The Five Eyes is an intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand, formalized by the 1946 UKUSA Agreement. The Nine Eyes adds Denmark, France, the Netherlands, and Norway. The Fourteen Eyes further adds Germany, Belgium, Italy, Spain, and Sweden. Each tier represents a different level of cooperation in sharing signals intelligence. In VPN terms, jurisdictions outside these alliances — like Switzerland, Panama, and the British Virgin Islands — are often preferred. But here's the honest truth: a properly built no-logs VPN is privacy-protective regardless of jurisdiction, because there is nothing for any government to obtain. Jurisdiction matters; a strong product matters more.
- Why this comes up in every VPN conversation
- What the Five Eyes is
- What the Nine Eyes is
- What the Fourteen Eyes is
- All the countries, at a glance
- What the alliances actually do
- A short history
- Beyond Fourteen Eyes
- Does this matter for VPN users?
- Jurisdiction vs server location
- Five common misconceptions
- The "privacy-friendly" jurisdictions
- Your jurisdiction checklist
- How OllaVPN thinks about jurisdiction
- Frequently asked questions
Spend any time reading about VPNs and you'll quickly run into a phrase that sounds vaguely ominous: the Five Eyes. Or maybe its more comprehensive cousins, the Nine Eyes and the Fourteen Eyes. Most VPN marketing pages reference them. Most don't quite explain what they are.
This guide does. Written plainly, with respect for your time. We'll cover what the alliances actually are, what they actually do, what's legitimately worth thinking about as a VPN user, and — equally important — what's overstated. The goal is to leave you with a clear, balanced understanding that no marketing page will give you.
Why this comes up in every VPN conversation
The simple reason this topic comes up so often: a VPN provider is subject to the laws of the country where it's incorporated. If a government in that country can compel the VPN to share data — or to do so secretly without telling its users — that data could then be shared with allied governments under treaty arrangements like the Five Eyes.
This is why "where is the VPN based?" is a standard question in any thoughtful privacy comparison. It's also why several of the most respected privacy VPNs are deliberately based outside these alliances: ProtonVPN (Switzerland), NordVPN (Panama), ExpressVPN (British Virgin Islands), Mullvad (Sweden — inside Fourteen Eyes but with a deliberately minimal-data posture). You can read more about how this plays out in practice in our Mullvad vs ProtonVPN comparison.
What the Five Eyes is
The Five Eyes — sometimes written FVEY — is an intelligence alliance between five English-speaking countries:
- United States
- United Kingdom
- Canada
- Australia
- New Zealand
It originated as the BRUSA Agreement between the US and UK in 1943, during the Second World War. After the war, this became the UKUSA Agreement in 1946. Canada joined the arrangement in 1948, with Australia and New Zealand joining in 1956. The alliance was kept secret from the public for decades — its existence was not formally acknowledged by the UK government until 2010.
The Five Eyes is the most formal and most integrated of the Eyes alliances. Cooperation between member intelligence agencies — the NSA in the US, GCHQ in the UK, CSE in Canada, ASD in Australia, and GCSB in New Zealand — is deep, ongoing, and covers signals intelligence (SIGINT), satellite intelligence, and aspects of human intelligence as well.
What the Nine Eyes is
The Nine Eyes extends the Five Eyes by adding four more European countries:
- Denmark
- France
- Netherlands
- Norway
The Nine Eyes is less formally structured than the Five Eyes core. It's better understood as a working level of cooperation — a circle of countries that share intelligence on specific topics, rather than a single unified treaty arrangement. The grouping became publicly known largely through documents disclosed by Edward Snowden in 2013.
What the Fourteen Eyes is
The Fourteen Eyes is the widest of the named alliances. It adds five more countries to the Nine Eyes group:
- Germany
- Belgium
- Italy
- Spain
- Sweden
The Fourteen Eyes has a formal name: SIGINT Seniors Europe (SSEUR). It was established in the late 1980s and has been particularly focused on signals-intelligence cooperation across Western Europe, including counterterrorism work after the September 11, 2001 attacks. It is the broadest of the three Eyes groupings most commonly mentioned in VPN privacy discussions.
