Five Eyes, Nine Eyes, 14 Eyes & More: Do VPN Jurisdictions Really Matter?

Most users think of the NSA or GCHQ when they think of bulk surveillance. In truth, almost every country has its own respective signals intelligence (SIGINT) authority.

These agencies focus on law enforcement, data collection, and counterintelligence by intercepting electronic signals and online communications.

These authorities are often bound by domestic restrictions on the extent to which they can surveil their own population. This produces a powerful motive for them to work together and share information.

The Five, Nine, and Fourteen eyes alliances are international agreements that help create the framework for this kind of coordinated surveillance.

Here is a list of the global surveillance entities you should be aware of:

The Five Eyes countries are the US, UK, Canada, Australia, and New Zealand.

This intelligence-sharing agreement can be traced back to WWII and the UKUSA agreement, which was originally devised as a partnership between the United States and United Kingdom as a way to gather intelligence on hostile governments.

Over the past few decades the treaty has grown in both members and reach. Member nations, known as the Five Eyes countries, now work cooperatively to collect, analyze, and share intelligence both domestically and internationally.

While Five Eyes countries have agreed to not spy on each other as adversaries, documents leaked by Edward Snowden revealed that the nations monitor each other’s citizens and share intelligence to avoid breaking laws that prohibit them from spying on their own citizens.

This means that as well as sharing surveilled data amongst one another, Five Eyes countries also work together to send and enforce data retention notices. In short, one nation can pressure another to hand over the logs of VPN users under their jurisdiction.

Additional members of the UKUSA Agreement are referred to as ‘second parties’. These countries have the greatest access to the NSA and its databases. Third parties — such as South Korea or members of NATO — still cooperate with the NSA, but they have reduced access to the sum of its resources.

It should come as no surprise that many of the Five Eyes countries are also among the worst abusers of digital privacy:

• United Kingdom. The UK government passed the Investigatory Powers Act in 2016, which compels UK ISPs and telecoms to record their users’ browsing activity, connection logs, and messages. This data is stored for 12 months and is available to UK government agencies and third parties without a warrant.

• United States. The US government is a global leader in mass surveillance and data collection methods. Authorities are aided in this with the help of telecoms, tech companies, and ISPs, as seen in the PRISM program. In 2006 it was revealed that the US government was conducting warrantless surveillance of its citizens by tapping all traffic going through AT&T’s internet backbone. As of March 2017, US ISPs also have legal authority to log user activity and sell this information for a profit.

• Australia. Australia has implemented data collection laws similar to the UK. Officially called the ‘Telecommunications (Interception and Access) Amendment (Data Retention) Bill’, this law forces ISPs to monitor and record user metadata. This is stored for two years and is accessible to authorities without a warrant. Police can also force companies to share access to encrypted messages without the user’s knowledge.

We consider all five of the Five Eyes nations to be the worst VPN jurisdictions on the market.

ECHELON Surveillance System

The Five Eyes nations utilize ECHELON, a network of spy stations designed for large-scale surveillance and data collection.

These global surveillance stations can intercept data sent via telephones, faxes, and computers. ECHELON stations can track bank accounts and even intercept data sent to and from satellite relays. All of this data is stored in extensive databases that can keep millions of records on individuals.

Although evidence has been growing for almost 30 years, the US still denies that ECHELON exists, while the UK government has been consistently evasive.

Despite these denials, various whistleblowers have confirmed the truth by documenting various aspects of the ECHELON project.

The Nine Eyes alliance is an extended group of countries that cooperate to share intelligence. The Nine Eyes countries include all of the Five Eyes members along with France, Denmark, Norway, and The Netherlands.

The existence of the Nine Eyes alliance became well-known following the revelations of Edward Snowden in 2013. It is essentially a third-party extension of the Five Eyes agreement that cooperates to gather and distribute mass surveillance data.

While these four extra nations do not have domestic surveillance programs quite as problematic as the US, UK, or Australia, they still cooperate with each other and all five countries in the original alliance.

The Nine Eyes Alliance is an arrangement between SIGINT entities and is not officiated by any formal treaty.

The Fourteen Eyes countries include all members of the Nine Eyes alliance as well as Germany, Belgium, Italy, Sweden, and Spain.

