The 5 Eyes, 9 Eyes, 14 Eyes VPN Marketing Bullshit

Your “Panama-based” NordVPN has 1,970 servers in the USA and 12 in Panama. ExpressVPN claims British Virgin Islands jurisdiction but has exactly zero servers there. Your data passes through 14 Eyes countries regardless of where a VPN keeps their PO Box.

I respect VPNs as privacy tools. What I don’t respect is, in my opinion, the theatrical marketing about “jurisdiction” that ignores how the internet actually works. The 5/9/14 Eyes intelligence alliance is real, but I believe VPN marketing has turned it into a boogeyman to justify higher prices for “offshore” incorporation that provides minimal actual protection.

The truth? Mullvad operates from Sweden, right in the heart of 14 Eyes, and provides better privacy than every “Panama-based” VPN combined. Because jurisdiction doesn’t matter. Architecture does.

“Caring about VPN jurisdiction is like worrying about which state your umbrella was manufactured in while standing in a hurricane.”

Let me show you why your VPN’s “safe” jurisdiction is complete performance art.

⚡ 30-Second Truth Bomb

In my opinion, “14 Eyes” jurisdiction is largely meaningless marketing
Your “Panama-based” VPN has 99% of servers in 14 Eyes countries
ExpressVPN claims BVI, reportedly has ZERO servers there
Mullvad is IN 14 Eyes (Sweden) but arguably more private than “Panama” VPNs
Intelligence agencies don’t respect borders when they want data

What The “Eyes” Actually Are

Let me explain what VPN marketing turned into a boogeyman:

The 5 Eyes (The OG Surveillance Squad):

🇺🇸 USA (NSA)
🇬🇧 UK (GCHQ)
🇨🇦 Canada (CSEC)
🇦🇺 Australia (ASD)
🇳🇿 New Zealand (GCSB)

The 9 Eyes (5 Eyes + Friends):

+ 🇩🇰 Denmark
+ 🇫🇷 France
+ 🇳🇱 Netherlands
+ 🇳🇴 Norway

The 14 Eyes (The Whole Gang):

+ 🇩🇪 Germany
+ 🇧🇪 Belgium
+ 🇮🇹 Italy
+ 🇸🇪 Sweden
+ 🇪🇸 Spain

What VPN marketing wants you to think: These countries share your VPN data with each other!

Reality: These countries share SIGNALS INTELLIGENCE. They’re not sitting around discussing your NordVPN subscription.

The Jurisdiction Myth

VPN companies love to brag:

“Based in Panama!” (NordVPN)
“Swiss privacy laws!” (ProtonVPN)
“British Virgin Islands!” (ExpressVPN)
“Romania!” (CyberGhost)

Here’s what they don’t tell you:

Where They’re “Based” vs Where They Actually Are:

ExpressVPN:

Claims: British Virgin Islands 🏝️
Reality: Servers in 94 countries (including all 14 Eyes)
Actual office: Hong Kong, Singapore
Owner: Kape (UK-based)

NordVPN:

Claims: Panama 🇵🇦
Reality: Servers primarily in the US
Development: Lithuania
Data centers: Everywhere

It doesn’t matter where your company is registered when:

Your servers are in 14 Eyes countries
Your traffic passes through 14 Eyes infrastructure
Your developers are in 14 Eyes countries
Your payment processor is in the US

The Server Location Reality

Here’s the dirty secret: YOUR DATA IS IN 14 EYES COUNTRIES ANYWAY

NordVPN "Panama-based" servers:
- USA: 1,970 servers
- UK: 440 servers
- Canada: 480 servers
- Germany: 240 servers
- France: 230 servers
- Actual Panama servers: 12

ExpressVPN "BVI-based" servers:
- USA: 23 locations
- UK: 5 locations
- Australia: 5 locations
- Actual BVI servers: 0 (ZERO!)

Your “Panama-based” VPN is running on servers in Virginia, probably in an NSA-friendly data center.

Why Jurisdiction Doesn’t Mean Shit

Scenario 1: Legal Request

NSA wants your data → 
Asks VPN company nicely → 
VPN says "we're in Panama!" →
NSA goes to hosting provider (AWS/Google) or payment provider (Stripe) →
Gets your data anyway

Scenario 2: Technical Surveillance

Your traffic → 
VPN server in USA →
NSA taps the data center →
Jurisdiction irrelevant

Scenario 3: International Cooperation

FBI wants your data →
Asks Panama nicely →
Panama cooperates (they always do) →
Or FBI just hacks them →
Jurisdiction irrelevant

The MLAT Reality (What They Don’t Tell You)

Mutual Legal Assistance Treaties (MLATs) exist between almost everyone:

Panama has MLATs with the US ✓
BVI cooperates with UK requests ✓
Switzerland has agreements with everyone ✓
Romania is in the EU (GDPR, shares everything) ✓

“But Panama doesn’t have mandatory data retention!”

Cool. Neither does the US for VPNs. Doesn’t stop them from keeping logs anyway.

