As awareness of global surveillance grows, more people are looking for information about the Five Eyes, Nine Eyes, and 14 Eyes surveillance alliances. This guide is regularly updated with new information and gives you everything you need to know.
The terms “Five Eyes“, “Nine Eyes“, and “14 Eyes” often appear in the privacy community, especially when discussing VPNs and other privacy tools.
In short, these are just international surveillance alliances representing various countries around the world. These surveillance alliances work together to collect and share mass surveillance data with each other. This network has been spying on people for decades, with established policies going back to World War II, as we’ll discuss below.
The state agencies behind these efforts often work with internet service providers and other large tech companies to tap key infrastructure for data surveillance. This turns your internet provider, for example, into a local adversary that is spying on you for state agencies. And no, this is not a theory. These practices are well-documented in the PRISM surveillance documents and also the infamous Room 641a example with AT&T and the NSA. Fortunately, there are some simple solutions to keep your data safe that we’ll cover below.
In this guide we’ll explain all the different “X” eyes surveillance alliances and why this topic is important when choosing privacy tools. Here’s what we’ll cover:
- Five Eyes
- Nine Eyes
- 14 Eyes
- NSA and GCHQ cooperation within 5 Eyes
- ECHELON surveillance system
- The importance of avoiding 5 Eyes
- Recommended privacy services (outside of 5 Eyes)
- Secure email services
- VPNs
- Private search
So let’s get started.
Five Eyes
The Five Eyes (FVEY) surveillance alliance includes the following countries:
- Australia
- Canada
- New Zealand
- United Kingdom
- United States
The history of this alliance goes back to WWII and the UKUSA Agreement, which was officially enacted after the war in 1946. This agreement formalized a partnership between the United Kingdom and the United States for gathering and sharing intelligence. The partnership continued throughout the Cold War and has only strengthened since the “Global War on Terror” kicked off in the early 2000s.
Edward Snowden brought renewed focus to the Five Eyes surveillance alliance in 2013 when he exposed the surveillance activities of the US government and its allies.
Below are the different “5 Eyes” surveillance agencies working together to collect and record your activities:
It is no surprise that some of the Five Eyes countries listed above are also the worst abusers of online privacy:
- United Kingdom – Since the passage of the Investigatory Powers Act in 2016, internet service providers and telecoms have been recording browsing history, connection times, and text messages. The data is stored for two years and is available to UK government agencies and their partners without any warrant.
- United States – The US government has been implementing Orwellian mass surveillance collection methods with the help of large telecoms and internet service providers (see the PRISM program). In March 2017, internet service providers were given the legal authority to record user activity and sell this to third parties. Of course, internet providers have been collecting data on their customers for many years, long before this law passed in 2017.
- Australia – Australia has also implemented sweeping data retention laws similar to the United Kingdom.
Broad authority among 5 Eyes countries
Whether it is the NSA in the United States or the GCHQ in the United Kingdom, the “5 Eyes” is home to the most powerful surveillance agencies in the world.
The other drawback with Five Eyes countries is that they have tremendous authority to force companies to record and hand over data. In the United States, the Patriot Act ushered in a new level of power for federal data collection, especially through the use of National Security Letters. We see these same trends unfolding in the UK, Australia, and other locations as well.
Nine Eyes
The Nine Eyes countries include:
- 5 Eyes countries +
- Denmark
- France
- Netherlands
- Norway
The existence of the Nine Eyes alliance is referenced in various sources online and became well-known following the Snowden revelations in 2013. It is just an extension of the Five Eyes alliance with similar cooperation to collect and share mass surveillance data.
14 Eyes
The 14 Eyes surveillance countries include:
- 9 Eyes countries +
- Germany
- Belgium
- Italy
- Sweden
- Spain
As before, the original surveillance agreement was extended to these other countries. The official name of this group of countries is referred to as SIGINT Seniors Europe (SSEUR).
NSA and GCHQ cooperation within 5 Eyes
Various government document releases, which have come out through official FOIA channels, reveal the close relationship between the NSA and GCHQ. Being the two most powerful surveillance entities in the world, with historical ties, it is no surprise that they work closely together.
A top-secret NSA document from 1985, which was released in 2018 via a FOIA request, reveals the close cooperation continues today, based on the broadly-written UKUSA Agreement:
The UKUSA Agreement, dated 5 March 1946, has twelve short paragraphs and was so generally written that, with the exception of a few proper nouns, no changes to it have been made. It was signed by a UK representative of the London Signals Intelligence Board and the U.S. Senior Member of the State-Army-Navy Communications Intelligence Board (a predecessor organization which evolved to be the present National foreign Intelligence Board). The principles remain intact, allowing for a full and interdependent partnership. In effect, the basic agreement allows for the exchange of all COMINT results including end product and pertinent collateral data from each pattern for targets worldwide, unless specifically excluded from the agreement at the request of either party.
Another top-secret NSA document from 1997 (officially released in 2018) further elaborates on the close cooperation between the NSA and GCHQ:
Some GCHQ [redacted] exist solely to satisfy NSA tasking. NSA and GCHQ jointly address collection plans to reduce duplication and maximize coverage through joint sites and cross-tasking, despite site closures.
With the reference to “joint sites” above, it’s important to discuss ECHELON.
ECHELON surveillance system
ECHELON is a network of spy stations utilized by Five Eyes countries for large-scale espionage and data collection. The Guardian described ECHELON as follows:
A global network of electronic spy stations that can eavesdrop on telephones, faxes and computers. It can even track bank accounts. This information is stored in Echelon computers, which can keep millions of records on individuals.
Officially, however, Echelon doesn’t exist. Although evidence of Echelon has been growing since the mid-1990s, America flatly denies that it exists, while the UK government’s responses to questions about the system are evasive.
