The "14 Eyes" Alliance vs VPN.

[Fixxx]

The VPN provider market is a jungle where competing companies fight for customers using all possible marketing arguments, including misleading users. One example of this is the so-called problem of the "5 (9, 14) Eyes" intelligence alliances and how VPNs can protect users from them. The 5 Eyes, 9 Eyes and 14 Eyes are real international alliances for mass surveillance, consisting of 5, 9, and 14 Western countries, respectively, along with partner satellite countries. Through agreements at the core of these alliances, the intelligence agencies of developed countries form a unified surveillance and control machine over almost any communication activity of people in their countries and around the world, including all types of online communications.

The "5 Eyes" Alliance

​

• United States
• United Kingdom
• Canada
• New Zealand
• Australia

The "Five Eyes" (FVEY) alliance grew out of a secret security agreement between the US and the UK known as UKUSA (United Kingdom - United States of America), signed in 1946. The idea of the agreement was to ensure seamless exchange of SIGINT (signals intelligence) among Cold War ally countries. This agreement remained a secret from the public until 2005. Currently, the main goal of the alliance is to monitor online activity. If the laws of some countries don't allow intelligence agencies to dig into the internet activities of their citizens, they can simply ask colleagues from other countries to do the dirty work for them. For example, the UK was caught doing just that: they requested all data collected by the US National Security Agency (NSA) about residents of the United Kingdom. Why has the "Five Eyes" been kept hidden from the public for so long? We still don't know the full story and the true extent of information gathering within the alliance. However, we can confidently assume that the US and its allies within it have been and are engaged in detailed surveillance and intrusion into private information to a degree that wouldn't be appreciated by many voters. It almost certainly includes the use of ECHELON, STONEGHOST, PRISM and various other surveillance systems for electronic communications worldwide. The "Five Eyes" don't operate alone: the alliance has a number of satellite partners that enhance its intelligence-gathering capabilities:

• Israel
• Singapore
• Japan
• South Korea
• British Overseas Territories

Israel closely collaborates with the US, providing and requesting secret information about persons of interest and has its own thriving IT sector where cybersecurity is a primary area of growth. Some of the most powerful developments that allow hacking into almost any smartphone simply by knowing the victim's phone number originate from there. Other satellites of the "Five Eyes" include Asian countries such as Singapore, Japan and South Korea. All of them have been under US influence since the Cold War and have intelligence-sharing systems with Washington. The same applies to British Overseas Territories such as Bermuda or the Cayman Islands.

The "9 Eyes" Alliance

​

• Countries of the 5 Eyes +
• Denmark
• France
• Norway
• Netherlands

Essentially, the 9 Eyes network is an extended version of the 5 Eyes, but how formalized and strong its structures are is publicly unknown. The main reason we can even discuss this is due to one person: Edward Snowden. By revealing his revelations about the NSA back in 2013, Snowden lifted the veil on the global surveillance structures of the NSA, confirming the existence of the "5 Eyes" list. Former NSA employee Edward Snowden described the "Five Eyes" as "a supranational intelligence organization that is not subject to the known laws of its countries". An interesting fact: the "Nine Eyes Committee" was a fictional agreement underlying the villainous plan of the penultimate James Bond film "Spectre". Many people who saw this film still don't know that, unlike other villainous projects in the Bond franchise, this one is merely a modest, even understated reflection of reality.

The "14 Eyes" Alliance

​

• Countries of the 5 and 9 Eyes +
• Germany
• Belgium
• Sweden
• Spain
• Italy

This alliance also directly emerged from Cold War and NATO structures, known as the SIGINT Seniors Europe grouping, but differs in having a weaker integration of intelligence data exchange than among the core five countries. Members of the extended fourteen-country alliance don't have the same privileges as FVEY: the core five countries have access to all intelligence information from the 14 countries and satellite partners, but not all information from the "Five Eyes" is available to the rest of the alliance. According to Snowden, the countries of the "Five Eyes" are not supposed to spy on each other: the US should not eavesdrop on phone calls during UK government meetings and Australian ministers should have the right to use the internet without the NSA tracking their actions. However, this doesn't apply to the participants of the 9 and 14 Eyes - hence the diplomatic scandals triggered by Snowden's revelations, such as the Americans spying on then-German Chancellor Angela Merkel. After allegations emerged in 2015 that the NSA was spying on German government meetings, Germany demanded broader access to intelligence data. In response to the unequal relationships within the "14 Eyes", countries in the extended alliance are beginning to develop their own solutions. In August 2018, Germany announced a major cybersecurity initiative modeled after the American DARPA, aimed at establishing digital independence from the US/UK. In recent years, there has also been a rise of "pirate parties" in countries like Sweden, which prioritize digital freedom and privacy, making governments less inclined to strengthen their ties with organizations like the NSA.

