When it comes to picking the right VPN provider, jurisdiction is important.
By jurisdiction, we mean where the company providing a VPN is actually based, not where its servers are located (although this matters too).
This is crucial for a number of reasons, but the major issue is state surveillance. You may not be aware of it, but security agencies in most developed nations have the ability to snoop and monitor almost everything you do. And they use these powers to the full, as the NSA scandals showed. It would be foolish to think that VPNs are immune to their intrusive activities.
Globally, the most powerful state surveillance agencies have combined into a series of alliances known as the 5 eyes, 9 eyes, and 14 eyes alliances. These groupings have major implications for VPN users, so let’s explore them in more depth.
5 eyes alliance
The full five eyes list includes:
It emerged from the UKUSA security agreement, signed in 1941, and has been updated for the digital age.
The idea behind the agreement was to ensure that Cold War allies cold share SIGINT (signal intelligence) seamlessly. And the treaty also sought to keep this information sharing under wraps, remaining secret to the public until 2005.
Why was the 5 eyes agreement kept hidden from the people? Well, we still don’t know the full story and the scope of information gathering carried out under the terms of the alliance, but the implication is that the USA and its allies were engaged in detailed surveillance and intrusive activities which electorates would find controversial. This may have included the ECHELON and STONEGHOST systems, which tapped into electronic communications across the world.
Given recent controversies regarding the NSA’s information-gathering strategies, those concerns are still very real.
9 eyes alliance
We’ve looked at the famous 5 eyes countries, but if you’ve been searching around for a VPN, there’s a good chance that you’ve also come across the 9 eyes countries, too. This is where understanding your VPN jurisdiction can get confusing, so it’s useful to be clear about who is in which “eyes” list.
Here’s the full 9 eyes list for reference:
- 5 eyes countries
Essentially the 9 eyes network is an extension of the 5 eyes group, and there is a debate about how formalized its structures are, and how powerful it is.
The main reason we are having this debate is down to one man: Edward Snowden. When he went public with his revelations about the NSA back in 2013, Snowden lifted the veil from the NSA’s global surveillance structures, confirming the existence of the 5 eyes list.
According to Snowden, the original 5 eyes remain a privileged group, in that the members are not supposed to target each other. So, there should be no wiretapping by the USA of UK government meetings, and Australian ministers should be free to use the web without their activities being logged by the NSA.
These safeguards don’t apply as rigorously to the 9 eyes countries, who are often referred to as “third parties.” However, because they have signed up to working groups in the Eyes system, 9 eyes participants do tend to enjoy greater protections and access to information than other nations around the world.
14 eyes alliance
As with the 9 eyes countries, the 14 eyes list includes:
- 5 & 9 eyes countries
This alliance also emerged directly from the Cold War and NATO structures, being christened the “SIGINT Seniors Europe” grouping. But it is much more loosely integrated into the circuits of global intelligence sharing than countries in the core alliance.
In fact, this has led to some friction, with Germany demanding greater access to intelligence data. In 2015, allegations emerged about the NSA spying on German government meetings, so it’s easy to see why they would want the protection from mutual spying that being in the 5 eyes provides.
However, the core nations have sought to protect their privileges, leading some of the 14 eyes countries to go their own way. In August 2018, the Germans announced a major new cybersecurity initiative along the lines of America’s DARPA, with the aim of establishing digital independence from the USA/UK.
Recent years have also seen the rise of “Pirate Parties” in nations like Sweden, which prioritize digital freedom and privacy, making governments less inclined to strengthen their ties to bodies like the NSA.
All eyes on VPN: using VPNs based in alliance member states
How do the 5 eyes countries relate to VPN users?
In recent years, 5 eyes governments have passed numerous laws which should concern VPN users.
For instance, the UK’s Investigator Powers Act empowered GCHQ to collect the following:
- Data on users’ browsing habits
- How long users spend connected to certain sites
- Users’ SMS messages
These nations have also beefed up their powers to force ISPs to hand over data regarding individual users, again using national security as an excuse. And ISPs have tended to comply, adding backdoors when asked which allow security agencies to access the flow of consumer data.
Most importantly, governments have recognized the increasing usage of VPNs and taken steps to neutralize the threat they pose. Experts now generally advise users to avoid companies based in 5 eyes nations and to exercise caution when using servers located in these nations.
Do the 5 eyes nations work alone?
If the intrusive operations permitted by the UKUSA treaty were the only global surveillance network, life would be easier for VPN users. However, the core alliance doesn’t operate on its own. It has also gathered a series of satellite partners, that supplement its intelligence-gathering capabilities:
- South Korea
- British Overseas Territories
Israel operates hand in glove with the US government, providing and requesting security information on individuals of interest. It also has a thriving tech sector where cybersecurity is a major growth area. So users should be cautious about using Israeli VPNs and servers.
