Five Eyes, Nine Eyes, and Fourteen Eyes Explained (2026 Guide)

Q: Should I avoid VPNs based in Five Eyes countries?

Not necessarily. Jurisdiction is one factor among several, and a well-implemented no-logs policy matters more in practice. Several highly respected VPN providers are based in Five Eyes countries — TunnelBear and Windscribe are in Canada, Private Internet Access is in the United States — and they remain trustworthy because they don't store the data anyone could compel them to hand over. The principle to focus on is: 'a provider can't disclose what it doesn't have.'

Q: Which countries are in the Five Eyes alliance?

The Five Eyes consists of the United States, the United Kingdom, Canada, Australia, and New Zealand. The alliance grew out of the BRUSA Agreement of 1943 and was formalized as the UKUSA Agreement in 1946 between the US and UK, with the other three countries joining over the following decade.

Q: Which countries are in the Nine Eyes alliance?

The Nine Eyes is the Five Eyes plus Denmark, France, the Netherlands, and Norway. It is a less formal expansion of the Five Eyes core, with cooperation focused on signals intelligence sharing across Western governments.

Q: Which countries are in the Fourteen Eyes alliance?

The Fourteen Eyes, formally known as SIGINT Seniors Europe (SSEUR), comprises the Nine Eyes countries plus Germany, Belgium, Italy, Spain, and Sweden. Its cooperation has been particularly focused on counterterrorism intelligence sharing since the early 2000s.

Q: Are there other intelligence-sharing arrangements beyond Fourteen Eyes?

Yes. The 'Five Eyes Plus' arrangement reportedly extends cooperation to Israel, Singapore, South Korea, and Japan on certain topics. The 'SIGINT Seniors Pacific' alliance includes additional Asia-Pacific partners. Most intelligence cooperation occurs through bilateral agreements that aren't part of any named multilateral grouping.

Q: Does StandVPN keep logs that could be shared under any of these alliances?

No. StandVPN runs a no-logs policy and is designed so that there is essentially nothing to hand over under any government data request, regardless of jurisdiction. Combined with post-quantum cryptography and an always-on kill switch, that's the practical posture that matters more than which country the company is registered in.

TL;DR — The Short Answer

The Five Eyes is an intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand, formalized by the 1946 UKUSA Agreement. The Nine Eyes adds Denmark, France, the Netherlands, and Norway. The Fourteen Eyes further adds Germany, Belgium, Italy, Spain, and Sweden. Each tier represents a different level of cooperation in sharing signals intelligence. In VPN terms, jurisdictions outside these alliances — like Switzerland, Panama, and the British Virgin Islands — are often preferred. But here's the honest truth: a properly built no-logs VPN is privacy-protective regardless of jurisdiction, because there is nothing for any government to obtain. Jurisdiction matters; a strong product matters more.

Jump to a section

Why this comes up in every VPN conversation
What the Five Eyes is
What the Nine Eyes is
What the Fourteen Eyes is
All the countries, at a glance
What the alliances actually do
A short history
Beyond Fourteen Eyes
Does this matter for VPN users?
Jurisdiction vs server location
Five common misconceptions
The "privacy-friendly" jurisdictions
Your jurisdiction checklist
How StandVPN thinks about jurisdiction
Frequently asked questions

Spend any time reading about VPNs and you'll quickly run into a phrase that sounds vaguely ominous: the Five Eyes. Or maybe its more comprehensive cousins, the Nine Eyes and the Fourteen Eyes. Most VPN marketing pages reference them. Most don't quite explain what they are.

This guide does. Written plainly, with respect for your time. We'll cover what the alliances actually are, what they actually do, what's legitimately worth thinking about as a VPN user, and — equally important — what's overstated. The goal is to leave you with a clear, balanced understanding that no marketing page will give you.

Why this comes up in every VPN conversation

QUICK ANSWER The Five Eyes and its extensions are intelligence-sharing alliances between Western democracies. They come up in VPN conversations because the country where a VPN provider is legally based determines what government data requests the company could face, and what intelligence sharing those requests could feed into.

The simple reason this topic comes up so often: a VPN provider is subject to the laws of the country where it's incorporated. If a government in that country can compel the VPN to share data — or to do so secretly without telling its users — that data could then be shared with allied governments under treaty arrangements like the Five Eyes.

