Five Eyes, Nine Eyes, 14 Eyes – Explained

As awareness of global surveillance grows, more people are looking for information about the Five Eyes, Nine Eyes, and 14 Eyes surveillance alliances. This guide is regularly updated with new information and gives you everything you need to know.

The terms “Five Eyes“, “Nine Eyes“, and “14 Eyes” often appear in the privacy community, especially when discussing VPNs and other privacy tools.

In short, these are just international surveillance alliances representing various countries around the world. These surveillance alliances work together to collect and share mass surveillance data with each other. This network has been spying on people for decades, with established policies going back to World War II, as we’ll discuss below.

The state agencies behind these efforts often work with internet service providers and other large tech companies to tap key infrastructure for data surveillance. This turns your internet provider, for example, into a local adversary that is spying on you for state agencies. And no, this is not a theory. These practices are well-documented in the PRISM surveillance documents and also the infamous Room 641a example with AT&T and the NSA. Fortunately, there are some simple solutions to keep your data safe that we’ll cover below.

In this guide we’ll explain all the different “X” eyes surveillance alliances and why this topic is important when choosing privacy tools. Here’s what we’ll cover:

1. Five Eyes
2. Nine Eyes
3. 14 Eyes
4. NSA and GCHQ cooperation within 5 Eyes
5. ECHELON surveillance system
6. The importance of avoiding 5 Eyes
7. Recommended privacy services (outside of 5 Eyes)
   • Secure email services
   • VPNs
   • Private search

So let’s get started.

Five Eyes

The Five Eyes (FVEY) surveillance alliance includes the following countries:

1. Australia
2. Canada
3. New Zealand
4. United Kingdom
5. United States

The history of this alliance goes back to WWII and the UKUSA Agreement, which was officially enacted after the war in 1946. This agreement formalized a partnership between the United Kingdom and the United States for gathering and sharing intelligence. The partnership continued throughout the Cold War and has only strengthened since the “Global War on Terror” kicked off in the early 2000s.

Edward Snowden brought renewed focus to the Five Eyes surveillance alliance in 2013 when he exposed the surveillance activities of the US government and its allies.

Below are the different “5 Eyes” surveillance agencies working together to collect and record your activities:

It is no surprise that some of the Five Eyes countries listed above are also the worst abusers of online privacy:

• United Kingdom – Since the passage of the Investigatory Powers Act in 2016, internet service providers and telecoms have been recording browsing history, connection times, and text messages. The data is stored for two years and is available to UK government agencies and their partners without any warrant.
• United States – The US government has been implementing Orwellian mass surveillance collection methods with the help of large telecoms and internet service providers (see the PRISM program). In March 2017, internet service providers were given the legal authority to record user activity and sell this to third parties. Of course, internet providers have been collecting data on their customers for many years, long before this law passed in 2017.
• Australia – Australia has also implemented sweeping data retention laws similar to the United Kingdom.

Broad authority among 5 Eyes countries

Whether it is the NSA in the United States or the GCHQ in the United Kingdom, the “5 Eyes” is home to the most powerful surveillance agencies in the world.

The other drawback with Five Eyes countries is that they have tremendous authority to force companies to record and hand over data. In the United States, the Patriot Act ushered in a new level of power for federal data collection, especially through the use of National Security Letters. We see these same trends unfolding in the UK, Australia, and other locations as well.

Nine Eyes

The Nine Eyes countries include:

• 5 Eyes countries +
• Denmark
• France
• Netherlands
• Norway

The existence of the Nine Eyes alliance is referenced in various sources online and became well-known following the Snowden revelations in 2013. It is just an extension of the Five Eyes alliance with similar cooperation to collect and share mass surveillance data.

14 Eyes

The 14 Eyes surveillance countries include:

• 9 Eyes countries +
• Germany
• Belgium
• Italy
• Sweden
• Spain

As before, the original surveillance agreement was extended to these other countries. The official name of this group of countries is referred to as SIGINT Seniors Europe (SSEUR).

