Contents
Chapter 1 — What are the Eyes alliances?
From the Cold War to the global data network
The story begins at the end of the Second World War. In 1946, the US and the UK signed the UKUSA AgreementUKUSAThe secret 1946 agreement between the US and the UK for joint signals intelligence. Forms the foundation of all Eyes alliances and was not officially confirmed until 2010. — originally intended for joint signals intelligenceSIGINTSignals intelligence — the interception and analysis of electronic communications: phone calls, emails, internet traffic, radio transmissions. The core activity of all Eyes intelligence agencies. (SIGINT) against the Soviet Union. What began as a military alliance has evolved over 80 years into the most comprehensive surveillance infrastructure in human history.
Today the network consists of three concentric rings, each with different access rights and obligations:
5
Five Eyes (FVEY) — Core alliance
Highest classification level · full data exchange · mutual spying on behalf of others
🇺🇸 USA (NSANSANational Security Agency — the largest US foreign intelligence agency with over 30,000 staff. Responsible for signals intelligence and code-breaking. Operates PRISM, XKeyscore and numerous other programmes.)
🇬🇧 UK (GCHQGCHQGovernment Communications Headquarters — the UK's signals intelligence agency. NSA partner and operator of Tempora. Snowden called GCHQ "worse than the US".)
🇨🇦 Canada (CSE)
🇦🇺 Australia (ASD)
🇳🇿 New Zealand (GCSB)
9
Nine Eyes — Extended circle
Restricted access · contribute to SIGINT collection · cooperate on terrorism & cybercrime
🇺🇸 USA
🇬🇧 UK
🇨🇦 Canada
🇦🇺 Australia
🇳🇿 New Zealand
🇩🇰 Denmark (FE)
🇫🇷 France (DGSEDGSEDirection Générale de la Sécurité Extérieure — France's foreign intelligence service. Operates its own mass surveillance programmes and is part of the Nine Eyes.)
🇳🇱 Netherlands (AIVD)
🇳🇴 Norway (NIS)
14
Fourteen Eyes (SSEUR) — Full network
Also known as SIGINT Seniors Europe · exchange as needed · also subject to privacy criticism
🇺🇸 USA
🇬🇧 UK
🇨🇦 Canada
🇦🇺 Australia
🇳🇿 New Zealand
🇩🇰 Denmark
🇫🇷 France
🇳🇱 Netherlands
🇳🇴 Norway
🇧🇪 Belgium (SGRS)
🇩🇪 Germany (BNDBNDBundesnachrichtendienst — Germany's foreign intelligence service. Mass-forwarded data to the NSA and used XKeyscore./BfVBfVBundesamt für Verfassungsschutz — Germany's domestic intelligence service. Was granted access to the NSA tool XKeyscore — without knowing exactly what it does.)
🇮🇹 Italy (AISE)
🇪🇸 Spain (CNI)
🇸🇪 Sweden (FRA)
Germany is part of the 14 Eyes. The Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution (BfV) actively cooperate with the network. NSA documents from the Snowden leak showed: the NSA was working to influence the German government to interpret data protection laws "more laxly in the long run". The BfV was also granted access to the NSA surveillance tool XKeyscore — and the head of the relevant department told the Bundestag's NSA inquiry committee: "We do not know what the thing does when it is connected to the internet."
Chapter 2 — The surveillance programmes in detail
PRISM, XKeyscore, Tempora: The tools
Snowden's leaks revealed in 2013 a networked infrastructure of specialised programmes. Each has a different function — together they form a system capable in principle of capturing all internet communication.
PRISMPRISMNSA programme for direct access to the servers of Google, Microsoft, Apple, Facebook and other tech giants. Captures emails, chats, videos and login credentials. Revealed by Snowden in 2013.
NSA (USA) + GCHQ (UK)
Direct access to the servers of Microsoft, Google, Yahoo, Facebook, Apple, Skype, YouTube and Dropbox. Captures emails, chats, videos, photos, voice calls, video conferences and login credentials — under court order from the secret FISAFISAForeign Intelligence Surveillance Act — US law establishing a secret court (FISC) that approves surveillance orders. In 2012, not a single application was rejected. court, which rejected not a single application in 2012.
XKeyscoreXKeyscoreThe intelligence agencies' "Google search": searches browser histories, emails and chats worldwide in real time. Over 700 servers at 150 locations. NSA analysts could search without a court order.
NSA · Access: BND, BfV, Sweden, Denmark and others
The intelligence service's "Google": searches vast amounts of data in real time — browser histories, emails, chat logs, search queries. In 2008: 700+ servers at 150 locations worldwide. NSA analysts could launch queries without prior court authorisation. Germany used it for years without a security concept.
