When it comes to picking the right VPN provider, jurisdiction is important.
By jurisdiction, we mean the country where the company operating the VPN is legally based, as distinct from where its servers are located. Server location matters too, but it is the company's home jurisdiction that determines which laws, warrants and data requests it must answer to.
This is crucial for a number of reasons, but the major issue is state surveillance.
You may not be aware of it, but security agencies in most developed nations have the ability to snoop and monitor almost everything you do. And they use these powers to the full, as the NSA scandals showed.
It would be naïve to think that VPNs are immune to their intrusive activities.
5 Eyes alliance
The 5 Eyes are the United States, the United Kingdom, Canada, Australia and New Zealand. The alliance emerged from the UKUSA agreement, signed in 1946, and has been updated for the digital age. The idea behind the agreement was to ensure that Cold War allies could share SIGINT (signals intelligence) seamlessly. The treaty also sought to keep this information sharing under wraps, and its existence was not publicly acknowledged until 2005.
Nowadays, a core activity of the alliance is monitoring its own citizens' online activity. And if domestic law prevents one member from digging into its own people's internet escapades, it can ask another Eye to do the dirty work. The UK was caught doing just that: in 2015 the Investigatory Powers Tribunal ruled that GCHQ's arrangements for receiving data the NSA had collected on UK residents had been unlawful.
Why was the 5 Eyes agreement kept hidden from the people? Well, we still don’t know the full story and the true scope of information gathering carried out under the terms of the alliance. But the implication is that the USA and its allies were engaged in detailed surveillance and intrusive activities which electorates would find controversial.
It very likely included the use of ECHELON, STONEGHOST, PRISM, and various other surveillance systems, which tapped into electronic communications across the world.
Do the 5 Eyes nations work alone?
If the intrusive operations permitted by the UKUSA treaty were the only global surveillance network, life would be easier for many spying-wary citizens. However, the core alliance doesn't operate on its own. It has also gathered a series of satellite partners which supplement its intelligence-gathering capabilities:
- Israel
- Singapore
- Japan
- South Korea
- British Overseas Territories
Israel operates hand in glove with the US government, providing and requesting security information on individuals of interest. It also has a thriving tech sector where cybersecurity is a major growth area. So users should be cautious about using Israeli VPNs.
Other partners include Asian nations like Singapore, Japan, and South Korea. All of these countries came under the US sphere of influence during the Cold War, and retain intelligence sharing systems with Washington. The same applies to British Overseas Territories like Bermuda or the Cayman Islands.
9 Eyes alliance
Here’s the full 9 Eyes list for reference:
- 5 Eyes countries
- Denmark
- France
- Norway
- Netherlands
Essentially the 9 Eyes network is an extension of the 5 Eyes group, and there is a debate about how formalized its structures are, and how powerful it is.
The main reason we are having this debate is down to one man: Edward Snowden. When he went public with his revelations about the NSA back in 2013, Snowden lifted the veil on the NSA's global surveillance structures, confirming the existence of the 5 Eyes list.
What’s notable is that the 9 Eyes, and by extension the 14 Eyes, don’t have the same privileges as the 5 Eyes. Not all information collected by 5 Eyes members is available to the rest of the group, but the core nations are privy to all data gathered by the rest of the alliance countries, including satellite partners.
According to Snowden, the original 5 Eyes are not supposed to target each other. So, there should be no wiretapping by the USA of UK government meetings, and Australian ministers should be free to use the web without their activities being logged by the NSA. But that doesn’t really apply to other members.
14 Eyes alliance
This alliance also emerged from Cold War and NATO structures and is formally known as the "SIGINT Seniors Europe" (SSEUR) grouping. It adds Germany, Belgium, Italy, Spain and Sweden to the 9 Eyes. But it is much more loosely integrated into the circuits of global intelligence sharing than the countries in the core alliance.
In fact, this has led to some friction, with Germany demanding greater access to intelligence data. In 2015, allegations emerged about the NSA spying on German government meetings, so it’s easy to see why they would want the protection from mutual spying that being in the 5 Eyes provides.
However, the core nations have sought to protect their privileges, leading some of the 14 Eyes countries to go their own way. In August 2018, the Germans announced a major new cybersecurity initiative along the lines of America’s DARPA, with the aim of establishing digital independence from the USA/UK.
Recent years have also seen the rise of “Pirate Parties” in nations like Sweden, which prioritize digital freedom and privacy, making governments less inclined to strengthen their ties to bodies like the NSA.
Surveillance systems used by the Eyes alliance
Naturally, this alliance has numerous ways to spy on people. And we only know about a fraction of systems used to monitor and gather citizen information. Here are a few that received media attention, bringing them to light.
ECHELON
This surveillance program was originally created in the late 1960s by the signatories of the UKUSA agreement (today's core 5 Eyes countries) to spy on the Soviet Union and its Eastern Bloc allies. ECHELON has since expanded well beyond that original scope.
