If you’ve ever used a VPN, or are concerned about online privacy, you’ve probably stumbled across references to “Five Eyes,” “Nine Eyes,” and “14 Eyes.”
But what exactly do these surveillance alliances do? And can they affect the security of your VPN service?
Despite the official name, UKUSA agreement consists of five countries. They are the UK, US, Canada, Australia, and New Zealand. The deal has its origins in a World War II intelligence-sharing agreement between Britain and America.
Five Eyes has given birth to many of the most notable privacy scandals in recent years, including PRISM, XKeyscore, and Tempora.
Today, its powers are scarily wide-ranging. According to the Electronic Frontier Foundation, the five governments can force any “communications service provider” (including ISPs, social media platforms, email providers, cell phone networks, and more) to:
- Insert malware on its users’ devices.
- Ignore existing laws in pursuit of Five Eyes directives.
- Interfere with people’s user experience.
- Provide governments with new product designs in advance.
- Provide user information as requested in secret warrants.
What Is Nine Eyes?
Nine Eyes is another intelligence sharing agreement. It’s grown out of the original Five Eyes alliance. It includes all the Five Eyes members, plus Denmark, France, the Netherlands, and Norway.
Its powers and dedication to information sharing is broadly the same as the Five Eyes agreement.
What Is 14 Eyes?
The 14 Eyes agreement adds a further five countries to the list: Germany, Belgium, Italy, Spain, and Sweden.
Interestingly, both France and Germany have been close to becoming full Five Eyes members in 2009 and 2013 respectively. The two agreements both fell through for various reasons.
Lastly, it’s important to mention Israel and Singapore. Israel reportedly enjoys observer status with the main Five Eyes group, while Singapore has partnered with the group but is not an official member.
What Does This Mean for VPNs?
Given the sweeping powers granted by the three agreements, what impact does it have on your VPN service?
It’s all a question of jurisdiction. When talking about a VPN provider’s jurisdiction, there are three things to consider:
- Local laws: Some countries outright ban VPN usage.
- Company location: The state in which the VPN provider is registered and has its physical offices.
- Server location: VPN providers typically offer servers in many different countries.
From a surveillance perspective, the two things you need to worry about are the company location and the company servers.
A VPN provider with either a physical address, or servers in the countries listed, could be compelled to hand over any information it has, including connection logs and browser traffic. The country might even monitor a VPN server’s inbound and outbound traffic. Worse still, the governments can forbid the provider from even notifying the affected customers; you lose the chance to respond to the invasion of privacy.
And, of course, due to the very nature of the agreements, once your information has been acquired by one country, it’s in the system. Ultimately, it could be shared with the other countries if they request it.
If security is your main priority, you shouldn’t use a VPN that’s domiciled in one of the Five, Nine, or 14 Eyes countries. Nor should you connect to servers in one of those countries using a VPN provider from a non-14 Eyes member.
If you really need to use a VPN provider from one of the Five, Nine, or 14 Eyes member countries (for example, due to a unique feature), make sure you select one that explicitly does not keep logs. However, not even that can adequately protect you.
For example, you don’t need to look any further than the once-popular US-based email provider, Lavabit.
When the FBI found out Edward Snowden had used the service, it requested the company’s logs. The company did not keep logs, so the FBI instead issued a subpoena for the SSL keys. The keys would have given the FBI access to metadata and unencrypted content for all Lavabit users.
To its credit, rather than hand over the information, Lavabit opted to shut down. You cannot be so confident that your VPN provider would be equally willing to fall on its sword.