The Snowden revelations(neues Fenster) revealed that the NSA is carrying out electronic surveillance on a global scale and unveiled the shadowy networks of intelligence agencies that act as accomplices.
When people think of mass surveillance, they rightly think of the NSA, but nearly every country in the world has its own signals intelligence (SIGINT) agency. From the UK’s GCHQ to Germany’s BND, these organizations focus on intelligence gathering, counterintelligence operations, and law enforcement by intercepting communications and other electronic signals. SIGINT covers a wide range of activities, from tapping phones to accessing a user’s email database with XKEYSCORE(neues Fenster).
Typically, one of the few legal restrictions set upon these agencies is that they cannot spy on their own citizens. This creates a strong incentive for them to cooperate and trade information with each other. The Five Eyes, Nine Eyes, and Fourteen Eyes are the largest and most important agreements that create the legal framework for such coordinated intelligence gathering across borders.
In addition to the Five, Nine, and Fourteen Eyes agreements, there are also similar non-Western intelligence-sharing agreements. This means there are few places in the world where your personal data is safe from snooping, so you should use extra measures, such as strong encryption, to keep it from prying eyes.
The below table shows the countries that participate in the Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing agreements. For more information about each of these agreements, jump ahead to:
Country | Five Eyes | Nine Eyes | Fourteen Eyes | Other |
United Kingdom | ✓ | ✓ | ✓ | |
United States | ✓ | ✓ | ✓ | |
Australia | ✓ | ✓ | ✓ | |
Canada | ✓ | ✓ | ✓ | |
New Zealand | ✓ | ✓ | ✓ | |
Denmark | ✓ | ✓ | ||
Netherlands | ✓ | ✓ | ||
France | ✓ | ✓ | ||
Norway | ✓ | ✓ | ||
Germany | ✓ | |||
Belgium | ✓ | |||
Spain | ✓ | |||
Sweden | ✓ | |||
Italy | ✓ | |||
Israel | ✓ | |||
Japan | ✓ | |||
Singapore | ✓ | |||
South Korea | ✓ |
How do these governments get your private data?
All SIGINT agencies rely on telecommunication companies and internet service providers(neues Fenster) to gain access to individuals’ private data. By installing fiber-optic splitters at ISP junction points, the SIGINT agency can make an exact copy of the data being processed at that point. This data is then analyzed using deep packet inspection and stored at different data centers.
Five Eyes intelligence-sharing agreement
Five Eyes(neues Fenster) (also 5 Eyes or FVEY) is the name of the multilateral intelligence-sharing alliance created by the UKUSA Agreement(neues Fenster). The agreement was originally conceived as a post-WWII pact between the UK and the US in 1946 to spy on foreign governments, specifically the USSR. Over the years, the treaty grew in both members and scope. As the internet and the amount of data available to intercept grew exponentially, the agreement began to focus more on domestic surveillance.
The “five” in the Five Eyes refers to the five Anglophone countries that observe the treaty:
- Australia
- Canada
- New Zealand
- The UK
- The US
The treaty has built upon its Cold War roots to become the basis for ECHELON(neues Fenster), a series of electronic spy stations around the globe that can intercept data transmitted via telephones, faxes, and computers. Essentially, ECHELON stations can intercept data from transmissions to and from satellite relays.
How the Five Eyes agreement works
The Five Eyes alliance is the foundation of an extensive web of partnerships between SIGINT agencies in Western nations to share intelligence with each other. In nearly all respects, the NSA is the global leader in SIGINT, thus most SIGINT agreements, be they multilateral (like the Five Eyes) or bilateral, focus on who has access to NSA data and technology.
Signatories to the UKUSA Agreement are known as “second parties,” and they have the greatest amount of access to NSA data and the closest ties to the agency. Other Western nations, such as members of NATO or South Korea, are “third parties.” These third-party agreements are formal, bilateral arrangements between the NSA and the national SIGINT agency. Third parties can still trade raw data with the NSA, but they have less access to its database.
Technically, second parties’ citizens are generally exempt from being spied on without approval from the host country, but the Snowden revelations(neues Fenster) have shown that the NSA has created a framework that could bypass these blocks. There have been no official comments from any Five Eyes members, and it is unclear if these countries have carried out unapproved surveillance in the past. No such restriction exists for third parties(neues Fenster).