NSA and GCHQ cooperation within 5 Eyes

Various government document releases, which have come out through official FOIA channels, reveal the close relationship between the NSA and GCHQ. Being the two most powerful surveillance entities in the world, with historical ties, it is no surprise that they work closely together.

A top-secret NSA document from 1985, which was released in 2018 via a FOIA request, reveals the close cooperation continues today, based on the broadly-written UKUSA Agreement:

The UKUSA Agreement, dated 5 March 1946, has twelve short paragraphs and was so generally written that, with the exception of a few proper nouns, no changes to it have been made. It was signed by a UK representative of the London Signals Intelligence Board and the U.S. Senior Member of the State-Army-Navy Communications Intelligence Board (a predecessor organization which evolved to be the present National foreign Intelligence Board). The principles remain intact, allowing for a full and interdependent partnership. In effect, the basic agreement allows for the exchange of all COMINT results including end product and pertinent collateral data from each pattern for targets worldwide, unless specifically excluded from the agreement at the request of either party.

Another top-secret NSA document from 1997 (officially released in 2018) further elaborates on the close cooperation between the NSA and GCHQ:

Some GCHQ [redacted] exist solely to satisfy NSA tasking. NSA and GCHQ jointly address collection plans to reduce duplication and maximize coverage through joint sites and cross-tasking, despite site closures.

With the reference to “joint sites” above, it’s important to discuss ECHELON.

ECHELON surveillance system

ECHELON is a network of spy stations utilized by Five Eyes countries for large-scale espionage and data collection. The Guardian described ECHELON as follows:

A global network of electronic spy stations that can eavesdrop on telephones, faxes and computers. It can even track bank accounts. This information is stored in Echelon computers, which can keep millions of records on individuals.

Officially, however, Echelon doesn’t exist. Although evidence of Echelon has been growing since the mid-1990s, America flatly denies that it exists, while the UK government’s responses to questions about the system are evasive.

Despite these denials, there have been whistleblowers who have confirmed what’s going on behind the scenes. Both Perry Fellwock and Margaret Newsham came forward to document various aspects of ECHELON to the public.

The importance of avoiding 5 Eyes

While there are privacy concerns with countries in 9 and 14 Eyes alliances, the big one to avoid is the Five Eyes (US, UK, Canada, Australia, and New Zealand). Therefore, when data security is critical, simply avoid the Five Eyes.

Some people say concerns about these surveillance jurisdictions are overblown or misguided, and that it really doesn’t matter. You often hear this argument from VPN companies (and their marketers) that are based in the US or Canada, for example. This line of thinking is misinformed and ignores reality.

There are many examples proving the risks associated with privacy-focused companies operating in Five Eyes jurisdictions. Here are just a few that we’ve discussed before on Restore Privacy:

1. Riseup, a Seattle-based VPN and email service, was forced to collect user data for government agents and was also hit with a “gag order” to prevent any disclosure to their users. (They also could not update their warrant canary.)
2. Lavabit, another US-based email service, was basically forced to shut down after the US government demanded encryption keys and full access to user emails. (Rather than comply, the owner closed the business.)
3. IPVanish, a US-based VPN service, was forced to collect user data for an FBI criminal investigation, all while claiming to be a “no logs VPN” and not alerting their users to what was happening. (See the IPVanish logs case.)
4. HideMyAss, a UK VPN service was also ordered by a court to collect user data and hand this over to authorities for a criminal investigation. News about this came out after-the-fact.

These are just a few cases that have publicly come to light, but you can be sure there are other examples we don’t know about.

Secret demands for user data + gag orders = privacy nightmare

As we can see from these examples, when authorities compel businesses to collect and hand over data, they usually serve them with a gag order as well. This is done through National Security Letters and prevents the business from disclosing any information to their customers.

These laws basically give the government the authority to compel a legitimate privacy-focused company to become a data collection tool for state agencies, without any warning or notification. Even warrant canaries are ineffective and illegal in places like the United States.

Ignoring the jurisdiction of a privacy-focused business is foolish and ignores these well-documented risks.

