5-Eyes, 9-Eyes, and 14-Eyes agreement explained

Discussions of online privacy often refer to Five Eyes, Nine Eyes, or Fourteen Eyes countries. This extended alliance of governments has been linked to surveillance across the globe, including the unconstitutional collection of data on their own citizens. Although the origins of this organization go back to the 1940s, little was known about it until the media leaks over the past decade, including the Snowden revelations of 2013.

So what exactly are the 5-Eyes, 9-Eyes, and 14-Eyes alliances? What exactly do they do? How dangerous are they for your privacy and wellbeing? And crucially, how do you minimize exposure? I’ll answer all these questions in my article.

5-Eyes alliance

The Five Eyes alliance (FVEY) consists of the 5 parties to the UKUSA Agreement:

• US
• UK
• Canada
• Australia
• New Zealand

The main purpose of this agreement is to provide a framework for sharing signals intelligence data among its signatories. What exactly does that imply?

To understand the Five Eyes, it’s important to know what signals intelligence (SIGINT) is. This term essentially means two things:

• Communications intelligence (COMINT) – interception of voice communications, such as telephone calls, as well as text comms (emails, text messages, etc.)
• Electronic intelligence (ELINT) – use of electronic sensors to signals unrelated to communication, e.g. signals from radars or surface-to-air missile systems

5 Eyes countries have intelligence agencies such as the NSA (US) or GCHQ (UK) gathering mass signals intelligence data (i.e. spying) on people in various parts of the world and sharing it with each other.

Although these activities are mainly directed towards geopolitical adversaries (China, Russia, Iran, etc.), no country is truly exempt from such surveillance. As a matter of fact, documents leaked by Edward Snowden reveal that the US is paying UK’s GCHQ to gather data on US citizens and share it with the NSA – although warrantless “wiretapping” of citizens is illegal, the UKUSA Agreement offers a workaround to do it anyway.

Born out of the Atlantic Charter in 1941 (formalized as the BRUSA Agreement in 1943), initially, the Five Eyes had the objective of monitoring the Soviet Union and its allies. However, as the political landscape changed, so did the alliance’s targets and powers. Crucially, there has been a steady shift towards the collection of private communications (particularly during the “War on Terror”).

9-Eyes alliance

The Nine Eyes is an extension of the FVEY and consists of the following countries:

5-Eyes states +

• Denmark
• France
• Netherlands
• Norway

Little is known about how the rights and responsibilities differ between 9-Eyes and FVEY countries. However, it’s clear that these additional states are not exempt from surveillance within the alliance.

14-Eyes alliance

The Fourteen Eyes are a further extension of the UKUSA Agreement, known as the SIGINT Seniors Europe (SSEUR). The countries belonging to it are:

9-Eyes states +

• Belgium
• Germany
• Italy
• Spain
• Sweden

Again, this is a group of states adjacent to the 5-Eyes inner circle. The specific details of the agreement between the 14-Eyes and 5-Eyes are not fully known.

What are third-party contributors?

Aside from the 5-9-14 Eyes country groups, there are other third-party contributors to the UKUSA Agreement alliance. These countries share with and receive intelligence data from the Eyes group, but have fewer rights and responsibilities. 

Among the third-party contributors are countries belonging to NATO (Iceland, Greece, Hungary, Romania, the Baltics and many other European countries), as well as other strategic allies – Israel, Singapore, South Korea, Japan, and more.

How does the 5/9/14 eyes alliance affect your privacy?

The 5/9/14 Eyes alliance is essentially a global surveillance alliance, which has far-reaching implications for personal privacy. The full extent of how much the intelligence agencies in these countries know about you is vague, but Snowden’s leaks and other media stories make it clear that your online activities, phone conversations, and other sensitive information is all fair game.

For example, the global ECHELON program uses communications satellites to intercept your private communications (telephone, computer, fax, etc.), which are then stored and analyzed. Meanwhile, the PRISM program collects the private communications data of US citizens from tech companies like Facebook, Google, and others.

Aside from sharing private communications data cross-border, the Five Eyes countries have been responsible for a wider push to undermine privacy. The most notorious example is the USA PATRIOT Act of 2001, which has allowed an unprecedented level of surveillance on US citizens. But the US (sadly) doesn’t have a monopoly on mass surveillance:

• In 2016, the UK passed the Investigatory Powers Act (affectionately known as the Snoopers’ Charter), giving intelligence agencies the mandate to collect bulk communications data of citizens, and requiring ISPs and telecommunications companies to store data on users
• In 2015, Australia passed a similar law, the Telecommunications (Interception and Access) Amendment (Data Retention) Act. Among other things, it requires ISPs to store user data for a period of 2 years

UKUSA Agreement countries have also pushed for an end to encryption and have advocated other privacy violations in service of “security.”

Why should you avoid the 5 eyes?

ISPs in the West and elsewhere have been doing the dirty work of intelligence agencies and law enforcement for years now. That’s why people have turned to VPN services, private email services, and encrypted messaging apps to reclaim their privacy. Unfortunately, if you’re using a service based in a Five Eyes country, there’s only so much privacy you can get from it.

Five Eyes against end-to-end encryption

In 2018, the Five Eyes nations released a statement saying they would try to force tech companies to provide encryption backdoors. Australia has already followed through with a bill allowing government agencies to force companies to hand over user data and create backdoors if that data is encrypted.

While other alliance nations haven’t followed in Australia’s footsteps yet, they have expressed that intention. For example, US Attorney General William Barr has repeatedly called for a similar bill. And a similar sentiment has been echoed by the UK, Canada, New Zealand, and others.

