
Five, Nine, Fourteen Eyes: does VPN jurisdiction matter?

Fexyn Team · 9 min read

The "Five Eyes" framing dominates VPN marketing. Every privacy listicle warns about Five Eyes countries; every VPN provider not in one brags about it. Most of the framing is misleading.

This is the honest version. What the alliances actually are, what they can and cannot do to a VPN provider, why "no-logs" matters more than jurisdiction, and where Fexyn (Wyoming, US — Five Eyes) sits in the landscape.

What the alliances actually are

Five Eyes. The original signals-intelligence sharing agreement among the United States, United Kingdom, Canada, Australia, and New Zealand. Roots in the 1946 UKUSA Agreement. Formalised through the BRUSA Agreement and various amendments since. Members share SIGINT (intercepted communications) with each other.

Nine Eyes. Five Eyes plus Denmark, France, Netherlands, and Norway. Less formal than Five Eyes — additional sharing relationships rather than a single unified treaty.

Fourteen Eyes. Nine Eyes plus Germany, Belgium, Italy, Spain, and Sweden. Even less formal.

Beyond Fourteen Eyes, various bilateral and multilateral SIGINT-sharing relationships exist with other countries. The alliances are not bright legal lines; they are clusters of cooperation. Israel, Japan, Singapore, and South Korea participate in some sharing without being formal members.

What the alliances can do to VPN providers

Three concrete capabilities, in order of severity:

1. Compel log handover. A VPN provider in a member country, served with a legal order, must hand over whatever logs it has. If the provider has detailed connection logs, those go to the requesting agency. If the provider has no logs (genuinely — no browsing history, no DNS query records, no per-session connection metadata), there is nothing to hand over.

2. Issue gag orders. Some legal mechanisms (US National Security Letters, UK Investigatory Powers Act notices) prohibit the recipient from disclosing the request. A provider may receive such an order and be unable to publicly disclose. The "warrant canary" pattern — a periodic statement that no such order has been received — is the workaround.

3. Mandate ongoing assistance. In limited circumstances, providers can be ordered to install monitoring infrastructure or modify systems to enable monitoring. This is rare and aggressively contested in court when it happens (Apple-FBI 2016 was the public example for a non-VPN service).

What the alliances cannot do:

  • Break encryption. AES-256, ChaCha20-Poly1305, X25519 — the modern crypto VPNs use is not breakable through known cryptanalysis.
  • Compel a non-member-country provider to hand over logs to a member country directly. Mutual legal assistance treaties (MLATs) provide indirect pathways, but they are slower and more legally constrained.
  • Force a no-logs provider to fabricate logs they do not have. The provider can be ordered to begin logging from the date of the order forward, but cannot retroactively produce logs that were never collected.

The third point is the key one. A genuinely no-logs provider in a Five Eyes country has nothing meaningful to hand over for activity that happened before the order. A logging provider in Switzerland has plenty.

The real question: logging, not jurisdiction

The Five Eyes framing assumes the VPN provider has logs. If they do, jurisdiction matters because cooperative jurisdictions can compel production. If they do not, jurisdiction matters less.

The relevant questions for evaluating a VPN provider are:

Does the provider keep logs that could identify a specific user's specific session? Most providers say "no logs." The honest version is that almost every provider keeps SOME logs (account email for support, payment records for billing, aggregate bandwidth for capacity planning). The question is whether the logs that exist could answer a subpoena like "who used exit IP X.X.X.X at time T?"

A no-logs provider's answer to that subpoena is "we cannot produce that data because we do not retain the mapping." A logging provider's answer is the user's account.
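The subpoena question above, and the earlier point that an order can compel logging only from its date forward, modelled as an added example (not Fexyn's or any provider's code). The `Provider` class, its field names, the account ids and the order date are hypothetical, and the traffic is constructed with documentation-range IPs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class Session:                      # the record that maps an account to an exit IP
    account: str
    exit_ip: str
    start: datetime
    end: datetime

class Provider:
    """Hypothetical retention model; not any real provider's schema."""
    def __init__(self, retains_sessions, order_date=None):
        self.retains_sessions = retains_sessions
        self.order_date = order_date    # date a legal order compels logging from
        self.billing = set()            # account ids: kept by both kinds of provider
        self.sessions = []              # per-session metadata, if retained at all

    def observe(self, s):
        self.billing.add(s.account)
        compelled = self.order_date is not None and s.start >= self.order_date
        if self.retains_sessions or compelled:
            self.sessions.append(s)

    def answer_subpoena(self, exit_ip, t):
        """Accounts that can be tied to exit_ip at time t from retained data."""
        return sorted({s.account for s in self.sessions
                       if s.exit_ip == exit_ip and s.start <= t <= s.end})

# Constructed traffic: documentation-range IPs, made-up account ids.
TRAFFIC = [
    Session("acct-17", "203.0.113.7", utc("2026-02-10T09:00"), utc("2026-02-10T11:00")),
    Session("acct-42", "203.0.113.7", utc("2026-02-10T12:00"), utc("2026-02-10T13:00")),
    Session("acct-17", "203.0.113.7", utc("2026-03-05T09:00"), utc("2026-03-05T10:00")),
]

def run(provider):
    for s in TRAFFIC:
        provider.observe(s)
    return provider

if __name__ == "__main__":
    before, after = utc("2026-02-10T10:00"), utc("2026-03-05T09:30")
    for name, p in [("logging", Provider(True)), ("no-logs", Provider(False)),
                    ("no-logs + order", Provider(False, utc("2026-03-01T00:00")))]:
        run(p)
        print(name, p.answer_subpoena("203.0.113.7", before),
              p.answer_subpoena("203.0.113.7", after))
```

Both kinds of provider still hold the billing set, which is why payment trail is treated as a separate question from session logging.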

Has the no-logs claim been independently verified? Audit reports from Cure53, Deloitte, KPMG, PricewaterhouseCoopers add weight. ProtonVPN has multiple Cure53 audits. Mullvad has audits. NordVPN, Surfshark, ExpressVPN have all had audits with varying scope. Fexyn does not yet have a published audit; we acknowledge this gap.

What does the provider's payment infrastructure leak? If you paid by card, there is a card-issuer-to-provider link that exists regardless of logging. Crypto payment limits this link. For users with elevated threat models, payment trail is its own consideration.

What jurisdiction is the provider in? Yes, this still matters — but as a secondary factor, after logging is established.

Country-by-country reality

The notable VPN-provider jurisdictions and what they actually mean:

United States (Wyoming, Delaware, etc.). Five Eyes member. NSLs and FISA court orders exist. The mitigation is no-logs structure plus crypto payment plus minimal account data collection. Fexyn is here. So are IPVanish and PIA (where the Kape Technologies acquisition complicates things). The honest case: a US-domiciled no-logs provider is meaningfully secure for typical threat models; for users specifically threat-modeling US intelligence agencies, a non-US provider is a reasonable choice.

United Kingdom. Five Eyes member. The Investigatory Powers Act gives broader powers than the US framework, including bulk-intercept authorisations. Few major commercial VPNs are UK-domiciled for this reason. Hide.me's parent is UK-affiliated; eVenture has UK presence.

British Virgin Islands (BVI). ExpressVPN is incorporated here. BVI is a UK overseas territory but operates under its own legal framework. ExpressVPN is now owned by Kape Technologies (UK-based parent). The "BVI is offshore therefore safe" argument has weakened post-acquisition.

Switzerland. ProtonVPN's home. Swiss law has strong privacy protections; mutual legal assistance with foreign agencies is more constrained than US/UK. However, Switzerland cooperates with Western intelligence on counter-terrorism cases. The "Switzerland = privacy haven" framing oversimplifies.

Sweden. Mullvad's home. Strong privacy law; data retention requirements have been struck down by EU courts. Mullvad's no-logs posture is among the strongest in the industry.

Romania. CyberGhost's home. Strong privacy framework for VPN providers. Romania has resisted EU data retention pushes. Multiple privacy-focused providers chose Romania for this reason.

Panama. NordVPN's home (though parent company structure is complex — Tesonet/Nord Security in Lithuania). Panama has no mandatory data retention law for VPN providers. The corporate structure complicates the simple "Panama = good" framing.

Cyprus, Gibraltar, Seychelles. Various smaller VPN providers chose these for permissive frameworks. Reality varies by specific provider.

Russia. Federal Law 276-FZ (2017) requires VPN providers serving Russian users to cooperate with Roskomnadzor. Russian-domiciled VPNs are surveillance vehicles by design.

China. No legitimate non-state VPN industry. Foreign VPN providers operate without licences and are subject to GFW blocking.

Where Fexyn sits

Wyoming, US. Five Eyes. We are honest about this.

The structural mitigations:

  • No-logs operation. No browsing history. No DNS query logs. No traffic content logs. No per-session connection metadata that could identify a specific user's session.
  • Short-lived 24-hour client certificates rotated through Vault PKI. Limits retroactive correlation.
  • Crypto-only billing as an option for users who want minimal payment-trail-to-account linkage.
  • WFP-based kernel kill switch so traffic does not leak around the tunnel during connection drops.
  • VLESS Reality with Vision flow for users in markets where standard protocols are blocked.

What we have not yet done:

  • Independent third-party audit of the no-logs claim. Planned for 2026. We acknowledge the gap.
  • Bare-metal-only servers. Some providers (Mullvad) operate exclusively on owned bare-metal hardware. We use a mix of bare-metal and well-vetted cloud providers.
  • Open-source clients. Our helper service is open-source (Rust); the desktop client is proprietary. Some users prefer fully open-source clients. Mullvad and IVPN are stronger here.

For users whose threat model is "I want my ISP not to see my browsing": Fexyn is sufficient. For users whose threat model is "I do not trust the US government and need a non-Five-Eyes provider": ProtonVPN (Switzerland) or Mullvad (Sweden) are reasonable choices and we would recommend them over us in that specific scenario.

What "non-Five-Eyes" actually buys you

The marketing pitch is that a non-Five-Eyes provider is fundamentally safer. The reality is more nuanced:

  • A non-Five-Eyes provider with detailed logs is less secure than a Five-Eyes provider with genuine no-logs. The logging matters more than the jurisdiction.
  • A non-Five-Eyes provider with strong audited no-logs operation IS more resistant to certain specific compulsion attacks. Switzerland or Sweden is more constrained in handing over data than the US or UK.
  • For most users in most threat models, the difference is theoretical. The probability that your specific browsing data ends up in an intelligence-sharing arrangement because of your VPN provider's jurisdiction is low; the probability that your ISP or a data broker has that data is much higher.

The honest framework: jurisdiction is one factor among five (logging, audits, payment, infrastructure, jurisdiction). Treating it as the primary factor is the marketing version, not the analytical version.

When jurisdiction actually matters

For users where jurisdiction is genuinely the most important factor:

  • Journalists working in source-protection-critical contexts. Switzerland or Sweden, with verified no-logs and crypto payment.
  • Activists in countries with extradition relationships to your home country. Avoid your home country's jurisdiction; consider non-treaty jurisdictions.
  • Users specifically modeling intelligence-agency adversaries. Non-Five-Eyes plus self-hosted exit options plus operational security beyond what any commercial VPN provides.

For everyone else — privacy from ISP tracking, geo-bypass, public-Wi-Fi protection, censorship circumvention — the logging-and-payment questions are more load-bearing than the country flag on the provider's incorporation papers.

Frequently asked

Is the US a Five Eyes country?

Yes. The US is the founding member of the original Five Eyes alliance.

Are NordVPN and ExpressVPN safe given their jurisdictions?

NordVPN is in Panama (parent in Lithuania); not Five Eyes. ExpressVPN is in BVI (parent in UK, Kape Technologies). Both have been audited multiple times. The jurisdiction-based concerns are real but do not by themselves make the products unsafe; the audited no-logs structure is the more important consideration.

Should I avoid Fexyn because of US jurisdiction?

It depends on your threat model. For typical privacy-from-ISP use, Fexyn is appropriate. For users who specifically threat-model US intelligence agencies, ProtonVPN or Mullvad are better choices and we recommend them over us in that specific scenario.

What about ProtonVPN's Swiss jurisdiction?

Switzerland has strong privacy law and limited mutual assistance with foreign intelligence services. ProtonVPN has multiple independent audits. For users who want non-Five-Eyes plus audited no-logs, ProtonVPN is one of the strongest choices available.

Where do warrant canaries fit?

Some providers (notably IVPN) maintain warrant canaries — periodic statements that they have not received any secret legal orders. The legal effectiveness is debated; the symbolic value is real. Fexyn does not currently maintain a warrant canary; we are evaluating.


Try Fexyn free for 7 days — Wyoming, US-domiciled with no-logs structure, crypto payment available, kernel-level kill switch. The no-logs policy entry covers what no-logs actually means; How to choose a VPN covers the broader buying decision honestly.

Last reviewed 2026-05-09.