Despite these denials, there have been whistleblowers who have confirmed what’s going on behind the scenes. Both Perry Fellwock and Margaret Newsham came forward to document various aspects of ECHELON to the public.
The importance of avoiding 5 Eyes
While there are privacy concerns with countries in 9 and 14 Eyes alliances, the big one to avoid is the Five Eyes (US, UK, Canada, Australia, and New Zealand). Therefore, when data security is critical, simply avoid the Five Eyes.
Some people say concerns about these surveillance jurisdictions are overblown or misguided, and that it really doesn’t matter. You often hear this argument from VPN companies (and their marketers) that are based in the US or Canada, for example. This line of thinking is misinformed and ignores reality.
There are many examples proving the risks associated with privacy-focused companies operating in Five Eyes jurisdictions. Here are just a few that we’ve discussed before on Restore Privacy:
- Riseup, a Seattle-based VPN and email service, was forced to collect user data for government agents and was also hit with a “gag order” to prevent any disclosure to their users. (They also could not update their warrant canary.)
- Lavabit, another US-based email service, was basically forced to shut down after the US government demanded encryption keys and full access to user emails. (Rather than comply, the owner closed the business.)
- IPVanish, a US-based VPN service, was forced to collect user data for an FBI criminal investigation, all while claiming to be a “no logs VPN” and not alerting their users to what was happening. (See the IPVanish logs case.)
- HideMyAss, a UK VPN service was also ordered by a court to collect user data and hand this over to authorities for a criminal investigation. News about this came out after-the-fact.
These are just a few cases that have publicly come to light, but you can be sure there are other examples we don’t know about.
Secret demands for user data + gag orders = privacy nightmare
As we can see from these examples, when authorities compel businesses to collect and hand over data, they usually serve them with a gag order as well. This is done through National Security Letters and prevents the business from disclosing any information to their customers.
These laws basically give the government the authority to compel a legitimate privacy-focused company to become a data collection tool for state agencies, without any warning or notification. Even warrant canaries are ineffective and illegal in places like the United States.
Ignoring the jurisdiction of a privacy-focused business is foolish and ignores these well-documented risks.
Recommended privacy services (in good jurisdictions)
One of the main purposes of Restore Privacy is to test, research, and recommend privacy and security tools that meet specific criteria. Given our emphasis on data security and trust, jurisdiction is a key factor we consider.
In terms of jurisdiction, our main concern is avoiding Five Eyes countries. After all, some of the 9 and 14 Eyes countries do indeed have strong privacy laws, especially in comparison to the US and UK.
Secure email outside Five Eyes
Using a secure and private email service in a safe jurisdiction is a no-brainer. Consider this:
- Gmail was found to be giving third parties full access to user emails and also tracking all purchases via receipts in your inbox.
- Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
- Yahoo was found to be scanning emails in real-time for US surveillance agencies.
Alternatives – Here are some of our favorite secure email services:
- ProtonMail review (Switzerland)
- Tutanota review (Germany)
- Mailbox.org review (Germany)
- Posteo review (Germany)
- Mailfence review (Belgium)
- Runbox review (Norway)
- Countermail website (Sweden)
- CTemplar website (Iceland)
- KolabNow website (Switzerland)
All of our email reviews are here.
Best VPNs outside Five Eyes
As mentioned above, internet service providers are actively collecting data for government agencies around the world. They do this by either actively snooping on connections simply recording all your DNS requests. Additionally, advertisers and other third-parties will track and record your online activity that is tied to your unique IP address.
A good VPN service is crucial for this situation. A VPN encrypts all your traffic between your computer/device and the VPN server you are connected to. Not only does this make your traffic and online activities completely unreadable to your ISP and other third parties, it also effectively hides your IP address and location.
Here are the best VPNs for 2020 that are located in privacy-friendly jurisdictions:
- ExpressVPN (British Virgin Islands)
- NordVPN (Panama)
- Surfshark (British Virgin Islands)
- VPN.ac (Romania)
- Perfect Privacy (Switzerland)
- OVPN (Sweden)
- ProtonVPN (Switzerland)
- Trust.Zone (Seychelles)
We do our best to keep the VPN reviews updated to reflect the latest test results, company changes, and new features.
Note: Some people are worried about logs and data collection with VPNs. Fortunately, there are a few verified no logs VPNs that have undergone independent audits to confirm their no-logs policies:
- ExpressVPN has undergone an independent third-party audit performed by PricewaterhouseCoopers. This confirmed the no-logs policy and also verified ExpressVPN’s TrustedServer feature, which is to run all VPN servers in RAM-disk mode, making it impossible to store any logs on the servers.
- NordVPN was also audited to PwC AG in Zurich, Switzerland to confirm essential privacy-protection measures and the no-logs policy. NordVPN has committed to annual third-party audits, while also undergoing independent security audits and penetration testing carried out by Versprite.
Private search engines outside Five Eyes
Most of the big search engines, such as Google, record all your search queries and then link this to your identity and data profile, so you can be hit with targeted ads. Unless you want to give Google and its partners all your search activities, consider using alternatives.
Here are some private search engines you may want to consider:
For additional tools and tips, see the main privacy tools page.
Trust and jurisdiction
In the end, jurisdiction is just one of many factors to consider when selecting reliable privacy tools for your unique needs. How much it matters depends on your own circumstances, particularly your threat model and the types of adversaries you are looking to protect yourself against.
For those seeking higher levels of privacy and security, jurisdiction is indeed important, especially when you consider the growing power of governments to force companies to hand over data and log users.
Trust is also a major factor you should consider. After all, a VPN can operate in a “good” overseas jurisdiction, yet still lie to customers and provide data to government agencies. Take for example PureVPN, a “no logs” service based in Hong Kong that gave US authorities connection logs for a criminal case.
