Oh What Big Eyes You Have!
Fourteen Eyes countries
Before we can begin examining the structure and operation of the Fourteen Eyes countries, we need to step back and look at the start of the current global surveillance apparatus, which has its roots in WWII. This leviathan of espionage began informally at Bletchley Park during the British and American effort to break the German Enigma Machine. The formal beginning can be found in the UK-USA Agreement which was enacted in March of 1946. The alliance quickly grew with the addition of Canada, Australia, and New Zealand.
This core group of national intelligence agencies has since come to be known as the Five Eyes countries or FVEY, consisting of the USA, UK, Canada, Australia, and New Zealand.
The Five Eyes spent the Cold War gathering intelligence on the Soviet Union, with different nations operating in specific global locations. Later on, other nations came to be involved in this intelligence gathering operation of the five eyes countries, and they are commonly referred to as third-parties.
It is the activity of these third-parties which later spawned groups like the Five Eyes Plus, Six Eyes, Nine Eyes, Fourteen Eyes, and other third-parties.
List of surveillance partner countries
Five Eyes Plus Countries: Five Eyes Plus is an information sharing network between the Five Eyes, France, Germany, and Japan with the goal of countering threats from China and Russia.
Six Eyes Countries: Six Eyes was a failed agreement between the Five Eyes, France, Israel, Singapore, South Korea, and Japan. However the agreement fell through due to rejection by the CIA director and US President Barack Obama.
Nine Eyes Countries: Nine Eyes is an intel sharing partnership between the Five Eyes nations, Denmark, France, the Netherlands, and Norway.
Fourteen Eyes Countries: Fourteen Eyes is an extension of the Nine Eyes plus Germany, Belgium, Italy, Spain, and Sweden.
With all of these nations contributing and sharing intelligence, what does this mean if you live in one of these countries or store your data there?
All The Better To See You With.
We know from Edward Snowden’s global surveillance disclosures that intelligence agency's data collection programs do not always avoid collecting data of their own citizens – even though the right to privacy is enshrined in many constitutions, such as the US constitution and the German equivalent. Surveillance of foreign targets can often snare data on a nation's citizens during the collection process which depending on legal interpretation may be considered a violation of civil rights.
One legal "work-around" commonly employed was for partner nations to spy on interesting citizens on behalf of their host nation. This enables a country like the United States to monitor a journalist of interest by allowing another nation like the UK or France to keep tabs on the US citizen. This leaves the host nation happy, the spying nation receives information that may be of interest to them in return for their efforts, and technically no laws are broken.
Countries which don't belong to these agreements may not receive information from this organization in the same quid pro quo manner, but nothing prevents the Five Eyes nations from directly monitoring online traffic.
So what can you do if you find yourself living in one of these countries or if you use an online service which operates within the jurisdiction of the Fourteen Eyes countries?
The best way to protect your data from the prying eyes of nation states, hackers, insider threats, or over zealous advertising companies is to keep as much of your data as possible encrypted. By securing your data with strong encryption the contents of messages, images, or documents are no longer accessible. If you were encrypt your tax documents correctly using AES before uploading them to the cloud, there is a high degree of certainty that this data cannot be accessed by any unauthorized actors. This kind of encryption is so trustworthy that in 2003 the United States government made the ruling that the AES algorithm was secure enough to be used to protect classified documents. Privacy hinges upon the power of your data encryption and not necessarily just the location of your data.
Hiding in Switzerland?
Many privacy oriented services like to pretend that the physical location of their services exempts them from falling into the nets of the global surveillance apparatus. One commonly cited case of a “Fourteen Eyes Free Zone” is the small nation of Switzerland.
Despite claiming that data hosted in Switzerland is more secure as the country is outside of the 14 Eyes (which is technically true as Switzerland does not belong to the 14 Eyes agreement), the Swiss Federal Intelligence Service (NDB) does monitor the communication of non-Swiss persons, just like any other secret service. The NDB uses an intelligence gathering system known as Onyx. One active collection site operated by this service can be found in the city of Leuk. The NDB also has confirmed that they maintain over 100 contacts to other global intelligence and law enforcement agencies and regularly share intelligence reports, dispelling the notion that this country has somehow isolated itself from the larger global surveillance apparatus.
While it may be that the Swiss government does not belong to any disclosed surveillance agreements, this does not exempt companies from complying with legal requests from their local authorities. This is an often overlooked course which is taken to gain information about users of online services based in Switzerland.
Foreign countries can request such information directly from the Swiss authorities, for instance via mutual legal assistance treaties such as the Council of Europe. Most recently Switzerland was a signing party to the “Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence.” This seems to cut against the popular idea that this nation operates as a data haven against surveillance requests.
For example, if I have an email account in Switzerland and the Swiss police presents my mail provider with a valid Swiss subpoena, they will be required to turn over the requested information. This occurs regularly between global law enforcement agencies and these relationships are overlooked when claiming ‘Switzerland would be a safe haven as it is outside of the Fourteen Eyes’.
Although Iceland or Switzerland claim to be outside the reach of the Fourteen Eyes countries, both of these countries’ law enforcement agencies cooperate regularly with Europol requests which makes their services just as prone to turning over user information as any service based inside of the Fourteen Eyes.
Here’s Looking At You.
Regardless of where you or your data are located what is important is that your data is properly encrypted. By taking advantage of Tutanota's secure email platform you can rest assured that your data is encrypted both over the wire and at rest.
By keeping your data encrypted, it doesn't matter who might be trying to listen in on your conversations as your communications can only be decrypted with your securely stored key. In the event of receiving a valid court order, data can only be turned over in its fully encrypted form. Without the key for decryption, which only you possess, your data is as legible as a mud puddle.
To better protect your data against future threats, Tutanota is currently working with multiple research institutes to develop a post-quantum encryption algorithm which will ensure that your data can resist attacks by quantum computers. This will also better protect the forward secrecy of your emails, to prevent them from being collected now and decrypted later.
When we think about personal privacy and operational security in general, we need to create an accurate threat model for ourselves to base our privacy decisions upon. The average individual will likely never be the target of an advanced persistent threat from a nation state. For some people, the goal is to protect the unwanted spread of personal information, others may be trying to avoid a stalker or prevent doxxing.
Threat models are as unique as the person they apply to and it is crucial that you make an accurate threat model for yourself and your privacy needs before beginning your privacy journey. The needs of a whistle blower will require a much higher degree of operational security than those of a student.
Encrypted and anonymous
Regardless, of your own personal threat model, Tutanota can meet your needs by providing you with a secure, easy-to-use, encrypted platform for your digital communications. Tutanota also allows you to sign up for an email address without a phone number to protect your anonymity.
The claim that Tutanota being based in a “Fourteen Eyes country” makes its data more accessible to the authorities is simply not true. The point with Tutanota is that all data is end-to-end encrypted – so not even the German Federal Intelligence Service, the BND, has access to the encrypted data stored in Tutanota. Thus, any data stored in Tutanota can not be shared with other intelligence agencies either. Being based in a Fourteen Eyes country, thus, becomes insignificant. Protecting your online privacy is not a sprint or a one-time task, it’s a marathon. By better understanding your privacy needs and setting clear goals for protecting your personal data, you are that much closer to maintaining a healthier digital life.