by Stephen Gielda
Founder, Packetderm LLC
Understanding Global Surveillance
In discussions of online privacy, you’ll often hear passionate debates about jurisdiction, with particular focus on avoiding the “Five Eyes” intelligence alliance countries (USA, UK, Canada, Australia, and New Zealand). The argument goes that by choosing a service provider outside these nations, you can somehow escape their surveillance reach.
But let’s pause and think about that for a moment. In a world where digital information flows freely across borders, where undersea cables connect continents, and where global tech infrastructure is deeply interconnected, does it really make sense to think that physical jurisdiction offers meaningful protection from surveillance?
Focusing solely on “Five Eyes” in 2025 is like worrying about a single searchlight while standing in a stadium flooded with powerful LEDs. Modern surveillance capabilities have evolved into a complex, global web that makes traditional jurisdictional boundaries increasingly irrelevant. The reality is that sophisticated monitoring systems operate far beyond official alliances, with capabilities that weren’t publicly known until decades after their implementation.
This isn’t just speculation – historical revelations have consistently shown that surveillance programs routinely transcend geographical and legal boundaries, often operating in ways that only come to light years or even decades later. As technology advances, these capabilities have only grown more sophisticated and pervasive, creating a surveillance landscape far more intricate than simple jurisdictional considerations would suggest.
Before you place your trust in the supposed safety of any service selling itself based upon jurisdictions, let’s examine what modern surveillance really looks like, and why your privacy strategy might need a more comprehensive approach than simply choosing the right country on a map.
Cross-Border Operations and Cooperation
The landscape of international surveillance cooperation reveals a complex web of relationships that transcend traditional political boundaries. At the core of this web lies the Five Eyes alliance, a sophisticated intelligence-sharing arrangement between the United States, United Kingdom, Canada, Australia, and New Zealand. This partnership, formalized through the UKUSA Agreement, has evolved from its Cold War origins into a comprehensive digital surveillance network. The alliance maintains integrated systems for sharing signals intelligence, with facilities like Pine Gap in Australia and GCHQ Bude in Cornwall serving as joint operations centers.
This core alliance has expanded into what is known as the Fourteen Eyes (including the original Five Eyes plus Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Spain, and Sweden) and effectively the Fifteen Eyes with the inclusion of Israel as a key intelligence partner. These expanded arrangements, while less integrated than the core Five Eyes, enable extensive sharing of both raw intelligence and processed surveillance data. The 2021 SIGINT Seniors Europe (SSEUR) conference in Copenhagen revealed the deployment of shared monitoring systems at major European internet exchange points, allowing participating agencies to pool resources and surveillance capabilities.
China has developed its own extensive network of surveillance partnerships, particularly through the Shanghai Cooperation Organisation (SCO) and bilateral agreements. The SCO’s Regional Anti-Terrorist Structure (RATS) serves as a framework for sharing surveillance capabilities among member states, including Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan. China has also established bilateral surveillance sharing agreements with Pakistan, Cambodia, and Laos, providing both technology and operational support. These arrangements often involve the deployment of Chinese-developed surveillance systems, creating a network of compatible monitoring capabilities across participating nations.
In the Asia-Pacific region, similar patterns emerge through different mechanisms. The Japan-India-Australia trilateral intelligence sharing agreement, formalized in 2021, established a framework for sharing signals intelligence and surveillance capabilities across the region. South Korea’s National Intelligence Service (NIS) maintains documented cooperation with both Western and regional partners, including joint surveillance operations with Singapore’s Security and Intelligence Division (SID) targeting regional communications infrastructure.
Middle Eastern cooperation networks show another dimension of cross-border surveillance. The Gulf Cooperation Council’s joint security agreement enables member states to share surveillance capabilities and data. The UAE’s signals intelligence agency has established partnerships with counterparts in Egypt and Saudi Arabia, creating a regional surveillance network that operates across national boundaries. These arrangements were revealed through documentation of shared surveillance infrastructure at major regional internet exchange points.
