What Is Five Eyes / Nine Eyes / 14 Eyes?
The Five Eyes, Nine Eyes, and 14 Eyes are intelligence-sharing alliances between governments that cooperate to collect and exchange surveillance data. For VPN users, they matter because a VPN provider headquartered in a member country can, in principle, be compelled to hand over user data that may then be shared across the alliance — which is why VPN jurisdiction (the country a provider is legally based in) is a factor in choosing a privacy-focused VPN.
Who's in each alliance
Five Eyes (the original, from a post-WWII signals-intelligence pact): the United States, United Kingdom, Canada, Australia, and New Zealand. These countries share intelligence most closely.
Nine Eyes adds Denmark, France, the Netherlands, and Norway. 14 Eyes (formally SIGINT Seniors Europe) further adds Germany, Belgium, Italy, Sweden, and Spain. The wider the circle, the looser the cooperation — but all involve formalized intelligence-sharing arrangements.
Why VPN jurisdiction matters
A VPN provider is subject to the laws of the country where it's legally headquartered. In a Five/Nine/14 Eyes country, a provider can face data-retention requirements, gag orders, and legal demands to log or hand over user data — which could then be shared with allied governments. A provider outside these alliances faces fewer such obligations.
This is why privacy-focused providers often base themselves in jurisdictions like the British Virgin Islands (ExpressVPN), Panama (NordVPN), or Switzerland (Proton VPN) — places without mandatory data-retention laws and outside the Eyes alliances. The headquarters choice is a deliberate privacy signal.
How much should jurisdiction actually weigh in your choice?
Jurisdiction is a meaningful tiebreaker, but it's secondary to what a provider actually logs. A VPN with an independently audited no-logs policy and RAM-only servers has little to hand over no matter where it's based — you can't disclose data you never recorded. Surfshark, for example, is based in the Netherlands (Nine Eyes) yet maintains an audited no-logs policy and a strong reputation, because the no-logs architecture matters more than the flag.
Our weighting: prioritize audited no-logs and RAM-only infrastructure first; treat a non-Eyes jurisdiction as a bonus rather than a requirement. A provider with proven no-logs in a 14 Eyes country is generally a safer bet than an unaudited provider in an exotic jurisdiction making unverifiable claims.
Frequently Asked Questions
Should I avoid VPNs based in Five Eyes countries?
Not necessarily. Jurisdiction is a tiebreaker, not a dealbreaker. What matters more is whether the provider keeps logs: an audited no-logs VPN with RAM-only servers has nothing to hand over regardless of location. A proven no-logs provider in a 14 Eyes country is safer than an unaudited one in an exotic jurisdiction.
Which countries are in the Five Eyes?
The United States, United Kingdom, Canada, Australia, and New Zealand. Nine Eyes adds Denmark, France, the Netherlands, and Norway; 14 Eyes further adds Germany, Belgium, Italy, Sweden, and Spain.
Where are the major VPNs headquartered?
ExpressVPN is in the British Virgin Islands, NordVPN in Panama, and Proton VPN in Switzerland — all outside the Eyes alliances and without mandatory data-retention laws. Surfshark is in the Netherlands (Nine Eyes) but maintains an audited no-logs policy. Private Internet Access is US-based (Five Eyes) but has proven its no-logs policy in court.
Can a Five Eyes government force a VPN to log me?
A provider in a member country can be subject to legal demands and gag orders, potentially including orders to begin logging a specific user. What this can't do is retroactively produce data that was never collected — which is why audited no-logs policies and RAM-only servers are the real protection, more than jurisdiction alone.