While there are privacy concerns with the other countries in the greater 14 Eyes alliances, the big one to avoid is the Five Eyes. Therefore, when data security is critical, simply avoid the Five Eyes: US, UK, Canada, Australia, and New Zealand.
Some people say concerns about these surveillance jurisdictions are overblown or misguided, and that it really doesn’t matter. You often hear this argument from VPN companies (and their marketers) that are based in the US or Canada, for example. This line of thinking is misinformed and ignores reality.
There are many examples that prove the real-world risks associated with privacy-focused companies operating in Five Eyes jurisdictions. Here are just a few that we’ve discussed before on RestorePrivacy over the years:
- Riseup, a Seattle-based VPN and email service, was forced to collect user data for government agents and was also hit with a “gag order” to prevent any disclosure to their users. (They also could not update their warrant canary.)
- Lavabit, another US-based email service, was forced to provide encryption keys and full access to user emails. Rather than comply, the owner decided to shut down Lavabit email.
- IPVanish, a US-based VPN service, was forced to collect user data for an FBI criminal investigation. This all transpired while IPVanish was claiming to be a “no logs VPN” — and they could not alert their users to what was happening. (See the IPVanish logs case.)
- HideMyAss, a UK VPN service, was also ordered by a court to collect user data and hand this over to authorities for a criminal investigation. News about this came out after the fact.
VPNs operating in the US, and by extension all of their users, can also be the targets of lawsuits involving copyright infringement. A recent court case involved TorGuard VPN, which was forced to block torrenting on all US servers as part of the settlement agreement. This is why we recommend avoiding US-based VPNs when using a VPN for torrenting.
These are just a few cases that have publicly come to light, but you can be sure there are other examples we don’t even know about.
Secret demands for user data + gag orders = privacy nightmare
As we can see from these examples, when authorities compel businesses to collect and hand over data, they usually serve them with a gag order as well. This is done through National Security Letters and it prevents the business from disclosing any information to their customers.
These laws basically give the government the authority to compel a legitimate privacy-focused company to become a data collection tool for state agencies, without any warning or notification. Even warrant canaries are ineffective in places like the United States.
Ignoring the jurisdiction of a privacy-focused business is foolish and ignores these well-documented risks.
Recommended privacy services (in good jurisdictions)
One of the main purposes of RestorePrivacy is to test, research, and recommend privacy and security tools that meet specific criteria. Given our emphasis on data security and trust, jurisdiction is a key factor we consider.
In terms of jurisdiction, our main concern is avoiding Five Eyes countries. After all, some of the 9 and 14 Eyes countries do indeed have strong privacy laws, especially in comparison to the US and UK.
Secure email outside Five Eyes
Using a secure and private email service in a safe jurisdiction is a no-brainer. Consider this:
- Yahoo was found to be scanning emails in real-time for US surveillance agencies.
- Gmail was found to be giving third parties full access to user emails and also tracking all purchases via receipts in your inbox.
- Advertisers were allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
Alternatives – Here are some of our favorite secure email services that we tested:
- Mailfence review (Belgium)
- Tutanota review (Germany)
- ProtonMail review (Switzerland)
- Mailbox.org review (Germany)
- Posteo review (Germany)
- Runbox review (Norway)
- Countermail website (Sweden)
- KolabNow website (Switzerland)
- Startmail website (The Netherlands)
All of our email reviews are here.
Best VPNs outside the Five Eyes
As mentioned above, internet service providers are actively collecting data for government agencies around the world. They do this by either actively snooping on connections or simply recording all your DNS requests. Additionally, advertisers and other third parties will track and record your online activity that is tied to your unique IP address.
A good VPN service is absolutely essential for basic online privacy, especially when ISPs are logging everything. A VPN encrypts all your traffic between your computer/device and the VPN server you are connected to. Not only does this make your traffic and online activities completely unreadable to your ISP and other third parties, it also hides your IP address and location.
