We’re breaking down 5, 9 and 14 Eyes, particularly concerning VPN privacy, to help you understand why it’s essential to take this matter into account when paying for a VPN subscription.
For instance, if you download illegal torrents using a VPN service that takes advantage of your trust, logs your information and hands it over to the legal firm that issued the request, you might have as well downloaded the torrent without the VPN since the effect is the same.
There are two problems here: the VPN service is recording your activity (although some promise not to) and the company is located in a country that has specific laws about prohibiting the downloading and uploading of illegal torrents, like the countries in the 5, 9, 14 Eyes.
Here’s what you need to know next (click to jump to topic):
- Examining the 5, 9, 14 Eyes alliances
- Mass surveillance by country
- 5, 9, 14 Eyes and VPN jurisdiction
Examining the 5, 9, 14 Eyes alliances
Five Eyes, Nine Eyes, and Fourteen Eyes are mass surveillance agencies that focus on monitoring the activity of people using any electronic means of communication to flush out terrorists and any other threats to national and international security.
Here are the known agency members and suspected third-party contributors (click to jump to topic):
- 5 Eyes: Australia, Canada, New Zealand, the United Kingdom, the United States.
- 9 Eyes: 5 Eyes + Denmark, France, the Netherlands, Norway.
- 14 Eyes: 9 Eyes + Germany, Belgium, Italy, Sweden, Spain.
- Other supporters: Israel, Singapore, South Korea, Japan.
The members use shared resources and freely share information (also known as intelligence) among themselves through a centralized database. The governments of most countries explicitly forbid them from spying on their own citizens without using the appropriate legal channels.
However, the Eyes have a sneaky workaround for this: a country can request the services of another country to spy on its citizens and then share this data, according to a remark made by American whistleblower Edward Snowden.
Right after World War II, a secret treaty between the UK and US governments formed the UKUSA Agreement, which eventually set the foundation for Five Eyes, a mass surveillance alliance focused on national and international security.
Five Eyes is made out of Australia, Canada, New Zealand, the United Kingdom, and the United States. Edward Snowden put the agency in the spotlight in 2013 as part of the active secret surveillance agencies employed by the US government and allies. As a result, Five Eyes has been at the center of many worldwide controversies.
Nine Eyes and Fourteen Eyes
There are little known differences about the Five, Nine and Fourteen Eyes. While 5 Eyes consists of Australia, Canada, New Zealand, the United Kingdom, and the United States, 9 Eyes includes all these members and adds Denmark, France, Netherlands, and Norway. Meanwhile, 14 Eyes consists of all members from 9 Eyes, adding Belgium, Germany, Italy, Spain, and Sweden.
Therefore, Nine Eyes is an extension of Five Eyes, while Fourteen Eyes is an extension of Nine Eyes. However, the members of Five Eyes may choose to not disclose some information with the other colleagues from Nine Eyes or Fourteen Eyes. Similarly, data known only to Five Eyes and Nine Eyes can be kept away from Fourteen Eyes.
Third-party partners to the Eyes
Although not formally part of the 5, 9, 14 Eyes alliances, evidence suggests that Israel, Singapore, South Korea, and Japan give them a helping hand. Subsequently, these third-party partners have a certain level of access to the information collected by the Eyes, so they cannot be ignored when discussing mass surveillance.
Mass surveillance by country
Mass surveillance techniques are officially used for monitoring and preventing threats to national and international security, such as terrorist acts. But they are frequently criticized for abusing privacy rights, and this is undoubtedly important when it comes to VPN services and their ability to protect user privacy.
Mass surveillance agencies like 5, 9 and 14 Eyes (along with third-party contributors) were put in the spotlight by whistleblower Edward Snowden in 2013. The former NSA contractor leaked a wide range of top secret documents, including intelligence files from Five Eyes.
Australia (member of 5, 9, 14 Eyes)
An Australian law called Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 is forcing telecom providers to collect information about the activity of citizens and keep it for two years. The info includes caller ID (incoming and outgoing), call date, time and duration, location, sender and receiver email address, and others, but not the content itself.
Twenty-two Australian agencies can access and view this data anytime, without a warrant (only the metadata of journalists require a permit). Snowden disclosed at least 15,000 intel files, according to Australian officials. Many other details about Australian mass surveillance methods were left unsaid.