This is where trust is key. Fortunately, to strengthen trust, more privacy-focused businesses are undergoing independent audits and third-party verifications. In addition to the VPN audits we mentioned above, we also see this trend with password managers and occasionally with secure email services.
Good luck and stay safe!
Revised and updated on September 3, 2020.
Hey there,
and thank you for the pretty article. I think the case for “no logs” is a bit hard to swallow. It makes it harder to find criminals, too, that deserve proper punishment, like the cyber-harassment in the example you gave. Though the VPN-provider should have said it, that they keep logs, to not be hypocritical, if they said so, no one would want their VPN!
Nonetheless, for why I wrote: ProtonVPN seems to have an audit behind it now, too, so you might update the corresponding section for audited VPNs.
https://protonvpn.com/blog/open-source/
Yes, this was a security audit, which is very good, but the section in the article was referencing an audit to confirm no-logs claims.
Excellent post I want to read more about the topic Thanks for sharing.
Hey Sven, thank you for this rundown – vital information. And no, I have no criminal activity to conceal, and don’t plan on doing any in the future. That’s not the point. The point is that governments should not be able to invade people’s privacy (a computer is basically an extension of your brain, when you think of it,) without probable cause and due process of law. It’s the principle of the thing.
But a related issue relating to VPN choices – perhaps fit subject for an article of its own – but for which I have been able to find zero information, is about the similar privacy-destruction measures being taken by corporations, most egregiously by Microsoft, with its Orwell 10 rollout – the announcement that in agreeing to its Terms of Use – which you must agree to if you want to use the OS at all – you the user grant to the Microsoft workforce in their cubicles in Redmond, WA the right to monitor any and all activity that you do on your computer, right down to keystroke logging. Which means your passwords, PINs, account numbers, correspondence, your manuscripts (if you’re a writer,) information about family and friends, etc. And “Oh, but you can disable those features. Have a nice day” is the same thing as someone selling you a house, keeping his own set of keys, and telling you “Oh, I promise I’ll never come in while you’re gone. Have a nice day.”
I’d used Anonymizer for years with little hassle until it was sold; after flailing around for a replacement I bought a 3-year subscription to NordVPN… only to discover that it was impossible to install on any of my systems without first… downloading Microsoft’s latest spyware.
So I need to find a VPN that will install and run on older Microsoft Operating Systems, and utterly independent of any need to download and install any of Microsoft’s latest “updates” or the need to use Orwell 10. Allowing a corrupt corporation to violate my privacy is no better than allowing a corrupt government to violate my privacy, IMO.
I wonder if such a product even exists – but I’ve been unable to find any information anywhere, in any VPN review, about backward-compatibility with “no longer serviced” Operating Systems, and/or VPNs that can be installed with minimal interaction with Microsoft beyond the basic OS itself. Please advise, and please consider adding this information to VPN reviews. We need to know what kind of garbage a VPN will require a person to install just to enable installing the VPN itself. If the prerequisite system software is a privacy hazard itself, it defeats the whole purpose.
Thanks,
Z
The big issue with older operating systems is security. New security issues and vulnerabilities are being found all the time, hence updates and patches. And if your security is compromised, your privacy goes down with it, so the two go hand in hand. But you can avoid Windows and go with Linux. As to your question, you’d just have to check with the various VPNs as to whether they support the OS you are using at this time.
I agree with Z. Recently just bought a ‘throw away’ PC because of this issue. We appreciate the work you do re privacy so i was a bit surprised to hear an Autobot response, ie need to update security vulnerability, clear your cache.
I for one don’t really care about ‘hackers’ if that is the security vulnerability you’re talking about. I would rather have a hacker get bored with my internet activity and move on than a bunch of paranoid delusional hall monitor bureaucrats storing every damn thing i do.
How about a pro, con how to, create your own vpn, but doesn’t apple or your isp know if you create a VPN using your own laptop?
Thanks again man, you are doing important work
Give VPN.ac a look at and see if it fits your need.
They got one sale at BF and CM and going two years subscript it’s under$50.
So i have just finished setting up Pivpn (openvpn) on my raspberry pi.
After reading this article i am now wondering if using a trusted paid vpn provider is safer or more secure than using my own vpn server for free (i am using openvpn).
And if using a paid service is better i’d also like to know what makes the paid vpn better then using my own free vpn server.
The biggest advantage a paid VPN offers is the ability to mix your traffic with other users. With only you using your VPN, everything is tied back to you. Another advantage of a paid VPN is a large server network around the world, and secure apps for all major devices. You can see our top picks are here.
Riseup, “… was forced to collect user data for government agents …”
The government cannot force a company to “program” or to alter their code, to accommodate the federal government. Apple proved that. While the government can “scare” them, fighting it in court is the worst thing to keep “secrecy” because all trails are PUBLIC.
So Riseup was just a Government B****!
Well, there are also secret court systems where rulings and verdicts are not even public. Check out the FISA courts, for example.
What about PC security software, like BitDefender Totl Security? How much browsing data are they privy to and storing?
See the antivirus privacy article.
I seem to be the only that thinks this is bad for cyber citizens or the average web user folks in their online privacy when using a product or service from one of the MLAT counties. Anyone else?
Hi out there, thank you for your privacy workout!
By the way, one source has been lost: The “sources” link of the Nine Eyes.
Carry on.
