Hosting Outside Five Eyes Intelligence Jurisdiction

The UKUSA Agreement, formalized in 1946 and expanded over subsequent decades, creates an intelligence sharing architecture across five English-speaking nations. The agreement is primarily about signals intelligence (SIGINT) - the interception and analysis of electronic communications. Five Eyes cooperation enables collection at internet exchange points, undersea cable tapping, satellite interception, and more targeted communications surveillance.

The practical implication for hosting: servers located in Five Eyes countries can be subject to signals collection by any of the five intelligence agencies under domestic legal authority, with intelligence then shared across the alliance. A server in the UK can be targeted by GCHQ under the UK Investigatory Powers Act, and resulting intelligence can be shared with the NSA, CSE, ASD, and GCSB without requiring separate legal process in each country. This creates a legal arbitrage where collection legal in one country produces intelligence available to all five.

Servers located outside Five Eyes countries are still subject to the host country's own intelligence capabilities. But they are not automatically part of the UKUSA sharing architecture. Collection against an Icelandic server by a Five Eyes agency requires either technical collection (intercepting traffic in transit, which is possible but requires targeting) or legal process through MLAT with Iceland's judicial system - a much higher bar than domestic collection authority.

For threat models involving surveillance by state-level actors, specifically those operating within or with cooperation from Five Eyes agencies, hosting outside the UKUSA framework provides meaningful reduction in surveillance risk. This matters most for journalists covering national security topics, political activists in countries with strong Western intelligence relationships, and businesses handling information of interest to government intelligence communities.

Iceland is a founding NATO member and maintains close security cooperation with the US and other Western allies. However, NATO membership and UKUSA signals intelligence sharing are separate frameworks. Iceland is not a signatory to the UKUSA Agreement and does not participate in the bulk SIGINT sharing that characterizes Five Eyes cooperation.

Iceland disbanded its own military forces in 1869 and has maintained only a coast guard and police force since then. The country has no domestic signals intelligence agency equivalent to GCHQ, NSA, or CSIS. Iceland's primary intelligence and security function is the Department of Civil Protection and Emergency Management (Almannavarnir) and the National Security and Intelligence Service (RIKIS), which focus on domestic security rather than foreign SIGINT operations.

The practical implication: a server in Iceland is not monitored by an Icelandic SIGINT agency as a matter of course. Icelandic authorities can conduct targeted surveillance under Icelandic criminal law with judicial authorization, but there is no bulk collection program targeting Icelandic internet infrastructure because there is no Icelandic intelligence agency with the mandate or resources to operate one.

Five Eyes agencies can and do conduct foreign intelligence operations outside their home countries, including against Icelandic-hosted infrastructure if it is a target of interest. But they must do so without the domestic legal authority that applies within their own jurisdictions. Collection against Icelandic infrastructure by a US agency requires either technical collection (intercepting traffic at internet exchange points or undersea cables before it reaches Iceland) or legal process in Iceland - which, under MLAT, requires dual criminality and Icelandic judicial approval.

Choosing a hosting jurisdiction based on intelligence alliance exposure requires understanding which alliances cover which countries. Here is a practical comparison of commonly used hosting jurisdictions.

Five Eyes members (US, UK, CA, AU, NZ): highest intelligence sharing exposure. Domestic legal authority for collection is broad. Intelligence shared across all five countries without per-country legal process. US CLOUD Act allows US law enforcement to compel data from US companies' overseas servers. Not recommended for high-sensitivity use cases.

Fourteen Eyes members (adds DE, FR, SE, NL, BE, IT, ES, NO, DK): enhanced cooperation on specific intelligence matters, but not the full UKUSA bulk sharing architecture. EU member states have GDPR constraints on domestic surveillance that provide some protection. Germany and France have strong data protection cultures but also robust domestic intelligence agencies. Suitable for most business use cases, not ideal for high-sensitivity political or journalistic work.

EEA non-EU, non-UKUSA (Iceland, Liechtenstein, Norway): Norway is in the Fourteen Eyes extension, so Iceland and Liechtenstein are the cleanest options in this category. Iceland has stronger IMMI-backed press freedom protections than Liechtenstein. For non-Five Eyes, non-Fourteen Eyes hosting with strong data protection law, Iceland is the most practical option with real datacenter infrastructure at competitive prices.

Non-aligned jurisdictions (Switzerland, Panama, Seychelles, etc.): some customers prefer countries with no significant intelligence alliance memberships and no data protection law cooperation with EU/US. These jurisdictions offer maximum independence but often with lower legal protections for customers themselves, weaker datacenter infrastructure, and higher prices. AnubizHost does not currently operate in these jurisdictions.

For the combination of non-Five Eyes, non-bulk-SIGINT, strong constitutional privacy law, and practical datacenter infrastructure at reasonable prices, Iceland is the best available option in Europe. Romania is in the EU (not Five Eyes) and provides the Constitutional Court precedent advantage at lower price points for non-SIGINT threat models.

Selecting a non-Five Eyes hosting location is one element of a defense posture against state-level surveillance. Combined with appropriate operational security practices, it provides meaningful protection for high-risk work.

Traffic encryption: all traffic to and from your server should be encrypted in transit. TLS 1.3 for HTTPS services, SSH for administrative access, WireGuard or OpenVPN for VPN tunnels. Traffic intercepted at internet exchange points or undersea cables is encrypted and cannot be read without your keys. Key management - keeping private keys only on devices you control, rotating keys periodically, and using forward secrecy (which both TLS 1.3 and WireGuard provide by default) - limits the value of any captured traffic.

Tor integration: for the highest sensitivity applications, route all traffic to and from the server through the Tor network. This defeats traffic analysis even against an adversary who can observe the full network path. Running a hidden service (.onion address) means the server's real IP is never revealed in normal operation, even to your users. AnubizHost's Iceland VPS nodes support Tor relay and hidden service operation. Ensure your server is not also accessible at its real IP for any production services you want to protect - hidden services require that the origin IP not be discoverable through the application itself.

Physical access consideration: even in Iceland, physical server access is possible for law enforcement under valid Icelandic court orders. Full-disk encryption (LUKS) with keys held only by you means physical access produces encrypted disks. For maximum protection, do not configure automatic key injection at boot - require a manual passphrase entry that you provide over a console or SSH after each boot. This is operationally inconvenient but means the server cannot be secretly imaged and decrypted while running.

Contact and provisioning: for five-eyes-free operation, ensure that all your contact points with AnubizHost (account creation IP, support ticket IP, payment method) are also outside Five Eyes monitoring. Use Tor browser for account creation and panel access. Use Monero for payment. Use a Proton Mail or Tutanota email address for your account. This makes the account itself resistant to intelligence collection through US or UK companies (Google, Microsoft, US-based payment processors) that are subject to Five Eyes legal demands.