Australian residents should get equipped with a reliable VPN service to prevent ISPs from collecting their data. The VPN company shouldn’t be based in Australia either because it would be required by law to disclose details about its customers if it collects logs.
VPN services located in Australia: Celo VPN, VPNAUS, VPNSecure.
Canada (member of 5, 9, 14 Eyes)
According to Snowden, the official cryptologic agency of the Canadian Government called CSEC (Communications Security Establishment Canada) took advantage of airport wireless networks to track the location of residents. In 2013, Snowden revealed that the Canadian government gave free spying access to NSA at the G20 and G8 summits.
Later in 2015, Snowden exposed another mass surveillance project funded by the Canadian government, called Levitation. In this project, CSEC monitored and analyzed millions of videos and downloads globally downloaded by casual Internet users, in an attempt to detect any threats to national security. The same agency CSEC monitored millions of Canadian emails sent to the government.
As such, Canadian residents who use free public Wi-Fi and download content should employ the services of a VPN provider that’s not in Canada and which doesn’t store logs about their activity.
VPN services located in Canada: Betternet, Blockless, CactusVPN, GetFlix, RogueVPN, SurfEasy, TunnelBear, UnoTelly, VPN Land, Windscribe.
New Zealand (member of 5, 9, 14 Eyes)
In 2013, New Zealand’s leading provider of telecommunications cables, named Southern Cross Cable, was working closely with the NSA to spy on New Zealanders and collect user information about phone calls and Internet traffic through Internet cables.
In 2014, Snowden revealed that the spy agency of New Zealand called Government Communications Security Bureau (GCSB) was working hard to implement a mass surveillance tool named Project Speargun. It collected information about Internet citizens, although New Zealand’s Prime Minister at the time publicly denied the project’s existence.
GCSB was spying not only on New Zealand but also the Pacific Islands, China, and other countries. The project was eventually abandoned. But later in 2018, GCSB illegally gained information from the Customs and Immigration departments.
New Zealanders concerned with their online privacy can get around ISPs by turning to virtual private network services.
United Kingdom (member of 5, 9, 14 Eyes)
The Parliament of the United Kingdom approved the Data Retention and Investigatory Powers Act 2014. Authorities would still be able to access the metadata about phone call records and text messages that was collected and saved by companies. The bill also applied to organizations outside of the UK which used the country’s phone and Internet services. The act replaced the European Union’s Data Retention Directive that was repealed by the EU Court of Justice just two months before. Although the contents were normally inaccessible, the law made an exception if warrants were issued.
The act was annulled two years later. However, it was succeeded by the Investigatory Powers Act of 2016, which was heavily criticized by privacy experts. Dubbed as the IP Bill, it forced ISPs to retain data about Internet connection records for one year, such as visited websites and partial browsing history. It also allowed the police to access these logs without a warrant, as well as to hack into user devices and retrieve their data. The act was later ruled as unlawful by the European Court of Human Rights.
Considering the UK’s approach toward data privacy, it’s better for residents to hide their browsing habits by masking their online identity with a VPN application. Suffice it to say, VPN companies that collect logs receive negative marks if they’re also in the UK.
VPN services located in the United Kingdom: Expat Surfer, FlowVPN, HideMyAss, LibertyShield, My Expat Network, RUSVPN, TGVPN, TorVPN, TotalVPN, TVWhenAway, VPN.sh, VPNUK, WorldVPN, ZoogVPN.
The United States (member of 5, 9, 14 Eyes)
The most significant impact of the 2013 mass surveillance disclosures made by Edward Snowden was on the NSA. The intelligence files demonstrated that the NSA is capable of monitoring and intercepting phone calls and Internet traffic (including email and financial records) from any users in the world.
In June 2013, the first piece of information leaked by Snowden was a classified court order that showcased NSA getting hold of phone records from over 120 million Verizon subscribers.
On the very next day, the second piece of information was published by two newspapers at the same time, disclosing that a surveillance program called PRISM was collecting all sorts of useful details about foreigners and Americans, including email, text and video chats. The project was working on behalf of the USA and the UK. It was extracting data directly from the servers of US service providers, like Microsoft, Google, Facebook or Apple, demonstrating how these tech giants agreed to help the NSA.