As such, VPNs or email services based in a Five Eyes country could be forced to provide access to your data, even if it’s encrypted. Needless to say, that may have serious consequences.

US and UK governments force VPNs to hand over user data

VPN service providers in the US and UK have been forced to collect and share user data with law enforcement on at least a few occasions. An important thing to note is that such an order may be accompanied by a gag order, which means you may be unaware of the danger to your privacy until it’s too late.

Here are some examples of that happening:

• IPVanish, a prominent US-based VPN, collected and gave user data to an FBI investigation, despite claiming to operate under a no logs policy in 2016
• Riseup, a US-based VPN/email provider complied with 2 warrants for user data and were prevented from speaking about it until later due to a gag order 
• Lavabit, a US email provider, closed shop after refusing to give agencies encryption keys in 2013. Ironically, the target of surveillance was Edward Snowden
• HideMyAss, a UK VPN provider, collects user data and has given it to the authorities – the company is transparent about this

User data travels between Five Eyes countries

So, let’s imagine you are using a VPN service operated by a UK company. Due to the Snoopers’ Charter, the VPN provider would collect data about you and share it with the UK government when necessary. Yet the problem doesn’t end there.

Due to the UKUSA Agreement, your data may end up in the hands of an intelligence agency in the US, Australia, Canada, or some other party to this treaty.

Those arguing for security over privacy often ask why anyone would care about being watched if they have nothing to hide. The Five Eyes topic is a great illustration because the idea of some foreign intelligence agency knowing your browsing habits feels completely outlandish. Yet the truth is governments are not as benevolent they seem, and they might get a lot worse in the future. One need look no further than the social credit system in China to understand how.

Most popular cybersecurity services based in 5 eyes nations

The Five Eyes states are some of the most technologically developed in the world. Naturally, they are home to many cybersecurity businesses, including VPN services, password managers, encrypted email services, secure messaging app developers, and more.

Just because these services operate from within the US, UK, or elsewhere in the Five Eyes doesn’t necessarily mean they’re bad. With that said, if you don’t want to take your chances (however slim they may be), keep these in mind.

5-Eyes VPNs: Private Internet Access, IPVanish, TorGuard, Windscribe, HideMyAss

VPNs are a very popular tool in the Five Eyes, and the US in particular. It’s no surprise that these countries are home to some of the most prominent VPN providers. 

3 of these (PIA, IPVanish, and TorGuard) are based in the US and of these, PIA certainly has a great reputation among casual users and privacy advocates alike. Why is that?

Well, Private Internet Access has always been adamant about not keeping any user data. Unlike everyone else, however, PIA has been tested in court on several occasions. Proving their no-logs policy in the wild is a powerful statement in the VPN industry – better than any marketing promise.

Unfortunately, some on this list don’t have PIA’s reputation. IPVanish has been caught logging in the past (albeit this was under a different owner), whereas HideMyAss has to collect user data by law.

5-Eyes private email services: Hushmail, Thexyz

Email services may even be more sensitive than VPNs when it comes to privacy. It’s fortunate, then, that there are few email services operating from Five Eyes countries. Hushmail and Thexyz are 2 of the most prominent ones – both Canadian.

Of these two Hushmail is the one to look at in more detail. In 2007, the company handed over 12 CDs of emails to the FBI. To quote Wired, the FBI made Hushmail “store the suspects’ secret passphrase or decryption key, decrypt their messages and hand [the emails] over.” Granted, this isn’t specifically related to the UKUSA agreement, but it goes to show the privacy issues in Five Eyes countries as well as the level of cooperation between them.

There are also plenty of email services operating out of the 14-Eyes countries, including:

• Tutanota (Germany)
• CounterMail (Sweden)
• Posteo (Germany)
• Mailbox.org (Germany)
• StartMail (Netherlands)
• Runbox (Norway)
• Mailfence (Belgium)

Harkening back to themes mentioned earlier in this article, Tutanota has been ordered by a regional court to implement encryption backdoors. The company is fighting several such requests at the moment.

You may also like to read: The most secure email providers

5-Eyes encrypted messaging services: WhatsApp, Signal, Wickr

Similarly to emails, there aren’t so many encrypted messaging services based in Five Eyes countries. However, some of the most prominent ones are: WhatsApp is the most popular app in the category and it’s owned by Facebook.

With what we know about the UKUSA Agreement, this is a huge red flag because of PRISM. According to the Snowden leaks, the NSA has a surveillance program to collect communications data from US tech companies, including Facebook (and therefore, WhatsApp as well).

Also, in 2018, the FBI were able to decrypt WhatsApp and Signal messages on Donald Trump’s lawyer Michael Cohen’s phone – make of that what you will.

Surveillance systems of the 5-Eyes alliance

The Five Eyes alliance operates various surveillance systems, some of which we know very little about. However, the media has discussed a few of these systems (or programs) quite a bit. For example:

• ECHELON

Probably the oldest Five Eyes surveillance system, with origins in the Cold War. ECHELON was formally established in 1971 with the objective of intercepting the communications of the Soviet Union and other Soviet bloc countries.

• PRISM

One of the newer and more troubling Five Eyes surveillance systems, PRISM was established in 2007. Its purpose is to collect communications data from large tech companies, including Microsoft, Yahoo!, Google, Facebook, and others.

• XKeyscore

Another relatively new Five Eyes system with the objective of internet surveillance. Edward Snowden paints XKeyscore as the be-all and end-all tracking system that lets the NSA read any online communication and know the location of any smart device.

FAQ