This is why "where is the VPN based?" is a standard question in any thoughtful privacy comparison. It's also why several of the most respected privacy VPNs are deliberately based outside these alliances: ProtonVPN (Switzerland), NordVPN (Panama), ExpressVPN (British Virgin Islands), Mullvad (Sweden — inside Fourteen Eyes but with a deliberately minimal-data posture). You can read more about how this plays out in practice in our Mullvad vs ProtonVPN comparison.

What the Five Eyes is

QUICK ANSWER The Five Eyes (FVEY) is an intelligence-sharing alliance comprising the United States, United Kingdom, Canada, Australia, and New Zealand. It was formalized by the 1946 UKUSA Agreement and is the oldest and most integrated of the Eyes alliances.

The Five Eyes — sometimes written FVEY — is an intelligence alliance between five English-speaking countries:

United States
United Kingdom
Canada
Australia
New Zealand

It originated as the BRUSA Agreement between the US and UK in 1943, during the Second World War. After the war, this became the UKUSA Agreement in 1946. Canada joined the arrangement in 1948, with Australia and New Zealand joining in 1956. The alliance was kept secret from the public for decades — its existence was not formally acknowledged by the UK government until 2010.

The Five Eyes is the most formal and most integrated of the Eyes alliances. Cooperation between member intelligence agencies — the NSA in the US, GCHQ in the UK, CSE in Canada, ASD in Australia, and GCSB in New Zealand — is deep, ongoing, and covers signals intelligence (SIGINT), satellite intelligence, and aspects of human intelligence as well.

What the Nine Eyes is

QUICK ANSWER The Nine Eyes is an expanded version of the Five Eyes that adds Denmark, France, the Netherlands, and Norway. It is less formal than the Five Eyes core and represents a wider European cooperation framework.

The Nine Eyes extends the Five Eyes by adding four more European countries:

Denmark
France
Netherlands
Norway

The Nine Eyes is less formally structured than the Five Eyes core. It's better understood as a working level of cooperation — a circle of countries that share intelligence on specific topics, rather than a single unified treaty arrangement. The grouping became publicly known largely through documents disclosed by Edward Snowden in 2013.

What the Fourteen Eyes is

QUICK ANSWER The Fourteen Eyes — formally known as SIGINT Seniors Europe (SSEUR) — adds Germany, Belgium, Italy, Spain, and Sweden to the Nine Eyes countries. Cooperation has historically been focused on counterterrorism intelligence sharing.

The Fourteen Eyes is the widest of the named alliances. It adds five more countries to the Nine Eyes group:

Germany
Belgium
Italy
Spain
Sweden

The Fourteen Eyes has a formal name: SIGINT Seniors Europe (SSEUR). It was established in the late 1980s and has been particularly focused on signals-intelligence cooperation across Western Europe, including counterterrorism work after the September 11, 2001 attacks. It is the broadest of the three Eyes groupings most commonly mentioned in VPN privacy discussions.

All the countries, at a glance

Here's the full picture in one place. The Five Eyes is the innermost circle; each subsequent ring adds countries on top of the previous one.

Alliance	Member countries
Five Eyes (FVEY)	United States United Kingdom Canada Australia New Zealand
Nine Eyes	United States · United Kingdom · Canada · Australia · New Zealand Denmark France Netherlands Norway
Fourteen Eyes (SSEUR)	USA · UK · Canada · Australia · NZ · Denmark · France · Netherlands · Norway Germany Belgium Italy Spain Sweden

Red highlighted countries are the new additions at each tier. The Fourteen Eyes is, in effect, a near-comprehensive map of major Western democracies.

What the alliances actually do

QUICK ANSWER The Eyes alliances enable member governments to share signals intelligence — intercepted communications, metadata, and electronic surveillance data — with each other. They are not a single unified spying organization. Each member country operates its own intelligence services under its own laws and chooses what to share.

This is where many marketing pages get carried away. Let's be precise.

The Eyes alliances are not a unified surveillance apparatus that monitors everyone in member countries. They are cooperation frameworks — treaties and informal agreements that govern how member intelligence agencies share information they collect through their own legal processes.

What they enable, in practice:

Sharing of signals intelligence (SIGINT) — intercepted communications, metadata about who-talks-to-whom, and similar electronic surveillance data.
Joint operations on shared targets — terrorism investigations, organized crime, foreign-intelligence threats.
Mutual assistance with technical capabilities — sharing decryption advances, surveillance technology, and methodology.
Reduced political friction when one member needs data the other already has — formal request processes are smoother between allies than between non-allies.