USA residents are particularly vulnerable to privacy leaks due to the meddling of the NSA. Therefore, they should use a security solution like VPN to remove themselves from the NSA’s scope. However, USA-based VPN companies that collect and save user logs should be avoided.
VPN services located in the USA: AceVPN, AnonVPN, Anonymizer, BTGuard, CloakVPN, CrypticVPN, CryptoHippie, Disconnect.me, Encrypt.me, FlyVPN, FoxyProxy, FrostVPN, GhostPath, GoTrusted, Hide My IP, HideIPVPN, Hotspot Shield, IncognitoVPN, IntroVPN, IPinator, IPVanish, LibertyVPN, LiquidVPN, MyIP.io, MyVPN.Pro, Namecheap VPN, Netshade, Newshosting, Norton WiFi Privacy, OctaneVPN, Private Internet Access, PrivateTunnel, RA4W VPN, SigaVPN, SlickVPN, Speedify, Spotflux, StrongVPN, SunVPN, SuperVPN, Torguard, Tunnelr, Unseen Online, Unspyable, VikingVPN, Virtual Shield, VPN Master, VPN Unlimited, VPNJack, VPNMe, WiTopia.
Denmark (member of 9, 14 Eyes)
Since 2016, Denmark has been testing an automatic number plate recognition system (ANPR). With several stationary cameras and mobile cameras set up on police cars, ANPR’s goal was to monitor and analyze the activity of citizens to detect and prevent crime. It is currently being implemented with POL-INTEL, a modern Danish framework that lays the grounds of intelligence-based police work.
However, the ANPR system retains all license plates: not only the ones that the Danish police is interested in but also those who don’t raise any suspicions. Subsequently, this turns ANPR into a mass surveillance tool and has received public criticism.
VPN services located in Denmark: BeeVPN, Unlocator.
France (member of 9, 14 Eyes)
In 2015, the French parliament passed a bill called International Electronic Communications Law, which granted enhanced power to the French Directorate General for External Security (DGSE). It allowed DGSE to monitor and collect information about international communications without a warrant.
We’re not talking about just metadata as in the case of previously discussed countries, but also the exact contents. Phone calls or emails can be saved for up to 1 year, metadata for up to 6 years, and encrypted files for up to 8 years (possibly longer, in case of emergency). Moreover, the bill forces ISPs to collect and analyze the metadata of its clients to distribute it to intel groups. The UN Human Rights Council criticized this mode of operation.
French citizens concerned about secure browsing are better off opting for a VPN service that doesn’t store logs. And if it does, then it shouldn’t be based in France because it means sharing the records with the local authorities at their request.
VPN services located in France: ActiVPN, IdealVPN, IPjetable, Le VPN, MonVPN.
The Netherlands (member of 9, 14 Eyes)
In 2017, the Dutch government drafted the Intelligence and Security Agencies Act. With a focus on preventing crime, it would permit spying organizations to set up relays in households to intercept phone calls and Internet traffic, keep this information for up to three years, and distribute it to allies.
Both houses of parliament agreed to the new law. While an independent digital rights organization from the Netherlands was busy preparing to take the matter in a court of law, a group of students started gathering signatures required for triggering a nation-wide referendum. It was held in 2018, and most Dutch citizens voted against the bill.
Although the act never became law, it says much about the Dutch government’s intentions. Therefore, Dutch residents should practice caution when going online and resort to a VPN service to hide their online identity. At the same time, they should keep in mind that VPN companies based in the Netherlands are required by law to share logs with the police.
VPN services located in the Netherlands: GooseVPN, ProXPN, RootVPN, ShadeYou, WASEL Pro, WifiMask.
Norway (member of 9, 14 Eyes)
An investigation conducted in 2018 by The Intercept and the Norwegian Broadcasting Corporation looked into a surveillance base built in Norway with the help of the NSA. It appeared to support military troops overseas and to fight against terrorism. However, the station was collecting and storing metadata about emails and phone calls made between Norwegian citizens and their foreign acquaintances.
In 2015, a Norwegian was caught operating a torrenting website similar to The Pirate Bay. He was sentenced to six months in prison (with suspension) and forced to pay a steep fine.
In 2018, the Oslo District Court gave free access to a Danish law firm to pursue the real identity of almost 22,000 Norwegian IP addresses. Using this information, the law firm could seek cases involving illegal file sharing.
