VPN’s and the 14 Eyes Government Surveillance Alliances



TechViews News   …..

For anyone considering the use of a VPN, the privacy of their actions online is clearly a concern. While a VPN can certainly help to preserve browsing privacy and protect your data from advertisers and malicious agents, they are not the be-all and end-all of online anonymity. While a VPN offers a good deal of privacy and protection from external agents, by international agreement VPN providers can still legally access and store your data and browsing details internally.

What is the 14 Eyes Surveillance Alliance?

Most people are not aware of the 14 Eyes Government Surveillance Alliance. Actually, the alliance is comprised of three levels international cooperation. Commonly called ‘The 5-9-14 Eyes Alliance’, the “Eyes” indicate the number of countries involved in a sharing alliance for data collected on its country’s citizenry.

Any VPN provider in a 5, 9 or 14 Eyes jurisdiction can be legally compelled to provide whatever stored data they have to their country’s intelligence agencies, and often have frameworks in place to bypass the need to ask – frameworks which can also be exploited by malicious third parties.

The primary foundation is the UKUSA Sharing Agreement, the official name given in 1946 to what had begun as an informal agreement between the UK and USA in 1941. The UK’s Investigatory Powers Act of 2016 gives sweeping powers to UK government agencies, granting the rights to access to users’ personal data without warrant; and ISPs in the United States have recently been given the right to record and sell user activity to any third party. Awareness of which jurisdiction a VPN provider falls under is vital for any VPN user with concerns about protecting their data.

5 Eyes Jurisdiction

  1. United States
  2. United Kingdom
  3. Canada
  4. Australia
  5. New Zealand

The Five Eyes or FVEY Alliance is an extension of the UKUSA Agreement. While it was originally a treaty to share critical electronic signals intelligence after the Second World War, through the cold war and the war on terror, the agreement grew to include Canada, Australia and New Zealand. And, of course, it grew in scope as technology advanced.

Snowden’s revelations brought to light how these agreements are being used to collect and share data on countries’ own citizens, and how laws protecting people from being spied on by their own government can be circumvented by allowing a cooperative foreign power to do it and then share the data.

When choosing a VPN – especially for a citizen of a 5 Eyes country – the best option for privacy is to be found outside of the Eyes alliances. Many VPN providers store data, and as with all things online no security measures are impregnable.

VPN users must be aware that if their VPN service is registered in a 5 Eyes country, it falls under the jurisdiction of that country’s surveillance agency – complete with all the legal rights and tools to access any data held by or stored on that network.

It’s also important to remember the significance of allies and cooperative countries; nations which are not explicitly part of the 5, 9 or 14 Eyes groups can still be cooperative with requests for data. America’s Pacific allies, like Singapore, South Korea and Japan have a close relationship with the 5 Eyes, and Israel is known to work closely with the NSA. The British Overseas Territories, as well, have legal obligations to the UK and may be required to share intelligence or surveillance information even if they operate independently.

9 Eyes Jurisdiction

5 eyes, plus:

  1. Denmark
  2. France
  3. Netherlands
  4. Norway

The 9 Eyes alliance is an extension of 5 Eyes, including the original 5 – USA, UK, Canada, Australia and New Zealand – as well as Denmark, France, The Netherlands and Norway. While 9 Eyes countries don’t have such an intimate level of cooperation and mutual information sharing as the core 5 Eyes countries, there is still extensive data sharing, especially to the US.

Whereas FVEY allows a mutual access to citizens’ data across the participating countries, the 9 Eyes countries have a less equal role. Programs like RAMPART-A, reported in Denmark’s Dagbladet Information and The Intercept, provide the NSA access to key communication networks and allow it to intercept almost all forms of digital communication – telephone, fax, e-mail, internet chats and VoIP services, including data from VPNs originating in the participating country.

In exchange, the foreign partner is granted access to resources, equipment and assistance from the NSA to surveil the data entering and leaving the country. This is granted on condition that the 9 Eyes agencies will not collect any data on US citizens, leaving the NSA with the ‘better deal’, but more importantly meaning that citizens of the participating countries can expect to have their data accessible to both their own government and those of the 5 Eyes alliance.

