Proton VPN homepage
ProtonVPN

The Snowden revelations(new window) revealed that the NSA is carrying out electronic surveillance on a global scale and unveiled the shadowy networks of intelligence agencies that act as accomplices.

When people think of mass surveillance, they rightly think of the NSA, but nearly every country in the world has its own signals intelligence (SIGINT) agency. From the UK’s GCHQ to Germany’s BND, these organizations focus on intelligence gathering, counterintelligence operations, and law enforcement by intercepting communications and other electronic signals. SIGINT covers a wide range of activities, from tapping phones to accessing a user’s email database with XKEYSCORE(new window)

Typically, one of the few legal restrictions set upon these agencies is that they cannot spy on their own citizens. This creates a strong incentive for them to cooperate and trade information with each other. The Five Eyes, Nine Eyes, and Fourteen Eyes are the largest and most important agreements that create the legal framework for such coordinated intelligence gathering across borders.

In addition to the Five, Nine, and Fourteen Eyes agreements, there are also similar non-Western intelligence-sharing agreements. This means there are few places in the world where your personal data is safe from snooping, so you should use extra measures, such as strong encryption, to keep it from prying eyes.

The below table shows the countries that participate in the Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing agreements. For more information about each of these agreements, jump ahead to:

CountryFive EyesNine EyesFourteen EyesOther
United Kingdom
United States
Australia
Canada
New Zealand
Denmark
Netherlands
France
Norway
Germany
Belgium
Spain
Sweden
Italy
Israel
Japan
Singapore
South Korea

How do these governments get your private data?

All SIGINT agencies rely on telecommunication companies and internet service providers(new window) to gain access to individuals’ private data. By installing fiber-optic splitters at ISP junction points, the SIGINT agency can make an exact copy of the data being processed at that point. This data is then analyzed using deep packet inspection and stored at different data centers.

Five Eyes intelligence-sharing agreement

five eyes countries

Five Eyes(new window) (also 5 Eyes or FVEY) is the name of the multilateral intelligence-sharing alliance created by the UKUSA Agreement(new window). The agreement was originally conceived as a post-WWII pact between the UK and the US in 1946 to spy on foreign governments, specifically the USSR. Over the years, the treaty grew in both members and scope. As the internet and the amount of data available to intercept grew exponentially, the agreement began to focus more on domestic surveillance.

The “five” in the Five Eyes refers to the five Anglophone countries that observe the treaty: 

  • Australia
  • Canada
  • New Zealand
  • The UK
  • The US

The treaty has built upon its Cold War roots to become the basis for ECHELON(new window), a series of electronic spy stations around the globe that can intercept data transmitted via telephones, faxes, and computers. Essentially, ECHELON stations can intercept data from transmissions to and from satellite relays.

How the Five Eyes agreement works

The Five Eyes alliance is the foundation of an extensive web of partnerships between SIGINT agencies in Western nations to share intelligence with each other. In nearly all respects, the NSA is the global leader in SIGINT, thus most SIGINT agreements, be they multilateral (like the Five Eyes) or bilateral, focus on who has access to NSA data and technology. 

Signatories to the UKUSA Agreement are known as “second parties,” and they have the greatest amount of access to NSA data and the closest ties to the agency. Other Western nations, such as members of NATO or South Korea, are “third parties.” These third-party agreements are formal, bilateral arrangements between the NSA and the national SIGINT agency. Third parties can still trade raw data with the NSA, but they have less access to its database.

Technically, second parties’ citizens are generally exempt from being spied on without approval from the host country, but the Snowden revelations(new window) have shown that the NSA has created a framework that could bypass these blocks. There have been no official comments from any Five Eyes members, and it is unclear if these countries have carried out unapproved surveillance in the past. No such restriction exists for third parties(new window).

It is important to note that the membership of these different groups is constantly changing(new window) in response to global and political developments. Furthermore, the knowledge we have of these groups has come primarily from leaks, leading to a fuzzy picture and pointing out how little oversight these intelligence agencies — who have access to near infinite amounts of personal data — are subject to.

