Your VPN service could be subject to intrusive surveillance, data retention, and data-sharing laws. Learn about the Five Eyes Alliance and what it means for your privacy in our complete guide to VPN jurisdictions.
The world’s most powerful nations are members of secretive intelligence-sharing agreements called the Five Eyes, Nine Eyes, and Fourteen Eyes Alliances.
The countries involved in these agreements work together to collect mass surveillance data and share it among themselves.
They collect information such as your web browsing activity, phone calls, text messages, electronic documents, location history, and much more.
In terms of privacy, these countries are the worst places to base a VPN company.
If your VPN service is based in one of these countries, it could be subject to intrusive surveillance, data retention, and data sharing laws. It could even be forced to hand over your data to government authorities.
A VPN service’s ‘jurisdiction’ is the country in which it is legally based or incorporated. This country’s legal system will affect the laws and privacy regulations the VPN service is subject to.
The level of surveillance and control governments have over internet use varies from country to country. An intrusive or dangerous jurisdiction may be able to force a VPN service to monitor, collect, or share data about its users.
A VPN’s jurisdiction is different to the location of its servers. Most VPNs have servers in dozens of countries, but every VPN will have just one jurisdiction. This is the country the company is legally based in.
VPN servers are subject to the jurisdiction of the country they are physically located in. The authorities in this country are legally authorized to seize the server to examine it for data.
However, while these authorities can seize the server itself, they are unable to compel the VPN company to share information, because it is based in a different country. This is why a VPN’s logging policy is just as important as a good jurisdiction.
Depending on the extent to which your own country regulates the internet, you may want to choose a VPN service located outside of your country of residence.
It’s also sensible to choose a jurisdiction that has strong privacy laws and is not involved in international data-sharing agreements.
How Do Jurisdictions Affect VPN Users?
If you’re using a VPN for privacy, you already believe you cannot trust certain parties – whether it’s the websites you’re visiting or your government.
Using a VPN based in an invasive jurisdiction simply adds one more untrustworthy party. It could be forced to hand over user information to authorities, which can then be shared with other countries according to intelligence-sharing agreements.
You should be aware of the jurisdictions governing:
Your physical location
The location of your chosen VPN server
Your VPN service’s legal base of operation
If any of these locations are subject to invasive laws, they could be susceptible to unwarranted searches and privacy compromises in the name of ‘security’.
Though important, jurisdiction is just one of many factors to consider when selecting a VPN. Exactly how much it matters depends on the level of protection you need.
If you’re looking for protection from targeted surveillance, choosing a VPN in a safe jurisdiction is unlikely to be enough to protect you. National intelligence agencies have access to vast resources — if singled out, you’ll need to worry about more than the jurisdiction of your VPN.
Trust is also a major factor. A VPN can still lie to its customers and cooperate with authorities even if it operates in a “safe” jurisdiction.
Ultimately, if you’re looking to protect your online privacy then the location of the servers you’re connecting to and the practices of the company controlling them are likely to be more important than where the company is incorporated.
That said, VPN jurisdictions are still important if you really care about your privacy. You could be vulnerable to the following issues:
Surveillance and Data Retention
Along with their usual surveillance infrastructure, national intelligence agencies like the NSA and GCHQ have the power to force domestic organisations to log, share, and decrypt private information.
In the United States, the Patriot Act ushered in new powers for federal data collection through the use of National Security Letters. These laws give authorities the power to coerce a legitimate business to become a data gathering tool for state agencies.
These requests may be accompanied by a gag order that makes it illegal for the company to disclose what they’re being compelled to do. Some VPN companies publish warrant canaries in an attempt to tackle this problem, which we’ll cover later in this guide.
There is precedent for this. In 2013, the secure email service Lavabit was targeted by the FBI in an attempt to gather information about Edward Snowden.
Lavabit subpoenaed with a gag order for the encryption keys to its users’ email contents. This would allow the FBI to access communications in real-time for all of Lavabit’s customers, not just Snowden’s.
Screenshot of the Lavabit case files released by the FBI; Snowden’s email address was mistakenly left unredacted.
The founder of the company, Ladar Levison, handed over the company’s encryption keys and shut down the service simultaneously. US authorities proceeded to threaten Levison with arrest, arguing that his actions violated the court order.