Other partners include Asian nations like Singapore, Japan, and South Korea. All of these countries came under the US sphere of influence during the Cold War, and retain intelligence sharing systems with Washington. The same applies to British Overseas Territories like Bermuda or the Cayman Islands. Any VPN based in those territories should be viewed with caution.
Are worries about the Five Eyes countries exaggerated?
While the intelligence-gathering abilities of Washington and GCHQ are formidable, they are generally focused on specific security threats and interests, not everyday web users.
- For many of us, government intrusion is less worrisome than the threat of cyber-crime and theft, and your VPN jurisdiction doesn’t matter too much when facing down these threats.
- Secondly, the 5 eyes countries haven’t taken direct steps to regulate VPNs. Their efforts are focused more on ISPs and conventional traffic, along with cellphone networks. VPNs currently have very few requirements regarding data retention. If they state that they keep logs (or fail to make it clear that they don’t), that’s their decision, not the state’s.
- VPNs based in 5 eyes nations also tend to be transparent about their identity and how to reach them – in keeping with the regulatory environment in places like the UK, Australia or Canada. This needs to be balanced against non-5 eyes operators, who can sometimes be very hazy about who they are, and how they work.
So there’s room to question how dangerous the 5 eyes is when choosing a VPN jurisdiction. But bear in mind that we simply don’t know the full scope of how VPNs interact with bodies like the NSA, and given the past history of governments, there’s a decent chance that VPNs in 5 eyes countries have working relationships with spooks.
Key VPNs in the 5 eyes list
It might be handy to know a few popular VPNs that are based in 5 eyes nations, so here’s a quick list:
|VPN provider||Based in:|
|RogueVPN (no longer active)||Canada|
Additionally, SaferVPN is based in Israel, while ExpressVPN is based in the British Virgin Islands, a UK overseas territory.
Should you worry if your VPN jurisdiction is on the 9 eyes list?
Here’s another area where things get interesting. On one hand, third parties on the 9 eyes list tend to have less intrusive surveillance agencies than the 5 eyes. So they should be more trustworthy as hosts for VPN providers. And plenty of VPNs have set up in these countries, such as GooseVPN (in the Netherlands) or ActiVPN (in France).
However, if you scroll through a list of the world’s most trusted VPNs, you’ll probably notice that many aren’t based in 9 eyes countries. The same security concerns apply to 9 eyes jurisdictions as to those in the five eyes list. VPNs located in places like Norway or France are liable to be subpoenaed by the FBI or other agencies, forcing them to either release logs or hand over encryption key data.
Of course, you need to bear in mind that the risk is low for everyday users, but if you are using a VPN for sensitive business or political communications, the 9 eyes alliance is just as perilous as the core 5 eyes nations. In fact, given that the 5 eyes nations have an agreement not to spy on each other, there may be a higher probability of VPNs in third party nations being compromised.
As with 5 eyes nations, this tends to lead experts to advise those in need of the best possible security protection to avoid a VPN jurisdiction in the 9 eyes network.
Some popular VPNs in the 9 eyes countries include:
|VPN Provider||Based in:|
Is it dangerous to use a VPN based in 14 eyes countries?
The answer to this question is exactly the same as with the other alliances. Yes, it tends to be riskier to use VPNs based in 14 eyes countries than those outside the alliance.
There have been cases of these informal information-sharing networks being used to issue DMCA notices from US-based corporations, targeting file-sharers in other jurisdictions. And anyone in a 14 eyes nation can expect the same kind of intrusion from state surveillance agencies, making them dangerous for transmitting sensitive information.
However, as we stressed above, these risks are relative.
In general, 14 eyes countries will be slightly more autonomous where privacy is concerned than their partners in the core alliances. And for ordinary users, the risks are small.
For reference, here are some major VPNs based in the 14 eyes countries:
|VPN provider||Based in:|
|Avira Phantom VPN||Germany|
|Steganos Online Shield||Germany|
Should I use a VPN based outside the 14 eyes list?
By now, you’re probably asking yourself whether you should always look for VPNs based outside the 14 eyes umbrella. There are certainly plenty of good reasons to do so.
Most importantly, VPNs located outside the core nations will be much more tightly protected against legal challenges and state surveillance originating in the USA. So if you intend to work around geo-blockers or torrent large amounts of data, they could be the right option to go for.
This is especially important if you are worried about protecting personal communications from the eyes of the state. If privacy is your major concern, choosing a VPN jurisdiction outside the 14 eyes is essential.
So, where should you look? Given that the world now has over 200 nations, there shouldn’t be any lack of contenders.
Leading VPNs that operate outside the 5/9/14 eyes systems
|VPN provider||Based in:|
Generally, VPNs in countries like Switzerland or Panama will deliver enhanced protection against snoopers, especially if they offer techniques like “multi-hop” transmission. But always remember that if you use servers in 14 eyes jurisdictions, the advantages of these VPNs will be nullified.
So when choosing your next VPN, take jurisdiction into account. It’s a key part of ensuring online security, so it pays to keep your eyes open and exercise caution.