African nations have developed their own cooperative frameworks. The Eastern Africa Police Chiefs Cooperation Organisation (EAPCCO) has implemented shared surveillance systems, with Kenya, Uganda, and Rwanda establishing joint monitoring capabilities at their shared internet exchange points. South Africa’s State Security Agency has documented cooperation with both regional partners and international agencies, maintaining surveillance sharing agreements that span multiple continents.
Latin American surveillance cooperation shows similar patterns. Brazil’s ABIN (Brazilian Intelligence Agency) maintains technical surveillance sharing agreements with Argentina’s AFI and Colombia’s DNI, creating a regional signals intelligence network. Mexico’s CISEN has established partnerships with multiple Central American agencies, enabling cross-border surveillance operations throughout the region.
The Russian-led Collective Security Treaty Organization (CSTO) has implemented shared surveillance systems across member states, with technical centers in Moscow coordinating operations across Central Asia. This includes standardized monitoring equipment at internet exchange points and shared access to telecommunications monitoring systems.
The extent of intelligence cooperation extends far beyond these formal alliances, as demonstrated by the historic case of Crypto AG – a Swiss company secretly owned by the CIA and German BND that dominated the global encryption device market for decades. This operation, codenamed “Thesaurus” and later “Rubicon,” enabled Western intelligence agencies to read encrypted communications of more than 120 countries from the 1970s through the 2000s. This case exemplifies how surveillance capabilities often transcend official alliances and jurisdictional boundaries through covert arrangements and technical operations.
These cross-border operations often exploit jurisdictional differences while maintaining technical compliance with local laws. For instance, joint operations centers frequently operate under diplomatic cover, allowing them to function within host nations while maintaining immunity from local privacy regulations. The proliferation of these arrangements demonstrates how traditional concepts of jurisdictional privacy protection have been systematically undermined through international cooperation and technical sharing agreements.
The Political and Legal Framework
MLATs (Mutual Legal Assistance Treaties) have evolved far beyond their original scope, transforming from tools for legitimate law enforcement cooperation into mechanisms that routinely override local privacy laws. The U.S.-Switzerland MLAT exemplifies this transformation, repeatedly challenging Swiss privacy protections despite Switzerland’s reputation as a data privacy haven. Notable cases include ProtonMail being compelled to provide IP logs related to climate activists in 2019, and Swiss web hosting provider Private Layer being required to provide server data to U.S. authorities investigating cybercrime in 2020.
Department of Justice list of US MLATs
These cases represent just the visible tip of a much larger system of international legal cooperation. The recent expansion of the U.S. CLOUD Act and similar legislation has further eroded jurisdictional protections, creating a legal framework that asserts authority over data regardless of its physical location. This combination of MLATs and new extraterritorial legislation effectively neutralizes many traditional data privacy protections, forcing service providers to either comply with foreign government demands or cease operations entirely.
Commercial and State Surveillance Integration
The relationship between commercial entities and government surveillance has grown increasingly complex, creating a web of surveillance that transcends traditional boundaries between private and state actors.
Intelligence Agency Contractors
Major technology companies have become deeply integrated with government intelligence operations. Palantir Technologies maintains extensive contracts with the CIA, FBI, and numerous other agencies, providing data analysis capabilities that merge commercial and government data sources. The company’s Gotham platform has been documented processing data for agencies in at least 30 countries, including controversial programs in Denmark and the Netherlands.
Amazon Web Services’ $600 million CIA cloud contract and subsequent $10 billion NSA contract demonstrate the deep integration of commercial cloud infrastructure with intelligence operations. Through these arrangements, AWS operates classified data centers while simultaneously providing commercial services, creating potential conflicts between customer privacy and government access.
Microsoft’s Azure Government division provides cloud infrastructure to 17 U.S. intelligence agencies while operating data centers in numerous other countries under local government agreements. In China, Microsoft’s partnership with 21Vianet for Azure operations requires compliance with local surveillance laws, effectively creating a dual-use infrastructure serving both commercial and surveillance purposes.