What they do not do:

They don't constitute a single agency reading everyone's email.
They don't mean every country in the alliance shares everything with every other country — much intelligence is bilateral, not multilateral.
They don't override domestic law. A VPN provider in the UK still has to respond to UK legal processes, not to direct requests from the US (which would typically have to be routed through a UK legal process).

The honest summary: the alliances are real, they matter for some user threat models, and they're nothing like the cinematic picture some VPN ads imply.

A short history

1943

The BRUSA Agreement establishes formal SIGINT cooperation between the US and UK during the Second World War.

1946

BRUSA evolves into the UKUSA Agreement, formalizing post-war intelligence cooperation between the two countries. Canada, Australia, and New Zealand are added in subsequent years to form what becomes the Five Eyes.

1956

Australia and New Zealand formally join. The Five Eyes alliance as we know it today is now in place, though kept secret from the public.

1980s

European cooperation grows. SIGINT Seniors Europe (SSEUR) — the Fourteen Eyes — is established to coordinate signals intelligence sharing between Western European countries and the Five Eyes core.

2001

The European Parliament publishes a report on the ECHELON surveillance system, the first major public acknowledgment that Five Eyes-style global signals monitoring existed.

2010

The UK government, for the first time, publicly acknowledges the existence of the UKUSA Agreement.

2013

The Edward Snowden disclosures reveal the scope and detail of Five Eyes signals-intelligence cooperation. The Nine Eyes and Fourteen Eyes groupings enter mainstream privacy discussion for the first time.

2017

A trove of NSA tools is leaked by the Shadow Brokers, further illuminating the technical capabilities of Five Eyes signals intelligence.

2020s

Five Eyes cooperation expands publicly into new domains — particularly cybersecurity, foreign-influence operations, and cooperation with non-member partners like Japan and South Korea.

Beyond Fourteen Eyes — the wider picture

The Five Eyes, Nine Eyes, and Fourteen Eyes are the formal named tiers. The reality of international intelligence cooperation extends well beyond them.

Five Eyes Plus arrangements reportedly extend cooperation to additional countries on specific topics. Israel, Japan, South Korea, and Singapore are often mentioned in this context.
SIGINT Seniors Pacific is the Pacific counterpart to SSEUR, with additional Asia-Pacific partners.
The Quintet of Attorneys General (US, UK, Canada, Australia, New Zealand) is a Five Eyes-aligned legal cooperation framework.
Bilateral agreements — most actual intelligence cooperation happens through pairs of countries with specific treaties, rather than through named multilateral groupings.

For practical purposes as a VPN user, the named alliances are still the most useful framework. The wider picture is mainly relevant if your threat model includes specific state actors and you want a very deep dive.

Does this matter for VPN users?

QUICK ANSWER It matters more than VPN marketing sometimes admits, and less than VPN marketing often implies. Jurisdiction determines what legal demands a VPN could face. But a well-implemented no-logs policy means there's little to hand over regardless of jurisdiction. The strongest privacy posture is "no logs, audited, regardless of country."

This is the honest, balanced answer that most "Eyes" articles avoid. Let's break it down.

When jurisdiction matters more

Jurisdiction matters most when a VPN does retain user data — connection logs, IP-mapping records, session timestamps, browsing history. If the data exists, the question of who can legally compel its disclosure becomes important.

It also matters more for users with specific high-risk threat models — journalists protecting sources, activists in restrictive networks, business travelers carrying sensitive information through hostile jurisdictions. For these users, choosing a VPN incorporated outside the Five Eyes is a sensible additional layer.

When jurisdiction matters less

For most users, the practical privacy difference between a Switzerland-based VPN and a Canada-based VPN — assuming both run audited no-logs policies on RAM-only infrastructure — is small. There is little to disclose in either case, because there is little to keep.

Several highly respected privacy-focused VPNs are based in Five or Fourteen Eyes countries and remain trustworthy precisely because their data-minimization posture matters more than their jurisdiction. Mullvad (Sweden — in Fourteen Eyes) is one of the most privacy-respected VPNs in the world. Windscribe (Canada) is in the Five Eyes core but maintains a strong privacy track record. Private Internet Access (US) has been audited and has track record of resisting legal demands.

The principle: a provider can't disclose what it doesn't have. That's a stronger guarantee than jurisdiction alone.

Jurisdiction vs server location — they're not the same thing

QUICK ANSWER Jurisdiction is the country where a VPN company is legally incorporated, and whose laws govern the company's obligations. Server location is the country where the physical or virtual servers are located. These are different things — and they affect privacy in different ways.