Similarly, Seattle-based VPN service Riseup was forced to collect user data for government authorities, and was also served with a gag order to stop them revealing this to their users.
HideMyAss, a VPN provider based in the UK, was also served with a court order to collect data and share this with authorities for a criminal investigation. This was not revealed until after the prosecution.
These are just examples of cases that have been made available to the public — it’s highly likely that there are other examples we don’t yet know about.
International surveillance agreements like the Five, Nine, and Fourteen Eyes Alliances allow member countries to take advantage of, as EFF puts it, “the lowest common privacy denominator.”
In other words, every participating country gets to benefit from the mass surveillance data the other members bring in.
The intelligence-sharing practices of these countries have wide implications for internet users and VPNs in particular. It is reasonable to assume that if any one of these nations gains access to your data, it can then be shared with other countries.
If a law expanding electronic surveillance capabilities is passed in one of these countries, it is as if the same legislation is passed in every country involved in the agreement.
This means there is a strong chance your activity is being collected and shared with an intelligence agency no matter where in the world you are.
Virtual Server Locations and Rented Servers
Some VPN services rent their servers from data centers to reduce operational costs. This makes running an international server network significantly cheaper than owning the servers outright.
While this can reduce a VPN provider’s overheads, it can be problematic in terms of privacy.
Rented VPN servers belong to the data center that is renting them out. It’s possible for the data center to keep logs of your activity regardless of the VPN company’s logging policy.
Depending on the jurisdiction of the data center, local authorities could also compel the server host to retain or share user data.
In this case, the jurisdiction and logging policy of the VPN company is useless. Local authorities can go directly to the server host to seize the information they need. You can learn more about rented VPN servers in our guide to virtual server locations.
Choosing a Safe VPN Jurisdiction
If you care about your privacy, we recommend that you choose a VPN service based outside of the Five, Nine, or Fourteen Eyes Alliances.
The countries involved in these alliances are much more likely to participate in invasive surveillance, data retention, and intelligence-gathering programs.
It is also likely that the most powerful nations in these alliances will be able to force other members into logging or other forms of cooperation.
When assessing a VPN’s jurisdiction, consider the following factors:
No connections to intrusive nations. Some governments are politically obliged or connected to more powerful, invasive countries. These international ties could jeopardize the privacy of your data.
A history of warrants and subpoenas. Avoid countries and governments with a history of online censorship or prosecution based on the contents of its citizens’ browsing logs.
Strong privacy and net neutrality laws. While net neutrality laws won’t directly affect your privacy, they do imply that the government has a relationship with ISPs and telecom providers that could hurt the consumer.
What Is a Privacy Haven?
It is generally recommended that you choose a VPN based in a country that is considered a “privacy haven”.
A privacy haven is a country with a legal and political environment that is friendly to the idea of online privacy. These countries rarely take part in mandatory surveillance, data retention, or data sharing agreements, and they often boast some of the world’s strongest privacy laws.
While these countries are not obliged to share user data with international authorities, they often lack the regulations necessary to ensure user data is properly protected, either. This means you could be compromising your security for privacy.
Countries often referred to as privacy havens include The British Virgin Islands, Panama, Seychelles, The Cayman Islands, and Malaysia.
Lots of VPN companies choose to register their businesses in these countries to ensure their service remains as private and secure as possible. Examples include ExpressVPN, NordVPN, and Astrill.
There are also some VPN services that have proven to be trustworthy despite operating in a “dangerous” jurisdiction. Private Internet Access (PIA), for example, could not provide data to the US government in an official court case, despite a subpoena for information.
There are a handful of truly no-logs VPN services that have passed real-life test cases or been audited by third parties. A VPN in a safe offshore jurisdiction simply adds additional protection, as there is less chance it can be compelled to hand over data to authorities.
Do VPN Services Need a Warrant Canary?
A warrant canary is a colloquial term for a regularly-published statement designed to prove that a service provider has not been contacted by a government agency or forced into sharing user data.
Data requests such as a “US National Security Letter” (NSL) typically come with a gag order that prevents the target company from disclosing the fact it has been compromised.
The goal of a warrant canary is to get around these legal restrictions and warn its users that their data may no longer be safe, without technically violating the court order not to do so.