The Technical Reality They Ignore

Even if your VPN company was on the moon, it doesn’t matter because:

1. Internet Infrastructure

Your data path:
You → ISP (monitored) → 
Internet backbone (NSA tapped) → 
VPN server (in 14 Eyes country) → 
Destination (probably monitored)

2. Payment Processing

You pay with:
- Credit card (US company)
- PayPal (US company)
- Crypto (traced anyway)
- All processed through 14 Eyes

3. Cloud Infrastructure

VPN servers hosted on:
- AWS (US company)
- Google Cloud (US company)
- Azure (US company)
- All subject to US jurisdiction

The Real Examples That Prove It’s Bullshit

Case 1: HideMyAss (UK-based)

Claim: UK privacy laws protect you
Reality: Handed over logs to FBI, user arrested
Jurisdiction: Didn’t matter

Case 2: IPVanish (US-based)

Claim: No logs policy
Reality: Provided logs to DHS
Jurisdiction: Didn’t matter

Case 3: PureVPN (Hong Kong)

Claim: Outside 14 Eyes!
Reality: Gave logs to FBI anyway
Jurisdiction: Didn’t matter

Case 4: Riseup VPN (US-based)

Claim: Activist-run, fights government
Reality: Compromised by FBI, users arrested
Jurisdiction: Didn’t matter

What Actually Protects You (Hint: Not Jurisdiction)

Things That Don’t Matter:

❌ Company registration location ❌ “14 Eyes” membership ❌ Marketing claims about privacy laws ❌ PO boxes in exotic locations

Things That Actually Matter:

✅ Not keeping logs (verified by audit) ✅ RAM-only or Secure-core servers (can’t store data) ✅ Open source code (verifiable) ✅ Warrant canary (still updated?) ✅ Actually fighting in court (not just claiming they would)

The Mullvad Example (How to Actually Do It Right)

Mullvad (Sweden - IN THE 14 EYES!) does this:

No email required
No account info stored
Payment by random number
Cash payments accepted
Regular audits
Open source

They’re in the 14 Eyes and more private than every “Panama-based” VPN.

Why? Because jurisdiction doesn’t matter. Architecture does.

The Reddit Reality Check

🔥 r/VPN Posted by u/boredintalla 70mo ago

↑ 49

For "14 eyes", what's the effective difference between the country a VPN company is based in -VS- the country that you choose within a US-based VPN?

Please clear up my confusion.

I heard it's unsafe (privacy-wise) to use a VPN company that's based in a "14 eyes" country.

OK, but what if you use a US-based VPN company, but then choose a non-"14 eyes" country within the VPN? So like if I used a US-based VPN service, but then chose 'Switzerland' within the program.

Am I protected then, 14-eyes -wise? Or what is the deal? I don't understand effectively the difference between these two concepts.

Thanks!

💬 29 comments 🏆 49 upvotes 📈 89% upvoted 🤬 Rant-o-Meter: High

Top Comments (7)

u/[deleted] ↑ 16 70mo ago

Just choose a company that doesn't log IP addresses

u/[deleted] ↑ 9 70mo ago

[removed]

u/Modularis ↑ 7 70mo ago

It is not unsafe to use a VPN based in a "14 eyes" country, it is a common lie propogated by certain VPN companies. There are intelligence sharing agreements between these countries that is it. It is fine to connect to servers located in any country. If you are using a VPN that actually keeps no identifiable logs, then it makes no difference if the VPN is located in a 14 eyes country or not, as wh...

u/Sweden78 ↑ 4 70mo ago

Don’t listen to much on the 14 eyes false marketing argument.
Interessant reading about this topic in this article:
[The 5-9-14 eyes misleading VPN argument ](https://www.skadligkod.se/vpn/the-5-9-14-eyes-misleading-vpn-argument/)

u/[deleted] ↑ 2 70mo ago

Countries in the 14 eyes, 5 eyes, is what we usually talk about, can be subpoenaed, and can be unable to even tell their customers that. They just file it under bullshit terrorist/national security laws.

You want a country that’s going to bin a US subpoena.

View all 29 comments on Reddit →

“Should I avoid VPNs in 14 Eyes countries?”

Top comment: “It’s marketing bullshit. ExpressVPN claims BVI but uses US servers. NordVPN claims Panama but processes payments through the US. Your data touches 14 Eyes countries regardless.”

“But the YouTube review said jurisdiction matters!”

“The YouTube review was sponsored by a VPN company.”

🔍 Don’t Trust Me? Verify This Yourself

Want to see the raw data behind my claims? Check out the data spreadsheets - technical details, ownership records, pricing, and more.

Check NordVPN servers: 1,970 in USA, only 12 in Panama
Search “ExpressVPN British Virgin Islands servers” (find zero)
Google “MLAT treaties Panama United States”
Look up “AWS datacenters locations” (where VPNs actually host)
Find “Mullvad Sweden 14 Eyes” - yet they’re the most private

The Bottom Line

Jurisdiction is theater. It’s a marketing checkbox that sounds important but means nothing in practice.

Your data passes through 14 Eyes countries anyway. The internet’s infrastructure guarantees it.

If they want your data, they’ll get it. Through legal means, technical means, or just buying it from your VPN company.

Real privacy comes from architecture, not geography. No logs, RAM-only servers, cash payments - not PO boxes in Panama.

Stop believing that three letters in Panama will protect you from three letters in Washington.

They won’t.

🧪 Test This Yourself

Prove jurisdiction is meaningless:

Trace your VPN route: traceroute to any website (see it hit 14 Eyes countries)
Check server locations: “[VPN name] server count by country”
Find the infrastructure: Most use AWS/Google Cloud/Stripe (US companies)
Search “[VPN name] MLAT compliance”
Test the theory: Try to find ONE case where Panama jurisdiction protected anyone

P.S. In my opinion, VPN review sites that emphasize “14 Eyes” are either misinformed or financially motivated. ExpressVPN reportedly pays $95 per sale whether they’re based in BVI or Baltimore.

P.P.S. In my view, intelligence agencies probably aren’t reading your VPN traffic because you’re likely not that interesting. But if they wanted to, I believe BVI or Panama jurisdiction wouldn’t stop them.