This distinction trips up a lot of readers, and it's worth being explicit about.

Jurisdiction is where the company is incorporated. Switzerland, Panama, BVI, Sweden, etc. Determines what laws the company itself must obey.
Server location is where individual VPN servers are physically or virtually located. A company based in Switzerland might run servers in fifty countries.

When you connect to a Switzerland-based VPN's New York server, you are routing your traffic through New York. That traffic is subject to US server-location law for as long as it exists on those servers. But — and this is the important part — if the VPN runs a no-logs policy on RAM-only servers, the server-location matters less than people think, because nothing persists. The encrypted traffic is in transit, processed, and forgotten.

For users who want to be especially careful, the strongest posture combines company jurisdiction outside Five Eyes + RAM-only server infrastructure regardless of location + audited no-logs policy + strong encryption. That's belt and suspenders — and it's what the most privacy-conscious VPNs aim for.

Five common misconceptions about the Eyes alliances

Myth 1

"VPNs based in Five Eyes countries are unsafe."

Untrue as a blanket statement. A no-logs VPN with strong technical practices can be highly privacy-protective regardless of jurisdiction. The "no logs to hand over" posture is what really protects you. Several highly respected privacy VPNs are based in Five or Fourteen Eyes countries.

Myth 2

"The Five Eyes share everything with each other automatically."

Untrue. Intelligence sharing within Five Eyes is selective and based on specific agreements. Member countries don't dump all their data into a shared pool. Much intelligence cooperation is bilateral rather than multilateral, and each country still operates under its own legal framework.

Myth 3

"If I use a VPN, the Five Eyes can't see my traffic at all."

Misleading. A VPN encrypts your traffic between your device and the VPN server. After that, your traffic exits to its destination in the normal way. Surveillance at the destination side, or at the website you're visiting, is unaffected by your VPN. What the VPN reliably hides is your IP address and your specific browsing activity from anyone watching your local network.

Myth 4

"Switzerland is completely safe from intelligence cooperation."

Partial truth. Switzerland is outside the Five and Fourteen Eyes, and it has strong privacy laws. But Switzerland cooperates with other governments through ordinary diplomatic and legal channels, and Swiss intelligence has its own interests. The benefit of Swiss jurisdiction is real, not absolute.

Myth 5

"The Eyes alliances mean a VPN in those countries will spy on me."

Untrue. The alliances are about government intelligence cooperation. A VPN company in a Five Eyes country isn't part of the intelligence apparatus and doesn't proactively monitor users. The relevant concern is whether the company could be compelled to share data it has — which loops back to the no-logs question, not directly to the alliances themselves.

The "privacy-friendly" jurisdictions

If you do want to factor jurisdiction into your VPN choice — and we think it's a reasonable thing to consider, just not the only thing — these are the jurisdictions most commonly cited as privacy-friendly for VPN providers.

Switzerland — outside Five and Fourteen Eyes, strong personal-privacy laws, long tradition of bank secrecy and data protection. Home to ProtonVPN, PrivadoVPN, and others.
Panama — outside Five and Fourteen Eyes, no mandatory data-retention laws for VPN providers. Home to NordVPN.
British Virgin Islands — outside Five and Fourteen Eyes, requires data requests to be processed through formal legal channels. Home to ExpressVPN.
Iceland — outside the Eyes alliances, with relatively strong privacy laws. Less commonly chosen by major VPNs but considered favorable.
Romania — EU member but historically resistant to mandatory data-retention requirements. Home to several privacy-focused services.

The point isn't that other jurisdictions are bad — many aren't. The point is that these are jurisdictions where the legal environment tilts a little further in the user's favor by default.

Your jurisdiction checklist

If you want to evaluate a VPN's jurisdiction story honestly, here's the framework.

The four questions that actually matter

Does the VPN run an audited no-logs policy? This is the most important question. A no-logs provider has little to hand over regardless of jurisdiction.
Where is the company legally incorporated? The country whose laws govern the company. Outside Five/Fourteen Eyes is a small additional safeguard.
Does the company use RAM-only diskless servers? Servers that store no data on disk dramatically reduce the practical impact of any legal demand.
Has the company been tested under real legal pressure? A company that has actually faced a demand and successfully demonstrated it had no data to hand over is more reassuring than one that has only made the claim.

If a VPN passes all four, jurisdiction becomes a minor footnote. If it fails some, jurisdiction matters more.

