Understanding VPN jurisdiction: 5 Eyes, 9 Eyes, 14 Eyes
When it comes to picking the right VPN provider, jurisdiction is important.
By jurisdiction, we mean where a VPN company is legally based and operates, not where its servers are located (although this matters too).
This is crucial for a number of reasons, but the major issue is state surveillance. You may not be aware of it, but security agencies in many developed nations have broad legal powers to monitor digital communications and collect metadata. As the 2013 revelations involving the National Security Agency (NSA) showed, large-scale surveillance programs do exist. It would be naive to assume that VPN companies are completely immune to government pressure or lawful data requests.
Globally, several powerful intelligence agencies cooperate through formal data-sharing alliances known as the 5 Eyes, 9 Eyes, and 14 Eyes. These groupings have implications for VPN providers headquartered within member countries, so let’s explore them in more depth.
If you’re looking for a VPN far away from prying eyes, several well-known providers operate from privacy-friendly jurisdictions. For example, NordVPN is headquartered in Panama, ExpressVPN in the British Virgin Islands, and Proton VPN in Switzerland. All three are based outside the 14Eyes alliance, and have undergone independent no-logs audits. CyberGhost (Romania) and PureVPN (Hong Kong) are also outside the 14 Eyes, though jurisdictional nuances should be considered alongside a provider’s logging policy and audit history.
5 Eyes alliance
The full Five Eyes list includes:
The alliance emerged from the UKUSA Agreement, signed in 1946, and has been updated for the digital age. The purpose of the agreement was to allow Cold War allies to share SIGINT (signal intelligence – intercepted communications and electronic data) seamlessly. The treaty remained classified for decades and was not officially acknowledged to the public until 2005.
Nowadays, the alliance focuses on intelligence sharing and cooperation, specifically in areas like counterterrorism, cybersecurity, and foreign intelligence. However, critics argue that surveillance practices in Five Eyes countries have included large-scale monitoring of online communications. And if certain laws prevent one member from digging into its people’s internet escapades, intelligence sharing between members has raised valid concerns that those agencies could instead simply obtain data that’s been collected by another partner country. For instance, the UK was found guilty of just that – asking the NSA to provide any data they pulled about United Kingdom residents before additional safeguards were clarified.
Why was the 5 Eyes agreement kept hidden from the people? Well, we still don’t know the full story and the true scope of information gathering carried out under the terms of the alliance. Nevertheless, the secrecy surrounding the alliance has raised concerns that the USA and its allies engaged in surveillance and intrusive activities that many citizens would find controversial.
It likely included the use of surveillance systems such as ECHELON, STONEGHOST, PRISM, and various other intelligence programs, which tapped into electronic communications across the world.
Do the 5 Eyes nations work alone?
If the surveillance activities that are associated with the UKUSA treaty were the only global intelligence-sharing framework, life would be easier for many privacy-conscious citizens. However, the core alliance doesn’t operate in complete isolation. Five Eyes countries maintain intelligence-sharing relationships with a range of other nations that supplement their capabilities, including:
- Israel
- Singapore
- Japan
- South Korea
- British Overseas Territories
Israel operates closely with the US government, providing and requesting security information on individuals of interest. It also has a thriving tech sector where cybersecurity is a major growth area. So users should be cautious about using Israeli VPNs.
Other partners include Asian nations like Singapore, Japan, and South Korea. Many of these countries came under the US sphere of influence during the Cold War, and continue to engage in intelligence cooperation. The same applies to British Overseas Territories like Bermuda or the Cayman Islands, which fall under UK jurisdiction.
9 Eyes alliance
We’ve looked at the famous 5 Eyes countries, but if you’ve been searching around for a VPN, there’s a good chance that you’ve also come across the 9 Eyes countries. This is where understanding VPN jurisdiction can get confusing, so it’s useful to be clear about who is in which “Eyes” group.
Here’s the full 9 Eyes list for reference:
- 5 Eyes countries
- Denmark
- France
- Norway
- Netherlands
Essentially, the 9 Eyes network is an extension of the 5 Eyes group, and there is a debate about how formalized its structures are, and how powerful it is.
The main reason we are having this debate is largely down to one man: Edward Snowden. When he went public with his revelations about the NSA back in 2013, Snowden exposed the scale of global surveillance programs and provided detailed insight into intelligence-sharing arrangements, including the 5 Eyes alliance.
What’s notable is that the 9 Eyes, and by extension the 14 Eyes, are generally understood to have more limited access to shared intelligence than the original 5 Eyes members. Not all information collected by 5 Eyes agencies is automatically shared with the rest of the group, and the inner circle is believed to maintain closer integration and deeper levels of cooperation.