Fourteen Eyes agreement countries

fourteen eyes countries

Fourteen Eyes (or 14 Eyes) refers to the intelligence group that consists of the Five Eyes member countries plus:

  • Belgium
  • Denmark
  • France
  • Germany
  • Italy
  • The Netherlands
  • Norway
  • Spain
  • Sweden 

These countries participate in SIGINT sharing as third parties. The official name of the Fourteen Eyes is the SIGINT Seniors of Europe (SSEUR), which has existed in one form or another since 1982. Similar to the UKUSA Agreement, its original mission was to uncover information about the USSR. 

A SIGINT Seniors Meeting is attended by the heads of the SIGINT agencies (NSA, GCHQ, BND, the French DGSE, etc.) and is where they can share intelligence and discuss related issues. While this group has many of the same members as the “Nine Eyes”, it is a different group. According to leaked documents, the Fourteen Eyes is not a formal treaty but rather an agreement made between SIGINT agencies.

Nine Eyes intelligence alliance

nine eyes countries

Nine Eyes(new window) (9 Eyes) refers to a group of nations that share intelligence, composed of the Five Eyes member countries plus:

  • Denmark
  • France
  • The Netherlands
  • Norway

These countries participate as third parties. This group seems to be a more exclusive club of SSEUR and is not backed by any known treaty. Like the Fourteen Eyes, it is simply an arrangement between SIGINT agencies.

Other partners

Israel(new window), Japan(new window), Singapore, and South Korea(new window) are all suspected to be third parties with the NSA as well. Just as there is a SIGINT Seniors of Europe, there is also a SIGINT Seniors of the Pacific(new window), which was formed in 2005. Its members include the Five Eyes member countries as well as:

  • France
  • India
  • Singapore
  • South Korea
  • Thailand

There are also non-Western intelligence-sharing alliances, such as the Shanghai Cooperation Organization(new window) between:

  • China
  • India
  • Kazakhstan
  • Kyrgyzstan
  • Pakistan
  • Russia
  • Tajikistan
  • Uzbekistan

What this means for you

The existence of international surveillance agreements like Fourteen Eyes allows member countries to take advantage of, as the Electronic Frontier Foundation puts it, “the lowest common privacy denominator(new window).” Other members of the Five Eyes get to benefit from the mass surveillance data the NSA’s XKEYSCORE project brings in. In time, the Five Eyes countries will also benefit from all the data that the UK’s Investigatory Powers Act collects. 

If a sweeping act that expands electronic surveillance passes in any one of these countries, it is as though the act has passed in every country. It also means that there is a good chance that your digital activity is being captured and shared with the NSA or other SIGINT agencies, no matter where in the world you are.

How to avoid surveillance

The best safeguard against this widespread surveillance is strong encryption. If you encrypt your data before it enters the network, it makes it much harder for you to be targeted by surveillance. 

Protecting your emails

When you use your Proton Mail (new window)account to email someone else with a Proton Mail account, your emails are protected with end-to-end encryption(new window), meaning that no one can decrypt the contents of your message except for you and your recipient. You can also protect the messages you send to people who use different email providers with end-to-end encryption with our Encrypt for Outside(new window) feature. With end-to-end encryption and proper device security, it is more difficult for any SIGINT agencies to intercept, decrypt, and read the contents of your email.

Additionally, all messages on Proton Mail’s servers are stored with zero-access encryption(new window), which means we cannot share the content of your messages with surveillance agencies. Zero-access encryption means we encrypt your messages in such a way that even though they are stored on our servers, we cannot access them. Other email providers can decrypt your messages without your permission or knowledge as they control the keys they use to encrypt your messages on their server. By using end-to-end and zero-access encryption, we are unable to provide the contents of our users’ emails to anyone, even governments or law enforcement bodies.

Find out more about end-to-end email encryption and why it matters.(new window)

Using a VPN

Using a VPN service like ProtonVPN(new window) also makes it much harder for surveillance agencies to record and track your internet activity. A VPN encrypts your internet traffic, which means your ISP is not able to record your online activity, which prevents SIGINT agencies from getting that data from the ISP junction points mentioned previously.