While 9 Eyes countries have a somewhat more restrictive relationship than the 5 Eyes countries do, there is still extensive cooperation and data sharing, and it’s a safe bet that any information that Denmark, France, Norway or The Netherlands have access to is also accessible to the NSA. It’s especially important for VPN users to be aware that RAMPART-A and similar schemes allow for the collection of VPN data, greatly compromising the privacy and security of VPNs based in these countries.

14 Eyes Jurisdiction

9 eyes, plus:

  • Germany
  • Belgium
  • Italy
  • Spain
  • Sweden

The 14 Eyes alliance is another layer of the Eyes groups, including all previous countries of the 5 and 9 Eyes as well as Germany, Belgium, Italy, Spain and Sweden. 14 Eyes is one more step removed from the close cooperation of the 5 and 9 Eyes alliances, to the point that a Belgian telecommunications company has been targeted in a cyber-attack by GCHQ, the British equivalent of the NSA.

Although the 14 Eyes countries have a more distant working relationship, the alliance is more officially recognized than the 9 Eyes group, and Snowden’s documents identify the alliance as SIGINT Seniors Europe, or SSEUR. The exact nature of the agreement between the participating countries is less clear than the 9 Eyes alliance, but it is known that at least Sweden and Germany have access to the NSA’s XKEYSCORE, an internet data analysis and surveillance tool.

Sweden has even informally been called ‘the Sixth Eye’. Its importance to the NSA derives from the amount of eastern European and Russian electronic traffic that passes through the country.

Even if the 14 Eyes countries do not, in general, have as close ties to the NSA as the 9 Eyes countries do, users in the participating countries should still regard their data as vulnerable and, if not directly shared with the US, at least likely to be easily obtained by 5 Eyes countries. 14 Eyes governments are very likely to be compliant with requests made by the NSA and other surveillance agencies, so a VPN from a 14 Eyes country will not offer full protection, especially if the VPN provider stores browsing data.

VPN providers that are located in non-14 Eyes countries (Highly recommended)

With so many VPN services on the market, it can be time-consuming and frustrating to sift through feature-lists and review scores only to find that what seems like the ideal VPN is based in a 14 Eyes country.

I have included informative reviews on some of the best VPN providers provided by the respected thebestvpn.com, which are registered outside of the 14 Eyes and EU compliant partners:

  1. ExpressVPN (British Virgin Islands): Read review
  2. NordVPN (Panama): Read review
  3. CyberGhost (Romania): Read Review
  4. PureVPN (Hong-Kong): Read review
  5. Ivacy (Singapore): Read review
  6. Hide.me (Malaysia): Read review
  7. Astrill VPN (Seychelles): Read review
  8. VPNArea (Bulgaria): Read review
  9. Trust.Zone (Seychelles): Read review
  10. iVPN (Gibraltar): Read review
  11. VyprVPN (Switzerland): Read review
  12. ProtonVPN (Switzerland): Read review

Conclusion – Should you be worried?

Anyone considering their VPN options hardly needs to be told to “be careful”; anyone seriously considering a VPN must already be motivated by care and caution over their online privacy.

No VPN is going to be perfect; many fast performance VPN services (like HotSpot Shield) are likely to be based within the Eyes security alliances, and even many of the countries outside of those jurisdictions are compliant and cooperative with the intelligence agencies’ demands. This doesn’t mean it’s a lost cause or there’s no point trying to protect yourself, however. As with all things related to online security, while you cannot eliminate all threats, the more threats you can mitigate the better.

For the best possible protection, it is recommended to choose not only a VPN outside of the Eyes alliances, but to choose one that does not keep activity logs on its users – and even then, to only connect to servers which themselves are outside of the 5, 9 and 14 Eyes’ jurisdictions. For many users, following these guidelines at all times will be impractical, but as long as users stay aware of these best practices, as well as where and whether their browsing data is being stored and who can gain access to it, the right VPN can go a long way to restoring online privacy.

Clearly, the use of VPNs has value, but not to the level of privacy we think.

Be Safe – Backup Your Data Regularly!


And don’t forget to take advantage of our FREE subscription to the TechViews News Updates. You will receive all of our updates and posts the moment they are published.