Does the Country a Service is Headquartered in Matter?

On my website, I list the country a service is located in as either a point for or against them. As a sort-of explanation, I also link to the Wikipedia page about the Five Eyes intelligence community. Likewise, you will often see people in the privacy community asking questions or debating about the location of a company and why it pertains to the privacy of a specific product. So this week I ask: does it really matter?

What is “Five Eyes”?

If you didn’t click the link above – or just didn’t understand it – the “Five Eyes” refers to an intelligence agreement between the US, UK, Australia, Canada, and New Zealand. It was originally born out of the cold war as a way for democratic countries to keep an eye on the spread of communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication, but they're known to share other intelligence as well.

The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, the US intelligence agencies aren’t supposed to spy on US citizens without a reason. Same thing in the UK. But the US is totally free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.

There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain counties (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen eyes are less invasive and share less (but still invasive).

How Does This Relate to Privacy and Services?

Country of origin determines the laws and practices a company is subject to. A company based in the United States will be subject to US law – taxes, worker rights, and even surveillance. A US-based company will be caught up in the Five Eyes dragnet, and a US company will have to turn over any data requested by a warrant from a US law enforcement agency such as the FBI. For example: I run a Nextcloud server out of my home. It’s small and it’s only for friends and family. If my city, county, or state police or the FBI came to my door with a warrant and said “we need you to clone your mom’s data and give us a copy,” legally I’d be forced to comply. But if I move to Canada, the situation changes. My mother – who still lives in the US – is under investigation. If it’s a local investigation, police aren’t going to bother with the international red tape of asking me to hand over her data. They might ask, but since it crosses international lines and their resources are limited, they probably won’t bother making it an official, legally-binding request (unless they suspect the data I possess is key to their case). Even the FBI will meet a few more roadblocks in the process. Not many. They have the resources, and Canada is a friendly country with the US, so they’d probably get the approval. But it’s not as easy as it was before when I lived in the US.

As such, a lot of people in the privacy community prefer to pick services that are run by companies that are based outside of the various Eyes communities. The further outside, the better. A company in Germany is superior to a company in America because Germany is part of the Fourteen Eyes, which is better than the Five Eyes. But a company based in Switzerland or Finland is even better because those companies aren’t part of any Eyes. The roadblocks required to get the data – from both a legal and a surveillance perspective – are much higher.

Is This Actually Effective?

The short answer, in my opinion, is no. This stuff doesn’t really matter. As my long-time readers know, I don’t encourage breaking the law. Ideally you shouldn’t be doing anything that gets you on the law-enforcement radar in the first place (I’ll come back to that in a moment). But first let’s talk about surveillance: the Five Eyes are spying on EVERYONE. The idea that your data is somehow magically safe because the server is in Finland is as ridiculous as saying that I’m somehow magically safe because I put my seatbelt on when I drive. Obviously I do, seatbelts dramatically increase my odds of survival in a traffic collision, but the seatbelts don’t do a thing to stop someone from hitting me. Likewise, putting my data in Switzerland helps, but it's not a magic bullet.

Before I go on, I need to explain how the internet works at the global level. At the very top of the network food chain are “Tier 1 networks,” which are basically the internet service providers of the internet service providers you and I know and use like Comcast or Time Warner. According to Wikipedia, most Tier 1 networks are headquartered in Western countries like France, Germany, the UK, and the US. A couple are in places like India and Hong Kong. If you remember the list of eyes from before, this means that virtually every single Tier 1 provider is based in an eyes country, over half of them in Five Eyes alone. Choosing a country that’s outside Eyes jurisdiction does make surveillance slightly harder, but considering that literally all network traffic needs to route through a Tier 1 network and 88% of them belong to the Eyes, it also makes that surveillance relatively trivial. The Eyes own the internet. Not to mention there's absolutely nothing to stop state actors from setting up totally legal shell corporations in foreign, non-Eyes countries and then using those to spy on the locals.

So does that mean you shouldn’t care at all? Of course not. As I said, picking a country outside the Eyes does make surveillance a little bit harder. While the traffic still passes through Eyes infrastructure and into Eyes territory on your device, if you're doing it right that traffic is encrypted and the data itself rests outside of Eyes jurisdiction. That does count for something. Earlier I mentioned not to get yourself caught in the crosshairs of law enforcement, but we all know that law enforcement is not perfect and mistakes happen. People get wrongfully targeted, arrested, and convicted all the time. Putting your potentially-incriminating data outside the hands of the law so that they can’t use it against you is a great consideration.

However, you should consider the location of a service a lot like the color of a car: ideally you’d like to have one color, but it shouldn’t be the deciding factor. The deciding factors should be the other things I discuss when I list services on my site: how strong is the encryption? Is the company transparent? How is the privacy policy? What information do they log? Can they access your data? Under what circumstances will they hand over their logs/data? I fully expect any legitimate company to comply with a lawful warrant or request, but I also take comfort in knowing that a company will push back on a request it considers unfair (Tutanota and ProtonMail both have a documented history of this, by the way). So rather than “where are they located?” you should ask “what kinds of requests will they push back on?” How is the company’s reputation? And then, once all factors have been weighed, that’s when you should give the country of origin a thought. One reason a lot of people prefer companies based in Germany and Switzerland is because those countries have privacy laws that are superior to the US (though also not perfect). But if you're using companies who are zero-knowledge, don't log data (or log as little as possible for as short a time as possible), and use strong encryption, then the country means almost nothing.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.