In August 2024, Palantir partnered with Microsoft to offer AI services to U.S. defense and intelligence agencies, integrating Microsoft’s large language models with Palantir’s AI platforms within Microsoft’s government cloud environments. This collaboration aims to enhance national security capabilities but also raises questions about the ethical implications of such deep integration between private tech companies and government surveillance operations.
Commercial Spyware Vendors
The commercial spyware industry has become a crucial component of global surveillance capabilities. NSO Group’s Pegasus software has been documented in use by at least 45 countries, with confirmed cases of surveillance against journalists, activists, and political figures in Mexico, India, Saudi Arabia, and the UAE. The company’s targeting database, revealed in 2021, showed over 50,000 phone numbers selected for surveillance worldwide.
Candiru, another Israeli firm, has sold spyware to governments including Uzbekistan, Saudi Arabia, and Singapore, as revealed in CitizenLab investigations. Their infrastructure was identified operating in at least 16 countries, with spyware installations detected on networks of civil society organizations and media outlets.
Italian company Hacking Team (now part of Memento Labs) provided surveillance tools to Ethiopia, Morocco, and the UAE, as documented in leaked emails. Their Remote Control System (RCS) was found operating in 35 countries, often used to target human rights activists and journalists. The company’s successor, Memento Labs, continues to provide similar capabilities while operating under new corporate structures.
German company FinFisher’s surveillance software has been found operating in at least 25 countries, including Belarus, Egypt, and Vietnam. Their products were identified targeting pro-democracy activists in Turkey and dissidents in Pakistan, all while maintaining corporate offices in privacy-conscious European jurisdictions.
Telecommunications Integration
Telecommunications companies frequently serve as direct partners in government surveillance efforts. The British GCHQ’s Operation TEMPORA worked directly with telecommunications providers to tap over 200 fiber optic cables passing through the UK, capturing hundreds of gigabytes of data daily. These companies, including BT, Vodafone Cable, Global Crossing, and Viatel, were revealed to have secretly collaborated in providing access to their network infrastructure.
AT&T’s Project Hemisphere provides U.S. law enforcement with access to decades of phone records, processing over 4 billion queries annually. The program includes data from non-AT&T customers whose traffic crosses their network. Similarly, Verizon’s “Special Services” division maintains dedicated facilities for government surveillance operations, providing direct access to both domestic and international communications.
Deutsche Telekom’s cooperation with the BND for fiber optic surveillance was exposed through parliamentary investigations, revealing systematic access to international traffic at major internet exchange points. The company’s facilities in Frankfurt serve as key monitoring points for European communications. Similar arrangements exist with France’s Orange (formerly France Télécom), which provides direct access to traffic through the DGSE’s monitoring stations.
In Asia, India’s major telecoms including Bharti Airtel, Vodafone India, and Reliance Jio provide direct access to their networks through the Centralized Monitoring System (CMS). South Korea’s SK Telecom and KT Corporation maintain direct connections to government monitoring facilities under the country’s Communications Privacy Protection Act. Japan’s NTT Group operates surveillance equipment under the “Communications Monitoring Law,” providing capabilities to multiple government agencies.
The Netherlands’ primary telecoms KPN and Vodafone Netherlands were revealed to have provided access to the AIVD intelligence service at the Amsterdam Internet Exchange. Swedish provider Telia (formerly TeliaSonera) collaborated with the FRA intelligence service to tap fiber optic cables crossing the Baltic Sea, while also providing similar access in its operations across Central Asia.
In Australia, Telstra and Optus participate in the country’s data retention scheme, maintaining comprehensive records of customer communications for government access. The revelation that these companies also provided access to undersea cable landing stations demonstrated how telecommunications providers serve as crucial points for international surveillance operations.
