When it comes to picking the right VPN provider, jurisdiction is important.
By jurisdiction, that means where the company providing a VPN is actually based, and not where its servers are located, but that matters too.
This is crucial for a number of reasons, but the major issue is state surveillance.
You may not be aware of it, but security agencies in most developed
nations have the ability to snoop and monitor almost everything you do.
And they use these powers to the full, as the NSA scandals showed.
It
would be naïve to think that VPNs are immune to their intrusive
activities.
5 Eyes alliance
The full five eyes list includes:It
emerged from the UKUSA security agreement, signed in 1946, and has been
updated for the digital age. The idea behind the agreement was to
ensure that Cold War allies could share SIGINT (signal intelligence)
seamlessly. And the treaty also sought to keep this information sharing
under wraps, remaining secret to the public until 2005.
Nowadays, the core aim of the alliance is to monitor their citizens’ online activity.
And if certain laws prevent one member from digging into its peoples’
internet escapades, they can just ask another Eye to do the dirty work
for them. The UK was found guilty of just that – asking the NSA to
provide any data they pulled about United Kingdom residents.
Why
was the 5 Eyes agreement kept hidden from the people? Well, we still
don’t know the full story and the true scope of information gathering
carried out under the terms of the alliance. But the implication is that
the USA and its allies were engaged in detailed surveillance and
intrusive activities which electorates would find controversial.
It
very likely included the use of ECHELON, STONEGHOST, PRISM, and various
other surveillance systems, which tapped into electronic communications
across the world.
Do the 5 Eyes nations work alone?
If
the intrusive operations permitted by the UKUSA treaty were the only
global surveillance network, life would be easier for many spying-wary
citizens. However, the core alliance doesn’t operate on its own. It has
also gathered a series of satellite partners, that supplement its
intelligence-gathering capabilities:
Israel
operates hand in glove with the US government, providing and requesting
security information on individuals of interest. It also has a thriving
tech sector where cybersecurity is a major growth area. So users should
be cautious about using Israeli VPNs.
Other partners include
Asian nations like Singapore, Japan, and South Korea. All of these
countries came under the US sphere of influence during the Cold War, and
retain intelligence sharing systems with Washington. The same applies
to British Overseas Territories like Bermuda or the Cayman Islands.
9 Eyes alliance
Here’s the full 9 Eyes list for reference:
Essentially the 9 Eyes network is an extension of the 5 Eyes group, and there is a debate about how formalized its structures are, and how powerful it is.
The main reason we are having this debate is down to one man: Edward Snowden.
When he went public with his revelations about the NSA back in 2013,
Snowden lifted the veil from the NSA’s global surveillance structures,
confirming the existence of the 5 Eyes list.
What’s notable is that the 9 Eyes, and by extension the 14 Eyes, don’t have the same privileges as the 5 Eyes.
Not all information collected by 5 Eyes members is available to the
rest of the group, but the core nations are privy to all data gathered
by the rest of the alliance countries, including satellite partners.
According to Snowden, the original 5 Eyes are not supposed to target each other.
So, there should be no wiretapping by the USA of UK government
meetings, and Australian ministers should be free to use the web without
their activities being logged by the NSA. But that doesn’t really apply
to other members.
14 Eyes alliance
As with the 9 Eyes countries,
the 14 Eyes list includes:
This
alliance also emerged directly from the Cold War and NATO structures,
being christened the “SIGINT Seniors Europe” grouping. But it is much
more loosely integrated into the circuits of global intelligence sharing
than countries in the core alliance.
In fact, this has led to some friction, with Germany demanding
greater access to intelligence data. In 2015, allegations emerged about
the NSA spying on German government meetings, so it’s easy to see why
they would want the protection from mutual spying that being in the 5
Eyes provides.
However, the core nations have sought to protect
their privileges, leading some of the 14 Eyes countries to go their own
way. In August 2018, the Germans announced a major new cybersecurity initiative along the lines of America’s DARPA, with the aim of establishing digital independence from the USA/UK.
Recent
years have also seen the rise of “Pirate Parties” in nations like
Sweden, which prioritize digital freedom and privacy, making governments
less inclined to strengthen their ties to bodies like the NSA.
Surveillance systems used by the Eyes alliance
Naturally,
this alliance has numerous ways to spy on people. And we only know
about a fraction of systems used to monitor and gather citizen
information. Here are a few that received media attention, bringing them
to light.
ECHELON
This surveillance program was originally
created in the 1960s to spy on the Soviet Union and its Eastern Bloc
allies by the signatory states to the UKUSA Security Agreement. Now,
they are the core 5 Eyes countries, and ECHELON has greatly expanded
beyond the original scope.
According to the documents leaked by
Snowden, ECHELON’s systems are capable of eavesdropping on telephones,
faxes, computers, emails, bank accounts, and so much more. And the
computers used for this purpose can store millions of records about
individuals.