Considering the laws toward illegal file sharing, it’s essential for Internet users living in Norway to conceal their true identity with a dependable VPN service before downloading or uploading data to the web.
Belgium (member of 14 Eyes)
According to an allegation made by Snowden which was later backed by a confidential report submitted by Belgian prosecutors, Belgium’s infrastructure was hacked by the UK in 2013. It represented the first time when a member of the European Union was caught spying on an ally. Acting on ministry orders, hackers from the UK surveillance group Government Communications Headquarters (GCHQ) infiltrated the largest Belgian telecommunications provider, Belgacom (now known as Proximus).
The spying mission was made possible by previously planting listening devices in crucial areas of Belgacom in a covert operation named “Operation Specialist.” The purpose of GCHQ was to steal information about Belgacom subscribers, although the nature of this information remained unclear. The Minister of Foreign Affairs at the time made an unusual suggestion that the Belgian government allowed GCHQ to meddle in its affairs. It would be the reason why Belgium took no action against the UK.
Belgium has mandatory data retention legal acts that companies must comply with, including telecom providers. But they are only applicable in scenarios of strong suspicion and which require a warrant. Nevertheless, the Belgian government has expressed itself in favor of “blanket data retention.” The term means to indiscriminately collect all user data and create a pool of raw information, which can be further filtered by authorities to obtain what they need.
The attitude alone is enough to put off Belgian Internet users concerned with their privacy. Therefore, when seeking a trustworthy VPN service, it’s mandatory to inspect its logging policy.
Germany (member of 14 Eyes)
German airlines are required by law to collect and store data about their passengers for up to five years. In August 2017, the German government made a last-minute amendment to a bill about driving bans. It mentioned police using malware (“state Trojan“) to hack into devices and deactivate their defenses (such as end-to-end encryption used by WhatsApp or Viber) to retrieve useful information about suspects.
Injecting the state Trojan means that the computers and smartphones of all citizens are continuously monitored for suspicious activity. However, only police investigations dealing with severe cases could legally use the malware, like money laundering or counterfeiting. The bill eventually became law.
In March 2019, civil rights activists accused the German government of attempting to expand its mass surveillance powers. It’s because it drafted a bill that would permit spying agencies to hack into any Internet-enabled computer.
The intentions of the German government toward monitoring Internet traffic are pretty clear, so it shouldn’t be a surprise that many residents turn to virtual private network application to conceal their browsing habits. German-based VPN companies should be carefully inspected, mainly to check if they store logs.
VPN services located in Germany: Avira Phantom VPN, ChillGlobal, GoVPN, Internetz.me, Steganos, Traceless.me, Zenmate.
Italy (member of 14 Eyes)
Many Italian organizations filter access to over 6,000 websites, including streaming and P2P. It’s an ongoing operation, as more and more sites become restricted every day. ISPs directly block The Pirate Bay, and this was reinforced by the Supreme Court, which said it was necessary for preventing copyright infringement.
The Data Retention Directive issued by the European Union in 2006 became Italian law. As a consequence, all Internet service providers from Italy are legally obligated to collect and store details about their customers, which includes public IP address, visited websites, email contacts, and billing info.
There are no specific laws that prohibit file sharing, but this isn’t probably necessary since the Italian government swiftly takes measures to block websites. Nevertheless, Italian residents can remain on the safe side and avoid receiving ISP letters by resorting to a VPN service that can protect their privacy and unblock websites.
VPN services located in Italy: AirVPN.
Spain (member of 14 Eyes)
All ISPs have been blocking The Pirate Bay on multiple URLs since 2015. Spain is one of the EU countries that enforces the harshest fines meant to protect the privacy of Internet users. According to a ruling made by the European Court of Justice, search engines like Google must exclude links to third-party websites from search results, which contain sensitive information about the Spanish citizens who made the direct claim. It’s also known as “the right to be forgotten.”
However, freedom of speech was put into question in 2016, when a young woman named Cassandra Vera Paz posted several tweets, mocking a former prime minister’s mode of assassination in 1973 (involving a terrorist attack). Subsequently, she was sued for adding verbal injury to victims of terrorism. The case sparked the national and international outrage of people and organizations which considered that distasteful jokes on Twitter shouldn’t be enough to put someone behind bars. Even so, Paz was sentenced to 1 year in prison and a 7-year penalty of absolute disqualification by the National Court. The sentence was canceled in 2018 by the Supreme Court of Spain.