It is important to note that the membership of these different groups is constantly changing(neues Fenster) in response to global and political developments. Furthermore, the knowledge we have of these groups has come primarily from leaks, leading to a fuzzy picture and pointing out how little oversight these intelligence agencies — who have access to near infinite amounts of personal data — are subject to.
Fourteen Eyes agreement countries
Fourteen Eyes (or 14 Eyes) refers to the intelligence group that consists of the Five Eyes member countries plus:
- Belgium
- Denmark
- France
- Germany
- Italy
- The Netherlands
- Norway
- Spain
- Sweden
These countries participate in SIGINT sharing as third parties. The official name of the Fourteen Eyes is the SIGINT Seniors of Europe (SSEUR), which has existed in one form or another since 1982. Similar to the UKUSA Agreement, its original mission was to uncover information about the USSR.
A SIGINT Seniors Meeting is attended by the heads of the SIGINT agencies (NSA, GCHQ, BND, the French DGSE, etc.) and is where they can share intelligence and discuss related issues. While this group has many of the same members as the “Nine Eyes”, it is a different group. According to leaked documents, the Fourteen Eyes is not a formal treaty but rather an agreement made between SIGINT agencies.
Nine Eyes intelligence alliance
Nine Eyes(neues Fenster) (9 Eyes) refers to a group of nations that share intelligence, composed of the Five Eyes member countries plus:
- Denmark
- France
- The Netherlands
- Norway
These countries participate as third parties. This group seems to be a more exclusive club of SSEUR and is not backed by any known treaty. Like the Fourteen Eyes, it is simply an arrangement between SIGINT agencies.
Other partners
Israel(neues Fenster), Japan(neues Fenster), Singapore, and South Korea(neues Fenster) are all suspected to be third parties with the NSA as well. Just as there is a SIGINT Seniors of Europe, there is also a SIGINT Seniors of the Pacific(neues Fenster), which was formed in 2005. Its members include the Five Eyes member countries as well as:
- France
- India
- Singapore
- South Korea
- Thailand
There are also non-Western intelligence-sharing alliances, such as the Shanghai Cooperation Organization(neues Fenster) between:
- China
- India
- Kazakhstan
- Kyrgyzstan
- Pakistan
- Russia
- Tajikistan
- Uzbekistan
What this means for you
The existence of international surveillance agreements like Fourteen Eyes allows member countries to take advantage of, as the Electronic Frontier Foundation puts it, “the lowest common privacy denominator(neues Fenster).” Other members of the Five Eyes get to benefit from the mass surveillance data the NSA’s XKEYSCORE project brings in. In time, the Five Eyes countries will also benefit from all the data that the UK’s Investigatory Powers Act collects.
If a sweeping act that expands electronic surveillance passes in any one of these countries, it is as though the act has passed in every country. It also means that there is a good chance that your digital activity is being captured and shared with the NSA or other SIGINT agencies, no matter where in the world you are.
How to avoid surveillance
The best safeguard against this widespread surveillance is strong encryption. If you encrypt your data before it enters the network, it makes it much harder for you to be targeted by surveillance.
Protecting your emails
When you use your Proton Mail (neues Fenster)account to email someone else with a Proton Mail account, your emails are protected with end-to-end encryption(neues Fenster), meaning that no one can decrypt the contents of your message except for you and your recipient. You can also protect the messages you send to people who use different email providers with end-to-end encryption with our Encrypt for Outside(neues Fenster) feature. With end-to-end encryption and proper device security, it is more difficult for any SIGINT agencies to intercept, decrypt, and read the contents of your email.
Additionally, all messages on Proton Mail’s servers are stored with zero-access encryption(neues Fenster), which means we cannot share the content of your messages with surveillance agencies. Zero-access encryption means we encrypt your messages in such a way that even though they are stored on our servers, we cannot access them. Other email providers can decrypt your messages without your permission or knowledge as they control the keys they use to encrypt your messages on their server. By using end-to-end and zero-access encryption, we are unable to provide the contents of our users’ emails to anyone, even governments or law enforcement bodies.