Warrant canaries usually work by informing users that there has not been a court-issued warrant, gag order, or subpoena as of a certain date.
If the canary is not updated or if it is completely removed, users are to assume that speech prohibition has gone into place and the host has been served with a legal request.
A recent screenshot of NordVPN’s warrant canary.
Many VPN services choose to maintain a warrant canary to help convince users they can be trusted.
However, just because a VPN service maintains a warrant canary does not mean the service is private or secure. Likewise, many reliable and reputable services choose not to maintain a warrant canary as a matter of principle, as their efficacy is still contested amongst experts.
Some experts argue that governments can coerce companies into maintaining a canary even if they’ve been compromised, rendering the canary useless.
It is also possible that a compromised service would avoid changing their warrant canary to avoid losing customers. In this sense, many warrant canaries are nothing more than marketing theater from companies that don’t really care about user privacy.
Unfortunately, there is no way to know for certain whether a canary change is a true indicator of a court order. Users are forced to rely on speculation to decide what the meaning of a missing or changed canary is.
We recommend looking at warrant canaries as an additional, bonus feature once you’ve identified an otherwise trustworthy VPN service, rather than specifically looking for a VPN that has one.
The Five Eyes, 9 Eyes, and 14 Eyes Alliances
Most people think of the NSA when they think of bulk surveillance. In fact, almost every country has its own signals intelligence (SIGINT) agency.
These agencies focus on law enforcement, data collection, and counterintelligence by intercepting electronic signals and online communications. What’s more, they often work together.
The Five, Nine, and Fourteen eyes alliances are three of the most significant international intelligence agreements that carry out this kind of coordinated surveillance. They’re also the worst VPN jurisdictions in terms of privacy.
Here is a list of the main global surveillance entities you should be aware of:
1. The Five Eyes Alliance
The Five Eyes countries are the US, UK, Canada, Australia, and New Zealand.
This intelligence-sharing agreement can be traced back to WWII and the UKUSA agreement, which was originally devised as a partnership between the United States and United Kingdom.
Over the past few decades the treaty has grown in both members and reach. Member nations, known as the Five Eyes Alliance, now work together to collect, analyze, and share intelligence both domestically and internationally.
While Five Eyes countries have agreed to not spy on each other as adversaries, documents leaked by Edward Snowden revealed that the nations do monitor each other’s citizens and share this intelligence amongst themselves.
As well as sharing surveillance data among themselves, Five Eyes countries also work together to send and enforce data retention notices. This means that one nation can pressure another to hand over the logs of VPN users within their jurisdiction.
It should come as no surprise that many of the Five Eyes countries are amongst the worst abusers of digital privacy.
Here are some examples of five eyes countries and their anti-privacy laws:
United Kingdom. The UK government passed the Investigatory Powers Act in 2016, which compels UK ISPs and telecoms to record their users’ browsing activity, connection logs, and messages. This data is stored for 12 months and is available to UK government agencies and third parties without a warrant.
United States. The US government is a global leader in mass surveillance and data collection. Authorities are aided in this with the help of telecoms, tech companies, and ISPs, as seen in the PRISM program.In 2006, it was revealed that the US government was conducting warrantless surveillance of its citizens by tapping all traffic going through AT&T’s internet backbone. As of March 2017, US ISPs also have the authority to log user activity and sell this information for a profit.
Australia. Australia has implemented data collection laws similar to the UK. The law forces ISPs to monitor and record user metadata. This data is stored for two years and is accessible to authorities without a warrant. Police can also force companies to share access to encrypted messages without the user’s knowledge.
If you’re concerned about your privacy while using a VPN, the Five Eyes countries are considered to be the worst VPN jurisdictions possible.
ECHELON Surveillance System
The Five Eyes nations utilize ECHELON, a network of spy stations designed for global surveillance and data collection.
ECHELON can intercept data sent via telephones, faxes, and computers. ECHELON stations can track bank accounts and even intercept data sent to and from satellite relays. All of this data is stored in extensive databases that can keep millions of records on individuals.
Although evidence has been growing for almost 30 years, the US still denies that ECHELON exists, while the UK government has been consistently evasive.