The official name of the Fourteen Eyes alliance is the SIGINT Seniors of Europe (SSEUR), which has existed in various forms since 1982. Once designed to exchange military intelligence, it has now been expanded to include surveillance information on everyday citizens.

The SIGINT Seniors Meeting is held annually and attended by the leaders of SIGINT agencies including the BND, NSA, DGSE, GCHQ and more. These meetings provide a space for global intelligence heads to discuss cooperation and development.

The SIGINT Seniors of the Pacific is a similar entity which was created in 2005. Member states include all of the Five Eyes countries as well as India, France, Singapore, Thailand, and South Korea.

Other notable countries including Israel and Japan are also believed to work closely with the 14 Eyes alliance and the NSA.

The European Union is a collection of 27 sovereign European nations. It is one of the largest and most powerful political and economic unions in the world, and is also problematic in terms of surveillance and data privacy.

While the European Union’s cooperative policies are nowhere near as far-reaching or invasive as those in the Five, Nine, and Fourteen Eyes alliances, EU member states still engage in data sharing and retention agreements.

It’s worth nothing that there are some exceptions to this rule. In 2009, the Constitutional Court of Romania (CCR) agreed that EU demands were an unconstitutional violation of Romanian citizens’ rights to privacy. This makes Romania a rare bastion of user privacy among EU nations, and helps explain why VPN providers like CyberGhost might choose to base their operations there.

It’s clear that some countries are better than others, but there are plenty that cooperate with Five Eyes or SSEUR authorities and have a history of data sharing. This is worth keeping in mind when choosing a VPN based in an EU jurisdiction. You can find these countries listed in amber in our VPN jurisdiction comparison table.

The Shanghai Cooperation Organization (SCO) — also known as the Shanghai Pact — is a Eurasian political and economic alliance between Russia, China, Pakistan, India, Kyrgyzstan Kazakhstan, Uzbekistan, and Tajikistan.

The SCO is primarily focused on its members’ national security, and generally considers the issues of terrorism and extremism as among its main priorities.

Over the past few years, the entity’s activities have expanded to include increased military cooperation, intelligence sharing, and counterterrorism. It is highly likely that SCO member states collect and share data in a similar fashion to Western intelligence alliances.

There are certain countries that persecute VPN usage and invade citizens’ privacy regardless of international agreements.

The worst offenders for internet restriction include China, UAE, Turkey, Russia, Oman, Iraq, and Belarus, although this list is far from exhaustive.

While it’s fairly unlikely that you’ll find a VPN or a VPN server physically based in any of these countries, it’s worth being vigilant. We found a large number of VPNs with explicit ties to questionable Chinese tech companies in our investigation into free VPN apps.

Jurisdictions with close ties to these governments — such as Hong Kong — should also be avoided if you’re concerned about your data privacy.

For more information on the legality of VPNs and restrictions on their use, you can read our dedicated guide to VPN laws.

Jurisdiction is a key consideration when selecting a trustworthy VPN provider.

Some VPN companies argue that concerns around jurisdictions and their surveillance practices are unwarranted and overblown. However, there are several real-life cases that prove the risks associated with operating in a Five Eyes country.

If you’re using a VPN for privacy purposes, you already believe you cannot trust certain parties. These parties might be the websites you’re visiting or the government whose mass surveillance program is encroaching on your rights.

Using a VPN that’s based in an invasive jurisdiction simply adds one more untrustworthy party with a responsibility for your online activity.

When you use a VPN service, you should be aware of the jurisdictions governing:

• Your physical location
• The location of your chosen VPN server
• Your VPN provider’s business location

If you really want to be safe, it is best to know the laws and practices of all three.

If any of these locations are subject to invasive privacy laws or data sharing obligations, they could be susceptible to unwarranted searches and compromises in the name of ‘national security’.

Your VPN provider could be forced to hand over information to authorities about its users, which can then be shared with several other countries according to intelligence-sharing agreements.

VPN services based in an invasive jurisdiction could be vulnerable to the following issues:

1Surveillance and Data Retention

Along with their usual surveillance infrastructure, national intelligence agencies like the NSA and GCHQ have the power to force domestic organisations to log, share, and decrypt private information. Given the scope of their bulk surveillance programs, targeting a certain company or server network is particularly easy.