Find out more about end-to-end email encryption and why it matters.(neues Fenster)
Using a VPN
Using a VPN service like ProtonVPN(neues Fenster) also makes it much harder for surveillance agencies to record and track your internet activity. A VPN encrypts your internet traffic, which means your ISP is not able to record your online activity, which prevents SIGINT agencies from getting that data from the ISP junction points mentioned previously.
By using a VPN with Perfect Forward Secrecy (PFS)(neues Fenster), like Proton VPN, you also benefit from extra security. By using a different key for each session, PFS means that even if any of the keys used to encrypt one browsing session become compromised, all your other sessions remain secure. So even in the unlikely event that a SIGINT agency was able to decrypt the VPN data from one browsing session, they would not be able to decrypt all of them.
Other apps
Similar encrypted apps such as Wire(neues Fenster) or Signal(neues Fenster) also exist for chat communications, and there are some privacy-friendly web browsers(neues Fenster), like Brave and Firefox, that go further in protecting your privacy online.
Why Proton is based in Switzerland
Proton Mail and Proton VPN are based in Switzerland, which has some of the world’s strongest privacy laws and is not a signatory(neues Fenster) to any of these surveillance agreements. This provides an additional layer of legal protection on top of the encryption we utilize.
Swiss companies, like Proton, cannot be compelled to cooperate with requests for user data from other governments. If the government of another country wanted the little data we hold on any of our users, they would have to make a request to the proper Swiss authorities, which have strict requirements and will typically not work with governments that have poor records on human rights. In the case we are presented with a legal request for user data that we must comply with, we cannot hand over the contents of emails as our zero-access encryption means we do not have access to them.The scale of mass surveillance operations is truly breathtaking and a major threat to democratic society(neues Fenster). This is why, at Proton, we do not rely on any government to protect the privacy of those who use Proton Mail or Proton VPN. Instead, we rely on the mathematical strength of our open-source encryption methods. Fortunately, there are now tools for protecting your privacy and safeguarding your right to online freedom.
FAQ
Encrypting your data is the best way to protect yourself against mass surveillance. By using a VPN(neues Fenster), you prevent your ISP from collecting data about your online activity (and any government agencies that are copying that data). If your ISP does not have information about what you do online, they cannot share it with SIGINT agencies in Five Eyes countries.
However, if you use a VPN that is based in a Five Eyes country, any logs they keep on your online activity can be shared with all the SIGINT agencies in the UKUSA agreement. Proton VPN is based in Switzerland(neues Fenster), which is not part of the Five, Nine, or Fourteen Eyes agreements.
The same can be said of encrypting your emails. By encrypting your emails, you ensure that no one else can access the contents of your messages. (Note: If you email someone who is not using an encrypted email service, the contents of your emails will not be protected by zero-access encryption on their side.)
You can also use privacy-focused browsers(neues Fenster) and encrypted messengers(neues Fenster) to further protect yourself from mass surveillance.
The Five Eyes (sometimes written as 5 Eyes or FVEY) is a reference to the five anglophone countries that are members of the UKUSA agreement: Australia, Canada, New Zealand, the United Kingdom, and the United States. Although you would be forgiven for thinking “Eyes” refers to snooping, the term “Five Eyes” was actually originally used as shorthand for “AUS/CAN/NZ/UK/US EYES ONLY”(neues Fenster) on secret documents. As more intelligence alliances — the Nine Eyes and Fourteen Eyes — were formed, they adopted the same naming convention, although there is no evidence that they were used as shorthand in the same way.
SIGINT is short form for signals intelligence, and refers to the interception of transmission signals. This usually takes the form of gathering communications intelligence between people (sometimes called COMINT), though can also include electronic intelligence (ELINT), which uses electronic sensors (such as radar) to gather information.
SIGINT was originally used in warfare and did not affect everyday citizens. However, since the Cold War, SIGINT agencies have started collecting more and more intelligence from everyday people’s communications. This increased dramatically after the invention of the World Wide Web, as governments were able to get more data than ever on people from around the world, as the Snowden revelations(neues Fenster) showed.
The UKUSA agreement (then called BRUSA) was signed by the UK and the US in 1946. In the following decade, the “second parties” — Australia, Canada, and New Zealand — also became signatories of the Agreement.