By using a VPN with Perfect Forward Secrecy (PFS)(new window), like Proton VPN, you also benefit from extra security. By using a different key for each session, PFS means that even if any of the keys used to encrypt one browsing session become compromised, all your other sessions remain secure. So even in the unlikely event that a SIGINT agency was able to decrypt the VPN data from one browsing session, they would not be able to decrypt all of them.

Other apps

Similar encrypted apps such as Wire(new window) or Signal(new window) also exist for chat communications, and there are some privacy-friendly web browsers(new window), like Brave and Firefox, that go further in protecting your privacy online.

Why Proton is based in Switzerland

Proton Mail and Proton VPN are based in Switzerland, which has some of the world’s strongest privacy laws and is not a signatory(new window) to any of these surveillance agreements. This provides an additional layer of legal protection on top of the encryption we utilize.

Swiss companies, like Proton, cannot be compelled to cooperate with requests for user data from other governments. If the government of another country wanted the little data we hold on any of our users, they would have to make a request to the proper Swiss authorities, which have strict requirements and will typically not work with governments that have poor records on human rights. In the case we are presented with a legal request for user data that we must comply with, we cannot hand over the contents of emails as our zero-access encryption means we do not have access to them.The scale of mass surveillance operations is truly breathtaking and a major threat to democratic society(new window). This is why, at Proton, we do not rely on any government to protect the privacy of those who use Proton Mail or Proton VPN. Instead, we rely on the mathematical strength of our open-source encryption methods. Fortunately, there are now tools for protecting your privacy and safeguarding your right to online freedom.

FAQ

How can I protect myself against mass surveillance?

Encrypting your data is the best way to protect yourself against mass surveillance. By using a VPN(new window), you prevent your ISP from collecting data about your online activity (and any government agencies that are copying that data). If your ISP does not have information about what you do online, they cannot share it with SIGINT agencies in Five Eyes countries.

However, if you use a VPN that is based in a Five Eyes country, any logs they keep on your online activity can be shared with all the SIGINT agencies in the UKUSA agreement. Proton VPN is based in Switzerland(new window), which is not part of the Five, Nine, or Fourteen Eyes agreements.

The same can be said of encrypting your emails. By encrypting your emails, you ensure that no one else can access the contents of your messages. (Note: If you email someone who is not using an encrypted email service, the contents of your emails will not be protected by zero-access encryption on their side.)
You can also use privacy-focused browsers(new window) and encrypted messengers(new window) to further protect yourself from mass surveillance.

Why is it called the Five Eyes?

The Five Eyes (sometimes written as 5 Eyes or FVEY) is a reference to the five anglophone countries that are members of the UKUSA agreement: Australia, Canada, New Zealand, the United Kingdom, and the United States. Although you would be forgiven for thinking “Eyes” refers to snooping, the term “Five Eyes” was actually originally used as shorthand for “AUS/CAN/NZ/UK/US EYES ONLY”(new window) on secret documents. As more intelligence alliances — the Nine Eyes and Fourteen Eyes — were formed, they adopted the same naming convention, although there is no evidence that they were used as shorthand in the same way.

What is SIGINT?

SIGINT is short form for signals intelligence, and refers to the interception of transmission signals. This usually takes the form of gathering communications intelligence between people (sometimes called COMINT), though can also include electronic intelligence (ELINT), which uses electronic sensors (such as radar) to gather information.

How is SIGINT used?

SIGINT was originally used in warfare and did not affect everyday citizens. However, since the Cold War, SIGINT agencies have started collecting more and more intelligence from everyday people’s communications. This increased dramatically after the invention of the World Wide Web, as governments were able to get more data than ever on people from around the world, as the Snowden revelations(new window) showed.

When was UKUSA formed?

The UKUSA agreement (then called BRUSA) was signed by the UK and the US in 1946. In the following decade, the “second parties” — Australia, Canada, and New Zealand — also became signatories of the Agreement.

Related articles

A lock with the colors of the Dutch flag
We ran a survey in the Netherlands and found that 51% of Dutch adults are worried about their online privacy. See the rest of the results.
s AliExpress reliable?
  • Privacy basics
Chinese shopping platform AliExpress is undoubtedly cheap. But is it also safe and reliable, or you are likely to get scammed?
How to fix a 502 error
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.