PRISM
USA-led surveillance program
the NSA uses to request user data from technology and telecommunication
companies. Such information includes essentially anything that is
passed over the company’s network. We’re talking about emails, chat
logs, photographs, documents, videos, etc.
The confirmed companies participating in PRISM are:
- AOL
- Apple
- Dropbox
- Facebook
- Google, YouTube
- Microsoft
- Paltalk
- Skype
- Yahoo!
As of today, the true extent of the PRISM program is still unknown.
XKeyscore
Another
NSA-led program that allows surveillance in real-time and the agents
intercepting your communications don’t require a warrant to do so. With
XKeyscore, they can parse through metadata, emails and the content on
them, VoIPs, browser history, and any other internet activity associated
with a person.
It shouldn’t be surprising that the 5 Eyes countries have access to these surveillance databases.
All eyes on VPN: using VPNs based in alliance member states
How do the 5 Eyes countries relate to VPN users?
In recent years, 5 Eyes governments have passed numerous laws which should concern VPN users.
For instance, the UK’s Investigator Powers Act empowered GCHQ to collect the following:
- Data on users’ browsing habits
- How long users spend connected to certain sites
- Users’ SMS messages
These nations have also beefed up their powers to force Internet Service Providers (ISPs) to hand over data regarding individual users,
again using national security as an excuse. And ISPs have tended to
comply, adding backdoors when asked which allow security agencies to
access the flow of consumer data.
Most importantly, governments
have recognized the increasing usage of VPNs and taken steps to
neutralize the threat they pose. Experts now generally advise users to avoid companies based in 5 Eyes nations and to exercise caution when using servers located in these nations.
Are worries about the Five Eyes countries exaggerated?
While the intelligence-gathering abilities of Washington and GCHQ are formidable, they are generally focused on specific security threats and interests, not everyday web users.
- For many of us, government intrusion is less worrisome than the threat of cyber-crime and theft, and your VPN jurisdiction doesn’t matter too much when facing down these threats.
- Secondly, the 5 Eyes countries haven’t taken direct steps to regulate VPNs. Their efforts are focused more on ISPs
and conventional traffic, along with cellphone networks. VPNs currently
have very few requirements regarding data retention. If they state that
they keep logs (or fail to make it clear that they don’t), that’s their
decision, not the state’s.
- VPNs based in 5 Eyes nations also tend to be transparent about their identity and how to reach them
– in keeping with the regulatory environment in places like the UK,
Australia or Canada. This needs to be balanced against non-5 Eyes
operators, who can sometimes be very hazy about who they are, and how
they work.
So there’s room to question how
dangerous the 5 Eyes is when choosing a VPN jurisdiction. But bear in
mind that we simply don’t know the full scope of how VPNs interact with
bodies like the NSA, and given the past history of governments, there’s a
decent chance that VPNs in 5 Eyes countries have working relationships
with spooks.
Should you worry if your VPN jurisdiction is on the 9 Eyes list?
Here’s another area where things get interesting. On one hand, third parties on the 9 Eyes list tend to have less intrusive surveillance agencies than the 5 Eyes.
So they should be more trustworthy as hosts for VPN providers. And
plenty of VPNs have set up in these countries, such as GooseVPN (in the
Netherlands) or ActiVPN (in France).
However, if you scroll
through a list of the world’s most trusted VPNs, you’ll probably notice
that many aren’t based in 9 eyes countries. The same security concerns apply to 9 Eyes jurisdictions
as to those in the five eyes list. VPNs located in places like Norway
or France are liable to be subpoenaed by the FBI or other agencies, forcing them to either release logs or hand over encryption key data.
Of
course, you need to bear in mind that the risk is low for everyday
users, but if you are using a VPN for sensitive business or political
communications, the 9 Eyes alliance is just as perilous as the core 5
Eyes nations. In fact, given that the 5 Eyes nations have an agreement
not to spy on each other, there may be a higher probability of VPNs in
third party nations being compromised.
As with 5 Eyes nations,
this tends to lead experts to advise those in need of the best possible
security protection to avoid a VPN jurisdiction in the 9 Eyes network.
Is it dangerous to use a VPN based in 14 Eyes countries?
The answer to this question is exactly the same as with the other alliances. Yes, it tends to be riskier to use VPNs based in 14 Eyes countries than those outside the alliance.
There
have been cases of these informal information-sharing networks being
used to issue DMCA notices from US-based corporations, targeting
file-sharers in other jurisdictions. And anyone in a 14 Eyes nation can
expect the same kind of intrusion from state surveillance agencies,
making them dangerous for transmitting sensitive information.
In general, 14 Eyes countries will be slightly more autonomous where privacy is concerned than their partners in the core alliances. And for ordinary users, the risks are small.
Should I use a VPN based outside the 14 Eyes list?
By
now, you’re probably asking yourself whether you should always look for
VPNs based outside the 14 Eyes umbrella. There are certainly plenty of
good reasons to do so.
Most importantly, VPNs located outside the core nations will be much more tightly protected against legal challenges and state surveillance originating in the USA. So if you intend to work around geo-blockers or torrent large amounts of data, they could be the right option to go for.