Middle Eastern telecom providers show similar patterns of integration. Etisalat in the UAE and STC in Saudi Arabia maintain comprehensive surveillance capabilities within their networks, often utilizing systems from Western vendors like Nokia and Ericsson. These installations provide both domestic monitoring capabilities and access to international traffic passing through regional hubs.
The integration extends to Internet Exchange Points (IXPs), where telecommunications providers play a crucial role in enabling surveillance. The DE-CIX in Frankfurt, LINX in London, and AMS-IX in Amsterdam all operate under frameworks that require cooperation with government monitoring programs, effectively turning these crucial internet infrastructure points into surveillance chokepoints.
Data Brokers and Analytics
Data brokers have emerged as a critical component in global surveillance, allowing government agencies to bypass legal restrictions by simply purchasing data they couldn’t directly collect. A stark example emerged when the U.S. military was revealed to be purchasing location data from Muslim prayer apps including Muslim Pro and Salaat First through broker X-Mode Social (now Outlogic). These apps, with over 98 million downloads, were unknowingly feeding user location data into military intelligence operations.
Oracle’s BlueKai tracks over 2 trillion data points monthly, with documented sales to government agencies worldwide. Their data marketplace includes detailed profiles of billions of individuals, accessible to both commercial and government clients. A 2020 data leak revealed the extent of their collection, including detailed browsing histories and location data from partner websites and apps across more than 100 countries.
In Europe, Mobileum (formerly Roaming Consulting Company) collects and sells mobile network data to governments worldwide. Their systems process data from over 900 mobile networks across 190 countries, providing detailed movement patterns and communication records to various agencies.
The practice extends globally. The Indian government has been documented purchasing data from local brokers like Surveillify and MadhanApps, which collect information through popular regional apps. These companies aggregate data from hundreds of apps, including banking, gaming, and social media applications, creating detailed profiles of Indian citizens.
U.S. agencies have increasingly turned to commercial data purchases to bypass Fourth Amendment restrictions. The IRS purchased smartphone location data from broker Venntel to track potential suspects. CBP and ICE acquired access to license plate databases from commercial vendor Vigilant Solutions, containing billions of records from private parking lots and toll roads.
Anomaly Six, a Virginia-based broker, embeds its software development kit (SDK) in hundreds of consumer apps, collecting location data from over 500 million devices globally. Their client list includes military and intelligence agencies from multiple countries, demonstrating how commercial data collection directly feeds into national security operations.
In China, data brokers like TalkingData and Jiguang work within the country’s data ecosystem, collecting information from apps and providing it to both commercial clients and government agencies. These companies process data from over 1 billion devices, creating detailed profiles that include online and offline behavior patterns.
Middle Eastern governments have been documented purchasing data from brokers like Rayzone Group and Circles Technologies. These companies aggregate information from telecom networks, apps, and social media, selling access to both regional security services and international clients.
Clearview AI exemplifies the global reach of modern data brokers, having scraped over 20 billion facial images from social media and the internet. Their services have been sold to over 2,400 law enforcement agencies across 27 countries, effectively creating a global facial recognition database through commercial means.
The Predicio data broker network, exposed in 2021, revealed how location data from seemingly innocent apps was being sold to defense contractors and government agencies. Their network included apps ranging from weather services to dating platforms, demonstrating how everyday applications serve as collection points for surveillance data.
Acxiom, one of the largest data brokers globally, maintains profiles on billions of individuals, providing this data to both commercial and government clients. Their global data products include information from public records, commercial transactions, and online behavior, creating comprehensive profiles that are sold to various government agencies. In 2021, they were revealed to be a key supplier of consumer data to multiple intelligence agencies, with their data being used for pattern-of-life analysis and target identification.
Privacy Service Consolidation
The consolidation of privacy services under larger corporate entities represents a significant shift in the privacy industry landscape. The most notable example is Kape Technologies, which evolved from its origins as Crossrider, a company known for developing browser extensions that were often flagged as malware, as well as tools documented to have been used in surveillance operations. Kape has since acquired ExpressVPN for $936 million, CyberGhost, Private Internet Access, and ZenMate, gaining control over a significant portion of the VPN market. Their transition from surveillance technology to privacy services has raised concerns, particularly given their continued partnerships with advertising and analytics companies.
