The 5 / 9 / 14 eyes misleading VPN argument

The 5 / 9 / 14 eyes misleading VPN argument

Introduction

The VPN provider market is a jungle of operators competing for customers, using many marketing arguments. One of the most bizarre argument used is the so called 5 / 9 / 14 eyes issue.

The argument here is about “no-logging” as a countermeasure to the “surveillance threat” inside those 5 / 9 / 14 eyes countries, ending with the argument that the location outside those “eyes” countries makes the place perfect for a VPN provider.

In this article, I will examine this marketing argument by splitting it into two points:

  • the jurisdiction together with the no-logging part
  • the surveillance threat from the “eyes” countries.

The jurisdiction and no-logging part

As an example, let us look at the advertisement used by ExpressVPN, with its location in the British Virgin Island (BVI). On their hompage, they explain that:

There are no data retention laws in the BVI
The BVI is an offshore jurisdiction renowned for privacy protection. This is in contrast to many European countries and Australia, which have laws requiring ISPs to retain metadata related to their users’ internet activity.

Another VPN provider, NordVPN, uses similar advertisement of the fact that they are located in Panama:

Jurisdiction we operate in
We are based and operate under the jurisdiction of Panama. There is no mandatory data retention law in Panama so we do not need to store logs which is perfect for a VPN provider.

More locally, we can look to a Swedish VPN provider, Mullvad. Mullvad is located in Sweden, a member of the 14 eyes countries, and explains the Swedish legislation as follows:

The Electronic Communications Act (2003:389) (LEK)
LEK is the Swedish law that implements the EU Directive (2002:58) on Privacy and Electronic Communications. LEK covers all electronic communications networks and electronic communications services. According to LEK’s definitions, LEK does not apply to us, since we as a VPN service provider are not regarded as an electronic communications network nor an electronic communications service (see more information below).

Act (2012:278) on Collection of Data in Electronic Communication in the Crime Combating Authorities’ Intelligence Service (IHL)
This law can only be used to request user data from businesses having the LEK reporting obligation. This means authorities can not use LEK nor IHL to request information from us.

In reading this, it is clear that Mullvad, as with most other VPN providers have a policy which is not all that different from the two first mentioned providers.

Mullvad further explains:

No-logging data policy
The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.

Another Swedish VPN provider, AzireVPN, explains similar things in their terms and conditions:

§ Logging
AzireVPN does NOT log any traffic or user activity while using our service.
AzireVPN does NOT log timestamps or any information relating to when a user connects/disconnects from our service.
AzireVPN does NOT log or shape any bandwidth on our servers.
AzireVPN does NOT log the original IP addresses of our users when they connect OR their AzireVPN IP address when they are using our service.
AzireVPN does NOT log the number of your active sessions or total sessions.
AzireVPN does NOT log your DNS requests on our servers.

The false non-logging advertisement

Having a no-logging policy, then, is nothing unique for the VPN providers located outside the 5-9-14 eyes countries. Indeed, having such a policy is something which appears consistent across most VPN providers (at least, so they say/write), even if a few of them keep more logs than others, (for example F-Secure Freedome).

Taking a look at the examples above shows clearly that a VPN providers location and legislation doesn’t make as much of a difference as the common argument may suggest. From my point of view, the argument and marketing used on the “no-logging” part is pure nonsense and at worst, may even rise to the level of false marketing.

It is worth noting that those who support the argument are right when it comes to idea of:

laws requiring ISPs to retain metadata related to their users’ internet activity

This is valid for ISP’s and not for VPN providers in the “eyes” countries (at least not in Sweden). Suggesting that even this statement may be stretching things a bit.

If there are legal changes in the future, that require even VPN providers to log traffic, then this will most likely impact all VPN providers that are operating in that country. In such an instance, it will not matter where the VPN company is located, as it is operating in the country and must follow the laws that apply there. We have seen this in the past were PIA have ceased to have a presence in Russia due to legal changes impacting that country.

This brings me to the second argument used, the surveillance part.

Surveillance from 5 / 9 / 14 eyes countries

The website Restoreprivacy.com published an article that proclaims the “eyes” problem in their own words. Specifically, they explain that:

In short, these are just international surveillance alliances representing various countries around the world. These surveillance alliances work together to collect and share mass surveillance data. In other words, they are essentially acting as one global-surveillance entity to spy on you and record your activities.

ExpressVPN describes the “eyes” in a similarly negative fashion:

“14 Eyes,” also known as SIGINT Seniors Europe, refers to a collection of 14 countries whose foreign intelligence agencies are reported to share military and counterterrorism information with one another.

As these intelligence agencies strive to intercept all communications internationally (not only from within their national borders), it is unclear whether there is incremental risk associated with operating a VPN service from within a 14 Eyes country.

Nevertheless, because the BVI is a tiny nation without any foreign intelligence operations, it is most certainly not a party to any 14 Eyes intelligence sharing agreements. Therefore, the BVI is not considered as belonging to the 14 Eyes group of countries.

In reality, what does this have to do with the place where a VPN provider is located? Nothing at all. Again, just another false argument used to stir up distrust an potentially engage in false marketing.

The interesting part here is that ExpressVPN is even writing about it in their article: “unclear whether there is incremental risk associated with operating a VPN service from within a 14 Eyes country”. Nerveless they are operating several VPN servers within those 14 Eyes countries.

Let us take a short look at the princip by which a VPN works and why some people may choose to use one:

You connect to a VPN server in any country of your choice. The communication from your computer to that VPN server is encrypted. From the VPN server, your traffic appears as it would if it came straight from your local ISP (Internet Service Provider). The traffic is later handled by an ISP located in the country to which you are connected.