According to leaked documents and public inquiries, ECHELON's systems are capable of intercepting telephone calls, faxes, computer traffic, emails, banking transactions and much more. And the computers used for this purpose can store millions of records about individuals.
PRISM
A US surveillance program under which the NSA obtains user data directly from technology and telecommunications companies. The information covers essentially anything stored on or transmitted through the company's systems: emails, chat logs, photographs, documents, videos, etc.
The companies named as participants in the leaked PRISM slides are:
- AOL
- Apple
- Facebook
- Google, YouTube
- Microsoft
- Paltalk
- Skype
- Yahoo!
The same slide listed Dropbox as "coming soon". As of today, the true extent of the PRISM program is still unknown.
XKeyscore
Another NSA program, which allows near-real-time searching of intercepted traffic; the analysts running queries do not need a warrant to do so. With XKeyscore, they can search metadata, emails and their content, VoIP calls, browsing history, and any other internet activity associated with a person.
It shouldn’t be surprising that the 5 Eyes countries have access to these surveillance databases.
All eyes on VPN: using VPNs based in alliance member states
How do the 5 Eyes countries relate to VPN users?
In recent years, 5 Eyes governments have passed numerous laws which should concern VPN users.
For instance, the UK's Investigatory Powers Act 2016 empowered agencies such as GCHQ to collect the following:
- Data on users’ browsing habits
- How long users spend connected to certain sites
- Users’ SMS messages
These nations have also beefed up their powers to force Internet Service Providers (ISPs) to hand over data regarding individual users, again citing national security. And ISPs have tended to comply, adding backdoors on request that give security agencies access to the flow of consumer data.
Most importantly, governments have recognized the increasing usage of VPNs and taken steps to neutralize the threat they pose. Experts now generally advise users to avoid companies based in 5 Eyes nations and to exercise caution when using servers located in these nations.
Are worries about the Five Eyes countries exaggerated?
While the intelligence-gathering abilities of the NSA and GCHQ are formidable, they are generally focused on specific security threats and interests, not everyday web users.
- For many of us, government intrusion is less worrisome than the threat of cyber-crime and theft, and your VPN jurisdiction doesn’t matter too much when facing down these threats.
- Secondly, the 5 Eyes countries haven’t taken direct steps to regulate VPNs. Their efforts are focused more on ISPs and conventional traffic, along with cellphone networks. VPNs currently have very few requirements regarding data retention. If they state that they keep logs (or fail to make it clear that they don’t), that’s their decision, not the state’s.
- VPNs based in 5 Eyes nations also tend to be transparent about their identity and how to reach them – in keeping with the regulatory environment in places like the UK, Australia or Canada. This needs to be balanced against non-5 Eyes operators, who can sometimes be very hazy about who they are, and how they work.
So there’s room to question how dangerous the 5 Eyes is when choosing a VPN jurisdiction. But bear in mind that we simply don’t know the full scope of how VPNs interact with bodies like the NSA, and given the past history of governments, there’s a decent chance that VPNs in 5 Eyes countries have working relationships with spooks.
Should you worry if your VPN jurisdiction is on the 9 Eyes list?
Here's another area where things get interesting. On one hand, the additional members of the 9 Eyes tend to have less intrusive surveillance agencies than the 5 Eyes. So they should be more trustworthy as hosts for VPN providers. And plenty of VPNs have set up in these countries, such as GooseVPN (in the Netherlands) or ActiVPN (in France).
However, if you scroll through a list of the world's most trusted VPNs, you'll probably notice that many aren't based in 9 Eyes countries. The same security concerns apply to 9 Eyes jurisdictions as to those on the 5 Eyes list. VPNs located in places like Norway or France can still be compelled to release logs or hand over encryption key material: a US agency such as the FBI can route a request through the local authorities under a mutual legal assistance treaty (MLAT), or the local agency can make the request on its own account.
Of course, you need to bear in mind that the risk is low for everyday users, but if you are using a VPN for sensitive business or political communications, the 9 Eyes alliance is just as perilous as the core 5 Eyes nations. In fact, given that the 5 Eyes nations have an agreement not to spy on each other, there may be a higher probability of VPNs in third party nations being compromised.
As with 5 Eyes nations, this tends to lead experts to advise those in need of the best possible security protection to avoid a VPN jurisdiction in the 9 Eyes network.
Is it dangerous to use a VPN based in 14 Eyes countries?
The answer to this question is exactly the same as with the other alliances. Yes, it tends to be riskier to use VPNs based in 14 Eyes countries than those outside the alliance.
There have been cases of these informal information-sharing networks being used to issue DMCA notices from US-based corporations, targeting file-sharers in other jurisdictions. And anyone in a 14 Eyes nation can expect the same kind of intrusion from state surveillance agencies, making them dangerous for transmitting sensitive information.