Strategic acquisitions by Ziff Davis (formerly J2 Global) demonstrate another pattern of consolidation. Their purchase of IGN, Mashable, and other tech media outlets provided platforms to promote their acquired VPN services: StrongVPN, IPVanish, and SaferVPN. The company later acquired HotSpotShield’s parent company Pango, adding additional VPN services to their portfolio while maintaining connections to advertising networks through their media properties.
Nord Security’s merger with Surfshark, followed by investment from private equity firm Novator Partners, created another major consolidation in the industry. This merger, valued at $1.6 billion, brought together two of the largest VPN providers while maintaining an appearance of independence. The subsequent expansion into password managers and encrypted cloud storage shows how these consolidated entities are expanding beyond traditional privacy services.
Less publicized but equally concerning are cases like Chinese consortium Innovative Network Solutions acquiring multiple smaller VPN services including PureVPN, Ivacy, and several white-label VPN providers. Despite marketing claims about Swiss and Singapore jurisdictions, these services were revealed to share infrastructure and data handling practices with Chinese entities.
The consolidation and deceptive practices of VPN providers came into sharp focus through a series of revelations beginning in 2020. What appeared to be independent VPN services – including SuperVPN, UFO VPN, FAST VPN, Free VPN, Flash VPN, Secure VPN, and Rabbit VPN – were discovered to be white-label products operating under shared ownership and infrastructure. Despite each service prominently marketing “no-logs” policies, subsequent data breaches in 2022 and 2023 revealed the true extent of their data collection.
The 2022 breach exposed personal information of 21 million users across multiple services, while SuperVPN’s 2023 breach revealed an unsecured database of over 360 million records containing everything from original IP addresses to detailed browsing histories. The incident exposed not only the hollow nature of their privacy promises but also the risks of a consolidated VPN industry where multiple brands operate as mere fronts for the same underlying infrastructure – all while collecting precisely the kind of sensitive data they claimed not to store.
The impact of consolidation extends to infrastructure. Oracle’s acquisition of Dyn, a major DNS provider, followed by their purchase of Internet Intelligence, has concentrated critical privacy infrastructure under corporate control. Similar concerns arose when Cisco acquired OpenDNS, integrating it into their threat intelligence platform which shares data with various security services.
These consolidations often involve complex financial structures designed to obscure ultimate ownership. For example, the acquisition of several privacy-focused browser extensions by an investment group was later linked to a major advertising network through a series of holding companies. This pattern of obscured ownership through corporate structures makes it increasingly difficult for users to understand who ultimately controls their privacy services.
The Crypto AG operation reveals a crucial pattern in government-backed surveillance services: when intelligence agencies covertly control a privacy or security service, they invest heavily in its success and market dominance. The CIA and BND didn’t merely operate Crypto AG – they poured resources into making it the industry leader, ensuring its encryption machines were technically sophisticated enough to be credible while maintaining their exploitable weaknesses.
They leveraged diplomatic channels to promote the company’s products, used their jurisdiction as a seal of legitimacy, deployed intelligence assets to undermine competitors, and even arranged for respected neutral nations to publicly endorse the company’s services. This pattern suggests that when a privacy service receives unusual levels of institutional support, achieves unexpectedly rapid market dominance, or benefits from seemingly coordinated positive coverage across multiple channels, it might warrant more careful scrutiny. The very success and prominence of a service might, paradoxically, be a warning sign of state involvement rather than an indication of trustworthiness.