Thanks, I just updated the link with the archived version:
http://archive.is/MAgbt
Dear Sven,
Firstly, I have to say that I’m overjoyed to see Restore Privacy experience something of a Renaissance. You and your privacy-centric compatriots are doing wonderful work spreading the good word, as always. Anyways, I note that you make mention of CTemplar as a credible and private email provider. Having signed up a while back after hearing of the service’s features, I have to say it at least purports to be top-of-the-line; I lack the skills to verify the accuracy of CTemplar’s claims, but my experience has been good. Do you plan to release a review of CTemplar any time in the future? I consider this website one of the foremost privacy publications, and hold its declarations in high regard (although I still fact check them as I would anything). It’d be no doubt help the burgeoning company, who have themselves informed me they aren’t planning to market CTemplar any time soon (probably for financial reasons). All replies are most appreciated.
Thanks!
Anonymous
Hi Anonymous, yep, we can get a review of CTemplar on the To Do List. I think Heinrich is also testing out CTemplar at the moment, so he can do a review soon. Thanks for your support.
crypto ag case shows… from 5 to over 100 eyes LOOOOL
you have been warned about the sec_state
Freedom of speech also involves reading what we were taught about the past that was not so.
Those who control the present control the past, who controls the present controls the future.
If we knew the truth about the past we would know why we are losing our freedom Now.
“When a well-packaged web of lies has been sold gradually to the masses over generations, the truth will seem utterly preposterous and its speaker a raving lunatic.” Dresden James.
Good luck, Internet privacy will do little to save you from what is to come.
In the mean time hard wire your Wifi with an Ethernet cable.
https://www.youtube.com/watch?v=ICA19oKPi5I
And dont put your laptop on your lap.
If you don’t post this comment at least read for yourself you will see the world in a different light.
I haven’t tested it.
Hi Sven,
I’m like Hard Sell, i’ve been using SoftEther for awhile for gaming online in Japan & Netflix overseas, i wanted to understand more aspects of VPN use before paying for it on a continual basis, SoftEther is *free* and an opensource community project afaik, what are your thoughts on saying ‘use it and see’ as a tutorial to how VPNs work?
Hello Cor’e =)
Happy to answer you.
With a VPN, your moving your trust, speed, viewable web data from an ISP provider you’ve paid for over to a VPN service provider.
The ISP no longer can easily intercept, snoop and view your data as it ‘s encrypted now.
– You’ll still use your ISP service to connect to the internet. A VPN service is not a replacement for your ISP. But, instead of your ISP provider communicating directly with a web page now, the ISP must talk to the VPN server (you’ve chosen) that in turn talks to the web page as an encrypted linked tunneled path through the installed VPN client on your device.
*It’s the VPN server that connects to the website you wish to reach. The key point now – is the connection between your device and the VPN server is encrypted in what’s called a VPN Tunnel.
Your ISP can still intercept the data, but that data is no longer viewable to it. In other words, the ISP is aware you’re sending and receiving things but has absolutely no way of knowing what those things are or where they come other than your chosen VPN server.
That is till your chosen server drops out of the devices control, and can occur in the VPN service at anytime for many reasons.
The moment a VPN connection drops, the encrypted VPN Tunnel is lost, and your ISP can once again view and analyze anything of your transmitted data. Good paid for VPN’s have a KILL SWITCH for this purpose and then likely will handle all you DNS requests on their ends as well being encrypted protected.
If a free VPN is the only way right now ok.
https://github.com/trailofbits/algo
https://restoreprivacy.com/vpn/free/
Be careful of the commercial like free ones where the more online users =
slower speeds and privacy intrusions in exchange for the no cost ride.
Browser based vpn are not a true vpn, but in proxying your browser traffic only.
You want your traffic hidden inside your ISP sourced internet by a VPN encryption tunnel.
Your interests in how VPNs work – I’ll bookmark what to see on the site.
https://restoreprivacy.com/vpn/
https://restoreprivacy.com/vpn/openvpn-ipsec-wireguard-l2tp-ikev2-protocols/
https://restoreprivacy.com/vpn/no-logs/
https://restoreprivacy.com/vpn/reviews/
https://restoreprivacy.com/vpn/best/
https://restoreprivacy.com/vpn/free-trial
https://restoreprivacy.com/vpn/coupons-discounts-deals/
Greetings and enjoy 🙂 : ) 🙂
Hi Hard Sell,
I don’t really feel my posted Q: “…, SoftEther is *free* and an opensource community project afaik, what are your thoughts on saying ‘use it and see’ as a tutorial to how VPNs work?” directed to Sven is being answered by a ‘what is VPN’ article, perhaps it was misread, but if that is all the focus it gets then well okay, it’s probably better to keep it somewhat a secret.
Sven,
I see your site has just been reorganized just recently, you must be busy, keep up the work.
Cheers!
Yep
I missed what you mean still.
Are you wanting SoftEther looked at like ‘What You Need’ to Know about free VPN’s?
A test review of SoftEther as Sven’s done on commercial VPN’s?
Comparison of SoftEther to either free or paid types of VPN’s.
Because there’s documentation and probably a tutorial at the SoftEther site as well online somewhere. SoftEther is a free offering that the average user won’t find handy or that convenient to setup and use. Maybe a better comparison would be against Tor.
Sorry
Thank you for this article.
INCOMPLETE list of government surveillance projects and related databases throughout the world. https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects
@jedi knight:
I recall that Cryptostorm.is had that rather slow (because it is rate-limited AND congested), but nevertheless free, service they call “Cryptofree”. Allows you to connect via latest OpenVPN but IIRC doesn’t allow you to cherrypick country (it balances you how it wants at the moment). They do not market that (or I’m dumb and can not see where they market it), but it exists – primarily, I suspect, to help clients whose tokens are just expired in a bad moment to surf a page or two. Last time I checked, I had pings at around 450msec, but it helped me to get the “job” done. Also I myself think that Cryptostorm security is good enough, but I admit that it is subjective (based on information available to me). To connect, go here https://github.com/cryptostorm/cryptostorm_client_configuration_files/tree/master/cryptofree
Disclaimer: regard me as satisfied old client of ’em, so yeah, I’m kinda biased.