Recommended privacy services (in good jurisdictions)

One of the main purposes of Restore Privacy is to test, research, and recommend privacy and security tools that meet specific criteria. Given our emphasis on data security and trust, jurisdiction is a key factor we consider.

In terms of jurisdiction, our main concern is avoiding Five Eyes countries. After all, some of the 9 and 14 Eyes countries do indeed have strong privacy laws, especially in comparison to the US and UK.

Secure email outside Five Eyes

Using a secure and private email service in a safe jurisdiction is a no-brainer. Consider this:

• Gmail was found to be giving third parties full access to user emails and also tracking all purchases via receipts in your inbox.
• Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
• Yahoo was found to be scanning emails in real-time for US surveillance agencies.

Alternatives – Here are some of our favorite secure email services:

1. ProtonMail review (Switzerland)
2. Tutanota review (Germany)
3. Mailbox.org review (Germany)
4. Posteo review (Germany)
5. Mailfence review (Belgium)
6. Runbox review (Norway)
7. Countermail website (Sweden)
8. CTemplar website (Iceland)
9. KolabNow website (Switzerland)

All of our email reviews are here.

Best VPNs outside Five Eyes

As mentioned above, internet service providers are actively collecting data for government agencies around the world. They do this by either actively snooping on connections simply recording all your DNS requests. Additionally, advertisers and other third-parties will track and record your online activity that is tied to your unique IP address.

A good VPN service is crucial for this situation. A VPN encrypts all your traffic between your computer/device and the VPN server you are connected to. Not only does this make your traffic and online activities completely unreadable to your ISP and other third parties, it also effectively hides your IP address and location.

Here are the best VPNs for 2020 that are located in privacy-friendly jurisdictions:

1. ExpressVPN (British Virgin Islands)
2. NordVPN (Panama)
3. Surfshark (British Virgin Islands)
4. VPN.ac (Romania)
5. Perfect Privacy (Switzerland)
6. OVPN (Sweden)
7. ProtonVPN (Switzerland)
8. Trust.Zone (Seychelles)

We do our best to keep the VPN reviews updated to reflect the latest test results, company changes, and new features.

Note: Some people are worried about logs and data collection with VPNs. Fortunately, there are a few verified no logs VPNs that have undergone independent audits to confirm their no-logs policies:

1. ExpressVPN has undergone an independent third-party audit performed by PricewaterhouseCoopers. This confirmed the no-logs policy and also verified ExpressVPN’s TrustedServer feature, which is to run all VPN servers in RAM-disk mode, making it impossible to store any logs on the servers.
2. NordVPN was also audited to PwC AG in Zurich, Switzerland to confirm essential privacy-protection measures and the no-logs policy. NordVPN has committed to annual third-party audits, while also undergoing independent security audits and penetration testing carried out by Versprite.

Private search engines outside Five Eyes

Most of the big search engines, such as Google, record all your search queries and then link this to your identity and data profile, so you can be hit with targeted ads. Unless you want to give Google and its partners all your search activities, consider using alternatives.

Here are some private search engines you may want to consider:

1. MetaGer (Germany)
2. Swisscows (Switzerland)
3. Searx (open source, no jurisdiction)
4. Qwant (France)

For additional tools and tips, see the main privacy tools page.

Trust and jurisdiction

In the end, jurisdiction is just one of many factors to consider when selecting reliable privacy tools for your unique needs. How much it matters depends on your own circumstances, particularly your threat model and the types of adversaries you are looking to protect yourself against.

For those seeking higher levels of privacy and security, jurisdiction is indeed important, especially when you consider the growing power of governments to force companies to hand over data and log users.

Trust is also a major factor you should consider. After all, a VPN can operate in a “good” overseas jurisdiction, yet still lie to customers and provide data to government agencies. Take for example PureVPN, a “no logs” service based in Hong Kong that gave US authorities connection logs for a criminal case.

This is where trust is key. Fortunately, to strengthen trust, more privacy-focused businesses are undergoing independent audits and third-party verifications. In addition to the VPN audits we mentioned above, we also see this trend with password managers and occasionally with secure email services.

Good luck and stay safe!

Revised and updated on September 3, 2020.