Security Companies
The security industry exemplifies the fusion between private enterprise and state surveillance. G4S, one of the world’s largest security companies, operates surveillance systems for both private clients and government agencies across 85 countries. Through their acquisition of Adesta and other surveillance technology providers, they’ve become deeply integrated with national security infrastructure, operating monitoring centers that serve both commercial and government purposes. Their role in managing immigration detention facilities in multiple countries has provided them with extensive databases of biometric data.
Thales Group demonstrates how defense contractors have expanded into commercial surveillance. Their Digital Identity and Security division supplies both consumer security products and government surveillance capabilities. The company’s acquisition of Gemalto gave them control over a significant portion of the world’s SIM card production, while their integration with mobile network operators provides extensive monitoring capabilities. Their surveillance systems have been documented operating in countries with concerning human rights records, including Egypt and Kazakhstan.
BAE Systems’ Applied Intelligence division represents another convergence point. While marketing cybersecurity services to businesses, they simultaneously develop surveillance tools for government agencies. Their acquisition of Danish cyber intelligence firm ETI Group expanded their capabilities in mass surveillance systems. Documentation revealed their technology being used for nationwide monitoring in Middle Eastern countries, while maintaining contracts with Western intelligence agencies.
Verint Systems exemplifies the dual-use nature of modern security technology. Their call center monitoring tools, sold to businesses for quality assurance, share core technology with their government surveillance systems. Their NICE unit, before its spinoff, supplied interception capabilities to both telecommunications companies and intelligence agencies. Their systems have been documented intercepting calls in countries across Asia and Latin America.
L3Harris Technologies, through multiple acquisitions, has become a major provider of both commercial security and government surveillance tools. Their acquisition of Vosper Thornycroft’s electronics division added capabilities for monitoring undersea cables, while their integration of Applied Signal Technology provided advanced signals intelligence capabilities. Their systems are used by both corporate security operations and national intelligence agencies.
Palantir’s expansion beyond government contracts shows how surveillance capabilities flow between sectors. Their Foundry platform, originally developed for intelligence agencies, is now used by major corporations for data analytics, creating shared surveillance capabilities between private and government sectors. Their systems process data from various sources, including commercial databases and government records.
NEC’s biometric systems demonstrate similar dual-use patterns. Their facial recognition technology, sold to retailers for security purposes, shares core technology with government surveillance systems. Their integration with India’s national ID system while simultaneously providing commercial security services shows how corporate and state surveillance capabilities converge.
Leonardo SpA (formerly Finmeccanica) provides another example through their cyber division. While selling security services to corporations, they simultaneously develop monitoring systems for government agencies. Their acquisition of Sirio Panel expanded their surveillance capabilities into aviation systems, while their integration with telecommunications providers enables widespread monitoring capabilities.
The EDGE Group in the UAE has emerged as a significant player, combining commercial security services with government surveillance capabilities. Their integration of multiple technology companies has created a comprehensive surveillance provider that serves both private and state clients across the Middle East and North Africa.
Implications for Privacy
The tangled web of global surveillance reveals an uncomfortable truth: trying to find a “safe” jurisdiction is like trying to find a dry spot in a monsoon. The reality is far more complex and interconnected than any pinboard of surveillance relationships could possibly capture. The monitoring and data-sharing agreements are so Byzantine, so deeply intertwined, that they effectively nullify any meaningful boundaries or controls.
This stark reality demands we fundamentally reimagine our approach to privacy. True privacy in today’s world isn’t achieved by picking the right spot on a map, or passing the right laws – it requires a sophisticated combination of cutting-edge encryption, robust technical safeguards, and meticulous operational security, all built on a clear-eyed understanding of modern surveillance capabilities.
While jurisdiction might still be a factor to consider in some very specific situations, treating it as your primary shield against today’s global surveillance apparatus is like using an umbrella in a hurricane. Instead, we must shift our focus to building privacy through encryption and obfuscation so strong, so comprehensive, that jurisdiction becomes irrelevant. Your goal should be to make your data incomprehensible and worthless to any observer, regardless of where they – or you – happen to be located.
This article first appeared on CodaMail and is republished with permission.