Five Eyes, Nine Eyes, 14 Eyes: What UK VPN Users Must Know
International surveillance alliances shape the global privacy landscape — and the UK sits at the very heart of the most powerful one. Here is how these alliances affect your VPN choice and what you can do about it.
What Are the Eyes Surveillance Alliances?
The "Eyes" alliances are international agreements between national intelligence agencies to share signals intelligence — intercepted communications, internet traffic, and electronic data. These are not trade agreements or diplomatic formalities; they are operational intelligence-sharing partnerships that enable member countries to pool surveillance capabilities and, crucially, to collect data on one another's citizens, potentially circumventing domestic legal restrictions on spying on their own populations.
For VPN users, these alliances matter because a VPN provider based in an Eyes country may be subject to government demands for user data, compelled to install backdoors, or served with secret orders that prevent them from disclosing the request. A provider's jurisdiction determines which laws apply and which agencies have authority to compel cooperation.
Five Eyes: The Core Alliance
The Five Eyes alliance is the oldest and most integrated signals intelligence partnership in the world. It comprises the United Kingdom (GCHQ), the United States (NSA), Canada (CSE), Australia (ASD), and New Zealand (GCSB). The arrangement traces its origins to the UKUSA Agreement of 1946, initially a bilateral pact between Britain and America to share intelligence gathered during the Second World War. The other three nations joined over the following decade.
Five Eyes members share intelligence almost without restriction. Edward Snowden's disclosures in 2013 revealed the staggering scale of this cooperation: programmes like PRISM (US), Tempora (UK), and XKeyscore allowed agencies to collect and search vast quantities of internet traffic, email content, social media activity, and phone records. The alliance enables each member to access surveillance capabilities far beyond what any single country could build alone.
Nine Eyes and 14 Eyes: The Extended Network
The Nine Eyes alliance adds Denmark, France, the Netherlands, and Norway to the Five Eyes core. These countries have secondary intelligence-sharing agreements that, whilst not as deeply integrated as Five Eyes, still involve significant cooperation on signals intelligence and surveillance operations.
The 14 Eyes, formally known as SIGINT Seniors Europe (SSEUR), further expands the network to include Belgium, Germany, Italy, Spain, and Sweden. These nations participate in intelligence sharing at varying levels. Whilst the 14 Eyes arrangement is less tightly bound than Five Eyes, member nations can and do share data when mutual interests align — particularly in counter-terrorism, cybercrime, and national security investigations.
How These Alliances Affect VPN Users
When a VPN provider is headquartered in a Five Eyes country, the government can compel that company to hand over user data using legal instruments such as national security letters (US), technical capability notices (UK), or equivalent mechanisms in other member states. Some of these orders come with gag provisions, meaning the provider cannot inform affected users or even acknowledge the order's existence.
A provider with a genuine no-logs policy mitigates this risk substantially — if there are no logs to hand over, a government order yields nothing useful. This has been proven in practice: several VPN providers have had servers seized by authorities and no usable data was recovered. However, a provider in a Five Eyes jurisdiction could theoretically be compelled to begin logging prospectively — to start collecting data on specific users going forward — even if they do not retain historical logs.
The UK's Role in Five Eyes
The United Kingdom is arguably the most significant European member of Five Eyes. GCHQ, headquartered in Cheltenham, is one of the most capable signals intelligence agencies in the world. Its Tempora programme, revealed by Snowden, involved tapping undersea fibre optic cables carrying internet traffic in and out of the UK — collecting content and metadata on a truly massive scale.
The Investigatory Powers Act 2016 provides the legal framework for much of this activity, authorising bulk data collection, equipment interference (government hacking), and compelling companies to assist with interception. For UK internet users, this means your data is not only collected domestically but may also be shared with partner agencies in the US, Canada, Australia, and New Zealand. For a detailed look at how this affects your daily privacy, read our guide to online privacy in the UK.
VPN Jurisdiction Matters: Safe Havens vs Eyes Countries
Privacy-conscious VPN providers have deliberately chosen to incorporate in jurisdictions outside the Eyes alliances, selecting countries with strong privacy laws and no mandatory data retention requirements.
Panama is home to NordVPN. Panama has no mandatory data retention laws and is not party to any international surveillance agreements. Panamanian law does not require companies to log user activity, and foreign government requests for data carry no legal weight unless processed through specific, limited mutual legal assistance treaties.
The British Virgin Islands (BVI) is where ExpressVPN is incorporated. Despite being a British Overseas Territory, the BVI has its own independent legal system with no data retention requirements. UK surveillance laws do not apply directly in the BVI, and local courts must approve any foreign data requests — a process with significant legal hurdles.
Switzerland hosts Proton VPN, benefiting from some of the strongest privacy protections in Europe. Switzerland is not an EU member and not part of any Eyes alliance. Swiss law provides robust data protection, and the country has a long tradition of privacy and neutrality.
Romania, outside the 14 Eyes, is the jurisdiction of CyberGhost VPN. Romania's Constitutional Court has twice struck down data retention legislation as unconstitutional, making it one of the most privacy-friendly jurisdictions in Europe for technology companies.
Sweden, whilst a 14 Eyes member, is home to Mullvad VPN. Mullvad takes a unique approach by accepting anonymous payments (including cash by post) and not requiring any personal information to create an account. Even within a 14 Eyes jurisdiction, Mullvad's operational model means there is virtually no user data to collect.
Practical Advice for UK Users Concerned About Surveillance
First, choose a VPN provider headquartered outside the Five Eyes — and ideally outside all 14 Eyes — jurisdictions. Providers in Panama, the BVI, Switzerland, and Romania offer the strongest jurisdictional protection. Second, verify that your chosen provider has a no-logs policy that has been independently audited. Claims are easy to make; independent verification by firms like PricewaterhouseCoopers, Deloitte, or Cure53 provides genuine assurance.
Third, use a VPN provider that operates RAM-only (diskless) servers. This technology means that if a server is physically seized, all data is lost when power is disconnected — there are no hard drives to image. NordVPN, ExpressVPN, and Surfshark all operate RAM-only server networks. Fourth, consider your payment method. Paying with cryptocurrency or prepaid vouchers adds an extra layer of disconnection between your real identity and your VPN account.
Finally, remember that jurisdiction is one factor among many. A VPN provider in a Five Eyes country with a genuinely verified no-logs policy and RAM-only servers may be more trustworthy in practice than a provider in a "safe" jurisdiction that has never undergone an audit. The complete picture matters more than any single criterion.
Choosing the Right VPN for Privacy
Understanding the Eyes alliances is essential for making an informed VPN choice, particularly as a UK user sitting within the Five Eyes core. Use our VPN comparison tool to filter and compare providers by jurisdiction, audit status, and privacy features. For personalised recommendations based on your specific concerns, our VPN recommendation quiz will guide you to the right provider. You can also explore our individual reviews of NordVPN, ExpressVPN, and Proton VPN — our top picks for privacy-focused UK users.