Greetings Red Five,
I appreciate your mention and never tried it. I have tried SoftEther VPN and JonDo / JonDoFox / JonDonym.
Much earlier in my discover that the Internet is a pipeline into our personal data, enough so an industry sprang forth to capitalize on it.
.
Then (based on little I know), the whole dang system is comprised of elements working against us only to bring us the glory of web.
This use of high tech in delivery to the progression as modern devices visualization and basically the web elements/components needed to pull it all off.
.
Is a trail that we hope to make act like it’s inside other trails with VPN.
That ‘jedi knight’ don’t seem to be understanding of in a whole concept to the loss of privacy that is actually at work here against us all.
.
VPN are in a limited roll but needed as $ professional and reputable host.
[I don’t trust free or other venue is complicated setting up]
As all VPN, they don’t offer users an uniform appearance other that in IP adderess against todays data collection techniques.
Their inherent functionality normally doesn’t replace/filter a devices TCP packets in protecting against TCP timestamp attacks.
They can track and save all connections steps as they control the servers in the VPN.
SOURCE
https://anonymous-proxy-servers.net/en/help/otherServices.html
Hope to see more from you.
Thank you
Sven check this out https://2009-2017.state.gov/j/inl/rls/nrcrpt/2014/vol2/222469.htm
Full List of United States Mutual Legal Assistance Treaties and Agreements
MLATs, which are negotiated by the Department of State in cooperation with the Department of Justice to facilitate cooperation in criminal matters, are in force with the following countries: Antigua and Barbuda, Argentina, Australia, Austria, the Bahamas, Barbados, Belgium, Belize, Bermuda, Brazil, Canada, Cyprus, Czech Republic, Dominica, Egypt, Estonia, France, Germany, Greece, Grenada, Hong Kong, Hungary, India, Ireland, Israel, Italy, Jamaica, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Mexico, Morocco, the Kingdom of the Netherlands (including Aruba, Bonaire, Curacao, Saba, St. Eustatius, and St. Maarten), Nigeria, Panama, Philippines, Poland, Romania, Russia, St. Lucia, St. Kitts and Nevis, St. Vincent and the Grenadines, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Turkey, Ukraine, United Kingdom (including Anguilla, British Virgin Islands, Cayman Islands, the Isle of Man, Montserrat, and Turks and Caicos), Uruguay, and Venezuela.
[Seems a jurisdictions to privacy provisions may have less importance than I would of guessed]
Interesting, thanks.
Hello Sven,
great and informative website. Regarding 5/9/14 Eyes, what do you think is more important when using a VPN service? The location/HQ of the VPN provider itself (e.g. Panama for NordVPN) or the location of the used server? Which jurisdiction is more important?
Definitely the location of the business, which is controlling the servers remotely. The US government can compel a US-business to log user data (examples in the article above) and provide this to authorities, but doing the same for a VPN in an offshore jurisdiction that does not fall under US laws would be very difficult, if not impossible. The agency could then go to the datacenter and seize the server, but this is also a dead end if the VPN is running their servers and correctly encrypting data. There have been a few examples of server seizures that have not been fruitful, as discussed in the no logs VPN guide.
I see it depends to on further factors for some actions. If a crime is associated say.
MLAT’s for Nations outside of the 14 eye’s cooperative’s level.
But your right, encryption on the servers and other steps taken will reduce what data there is that can be released.
https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty
http://www.mlat.is/
Related reading:
https://www.whitecase.com/publications/insight/how-us-laws-can-apply
.
https://arstechnica.com/tech-policy/2017/09/feds-google-stops-challenging-most-us-warrants-for-data-on-overseas-servers/
As MLAT agreements between two or more countries for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.
I’d be one to see MLAT’s as a one-way directional flow, where the US wants something from another nation outside of the 14 eyes and has used a subpoena to get at it.
I’ve ran across a piece (from 2004) where that’s not the case at all.
To me in the early mid-2000″s the power of MALT’s was used in anyway possible, {as here – intimidation of legitimate journalistic inquiry than crime-busting}.
https://en.wikibooks.org/wiki/California_Public_Policy_and_Citizen_Participation/Chapter_Ten#cite_note-27
[Servers seizures>Seizure of servers by the FBI> *paragraph’s 1,2,3,5]
1)On October 7, 2004, the FBI took possession of several Server (computing)|server hard drives used by a number of IMCs and hosted by US-based Rackspace Managed Hosting. The servers in question were located in the United Kingdom and managed by the British arm of Rackspace, but some 20 mainly European IMC websites were affected, and several unrelated websites were affected (including the website of a Linux distribution).
2)A statement by Rackspace stated that the company had been forced to comply with a court order under the procedures laid out by the Mutual Legal Assistance Treaty, which governs international police co-operation on “international terrorism, kidnapping and money laundering”. The investigation that led to the court order was said to have arisen outside of the U.S._ _ _Agence France-Presse reported FBI spokesman Joe Parris, who said the incident was not an FBI operation, but that the subpoena had been issued at the request of the Italy|Italian and the Swiss governments.
Switzerland, has a MLAT with the US.
3) and a request by the FBI to remove a post on Nantes IMC containing a photograph of alleged undercover Swiss police.
Italy’s a part of the 14 Eyes.
5)In Italy, the federal prosecutor of Bologna Marina Plazzi confirmed that an investigation against Indymedia had been opened because of suspected “support of terrorism”, in the context of Italian troops in the Iraqi city of Nasiriyah.
– – Give any thoughts of today with server seizures the world over possible and then, which might have your data?
Thing about Clouds are there bolted down somewhere…
Then the only action phrase in that piece I’d seen used was – ‘because of suspected’.