TEMPORATemporaGCHQ programme for tapping transatlantic fibre-optic cables. Stores all internet traffic for 30 days. Enables searching of virtually all European internet communication.
GCHQ (UK)
Tapping transatlantic fibre-optic cablesFibre-optic cablesUndersea cables made of optical fibres through which over 95% of global internet traffic flows. Anyone who taps these cables can read the bulk of global communications.. Stores all internet traffic for up to 30 days, metadata for up to 30 days longer. Snowden called GCHQ "worse than the US" as a result. NSA analysts actively used Tempora data.
MUSCULARMUSCULARJoint NSA/GCHQ programme that directly tapped data connections between Google and Yahoo data centres — without the companies' knowledge, without a court order. 181 million records per month.
NSA + GCHQ jointly
Pure hacking — no judge, no order, no corporate cooperation. Directly accesses the internal data streams between Google and Yahoo data centres. In a single month (Jan. 2013): 181.3 million records obtained.
ECHELONECHELONThe oldest mass surveillance programme of the Five Eyes, active since the 1960s. Intercepts phone calls, faxes and data lines via a worldwide network of listening stations.
Five Eyes (since 1960s)
The great-grandfather of all programmes. Originally aimed at satellite communications, today part of the comprehensive SIGINT infrastructure. Intercepts phone calls, faxes and data lines via a worldwide network of listening stations.
BULLRUN / EDGEHILLBULLRUNSecret NSA and GCHQ programmes to deliberately undermine encryption standards. By inserting backdoors into software, the security foundation of the entire internet is compromised.
NSA (BULLRUN) · GCHQ (EDGEHILL)
Deliberate undermining of encryption standards worldwide. Cooperation with technology companies to insert backdoors into encryption software. Compromises the security foundations of the entire internet.
The Five Eyes are a supranational intelligence organisation that does not answer to the laws of the countries in which it operates.
Chapter 3 — The decisive privacy loophole
How states legally spy on their own citizens
The biggest legal scandal of the Eyes alliances is not so much that they conduct surveillance at all — but how they circumvent national data protection laws in doing so. The mechanism is simple yet alarmingly effective:
🔄 The "mutual spying" trick
1
A CIA analyst wants to monitor a US citizen. The Fourth Amendment to the US Constitution prohibits this without a court order.
2
He calls his colleague at the British GCHQ and asks them to monitor the target. GCHQ is permitted to do this — US citizens are "foreigners" as far as British intelligence is concerned.
3
GCHQ shares the data with the NSA. The CIA analyst receives all the information — without ever having crossed a constitutional boundary.
4
The same works in reverse: the UK outsources surveillance of British citizens to the NSA. And France, Germany and the Netherlands follow the same pattern with their respective partners.
Concretely documented: GCHQ demonstrably monitored US citizens at the NSA's request. The NSA monitored Germans, including Chancellor Angela Merkel — with the BND's help, which forwarded data on European and German targets to the NSA. In effect, German intelligence was spying against its own citizens and allies — for the United States.
What exactly is collected?
The alliances have long since moved beyond phone calls from terrorist suspects. Snowden's documents, confirmed through court proceedings and parliamentary inquiry committees in Germany, the UK and the US, show:
| Data category | Collected via | Scope |
|---|---|---|
| Emails (content) | PRISM, MUSCULAR | In bulk, without specific suspicion |
| Browser histories | XKeyscore | Real-time, no authorisation required |
| Phone metadataMetadataNot the content but the circumstances of communication: who called whom, when, for how long, from where. NSA chief Michael Hayden said: "We kill people based on metadata." | NSA (Verizon order) | All connections, daily |
| Social networks | PRISM | Facebook, Google, Skype directly |
| Cloud data | MUSCULAR | Google Drive, Dropbox etc. without authorisation |
| Encrypted communication | BULLRUN/EDGEHILL | Partially compromised via backdoors |
| Tor users | NSA + GCHQ jointly | De-anonymisation attempts, partly successful |
Chapter 4 — What Snowden revealed
The timeline of a global shock
June 2013
PRISM goes public. The Guardian and Washington Post publish Snowden's documents. The NSA can directly access the servers of Microsoft, Google, Apple, Facebook and six other tech giants. The public learns for the first time the true scale of digital mass surveillance.
July 2013
XKeyscore revealed. The Guardian shows: NSA analysts can search virtually everything anyone does online — emails, Facebook activity, browser histories — without prior court authorisation. The BND is also granted access.