This
is especially important if you are worried about protecting personal
communications from the eyes of the state. If privacy is your major
concern, choosing a VPN jurisdiction outside the 14 Eyes is essential.
So,
where should you look? Given that the world now has over 200 nations,
there shouldn’t be any lack of contenders. Several things you should pay
attention to while picking a VPN provider:
- Jurisdiction.
Ideally, the VPN is based outside the influence of the 14 Eyes
alliance, including the satellite nations. Such services won’t be forced
to collect or hand over any user data. Furthermore, they aren’t
required to comply with data requests dished out by other countries.
- Audited no-logs policy.
Any service can claim to have a no-logs policy they adhere to, but
where’s the proof no data collection is happening behind the scenes?
Here’s where independent audits done by reputable third parties come
into play. And better yet if you can view audit documentation and
results yourself.
- Any past controversies. Many
VPNs with “strict no-logs audits” have cooperated with governments in
the past, like Riseup, HMA VPN, and such. A little digging around with
Google helps reveal services that you shouldn’t trust from the get-go.
Generally, VPNs in countries like Switzerland or Panama will deliver enhanced protection against snoopers,
especially if they offer techniques like “multi-hop” transmission. So
when choosing your next VPN, take jurisdiction into account. It’s a key
part of ensuring online security, so it pays to keep your eyes open and
exercise caution.
Other online privacy measures to consider
With
so much data and our lives being shared on the web, you should think
about minimizing how much you share of yourself online. We recommend:
- Pseudonyms and anonymous mail. Anonymous mail services encrypt your emails and usually don’t contain any information that could be traced back to you.
- Privacy-friendly browsers.
Most web browsers like Chrome and various others that run on Chromium
collect your browsing data for marketing purposes. Switching to a secure browser helps solve this. The most popular choices include Brave and Tor.
- Encrypted messaging apps.
Not all messaging apps that utilize end-to-end encryption protect your
metadata or abstain from collecting other identifiable data. (WhatsApp
is notorious for this). There are better alternatives, like Telegram or
Signal, that do not participate in such practices.
- Just don’t overshare.
While it might be tempting to post the latest vacation photos on
Instagram or share life updates on Facebook or Twitter, is it really
worth it? Any kind of personal information you put on the internet stays
there forever. And it’s easy pickings for any entity (government or
not).
What is also important is who owns your VPN.
When it comes to the true ownership of various VPN products and
brands, it’s crucial to know which company owns or operates the users’
data. There are two big possible issues to consider.
1. Data privacy
If the parent companies are actually located in Fourteen Eyes countries, which are typically high-surveillance countries, users’ data could be wide open to the governments.
Suppose
they are in Russia, China, and other authoritarian or repressive
regimes. Then, the governments force them to provide data on a default
basis (we discussed this in our Chinese surveillance analysis). The parent company may also be willing to sell user data.
In
2019, US senators planned an investigation into the foreign servers
used to redirect traffic when using a VPN. Senators Marco Rubio (R-FL)
and Ron Wyden (D-OR) noted the following [pdf]:
“If
US intelligence experts believe Beijing and Moscow are leveraging
Chinese and Russian-made technology to surveil Americans, surely DHS
should also be concerned about Americans sending their web browsing data
directly to China and Russia.”
For ultimate safety, a VPN shouldn’t operate in any of the 5, 9, or 14 Eyes alliance countries.
A privacy-friendly jurisdiction means there’s no push to collect your
data or what you do while the VPN is turned on. As such, locations like
Panama, Switzerland, The British Virgin Islands, Romania, and so on, are
what you should look for. If you want the best VPN service tucked away
from the clutches of the Eyes alliance, we recommend getting NordVPN, now 74% off.
2. Data security
If
the owning company is untrustworthy, it could bring up many problems.
We’re talking about parent companies with major vulnerabilities or even suspicious add-ons and possible phishing emails with malware. This could lead to stolen data user data or even hacked computers.
This is especially applicable if you’re entrusting yourself to free VPN brands. We understand the appeal, but, ultimately, they aren’t worth it since you’re paying for these services with your data instead. In fact, numerous costless VPN providers have been caught collecting various information about their users.
Let’s take Betternet.
They promise utmost privacy and security, yet what’s actually happening
behind the scenes couldn’t be further away from it. The company behind
it was busted for logging and selling user data to third parties, as
well as embedding third-party trackers into its VPN Android app.
Another example is Hola VPN.
For them, stealing and reselling your bandwidth is fair game. And the
VPN itself isn’t really a private virtual network, but rather a P2P
network. Here, the user itself is the endpoint other people connect to,
meaning strangers are cloaking themselves in your IP address. If they do
something that’s illegal, you’re the one who’s going to get busted for
it, not the actual perpetrators.
Whatever VPN you choose, make sure you know it's current place of business and the country's current law with regards to privacy, as changes to the law are getting worse and worse with regards to your privacy.
