Should Gibraltar be classified as a member of the 'five eyes' alliance?

ThatOnePrivacyGuy here,

I’m inferring that this blog post is in direct response to my VPN Comparison Chart in which I mark Gibraltar as a “Fourteen eyes country” (with a note explaining Gibraltar itself isn’t a fourteen eyes country, but it is a British Overseas Territory of the UK, which is). I have created a thread on reddit on the /r/vpn subreddit where I will respond to questions and comments and in which I have posed the question to the community after providing the information I originally used to make this decision. The relevant thread can be found here:

https://www.reddit.com/r/VPN/comments/421973/should_gibraltar_be_classified_as_a_fourteen_eyes/

ThatOnePrivacyGuy here,

After some consideration, I have changed my VPN Comparison Chart in the /r/vpn sidebar to show Gibraltar NOT as a Fourteen Eyes Country, but I have left the note that was there in place as a warning for the reasons discussed in my thread.

It’s clear to see how these Alliances have been operating for probably longer than we realised. Australian’s wanted to cut ties to the Commonwealth quite some time ago but of course that did not eventuate. Aus ticks a lot of boxes from above but that one tie to the “Commonwealth” keeps us in the FVEY’s.

I have noticed using IVPN tuneling via the UK recently that there have been “Read this about changes in how we handle your data” type notices on G0ggleye sites.

Switch to the US or NL and the notice is gone. It seems the UK are digging their claws in. I guess most will click “Okay I got it” rather than read it.

Privacytools.io has and maintains a very informative collection of tools and explains the 5-14 eyes agreements for anyone who is interested.

Thanks for the informative blog post @Ed Holden.

Gibraltar is a British territory, so although it isn’t a part of the UK and has its own parliament and judiciary, the UK is still responsible for its defense and foreign policy.

This means that Gibraltar is within GCHQ’s jurisdiction through the UK’s membership in the Five Eyes, the Nine Eyes, and the Fourteen Eyes.

I am sort of on the fence with this one. Do I believe that Gibraltar is able to be controlled by high authority government entities within the UK? Yes. Do I think this is at all likely to happen? No. Let me do some explaining.

I have always told people that security, privacy and anonymity come in multiple levels. In this day and age, we can’t just rely on a home security system to keep us safe and never lock our front door. The same applies for the digital world as well. In the Reddit post, someone mentioned “for OPSEC purposes..” and I immediately saw the flaw in that because one would be outright foolish to place their unconditional trust in a VPN company if it was life or prison for them.

I am a firm believer that IVPN is standing up for our privacy in the digital world on incredible levels. I also believe they could improve the system to garner more trust from their user-base (which I would happily discuss with their admins :P). But in the end, they are a great job at providing a service that is secure and keeps who we are anonymous and what we do private. Should they receive such a high-powered lawful request to turn on logs and identify a customer, from an Intelligence agency like the GCHQ, it is you who is at fault if they are able to fulfill this request and come knocking on your door with a search warrant. Placing all your eggs in one basket is a surefire way to get owned.

Chaining multiple VPNs together or using the Tor Browser on top of IVPN is not only easy to do, but can only further the anonymity you acquire. **

Crypto | Seb

https://twitter.com/cryptoseb

iVPN should get a lot of credit for being transparent about what they can and cannot do. On this topic, the crucial question is probably data retention. Can the jurisdiction of the company’s incorporation compel iVPN to keep and turn over customer data, including actual internet traffic, logs, and other items related to clients? iVPN’s data privacy policy is spelled out here:

https://www.ivpn.net/privacy/

That’s about as good as it gets for vpn services. If your vpn service does not keep the data, they can’t turn it over to whoever compels them to do so.

That is not completely bulletproof, but it is a good start. As far as Gibraltar goes, it is a British Overseas Territory, and each territory has differences in how it is governed. Unlike British Crown Dependencies (the channel islands, Isle of Mann) territories can have varying degrees of separation from the UK government. If GHCQ (that large Doughnut shaped building in Cheltenham) is listening to internet traffic in and out of Gibraltar, what would they “hear”? iVPN’s entry and exit node servers are not in Gibraltar. The British government is responsible for Gibraltar’s defense and foreign policy, so could some part of it compel a private Gibraltarian company like iVPN to hand over client data, or force it to “split tunnel” or “mirror” their server traffic in foreign countries?

It may be possible, but unlikely. Gibraltar is self-governing, and it would be a stretch for the Brits to ask for this. Gibraltar is pretty good when it comes to the privacy of companies incorporated there, so they would be unlikely to go along.

I would worry about the Brits, but I would worry a lot more about the American and EU governments, and, at the moment, Spain. The EU might have good data privacy laws for individuals, but for companies like iVPN it might be different. Spain after the Brexit vote now wants “co-sovereignity” over Gibraltar, which the citizens of Gibraltar have fiercely rejected (and rightly so).

Australia has never sought to ‘cut ties’ with the Commonwealth of Nations- the majority of Commonwealth members are republics, and had the referendum in 1999 gone the other way, existing agreements like the Five Eyes agreements would have remained the same.

In theory, the UK still has the right to legislate for Gibraltar and suspend its Constitution (just as it did that of another Overseas Territory, the Turks and Caicos) whereas the 1986 Australia Act removed the UK Parliament’s right to legislate for Australia - in addition, the Privy Council was also removed as Australia’s highest court of appeal.

In conclusion, not the same as Australia.

Er guys, the spooks have been seen to break the law, time and time again. That’s why giving them more power is dangerous. If it’s a serious case like stopping a terrorist nuke or WMD no one is going to give a sh1t, but most of the spying by volume by definition of mass surveillance, has 0% to do with that. Thus, breaking the law, it is encouraging love of the power that the technology gives them, mission-creep and corruption by power, plain and simple. An Age-old problem for humans. The same failure of restraint that some extremist is doing, just different tools and a lot more cold-blooded. So, why is the discussion about whether spying is happening under the laws of the UK / Gibraltar? What about illegally? Thus the geographic region is irrelevant! When they have secret courts where you don’t get to challenge the evidence? That’s dangerous, to assume that they aren’t doing something, just because it is illegal to do it… With the ignorant corrupt culture in the UK today, who’s to stop them? They know it’s like that! Superhumans don’t exist, and power corrupts, end of story. They’re spooks - at least some of whom are the best professional liars in the UK, arguably. Or certainly are working hand-in-hand with their counterparts in Westminster. All this debate, implying they cannot use something against you in legal proceedings because it was gathered illegally, which is NOT a point of law in the UK. There, even cops can lie and break the law to gather evidence but the evidence is still admissible - shameful and rights-abusing but true - that “evidence must be gathered legally” is the USA you’re thinking about. So, sure, RIPA and IPA don’t apply (or do?) so one of the TENS of UK Gov agencies that have powers to snoop on you since RIPA (let alone the Investigatory Powers Act) won’t have such an easy time doing so… but you’re naive if you think they go so far into intelligence gathering via electronic means, but suddenly stop at the Gibraltan border etc. The UK maintains a whole base in Cyprus for one reason only: Sigint. Well, maybe the sexy Cypriot women help sway it, but people need to realize the mentality of these British Government / Establishment people. They are power-crazy. Now, obviously your threat model may fear none of that, it doesn’t matter, etc. But they (Gov ministers) keep talking about banning encryption, guys! Like it was an any-way-near sane option to consider! Scary times, and I don’t want to sow FUD, honestly. It’s just… well, naivety in others is a tool they use, too, remember that.