A Macintosh Resource Site
for the Milwaukee Metro Area


5, 9 and 14 Eyes - Do the “Eyes” Have it or Not?

First published: April 2019. Latest revision: November 2019.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine the location and jurisdiction of VPNs, i.e. where their base of operations is and under what laws and regulations they operate, and we’ll consider the importance of this with respect to your choice of a VPN.

Definitions

Two sorts of locations are important to one’s use of VPNs, as is the jurisdiction of a particular location. (Note that we are concerned with countries here, as opposed to states or municipalities.)

The location of a VPN provider is the country in which the company that operates the VPN is legally registered as a business. Each VPN has just one country that qualifies as the VPN provider location.

A VPN server is the computer to which the VPN software that you are running on your own device connects, providing you with a secure and private connection to the Internet. The server locations of VPN companies typically encompass multiple countries.

Jurisdiction refers to the authority of a country (as enabled by its laws and regulations) to rule over the VPN company itself and/or the VPN’s servers that are located in that country.

Thus a VPN is typically under multiple jurisdictions. There is the jurisdiction of the country in which the VPN itself is located, and often many other jurisdictions of the various countries in which the VPN’s servers are located. In general usage, however, a VPN’s jurisdiction refers to the country in which it is legally based.

Jurisdiction is of concern to VPN users because it determines to what extent a presiding government might threaten the privacy and security of one’s use of the Internet when connected via a VPN.

Jurisdictions without borders?

Unfortunately, for privacy and security-minded users of VPNs, the influence of a government can be extended well beyond its normal jurisdiction, i.e. beyond the borders of the country. This wide-ranging influence is enabled by multilateral agreements between countries to cooperate in “signals intelligence” (SIGINT), which is the gathering of intelligence (spying) by the interception of signals, such as Internet data or phone communications.

The United Kingdom and the United States entered into such an agreement in 1941. The initial “United Kingdom – United States of America Agreement” (UKUSA Agreement) has been greatly expanded since its origin. The “5, 9 and 14 Eyes” jurisdictions refer to groups of countries that now participate in expansions of that initial UKUSA Agreement, forming an alliance to aid one another in spying both on their own citizens and on citizens of other countries.

Global Mass Surveillance - The Fourteen Eyes
The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other's citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third-party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third-party countries can and do spy on each other.

(from https://www.privacytools.io/providers/)
(bold emphasis added by me)

The parties agree to the exchange of the products of the following operations relating to foreign communications:
1. Collection of traffic.
2. Acquisition of communications documents and equipment.
3. Traffic analysis.
4. Cryptanalysis.
5. Decryption and translation.
6. Acquisition of information regarding communications organizations, procedures, practices and equipment.

(from https://en.wikipedia.org/wiki/UKUSA_Agreement)
(bold emphasis added by me)

So, in a nutshell, the domestic and foreign spying agreement was originally between 5 countries:

  • Australia
  • Canada
  • New Zealand
  • United Kingdom
  • United States

These are the “Five Eyes” countries.

Another “signals intelligence” grouping was created: the “Nine Eyes”, consisting of the Five Eyes plus:

  • Denmark
  • France
  • Netherlands
  • Norway

Yet another group, the “Fourteen Eyes”, consists of the same countries as the Nine Eyes plus:

  • Belgium
  • Germany
  • Italy
  • Spain
  • Sweden

Finally, a few additional countries (Israel, Singapore, South Korea, and Japan) are apparently surveillance partners of the Fourteen Eyes countries.

Why should you care about all these “Eyes?”

Basically, these “Eyes” coalitions are of concern to a VPN user because everything that comes to or from your Internet device through a VPN is at risk of being observed by secretive, well-funded, government-run entities that have more spying resources at their disposal than you can imagine.

… These countries not only spy on their own citizens where they can get away with it, but they spy on each other, and swap notes to bypass governmental restrictions on power. If a (VPN) service, or the people who run a service is based in one of these countries, it’s not unreasonable to expect that they may be susceptible to unlawful searches and compromises made in the name of national security.