Here are the best VPN services that are located outside of the Five Eyes countries:
- NordVPN (Panama) – see our NordVPN review
- Surfshark (The Netherlands) – see our Surfshark VPN review
- ExpressVPN (British Virgin Islands) – see our ExpressVPN review
- VPN.ac (Romania) – see our VPN.ac review
- VyprVPN (Switzerland) – see our VyprVPN review
- Perfect Privacy (Switzerland) – see our Perfect Privacy review
- OVPN (Sweden) – see our OVPN review
- TrustZone VPN (Seychelles) – see our TrustZone VPN review
- ProtonVPN (Switzerland) – see our ProtonVPN review
We do our best to keep the VPN reviews updated to reflect the latest test results, company changes, and new features.
Note: Some people are worried about logs and data collection with VPNs. Fortunately, there are a few verified no logs VPNs that have undergone independent audits to confirm their no-logs policies:
- NordVPN was audited by PwC AG in Zurich, Switzerland to confirm essential privacy-protection measures and the no-logs policy. NordVPN has committed to annual third-party audits, while also undergoing independent security audits and penetration testing carried out by VerSprite.
- ExpressVPN has been audited twice by PwC to verify its no-logs policy. Additionally, ExpressVPN has passed security audits conducted by Cure53.
- VyprVPN underwent a no-logs audit carried out by Leviathan Security a few years ago.
Private search engines outside Five Eyes
Most of the big search engines, such as Google, record all your search queries and then link this to your identity and data profile, so you can be hit with targeted ads. Unless you want to give Google and its partners all your search activities, consider using alternatives.
Here are some private search engines you may want to consider:
There are a few search engines based in Five Eyes countries that we still recommend. These include:
- DuckDuckGo (United States)
- Mojeek (United Kingdom)
- Brave Search (United States)
For additional tools and tips, see the main privacy tools page.
Trust and jurisdiction
In the end, jurisdiction is just one of many factors to consider when selecting reliable privacy tools for your unique needs. How much it matters depends on your own circumstances, particularly your threat model and the types of adversaries you are looking to protect yourself against.
For those seeking higher levels of privacy and security, jurisdiction is indeed important, especially when you consider the growing power of governments to force companies to hand over data and log users.
Trust is also a major factor you should consider. After all, a VPN can operate in a “good” overseas jurisdiction, yet still lie to customers and provide data to government agencies. Take for example PureVPN, a “no logs” service based in Hong Kong that gave US authorities connection logs for a criminal case.
This is where trust is key. Fortunately, to strengthen trust, more privacy-focused businesses are undergoing independent audits and third-party verifications. In addition to the VPN audits we mentioned above, we also see this trend with password managers and occasionally with secure email services.
Are these the only international intelligence alliances?
Most definitely not. In addition to the Five Eyes (FVEY), Nine Eyes, and 14 Eyes (SIGINT Seniors Europe), there are other organizations we know of. Examples include the SIGINT Seniors Pacific, the Quadrilateral Security Dialogue (the Quad), and the Club de Berne. There may also be other such organizations that we still don’t know about.
Will Japan become a “Sixth Eye”?
Japan has publicly suggested that they would like to work more closely with the Five Eyes, and perhaps some day become a Sixth Eye. As of now it appears to be only talk, but growing tension between Japan and China seems to be moving Japan toward ever stronger connections with the Five Eyes countries. Only time will tell if we’ll be talking about Six Eyes instead of Five Eyes soon.
Conclusion: Use services operating in safe jurisdictions for 2023
The Five Eyes is the most powerful surveillance alliance in the world. While it arguably works well to protect its member countries (USA, UK, Canada, Australia, and New Zealand), it makes those countries less than ideal jurisdictions for pro-privacy companies and products.
Ultimately, we also need to acknowledge that everyone has different needs, use cases, and threat models. This means that selecting products and services is a very subjective matter, and only you can find the best fit for your needs.