What do SMS phishing scams and the last big data breach that compromised tens of millions of email addresses have in common? They’re both the work of bad actors exploiting vulnerabilities in very sophisticated networks to steal our personal information and then put it up for sale.
But what if the entities “stealing” our data weren’t “bad”? In fact, what if they were our own governments, exploiting vulnerabilities in their own tech laws to keep tabs on our online activity?
Sound scary? Pull up a seat. Kick up your legs. We’ve just entered the strange and nefarious world of the 14 Eyes.
What’s the 14 Eyes?
If you think your favorite Marvel superhero has a complex origin story, I guarantee you, the 14 Eyes backstory is even more complicated. It spans decades, involves superpowers, and, yes, there are good guys and bad guys. But here’s the general picture.
In 1982, a consortium of powerful Western nations pledged to share intelligence with each other so they could stay one step ahead of the “bad guys.” The bad guys, in this case, were the Soviet Union and the People’s Republic of China. Remember, this was the Cold War, or at least the tail end of it.
The kind of intel the consortium was sharing was “signals intelligence,” or SIGINT. Basically, they were intercepting and hacking encrypted messages from the communists, and then sharing the goods with each other. “They” being the U.S., U.K., Australia, Canada, New Zealand, Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain, and Sweden.
But the 14-member data-filching cabal didn’t sprout out of the ground fully formed. Like many Western espionage efforts, we can trace its origin story back to the 1940s. And if you’re thinking, Cool. Just like “Hellboy,” you’re actually not far from the mark.
Did You Know: Like the Choctaws in WWI, the Navajos helped the Allies defeat the Axis Powers in WWII. The difference was, while the Choctaws simply passed messages in Choctaw, the Navajo Code Talkers made their own coded alphabet (38 symbols), reinforced with 41 new words. [1] The Navajo code was unbreakable.
The UKUSA Agreement (aka the 5 Eyes and the 9 Eyes)
Computer science as we know it got its start in World War II with the birth of cryptography (remember Alan Turing and Bletchley Park [2]?). Battling the Third Reich taught us a lot about the value of good intel. It also taught us to share what we found. The U.S. and U.K. became intel-sharing besties, running Hitler into the ground.
After it was all over, and the “bad guys” were wiped out, the U.S. and the U.K. codified their message-hacking cooperation and invited three other English-speaking nations onboard: Canada, New Zealand, and Australia. They called themselves the 5 Eyes, or FVEY. The agreement they signed was called the UKUSA Agreement (formerly BRUSA [3]).
FYI: Alan Turing was a man of many hats. Known as the “Father of Computer Science,” Turing was a mathematician, logician, and cryptographer. He also broke the Nazi Enigma code for the Allies, turning the tide of WWII.
The 5 Eyes and the 9 Eyes
The whole FVEY operation was shrouded in complete mystery. Its network, STONEGHOST, became the original dark web, holding the West’s most heavily guarded secrets. (The UKUSA Agreement was so secret that the Prime Minister of Australia, a member country, was in the dark about it until 1973.)
All was well and good for the 5 Eyes for years; in fact, it was so good that they expanded in the 1950s: Denmark, France, the Netherlands, and Norway joined the group. Now they were the 9 Eyes.
You know the rest of the story. In 1982, the 9 Eyes became the 14 Eyes. Soon, Japan may even become a member, taking us full circle. After all, it was the hacking of Japan’s wartime cipher machine, Purple, that convinced the U.S. and U.K. to partner up for the good of datakind.
And just so that we’re perfectly clear about this: STONEGHOST might sound like comic book or B-movie material, but none of it is conspiracy; the whole story is very well documented. The 14 Eyes are real.
And here’s why you should be paying attention.
Pro Tip: Want to protect yourself against all the eyes in the world? Consider using a quality virtual private network (VPN). VPNs are still the best way to guard against snooping internet service providers (ISPs), hackers, and governments.
The 14 Eyes and Beyond
In 1982, the “bad guys” were still out there. As I mentioned, this time around they were the Soviets and the People’s Republic of China. But like the Third Reich, the USSR crumbled, too. In 1989, the Berlin Wall fell. Three years later, in 1992, the Soviet Union became Russia.
SIGINT technology did not, however, go away. It did what any smart technology would have done: It found a new home.
By this time, during the mid-90s, the digital revolution was proceeding apace. The SIGINT tech that Cold War governments had used to bust through enemy secrets entered the consumer market.
Encryption Becomes a Household Word
When encryption technology went “civilian” in the 2000s, it was a big win for households in countries where it was available. Our lives were already going digital by that point. In the next decade, this would include most of our business and personal items: photos, videos, music, docs, bank accounts, email accounts, etc. Basically, our entire identities were online and there was a new league of “bad guys” who wanted to “steal the keys”: hackers, data farmers, and ISPs.
Security tech stepped up to the challenge, giving us encrypted files and passwords, bank-grade identity theft protection software, and malware-stomping apps on our laptops and mobiles. It even let us seal off our internet connections — the very air we breathe — with VPNs.
Did You Know: In the U.S., home security systems were around long before the digital revolution, but they weren’t as sophisticated. In the 1920s, for example, you could hire a “door shaker” to come and turn your doorknob at night to make sure it was locked.
This story would have had a much happier ending if we were all so well protected that the “bad guys” went back to their day jobs and our governments hung up their spy badges to study sustainable farming.
But, of course, it didn’t work out that way. Today, the bad actors are proliferating at a near-pandemic rate with their phishing, malware, data farming, tracking, and hacking schemes. And our governments? The Nazi-flouting, USSR-crushing 14 Eyes?
Make sure you’re sitting down for this, folks.
FYI: The term “data farming” was first used by the U.S. Marines in 1998 to describe the process of simulating and then gathering results from a set of military challenges.
The 14 Eyes Finds a Loophole in the Law to Snoop on Their Own Citizens
Somewhere between the fall of the Berlin Wall in 1989 and the rise of TikTok in 2018, our governments turned the focus of their intel-gathering operations partially onto their own citizens.
This became shockingly clear as far back as 1996, when The Independent, a British newspaper, revealed that the U.K.’s MI6 was paying the United States’ National Security Agency (NSA) to tap phones in the U.K. [4] Seventeen years later, in 2013, Edward Snowden’s leaks [5] revealed that the NSA had paid the U.K. Government Communications Headquarters (GCHQ) over £100 million to do the same.
The scariest part of the new 14 Eyes? They were doing it this way to circumvent their own privacy laws. In other words, the U.S. couldn’t spy on its own citizens, but it could ask the U.K. to do it for them, and vice versa.
The 14 Eyes were watching us all.
Did You Know: Since 2013, American intelligence contractor-turned-internet freedom activist Edward Snowden has shared over 7,000 top secret NSA documents with the press, or less than 1 percent of all the classified documents believed to be in his possession.
Can Your VPN Protect Your Online Privacy From the 14 Eyes?
At this point, you may be scratching your head. (Or stamping your feet and biting your cheeks.) I can’t say I blame you. Is your $7.99 per month VPN any match for the NSA?
Practically speaking, yes. Here’s why.
Yes, a VPN Can Be Hacked, but It’s Not Going to Happen to You
There are two ways to bust through a VPN, or any encrypted network for that matter: brute force or stealing the key. To bust your way into a VPN tunnel like Thanos is pretty much impossible. Even if you exploited vulnerabilities in the Diffie-Hellman algorithms that underpin popular VPN protocols like OpenVPN and IPsec, you’d still need millions of dollars, immense computing power, and about a year to safecrack a decent VPN. And, sorry to say, most of us are just not that important to the NSA.
Pro Tip: The Diffie-Hellman key exchange lets two parties talking over an open channel agree on a shared encryption key without ever sending the key itself. Working that key out from the values they do exchange is so computationally expensive that hacking it is almost impossible.
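The key exchange described above, as an added Python example that is not from the original article: textbook Diffie-Hellman over a deliberately tiny, constructed group, showing what crosses the open channel and why the size of the group is what keeps the shared key out of reach. The parameters (P = 2027, Q = 1013, G = 4) and all function names are illustrative assumptions.

```python
import secrets

# Constructed toy group, for illustration only: P is a safe prime (P = 2*Q + 1)
# and G = 4 generates the subgroup of prime order Q. Deployed VPNs use groups of
# 2048 bits or more (or elliptic curves), not 11-bit ones.
P, Q, G = 2027, 1013, 4

def keypair():
    """Pick a private exponent x and return (x, G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1            # 1 <= x <= Q - 1
    return x, pow(G, x, P)

def shared_secret(own_private, peer_public):
    """Derive the shared value after validating the peer's public value."""
    # Reject values outside the prime-order subgroup (0, 1, P-1, wrong order).
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value is not in the expected subgroup")
    return pow(peer_public, own_private, P)

def exchange():
    """Run both sides; 'wire' is everything an eavesdropper observes."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = {"p": P, "g": G, "a_pub": a_pub, "b_pub": b_pub}
    return wire, shared_secret(a_priv, b_pub), shared_secret(b_priv, a_pub)

def exhaustive_search(wire):
    """Recover the shared value from wire data alone by trying every exponent.

    Needs at most Q steps, which is trivial here only because Q is tiny; for a
    2048-bit safe prime this naive loop would need roughly 2**2047 steps.
    """
    value = 1
    for x in range(Q):
        if value == wire["a_pub"]:
            return pow(wire["b_pub"], x, wire["p"])
        value = value * wire["g"] % wire["p"]
    raise ValueError("public value was not generated by g")

if __name__ == "__main__":
    wire, key_a, key_b = exchange()
    print("on the wire:", wire)
    print("both sides agree:", key_a == key_b)
    print("toy key recoverable from wire data:", exhaustive_search(wire) == key_a)
```

The private exponents never appear in `wire`; with a properly sized group, that is why observing the handshake is not enough to read the tunnel.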
Stealing the encryption key (hackers), or more likely, simply asking for user records (14 Eyes), are real privacy violation scenarios. That’s why the sanest advice I can offer you is to choose a VPN that has a sterling reputation for security. Here’s how you can do that.
Digital Privacy 101: Choose a VPN That’s Serious about Privacy
First, choose a VPN based in a country outside the jurisdiction of the 14 Eyes (e.g., Switzerland, the British Virgin Islands, Panama, and Romania, to name four). VPN providers in these countries don’t have to cooperate with subpoenas requesting user data.
FYI: Not sure about your 14 Eyes-free VPN options? Try VyprVPN or ProtonVPN, both based in Switzerland. There’s also CyberGhost in Romania. One of our favorites is Panama-based NordVPN. Check out our NordVPN review for the whole security story.
Secondly, find a VPN with outstanding server security. The very best, like ExpressVPN, own and operate their own DNS servers, and use RAM, not hard drives, to store data.
The first means your VPN provider won’t be routing your data through subpar, third-party servers. This happens when VPN providers “rent” servers from other providers. The second means there’s no data for hackers to steal even if they had a key, because RAM-based servers wipe themselves clean every time they’re restarted.
If I’ve lost you in the jargon, check out our hands-on ExpressVPN review, where we’ve got a simple breakdown of this VPN’s impressive server security.
Did You Know: When you use an encrypted VPN tunnel, a DNS server acts as a secure middleman between your device and the website, app, or platform you’re connecting to.
The 14 Eyes is real. They’re out there (they have been since 1943), and, if we’ve learned anything from the Snowden leaks, they can find you. Throughout the 2010s, the NSA collected telephone and user records from millions of Verizon, Google, and Facebook users. [6]
All of which means, for better or worse, we’re living in a surveillance state. But protecting our digital privacy is still possible, and more necessary now than ever.
The best advantage you can give yourself? Practice good digital hygiene (be vigilant against phishing scams and beef up your passwords), and use a privacy-minded VPN with first-rate malware protection. If you do, you won’t have to worry about the 5 Eyes, the 9 Eyes, the 14 Eyes — or any other snooping eyes out there — because your digital footprint will be completely hidden.