All the countries, at a glance
Here's the full picture in one place. The Five Eyes is the innermost circle; each subsequent ring adds countries on top of the previous one.
| Alliance | Member countries |
|---|---|
| Five Eyes (FVEY) | United States United Kingdom Canada Australia New Zealand |
| Nine Eyes | United States · United Kingdom · Canada · Australia · New Zealand Denmark France Netherlands Norway |
| Fourteen Eyes (SSEUR) | USA · UK · Canada · Australia · NZ · Denmark · France · Netherlands · Norway Germany Belgium Italy Spain Sweden |
Red highlighted countries are the new additions at each tier. The Fourteen Eyes is, in effect, a near-comprehensive map of major Western democracies.
What the alliances actually do
This is where many marketing pages get carried away. Let's be precise.
The Eyes alliances are not a unified surveillance apparatus that monitors everyone in member countries. They are cooperation frameworks — treaties and informal agreements that govern how member intelligence agencies share information they collect through their own legal processes.
What they enable, in practice:
- Sharing of signals intelligence (SIGINT) — intercepted communications, metadata about who-talks-to-whom, and similar electronic surveillance data.
- Joint operations on shared targets — terrorism investigations, organized crime, foreign-intelligence threats.
- Mutual assistance with technical capabilities — sharing decryption advances, surveillance technology, and methodology.
- Reduced political friction when one member needs data the other already has — formal request processes are smoother between allies than between non-allies.
What they do not do:
- They don't constitute a single agency reading everyone's email.
- They don't mean every country in the alliance shares everything with every other country — much intelligence is bilateral, not multilateral.
- They don't override domestic law. A VPN provider in the UK still has to respond to UK legal processes, not to direct requests from the US (which would typically have to be routed through a UK legal process).
The honest summary: the alliances are real, they matter for some user threat models, and they're nothing like the cinematic picture some VPN ads imply.
A short history
Beyond Fourteen Eyes — the wider picture
The Five Eyes, Nine Eyes, and Fourteen Eyes are the formal named tiers. The reality of international intelligence cooperation extends well beyond them.
- Five Eyes Plus arrangements reportedly extend cooperation to additional countries on specific topics. Israel, Japan, South Korea, and Singapore are often mentioned in this context.
- SIGINT Seniors Pacific is the Pacific counterpart to SSEUR, with additional Asia-Pacific partners.
- The Quintet of Attorneys General (US, UK, Canada, Australia, New Zealand) is a Five Eyes-aligned legal cooperation framework.
- Bilateral agreements — most actual intelligence cooperation happens through pairs of countries with specific treaties, rather than through named multilateral groupings.
For practical purposes as a VPN user, the named alliances are still the most useful framework. The wider picture is mainly relevant if your threat model includes specific state actors and you want a very deep dive.
Does this matter for VPN users?
This is the honest, balanced answer that most "Eyes" articles avoid. Let's break it down.
When jurisdiction matters more
Jurisdiction matters most when a VPN does retain user data — connection logs, IP-mapping records, session timestamps, browsing history. If the data exists, the question of who can legally compel its disclosure becomes important.
It also matters more for users with specific high-risk threat models — journalists protecting sources, activists in restrictive networks, business travelers carrying sensitive information through hostile jurisdictions. For these users, choosing a VPN incorporated outside the Five Eyes is a sensible additional layer.
When jurisdiction matters less
For most users, the practical privacy difference between a Switzerland-based VPN and a Canada-based VPN — assuming both run audited no-logs policies on RAM-only infrastructure — is small. There is little to disclose in either case, because there is little to keep.
Several highly respected privacy-focused VPNs are based in Five or Fourteen Eyes countries and remain trustworthy precisely because their data-minimization posture matters more than their jurisdiction. Mullvad (Sweden — in Fourteen Eyes) is one of the most privacy-respected VPNs in the world. Windscribe (Canada) is in the Five Eyes core but maintains a strong privacy track record. Private Internet Access (US) has been audited and has track record of resisting legal demands.
The principle: a provider can't disclose what it doesn't have. That's a stronger guarantee than jurisdiction alone.
Jurisdiction vs server location — they're not the same thing
This distinction trips up a lot of readers, and it's worth being explicit about.
- Jurisdiction is where the company is incorporated. Switzerland, Panama, BVI, Sweden, etc. Determines what laws the company itself must obey.
- Server location is where individual VPN servers are physically or virtually located. A company based in Switzerland might run servers in fifty countries.
When you connect to a Switzerland-based VPN's New York server, you are routing your traffic through New York. That traffic is subject to US server-location law for as long as it exists on those servers. But — and this is the important part — if the VPN runs a no-logs policy on RAM-only servers, the server-location matters less than people think, because nothing persists. The encrypted traffic is in transit, processed, and forgotten.