(from https://thatoneprivacysite.net/choosing-the-best-vpn-for-you/)
(bold emphasis added by me)

… Legal jurisdiction of VPN providers have become another important issue in light of Edward Snowden’s revelations of global mass surveillance. While users frequently wish to avoid VPN providers based in what are known as the “5-9-14 Eyes Jurisdictions,” we should be clear: no one should expect a VPN service alone to provide a perfect defense against nation-state level surveillance. Jurisdiction information is still useful, as the Electronic Frontier Foundation points out, because the VPN provider’s place of incorporation and the national law it operates under may afford users different protections such as general privacy laws, data retention requirements, and security obligations. It also dictates how providers may respond to legal requests for data.

(from https://cdt.org/issue/privacy-data/vpns/)
(bold emphasis added by me)

These are just two of many sources that warn that VPN services based or operating in 5-9-14 Eyes jurisdictions are likely more susceptible to interception, search and/or seizure of information about a user’s use of that VPN.

What to do, given this situation of government surveillance?

Some sources recommend a cautious approach.

You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws in those countries, which may include both legal requests for your information from that government, and other countries with whom it has a legal assistance treaty. In some cases, the laws will allow for requests without notice to you or an opportunity to contest the request.

(from https://ssd.eff.org/en/module/choosing-vpn-thats-right-you)
(bold emphasis added by me)

Choosing a VPN that is outside the 5/9/14 Eyes surveillance countries may offer further protection.

(from https://restoreprivacy.com/vpn-logs-lies/)
(bold emphasis added by me)

However, other sources are somewhat less restrictive in their jurisdiction recommendations, merely emphasizing avoidance of 5-Eyes or US-based VPNs:

Avoid All Five Eyes-based Services
The Five Eyes (FVEY) spying alliance includes Australia, Canada, New Zealand, the United Kingdom, and the United States. Edward Snowden has described it as a “supra-national intelligence organization that doesn’t answer to the known laws of its own countries.”

Intelligence is freely shared between security organizations of member countries, a practice that is used to evade legal restrictions on spying on their own citizens. It is therefore a very good idea to avoid all dealings with FVEY (Five Eyes)-based companies.

(from https://www.bestvpn.com/guides/the-ultimate-privacy-guide)
(bold emphasis added by me)

Why is it not recommended to choose a US-based service?
Services based in the United States are not recommended because of the country's surveillance programs and use of National Security Letters (NSLs) with accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

(from https://www.privacytools.io/providers/)
(bold emphasis added by me)

The US and NSA Spying
The scope of the NSA’s (National Security Agency’s) PRISM spying program is staggering. Edward Snowden’s revelations have demonstrated it has the power to co-opt any US-based company. This includes monitoring information relating to non-US citizens and pretty much anybody else in the world. It also includes monitoring all internet traffic that passes through the US’s internet backbone.

The UK (United Kingdom) and GCHQ (Government Communications Headquarters) Spying
The UK’s GCHQ is in bed with the NSA. It also carries out some particularly heinous and ambitious spying projects of its own. According to Edward Snowden, ‘they [GCHQ] are worse than the US.’

(from a previous version of the web page https://www.bestvpn.com/guides/the-ultimate-privacy-guide)
(bold emphasis added by me)

So, thus far we have a high suspicion that the 5-9-14 Eyes countries have the capability to surveil pretty much whatever they desire. However, according to the above comments, for a US citizen who is using a VPN to connect to the Internet, by far the worst situation is if the VPN is based in the US or another 5-Eyes country.

Does this situation actually affect you or me as typical users of the Internet via a VPN connection?

Following are statements that address that query.

Does (jurisdiction) even matter?
In the end, it’s difficult to determine exactly how much influence a VPN’s jurisdiction has on your privacy and data.