The Nine Eyes Alliance is an extension of the Five Eyes Alliance. It is made up of a larger group of countries that also cooperate to share intelligence. This includes all the Five Eyes countries as well as France, Denmark, Norway, and The Netherlands.
The existence of the Nine Eyes Alliance became well-known following the revelations of Edward Snowden in 2013. It is essentially an extension of the Five Eyes agreement that cooperates to gather and distribute mass surveillance data.
While the four additional nations do not have domestic surveillance programs quite as extensive as the US, UK, or Australia, they still cooperate with each other and all five countries in the original alliance.
The Nine Eyes Alliance is an arrangement between SIGINT entities and is not officiated by any formal treaty.
3. The Fourteen Eyes Alliance
The Fourteen Eyes Alliance includes all members of the Nine Eyes alliance as well as Germany, Belgium, Italy, Sweden, and Spain.
The official name of the Fourteen Eyes alliance is the SIGINT Seniors of Europe (SSEUR), which has existed in various forms since 1982. Once designed to exchange military intelligence, it has now been expanded to include surveillance information on everyday citizens.
The SIGINT Seniors Meeting is held annually and attended by the leaders of SIGINT agencies including the BND, NSA, DGSE, GCHQ and more. These meetings provide a space for global intelligence leaders to discuss cooperation and development.
The SIGINT Seniors of the Pacific is a similar entity which was created in 2005. Member states include all of the Five Eyes countries as well as India, France, Singapore, Thailand, and South Korea.
Other notable countries including Israel and Japan are also believed to work closely with the 14 Eyes alliance and the NSA.
4. The European Union (EU)
The European Union is a collection of sovereign European nations. It is one of the largest and most powerful political and economic unions in the world, and is also problematic in terms of surveillance and data privacy.
While the European Union’s cooperative policies are nowhere near as far-reaching or invasive as those in the Five, Nine, and Fourteen Eyes Alliances, EU member states still engage in data-sharing agreements.
There are some exceptions to this rule. In 2009, the Constitutional Court of Romania (CCR) ruled that EU demands were a violation of Romanian citizens’ rights to privacy.
This makes Romania a safe haven of user privacy amongst EU nations, and helps explain why VPN services like CyberGhost might choose to base their operations there.
Some countries are more private than others, but there are plenty that cooperate with Five Eyes or SSEUR authorities and have a history of data sharing. This is worth keeping in mind when choosing a VPN based in an EU jurisdiction.
5. The Shanghai Cooperation Organization (SCO)
The Shanghai Cooperation Organization (SCO) — also known as the Shanghai Pact — is a Eurasian political and economic alliance between Russia, China, Pakistan, India, Kyrgyzstan Kazakhstan, Uzbekistan, and Tajikistan.
The SCO is primarily focused on its members’ national security, and generally works to fight extremism in its various forms.
Over the past few years, the SCO’s activities have expanded to include increased military cooperation, intelligence-sharing, and counterterrorism. It is highly likely that SCO member countries collect and share data in a similar way to Western intelligence alliances.
6. Highly-Censored Countries
Certain countries ban VPN usage and invade their citizens’ privacy regardless of international agreements.
The worst offenders for internet restriction include China, UAE, Turkey, Russia, Oman, Iraq, and Belarus, although this list is far from exhaustive.
Jurisdictions with close ties to these governments — such as Hong Kong — should also be avoided if you’re concerned about your data privacy.
For more information on the legality of VPNs and restrictions on their use, you can read our dedicated guide to VPN laws.
VPN Jurisdiction Comparison (80 Analyzed)
We checked the privacy policies of the most popular VPN services on the market. We found that a significant number of VPN providers are based in jurisdictions with the potential to put user data at risk.
We investigated 80 VPNs and found that:
59% of VPNs are based in a member state of the Five, Nine, or Fourteen Eyes Alliance. These countries are listed in red.
30% of VPNs are based in an EU member state or a country with suspected links to another invasive government. These countries are listed in amber.
11% of VPNs are based in “safe” jurisdictions outside the reach of privacy-abusing governments or international data-sharing agreements. These countries are listed in green.
The following table lists all 80 VPN services we investigated. It tells you their jurisdiction and whether or not they maintain a warrant canary.
If you’re searching for a specific VPN, use Ctrl+F to find the provider you’re looking for.