For users who want to be especially careful, the strongest posture combines company jurisdiction outside Five Eyes + RAM-only server infrastructure regardless of location + audited no-logs policy + strong encryption. That's belt and suspenders — and it's what the most privacy-conscious VPNs aim for.
Five common misconceptions about the Eyes alliances
"VPNs based in Five Eyes countries are unsafe."
Untrue as a blanket statement. A no-logs VPN with strong technical practices can be highly privacy-protective regardless of jurisdiction. The "no logs to hand over" posture is what really protects you. Several highly respected privacy VPNs are based in Five or Fourteen Eyes countries.
"The Five Eyes share everything with each other automatically."
Untrue. Intelligence sharing within Five Eyes is selective and based on specific agreements. Member countries don't dump all their data into a shared pool. Much intelligence cooperation is bilateral rather than multilateral, and each country still operates under its own legal framework.
"If I use a VPN, the Five Eyes can't see my traffic at all."
Misleading. A VPN encrypts your traffic between your device and the VPN server. After that, your traffic exits to its destination in the normal way. Surveillance at the destination side, or at the website you're visiting, is unaffected by your VPN. What the VPN reliably hides is your IP address and your specific browsing activity from anyone watching your local network.
"Switzerland is completely safe from intelligence cooperation."
Partial truth. Switzerland is outside the Five and Fourteen Eyes, and it has strong privacy laws. But Switzerland cooperates with other governments through ordinary diplomatic and legal channels, and Swiss intelligence has its own interests. The benefit of Swiss jurisdiction is real, not absolute.
"The Eyes alliances mean a VPN in those countries will spy on me."
Untrue. The alliances are about government intelligence cooperation. A VPN company in a Five Eyes country isn't part of the intelligence apparatus and doesn't proactively monitor users. The relevant concern is whether the company could be compelled to share data it has — which loops back to the no-logs question, not directly to the alliances themselves.
The "privacy-friendly" jurisdictions
If you do want to factor jurisdiction into your VPN choice — and we think it's a reasonable thing to consider, just not the only thing — these are the jurisdictions most commonly cited as privacy-friendly for VPN providers.
- Switzerland — outside Five and Fourteen Eyes, strong personal-privacy laws, long tradition of bank secrecy and data protection. Home to ProtonVPN, PrivadoVPN, and others.
- Panama — outside Five and Fourteen Eyes, no mandatory data-retention laws for VPN providers. Home to NordVPN.
- British Virgin Islands — outside Five and Fourteen Eyes, requires data requests to be processed through formal legal channels. Home to ExpressVPN.
- Iceland — outside the Eyes alliances, with relatively strong privacy laws. Less commonly chosen by major VPNs but considered favorable.
- Romania — EU member but historically resistant to mandatory data-retention requirements. Home to several privacy-focused services.
The point isn't that other jurisdictions are bad — many aren't. The point is that these are jurisdictions where the legal environment tilts a little further in the user's favor by default.
Your jurisdiction checklist
If you want to evaluate a VPN's jurisdiction story honestly, here's the framework.
The four questions that actually matter
- Does the VPN run an audited no-logs policy? This is the most important question. A no-logs provider has little to hand over regardless of jurisdiction.
- Where is the company legally incorporated? The country whose laws govern the company. Outside Five/Fourteen Eyes is a small additional safeguard.
- Does the company use RAM-only diskless servers? Servers that store no data on disk dramatically reduce the practical impact of any legal demand.
- Has the company been tested under real legal pressure? A company that has actually faced a demand and successfully demonstrated it had no data to hand over is more reassuring than one that has only made the claim.
If a VPN passes all four, jurisdiction becomes a minor footnote. If it fails some, jurisdiction matters more.
How OllaVPN thinks about jurisdiction
Our position on this whole question is straightforward: the strongest privacy posture is to have nothing worth sharing in the first place. Jurisdiction is a meaningful factor, but it's not the primary factor — and the privacy industry has historically over-weighted it relative to product fundamentals.
OllaVPN's approach reflects that view:
- A no-logs policy means there is essentially nothing for any government to obtain through any legal process, regardless of jurisdiction.
- An always-on kill switch means the connection fails closed — your traffic doesn't leak even briefly during reconnects.
