How Do VPN Jurisdictions Affect You?
Your VPN service could be subject to intrusive surveillance, data retention, and data-sharing laws. Learn about the Five Eyes Alliance and what it means for your privacy in our complete guide to VPN jurisdictions.
The world’s most powerful nations are members of secretive intelligence-sharing agreements called the Five Eyes, Nine Eyes, and Fourteen Eyes Alliances.
These countries work together to collect and share mass surveillance data, including your web browsing activity, phone calls, text messages, electronic documents, location history, and much more.
As such, they are the worst places to base a VPN company, as services located in these countries could be subject to intrusive surveillance, data retention, and data sharing laws, potentially even being forced to hand over your data to authorities.
This guide explains what a VPN jurisdiction is, how it affects your privacy, and how the Five, Nine, and Fourteen Eyes Alliances work, all crucial factors when choosing a VPN.
You can also find out exactly where the most popular VPN services are based in our VPN jurisdiction comparison table.
Why Trust Us?
We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.
What Is a VPN Jurisdiction?
A VPN’s ‘jurisdiction’ is the country where the service provider is legally based or incorporated, and whose legal system will therefore dictate the laws and privacy regulations it’s subject to.
The level of government surveillance and control of the internet varies from country to country. The most intrusive jurisdictions may be able to force VPN services to monitor, collect, or share data about their users.
A VPN’s jurisdiction is not the same thing as the location of its servers. Most VPNs have servers in many countries, but each VPN has just one legal jurisdiction where the company itself is based.
VPN servers are subject to the laws of the country where they are physically located.
Authorities may legally seize individual servers and examine them for data. However, they are unable to compel the VPN service to share information because the company is based in a different country, beyond the reach of their legal powers. This is why a VPN’s logging policy is as important as its jurisdiction.
Depending on your country’s internet regulation, you may want to choose a VPN service located somewhere other than where you live, in a country with strong privacy laws that is not involved in any international data-sharing agreements.
How Do Jurisdictions Affect VPN Users?
If you’re trying to hide your internet activity, you should absolutely avoid using a VPN based in an invasive jurisdiction, as it could be forced to hand over its user data, which can then be shared internationally among intelligence allies.
However, that’s not the only jurisdiction you should be concerned about.
You need to be aware of the jurisdictions governing:
- Your actual physical location
- The location of your chosen VPN server
- Your VPN service’s legal base of operation
If any of these locations are subject to invasive laws, they could be susceptible to raids and other privacy compromises in the name of “security”.
While jurisdiction is important, it’s just one factor to consider when selecting a VPN. The level of protection you need will determine how much jurisdiction matters.
If you’re looking for protection from targeted surveillance, choosing a VPN in a safe jurisdiction is unlikely to be enough. National intelligence agencies have vast resources, and if singled out, you’ll need to worry about more than just the jurisdiction of your VPN.
Trust is also a major factor. A VPN can still lie to its customers and cooperate with authorities even if it operates in a “safe” jurisdiction.
Ultimately, the location of the servers you’re connecting to and the practices of the company controlling them are likely to be more important than where the company is incorporated.
That said, VPN jurisdictions are still important if you really care about your privacy. You could be vulnerable to the following issues:
Surveillance and Data Retention
National intelligence agencies like the NSA and GCHQ have the power to force domestic organizations to log, share, and decrypt private information.
In the U.S., laws like the Patriot Act give authorities the power to coerce legitimate businesses into becoming data gathering tools for state agencies through National Security Letters.
These requests may be accompanied by a gag order that makes it illegal for the company to disclose what they’re being compelled to do. Some VPN companies publish warrant canaries in an attempt to tackle this problem, which we’ll cover later.
There is precedent for this. In 2013, the secure email service Lavabit was targeted by the FBI in an attempt to gather information about Edward Snowden.
Lavabit was subpoenaed with a gag order for the encryption keys to its users’ email contents. This would have allowed the FBI to access communications in real-time for all of Lavabit’s customers, not just Snowden’s.
The founder of the company, Ladar Levison, handed over the company’s encryption keys then promptly shut down the service. US authorities threatened Levison with arrest, arguing that his actions violated the court order.
Similarly, Seattle-based VPN service Riseup was forced to collect user data for government authorities, and was also served with a gag order to stop them revealing this to their users.
HideMyAss, a VPN provider based in the UK, was also served with a court order to collect data and share it with authorities for a criminal investigation, which was not revealed until after the prosecution.
These are just examples of cases that have been made public — it’s highly likely that there are other examples we don’t yet know about.
Data-Sharing Agreements
International surveillance agreements like the Five, Nine, and Fourteen Eyes Alliances allow member countries to share mass surveillance data, benefiting from the “lowest common privacy denominator.”
Should any one nation gain access to your data after expanding its electronic surveillance capabilities, it can potentially be shared with other alliance members.
There is a strong chance therefore that your activity is being collected and shared with an intelligence agency no matter where in the world you are.
Virtual Server Locations and Rented Servers
Some VPN services rent servers from data centers, as it’s significantly cheaper than owning an entire international network outright.
While this may be cost-efficient, it comes at a cost to privacy.
Data centers retain ownership of the servers they rent out and may log your activity, regardless of any logging policy the VPN provider might have.
Depending on the jurisdiction of the data center, local authorities could also compel the server host to retain or share user data.
In cases like this, the jurisdiction and logging policy of the VPN company is irrelevant. Local authorities can go directly to the server host to seize the information they need.
Learn more about rented VPN servers in our virtual server locations guide.
Choosing a Safe VPN Jurisdiction
If you care about your privacy, we recommend choosing a VPN service based outside of the Five, Nine, or Fourteen Eyes Alliances.
The countries involved in these alliances are more prone to invasive surveillance, data retention, and intelligence-gathering programs.
Additionally, the most powerful nations may force other members into logging or other forms of cooperation.
When assessing a VPN’s jurisdiction, consider the following factors:
- No connections to intrusive nations. Avoid governments politically obliged or connected to more powerful, invasive countries, as these international ties could jeopardize your data privacy.
- History of warrants and subpoenas. Steer clear of countries with a track record of online censorship or prosecution based on citizens’ browsing logs.
- Strong privacy and net neutrality laws. While weak net neutrality laws don’t directly affect privacy, they do imply a cozy relationship between the government and ISPs/telecoms that could hurt consumers.
What Is a Privacy Haven?
We recommend you choose a VPN based in a country considered to be a “privacy haven”.
A privacy haven is somewhere with a legal and political environment that’s conducive to online privacy. These countries rarely take part in mandatory surveillance, data retention, or data-sharing agreements, and often have some of the world’s strongest privacy laws.
However, the trade-off is that while privacy havens are not obliged to share user data with international authorities, they tend to lack robust regulations to properly protect that data.
Countries often referred to as privacy havens include The British Virgin Islands, Panama, Seychelles, The Cayman Islands, and Malaysia.
Many VPN companies, like ExpressVPN and NordVPN, register their businesses in these countries to ensure maximum privacy.
There are also some VPN services proven trustworthy despite operating in “dangerous” jurisdictions. Private Internet Access (PIA), for example, could not provide data to the U.S. government in an official court case, despite a subpoena.
A handful of truly no-logs VPN services have passed real-life test cases or third-party audits. A VPN in a safe offshore jurisdiction simply adds protection by reducing chances of being compelled to hand over data.
Do VPN Services Need a Warrant Canary?
A warrant canary is a regularly-published statement designed to prove that a service provider has not been contacted by a government agency or forced to share user data.
Data requests like a U.S. National Security Letter (NSL) typically come with a gag order preventing the target from disclosing the compromise.
Warrant canaries aim to warn users their data may be unsafe, without violating the gag order.
They work by informing users there has not been a court-issued warrant, gag order, or subpoena as of a certain date. If the canary isn’t updated, or is removed, users should assume speech prohibition is in place and the host has received a legal request.
Many VPN services maintain warrant canaries to convince users they’re trustworthy.
However, having one doesn’t guarantee privacy or security. Reliable services may avoid them as their efficacy is contested.
Some experts argue governments can coerce companies to maintain canaries even when compromised, rendering them useless. Compromised services may also avoid changing canaries to retain customers, making canaries mere marketing ploys.
Unfortunately, there is no way to know for certain whether a canary change indicates a court order. Users must speculate on a missing or changed canary’s meaning.
We recommend treating warrant canaries as bonus features once you’ve identified a trustworthy VPN, rather than specifically seeking one with a canary.
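The canary logic described above (a dated statement that must keep being renewed and must keep making the same denials) can be checked mechanically. The following Python sketch is an added example, not code from Top10VPN or any VPN provider; the statement wording, the `as of YYYY-MM-DD` date format, and the 35-day update window are assumptions made for illustration.

```python
import re
from datetime import date

# The three denials the guide says a canary makes. The exact wording a
# provider uses varies; these patterns are assumptions for this example.
REQUIRED_CLAIMS = {
    "warrant": re.compile(r"\bno\s+(?:court-issued\s+)?warrants?\b", re.I),
    "gag order": re.compile(r"\bno\s+gag\s+orders?\b", re.I),
    "subpoena": re.compile(r"\bno\s+subpoenas?\b", re.I),
}
# Assumed date format inside the statement: "as of YYYY-MM-DD".
AS_OF = re.compile(r"\bas of (\d{4})-(\d{2})-(\d{2})\b", re.I)


def check_canary(text, today, max_age_days=35):
    """Classify a canary as 'missing', 'changed', 'stale' or 'fresh'."""
    if text is None or not text.strip():
        return "missing", ["canary removed or empty"]

    # A canary that silently drops one denial is as significant as one
    # that disappears, so check every expected claim is still made.
    dropped = [name for name, pat in REQUIRED_CLAIMS.items()
               if not pat.search(text)]
    if dropped:
        return "changed", ["denial no longer present: " + ", ".join(dropped)]

    match = AS_OF.search(text)
    if not match:
        return "changed", ["no 'as of' date found"]
    try:
        as_of = date(*map(int, match.groups()))
    except ValueError:
        return "changed", ["unparseable date"]

    age = (today - as_of).days
    if age < 0:
        return "changed", ["date is in the future"]
    if age > max_age_days:
        return "stale", [f"last updated {age} days ago"]
    return "fresh", [f"updated {age} days ago"]


# Constructed sample statements (not taken from any real provider).
FRESH = ("As of 2024-03-01, Example VPN has received no warrants, "
         "no gag orders and no subpoenas.")
STALE = FRESH.replace("2024-03-01", "2023-11-01")
CHANGED = "As of 2024-03-01, Example VPN has received no warrants."

if __name__ == "__main__":
    today = date(2024, 3, 20)
    for label, text in [("fresh", FRESH), ("stale", STALE),
                        ("changed", CHANGED), ("removed", None)]:
        print(label, check_canary(text, today))
```

A `fresh` result only shows the statement is current and unchanged; as noted above, it cannot show whether the provider was compelled to keep publishing it.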
The Five Eyes, Nine Eyes, and 14 Eyes Alliances
The NSA is one of the most well-known signals intelligence (SIGINT) agencies, but almost every country has its own equivalent agency engaged in mass surveillance, and they often work together.
Their primary focus is on law enforcement, data collection, and counterintelligence activities through the interception of electronic signals and online communications.
The Five Eyes, Nine Eyes, and 14 Eyes alliances are three of the most significant international intelligence-sharing agreements that facilitate coordinated surveillance efforts among member nations.
Countries belonging to these alliances are the worst VPN jurisdictions in terms of user privacy, as they are more likely to comply with surveillance requests from allied agencies.
Here is a list of the main global surveillance entities you should be aware of:
1. The Five Eyes Alliance
The Five Eyes countries are the U.S., UK, Canada, Australia, and New Zealand.
This intelligence-sharing agreement can be traced back to World War II and the UKUSA agreement, which was originally devised as a partnership between the United States and United Kingdom.
Over the past few decades the treaty has expanded in both members and scope. Member nations, known as the Five Eyes Alliance, now work together to collect, analyze, and share intelligence both domestically and internationally.
While Five Eyes countries have agreed to not spy on each other as adversaries, documents leaked by Edward Snowden revealed that the nations do monitor each other’s citizens and share this intelligence amongst themselves.
As well as sharing surveillance data among themselves, Five Eyes countries also work together to send and enforce data retention notices. This means that one nation can compel another to hand over the logs of VPN users within their jurisdiction.
It is widely acknowledged that many of the Five Eyes countries are among the most significant threats to digital privacy.
Here are some examples of Five Eyes countries and their anti-privacy laws:
- United Kingdom. The UK government passed the Investigatory Powers Act in 2016, which compels UK ISPs and telecoms to record their users’ browsing activity, connection logs, and messages. This data is stored for 12 months and accessible to UK government agencies and third parties without a warrant.
- United States. The US government is a leader in mass surveillance and data collection, aided by telecoms, tech companies, and ISPs through programs like PRISM. In 2006, it was revealed that the U.S. conducted warrantless surveillance of its citizens by tapping all traffic going through AT&T’s internet backbone. As of March 2017, U.S. ISPs can log user activity and sell this data for profit.
- Australia. Australia has implemented data collection laws similar to the UK, forcing ISPs to monitor and record user metadata. This data is stored for two years and accessible to authorities without a warrant. Police can also force companies to share access to encrypted messages without users’ knowledge.
If you’re concerned about privacy while using a VPN, the Five Eyes countries are considered to be the worst VPN jurisdictions possible.
ECHELON Surveillance System
The Five Eyes nations utilize ECHELON, a network of spy stations designed for global surveillance and data collection.
ECHELON can intercept data sent via telephones, faxes, and computers. Its stations can track bank accounts and intercept data from satellite relays. All data is stored in extensive databases that can keep millions of records on individuals.
Although evidence of ECHELON has been growing for almost 30 years, the US denies its existence, while the UK government has been evasive.
Despite these denials, various whistleblowers have confirmed aspects of the ECHELON project by documenting certain details.
2. The Nine Eyes Alliance
The Nine Eyes Alliance is an extension of Five Eyes and consists of a larger group of countries that cooperate to share intelligence. It includes all the Five Eyes countries plus France, Denmark, Norway, and The Netherlands.
The existence of the Nine Eyes Alliance became well-known following the revelations of Edward Snowden in 2013. It is essentially an extension of the Five Eyes agreement that cooperates to gather and distribute mass surveillance data.
While the four additional nations do not have domestic surveillance programs as extensive as the U.S., UK, or Australia, they still cooperate with each other and all five countries in the original alliance.
The Nine Eyes Alliance is an arrangement between SIGINT entities and is not officiated by any formal treaty.
3. The Fourteen Eyes Alliance
The Fourteen Eyes Alliance includes all members of Nine Eyes plus Germany, Belgium, Italy, Sweden, and Spain.
The official name of the alliance is the SIGINT Seniors of Europe (SSEUR), which has existed in various forms since 1982. Once designed to exchange military intelligence, it has now been expanded to include surveillance information on everyday citizens.
The SIGINT Seniors Meeting is held annually and attended by the leaders of SIGINT agencies, where they discuss cooperation and development.
The SIGINT Seniors of the Pacific is a similar entity created in 2005. Member states include all of the Five Eyes countries as well as India, France, Singapore, Thailand, and South Korea.
Other notable countries including Israel and Japan are also believed to work closely with the 14 Eyes alliance and the NSA.
4. The European Union (EU)
The EU is a collection of sovereign European nations. While not as invasive as the Five, Nine, and Fourteen Eyes Alliances, EU member states still engage in data-sharing agreements, compromising privacy.
However, in 2009, Romania’s Constitutional Court ruled that EU demands violated citizens’ privacy rights, making it a safe haven for user privacy in the EU. This helps explain why VPN services like CyberGhost base operations there.
While some EU countries prioritize privacy more than others, many cooperate with Five Eyes or SSEUR authorities, sharing data. This is an important consideration when choosing a VPN based in an EU jurisdiction.
5. The Shanghai Cooperation Organization (SCO)
The Shanghai Cooperation Organization (SCO) — also known as the Shanghai Pact — is a Eurasian political and economic alliance between Russia, China, Pakistan, India, Kyrgyzstan, Kazakhstan, Uzbekistan, and Tajikistan.
The SCO is primarily focused on its members’ national security, with a particular focus on fighting extremism.
Recently, the SCO’s activities have expanded to include increased military cooperation, intelligence-sharing, and counterterrorism. It’s highly likely that SCO member countries collect and share data in a similar way to Western intelligence alliances.
6. Highly-Censored Countries
Certain countries ban VPN usage and invade their citizens’ privacy regardless of international agreements.
The worst offenders for internet restriction include China, UAE, Turkey, Russia, Oman, Iraq, and Belarus, although this list is far from exhaustive.
While it’s unlikely to find a VPN or server physically based in any of these countries, be vigilant. Our investigation into Chinese ownership of free VPN apps found numerous VPNs with ties to questionable Chinese companies.
Jurisdictions with close ties to these governments, like Hong Kong, should also be avoided if data privacy is a concern.
For more information on the legality of VPNs and usage restrictions, read our guide to VPN laws.
VPN Jurisdiction Comparison (80 Analyzed)
We checked the privacy policies of popular VPN services. We found a significant number are based in jurisdictions with the potential to put user data at risk.
We investigated 80 VPNs and found that:
- 62% are based in a Five, Nine, or 14 Eyes Alliance member state, or don’t disclose their jurisdiction (red).
- 20% are based in an EU member state or a country with suspected links to invasive governments (amber).
- 18% are based in “safe” jurisdictions outside privacy-abusing governments or data-sharing agreements (green).
The following table lists all 80 VPN services we investigated, their jurisdiction, and whether they maintain a warrant canary. Where a warrant canary is no longer up-to-date and therefore suspected as being tripped, it’s marked in red.