Spanish residents who find their freedom of speech to be challenging can add a layer of security with a VPN application. It can help preserve their anonymity when going online. At the same time, they should question VPN companies located in Spain, particularly if they record logs.
Sweden (member of 14 Eyes)
Swedish ISPs are required by law to record and store user metadata for a minimum of 6 months, based on the EU’s 2006 Data Retention Act that was finally implemented in 2012. This metadata includes IP addresses, visited websites, email logs, and logging times, among others. Afterward, a study showed that more and more Swedes are turning to anonymizers like VPN services to protect their online privacy.
In 2018, a court ruling requested Bahnhof, one of Sweden’s leading ISPs, to provide the personal information of its customers who were allegedly suspected of downloading pirated content. However, the ISP refused to comply in lack of judicial review or suspicion of crime.
In 2019, three Internet operators (Telia, Com Hem, Telenor) freely handed over their customer’s private information to copyright companies. Using this data, law firms acting on behalf of movie production companies would send extortion letters.
It’s clear that regular Internet users are blackmailed for allegedly downloading illegal content. To overcome this, Swedish residents can hide their online activity by securing their Internet sessions with a VPN solution.
VPN services located in Sweden: AzireVPN, FrootVPN, Integrity.st, IPredator, Mullvad, OVPN.com, PrivateVPN, PRQ.
Israel (third-party contributor)
2017 marked the beginning of Israel’s decision toward issuing Internet restriction laws. The legislative branch of the Israeli government (called Knesset) passed a law that permits ISPs to block websites linked to criminal activity, but only after receiving explicit permission from a district court judge. If the website’s company is in Israel, then its website must be removed entirely.
There are no laws about file sharing. However, iMesh, the Israel-based file-sharing network, was sued by eighteen music labels for copyright infringement at a US district court. Also, a study conducted in 2009 suggests that two big ISPs from Israel manipulate Internet traffic using Deep Packet Inspection (DPI).
As such, Israeli residents should consider using VPN applications to share files safely and hide their browsing activity from ISPs. Since Israel is a third-party contributor to the Eyes, you should pay attention to Israel-based VPN providers, especially if they save logging info.
VPN services located in Israel: SaferVPN, VPNShazam.
Singapore (third-party contributor)
Media Development Authority (MDA) is the body responsible for implementing and monitoring web censorship in Singapore. Three key players provide Internet services: Singtel, StarHub, M1. It’s mandatory for all ISPs to restrict access to banned websites which contain deemed as offensive by the MDA, such as adult-oriented and dating websites.
In May 2019, Singapore’s lawmakers approved a law that grants the government the right to remove any online content suspicious of promoting fake news. Named the Protection from Online Falsehoods and Manipulation Bill, it’s supposed to prevent any form of mass media manipulation that would affect Singapore citizens.
To exercise freedom of speech as well as unlock websites restricted by the MDA, Singapore residents can connect to the Internet through a virtual private network service.
VPN services located in Singapore: NolimitVPN.
South Korea (third-party contributor)
South Korea restricts access to any domains favoring North Korea, even the ones showing the slightest sign of sympathy. Any residents attempting to reach North Korea’s websites must suffer the consequences. Also, sites that host pornographic content are blocked by law.
South Korea is considered the first country that passed laws related to Internet censorship. It all started in 1995 with the Electronic Communication Business Law (ECBL), which lead to the Internet Communications Ethics Committee (ICEC). The ICEC was responsible for overseeing Internet traffic and making suggestions to the Minister of Communication concerning the type of content to remove. Roughly 220,000 messages were taken down in 1996.
In 2008, the South Korean government replaced ICEC with the Korea Communications Standards Commission (KCSC). KCSC obligated popular websites (with more than 100,000 daily visitors) to accept only visitors willing to sign up with their real name and social security number. Further, KCSC has permission to remove any content for 30 days immediately after a complaint is filed. No evidence is required to support the claim when it comes to this automatic removal.
In February 2019, South Korea was preparing a new law requiring foreign companies to cooperate with national organizations, so that they will be officially in South Korea’s jurisdiction. The government would be able to terminate the activity of any outside company that has personal user information about South Koreans, like Google or Facebook.
