A Macintosh Resource Site
for the Milwaukee Metro Area


5, 9 and 14 Eyes - Do the “Eyes” Have it or Not?

First published: April 2019. Latest revision: March 2023.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine the location and jurisdiction of VPNs, i.e., where their base of operations is and under what laws and regulations they operate, and we’ll consider how much this should matter in your choice of a VPN.

Definitions

Two sorts of locations are important to one’s use of VPNs. Also important is the jurisdiction of a particular location. (Note that we are concerned with countries here, as opposed to states or municipalities.)

The location of a VPN provider is the country in which the company that operates the VPN is legally registered as a business. Each VPN has just one country that qualifies as the VPN provider location.

A VPN server is the computer to which the VPN software that you are running on your own device connects, providing you with a secure and private connection to the VPN service. The server locations of VPN companies typically include multiple countries.

Jurisdiction refers to the authority of a country (as enabled by its laws and regulations) to rule over the VPN company itself and/or the VPN’s servers that are located in that country.

Thus, a VPN is typically subject to multiple jurisdictions. There is one jurisdiction in the country in which the VPN company itself is located, and often many other jurisdictions in the various countries in which the VPN’s servers are located. However, in general usage, a VPN’s jurisdiction refers to the country in which it is legally based and registered.

Jurisdiction is of concern to VPN users because jurisdiction determines to what extent a presiding government might threaten the privacy and security of one’s use of the Internet when connected via a VPN.

Jurisdictions without borders?

Unfortunately for privacy- and security-minded users of VPNs, the influence of a government can be extended well beyond its normal jurisdiction, i.e., beyond the borders of the country. This wide-ranging influence is enabled by multilateral agreements between countries to cooperate in “signals intelligence” (SIGINT), which is the gathering of intelligence (spying) via the interception of “signals,” such as Internet data or phone communications.

The United Kingdom and the United States entered into such an agreement in 1941. The initial “United Kingdom–United States of America Agreement” (UKUSA Agreement) has been greatly expanded since its origin. The “5, 9 and 14 Eyes” jurisdictions refer to groups of countries that are now participants in an expansion of that initial UKUSA Agreement. These countries engage in an alliance to aid one another in spying both on their own citizens and on citizens of other countries.

Global Mass Surveillance: The Fourteen Eyes

The UKUSA Agreement is an agreement between the United Kingdom, the United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world.

While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other's citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens.

The Five Eyes alliance also cooperates with groups of third-party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes). However, Five Eyes and third-party countries can and do spy on each other.

(from Global Mass Surveillance - The Fourteen Eyes) (archived)
(I added bold emphasis and paragraph breaks.)

The parties agree to the exchange of the products of the following operations relating to foreign communications:

  1. Collection of traffic
  2. Acquisition of communications documents and equipment.
  3. Traffic analysis.
  4. Cryptanalysis.
  5. and translation.
  6. Acquisition of information regarding communications organizations, procedures, practices and equipment.

(from https://en.wikipedia.org/wiki/UKUSA_Agreement)
(I added bold emphasis.)

So, in a nutshell, the domestic and foreign spying agreement was originally between these five countries:

  • Australia
  • Canada
  • New Zealand
  • United Kingdom
  • United States

The above are the “Five Eyes” countries.

Another “signals intelligence” grouping was created: the “Nine Eyes,” consisting of the Five Eyes plus:

  • Denmark
  • France
  • Netherlands
  • Norway

Yet another group, the “Fourteen Eyes,” consists of the same countries as the Nine Eyes plus:

  • Belgium
  • Germany
  • Italy
  • Spain
  • Sweden

Finally, a few additional countries (Israel, Singapore, South Korea, Japan and British Overseas Territories) are apparently surveillance partners of the Fourteen Eyes countries.

Why should you care about all these “Eyes?”

Basically, these “Eyes” coalitions are of concern to a VPN user because everything that comes to or from your Internet device through a VPN is at risk of being observed by secretive, well-funded, government-run entities that have more spying resources at their disposal than you can imagine.

… These countries not only spy on their own citizens where they can get away with it, but they spy on each other’s, and swap notes to bypass governmental restrictions on power. If a service, or the people who run a service, is based in one of these countries, it’s not unreasonable to expect that they may be susceptible to unlawful searches and compromises made in the name of national security.

(from “Choosing a VPN” in “Choosing a VPN” by That One Privacy Guy) (archived)
(I added bold emphasis.)

… Legal jurisdiction of VPN providers has become another important issue in light of Edward Snowden’s revelations of global mass surveillance.

While users frequently wish to avoid VPN providers based in what are known as the “5-9-14 Eyes Jurisdictions,” we should be clear: no one should expect a VPN service alone to provide a perfect defense against nation-state level surveillance.

Jurisdiction information is still useful, as the Electronic Frontier Foundation points out, because the VPN provider’s place of incorporation and the national law it operates under may afford users different protections such as general privacy laws, data retention requirements, and security obligations. It also dictates how providers may respond to legal requests for data.

(from https://cdt.org/issue/privacy-data/vpns/) (archived)
(I added bold emphasis and paragraph breaks.)

These are just two out of many sources that warn that VPN services based in or operating in 5-9-14 Eyes jurisdictions are likely more susceptible to interception, search, and/or seizure of information about how a user has used that VPN.

What to do, given this situation of government surveillance?

Some sources recommend a cautious approach.

You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws of those countries, including laws governing government requests for information. Laws vary from country to country, and sometimes those laws allow officials to collect information without notifying you or giving you an opportunity to contest it.

(from Choosing the VPN That's Right for You) (archived)
(I added bold emphasis.)

Choosing a VPN that is outside the 5/9/14 Eyes surveillance countries may offer further protection.

(from https://restoreprivacy.com/vpn-logs-lies/)
(I added bold emphasis.)

However, other sources are somewhat less restrictive in their jurisdiction recommendations, merely emphasizing the avoidance of 5-Eyes or US-based VPNs:

Avoid All Five Eyes-based Services

The Five Eyes (FVEY) spying alliance includes Australia, Canada, New Zealand, the United Kingdom, and the United States. Edward Snowden has described it as a “supra-national intelligence organization that doesn’t answer to the known laws of its own countries.”

Intelligence is freely shared between security organizations of member countries, a practice that is used to evade legal restrictions on spying on their own citizens. It is therefore a very good idea to avoid all dealings with FVEY (Five Eyes)-based companies.

(from https://proprivacy.com/guides/the-ultimate-privacy-guide)
(I added bold emphasis.)

Why is it not recommended to choose a US-based service?

Services based in the United States are not recommended because of the country's surveillance programs and use of National Security Letters (NSLs) with accompanying gag orders, which forbid the recipient from talking about the request.

This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

(from https://www.privacytools.io/providers/) (archived)
(I added bold emphasis and paragraph breaks.)

The US and NSA Spying

The scope of the NSA’s (National Security Agency’s) PRISM spying program is staggering.

Edward Snowden’s revelations have demonstrated it has the power to co-opt any US-based company. This includes monitoring information relating to non-US citizens and pretty much anybody else in the world. It also includes monitoring all internet traffic that passes through the US’s internet backbone…

The UK (United Kingdom) and GCHQ (Government Communications Headquarters) Spying

The UK’s GCHQ is in bed with the NSA. It also carries out some particularly heinous and ambitious spying projects of its own. According to Edward Snowden, “they [GCHQ] are worse than the US.”

(from https://proprivacy.com/guides/the-ultimate-privacy-guide)
(I added bold emphasis and paragraph breaks.)

So, thus far, we have a high suspicion that the 5-9-14 Eyes countries have the capability to surveil pretty much whatever they desire.

However, according to the above comments, for a US citizen who is using a VPN to connect to the Internet, by far the worst situation is if the VPN is based in the US or another 5-Eyes country.

Does this situation actually affect you or me as typical users of the Internet via a VPN connection?

The following are statements that address that query.

Does (jurisdiction) even matter?

In the end, it’s difficult to determine exactly how much influence a VPN’s jurisdiction has on your privacy and data.

This is especially true when you consider that these surveillance entities operate globally and have the capability to monitor communications around the world. Therefore, an ‘offshore’ VPN may not be the silver bullet that some claim.

Example: US authorities compelled a Hong Kong “no logs” VPN service (PureVPN) to log user data and hand over this information to arrest and prosecute the VPN user (see article). All of this took place with an ‘offshore’ VPN that has a ‘zero log policy’ and promises to make its customers “invisible” to third parties.

This shows that ‘no logs’ marketing claims do not always align with reality. And furthermore, choosing an offshore provider may in fact be worse than choosing a US-based VPN service with good data protection policies and practices.

Ultimately, jurisdiction is just one of many factors to consider when looking for the best VPN service for your specific needs.

(from https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/) (archived)
(I added bold emphasis.)

Hence, we note that once again, in our attempt to find a VPN that meets our needs, we have a lack of consensus relative to recommendations from various sources. So let’s make our own assessment, not by ignoring the information presented above, but by selectively applying it to our own requirements for a VPN service.

Let’s look at this from the point of view of the “average law-abiding” US citizen, “John” or “Jane Doe,” who is using a home computer for email and Internet “surfing.” It seems to me that the mass surveillance perpetrated by various agencies of the 5-9-14 Eyes countries is probably not something about which “John” or “Jane Doe” needs to be too paranoid. Even if a government surveils them, is it a critical life-or-death or freedom-threatening situation? Likely not for “John” or “Jane.”

It is very important to note that, even if one is worried about 5-9-14 Eyes mass surveillance, if the VPN you are using has implemented strong encryption, and if the VPN is not keeping logs of your use, the “average law-abiding” US citizen ought to be able to rest well at night.

Allow me to restate this important point: even if a provider is located in any of these nations, if it doesn’t keep any logs, then typical users have little to worry about. Since the service does not record or store your browsing and downloading history, they would have nothing to hand over if someone came looking for any information.

So, the evaluation of a trustworthy VPN comes back to the topic addressed by my previous article, “Logging by VPNs.” As far as I am concerned, a true strict no-logging policy is of the utmost importance when I consider a VPN service for my use.

Nevertheless, I find that I can’t ignore the 5-9-14 Eyes conundrum… I’d rather be somewhat more cautious than may be necessary. Thus, in my search for a trustworthy VPN, I’m only going to consider VPNs that are not based in 5-Eyes countries. The 5-Eyes countries would seem to pose a greater threat to a US citizen than the 9-14 Eyes countries. Hence, VPNs based in the 5-Eyes countries of the US, Australia, Canada, New Zealand, and the United Kingdom will be eliminated from my consideration as I search for a VPN for my own use.

Summary

Based on this article and also on my article about VPN logging, here is how I would grade a VPN service relative to jurisdiction and logging:

  • Best: No-eyes based and it also has a strict no-logging policy. (This is probably more security and privacy than I really need.)

  • Acceptable: Not 5-eyes based but it has a strict no-logging policy. (In general, this should provide “good enough” security and privacy for me.)

  • Unacceptable: Not 5-eyes based but performs at least some logging, or 5-eyes based, no matter if it has a strict no-logging policy or if it performs at least some logging. (5-eyes based results in “automatic” rejection, as does the performance of some logging.)

  • Worse than unacceptable: United Kingdom or United States-based, no matter if it has a strict no-logging policy or if it performs at least some logging. (Sorry to say it, but for a US citizen in the US, any UK or US-based VPN should be completely avoided.)
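
The grading scheme above, written out as a small Python function (an added example, not part of the original article). The country groups are the lists given earlier in this article; the Provider fields, the sample providers and the choice not to count the additional partner countries as “Eyes” are assumptions. It also reports which server countries fall inside an Eyes group, since each server location carries its own jurisdiction.

```python
from dataclasses import dataclass, field

# Country groups as listed in this article.
FIVE_EYES = {"Australia", "Canada", "New Zealand", "United Kingdom", "United States"}
NINE_EYES = FIVE_EYES | {"Denmark", "France", "Netherlands", "Norway"}
FOURTEEN_EYES = NINE_EYES | {"Belgium", "Germany", "Italy", "Spain", "Sweden"}

def eyes_tier(country):
    """Return the smallest group (5, 9 or 14) that contains country, else None."""
    for size, members in ((5, FIVE_EYES), (9, NINE_EYES), (14, FOURTEEN_EYES)):
        if country in members:
            return size
    return None

@dataclass
class Provider:                 # hypothetical record layout for this example
    name: str
    base_country: str           # where the company is legally registered
    strict_no_logs: bool        # True only for a strict no-logging policy
    server_countries: list = field(default_factory=list)

def grade(p):
    """Apply the four grades in order of severity, strictest rule first."""
    tier = eyes_tier(p.base_country)
    if p.base_country in ("United Kingdom", "United States"):
        return "Worse than unacceptable"
    if tier == 5 or not p.strict_no_logs:
        return "Unacceptable"   # 5-Eyes base or any logging is an automatic reject
    # Assumption: partner countries (Israel, Singapore, ...) are not counted as "Eyes".
    return "Best" if tier is None else "Acceptable"

def server_exposure(p):
    """Map each server country that lies inside an Eyes group to its tier."""
    return {c: eyes_tier(c) for c in p.server_countries if eyes_tier(c)}

if __name__ == "__main__":
    # Constructed sample providers; none of these is a real service.
    samples = [
        Provider("ExampleVPN-A", "Switzerland", True, ["United States", "Germany", "Switzerland"]),
        Provider("ExampleVPN-B", "Sweden", True, ["Sweden"]),
        Provider("ExampleVPN-C", "Canada", True),
        Provider("ExampleVPN-D", "United States", True),
        Provider("ExampleVPN-E", "Switzerland", False),
    ]
    for p in samples:
        print(f"{p.name}: {grade(p)}; Eyes server locations: {server_exposure(p)}")
```

A provider can earn “Best” on its base country while still operating servers inside 5-Eyes countries, which is why the two results are reported separately.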

(In a later article in this series, we’ll generate some lists of VPNs that are worthy of consideration, including a list of VPNs that achieve “Best” and “Acceptable” ratings with respect to the above-noted criteria for jurisdiction and logging.)

In the next article of this VPN series, titled “Encryption and Privacy Protocols,” we’ll examine some of the protocols that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data.