While VPN users across the globe might assume their internet activity is safe from prying eyes, the privacy of millions could be jeopardised by little-known information sharing treaties, designed to sidestep surveillance law.
According to data collated and analysed by TechRadar Pro, almost half (46.6%) of all VPN services are headquartered in countries known to participate in the Fourteen Eyes intelligence sharing pact.
Members of this agreement – including the UK, USA, Canada and more – could reportedly use its terms to circumvent laws that prohibit the surveillance of citizens, which poses a significant threat to privacy-focused VPN users.
As per the intelligence sharing pact, a VPN provider could be forced into sharing information about its users with its government, which could in turn distribute that information to fellow members – all without the knowledge of the end user.
Fourteen Eyes intelligence pact
The genesis of the Fourteen Eyes pact can be found in the Five Eyes alliance (FVEY) – an agreement between the US and UK established in the 1940s, and expanded to include Australia, New Zealand and Canada.
The intelligence sharing agreement was originally military in nature, designed to give participating nations an advantage in the Cold War, but now also encompasses information relating to internet activity.
According to documents leaked by Edward Snowden, the group later swelled to include Denmark, Norway, France, Italy, Belgium, Germany, Spain, Sweden and the Netherlands, creating the Fourteen Eyes pact (also referred to as SIGINT Seniors Europe).
While not quite as intimate as the FVEY nations, members of the less official Fourteen Eyes syndicate participate in similar intelligence collaboration activities, outside the legal jurisdiction of any single state.
The existence of the Fourteen Eyes agreement could have significant ramifications for VPN users, whose primary objectives relate to information privacy and cybersecurity.
If our calculation is expanded to countries suspected of collaborating with Fourteen Eyes (such as Israel and Singapore), the proportion of VPN services based in affected localities rises to 48.4%.
Our data also shows that Windows and MacOS users are equally at risk, with 86.8% of VPN services based in member nations compatible with Windows and 86.0% with Mac.
iOS users are least likely to use an affected VPN, with only 65.9% of Fourteen Eyes-based VPNs operating on Apple’s mobile OS, compared to 70.5% on Android.
The potential privacy issues are amplified by the widespread use of free VPNs, which are more likely to keep activity logs than their paid counterparts, despite claims surrounding zero-log or logless policies.
Information collected could include websites visited, connection timestamps, bandwidth usage, server location and even original IP address – all of which could be shared among members of the intelligence pact.
To avoid privacy issues attached to this agreement, users are advised to opt for a paid VPN with an audited no-logging policy, based in a country that does not fall under the Fourteen Eyes alliance.
For example, popular services such as Express VPN and Nord VPN are headquartered in the British Virgin Islands and Panama respectively, and so avoid any association with the problematic and privacy-compromising alliance.