Documents were unsealed by a Texas district court in August 2005, the documents revealed that the government never officially demanded the computer servers—the subpoena to Rackspace only requested server log files.
It’s interesting, as the human side factors in the multi-directional flow.
And what do you think about cyberghost vpn ?
Here’s the CyberGhost VPN review.
Hi!…The best way to have a good privacy(from my point of view):use the chain of VPN’s,and avoid to use the free VPN(often are used for decoy).
All the best for all!
Fastest server for personal website for US visitors:
Bulgaria vs Romania vs Switzerland vs South Korea?
Romania…CyberGhost…umm..i think :))
Addition: The VPN service ‘OkayFreedom’ by Steganos is located in Germany
Hi, Sven! How are you?
First of all, I loved your site. I was searching for open source alternatives to Google and did find the ‘Alternatives to Google Products’ post. Very interesting.
Reading this post, I need to ask something: in your opinion, how do you think other services, seemingly secure and private, are affected by being hosted in one of the 14 Eyes Countries?
I ask that because there are a lot of services – mail, instant messaging apps and so on – that are hosted in those countries, like Tutanota e MailFence mail solutions.
What do you think? I would love to hear from you about that and, maybe, to read a long and detailed post about it.
Best regards from Brazil! 🙂
It really varies from provider to provider and how they handle data, and what, if anything they collect. Speaking of Tutanota, you might find this interesting: https://tutanota.com/blog/posts/data-privacy-germany/
Hi Sven,i use vpn PIA. i have had different ip addresses show up when doing a dns leak test and managed to get rid of them by changing connection to different countries and then back to Romania or rebooting.For the last week or so i have constantly had 146.185.236.26 G-Core labs S.A. show up and i can’t get rid of it.I believe it stores logs for 14 days.If i’m using my pia vpn cang-core labs stiil track and log sites visited.I have also tried ip config/stop outsidedns but it hasn’t worked.Any simple suggestions please,(not tech savvy).Thanks Sven,cheers.
Now that we think we know something, the question remains: then what? We are constantly bombarded by information about things we can never change. What is the purpose of that? Apart from that, it is not vitally necessary to be able to go on-line. The “safest” and most “private” computer is no computer at all.
Who taught you that there is such a thing as “privacy” and why do you believe that the universe will collapse without your so-called privacy? Privacy is an illusion. It is simply a chosen notion. Suddenly one decides to experience privacy (or not), based on … Simply having people around means you are being watched, judged, evaluated, etc. What exactly is privacy and why do you feel the need to experience it?
For me, privacy and freedom go hand in hand. Privacy continues to erode throughout the world, as various entities want to record, track, and control everything we do online. The tools I discuss on the site allow you to restore a large degree of privacy and freedom with minimal hassle.
Henry,
Come on guy the US public to business and vice versa world has to big and strong of a foothold with online interactions anymore for your mention of ‘it is not vitally necessary to be able to go on-line’ to be even remotely true. That’s where customer service of many have moved. Try to get a paper account statement without a charge, then e-statements are the only option. A lot of times prices are better online and no electronic identity (email) basically means your saying no to 2019 life today.
–
The privacy you relate to is pulling the drapes closed and specifically not the same as internet privacy, cause if you knew someone was peering into your homes windows you’d call the law. Who you going to call when it happens behind the scene’s at sites and as one transverses the web.
–
The US has laws for snail mail and landline phones because of privacy abuse and crime issues early in history, and in 2019 going forward we need the internet to be given the same consideration here. Because of the content is of the same nature that classified and standardized that same content of the past in snail mail and landline phones. My gosh if you sing bad in the shower you would want a recording floating around the internet – and if it did by your not accessing the internet who’s going to know you want it pulled.
Please read the site starting with what interests you and learn to be grounded on and for your privacy rights on the internet as well as everyone else connecting where the business end requires it or moving that direction.
Henry,
Do you ever think about someone obtaining your userids and passwords to accounts with your financial institutions? If you don’t use computers, do you perform all transactions via checks, at banks, and on the phone?
Are you at all concerned with someone stealing your identity by obtaining your tax forms sent to the IRS (via snail mail and/or electronic transfer)?
If you don’t think privacy is that important, just send us all your full name, mother’s maiden name, ssn, credit card numbers, and all user ids, passwords and account numbers. Then you may not be, or appear to be, as care free.
With multi hop like perfect privacy what jurisdictions would you choose to not even pick up phone from 14 eyes? They have China, Czech Republic, Denmark, Egypt, France, Iceland, Luxembourg, Netherlands, Norway, Romania, Russia, Serbia, Switzerland, or Turkey? China Russia and Serbia maybe least friendly to 14 eyes, or stay away from China Russia because they have their own eyes?
Todd I think the actual location of the server(s) is less important than just using a multi-hop cascade over different jurisdictions.
See the multi-hop VPN guide.
If chaining several VPNs would you put tor in the middle of the chain? Ignore speed decrease. Just for privacy.
I personally wouldn’t, no, especially after researching the Tor project.
Would you still recommend a vpn for someone outside the countries mentioned? Or would that just be adding unnecessary layers?
Yes, a VPN is still necessary regardless of where you’re at for privacy and security reasons.
What no comments about the LEO “tunneling” arrangement with China and Russia? Sort of like a VPN for spying.
While there may intense intelligence competition in the military, scientific and national political arenas — it a pretty open secret that these superpowers bypass internal limits on LEOs (both legal and political) via exchanges and leaks of foreign intelligence.
That is, if its impractical to gather LEO info directly with your own LEOs or intelligence —
*** just submit a request to an enemy intelligence service to spy the needed info out and then leak or trade the info to your intelligence agencies. ***
Such a system of intelligence favors has been around for many years and has really seen explosive growth in the modern era of terrorism and well connected international criminals.
