This was originally compiled for a Reddit post by me in response to IVPN’s blog post on the same subject. Some of the wording may sound strange because of this, but it is being copied over in its entirety here to preserve it.
Written Jan 21, 2016
ThatOnePrivacyGuy here (creator of the VPN Comparison Chart in the /r/vpn sidebar). Recently, I’ve received lots of questions and comments from users and companies to clarify and explain certain data points.
Among these questions came one that sparked some controversy and a blog post from IVPN. IVPN claims that Gibraltar (the country they are based in) should not be classified as a Fourteen eyes country. They go on to list various reasons for why they think this is the case (implying that it should be changed on my sheet). Obviously IVPN has an interest in maintaining that the country they’ve chosen the establish their operation is such that would not potentially compromise their customers data.
This is why I’d like to take some time and provide some background as to why it was originally changed to fall under that umbrella and pose the question to the community. This will be a long and complicated post.
What is a “Fourteen Eyes” Country? (Definition and links from privacytools.io)
The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.
Five Eyes 1. Australia 2. Canada 3. New Zealand 4. United Kingdom 5. United States of America
Nine Eyes 6. Denmark 7. France 8. Netherlands 9. Norway
Fourteen Eyes 10. Belgium 11. Germany 12. Italy 13. Spain 14. Sweden
What is Gibraltar?
Gibraltar is a British Overseas Territory. An Anglo-Dutch force captured Gibraltar from Spain in 1704 during the War of the Spanish Succession on behalf of the Habsburg pretender to the Spanish throne. The territory was subsequently ceded to Britain “in perpetuity” under the Treaty of Utrecht in 1713. During World War II it was an enormously important base for the Royal Navy as it controlled the entrance and exit to the Mediterranean Sea, which is only eight miles (13 km) wide at this point.
The sovereignty of Gibraltar is a major point of contention in Anglo-Spanish relations as Spain asserts a claim to the territory. Gibraltarians overwhelmingly rejected proposals for Spanish sovereignty in a 1967 referendum and again in 2002 – in conjunction with the UK Parliament’s “British Overseas Territories Act of 2002”. Under the Gibraltar constitution of 2006, Gibraltar governs its own affairs, though some powers, such as defence and foreign relations, remain the responsibility of Government of the United Kingdom.
What is a British Overseas Territory?
The fourteen British Overseas Territories are territories under the jurisdiction and sovereignty of the United Kingdom, but not part of it. They are those parts of the former British Empire that have not chosen independence or have voted to remain British territories. While each has its own internal leadership, most being self-governing, they share the British monarch (Elizabeth II) as head of state.
In the case of all British Overseas Territories, Foreign affairs (including presumably intelligence community cooperation) are handled by the Foreign and Commonwealth Office in London.
The Foreign and Commonwealth Office Website itself lists UK government agencies it cooperates with, among which is the SIS or Secret Intelligence Service (sometimes known as MI6)
Further, Interpol itself considers Gibraltar as belonging to the UK.
Response to IVPN’s specific points
Gibraltar is not “a part of” the UK any more than Andorra (who recognizes the French President as their co-monarch) is not “a part of” France.
IVPN states that the only thing that associates Gibraltar with the UK is that they recognize the queen as their monarch. This above analogy is flawed. Andorra (over a thousand years ago) was a vassal of France. Their recognition of the President of France today is more traditional or ceremonial. Gibraltar is a British Overseas Territory (a legal term established as per the UK Parliament’s British Overseas Territories Act of 2002)
Gibraltar has its own system of governance, including a parliament, legal system, etc
As a British Overseas Territory, Gibraltar is allowed a degree of self-governance, however, as stated above, many functions of government (what I’d call “big picture” items) are handled by the UK Government and coordinated through the Foreign and Commonwealth Office.
IVPN further points to the Gibraltar parliament website, which states: “And whereas the people of Gibraltar have in a referendum held on 30th November 2006 freely approved and accepted the Constitution annexed to this Order which gives the people of Gibraltar that degree of self-government which is compatible with British sovereignty of Gibraltar (emphasis mine) and with the fact that the United Kingdom remains fully responsible for Gibraltar’s external relations”.
Gibraltar is not subject to UK Digital Economy Act of 2010, UK Regulation of Investigatory Powers Act 2000, etc
This unfortunately is where things get murky. What a country SHOULD be subject to was the whole point of the Snowden leaks and revelations. Many of these laws supposedly protect companies and individuals privacy rights. Snowden showed that none of this mattered. A scheme was operating in which governments were bypassing their own country’s laws forbidding them from spying on their citizens. They accomplished this by spying on the citizens of other countries and exchanging notes. As governments participating in this kind of bulk data collection sharing is inherently unlawful (if only in the spirit of the law), citing the laws a country is bound by doesn’t mean much to me.
So where does this leave us?
Is Gibraltar free from the influence and pressure of the UK in matters of international intelligence and spying? I think based on the information above that the UK has its political hooks in Gibraltar enough to pressure them to compromise a company in their borders’ data. I believe there is enough evidence the conclude that a VPN service based in Gibraltar cannot expect the same kinds of protections from prying eyes as a company based in a country that is not associated in such a way.
I don’t wish to imply in any way that IVPN specifically is at fault or guilty of cooperating with any such requests or pressure. Quite the contrary in fact. I think that IVPN has shown they are serious privacy advocates based on the research I’ve done (see my chart for more specific data). I believe VPN Companies in such countries are victims like citizens when it comes to the betrayals of trust exposed in the Snowden documents.
The crux of this argument:
Imagine you are a potential customer of a VPN company, referencing the sidebar link on /r/vpn for the VPN Comparison Chart. Would you consider it more accurate to read that Yes, Gibraltar counts a Fourteen Eyes country? Would it be misleading to say No, Gibraltar is not a Fourteen Eyes Country”.
I fell somewhere in between: Currently, the cell indicating “Is the company based in a ‘Fourteen Eyes Country'” marked as “See Note” which when the user hovers their cursor over the cell displays, “Gibraltar itself isn’t technically a fourteen eyes country, but it is a British Overseas Territory of the UK, which is and may have influence in matters of international spying.”).
Is this adequate to warn the user of potential privacy issues? Is my concern warranted or is IVPN correct that Gibraltar is far enough removed from UK intelligence that such spying would never affect their customers?
Edit: Added info and link from Interpol.
Edit 2: I’m satisfied that a “See Note” entry for that cell is the right way to go. I’ll update the note to include the Interpol info as well.
Note: “See Note” has since become “Owned” under the Jurisdiction on the VPN Comparison Chart.