According to Snowden’s disclosures, the original 5 Eyes are not intended to target each other directly under the principles of the UKUSA agreement. In theory, there should be no deliberate spying between the governments of member states. However, whether these rules are applied practically has been the subject of debate, particularly when intelligence is shared among partners.
14 Eyes alliance
As with the 9 Eyes countries, the 14 Eyes list includes:
This alliance is commonly associated with post-Cold War intelligence cooperation among NATO-aligned countries, and is often referred to as the “SIGINT Seniors Europe” grouping. But it is generally considered to be more loosely integrated into the circuits of global intelligence-sharing frameworks than countries in the core Five Eyes alliance.
In fact, this has led to some friction, with Germany calling for greater transparency and clarity around intelligence-sharing arrangements. In 2015, allegations emerged about the NSA spying on German government officials and institutions, so it’s easy to see why questions were raised about surveillance between allies and the limits of mutual protections.
However, the core nations have sought to protect their closer integration, leading some of the 14 Eyes countries to go their own way. In August 2018, the Germans announced a major new cybersecurity initiative along the lines of America’s DARPA, with the aim of strengthening digital independence from the USA/UK.
Recent years have also seen the rise of “Pirate Parties” in nations like Sweden, which prioritize digital freedom and privacy, contributing to broader public debates about surveillance and intelligence cooperation.
Surveillance systems used by the Eyes alliance
Naturally, this alliance has numerous ways to spy on people. And we only know about a fraction of programs used to collect and analyze citizen and communications information. Here are a few that received media attention, bringing them to light.
ECHELON
This surveillance program was originally created in the 1960s by the signatory states to the UKUSA Security Agreement to monitor communications from the Soviet Union and its Eastern Bloc allies. Today, those signatories form the core 5 Eyes countries, and ECHELON has greatly expanded beyond the original scope.
ECHELON’s existence was reported publicly as early as the 1990s, and later disclosures, including documents revealed by Snowden, provided further insight into its capabilities. Its systems have been described as capable of eavesdropping on telephones, faxes, computers, emails, bank accounts, and so much more. The infrastructure used for this purpose can process and store vast amounts of communication and individual metadata.
PRISM
A USA-led surveillance program that the NSA uses to request user data from technology and telecommunication companies under legal authority. Such information can include essentially any data that is passed over the company’s services, like emails, chat logs, photographs, documents, videos, etc.
The companies publicly identified in connection with PRISM are:
- Microsoft
- Yahoo!
- Paltalk
- YouTube
- AOL
- Skype
- Apple
- Dropbox
Do note that these companies have stated that they comply with lawful government requests rather than just handing out unrestricted access. As of today, the full scope and operational details of the PRISM program are still not publicly known.
XKeyscore
Another NSA-led program that allows near real-time monitoring of collected communications data. According to leaked documents, analysts could search through metadata, emails and their content, VoIP calls, browsing history, and other internet activity associated with a person.
It shouldn’t be surprising that the 5 Eyes countries share intelligence connected to data gathered through systems like this.
All eyes on VPN: using VPNs based in alliance member states
How do the 5 Eyes countries relate to VPN users?
In recent years, 5 Eyes governments have passed numerous laws that should concern VPN users.
For instance, the UK’s Investigatory Powers Act 2016 expanded surveillance and data retention powers, allowing authorities to require Internet Service Providers (ISPs) to retain and provide access to:
- Data on users’ browsing habits
- How long users spend connected to certain sites
- Users’ SMS messages
ISPs are legally obligated to comply with valid government requests and, in some cases, may be required to implement technical capabilities that enable lawful access to consumer data.
Most importantly, governments have recognized the growing use of VPNs and, in some jurisdictions, introduced regulations or enforcement measures affecting how VPN services operate. For privacy-conscious users, many experts now generally advise carefully considering a VPN provider’s jurisdiction and exercising caution when using servers located in 5 Eyes nations.
Are worries about the Five Eyes countries exaggerated?
While the intelligence-gathering abilities of Washington and GCHQ are formidable, they are generally focused on specific security threats and interests, not everyday web users.
- For many of us, government intrusion is less worrisome than the threat of cybercrime and identity theft, and your VPN jurisdiction is often less relevant when protecting yourself against these types of threats.
- Secondly, the 5 Eyes countries haven’t taken direct steps to ban or heavily restrict VPNs. Their efforts are focused more on ISPs and conventional traffic, along with cellphone networks. VPNs currently have very few requirements regarding data retention. If they state that they keep logs (or fail to make it clear that they don’t), that’s largely their decision, but companies must still comply with lawful government orders where applicable.
- VPNs based in 5 Eyes nations also tend to be transparent about their identity and how to reach them – in keeping with the regulatory environment in places like the UK, Australia, or Canada. This needs to be balanced against some non-5 Eyes operators, which can sometimes be less transparent about who they are and how they work.
