopers can’t see what you’re doing online.