- Post-quantum cryptography from day one, on every connection including the lifetime free plan, protects against the "harvest now, decrypt later" threat — the encrypted traffic captured today that adversaries hope to decrypt years from now.
- DNS is handled inside the encrypted tunnel by default — see our DNS leak guide for what that means.
- Free for life — privacy upgrades worth having shouldn't be paywalled.
OllaVPN — built around the things that actually matter:
Try OllaVPN free — no card, no email required.
A broader-context closing thought
One pattern we've noticed across every privacy-and-networking topic we cover: the gap between what most users believe about a given topic and what the technical reality is keeps widening. Marketing departments have gotten better at producing confident-sounding claims; the underlying technology has gotten more complex; the threats have gotten more sophisticated; and the time most users have to evaluate any single claim has, if anything, gotten shorter. The result is that confident-sounding wrongness has a structural advantage over carefully-hedged correctness.
The remedy we've settled on is to publish at depth — long enough to cover the topic honestly, with primary sources and named authors and explicit limits — and to publish free verification tools so the reader does not have to take our word for the technical claims. Both are choices that don't optimise for "users who skim and click." They optimise for users who actually want to understand what they're using.
If you've read this far, you're in the second group. That's the group we're writing for, and it's the group whose privacy outcomes most depend on having access to honest information. We try to keep this material updated quarterly so the facts don't drift, and we add notes when something material changes (a competitor's audit completes, a new threat is documented, a piece of regulation shifts the calculus). The main free-VPN comparison, the technology overview, and the free privacy tools are the three pages most worth bookmarking from the OllaVPN site if you've found this guide useful.
Verify and cross-reference
For any claim on this page that affects a decision you're about to make, the verification path we recommend:
Verify the technical claim from your own device. Our DNS lookup, WebRTC leak test, what-is-my-IP, and the other tools at our tools page are free, require no account, and run entirely in your browser. Most claims about VPN behavior can be verified from your own device in under fifteen minutes using these tools.
Cross-reference at least one third-party source. We are an operator with a commercial interest in the conclusion. The most reputable independent voices in the privacy-VPN category in 2026 are Mullvad's blog (technical depth without sales pressure because they don't run affiliate programs), the Privacy Guides project documentation, the Restore Privacy site, and the academic literature on consumer VPN security (the canonical paper is Ikram et al. 2016, "An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps," in ACM IMC). Read across multiple sources before forming a strong view.
Read the primary sources where they exist. Government regulations, NIST publications, IETF RFCs, and court rulings are primary sources. Vendor marketing pages and most commentary pieces are derivatives. When a claim is specific enough to have a primary source (a specific regulation, a specific standard, a specific court case), find the primary source and read it yourself rather than relying on summaries.
Update your view when the facts update. Privacy concerns shift, operators change, standards evolve. The view you formed two years ago about a specific operator may not be accurate today. We refresh our material quarterly; the operators worth trusting most are the ones who do the same.
Why this topic matters beyond the immediate question
The topic above sits at the intersection of several broader concerns that are worth understanding even if your immediate question has been answered:
The privacy-tooling category has matured rapidly. What was leading-edge in 2020 is table stakes in 2026. Standards have finalized (NIST PQC, RFC 9116 security disclosure, the IETF MASQUE work), jurisdictions have clarified (post-CERT-In, post-DSA, post-Investigatory Powers Act), and a clear trustworthy/untrustworthy line has emerged in the consumer VPN category specifically. Decisions you make today should reflect the 2026 state of the market, not the 2020 state.
The threat landscape has shifted. Bulk traffic capture by intelligence services is well-documented and continuous. The "harvest now, decrypt later" threat against captured-today-decrypted-tomorrow ciphertext is operational, not theoretical. ISP-level metadata sales to advertising data brokers are routine in the US. Geo-blocking and censorship are both more sophisticated and more widespread. The tools that defended you adequately five years ago may not be adequate now.
The user has more power than ever — if they use it. Strong free privacy tools exist in every category. The question is whether the user knows about them, knows how to verify they actually work, and is willing to take the small additional steps required. We try to make the verification path as short as possible because users who can verify are users who can choose well.
What to actually do about it
If the topic above suggests you should take action, the practical next steps in priority order:
Pick a trustworthy VPN and start using it by default. Even on the free tier. The threat model on every internet-connected device benefits from VPN coverage, and a free VPN you can trust is materially better than no VPN. Our best free VPN 2026 guide compares the trustworthy options across platforms.