Oct. 2013
Merkel's phone tapped. Der Spiegel reveals: the NSA has been monitoring the mobile phone of Chancellor Angela Merkel. Obama has known since 2010. Germany expresses outrage — yet fails to exit the 14 Eyes network.
Dec. 2013
MUSCULAR programme. Washington Post: the NSA and GCHQ directly hack the data connections between Google's and Yahoo's data centres — without the companies' knowledge, without a court order. 181.3 million records in one month.
2015/16
Bundestag NSA inquiry committee. Confirmed: the BND mass-forwarded data on Europeans to the NSA, including data on German citizens. XKeyscore deployed by the BfV without an IT security concept.
May 2021
Operation Dunhammer / Denmark. Revelation: Denmark's FE intelligence service used XKeyscore to monitor politicians of allied states — including Sweden, Norway, the Netherlands, France and Germany.
2025/26
Programmes continue. None of the core surveillance infrastructures has been shut down. PRISM continues in adapted form. XKeyscore is being expanded. The alliances operate unabated — with more legally grounded foundations following FISA reforms in the US (RISAA, April 2024). ⚠️ FISA Section 702 — the legal basis for PRISM — expires again on 20 April 2026; a new reauthorisation debate is under way in Congress.
Chapter 5 — Why this is personally relevant to you
Not a terrorist? Still affected.
The most common misconception: "I have nothing to hide, so I'm safe." This logic overlooks several fundamental realities:
Bycatch surveillance: Mass surveillance never captures only its targets. Millions of law-abiding citizens are caught up because they communicate with a target, use similar search terms or simply happen to be in the wrong place at the wrong time. Snowden's documents confirmed: US citizens were "routinely scooped up as bycatch" despite constitutional protections.
What happens to your data — and where the Eyes alliance has influence
When you use an app whose servers are in a 5 Eyes country, the following can theoretically happen:
1,800+
Secret FISA surveillance orders in 2012 alone — not a single application was rejected
£17.2M
NSA funding for GCHQ's British "Mastering the Internet" programme
100+
Global intelligence contacts of the Swiss NDB — even "safe" countries are networked
The situation is particularly problematic for journalists, activists, lawyers and anyone working with sensitive information. Source protection is effectively impossible in the Eyes world when communication runs over US or UK servers. In 2013 the British government detained the Guardian journalist Glenn Greenwald's partner for nine hours at Heathrow Airport, interrogating him under anti-terrorism laws — in order to obtain information about Snowden's documents.
The freedom question: Research shows that people change their behaviour when they know they are being watched — even when they are doing nothing forbidden. Surveillance effectively restricts free expression, political activism and the willingness to maintain privacy. This is not a data protection problem — it is a question for democracy.
VPNs and cloud services: what the Eyes alliance means for your everyday technology
The law is clear: if a VPN provider or cloud service is based in an Eyes country, the authorities there can compel data access and legally oblige the provider to stay silent about it. Concrete cases:
- Hushmail (Canada, 5 Eyes): in 2007 handed twelve CDs of encrypted emails to the FBI — including the stored key needed to decrypt them.
- IPVanish (USA, 5 Eyes): marketed as a "no-logs" VPN. Kept user logs and thereby enabled Homeland Security to identify a user.
- Riseup (USA, 5 Eyes): handed user data to the FBI to avoid contempt-of-court proceedings.
- Tuta (formerly Tutanota, Germany, 14 Eyes): was ordered in 2020 by a German regional court to carry out real-time interception (TKÜ) on a single account — intercepting unencrypted emails before they are encrypted. The end-to-end encryption itself was not broken and no backdoor was installed. Tuta complies with lawful interception orders but maintains its encryption architecture.
- Apple iCloud (USA, 5 Eyes): In January 2025, the UK Home Office served Apple with a secret Technical Capability Notice demanding global backdoor access to end-to-end encrypted iCloud backups. Apple responded by disabling Advanced Data Protection for all UK users. Under US pressure (Vance, Gabbard), the UK claimed to drop the demand — but promptly issued a narrower follow-up order covering British users' data. The legal dispute remains unresolved.
Chapter 6 — What you can do
Protection in a surveilled world
Complete anonymity is virtually impossible — that is the honest answer. But anyone who wants to act with greater risk awareness can take concrete steps:
VPNVPNVirtual Private Network — encrypts your internet connection and hides your IP address. Protects against surveillance — but only if the provider is not based in an Eyes country and genuinely keeps no logs. outside Eyes countries
Providers based in Switzerland, Iceland, Romania or Panama are not subject to Eyes legislation. Still scrutinise carefully: does the provider have a genuine no-logs audit?
