Five Eyes, Nine Eyes, 14 Eyes & More: Do VPN Jurisdictions Really Matter?

Callum oversees how we test and review VPN services. He's a member of the IAPP, and his advice about VPNs has featured in Forbes and the Internet Society.

Your VPN service could be subject to intrusive surveillance, data retention, or data-sharing laws. Learn about the Five, Nine, and Fourteen Eyes Alliances and what they mean for your privacy in this complete guide to VPN jurisdictions.

The world’s most powerful nations are members of secretive intelligence-sharing agreements called the Five Eyes, Nine Eyes, and Fourteen Eyes. In terms of privacy, these countries are the worst places to base a VPN company.

The members of these international alliances work together to collect mass surveillance data and share it among themselves in order to bypass restrictions on power.

The intelligence agencies behind these agreements work with internet service providers and tech companies to tap digital infrastructure for surveillance purposes.

They collect information such as your browsing activity, phone calls, text messages, electronic documents, location history, and much more.

If your VPN provider is based in one of these countries, it could be subject to intrusive surveillance, data retention, and gag order laws. It could even be compelled to hand over your data to authorities.

In this guide we’ll cover the Five, Nine, and Fourteen eyes alliances in depth. We’ll explain exactly why this topic is important when it comes to choosing a VPN.

You can also find out exactly where your VPN is based in our VPN jurisdiction comparison table.

The Five, Nine, and Fourteen Eyes Alliances

Most users think of the NSA or GCHQ when they think of bulk surveillance. In truth, almost every country has its own respective signals intelligence (SIGINT) authority.

These agencies focus on law enforcement, data collection, and counterintelligence by intercepting electronic signals and online communications.

National authorities are often restricted in terms of the extent to which they can surveil their own population. This produces a powerful motive for them to work together and share information.

The Five, Nine, and Fourteen eyes alliances are international agreements that help to generate this kind of coordinated surveillance.

Here is a list of the global surveillance entities you should be aware of:

1. The Five Eyes Alliance

The Five Eyes (FVEY) countries are the US, UK, Canada, Australia, and New Zealand.

This intelligence-sharing agreement can be traced back to WWII and the UKUSA agreement, which was originally devised as a partnership between the United States and United Kingdom as a way to gather intelligence on hostile governments.

Over the past few decades the treaty has grown in both members and reach. Member nations, known as the Five Eyes countries, now work cooperatively to collect, analyze, and share intelligence both domestically and internationally.

While Five Eyes countries have agreed to not spy on each other as adversaries, documents leaked by Edward Snowden revealed that the nations monitor each other’s citizens and share intelligence to avoid breaking laws that prohibit them from spying on their own citizens.

This means that as well as sharing surveilled data among themselves, Five Eyes countries also work together to send and enforce data retention notices. In short, one nation can pressure another to hand over the logs of VPN users within their jurisdiction.

The additional members of the UKUSA Agreement (Canada, Australia and New Zealand) are referred to as ‘second parties’. They have the greatest access to the NSA and its databases.

Third parties — such as South Korea or members of NATO — still cooperate with the NSA, but they have reduced access to the sum of its resources.

It should come as no surprise that many of the Five Eyes countries are among the worst abusers of digital privacy:

  • United Kingdom. The UK government passed the Investigatory Powers Act in 2016, which compels UK ISPs and telecoms to record their users’ browsing activity, connection logs, and messages. This data is stored for 12 months and is available to UK government agencies and third parties without a warrant.

  • United States. The US government is a global leader in mass surveillance and data collection methods. Authorities are aided in this by telecoms, tech companies, and ISPs, as seen in the PRISM program. In 2006, it was revealed that the US government was conducting warrantless surveillance of its citizens by tapping all traffic going through AT&T’s internet backbone. As of March 2017, US ISPs also have legal authority to log user activity and sell this information for a profit.

  • Australia. Australia has implemented data collection laws similar to the UK. Officially called the ‘Telecommunications (Interception and Access) Amendment (Data Retention) Bill’, this law forces ISPs to monitor and record user metadata. The data is stored for two years and is accessible to authorities without a warrant. Police can also force companies to share access to encrypted messages without the user’s knowledge.

We consider all five of the Five Eyes nations to be the worst VPN jurisdictions on the market.

ECHELON Surveillance System

The Five Eyes nations utilize ECHELON, a network of spy stations designed for large-scale surveillance and data collection.

These global surveillance stations can intercept data sent via telephones, faxes, and computers. ECHELON stations can track bank accounts and even intercept data sent to and from satellite relays. All of this data is stored in extensive databases that can keep millions of records on individuals.

Although evidence has been growing for almost 30 years, the US still denies that ECHELON exists, while the UK government has been consistently evasive.

Despite these denials, various whistleblowers have confirmed the truth by documenting various aspects of the ECHELON project.

2. The Nine Eyes Alliance

The Nine Eyes alliance is an extended group of countries that cooperate to share intelligence. The Nine Eyes countries include all the Five Eyes members along with France, Denmark, Norway, and The Netherlands.

The existence of the Nine Eyes alliance became well-known following the revelations of Edward Snowden in 2013. It is essentially a third-party extension of the Five Eyes agreement that cooperates to gather and distribute mass surveillance data.

While these four extra nations do not have domestic surveillance programs quite as problematic as the US, UK, or Australia, they still cooperate with each other and all five countries in the original alliance.

The Nine Eyes Alliance is an arrangement between SIGINT entities and is not backed by any formal treaty.

3. The Fourteen Eyes Alliance

The Fourteen Eyes countries include all members of the Nine Eyes alliance as well as Germany, Belgium, Italy, Sweden, and Spain.

The official name of the Fourteen Eyes alliance is the SIGINT Seniors of Europe (SSEUR), which has existed in various forms since 1982. Once designed to exchange military intelligence, it has now been expanded to include surveillance information on everyday citizens.

The SIGINT Seniors Meeting is held annually and attended by the leaders of SIGINT agencies including the BND, NSA, DGSE, GCHQ and more. These meetings provide a space for global intelligence heads to discuss cooperation and development.

The SIGINT Seniors of the Pacific is a similar entity which was created in 2005. Member states include all the Five Eyes countries as well as India, France, Singapore, Thailand, and South Korea.

Other notable countries including Israel and Japan are also believed to work closely with the 14 Eyes alliance and the NSA.

4. The European Union (EU)

The European Union is a collection of 27 sovereign European nations. It is one of the largest and most powerful political and economic unions in the world, and is also problematic in terms of surveillance and data privacy.

While the European Union’s cooperative policies are nowhere near as far-reaching or invasive as those in the Five, Nine, and Fourteen Eyes alliances, EU member states still engage in data sharing and retention agreements.

It’s worth noting that there are some exceptions to this rule. In 2009, the Constitutional Court of Romania (CCR) agreed that EU demands were an unconstitutional violation of Romanian citizens’ rights to privacy. This makes Romania a rare bastion of user privacy among EU nations, and helps explain why VPN providers like CyberGhost might choose to base their operations there.

It’s clear that some countries are better than others, but there are plenty that cooperate with Five Eyes or SSEUR authorities and have a history of data sharing. This is worth keeping in mind when choosing a VPN based in an EU jurisdiction. You can find these countries listed in amber in our VPN jurisdiction comparison table.

5. The Shanghai Cooperation Organization (SCO)

The Shanghai Cooperation Organization (SCO) — also known as the Shanghai Pact — is a Eurasian political and economic alliance between Russia, China, Pakistan, India, Kyrgyzstan, Kazakhstan, Uzbekistan, and Tajikistan.

The SCO is primarily focused on its members’ national security, and generally considers the issues of terrorism and extremism as among its main priorities.

Over the past few years, the entity’s activities have expanded to include increased military cooperation, intelligence sharing, and counter-terrorism. It is highly likely that SCO member states collect and share data in a similar way to Western intelligence alliances.

6. Highly-Censored Countries

Certain countries persecute VPN usage and invade citizens’ privacy regardless of international agreements.

The worst offenders for internet restriction include China, UAE, Turkey, Russia, Oman, Iraq, and Belarus, although this list is far from exhaustive.

While it’s fairly unlikely that you’ll find a VPN or a VPN server physically based in any of these countries, it’s worth being vigilant. We found lots of VPNs with explicit ties to questionable Chinese tech companies in our investigation into free VPN apps.

Jurisdictions with close ties to these governments — such as Hong Kong — should also be avoided if you’re concerned about your data privacy.

For more information on the legality of VPNs and restrictions on their use, you can read our dedicated guide to VPN laws.

What Is a VPN Jurisdiction?

A VPN provider’s ‘jurisdiction’ is the country in which it is based or incorporated. This country’s legal system will affect the data retention laws and privacy regulations the VPN company is subject to.

Most countries allow citizens and visitors to use VPNs legally. However, the level of control over internet use and data retention will vary from country to country. An intrusive jurisdiction may be able to force a VPN provider to monitor, collect, or share data about its users.

A VPN provider’s jurisdiction may be different to the location of its VPN servers. VPN services tend to have servers in dozens of countries so users can choose which location they’d like to connect to.

A VPN server is subject to the jurisdiction of the country it is physically located in. If necessary, the authorities of this country will be able to seize the server to examine it for data. However, they will be unable to compel the VPN company to collect logs or share user information. This is why a zero-logging policy is just as important as a good jurisdiction.

Depending on the extent to which your country oversees VPN use, you may want to choose a VPN provider located outside of your country of residence. It’s also sensible to choose a jurisdiction that has strong privacy laws and is not involved in international data-sharing agreements. Skip to our section below on choosing a VPN jurisdiction for more.

How Do Jurisdictions Affect VPN Users?

Jurisdiction is a key consideration when selecting a trustworthy VPN provider.

Some VPN companies argue that concerns around jurisdictions and their surveillance practices are unwarranted and overblown. However, there are several real-life cases that prove the risks associated with operating in a Five Eyes country.

If you’re using a VPN for privacy purposes, you already believe you cannot trust certain parties. These parties might be the websites you’re visiting or the government whose mass surveillance program is encroaching on your rights.

Using a VPN that’s based in an invasive jurisdiction simply adds one more untrustworthy party with a responsibility for your online activity.

When you use a VPN service, you should be aware of the jurisdictions governing:

  • Your physical location
  • The location of your chosen VPN server
  • Your VPN provider’s business location

If you really want to be safe, it is best to know the laws and practices of all three.

If any of these locations are subject to invasive privacy laws or data sharing obligations, they could be susceptible to unwarranted searches and compromises in the name of ‘national security’.

Your VPN provider could be forced to hand over information to authorities about its users, which can then be shared with several other countries according to intelligence-sharing agreements.

VPN services based in an invasive jurisdiction could be vulnerable to the following issues:

1. Surveillance and Data Retention

Along with their usual surveillance infrastructure, national intelligence agencies like the NSA and GCHQ have the power to force domestic organisations to log, share, and decrypt private information. Given the scope of their bulk surveillance programs, targeting a certain company or server network is particularly easy.

In the United States, the Patriot Act ushered in new powers for federal data collection, especially through the use of National Security Letters. These laws give authorities the power to coerce a legitimate privacy-focused business to become a data gathering tool for state agencies.

These logging requests may be accompanied by a gag order which makes it illegal for the target company to disclose what they’re being compelled to do. Some VPN companies publish warrant canaries in an attempt to tackle this problem, which we’ll cover later in this guide.

Data sharing requests are less problematic if the target company has a zero-logging policy. However, it is possible a company might be coerced into logging.

There is a precedent for this. In 2013, secure email service Lavabit was targeted by the FBI after the agency learned that Edward Snowden had used the service. The company was subpoenaed with a gag order for the encryption keys to its users’ email contents. This would allow the FBI to access communications in real-time for all of Lavabit’s customers, not just Snowden’s.

The founder of the company, Ladar Levison, handed over the company’s encryption keys and shut down the service simultaneously. US authorities proceeded to threaten Levison with arrest, arguing that his actions violated the court order.

Screenshot of the Lavabit case files released by the FBI. Snowden’s email address was mistakenly left unredacted; the documents were later published by pro-transparency group Cryptome.

Similarly, Seattle-based VPN service Riseup was forced to collect user data for government authorities, and was also served with a gag order to stop them revealing this to their users.

HideMyAss, a VPN provider based in the UK, was also served with a court order to collect data and share this with authorities for a criminal investigation. This was not revealed until after the prosecution.

These are just examples of cases that have been made available to the public — it’s highly likely that there are other examples we don’t yet know about.

Ultimately, if faced with legal action, a VPN company operating in an invasive jurisdiction has three options:

  1. Comply with the request to log, decrypt, and share user information.
  2. Comply with the request but remove a warrant canary, signaling a compromise.
  3. Shut down the service or the compromised server immediately.

2. Data-Sharing Agreements

International surveillance agreements like the Five, Nine, and Fourteen Eyes Alliances allow member countries to take advantage of, as EFF puts it, “the lowest common privacy denominator.” In other words, every participating country gets to benefit from the mass surveillance data each other member brings in.

The intelligence-sharing practices of these countries have wide implications for internet users and VPNs in particular. It is reasonable to assume that if any one of these nations gains access to your data, it can then be shared with other countries.

Likewise, if a law expanding electronic surveillance capabilities is passed in one of these countries, it is as if the same legislation is passed in every country involved in the agreement. This means there is a strong chance your activity is being collected and shared with an intelligence agency no matter where in the world you are.

3. Virtual Private Servers

Some VPN services rent Virtual Private Servers (VPS) to reduce operational costs. Virtual rented servers are significantly cheaper than owning physical servers.

While they can reduce a VPN provider’s overheads, a VPS can be problematic in terms of privacy.

Rental servers can keep logs of your activity regardless of the VPN company’s logging policy. Depending on the jurisdiction of the rented server, local authorities could compel the server host to retain or share this data.

In this case, the jurisdiction and logging policy of the VPN company is redundant. Local authorities can go directly to the server host to seize the information they need.

There are a handful of truly no logs VPN services that have passed real-life test cases or been audited by third parties. A VPN in a safe offshore jurisdiction simply adds additional protection, as there is less chance it can be compelled to hand over data to authorities.

How Do I Choose a VPN Jurisdiction?

If you care about your privacy, we recommend that you do not choose a VPN provider based in a country associated with the Five, Nine, or Fourteen Eyes Alliances.

While a zero-logs policy is able to offset some of the issues with a poor jurisdiction, these countries are much more likely to participate in invasive surveillance, data retention, and intelligence gathering programs.

It is also likely that more powerful nations in these alliances — like the USA — will be able to use their leverage to force other member countries into logging, data sharing, or other forms of cooperation.

It’s worth noting that there are some services that have proven themselves to be trustworthy despite operating out of a “dangerous” jurisdiction. We cover this in more detail in the final chapter of this guide.

Ultimately, your data is likely to be much safer in the hands of a company based outside of the reach of participating countries.

It’s worth remembering that the list of countries on this page isn’t exhaustive, and there are still other countries that make a poor base of operations for a VPN.

When assessing a VPN’s jurisdiction, consider the following factors:

  • No connections to intrusive nations: Some countries are politically beholden to the laws and whims of bigger, more invasive countries. Make sure that there are no international ties that could jeopardize the security of your data. This includes countries involved in the Five, Nine, and Fourteen eyes alliances.
  • No history of warrants and subpoenas: Avoid governments with a history of wanton prosecution based on the contents of its citizens’ browsing logs.
  • Strong privacy and net neutrality laws: While questionable net neutrality laws won’t directly affect your privacy, they do imply that the government has a relationship with ISPs and telecom providers that hurts the consumer.

What Is a Privacy Haven?

A Privacy Haven is a country with a legal and political environment that is friendly to the notion of user privacy. These locations rarely take part in mandatory surveillance, data retention, or cross-border data transfers.

Privacy havens are not signatory to any international surveillance agreements and often boast some of the world’s strongest privacy laws.

While they have no obligation to share user data with international authorities, these countries often lack the regulatory framework used to ensure accountability in data protection and security.

Countries often referred to as “privacy havens” include:

  • British Virgin Islands
  • Panama
  • Seychelles
  • Cayman Islands
  • Malaysia

Which VPNs Have a Good Jurisdiction?

Many VPN companies choose to register their business under a privacy haven to ensure any records are kept out of the hands of international authorities.

Here is a list of these VPN providers and their respective jurisdictions. Remember that each of these services will come with its own drawbacks, so be sure to read our full review before making your decision.

VPN Provider    Jurisdiction
ExpressVPN      British Virgin Islands
NordVPN         Panama Malaysia
Astrill         Seychelles
Surfshark       British Virgin Islands
FastestVPN      Cayman Islands
Trust.Zone      Seychelles
What Is a Warrant Canary?

A “warrant canary” is a colloquial term for a regularly-published statement designed to certify that a service provider has not been contacted by a government agency or forced into sharing its users’ data.

Data requests such as the US National Security Letter (NSL) typically come with a gag order that prevents the target company from publicly disclosing the fact it has been compromised.

The goal of a warrant canary is to circumvent these legal restrictions on revealing the existence of a subpoena. The service provider can therefore warn users of their compromise without technically violating the court order not to do so.

Warrant canaries usually operate by informing users that there has not been a court-issued warrant, gag order, or NSL as of a given date.

If the canary is not updated for a specified period or if the warning is completely removed, users are to assume that speech prohibition has gone into place and the host has been served with a legal request.
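
The check described above can be automated on the user's side. The following is an added example, not code from this guide or from any VPN provider: the canary wording, the "issued YYYY-MM-DD" date format, the 30-day update window, and the name ExampleVPN are all assumptions made for illustration, and the script does not verify that the page is authentic.

```python
import re
from datetime import date, datetime

# Constructed sample canary. Real providers use their own wording and layout.
SAMPLE_CANARY = """\
Warrant canary, issued 2024-03-01
As of this date, ExampleVPN has received:
- no warrants
- no gag orders
- no National Security Letters
Next update due within 30 days.
"""

# Statements the canary is expected to keep making (assumed wording).
REQUIRED_STATEMENTS = (
    "no warrants",
    "no gag orders",
    "no national security letters",
)

# Assumed date format for this example: "issued YYYY-MM-DD".
DATE_RE = re.compile(r"issued\s+(\d{4}-\d{2}-\d{2})", re.IGNORECASE)


def assess_canary(text, today, max_age_days=30):
    """Return (status, reasons); status is 'ok' or 'assume_served'.

    'assume_served' covers the cases the guide describes: the canary has
    been removed, a statement has been dropped, or it has not been updated
    within the expected period.
    """
    if text is None or not text.strip():
        return "assume_served", ["canary is missing or empty"]

    reasons = []

    # Normalise case and whitespace so line wrapping does not hide a statement.
    lowered = " ".join(text.lower().split())
    for statement in REQUIRED_STATEMENTS:
        if statement not in lowered:
            reasons.append(f"statement removed: '{statement}'")

    match = DATE_RE.search(text)
    issued = None
    if match:
        try:
            issued = datetime.strptime(match.group(1), "%Y-%m-%d").date()
        except ValueError:
            issued = None  # e.g. "2024-13-45" matches the regex but is no date

    if issued is None:
        # Without a date, freshness cannot be established at all.
        reasons.append("no valid issue date found")
    else:
        age = (today - issued).days
        if age < 0:
            # Treating a future date as a failure is this example's choice.
            reasons.append("issue date is in the future")
        elif age > max_age_days:
            reasons.append(f"last updated {age} days ago (limit {max_age_days})")

    return ("assume_served" if reasons else "ok"), reasons


if __name__ == "__main__":
    print(assess_canary(SAMPLE_CANARY, date(2024, 3, 15)))
    print(assess_canary(SAMPLE_CANARY, date(2024, 5, 1)))
    print(assess_canary(SAMPLE_CANARY.replace("- no gag orders\n", ""),
                        date(2024, 3, 15)))
```

A result of 'ok' only means the published text is fresh and complete; it says nothing about whether the provider was compelled to keep publishing it.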

Many VPN services choose to maintain a warrant canary to help convince users they can be trusted. Examples of VPN providers with a warrant canary include ProtonVPN, Perfect Privacy, and BolehVPN.

It should be noted that the fact a VPN provider maintains a warrant canary does not necessarily mean the service is private or secure. Likewise, many reliable and reputable services choose not to maintain a warrant canary as a matter of principle.

There is still some debate among experts as to the effectiveness of warrant canaries. Some argue that governments can coerce companies into maintaining a canary even if they’ve been compromised, rendering the canary useless.

It is also possible that a compromised service would refrain from changing their warrant canary to avoid losing their customers. In this sense, many warrant canaries are nothing more than marketing theater from companies that don’t really care about user privacy.

Unfortunately, there is no way to know for certain whether a canary change is a true indicator of a court order. Instead, users are forced to rely on speculation and circumstantial evidence to decide what the meaning of a missing or changed canary is.

When choosing a VPN, it’s sensible to consider the maintenance of a warrant canary as an additional feature once you’ve identified an otherwise trustworthy service, rather than specifically looking for a company that has one when making your decision.

VPN Jurisdiction Comparison Table (90+ VPNs Tested)

We checked the privacy policies of the most popular VPN services on the market. We found that a significant number of VPN providers are based in jurisdictions with the potential to put user data at risk.

The following table lists all 90 VPN providers, their respective jurisdiction, and whether or not they maintain a warrant canary. We found that:

  • 57% of VPN providers are based in a member state of the Five, Nine, or Fourteen Eyes Alliance. These countries are listed in red.
  • 32% are based in an EU member state or a country with suspected links to another invasive or censorious government. These countries are listed in amber.
  • 11% are based in “safe” jurisdictions outside the reach of privacy-abusing governments or international data-sharing agreements. These countries are listed in green.

If you’re searching for a specific VPN, use Ctrl+F to find the provider you’re looking for. Otherwise, you can skip to the next section on trusting VPN jurisdictions.

Do VPN Jurisdictions Really Matter?

We live in a time of unprecedented debate over the government’s powers to secretly monitor its citizens. Revelations about the NSA’s bulk surveillance program have raised serious questions about whether these powers are necessary, legal, or constitutional.

The best safeguard against these practices is strong encryption. Encrypting your data with VPN software before it hits the internet makes it much harder for intelligence agencies to record and track your internet activity.

If you’re looking for protection from targeted government surveillance, choosing a VPN incorporated in a “safe” offshore jurisdiction is unlikely to be enough to protect you. The intelligence entities listed in this guide have access to vast resources — if singled out, you’ll need to worry about more than the jurisdiction of your VPN.

Jurisdiction is one of many factors to consider when selecting a privacy tool like a VPN. Exactly how much it matters will depend on the level of protection you need.

Trust is also a major factor. A VPN can still lie to its customers and cooperate with authorities even if it operates in a “safe” jurisdiction. Providers like PureVPN have established a precedent for this; though they’re based in Hong Kong, they worked with the FBI to identify a user in 2017, completely undermining their “zero-logging” policy.

There are also VPN providers based in “dangerous” jurisdictions that have proven themselves to be trustworthy. In 2016, the FBI subpoenaed Private Internet Access (PIA) — a US-based VPN service — in connection with a user suspected of making bomb threats. Though they were facing official demands for logs, PIA simply had no data to provide, as described in the official court documents.

Ultimately, if you’re looking to protect yourself from government overreach, the location of the servers you’re connecting to and the practices of the people controlling them are likely to be more important than where the company is incorporated.