Mr Hudson, what about CyberGhost VPN based on Romania?
CyberGhost review here.
Thanks a ton for such a deep and valuable insight into the subject and also the well-thought reviews (which I’m going through at the moment).
Possible to review ZoogVPN? [https://zoogvpn.com/]
Need to buy a service soon and I see they have a “No” everywhere in this list.
[https://thatoneprivacysite.net/vpn-comparison-chart/]
I’d appreciate it.
Cheers
ZoogVPN
Jurisdiction: United Kingdom => 5 eyes
additionally: 27 servers/ 18 contries
no kill switch
to avoid
Hi Sven,
I think it’s time to seriously work for internet decentralization. The situation is getting worse every day.
If we do nothing internet will soon become our prison.
People must think about political system and capitalism more deeply and by themselves.
Things are going really bad on our world. Earth should be a paradise, not a hell. It’s all in our hands.
Regards.
Would tor be within the eyes if they are based in Germany??
Well, the Tor project is based in the US, Tor was built by US military contractors, and it is still funded by the US government today. Plus, anyone can operate a Tor nodes and collect data.
Is Tor Trustworthy and Safe?
I need a free vpn that doesn’t log and require opening an account, recommendations?
Please do not recommend vpns that have trials attached to them.
I’d avoid free VPNs. If it’s free, then you are likely the product.
Spot on
I use Opera’s free VPN feature, and VPN addons with Firefox. I don’t see how this makes me a product, and meanwhile I benefit from the advantages of a VPN connection.
Read Opera’s privacy policy, where they describe how your data is collected and shared with third parties, then you will understand. Also, Opera is lying when they claim to offer a VPN. It’s not a VPN, it’s a proxy server that many consider to be insecure. Final point: Opera was sold to a Chinese consortium for $600 million. No data protection in China, I’m afraid.
You know they are not trustworthy when they lie at the start calling a proxy service a VPN.
What is your opinion on Epic Browser’s VPN proxy ? :
https://www.epicbrowser.com/
Not recommended.
Browser-based proxies are not VPNs.
If it is like the “free VPN” in Opera’s browser, then it is a data collection tool.
You know they are not trustworthy when they lie at the start calling a proxy service a VPN.
Hi Sven,I’m not tech savvy,so this may seem a stupid question.If i’m using PIA and firefox when browsing,will this be recorded on my hard drive? thanks for your help.
Hi Jim, the VPN will not be recording anything, but Firefox may be storing your browsing data depending on your browser’s settings/configurations. You can modify Firefox for more privacy using the steps in this guide.
Hi Sven,i use avast internet security and also avast vpn.I have recently set up PIA and quite often find avast softlayer technologies appearing with the country chosen through PIA(very concerning and frustrating).Most common one is 173.192.103.7 US.another is 169.57.1.216. BTW my avast vpn is not on when this occurs.An earlier comment shed some doubt on PIA no logs,your opinions please.Also,if i use firefox and PIA will browsing be recorded on harddrive.thanks.
Hi, you should configure Firefox to keep as little data as possible. PIA is a US-based provider, which is not a good jurisdiction, but it has also had their “no logs” claims confirmed in court.
Regarding Avast, I’m not sure what is going on. I’ve seen that avast antivirus collects quite a bit of data, and last time I checked their privacy policy, this data could also be shared with third parties. I’m not sure about their VPN though.
Something for you to be aware of Sven, to be honest, I think it’s important enough to have it’s own article.
Yesterday, I found that UK mobile networks require “adult verification” when unblocking adult content restrictions, by submitting driving licence or passport details, if you are using a sim car that isn’t on a contract.
Now, the uninformed might think “It’s just to make sure that children aren’t accessing pornography & to safe guard the vulnerable”.
No. This is used to get a registrar of people who use encrypted communication over their ISP’s, plain & simple, because it explains all of the following…
Yesterday, I had to update my NordVPN Windows app, which at the time, was connected to my 4G hotspot. Upon doing this, I could no longer access the Nord app at all.
In addition, on an un-encrypted connection:
-I couldn’t LOAD any VPN website AT ALL.
-As a test, I tried a number of websites that some might consider “fringe” or “politically controversial” & I couldn’t load them without the “adult verification” prompt.
-I tried to install offline, the NordVPN windows app, couldn’t login.
-I setup the Windows 10 VPN IKEv2 & I couldn’t connect to the internet.
-I tried to install a Express VPN (trial) & ProtonVPN on my mobile & it wouldn’t configure (i.e blocked)
Eventually, I solved the problem by connecting to wifi & setting the connection type to “obfuscated”, but if I was with a VPN provider (or was technically unaware) & using a 4G hotspot to access the internet, I would no longer be able to use a VPN without verifying my identity…at all.
Now, what has prompted all this? It’s a recently passed UK law to “protect children”
This is some background info on the law, prior to it’s passing:
https://www.independent.co.uk/news/uk/politics/internet-laws-social-media-child-safety-terrorism-facebook-twitter-matt-hancock-a8360081.html
I wouldn’t be surprised if public wifi does the same thing soon.
I would now say that any VPN provider that doesn’t have a type of obfuscated connection, cannot be recommended for UK users, at all.
Hi Richard. Wow, this is interesting. If you don’t mind me asking, what is the internet provider you noticed this on? So you are saying that standard OpenVPN (non-obfuscated) connections are getting blocked on 4G mobile networks (without verification) and home networks (your WiFi) – correct? It looks like the UK is following in the steps of China and Saudi Arabia with internet censorship. And then there was the recent EU law passed regarding content filters, copyright for news articles, and link taxes. Probably it’s time for an article on EU censorship…
With home (landline) networks, some providers, by default, will have “adult content” restriction & you’ll need to login to your account to remove it. I know that Virgin & Sky have their adult filter enabled by default & while you can load a VPN site, you’d have to disable it to use a VPN connection. I don’t know about BT or Plusnet (BT owned).
https://betanews.com/2016/07/07/sky-broadband-web-filters/
I don’t know exactly how the recent law change may have affected the landline providers outside of what I’ve seen myself, but considering you need to be 18+ to sign a contract, it might vary from provider to provider & might require more research.
