The Five Eyes Surveillance Network & Countries of Origin
In the privacy community, people will frequently ask about or cite the country that a particular service is based in. This site used to do this very thing, citing the country as either a pro or con for a particular service. We no longer do this, nor do we believe this should be a consideration in most cases.
What Are “The Five Eyes”?
The “Five Eyes” refers to an intelligence agreement between the United States, United Kingdom, Australia, Canada, and New Zealand. It was originally born out of the Cold War as a way for Democratic countries to keep an eye on the spread of Communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication.
The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, for example, the US intelligence agencies aren’t supposed to spy on US citizens without court approval. The same goes for the UK. But the US is free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.
There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain counties (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen eyes are less invasive and share less (but still invasive).
Does This Matter?
For the average person, no. For privacy-minded individuals, the main logic behind avoiding a service based in a Five Eyes country is the idea that such services are more susceptible to sharing with intelligence agencies or law enforcement. There are several reasons this website does not address this. First, if an intelligence agency wants information about you, they are not above using illegal means. This was the entire crux of Snowden’s revelations in 2013: the NSA’s spying was illegal (courts around the world have since agreed with this sentiment). This website does not cater to people who are being individually targeted by advanced adversaries. If that sentence doesn’t describe you, you generally don’t need to worry about country of origin. If it does describe you, then you are likely being individually targeted by a highly-resourced state actor, and you should be taking measures far above what this site has to offer.
For the average person who is not being targeted, the main reason not to care comes down to the trustworthiness of the service. For example: Signal is a US-based company, yet numerous court orders have repeatedly proven that Signal has nothing of value to turn over. Furthermore, Signal’s open source nature allows experts to ensure that the data truly is end-to-end encrypted and secure: the only way a government can access Signal messages - at this time - is to gain control of the device on either end. The country of origin means nothing here. The CIA’s own Vault 7 leaks confirmed this in 2017: Signal is secure, even the US intelligence agencies - epicenter of the Five Eyes surveillance network - could only get around it by compromising the devices where the messages are decrypted and vulnerable. ProtonMail is another example of this: despite compliance with law enforcement, they simply do not have access to certain data or metadata.
The only time, in my opinion, that a country of origin matters is for the individual. Being a citizen of the European Union, for example, allows one access to certain rights and recourses under the EU’s General Data Protection Regulation (GDPR), such as the right to be forgotten, the right to request deletion of your data, and the right to get certain government authorities involved if your requests are not honored. Being a citizen of the United States, on the other hand, offers virtually no such protections or recourses, except in a few states, and even then the laws are generally very limited. This is not a call for readers to move to the EU - that is a highly personal decision with many, many other factors to consider like family, resources, economic opportunity, and more. But it does show that there can sometimes be advantages to where you live worth being aware of. Again though, this applies to where the individual user lives, not where the service is based out of. Even US companies are subject to GDPR if there is reasonable expectation that they may have EU customers.