End-to-end encryptedE2E encryptionEncryption where only the sender and recipient can read the message — not even the provider. Even if an intelligence service taps the line, it sees only unreadable data noise. communication
Signal (metadata remains exposed, content encrypted), ProtonMail or Tuta for email. Important: both sides must encrypt, otherwise it achieves nothing.
Check cloud storage location
Google Drive, iCloud, OneDrive = USA (5 Eyes). Alternatives: Nextcloud on your own server, Tresorit (Switzerland), Filen (Germany, GDPR). Encrypt sensitive data locally before uploading.
Privacy-friendly browsers & search engines
Firefox + uBlock Origin instead of Chrome. DuckDuckGo or Startpage instead of Google. For the highest requirements: Tor Browser — but slower and more limited.
Check service jurisdiction
Before installing an app: where is the company legally registered? A company with an EU registered office is still within the 14 Eyes network, but is at least better regulated through GDPRGDPRGeneral Data Protection Regulation — the EU data protection law. Provides citizens with strong rights, but cannot prevent intelligence service access, as national security is exempt from the GDPR..
Maintain realism
Even Switzerland is not isolated: the NDB has 100+ intelligence contacts worldwide. Absolute security does not exist — but there are significantly worse and better decisions to be made.
Important to know: No Eyes country is automatically "bad" — counter-terrorism and cybersecurity are legitimate objectives. The criticism is directed at mass surveillance of law-abiding citizens without concrete grounds for suspicion, at the circumvention of national rule of law through mutual spying, and at the lack of democratic oversight of these infrastructures.
🔎 Conclusion: what does this really mean?
The Eyes alliances are not a conspiracy theory — they are officially confirmed reality, documented through court proceedings and parliamentary committees. They show that the location of a service, its server location and the legal jurisdiction of its home authorities are fundamental privacy questions. Germany is part of the system. The programmes continue to run. Anyone who takes digital privacy seriously must know which country's jurisdiction their data falls under — and what that means in practice.
Sources & further reading
01
Tuta Mail — "Fourteen Eyes Countries: How does this alliance affect your privacy?"
Comprehensive explanation of the Eyes alliances including Snowden's revelations and practical protection measures (Jan. 2026)
tuta.com/blog/fourteen-eyes-countries
02
Privacy Affairs — "What Are the 5, 9, and 14 Eyes Countries?"
Detailed overview of all member countries with respective legal situation and intelligence agencies
privacyaffairs.com/5-9-14-eyes-countries/
03
Comparitech — "A guide to the 5, 9, and 14 Eyes Alliances"
Explains what data is collected, which programmes are used and how VPN users are affected
comparitech.com/blog/vpn-privacy/guide-to-the-5-9-14-eyes-alliances/
04
CyberNews — "Five, Nine, and Fourteen Eyes alliances explained"
Explains the Hushmail, IPVanish and Riseup cases as well as encryption backdoors via BULLRUN/EDGEHILL
cybernews.com/resources/5-eyes-9-eyes-14-eyes-countries/
05
Privacy Journal — "What are the Five Eyes, Nine Eyes, & 14 Eyes?"
Explains the mutual spying trick and how states legally circumvent their own data protection laws
privacyjournal.net/five-eyes/
06
Privacy Journal — "Edward Snowden & the NSA PRISM Program: 2026 Update"
Detailed description of PRISM, XKeyscore, Tempora, MUSCULAR, BULLRUN and further programmes
privacyjournal.net/edward-snowden-nsa-prism/
07
Wikipedia (DE) — XKeyscore
German Wikipedia article on XKeyscore with BND/BfV involvement and Operation Dunhammer (Danish intelligence)
de.wikipedia.org/wiki/XKeyscore
08
Wikipedia — Snowden Disclosures
Comprehensive documentation of all revelations, confirmed facts and countries involved, based on primary documents
en.wikipedia.org/wiki/Snowden_disclosures
09
Heise Online — "NSA surveillance scandal: from PRISM, Tempora, XKeyScore and the super-fundamental right"
Chronological overview from the German IT specialist publication covering all revelations (Aug. 2013, historical)
heise.de/news/NSA-Ueberwachungsskandal
10
VPN Overview — "5 Eyes, 9 Eyes, 14 Eyes Alliances: Everything You Need to Know"
Practical guide to self-protection measures, assessment of VPN providers by jurisdiction and privacy risks
vpnoverview.com/privacy/anonymous-browsing/5-9-14-eyes/