A common assumption is that VPNs based in the 5-9-14 Eyes countries are inherently less private. In reality, a VPN’s privacy level is shaped by its infrastructure, internal privacy and data-logging policies, as well as national data protection laws.
There are quite a few misconceptions surrounding the Eyes alliances, especially related to VPNs, so let’s see what the actual case is.
What are the Five-Nine-Fourteen Eyes?
The Five, Nine, and Fourteen Eyes are intelligence-sharing alliances that allow the allied countries to cooperate on signals intelligence (SIGINT).
It all started with the UKUSA Agreement — a secret pact signed in 1946 between the United States and the United Kingdom during the early Cold War — intended for sharing intercepted military and diplomatic communications to counter emerging global threats.
That agreement later added Canada, Australia, and New Zealand, forming what is now known as the Five Eyes alliance.
Over time, more allied countries were brought into this intelligence-sharing arrangement, giving rise to the Nine Eyes and Fourteen Eyes groups — although their access to shared data is generally more limited than that of the Five Eyes core.
|
Alliance
|
Members
|
Purpose
|
|
Five Eyes
|
US, UK, Canada, Australia, New Zealand
|
Core signals intelligence alliance
|
|
Nine Eyes
|
US, UK, Canada, Australia, New Zealand, France, Netherlands, Norway, Denmark
|
Extended cooperation
|
|
Fourteen Eyes
|
US, UK, Canada, Australia, New Zealand, France, Netherlands, Norway, Denmark, Germany, Belgium, Italy, Spain, Sweden
|
Wider intelligence sharing
|
Do the 5-9-14 Eyes alliances affect VPN users?
VPN safety depends on the provider, not the alliance membership. If a VPN provider is based in a country that is part of the Five, Nine, or Fourteen Eyes alliances, it doesn’t automatically make VPNs unsafe, but it does make factors like jurisdiction laws, provider’s logging practices, and infrastructure more important.
What actually matters for VPN users
Here are some things that VPN users need to take into account:
- Privacy laws of the jurisdiction — the country where a VPN provider is based determines which data protection and disclosure laws apply. When choosing a VPN, look for a privacy-friendly jurisdiction that limits mandatory data retention and has user-focused privacy laws — these privacy protections reduce how much information providers can or are required to collect and keep;
- No-logs VPNs have nothing to share — if a VPN provider doesn’t collect or store any logs, there’s no meaningful user data to hand over. This means that even if authorities request user information, the provider simply has nothing to share. That’s why you should be choosing a service with strict, independently audited no-logs policies;
- Modern infrastructure limits data retention — VPNs that use RAM-only servers don’t write data to physical hard drives and automatically wipe all data when servers are restarted. This eliminates the possibility of long-term storage and further reduces the risk of user data being retained or exposed.
Surfshark maintains a strict no-logs policy, meaning it does not track or store users’ browsing activity. This policy has also been independently verified, adding an extra layer of transparency and accountability. Surfshark’s RAM-only infrastructure ensures no data is ever written to physical storage, and it’s wiped on every reboot, while strong encryption protects your data and prevents unauthorized access.
Additionally, the Netherlands operates under GDPR (General Data Protection Regulation), one of the world’s strongest — if not the strongest — data protection frameworks.
The Netherlands distinguishes itself as one of the most privacy-oriented countries in the world. Its data protection is governed by Dutch and EU law, including the GDPR — widely recognized as the global gold standard for user privacy and personal data protection.
Goda Sukackaitė, Senior Privacy Counsel at Surfshark
What this means is that VPN providers can offer strong privacy protections as long as their policies and infrastructure are designed with privacy in mind. Being based in a country that belongs to the 5-9-14 Eyes countries, in practice, plays no role in defining how secure and private your VPN is.
How VPNs protect you
A well-designed VPN can significantly improve your online privacy, regardless of where it is based. If a service provider combines strong policies with privacy-first infrastructure, a VPN can limit what information is available, even under legal pressure.