So there’s room to question how dangerous the 5 Eyes alliance is when choosing a VPN jurisdiction. But bear in mind that we simply don’t know the full scope of how VPNs interact with bodies like the NSA, and given the past history of government surveillance programs, so some users prefer to minimize potential exposure by going with a VPN that’s based outside 5 Eyes countries.
Key VPNs in the 5 Eyes list
It might be handy to know a few popular VPNs that are based in 5 eyes nations, so here’s a quick list:
| VPN provider | Based in: |
| TunnelBear | Canada |
| Ace VPN | USA |
| BTGuard | Canada |
| FlyVPN | USA |
| LiquidVPN | USA |
| IPVanish | USA |
| StrongVPN | USA |
| VPNSecure | Australia |
| Windscribe | Canada |
| VyprVPN | Switzerland |
Should you worry if your VPN jurisdiction is on the 9 Eyes list?
Here’s another area where things get interesting. On one hand, third parties on the 9 Eyes list tend not to be as tightly connected as the core 5 Eyes members. As a result, some users view them as slightly safer jurisdictions for VPN providers. And plenty of VPNs have set up in these countries, such as GooseVPN (in the Netherlands) or ActiVPN (in France).
However, if you scroll through a list of the world’s most trusted VPNs, you’ll probably notice that many aren’t based in 9 Eyes countries. Some of the same security concerns that apply to 5 Eyes jurisdictions can also apply to the 9 Eyes members. VPNs located in places like Norway or France can still receive legal data requests from their own governments, and intelligence sharing between allied countries does happen.
Of course, you need to bear in mind that the risk is low for everyday users, but if you are using a VPN for sensitive business or political communications, the 9 Eyes alliance is just as perilous as the core 5 Eyes nations. In fact, while the 5 Eyes nations have rules about not targeting each other directly, intelligence cooperation between partners is still complex.
As with the 5 Eyes nations, this tends to lead experts to advise users who want the best possible security protection to think carefully before choosing a VPN based in a 9 Eyes country.
Some popular VPNs in the 9 Eyes countries include:
| VPN Provider | Based in: |
| ActiVPN | France |
| GooseVPN | Netherlands |
| ProXPN | Netherlands |
| VPN4All | Netherlands |
| Surfshark VPN | Netherlands |
Is it dangerous to use a VPN based in 14 Eyes countries?
The answer to this question is similar to the other alliances. Yes, it can be slightly riskier to use VPNs based in 14 Eyes countries compared to those outside the alliance.
There have been cases of these informal information-sharing networks being used to issue DMCA notices from US-based corporations, targeting file-sharers in other jurisdictions. And users in 14 Eyes nations can still be subject to surveillance laws, which can matter when transmitting sensitive information.
However, as we stressed above, these risks are relative.
In general, 14 Eyes countries are slightly more autonomous where privacy is concerned than their partners in the core alliances. And for ordinary users, the risks are small.
For reference, here are some major VPNs based in the 14 Eyes countries:
| VPN provider | Based in: |
| AirVPN | Italy |
| Avira Phantom VPN | Germany |
| AzireVPN | Sweden |
| ChillGlobal | Germany |
| PrivateVPN | Sweden |
| Integrity VPN | Sweden |
| Mullvad VPN | Sweden |
| OVPN | Sweden |
| Steganos Online Shield | Germany |
| Zenmate | Germany |
Should I use a VPN based outside the 14 Eyes list?
By now, you’re probably asking yourself whether you should always look for VPNs based outside the 14 Eyes umbrella. There are certainly plenty of good reasons to do so.
Most importantly, VPNs located outside the core nations may face fewer direct legal obligations and state surveillance originating in the USA. So if you intend to work around geo-blockers or torrent large amounts of data, they could be the right option.
This is especially important if you are worried about protecting personal communications from government surveillance. If privacy is your major concern, choosing a VPN jurisdiction outside the 14 Eyes can be an important factor.
So, where should you look? Given that the world now has over 200 nations, there shouldn’t be any lack of contenders. Several things you should pay attention to while picking a VPN provider:
- Jurisdiction. Ideally, the VPN is based outside the influence of the 14 Eyes alliance, including closely allied nations. Such services may face fewer obligations to collect or hand over any user data. Furthermore, they are generally not directly subject to data requests issued by foreign governments, but they must still comply with the laws of the country in which they operate.
- Audited no-logs policy. Any service can claim to have a no-logs policy they adhere to, but where’s the proof that no data collection is happening behind the scenes? Here’s where independent audits done by reputable third parties come into play. They help verify whether a provider’s logging practices match its public claims. Even better if you can view audit documentation and results yourself.
