Five Eyes Countries Explained: What It Means for Your VPN Choice in 2026

30 June 2026

What Is the Five Eyes Alliance

Five Eyes (FVEY) is an intelligence-sharing agreement between the United States, United Kingdom, Canada, Australia, and New Zealand. The alliance originated during World War II and was formalized in the post-war UKUSA Agreement. Today, the five governments share signals intelligence (SIGINT) -- including surveillance data, intercepted communications, and metadata -- with each other under a mutual access framework.

Why It Matters for VPN Users

The practical implication: if a VPN provider is based in a Five Eyes country, the government of that country can compel the provider to log and hand over user data -- and the provider can also be required not to tell users about the request (a gag order). Even a VPN with a strong no-logs policy can be compelled to start logging by a national security letter (NSL) in the US or equivalent instruments in other Five Eyes countries.

Five Eyes vs. Nine Eyes vs. Fourteen Eyes

Five Eyes: US, UK, Canada, Australia, New Zealand. Nine Eyes adds: Denmark, France, Netherlands, Norway. Fourteen Eyes adds: Germany, Belgium, Italy, Spain, Sweden. The extended alliances have different data-sharing protocols and are less formalized than the core Five Eyes agreement, but membership still indicates a cooperative surveillance relationship with the core alliance. For VPN jurisdiction purposes, Five Eyes countries represent the highest risk, while Nine/Fourteen Eyes countries represent moderate risk.

Low-Risk Jurisdictions for VPN Providers

The following countries are commonly cited as favorable VPN jurisdictions because they have no mandatory data-retention laws, no intelligence alliance membership, or strong constitutional privacy protections: Panama (NordVPN), British Virgin Islands (ExpressVPN until acquisition), Switzerland (ProtonVPN), Iceland (various providers), Romania (CyberGhost, though now owned by a US holding company). Note: jurisdiction is one factor among several -- a VPN based in Panama that has poor security practices is not necessarily better than a Swiss-based provider with a court-audited no-logs policy.

What Actually Protects You

Jurisdiction matters less than: (1) whether the VPN keeps logs at all (audited no-logs policy is the gold standard), (2) what data the provider could hand over even if compelled (if they genuinely have nothing, a court order produces nothing), (3) the provider's transparency report history (have they ever received and complied with government requests?). A VPN in Switzerland with poor security is worse than a VPN in a Five Eyes country with genuinely zero logs and a RAM-only server architecture.
