If you’ve ever used a VPN, or are concerned about online privacy, you’ve probably stumbled across references to “Five Eyes,” “Nine Eyes,” and “14 Eyes.”
But what exactly do these surveillance alliances do? And can they affect the security of your VPN service?
What Is Five Eyes?
Five Eyes is a nickname for the United Kingdom–United States of America Agreement (UKUSA).
Despite the official name, UKUSA agreement consists of five countries. They are the UK, US, Canada, Australia, and New Zealand. The deal has its origins in a World War II intelligence-sharing agreement between Britain and America.
Five Eyes has given birth to many of the most notable privacy scandals in recent years, including PRISM, XKeyscore, and Tempora.
Today, its powers are scarily wide-ranging. According to the Electronic Frontier Foundation, the five governments can force any “communications service provider” (including ISPs, social media platforms, email providers, cell phone networks, and more) to:
- Insert malware on its users’ devices.
- Ignore existing laws in pursuit of Five Eyes directives.
- Interfere with people’s user experience.
- Provide governments with new product designs in advance.
- Provide user information as requested in secret warrants.
What Is Nine Eyes?
Nine Eyes is another intelligence sharing agreement. It’s grown out of the original Five Eyes alliance. It includes all the Five Eyes members, plus Denmark, France, the Netherlands, and Norway.
Its powers and dedication to information sharing is broadly the same as the Five Eyes agreement.
What Is 14 Eyes?
The 14 Eyes agreement adds a further five countries to the list: Germany, Belgium, Italy, Spain, and Sweden.
Interestingly, both France and Germany have been close to becoming full Five Eyes members in 2009 and 2013 respectively. The two agreements both fell through for various reasons.
Lastly, it’s important to mention Israel and Singapore. Israel reportedly enjoys observer status with the main Five Eyes group, while Singapore has partnered with the group but is not an official member.
What Does This Mean for VPNs?
Given the sweeping powers granted by the three agreements, what impact does it have on your VPN service?
It’s all a question of jurisdiction. When talking about a VPN provider’s jurisdiction, there are three things to consider:
- Local laws: Some countries outright ban VPN usage.
- Company location: The state in which the VPN provider is registered and has its physical offices.
- Server location: VPN providers typically offer servers in many different countries.
From a surveillance perspective, the two things you need to worry about are the company location and the company servers.
A VPN provider with either a physical address, or servers in the countries listed, could be compelled to hand over any information it has, including connection logs and browser traffic. The country might even monitor a VPN server’s inbound and outbound traffic. Worse still, the governments can forbid the provider from even notifying the affected customers; you lose the chance to respond to the invasion of privacy.
And, of course, due to the very nature of the agreements, once your information has been acquired by one country, it’s in the system. Ultimately, it could be shared with the other countries if they request it.
TFW you bank hates freedom and puts a hold on your card the SECOND you renew your vpn service for another year because it is (intelligently) based outside of Five Eyes countries.
— Jessica K (@Renessa47) March 29, 2018
If security is your main priority, you shouldn’t use a VPN that’s domiciled in one of the Five, Nine, or 14 Eyes countries. Nor should you connect to servers in one of those countries using a VPN provider from a non-14 Eyes member.
If you really need to use a VPN provider from one of the Five, Nine, or 14 Eyes member countries (for example, due to a unique feature), make sure you select one that explicitly does not keep logs. However, not even that can adequately protect you.
For example, you don’t need to look any further than the once-popular US-based email provider, Lavabit.
When the FBI found out Edward Snowden had used the service, it requested the company’s logs. The company did not keep logs, so the FBI instead issued a subpoena for the SSL keys. The keys would have given the FBI access to metadata and unencrypted content for all Lavabit users.
To its credit, rather than hand over the information, Lavabit opted to shut down. You cannot be so confident that your VPN provider would be equally willing to fall on its sword.
VPNs in Surveillance Countries: Which to Avoid
A surprising number of mainstream VPN providers have their headquarters in one of the participating countries. Here are a few popular ones to watch out for:
- Hotspot Shield
- Private Internet Access
To reiterate, these services aren’t necessarily bad. If your main reason for using a VPN is to circumvent geo-blocking on Netflix and other online services, you might have no choice but to sign up.
However, if you want a VPN for its security benefits, you should look elsewhere.
Which VPNs Do We Recommend?
If you want to avoid a VPN company that’s located in either a Five, Nine, or 14 Eyes territory, MakeUseOf recommends either ExpressVPN or CyberGhost.
Express VPN is based in the British Virgin Islands and thus is not subject to any of the three surveillance sharing agreements.
Other key features include an automatic kill switch (to prevent VPN leaks), split tunneling, service-wide encryption, zero-knowledge DNS, and 148 server locations across 94 countries.
CyberGhost is a Romanian company and, therefore, is also not subject to the 14 Eyes information sharing requirements.
You’ll have access to unlimited bandwidth and traffic, DNS and IP leak protection, 256-bit AES encryption, support for OpenVPN, L2TP-IPsec, and PPTP protocols, and simultaneous connections on up to seven devices at the same time.
Both providers have servers in the US and UK, meaning you can still use them to access localized websites and services. Just remember to switch back to a non-14 Eyes country as soon as you no longer need access to the geo-blocked content.
Learn More About VPNs
If you take away one thing from this article, learn to value the importance of thorough research. Many VPN providers are quick to profess how wonderful they are; if you look at each provider’s homepage, you will find it difficult to unearth the differences. However, dig a little deeper, and you’ll soon discover that some providers are much more secure than others.
Image Credit: antonprado/Depositphotos