- Any past controversies. Some VPNs have cooperated with law enforcement in the past, often because they were keeping connection logs at the time or their policies were simply unclear. Examples frequently cited include services like Riseup or HMA VPN. A little research can help you identify past incidents and decide whether a provider’s current policies and audit history meet your expectations.
Leading VPNs that operate outside the 5/9/14 Eyes systems
| VPN provider | Based in: |
| NordVPN | Panama |
| VPNArea | Bulgaria |
| Perfect Privacy | Switzerland |
| Proton VPN | Switzerland |
| VPN.ac | Romania |
| ZorroVPN | Belize |
| PureVPN | British Virgin Islands |
| ExpressVPN | British Virgin Islands |
| CyberGhost | Romania |
Generally, VPNs in countries like Switzerland or Panama are often seen as offering stronger legal privacy protections, especially if they offer features like “multi-hop” transmission. So when choosing your next VPN, take jurisdiction into account. It’s an important part of ensuring online security, so it pays to keep your eyes open and exercise caution.
Other online privacy measures to consider
With so much data and our lives being shared on the web, you should think about minimizing how much you share of yourself online. We recommend:
- Pseudonyms and anonymous mail. Anonymous mail services encrypt your emails and are designed to minimize the amount of personal information that could be traced back to you.
- Privacy-friendly browsers. Many popular web browsers, like Chrome and various other Chromium-based options, collect browsing and usage data for analytics or marketing purposes. Switching to a more privacy-focused browser can help reduce such data collection. The most popular choices include Brave and Tor.
- Encrypted messaging apps. Not all messaging apps that utilize end-to-end encryption fully protect your metadata or avoid collecting other identifiable data (for example, WhatsApp collects certain metadata). There are better alternatives, like Signal, that do not participate in such practices. Meanwhile, other popular options like Telegram also offer end-to-end encryption in its Secret Chats mode.
- Just don’t overshare. While it might be tempting to post the latest vacation photos on Instagram or share life updates on Facebook or X/Twitter, is it really worth it? Any kind of personal information you put on the internet can remain accessible for a long time, even after deletion. And it can potentially be accessed or misused by third parties, whether governments, companies, or cybercriminals.
Bottom line
With so much data being collected online, privacy is a major concern for many internet users. And the 5, 9, and 14 Eyes alliances aren’t the only groups involved in large-scale surveillance. Countries like China, Russia, India, and countless other countries also maintain extensive surveillance capabilities.
If you wish to retain some semblance of privacy, at least invest in a secure VPN. Data encryption is one of the best ways to protect your online activity, as it makes your traffic unreadable to outsiders. When choosing a provider, pay attention to jurisdiction, audited no-logs policies, and overall security features. Services like NordVPN (Panama), ExpressVPN (British Virgin Islands), Proton VPN (Switzerland), PureVPN (Hong Kong), and CyberGhost (Romania) are strong, secure VPN options since they operate outside the 14 Eyes and have undergone independent audits. In the end, understanding the laws behind your VPN can protect you just as much as the features on its website.
![Surfshark weekly deals logo [IN USE]](https://media.vpnpro.com/surfshark-weekly-deals.svg){kind=small}
![Proton VPN winner logo [IN USE]](https://media.vpnpro.com/2025/05/protonvpn-winner.png){kind=small}
FAQ
What does 5 Eyes country mean?
The 5 Eyes alliance is an intelligence-sharing network comprising the United States, the United Kingdom, Canada, Australia, and New Zealand. While large-scale data collection has happened, its primary purpose is to cooperate on signals intelligence (SIGINT), specifically by collecting and sharing information that’s related to national security and foreign threats.
Is there a VPN outside the Eyes?
Yes, there are multiple VPNs located outside the 5/9/14 Eyes alliances. A few of the more popular options are NordVPN, ExpressVPN, CyberGhost, Proton VPN, and PureVPN.
Is Surfshark outside of 14 Eyes?
Surfshark is headquartered in the Netherlands, a member of the 9 Eyes alliance. However, the company adheres to a no-logs policy that has been audited by an independent third parties. Hence, it’s one of the few trustworthy VPNs based within the alliance.
Is NordVPN outside of 14 Eyes?
Yes, NordVPN is based outside of the 14 Eyes alliance – Panama. The country does not have mandatory data retention laws specifically requiring VPN providers to collect and store their user activity logs. Furthermore, the service has undergone several no-logs policy audits without any troublesome findings.
Can you be tracked with a VPN?
Yes, you can still be tracked while using a VPN. While a VPN encrypts your internet traffic and hides your IP address from your ISP, it does not stop tracking through cookies, browser fingerprinting, or logged-in accounts. For better online privacy, use a VPN together with a privacy-focused browser like Firefox or Tor Browser, along with tracker-blocking extensions.