Capabilities and Tools of Intelligence Agencies​

Intelligence agencies in all countries engage in SIGINT (signals intelligence) to varying degrees. If you are using a VPN server and thus an exit point to the internet in one of the "Eyes" countries, then you are likely a potential "victim" of SIGINT activities in that country. For example, the Federal Intelligence Service of Germany (BND) openly states this on its website:

Whether it's satellite or wired communication, email or voice transmission over IP - the spectrum of electronic communications is broad and constantly changing. Nevertheless, the most modern technology for collecting and filtering data streams worldwide ensures that the BND receives exactly the information it needs to fulfill its mission.​

In short, the German intelligence claims it has access to any data it needs, regardless of the channels through which it is transmitted - whether satellite or wired communication, email or voice transmission over IP.

Surveillance Systems Used by the Alliance​

We only know about a portion of the systems used to monitor and collect information on citizens. Here are some that have attracted media attention.

ECHELON​

The ECHELON surveillance program was originally created in the 1960s to spy on the Soviet Union and its Eastern Bloc allies that signed the UKUSA security agreement. Now, they are the main countries of the 5 Eyes and ECHELON has significantly expanded beyond its original scope. According to documents released by Snowden, ECHELON systems are capable of intercepting phones, faxes, computers, emails, bank accounts and much more. The computers used for this purpose can store millions of records about individuals.

PRISM​

An American surveillance program that the NSA uses to request user data from technology and telecommunications companies. This information includes almost everything transmitted over the company's network: emails, chat logs, photos, documents, videos, etc. Confirmed companies participating in PRISM include:

• Microsoft
• Yahoo!
• Google
• Facebook
• Paltalk
• YouTube
• AOL
• Skype
• Apple
• Dropbox

To date, the true scale of the PRISM program remains unknown.

XKeyscore​

Another NSA-led program that allows real-time surveillance without a warrant. With XKeyscore, NSA agents can analyze metadata, emails and their content, VoIP, browsing history, and any other internet activity related to a person. The harsh reality of the "alliances" is that we don't know the whole truth about the potential and actual application of mass surveillance by Western governments - primarily the US. It may even be, paradoxically, that we have a much better understanding of the limits of Russian intelligence agencies: on one hand, we know about their constantly expanding capabilities through relevant Russian legislation; on the other, due to the corruption of the Russian system, real data operated by Russian surveillance agencies and intelligence services is constantly leaked for sale on the black market and covered by investigative journalists. Meanwhile, the undoubtedly more powerful and far less "leaky" Western intelligence agencies can operate completely unchecked. The very fact of not knowing even the limits of possible mass surveillance guarantees that intelligence agencies operate beyond what was illuminated ten years ago by Snowden's revelations: if their capabilities are unknown, they cannot be limited. This makes them practically limitless within the realm of what is technically possible. In other words, all methods of mass and individual surveillance that we can imagine are surely being used by Western intelligence agencies - along with a couple of other innovations that we are not even aware of.

Intelligence Alliances and VPN Marketing​

Naturally, such a rich topic as international cooperation among intelligence agencies, which places "under the lid" almost all Western countries and affects all digital communications on the planet, cannot help but be used to promote privacy protection tools like VPNs. Moreover, VPN companies are among the main propagandists of this information. This is, of course, for the good. But at the same time, they also distort the reality of the "Eyes", on one hand exaggerating their threat to ordinary internet users and VPN service consumers and on the other hand misleading about their capabilities to counteract them. Here’s how ExpressVPN describes the "Eyes":

14 Eyes, also known as SIGINT Seniors Europe, refers to a group of 14 countries whose foreign intelligence agencies reportedly exchange military and counter-terrorism information with each other. Since these intelligence services aim to intercept all communications internationally (not just within their national borders), it's unclear whether there is an additional risk associated with using a VPN service from a "14 Eyes" country. However, since the British Virgin Islands is a tiny country with no foreign intelligence operations, they are certainly not a party to any intelligence-sharing agreements of the 14 Eyes. Thus, the British Virgin Islands don't belong to the group of "14 Eyes".​