This is especially true when you consider that these surveillance entities operate globally and have the capability to monitor communications around the world. Therefore an ‘offshore’ VPN may not be the silver bullet that some people claim.

Example: US authorities compelled a Hong Kong “no logs” VPN service (PureVPN) to log user data and hand over this information to arrest and prosecute the VPN user (see article). All of this took place with an ‘offshore’ VPN that has a ‘zero log policy’ and promises to make its customers “invisible” to third parties.

This shows that ‘no logs’ marketing claims do not always align with reality. And furthermore, choosing an offshore provider may in fact be worse than choosing a US-based VPN service with good data protection policies and practices.

Ultimately, jurisdiction is just one of many factors to consider when looking for the best VPN service for your specific needs.

(from a previous version of the web page https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/)
(bold emphasis added by me)

Hence, we note that once again, in our attempt to find a VPN that meets our needs, we have a lack of consensus relative to recommendations from various sources. So let’s make our own assessment, not by ignoring the information presented above, but by selectively applying it to our own requirements for a VPN service.

Let’s look at this from the point of view of the “average law-abiding” US citizen, “John” or “Jane Doe,” who is using a home computer for email and Internet “surfing.” It seems to me that the mass surveillance perpetrated by various agencies of the 5-9-14 Eyes countries is probably not something about which “John” or “Jane Doe” need be too paranoid. Even if a government surveils them, is it a critical life-or-death or freedom-threatening situation? Likely not for “John” or “Jane.”

It is very important to note that, even if one is worried about 5-9-14 Eyes mass surveillance, if the VPN you are using has implemented strong encryption, and if the VPN is not keeping logs of your use, you ought to be able to rest well at night. The following restates this idea and it seems to be very sensible and practical to me:

Even if a provider is located in any of these nations but it doesn’t keep any logs then users have nothing to worry about. Since the service does not record or store your browsing and downloading history, they would have nothing to hand over if someone comes looking for any information.

(from a previous version of the web page https://www.vpnranks.com/vpn-based-in-five-eyes-nine-eyes-or-fourteen-eyes-nation/)
(bold emphasis added by me)

So, the evaluation of a trustworthy VPN comes back to the topic of my previous article, “Logging by VPNs.” As far as I am concerned, a true strict no-logging policy is of the utmost importance when I consider a VPN service for my use.

Nevertheless, I find that I can’t ignore the 5-9-14 Eyes conundrum… I’d rather be somewhat more cautious than may be necessary. Thus, in my search for a trustworthy VPN I’m only going to consider VPNs that are not based in 5-Eyes countries. The 5-Eyes countries would seem to pose a greater threat to a US citizen than the 9-14 Eyes countries. Hence, VPNs based in the 5-Eyes countries of the US, Australia, Canada, New Zealand and the United Kingdom will be eliminated from my consideration as I search for a VPN for my own use.

Summary

Based on this article and my article about VPN logging, here is how I would grade a VPN service relative to jurisdiction and logging:

  • Best: No-eyes based and it also has a strict no logging policy. (This is probably more security/privacy than I really need.)

  • Acceptable: Not 5-eyes based and it has a strict no logging policy. (In general, this should provide “good enough” security/privacy for me.)

  • Unacceptable: Not 5-eyes based but performs at least some logging, or 5-eyes based, no matter if it has a strict no-logging policy or if it performs at least some logging. (5-eyes based means “automatic” rejection, as does the performance of some logging.)

  • Worse than unacceptable: United Kingdom or United States-based, no matter if it has a strict no-logging policy or if it performs at least some logging. (Sorry to say it, but for a US citizen in the US, any UK or US-based VPN should be completely avoided.)

In a later article in this series we’ll generate some lists of VPNs that are worthy of consideration, including a list of VPNs that achieve “Best” and “Acceptable” ratings with respect to the above-noted criteria for jurisdiction and logging.

We’ll examine some of the protocols that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data in the next article of this VPN series, titled “Encryption and Privacy Protocols.”