No-logs policy
A true no-logs VPN doesn’t track or store what you do online. Surfshark’s no-logs policy has been independently verified, meaning external experts found no usable data that can be handed over if authorities make a request.
RAM-only servers and diskless architecture
Using RAM-only or diskless architecture means no data is written to hard drives. Surfshark’s RAM-only servers ensure that everything runs in temporary memory and is automatically wiped whenever a server turns off or reboots. This reduces the risk of data retention — no user data can be physically stored or recovered — and makes physical server seizure meaningless.
Strong, modern encryption
VPN encryption prevents third parties from reading your internet traffic. Surfshark uses robust, industry-standard encryption like AES-256 and ChaCha20, and supports modern, secure VPN protocols, such as WireGuard, OpenVPN, and IKEv2.
Kill switch and leak protection
Built-in safety features like a kill switch and DNS/IP leak protection help ensure your real IP (Internet Protocol) address isn’t accidentally exposed if the VPN connection drops. This adds an extra layer of protection, especially on public or unstable networks.
Unlimited devices for full-coverage privacy
Privacy shouldn’t be limited to one device. Surfshark allows unlimited simultaneous connections, helping protect your phone, laptop, tablet, and other compatible devices under one account so that your privacy stays consistent.
Common misconceptions about the 5-9-14 Eyes
Discussions around the Five, Nine, and Fourteen Eyes alliances often come with a lot of confusion and, sometimes, exaggeration. A lot of the information about these alliances is not fully public — most of what is available to our knowledge comes from leaked documents and investigative reporting done by media outlets.
However, we can address some of the most common myths regarding Five, Nine, and Fourteen Eyes VPNs:
- Being in a 5-9-14 Eyes country automatically makes a VPN unsafe. In reality, a VPN’s safety depends more on its logging policy and infrastructure than on its location. A VPN that doesn’t keep logs and uses privacy-focused technology can effectively protect users, even if it’s based in or operates within an Eyes country;
- Using a VPN in 5-9-14 Eyes countries is illegal. In actuality, VPNs are completely legal in all allied countries, including the US, the UK, Canada, and Australia, and across most of Europe. VPNs here are widely used for everyday privacy, security on public Wi-Fi networks, and even remote work;
- Governments can see all VPN traffic. Connecting to a VPN encrypts your internet traffic, making it unreadable to outside parties. So, while governments can request data from VPN providers under certain legal conditions, encrypted traffic itself isn’t visible. And if a VPN keeps no logs, there’s little to obtain.
Jurisdiction vs. server location
Another thing that people commonly confuse is the difference between where a VPN company is registered and where its servers are located:
- VPN jurisdiction refers to the country where the VPN company is legally based. This is what determines which laws apply for user data collection, retention, and sharing;
- Server location refers to the actual geographic location of individual VPN servers around the world. A VPN provider can operate servers in multiple countries across the globe, even if the company itself is headquartered in a single country.
This is an important distinction, as legal obligations typically apply to the company, not to every country where it operates servers.
Recent developments
In recent years, we’ve seen a shift toward clearer rules around data sharing, including the EU–US Data Privacy Framework in 2023 that aims to regulate how personal data moves between Europe and the United States.
At the same time, allied countries started focusing on tackling cybercrime and ransomware, as well as focusing on infrastructure security, not just traditional intelligence gathering. Despite these changes, VPN encryption remains a key user-level safeguard, helping protect personal data from interception, regardless of how governments cooperate behind the scenes.
Final thoughts: choose a privacy-first VPN
Choosing a privacy-first VPN ultimately comes down to what the provider does with your data, not just where it’s based. Strong internal privacy policies, a proven no-logs approach, and privacy-focused infrastructure matter far more than jurisdiction alone.
That’s why VPNs like Surfshark — with independently verified no-logs policies, RAM-only servers, and modern encryption — are a great choice. When privacy is the priority by design, you can stay protected without relying on fear or assumptions.