Run a privacy-properties check on your current setup. Even if you already use a VPN, run our DNS lookup, WebRTC leak test, and what-is-my-IP tools while connected. The results tell you whether your current VPN is actually delivering the privacy properties it claims.
Update your threat-model evaluation periodically. Privacy concerns shift. The tools and operators that were appropriate three years ago may need re-evaluation now. Quarterly is a reasonable cadence for non-targeted users; monthly is appropriate if you're in a higher-risk situation.
Combine layers. No single tool covers the full threat surface. VPN + privacy-respecting browser + tracker blocker + password manager + virtual cards + careful account hygiene — together they're materially better than any one alone. Each layer is cheap (most are free); the compound effect is large.
About this guide
Maintained by Nathan Pratt, OllaVPN's Privacy & Security Lead. Fact-checked by Hannah Wu, Senior Security Engineer. We refresh this post quarterly so its facts, recommendations, and competitor comparisons stay accurate as the category evolves. The last full re-evaluation was 23 June 2026; the next is scheduled for September 2026.
If you spot a fact that's drifted or an addition we should make, email guides@ollavpn.com. Reader corrections drive a meaningful percentage of our quarterly updates.
What to remember from this guide
- Why this comes up in every VPN conversation
- What the Five Eyes is
- What the Nine Eyes is
- What the Fourteen Eyes is
- All the countries, at a glance
Frequently asked questions
What are the Five Eyes, Nine Eyes, and Fourteen Eyes?
They are concentric intelligence-sharing alliances between governments. The Five Eyes (USA, UK, Canada, Australia, New Zealand) is the original and most formal, established by the 1946 UKUSA Agreement. The Nine Eyes adds Denmark, France, the Netherlands, and Norway. The Fourteen Eyes — formally known as SIGINT Seniors Europe — further adds Germany, Belgium, Italy, Spain, and Sweden.
Should I avoid VPNs based in Five Eyes countries?
Not necessarily. Jurisdiction is one factor among several, and a well-implemented no-logs policy matters more in practice. Several highly respected VPN providers are based in Five Eyes countries — TunnelBear and Windscribe in Canada, Private Internet Access in the US — and they remain trustworthy because they don't store the data anyone could compel them to hand over.
Which countries are in the Five Eyes alliance?
The Five Eyes consists of the United States, United Kingdom, Canada, Australia, and New Zealand. The alliance grew out of the BRUSA Agreement of 1943 and was formalized as the UKUSA Agreement in 1946.
Which countries are in the Nine Eyes alliance?
The Nine Eyes is the Five Eyes plus Denmark, France, the Netherlands, and Norway. It is a less formal expansion focused on signals intelligence sharing.
Which countries are in the Fourteen Eyes alliance?
The Fourteen Eyes — formally SIGINT Seniors Europe (SSEUR) — comprises the Nine Eyes countries plus Germany, Belgium, Italy, Spain, and Sweden.
What can the Five Eyes alliances actually do?
The Eyes alliances enable member governments to share signals intelligence — intercepted communications, metadata, and other electronic surveillance data. They do not constitute a single shared spying organization. Each member country operates its own intelligence services under its own laws but cooperates on data sharing.
Does VPN jurisdiction really matter?
It matters less than people often think, and more than VPN marketing often admits. Jurisdiction determines what legal demands a VPN provider could face. If the provider has nothing to hand over — because it doesn't log activity and uses RAM-only servers — the practical impact of jurisdiction is small.
Are there other intelligence-sharing arrangements beyond Fourteen Eyes?
Yes. The "Five Eyes Plus" arrangement reportedly extends cooperation to Israel, Singapore, South Korea, and Japan on certain topics. Most intelligence cooperation occurs through bilateral agreements that aren't part of any named multilateral grouping.
Which countries are considered privacy-friendly for VPN providers?
Switzerland, Panama, the British Virgin Islands, and Iceland are often cited because they are outside the Five and Fourteen Eyes structures, lack mandatory data-retention laws for VPN providers, and have strong personal-privacy protections.
Does OllaVPN keep logs that could be shared under any of these alliances?
No. OllaVPN runs a no-logs policy and is designed so that there is essentially nothing to hand over under any government data request, regardless of jurisdiction. Combined with post-quantum cryptography and an always-on kill switch, that's the practical posture that matters more than which country the company is registered in.