5 Eyes, 9 Eyes, 14 Eyes: What It Means for VPN Users
The Five Eyes is an intelligence-sharing alliance between the US, UK, Canada, Australia, and New Zealand. If you use a VPN based in one of these countries, authorities can potentially compel the provider to log and share data — sometimes without the provider being able to notify you. However, if the VPN keeps no logs, the alliance is largely irrelevant.
The Five Eyes countries
The Five Eyes (FVEY) alliance was formalized in the post-WWII UKUSA Agreement. These five countries share signals intelligence (SIGINT) with each other, including internet communications data:
If a VPN is based in a Five Eyes country, it can be issued a National Security Letter (US) or equivalent order requiring it to log user data — with a gag order preventing disclosure to users.
- United States (NSA)
- United Kingdom (GCHQ)
- Canada (CSE)
- Australia (ASD)
- New Zealand (GCSB)
The Nine Eyes and Fourteen Eyes
Beyond the core Five, there are extended intelligence-sharing arrangements:
- Nine Eyes: Five Eyes + Denmark, France, Netherlands, Norway
- Fourteen Eyes: Nine Eyes + Germany, Belgium, Italy, Spain, Sweden
- Plus informally: Japan, South Korea, Singapore, Israel
VPN jurisdictions and what they mean
- Switzerland (ProtonVPN): Outside EU and Five/Nine/Fourteen Eyes. Strong Swiss Federal Privacy Act. No mandatory data retention.
- Panama (NordVPN): Outside 14 Eyes. No data retention laws. Cannot be compelled by US/EU courts directly.
- British Virgin Islands (ExpressVPN): UK territory but with separate laws — no mandatory data retention and difficult for UK authorities to compel.
- Sweden (Mullvad): In 14 Eyes. BUT Mullvad has no-email account creation and accepts cash — if there are no accounts, there's nothing to log.
- Netherlands (Surfshark): In 9 Eyes but EU GDPR protections apply.
Does jurisdiction actually matter if a VPN has no logs?
This is the crucial question. If a VPN genuinely keeps no logs, there's nothing to share regardless of jurisdiction. The risk scenario where jurisdiction matters: authorities order a VPN to start logging your future traffic. Even then, they'd need to identify you as a specific target first. For most users' threat models, a reputable no-logs VPN in any jurisdiction is adequate. For journalists, activists, or high-risk individuals — Swiss or Panamanian jurisdiction adds a meaningful additional layer.
Jurisdiction matters at the margins. A genuinely no-logs VPN in the US (like PIA, with proven court history) is safer than a Swiss VPN that secretly keeps connection logs.
Frequently asked questions
Is NordVPN in the 14 Eyes?
NordVPN is incorporated in Panama, which is outside the 5/9/14 Eyes alliances. Its parent company Nord Security has offices in multiple countries including Lithuania (EU), but the VPN service itself operates under Panamanian law.
Should I avoid 5 Eyes VPNs entirely?
Not necessarily. Private Internet Access (US-based) has had multiple FBI subpoenas and has never produced user data because none exists. The no-logs policy, if genuine, matters more than jurisdiction for most use cases.
Which country has the best VPN privacy laws?
Switzerland is generally considered the gold standard — outside EU and US jurisdiction, strong privacy laws, and a history of protecting privacy. Iceland, Panama, and the British Virgin Islands are also frequently cited as favorable jurisdictions.