In general, 14 Eyes countries will be slightly more autonomous where privacy is concerned than their partners in the core alliances. And for ordinary users, the risks are small.
Should I use a VPN based outside the 14 Eyes list?
By now, you’re probably asking yourself whether you should always look for VPNs based outside the 14 Eyes umbrella. There are certainly plenty of good reasons to do so.
Most importantly, VPNs located outside the core nations will be better insulated against legal challenges and state surveillance originating in the USA. So if you intend to work around geo-blockers or torrent large amounts of data, they could be the right option to go for.
This is especially important if you are worried about protecting personal communications from the eyes of the state. If privacy is your major concern, choosing a VPN jurisdiction outside the 14 Eyes is essential.
So, where should you look? Given that the world has close to 200 nations, there shouldn't be any lack of contenders. Several things you should pay attention to while picking a VPN provider:
- Jurisdiction. Ideally, the VPN is based outside the influence of the 14 Eyes alliance, including the satellite nations. Such services are far less likely to be forced to collect or hand over user data, and they aren't automatically required to comply with data requests issued by other countries. Bear in mind that every jurisdiction has some legal process for compelling a local company, so this reduces the risk rather than removing it.
- Audited no-logs policy. Any service can claim to adhere to a no-logs policy, but where's the proof that no data collection is happening behind the scenes? This is where independent audits by reputable third parties come into play. Better yet if you can view the audit scope, documentation and results yourself.
- Any past controversies. Several VPNs with "strict no-logs" claims have cooperated with governments in the past, such as Riseup and HMA VPN. A little digging around with Google helps reveal services that you shouldn't trust from the get-go.
Generally, VPNs in countries like Switzerland or Panama will deliver enhanced protection against snoopers, especially if they offer techniques like “multi-hop” transmission. So when choosing your next VPN, take jurisdiction into account. It’s a key part of ensuring online security, so it pays to keep your eyes open and exercise caution.
Other online privacy measures to consider
With so much data and our lives being shared on the web, you should think about minimizing how much you share of yourself online. We recommend:
- Pseudonyms and anonymous mail. Anonymous mail services encrypt your emails and usually don't require any information that could be traced back to you.
- Privacy-friendly browsers. Most web browsers, like Chrome and various others built on Chromium, collect your browsing data for marketing purposes. Switching to a privacy-focused browser helps solve this. The most popular choices include Brave and Tor Browser.
- Encrypted messaging apps. Not all messaging apps that use end-to-end encryption protect your metadata or abstain from collecting other identifiable data (WhatsApp is notorious for this). Signal is a better alternative that collects almost no metadata. Telegram is often recommended here too, but its regular chats are not end-to-end encrypted by default; only its "secret chats" are.
- Just don’t overshare. While it might be tempting to post the latest vacation photos on Instagram or share life updates on Facebook or Twitter, is it really worth it? Any kind of personal information you put on the internet stays there forever. And it’s easy pickings for any entity (government or not).
1. Data privacy
If the parent company is located in a Fourteen Eyes country, which are typically high-surveillance countries, users' data could be wide open to those governments.
Suppose instead that it is in Russia, China or another authoritarian or repressive regime. Then the government can compel it to provide data as a matter of course (we discussed this in our Chinese surveillance analysis). The parent company may also be willing to sell user data.
In 2019, US senators called for an investigation into the foreign servers used to redirect traffic when using a VPN. Senators Marco Rubio (R-FL) and Ron Wyden (D-OR) noted the following:
“If US intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia.”
For ultimate safety, a VPN shouldn't operate in any of the 5, 9, or 14 Eyes alliance countries. A privacy-friendly jurisdiction means there's no legal requirement to log who you are or what you do while the VPN is turned on. As such, locations like Panama, Switzerland, the British Virgin Islands, Romania, and so on, are what you should look for. If you want a VPN service tucked away from the clutches of the Eyes alliance, we recommend NordVPN.
2. Data security
If the owning company is untrustworthy, it could bring up many problems. We're talking about parent companies with major vulnerabilities in their software, or even suspicious add-ons and phishing emails carrying malware. This could lead to stolen user data or even compromised computers.
This is especially applicable if you’re entrusting yourself to free VPN brands. We understand the appeal, but, ultimately, they aren’t worth it since you’re paying for these services with your data instead. In fact, numerous costless VPN providers have been caught collecting various information about their users.
Let’s take Betternet. They promise utmost privacy and security, yet what’s actually happening behind the scenes couldn’t be further away from it. The company behind it was busted for logging and selling user data to third parties, as well as embedding third-party trackers into its VPN Android app.
Another example is Hola VPN. For them, stealing and reselling your bandwidth is fair game. And the VPN itself isn’t really a private virtual network, but rather a P2P network. Here, the user itself is the endpoint other people connect to, meaning strangers are cloaking themselves in your IP address. If they do something that’s illegal, you’re the one who’s going to get busted for it, not the actual perpetrators.