Since South Korea is keen on mass surveillance techniques, anyone who lives there should seriously consider adopting a VPN solution for securing their Internet activities.
Japan (third-party contributor)
It seems that Japan is generally favorable toward unrestricted Internet access and doesn’t hamper freedom of speech and expression on online channels. However, there have been some indicators pointing to Japan’s government encouraging self-censorship.
In 2001, the Japanese government issued the Provider Liability Limitation Act. It refers to the obligation of ISPs to handle removal requests that involve copyright infringement, defamation, and illegal or offensive content. Any person directly affected by this content can submit a request to the ISP to either take down the material or to find out who uploaded it.
Japan’s Copyright Act prohibits online piracy involving software, movies, anime, music, and manga. Illegal file sharing is not just a civil offense like in most countries, but a criminal one, having stricter penalties for uploading (up to ten years in prison) compared to downloading (up to two years). As such, anonymous P2P clients like Winny, Share and Perfect Dark are more popular among Japanese citizens than BitTorrent clients.
In 2016, the National Police Agency of Japan arrested 44 people suspected of copyright infringement via P2P networks. The report also says that downloading is now illegal in Japan. In 2019, a foreigner living in Japan was arrested for uploading an anime episode to the BitTorrent network, although it was available for free on YouTube.
Suffice it to say, Internet users living in Japan risk going to jail for illegal file sharing, so it’s better to opt for a VPN service to conceal their real identity.
VPN services located in Japan: VPN Gate.
5, 9, 14 Eyes and VPN jurisdiction
We have already established that people living in one of the Eyes countries or the third-party contributors risk compromising their digital privacy when connecting to the Internet through an unprotected network.
At the same time, those who have decided to resort to virtual private network services to secure their browsing activity should double-check before paying a VPN subscription to a company based within the Eyes jurisdiction. It must abide by the laws of its country, and this could mean exposing details about your online profile if requested by the police or law firms seeking compensation.
What about VPNs with a no-logs policy?
Not all VPN companies who are unfortunate enough to operate within a risky country will automatically betray you at the first sign of danger. Some of them go to great lengths to collect as little information as possible about your online profile, so there will be nothing worth exposing.
Such an example is Mullvad VPN. Although it’s in Sweden, it adopts a unique approach toward registering new users and also accepts cash payments to help preserve your anonymity.
What about using VPN servers in an Eyes country?
People investigating the 5, 9, 14 Eyes and their impact on VPN jurisdiction are right also to question VPN servers located in Eyes countries. Even if the VPN company itself is located somewhere safe, the VPN servers hosted in an Eyes country must follow its rules.
The Eyes country could demand the VPN server provider all information it has on the Internet connections made through the VPN, which can be traced back to you if the VPN company stores logs.
Therefore, if you want to remain on the safe side and if you don’t need to access a specific VPN server to unlock content that’s only available in an Eyes country, it’s better to opt for a VPN company and connect to servers that are outside of the 5, 9, 14 Eyes jurisdiction.
VPN companies based in safe countries
Here are some VPN services located outside of the 5, 9, 14 Eyes’ influence, whose countries practice safe laws and are not involved in mass surveillance:
- ExpressVPN, Surfshark – British Virgin Islands
- VPNArea – Bulgaria
- FastestVPN – Cayman Islands
- Avast Secureline – Czech Republic
- F-Secure Freedome – Finland
- AnonymousVPN, Buffered, IVPN – Gibraltar
- ZoogVPN – Greece
- BlackVPN, DotVPN, OneVPN, PureVPN, VPN.ht – Hong Kong
- Hide Me VPN – Malaysia
- NordVPN – Panama
- CyberGhost VPN, IBVPN, VPN.ac – Romania
- SpyOFF – San Marino
- Anonymous VPN, Astrill VPN, BolehVPN, Trust.Zone, VPNTunnel – Seychelles
- Perfect Privacy, ProtonVPN, VyprVPN – Switzerland
The 5, 9, 14 Eyes mass surveillance alliances play a huge role in online privacy, and they must not be overlooked when choosing a VPN service to hide your browsing activity from your ISP. It’s essential to check the whereabouts and logging policy of the company before paying for a premium VPN subscription.