However, what relevance does the country of registration of a VPN provider have to the mechanisms of digital surveillance if their servers are located in the territories of alliance countries? None at all. This is just another false argument of unethical VPN marketing. Interestingly, ExpressVPN even acknowledges this in their article: "It's unclear whether there is an additional risk associated with using a VPN service from a "14 Eyes country". Nevertheless, they offer VPN servers in all 14 countries of the alliance - perhaps that is the answer. Let’s briefly recall how a VPN works and why some people prefer to use it: you connect to a VPN server in any country of your choice. The data transmission from your computer to this VPN server is encrypted. Then, the traffic is processed by the internet provider in the country where your chosen VPN server is located. A VPN can be used to protect against "man-in-the-middle" attacks. For example, when using a public Wi-Fi connection in an airport or to avoid monitoring of your internet traffic by your internet provider or the country from which you are connecting. Mullvad VPN explains this in their post about Swedish legislation:

"The Law (2008:717) on Signals Intelligence for Military Intelligence Activities. This legislation empowers the Swedish National Defence Radio Establishment to conduct surveillance of cross-border communications (e.g., phone calls and internet traffic). Other countries do the same. To protect electronic messages crossing the Swedish border, consumers can use a VPN service to safeguard their user activity".​

In the example above, you would use a VPN connection to connect to an exit point on the internet in a different country than the one you are in. Again, this has nothing to do with the location of the VPN provider itself. If you connect to a VPN server located in a specific country, you are using the infrastructure of that country (as well as the infrastructure of any country you connect to). Once connected to that country, you become part of the surveillance issue described in the argument above because you are using an internet exit point in that country. It doesn't matter whether the VPN provider is inside or outside the "Eyes" group of countries. Moreover, VPN providers typically don't own their VPN servers. VPN servers are usually rented from various hosting providers around the world. These hosting providers are often the same, as I documented in my blog post last year comparing exit points used by VPN providers. Even if some VPN providers are allowed to deploy their own hardware, they still use the same hosting provider and, therefore, their internet connection.

The False User Problem​

Having delved into the enormous legal and, in a literal sense, unimaginable illegal capabilities of intelligence agencies, it's important to consider this issue from the user's perspective. The argument about total surveillance and the complete transparency of internet traffic is primarily used in marketing aimed at ordinary internet users. From the perspective of the average user, things are not as dire. The fact is that the legislation in Western countries regulates what data intelligence agencies are allowed to share and with whom. For example, in Sweden, the Swedish National Defence Radio Establishment (FRA) cannot automatically pass on SIGINT information to the police. The exchange of information between intelligence agencies and other government departments is limited to information relevant to counter-terrorism when it comes to Sweden's national security.

Yes, we mentioned earlier that intelligence agencies likely operate beyond their legal mandates when gathering information. There's no contradiction here: if they need information, they will obtain it by any legal or illegal means. However, when it comes to sharing information with other government agencies, such as the police - they enter the legal realm and are limited in their capabilities. In other words, intelligence agencies can certainly see what somewhat questionable activities you are engaging in online: piracy, purchasing illegal substances and even worse. But even if this activity violates not only decency but also the law, it doesn't mean that intelligence agencies will take action. They have other priorities and what citizens are up to doesn't concern them, even if they see it, as long as it doesn't cross the line into terrorist activity. This leads to the conclusion that the threat of being caught in the "Eyes" is relevant only for terrorists, not for ordinary internet users. But not because they are not being watched (they are) but because the threshold for them to move from surveillance to action is extremely high for the average user. Thus, this brings us to a somewhat paradoxical conclusion for ordinary users and VPN users in particular:

1. Mass surveillance by intelligence agencies on the internet is real; we don't know its actual limits - even the publicly stated capabilities are extremely broad and in reality, it's quite possible that the internet is practically transparent to intelligence agencies.
2. From the perspective of using a VPN (and, consequently, VPN marketing), this doesn't change anything: the threat of being scrutinized by intelligence agencies depends on the physical location of the server you connect to, regardless of the formal country of registration of your VPN provider or even in the absence of one (if you set up your VPN on a rented server, for example).
3. At the same time, there is no practical difference for the average user as long as their activities, whatever they may be under the cover of a VPN, don't reach the threshold of national security threats - primarily, terrorist threats. In other words, you may be transparent - but that doesn't mean you will be of interest.