How StandVPN thinks about jurisdiction

Our position on this whole question is straightforward: the strongest privacy posture is to have nothing worth sharing in the first place. Jurisdiction is a meaningful factor, but it's not the primary factor — and the privacy industry has historically over-weighted it relative to product fundamentals.

StandVPN's approach reflects that view:

A no-logs policy means there is essentially nothing for any government to obtain through any legal process, regardless of jurisdiction.
An always-on kill switch means the connection fails closed — your traffic doesn't leak even briefly during reconnects.
Post-quantum cryptography from day one, on every connection including the lifetime free plan, protects against the "harvest now, decrypt later" threat — the encrypted traffic captured today that adversaries hope to decrypt years from now.
DNS is handled inside the encrypted tunnel by default — see our DNS leak guide for what that means.
Free for life — privacy upgrades worth having shouldn't be paywalled.

StandVPN — built around the things that actually matter:

Lifetime free

$0 · 10 Mbps

Unlimited data. Every country we serve. Post-quantum protection on by default. No email required.

Paid plan

$2 / month · 10 Gbps

Five devices on one account. Same protection, faster connection.

Try StandVPN free — no card, no email required.

Frequently asked questions

What are the Five Eyes, Nine Eyes, and Fourteen Eyes?

They are concentric intelligence-sharing alliances between governments. The Five Eyes (USA, UK, Canada, Australia, New Zealand) is the original and most formal, established by the 1946 UKUSA Agreement. The Nine Eyes adds Denmark, France, the Netherlands, and Norway. The Fourteen Eyes — formally known as SIGINT Seniors Europe — further adds Germany, Belgium, Italy, Spain, and Sweden.

Should I avoid VPNs based in Five Eyes countries?

Not necessarily. Jurisdiction is one factor among several, and a well-implemented no-logs policy matters more in practice. Several highly respected VPN providers are based in Five Eyes countries — TunnelBear and Windscribe in Canada, Private Internet Access in the US — and they remain trustworthy because they don't store the data anyone could compel them to hand over.

Which countries are in the Five Eyes alliance?

The Five Eyes consists of the United States, United Kingdom, Canada, Australia, and New Zealand. The alliance grew out of the BRUSA Agreement of 1943 and was formalized as the UKUSA Agreement in 1946.

Which countries are in the Nine Eyes alliance?

The Nine Eyes is the Five Eyes plus Denmark, France, the Netherlands, and Norway. It is a less formal expansion focused on signals intelligence sharing.

Which countries are in the Fourteen Eyes alliance?

The Fourteen Eyes — formally SIGINT Seniors Europe (SSEUR) — comprises the Nine Eyes countries plus Germany, Belgium, Italy, Spain, and Sweden.

What can the Five Eyes alliances actually do?

The Eyes alliances enable member governments to share signals intelligence — intercepted communications, metadata, and other electronic surveillance data. They do not constitute a single shared spying organization. Each member country operates its own intelligence services under its own laws but cooperates on data sharing.

Does VPN jurisdiction really matter?

It matters less than people often think, and more than VPN marketing often admits. Jurisdiction determines what legal demands a VPN provider could face. If the provider has nothing to hand over — because it doesn't log activity and uses RAM-only servers — the practical impact of jurisdiction is small.

Are there other intelligence-sharing arrangements beyond Fourteen Eyes?

Yes. The "Five Eyes Plus" arrangement reportedly extends cooperation to Israel, Singapore, South Korea, and Japan on certain topics. Most intelligence cooperation occurs through bilateral agreements that aren't part of any named multilateral grouping.

Which countries are considered privacy-friendly for VPN providers?

Switzerland, Panama, the British Virgin Islands, and Iceland are often cited because they are outside the Five and Fourteen Eyes structures, lack mandatory data-retention laws for VPN providers, and have strong personal-privacy protections.

Does StandVPN keep logs that could be shared under any of these alliances?

No. StandVPN runs a no-logs policy and is designed so that there is essentially nothing to hand over under any government data request, regardless of jurisdiction. Combined with post-quantum cryptography and an always-on kill switch, that's the practical posture that matters more than which country the company is registered in.

Pillar guide written and reviewed by the StandVPN team. Sources include the 1946 UKUSA Agreement (declassified 2010), publicly disclosed Snowden documents (2013), the European Parliament's 2001 ECHELON report, and official government statements from Five Eyes member governments. We update this guide whenever the underlying landscape changes meaningfully.