The eye problem: do 5-9-14 Eyes matter?

Life in the post-Snowden leak world has left us with one certainty: we are being watched. Governments run a secret system, an alliance that spies on you every hour of every day. This, of course, means the old Five Eyes intelligence-sharing agreement and its cousins, Nine Eyes and Fourteen Eyes. But if a VPN is established in one of those countries, does that automatically mean it is insecure or that its users are being spied on? Actually, not really.

What are the Five Eyes?

Five Eyes countries are the ones that belong to the UK-USA Agreement for sharing signal intelligence. Nine Eyes and Fourteen Eyes add more countries to this list via some other pacts.

Five Eyes countries:

  • Australia,
  • Canada,
  • New Zealand,
  • The United Kingdom,
  • The United States

Nine Eyes countries:

  • Five Eyes + Denmark,
  • France,
  • The Netherlands,
  • Norway

Fourteen Eyes countries:

  • Nine Eyes + Belgium,
  • Germany,
  • Italy,
  • Spain,
  • Sweden

These pacts and alliances are meant to share signal intelligence – or, to translate into common parlance, all sorts of electronic eavesdropping. Collecting your browsing logs from the internet service provider (ISP) is probably the least esoteric of their tools and the one that worries people most. Still, collection can occur in a variety of ways and can grow into gargantuan programs like ECHELON.

What does that mean for a virtual private network provider?

The easiest way to measure the threat level is to consider where the service is based. If your VPN provider is in Belgium, they have to comply with Belgian laws. If, hypothetically, Belgian law states that VPN providers have to keep connection logs for five months and hand them over to anyone ranking higher than a traffic police officer, then the VPN would have to do that. 

However, the countries outside the primary grouping of Five Eyes can have substantially varying laws regarding privacy. Sweden, a Fourteen Eyes signatory, hasn’t applied laws establishing data retention requirements to VPNs, thus allowing them to operate with a no logs policy. However, there are still laws for demanding information and raiding the premises to seize data. 

Meanwhile, in the Netherlands, a Nine Eyes member, the Intelligence and Security Services Act (WIV in Dutch) prompted a referendum in 2018, with most voters opposing the measure. A special independent panel of judges was formed, and any surveillance request has to go through it. The restrictions placed after the referendum irritate the intelligence services to no end.

However, the government can still request logs from a VPN established there. What would a provider have to do? Well, a VPN provider with a no-logs policy wouldn’t have anything to give. And if the state decided to seize the servers physically, it would run into the issue of its local police not being able to raid a server in another country.

If the in-country infrastructure were attacked, RAM-only servers would automatically wipe even the least bit of encrypted data passing through them once disconnected from the electrical grid. At the same time, having a VPN based in a country doesn’t mean that the development or marketing department is located there as well. This means a raid is unlikely to accomplish much. To really get to sensitive data, the country would have to organize raids in other states – not a trivial task. This decentralized model of organization also makes it that much easier for a VPN to relocate to another country.
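The RAM-only claim above is only true if every path the VPN node writes runtime state to is actually backed by a volatile filesystem. The following is an added example, not code from the original article or from any VPN provider: it assumes a Linux host, parses a /proc/mounts-style table, and reports any state or log path that sits on a persistent filesystem (the sample mount table and the paths checked are constructed for the demo).

```python
"""Verify that a VPN node's runtime-state paths are RAM-only.

Added example (not from the article). Assumes Linux /proc/mounts format:
  <device> <mountpoint> <fstype> <options> <dump> <pass>
Spaces inside paths are escaped as \\040 in that file and are decoded here.
"""
from pathlib import PurePosixPath

# Filesystem types whose contents live only in RAM. Assumption: these are
# the types an operator would accept as "RAM-only" for this check.
VOLATILE_FS = {"tmpfs", "ramfs"}

# Constructed /proc/mounts excerpt: the root and /var/log are on tmpfs,
# but /var/lib/vpn (where a daemon might keep session state) is on a disk.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,relatime,size=2097152k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,noexec,size=262144k 0 0
/dev/sda1 /var/lib/vpn ext4 rw,relatime 0 0
"""

# Constructed list of paths a hypothetical VPN daemon writes to.
STATE_PATHS = ["/var/log/vpn.log", "/var/lib/vpn/sessions", "/run/vpn"]


def parse_mounts(text):
    """Return a list of (mountpoint, fstype) pairs in table order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, fields[2]))
    return mounts


def backing_mount(path, mounts):
    """Find the mount serving `path`: the longest mountpoint that is a prefix
    of it. The kernel lists mounts in mount order, so a later entry at the
    same mountpoint (e.g. tmpfs over rootfs at /) shadows the earlier one."""
    target = PurePosixPath(path)
    best = None
    for mountpoint, fstype in mounts:
        mp = PurePosixPath(mountpoint)
        if target == mp or mp in target.parents:
            if best is None or len(mp.parts) >= len(best[0].parts):
                best = (mp, fstype)
    return (str(best[0]), best[1]) if best else None


def persistent_paths(paths, mounts):
    """Return [(path, backing_mount)] for paths NOT on a volatile filesystem.
    An empty result means the checked state really is RAM-only."""
    leaks = []
    for p in paths:
        m = backing_mount(p, mounts)
        if m is None or m[1] not in VOLATILE_FS:
            leaks.append((p, m))
    return leaks


if __name__ == "__main__":
    # Run against the constructed table; on a real node you would read
    # /proc/mounts instead.
    table = parse_mounts(SAMPLE_MOUNTS)
    for path, mount in persistent_paths(STATE_PATHS, table):
        print(f"persistent: {path} is backed by {mount}")
```

On the constructed table only /var/lib/vpn/sessions is flagged, because it resolves to the ext4 mount at /var/lib/vpn; /run/vpn has no mount of its own and so inherits the tmpfs root. A check like this belongs in the node's boot-time health checks, since a single disk-backed directory is enough to defeat a RAM-only design.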

Of course, a question that cannot be ignored is intelligence services tapping a VPN provider illegally. While a VPN provider can do a lot to secure their servers, there are no measures that can prevent the physical tapping of the communication links. However, such tapping also has limited impact.

The thing about VPN servers is that they’re country-specific. So servers in Norway only handle the traffic of users who chose to connect through Norway. A spy won’t be able to read traffic between the server and the user (as it is encrypted) and will have a hard time determining which outgoing traffic belongs to whom.

In fact, a VPN service provider established in a Fourteen Eyes country with clearly expressed laws on surveillance, like the Netherlands, might be a more secure option than one placed in a random place like the Seychelles. If anything, a more lawful country with a history of standing up for its citizens’ privacy will have more protections in place (as well as an interest in keeping intelligence services, foreign or domestic, on a leash) than a country known only as a tax haven.

More than that, with a VPN established in an EU country, even one belonging to one of the -Eyes alliances, you can rely on one thing: General Data Protection Regulation. GDPR shook up the online world when it came out in 2018. So a VPN provider established in an EU country will have to be GDPR compliant, ensuring adequate protections for collected private data (if that data is being collected) while also making sure to not share it for purposes not outlined in the law.

At the end of the day, a VPN being established in an -Eyes country doesn’t mean anything on its own. Local data retention laws, the history of electronic data collection, and the infrastructure established by the VPN provider do. And no matter what country a VPN is established in, a UK VPN server will be located in the UK, potentially within reach of UK intelligence services if they want to tap it. And at that point, the technical expertise and sophistication of the VPN provider’s infrastructure will matter a lot more than whether or not the HQ is established in Bolivia.