But…mobile networks, non-contract pay as you go…100% have adult verification. If you had a new phone & new sim card & tried to install a VPN app using a 3/4G connection, it won’t work, you would need to login to wi-fi to install & then you can use VPN (I was mistaken, non-obfuscated connections work on 3/4G connection…for now), BUT…if you turn on the hotspot feature on the phone & try & connect a laptop that ALSO has a VPN app…that won’t connect using a non-obfuscated connection using windows 10, which means many VPN servers in countries that can’t or for commercial reasons, aren’t available on a obfuscated connection type, if you’re using a 4G hotspot that isn’t age verified.
That is 100%. My concern is that the government will then force Google & Apple to also do age verification.
https://www.thesun.co.uk/tech/5783907/porn-verification-age-scheme-check-date-uk-when/ <— this gives a simple explanation of the law.
I sent the info to NordVPN, which they said they were unaware of & would investigate what to do about it.
https://www.vpncompare.co.uk/wp-content/uploads/2015/10/o2-age-block.png <—this is the screen I was getting when I tried to access some various "alt-media" that was more "right-leaning".
This dispels the lie of "protecting children from porn".
All the mobile networks are forced to comply with this law, I use 02…I checked the other main ones (Three, Vodafone, EE), they all state that age-verification requires an upload passport/Driving licence details, I think it also said about using a card payment, probably to use the credit check facility to confirm identity.
I did mention in my post yesterday about public wifi, well…I've noticed my local supermarket Morrisons blocks VPN (even obfuscated), as well as another large high street business which…I can't remember who it was, just that it wouldn't work, but that is probably related to the fact these business mine the user data for commercial purposes, maybe…
As for the EU…that article 13 is something that should concern us all.
Thanks for the information, Richard. I’m going to do an article on censorship in Europe, and perhaps also one for the UK specifically.
It seems NordVPN fixed the issue in their last update, although the Killswitch doesn’t work now, trying to connect always times out.
Had a similar issue with Virgin Media here in Ireland using NordVPN. When using NordVPN on an iPhone, servers would connect but no website would be reachable and no apps would be able to access the internet, found out later that the NordVPN iOS app only supports using IKEv2. Setting up manually on the OpenVPN app worked, no issues at all, same when using the NordVPN client with OpenVPN on Windows 10 and Android, worked fine. Issue could be replicated across Virgin Media’s Cellular and Cable internet services, with other providers like Vodafone and Eir having no issues using IKEv2 or NordVPN. Found forum posts littered with people reporting IKEv2 connectivity issues on VM too. So seems some unscrupulous ISPs are blocking IKEv2 and the only way to know if an ISP is doing it is to try using it. A fresh reminder that not all ISPs are created equal.
Hi,
Be very careful with ProtonVPN. They will allow a FREE Version Download/Install. But, should you wish to uninstall/remove it, you will be required to buy a “one year subscription” to have access to that option. My Bitdefender Shredder cannot rid me of it.
I would more than appreciate it, if someone could share a method of accomplishing that feat.
That sounds unlikely to me.
If you’re still afflicted with this uninstall issue maybe you can post a screen capture of the window with the stipulation?
Q: did you download the installer direct from ProtonVPN?
Q: what platform?
A) if possible use another computer in case it’s compromised.
If you can isolate it from the internet and still follow up as mentioned below, disable it’s internet connection(s) physically if possible and make sure any wifi is not able to connect to any hotspot except one(s) you could turn off or unplug (ones you control), then disable the wifi network adapter on the computer.
If by some chance that stipulation is in fact in the terms I’d personally ignore it and go about culling that software from the system manually. If you do not know how to do that yourself you should have no problem finding help with it.
B) do not use the free VPN service anymore on the outside chance you have actually violated/exceeded some sort of limits to the free server which in turn has obligated you via its terms to pay for the excess use.
In the US, courts have been lax on enforcing various types of onerous garbage in terms weather they read the TOS or not. Hijacking your freedom to operate your computer is perhaps even criminal if it is in the terms. They in turn would perhaps be granted the ability to bill you even for predatory terms, read or not.
C) call or write ProtonVPN for support and bring this up to them. At least it should clarify if they are actually responsible for the issue.
D) try to discover if your system is compromised. Snag the Emergency Kit : https://www.emsisoft.com/en/home/antimalware/#emergency-kit
That’s for starters,
JN
Hello, Is there safe to use a VPN provider from Panama and connect to a local location for accessing local content when the local country is on the 9 eyes list?
Hi,
Thank you very much for this site and your work.
Sad for me to see my VPN provider here, It’s office based in Italy.
I noticed, you sometimes advice PerfectPrivacy and VPN.ac, so I looked at their info. I just want to mention that the software they provide is closed-source, so you never can be sure what does this software do exactly. As for me, it looks strange a bit in the context of usage. And it has poor functionality. For example, the VPN I use (but now will look for another) provides an open-source client software, available on gitHub, with lots of views and commits, and so on. It also has much advanced options than PerfectPrivacy’s do, because there is a big suggestion thread on the forum.
VPN.ac looks great for me if there was a way to manage double tunnel on linux with easy steps. I’ll try to find it.
Thank you for this article.
What VPN do you use? Since it’s open source I will check it out on GitHub. Thanks in advance.