5 Eyes, 9 Eyes, 14 Eyes nations: Who are they? What do they do? And what do they have to do with VPNs? Read on and we'll answer all these questions and more.
Do you remember 2013, when former NSA contractor Edward Snowden leaked thousands of classified documents to the press?
Those documents brought to light the scope of the mass surveillance conducted by the NSA. They provided critical details on the surveillance technology the NSA built and deployed in secret.
In that stash of documents were details of many of the NSA’s spying programs, such as XKEYSCORE and PRISM, to name but a few. There have been countless revelations made public from the Snowden archive, many of which are quite disturbing.
But there was something else in the archive. The documents also confirmed the existence of spying alliances forged between many powerful nations: the Five Eyes, the Nine Eyes, and the Fourteen Eyes.
That enough eyes for you? 🙂
In 1946, the United States and the United Kingdom forged an intelligence-sharing alliance, to facilitate spying on foreign nations, with a particular focus on the USSR. This agreement was initially called BRUSA and later renamed the UKUSA Agreement. As time went by, the alliance accepted new members and expanded its mission to include domestic surveillance.
The alliance enabled the member nations to bypass the legal barriers that prevent a State from spying on its citizenry. One member State could spy on another's citizenry and share the gathered intelligence. For example, the UK spies on US citizens and then shares that intelligence with the US.
In 1948, Canada joined the alliance. And by 1956, Australia and New Zealand had also joined. They were five nations - the Five Eyes:
The 5 Eyes member States include:
- United States
- United Kingdom
- Canada
- Australia
- New Zealand
In time, electronic communication became more prevalent. Our communications were increasingly going through telephones, faxes, computers, and mobile devices. The Five Eyes alliance adapted to this reality by deploying ECHELON. By the end of the 20th century, ECHELON had grown to become "a global system for the interception of private and commercial communications".
ECHELON is a distributed network of electronic spying sites. The Guardian describes it as follows:
“A global network of electronic spy stations that can eavesdrop on telephones, faxes, and computers. It can even track bank accounts. This information is stored in Echelon computers, which can keep millions of records on individuals. Officially, however, Echelon doesn't exist”.
This alliance is constantly evolving. As such, other nations beyond the original five have since joined the alliance. This is why you may have heard the names 9 Eyes and/or 14 Eyes.
The 9 Eyes is an expanded alliance, which includes Denmark, France, the Netherlands, and Norway, on top of the original five nations. The 9 Eyes alliance is not as closely knit as 5 Eyes. The types of access Denmark, France, the Netherlands, and Norway have to 5 Eyes resources and intelligence are somewhat limited.
These four “extra” nations are considered third parties. A third party is a member State that participates in a given intelligence program on a case-by-case basis. The 9 Eyes alliance is not backed by any treaty. It is more an arrangement between the member States’ intelligence agencies.
The 9 Eyes member States include:
- United States
- United Kingdom
- Canada
- Australia
- New Zealand
- Denmark
- France
- Netherlands
- Norway
The 14 Eyes alliance is much like the 9 Eyes, with more countries involved. But it is a separate group from the 9 Eyes. The 14 Eyes alliance includes the 9 Eyes member States, plus Belgium, Germany, Italy, Spain, and Sweden. These fourteen nations cooperate in signals intelligence sharing.
These additional five States are considered third parties. Like the 9 Eyes, it is simply an arrangement between intelligence agencies. However, the 14 Eyes alliance is referred to more formally as the SIGINT Seniors of Europe (SSEUR).
The 14 Eyes member States include:
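- United States
- United Kingdom
- Canada
- Australia
- New Zealand
- Denmark
- France
- Netherlands
- Norway
- Belgium
- Germany
- Italy
- Spain
- Sweden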
What does this mean for VPNs?
So what does this spying network mean for VPN users? Well, it means that if you use a commercial VPN based in one of the 14 Eyes countries, your data could be intercepted. Or your VPN provider could be forced to hand over your data to the authorities.
If your VPN provider is compelled by law to hand over your data, it was likely also served a gag order. A gag order prevents them from informing you they were forced to provide a copy of your data to law enforcement. Once in the hands of one member State, your data could well be shared with the others.
Not the ideal scenario for a VPN user, right? Right.
Most articles on this subject will warn VPN users to stay away from VPN providers in 14 Eyes countries. The rationale is covered in the two paragraphs above. Your data could end up in their hands.
But is that all there is to it? Choose a VPN operating from other parts of the world and you’re fine? Of course not. Like most things, the reality is more subtle.
Using a VPN in a 14 Eyes nation does indeed expose you to the risk that your data may be collected by these States. But do you have a guarantee that a non-14 Eyes nation-State won’t coerce your provider into sharing your data with them? No, you don't. And nation-States can cooperate in any number of ways and on any number of issues. Your data could still end up in their hands. The risk may be lower, but it is still there, to be sure.
And inversely, would your data automatically be shared with 14 Eyes nation-States, if using a VPN in one of those countries? The answer is again, no.
No Logs, Please
Much more important than jurisdiction is the VPN provider’s logging policy.
When you use a VPN, all your traffic first transits through the VPN server. It is then sent on its way to the website you queried. You implicitly trust your VPN provider significantly. Your VPN provider has the ability to view all your traffic and could easily build detailed profiles on its users, à la Google.
This is the main reason why it is common wisdom to stay away from free VPN services. They typically serve you ads, which lower your level of privacy. They also often log your traffic to sell it to marketing firms. As you have probably heard many times by now: If you’re not paying for a service, you are the product.
A trustworthy commercial VPN won’t be free and will have a strong no-logging policy. It will also back that policy with a technological infrastructure set up for no-logging. You will still need to trust them to be true to their word. But a commercial VPN that does not prominently display its no-logging policy on its website does not deserve your trust.
What Does No-Logging Mean?
No-logging obviously means that your VPN provider does not log your traffic: that is, the websites and services you query, or your DNS requests.
No-logging means your payment information is not tied to your account. This could be difficult if paying with PayPal or a credit card. If you are very concerned about the privacy of your data, choose a VPN provider that accepts cash or bitcoins.
And no-logging also means that they don’t keep your origin IP address (your ISP-provided IP address). It also means they don't keep timestamps of when you connect to and disconnect from the server(s).
If a VPN provider is properly set up to run a no-logging service, when law enforcement comes knocking, they'll have nothing to hand over.
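As an added illustration (not part of the original article and not any provider's code), the script below audits a server log for three of the items listed above: origin IP addresses, connect/disconnect timestamps, and DNS queries. The log format, the sample lines and the 10.8.0.0/24 tunnel range are constructed assumptions.

```python
import ipaddress
import re

# Assumption: clients get tunnel addresses from this range, so any other
# address in a log line is treated as a customer's ISP-assigned origin IP.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"\b\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\b")
SESSION_RE = re.compile(r"\b(?:dis)?connected\b")
DNS_RE = re.compile(r"\bquery\[[A-Z]+\]\s+\S+")

# Constructed sample lines in a made-up format, not taken from any provider.
SAMPLE_LOG = """\
2020-03-30 21:14:02 203.0.113.45:51820 peer connected, assigned 10.8.0.6
2020-03-30 21:14:09 query[A] example.org from 10.8.0.6
2020-03-30 22:40:51 client-7 disconnected, bytes_in=48213 bytes_out=9120
server started, listening on udp/1194
"""


def findings_for(line):
    """Return the kinds of user-identifying data retained in one log line."""
    found = set()
    for text in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        if addr not in TUNNEL_NET:
            found.add("origin_ip")
    # A timestamp only identifies a session when tied to a connect/disconnect.
    if TS_RE.search(line) and SESSION_RE.search(line):
        found.add("session_timestamp")
    if DNS_RE.search(line):
        found.add("dns_query")
    return found


def audit(log_text):
    """Map 1-based line numbers to the sorted findings for that line."""
    report = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        found = findings_for(line)
        if found:
            report[number] = sorted(found)
    return report


if __name__ == "__main__":
    for number, found in audit(SAMPLE_LOG).items():
        print(f"line {number}: retains {', '.join(found)}")
```

A log that passes this kind of audit returns an empty report, which is the state in which a provider has nothing to hand over.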
The Private Internet Access Example
In 2016, the FBI was investigating a man called Preston McWaters, for making a false bomb threat.
McWaters stalked a former co-worker, named Devon Kenny. He harassed her in a number of ways, including text messages, social media posts and just showing up at her house. His harassment then escalated to making several fake bomb threats in the name of Kenny’s boyfriend at the time.
Through the course of their investigation, the FBI compelled Facebook and Twitter to hand over data on McWaters. From there, they started investigating different IP addresses they had associated with McWaters.
One of the IP addresses associated with McWaters was traced back to USA-based VPN provider, Private Internet Access. Private Internet Access has always stood by their strict no-logging policy. And as we just stated, they are based in the US.
So what happened?
According to TorrentFreak:
“A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States”.
PIA had nothing more to give the FBI than a vague statement. It is only because of their no-logging policy and infrastructure, that PIA was able to “opt-out” of sharing its data with the FBI. You can’t share what you don’t have…
Here is London Trust Media Executive Chairman Andrew Lee’s statement on the matter, as reported by TorrentFreak:
Eyes Vs. Logs
We are in the golden age of mass surveillance. That much is clear. Using a VPN based in 5, 9 or 14 Eyes nations does put you at a higher risk of having your data harvested. But using a VPN based in a non-14 Eyes nation is no guarantee that it won’t be.
The real factor is the no-logging policy and technological infrastructure. So do your homework before giving your trust. Here is a good overview of Which VPN Providers Keep You Anonymous to start your research. Stay safe!
5, 9 & 14 Eyes: What Does It All Mean for VPN Users?
By Marc Dahan
Last updated: April 1, 2020