In the United States, the Patriot Act ushered in new powers for federal data collection, especially through the use of National Security Letters. These laws give authorities the power to coerce a legitimate privacy-focused business to become a data gathering tool for state agencies.

These logging requests may be accompanied by a gag order which makes it illegal for the target company to disclose what they’re being compelled to do. Some VPN companies publish warrant canaries in an attempt to tackle this problem, which we’ll cover later in this guide.

Data sharing requests are less problematic if the target company has a zero-logging policy. However, it is possible a company might be coerced into logging.

There is a precedent for this. In 2013, secure email service Lavabit was targeted by the FBI after learning that Edward Snowden had used the service. The company was subpoenaed with a gag order for the encryption keys to its users’ email contents. This would allow the FBI to access communications in real-time for all of Lavabit’s customers, not just Snowden’s.

The founder of the company, Ladar Levison, handed over the company’s encryption keys and shut down the service simultaneously. US authorities proceeded to threaten Levison with arrest, arguing that his actions violated the court order.

Similarly, Seattle-based VPN service Riseup was forced to collect user data for government authorities, and was also served with a gag order to stop them revealing this to their users.

HideMyAss, a VPN provider based in the UK, was also served with a court order to collect data and share this with authorities for a criminal investigation. This was not revealed until after the prosecution.

These are just examples of cases that have been made available to the public — it’s highly likely that there are other examples we don’t yet know about.

Ultimately, if faced with legal action, a VPN company operating in an invasive jurisdiction has three options:

1. Comply with the request to log, decrypt, and share user information.
2. Comply with the request but remove a warrant canary, signalling a compromise.
3. Shut down the service or the compromised server immediately.

2Data-Sharing Agreements

International surveillance agreements like the Five, Nine, and Fourteen Eyes Alliances allow member countries to take advantage of, as EFF puts it, “the lowest common privacy denominator.” In other words, every participating country gets to benefit from the mass surveillance data each other member brings in.

The intelligence-sharing practices of these countries have wide implications for internet users and VPNs in particular. It is reasonable to assume that if any one of these nations gains access to your data, it can then be shared with other countries.

Likewise, if a law expanding electronic surveillance capabilities is passed in one of these countries, it is as if the same legislation is passed in every country involved in the agreement. This means there is a strong chance your activity is being collected and shared with an intelligence agency no matter where in the world you are.

3Virtual Private Servers

Some VPN services rent Virtual Private Servers (VPS) to reduce operational costs. Virtual rented servers are significantly cheaper than owning physical servers.

While they can reduce a VPN provider’s overheads, a VPS can be problematic in terms of privacy.

Rental servers can keep logs of your activity regardless of the VPN company’s logging policy. Depending on the jurisdiction of the rented server, local authorities could compel the server host to retain or share this data.

In this case, the jurisdiction and logging policy of the VPN company is redundant. Local authorities can go directly to the server host to seize the information they need.

There are a handful of truly no logs VPN services that have passed real-life test cases or been audited by third parties. A VPN in a safe offshore jurisdiction simply adds additional protection, as there is less chance it can be compelled to hand over data to authorities.

If you care about your privacy, we recommend that you do not choose a VPN provider based in a country associated with the Five, Nine, or Fourteen Eyes Alliances.

While a zero-logs policy is able to offset some of the issues with a poor jurisdiction, these countries are much more likely to participate in invasive surveillance, data retention, and intelligence gathering programs.

It is also likely that more powerful nations in these alliances — like the USA — will be able to use their leverage to force other member countries into logging, data sharing, or other forms of cooperation.

It’s worth noting that there are some services that have proven themselves to be trustworthy despite operating out of a “dangerous” jurisdiction. We cover this in more detail in the final chapter of this guide.

Ultimately, your data is likely to be much safer in the hands of a company based outside of the reach of participating countries.

It’s worth remembering that the list of countries on this page isn’t exhaustive, and there are still other countries that make a poor base of operations for a VPN.