A VPN service can be used to protect yourself from a “Man-in-the-middle-attack”. Such as when using a public Wi-Fi connection at an airport, or to avoid the monitoring of your internet traffic from an ISP or country from which you are connecting.

Mullvad VPN explains this in their Swedish legislation post as follows:

Act (2008:717) on Signal Surveillance for Defense Intelligence Activities
This piece of legislation gives Sweden’s National Defence Radio Establishment the authority to carry out surveillance on cross-border communications (for example  phone calls and internet traffic). Other countries do so similarly. To protect electronic communications crossing the Swedish border, consumers can use a VPN service to protect their user activity.

In the example above, you would be using a VPN connection to connect to an internet egress point in another country that in which you are located. Again, this has nothing to do with the location where the VPN provider itself is located.

The false argument about surveillance

The Intelligence Services of all countries are doing more or less SIGINT (Signals intelligence).

For example, the German Federal Intelligence Service (BND) openly mention this on their homepage:

Ob Satelliten- oder leitungsgebundene Kommunikation, E-Mails oder Voice-over-IP:
Das Spektrum elektronischer Kommunikation ist breit und verändert sich ständig.

Modernste Erfassungs- und Filtertechnik für weltweite Datenströme stellt dennoch sicher, dass der BND an genau die Informationen gelangt, die er zur Erfüllung seines Auftrags braucht.

English translation:

Whether satellite or wired communication, e-mails or Voice-over-IP:
The range of electronic communication is wide and constantly changing.

The most up-to-date collection and filter technology for worldwide data streams nevertheless ensures that the BND gets exactly the information it needs to fulfil its mission.

To summarize the statement above in one sentence:

Whether satellite or wired communication, e-mails or voice over IP, collection and filter technology for worldwide data streams ensures that the Intelligence service gets exactly the information it needs.

Coming, once again, back to ExpressVPN’s explanation already mentioned above:

… whose foreign intelligence agencies are reported to share military and counterterrorism information with one another.

Yes … military and counterterrorism information! What does that have to do with your normal internet traffic? Not much I suppose! (if you are not an terrorist)

Also taking another look at Sweden, one of the “eyes” countries. According to the law the Swedish intelligence agency (FRA), can not automatically share SIGNT information with the police. Information sharing here is very limited and for example connected to counterterrorism information, if requested by the Swedish secret service, when related to Sweden’s safety.

Based on the above you could presume that the “eyes” argument is only relevant for terrorists and marketing departments at some VPN providers, but not for regular internet users.

Now a question for you as a reader and VPN user:

Are you using a VPN server and by this, an internet egress point in one of the “Eyes” countries? Then you will likely be a potential “victim” of that country’s SIGINT activities!

If you are connecting to a VPN server located in any particular “eyes” country, then you are using that country’s infrastructure (as any country’s infrastructure you are connecting to). Once connected to that country, you are a part of that surveillance issue explained in the argument above, because you are using an internet egress point in that country. It doesn’t matter whether the VPN provider is located inside or outside the group of “eyes” countries. Here we have the second false marketing argument!

Additionally, we have to keep in mind, that VPN providers usually don’t own their VPN servers. The VPN servers are typically rented at different hosting providers all over the world. Those hosting providers are very often the same, as I documented in my blog article from last year “mapping of egress points used by VPN providers“. Even if some VPN providers are allowed to deploy their own hardware they still use the same hosting provider and by this their internet connection.

The trust issue

When it comes to trusting a VPN provider, I would rather place my trust in a provider connected to the “eyes” countries than a VPN provider located on an off “eyes” island or country near the Caribbean region. I say this basically because many of the VPN providers in the “Eyes” countries are located within the EU. EU has several strong privacy laws, for example (95/46/EC (“Data Protection”) or the EU General Data Protection Regulation 2016/679).

In contrast to this, we know very little about “non-eyes” countries like the British Virgin Island or Panama.

Verdicts

Whether a VPN provider has its jurisdiction within a 5, 9 or 14 eyes country or not doesn’t matter when it comes to privacy or trustworthiness.

It just tells you where the VPN provider is located. It doesn’t tell you where the provider is operating. The operational part, is in general, the same, whether you are using a VPN provider from an “eyes” country or not.

When using VPN services in any of the “eyes” countries (regardless of the provider’s location), than you are connecting to a country where the police or the secret service will see you as a part of the SIGINT processes completed by the authorities in that country. Using a VPN doesn’t make you anonymous, even not when using a VPN provider from a “non-eyes” country. To improve your anonymity you may use Tor or other tools in addition to a VPN service.

The whole 5 / 9 / 14 eyes argument that I’ve discussed throughout is in my opinion  just a misleading marketing campaign. If you don’t want to be a “victim” to the “eyes” issue, then simply don’t surf through an internet egress point (VPN server) from one of the “eyes” countries! Or, don’t use any service of those countries, which excludes a significant part of internet.

In the end, it’s just a question of  who you trust. Specially, should you trust those VPN providers, and by this their VPN service, when they are using a misleading argument about the superiority of a location outside the “eyes” countries? Are those providers more trustworthy than those inside the 5 / 9 / 14 eyes, with many of those inside the EU, the latter of which have more and strong privacy laws? It’s up to you to decide, but don’t be fooled by the false marketing of the 5 / 9 / 14 eyes argument.

Finally don’t forget option to rent your own virtual server at a place of your choice, or use a Pi at home, and configure this as your own private VPN service.

Kommentarer är stängda.