When assessing a VPN’s jurisdiction, consider the following factors:

• No connections to intrusive nations: Some countries are politically beholden to the laws and whims of bigger, more invasive countries. Make sure that there are no international ties that could jeopardize the security of your data. This includes countries involved in the Five, Nine, and Fourteen eyes alliances.
• No history of warrants and subpoenas: Avoid governments with a history of wanton prosecution based on the contents of its citizens’ browsing logs.
• Strong privacy and net neutrality laws: While questionable net neutrality laws won’t directly affect your privacy, they do imply that the government has a relationship with ISPs and telecom providers that hurts the consumer.

What Is a Privacy Haven?

A Privacy Haven is a country with a legal and political environment that is friendly to the notion of user privacy. These locations rarely take part in mandatory surveillance, data retention, or cross-border data transfers.

Privacy havens are not signatory to any international surveillance agreements and often boast some of the the world’s strongest privacy laws.

While they have no obligation to share user data with international authorities, these countries often lack the regulatory framework used to ensure accountability in data protection and security.

Countries often referred to as “privacy havens” include:

• British Virgin Islands
• Panama
• Seychelles
• Cayman Islands
• Malaysia

Which VPNs Have a Good Jurisdiction?

Many VPN companies choose to register their business under a privacy haven to ensure any records are kept out of the hands of international authorities.

Here is a list of these VPN providers and their respective jurisdictions. Remember that each of these services will come with its own drawbacks, so be sure to read our full review before making your decision.

VPN Provider	Jurisdiction
ExpressVPN	✓ British Virgin Islands
NordVPN	✓ Panama
Hide.me	✓ Malaysia
Astrill	✓ Seychelles
Surfshark	✓ British Virgin Islands
FastestVPN	✓ Cayman Islands
Trust.Zone	✓ Seychelles

A “warrant canary” is a colloquial term for a regularly-published statement designed to certify that a service provider has not been contacted by a government agency or forced into sharing its users’ data.

Data requests such as the US National Security Letter (NSL) typically come with a gag order that prevents the target company from publicly disclosing the fact it has been compromised.

The goal of a warrant canary is to circumvent these legal restrictions on revealing the existence of a subpoena. The service provider can therefore warn users of their compromise without technically violating the court order not to do so.

Warrant canaries usually operate by informing users that there has not been a court-issued warrant, gag order, or NSL as of a given date.

If the canary is not updated for a specified period or if the warning is completely removed, users are to assume that speech prohibition has gone into place and the host has been served with a legal request.

Many VPN services choose to maintain a warrant canary to help convince users they can be trusted. Examples of VPN providers with a warrant canary include ProtonVPN, Perfect Privacy, and BolehVPN.

It should be noted that the fact a VPN provider maintains a warrant canary does not necessarily mean the service is private or secure. Likewise, many reliable and reputable services choose not to maintain a warrant canary as a matter of principle.

There is still some debate among experts as to the effectiveness of warrant canaries. Some argue that governments can coerce companies into maintaining a canary even if they’ve been compromised, rendering the canary useless.

It is also possible that a compromised service would refrain from changing their warrant canary to avoid losing their customers. In this sense, many warrant canaries are nothing more than marketing theater from companies that don’t really care about user privacy.

Unfortunately, there is no way to know for certain whether a canary change is a true indicator of a court order. Instead, users are forced to rely on speculation and circumstantial evidence to decide what the meaning of a missing or changed canary is.

When choosing a VPN, it’s sensible to consider the maintenance of a warrant canary as an additional feature once you’ve identified an otherwise trustworthy service, rather than specifically looking for a company that has one when making your decision.

We checked the privacy policies of the most popular VPN services on the market. We found that a significant number of VPN providers are based in jurisdictions with the potential to put user data at risk.

The following table lists all 90 VPN providers, their respective jurisdiction, and whether or not they maintain a warrant canary. We found that:

• 57% of VPN providers are based in a member state of the Five, Nine, or Fourteen Eyes Alliance. These countries are listed in red.
• 32% are based in an EU member state or a country with suspected links to another invasive or censorious government. These countries are listed in amber.
• 11% are based in “safe” jurisdictions outside the reach of privacy-abusing governments or international data-sharing agreements. These countries are listed in green.

If you’re searching for a specific VPN, use Ctrl+F to find the provider you’re looking for. Otherwise, you can skip to the next section on trusting VPN jurisdictions.