Should Gibraltar be classified as a member of the 'five eyes' alliance?

There is a widely circulated misconception that Gibraltar is a part of the United Kingdom (UK). This misconception is reflected in the apparent classification of Gibraltarian VPN service providers as UK service providers. Such a classification misleads the users of Gibraltarian VPN services (such as IVPN) by giving them the false impression that Gibraltarian VPN services are governed by the UK laws and hence are subject to the signals intelligence sharing of the five eyes or ‘fourteen eyes’ alliances.

The purpose of this article is to demonstrate that Gibraltar is not a part of the United Kingdom (UK) and, therefore, Gibraltarian VPN service providers are not subject to the intelligence sharing alliance of the ‘five eyes’. In Section 2, an examination of the relationship between Gibraltar and UK is provided. Section 3 contains arguments showing that Gibraltar is not a part of the UK. In Section 4, a conclusion is drawn.

What is the relationship between Gibraltar and UK?

The main relationship between Gibraltar and UK stems from the fact that the British monarch is the head of state of both Gibraltar and UK. However, such a relationship is not enough to make Gibraltar a part of UK. For example, no one argues that Andorra is a part of France although the President of France is the head of Andorra (together with the Spanish/Roman Catholic Bishop of Urgell).

Arguments showing that Gibraltar is not a part of the UK

Gibraltar is not a part of the UK due to the following reasons:

  • Gibraltar has its own system of governance, including a parliament and a government. The members of these two institutions are elected by the Gibraltar electorate. The parliament has 17 members, whereas the government consists of 10 members. The official website of the Gibraltar parliament states that the “the Gibraltar Parliament is the heart of democracy in Gibraltar and the rock foundation of the sovereignty of ‘Gibraltarians’ in the widest sense”.
    • Gibraltar is not governed by the UK laws, but by legislation which suits Gibraltar’s own particular requirements and not the UK requirements.

    • The Gibraltar Legislation Support Unit (LSU), together with ministers and government departmental officials, is responsible for drafting the Gibraltarian legislation. The Gibraltarian legislation is not drafted by the UK Office of the Parliamentary Counsel (an institution responsible for drafting all UK government Bills).

    • Gibraltar has its own independent legal system. The Supreme Court of Gibraltar has unlimited jurisdiction to resolve any civil or criminal disputes. Other judicial institutions in Gibraltar include: the Court of Appeal of Gibraltar, Court of First Instance, and Magistrates’ Court.

    • Gibraltar uses its own currency (the Gibraltar pound) which is controlled by Gibraltar’s government.

    • Gibraltar is not officially represented in the UK parliament.

    • Gibraltar is excluded from 4 areas of EU policy, namely, Customs Union, Common Commercial Policy, Common Agriculture Policy, Common Fisheries Policy. In comparison, the UK is obliged to comply with all those four areas. If Gibraltar was a part of the UK, the EU policies applying to UK would have applied to Gibraltar as well.

    • Gibraltar is not obliged to comply with neither UK nor EU VAT rules. See Article 28 of the 1971 UK Assession Treaty.

      • The Gibraltar Constitution Order 2006 clearly states that the Constitution of Gibraltar gives the people of Gibraltar a degree of self-government.
      • The taxation in Gibraltar differs significantly from the taxation in UK. In comparison with UK, no corporate tax is levied on income which is not accrued in and derived from Gibraltar.
      • The law enforcement in Gibraltar is in the hands of the Royal Gibraltar Police Force, not in the hands of the UK Police.
      • The British Foreign and Commonwealth Office pointed out that Gibraltar is a separate territory enjoying the individual and collective rights accorded by the Charter of the United Nations.
      • The British government clearly supported the right of self-determination of the people of Gibraltar.


      In the light of the aforementioned observations, it can be concluded that Gibraltarian VPN service providers should not be classified as UK service providers and hence are not subject to the signals intelligence sharing of the ‘five eyes’ or ‘fourteen eyes’ alliances. To do the opposite would mean to disregard the important difference between the regulatory regimes applying to Gibraltar and UK. For example, Gibraltarian VPN service providers are not obliged to comply with the comprehensive UK laws regulating the information society (e.g. UK Digital Economy Act 2010).

      Hence, the UK government is not entitled to conduct direct surveillance of Gibraltarian VPN networks. For example, the UK Regulation of Investigatory Powers Act 2000 (RIPA) allows certain UK public bodies to demand that a VPN service provider provides access to a customer’s communications in secret. RIPA does not apply to Gibraltar.

      Even the data protection authorities of Gibraltar and UK are different. The data protection authority of Gibraltar is called Gibraltar Regulatory Authority (GRA). The GRA supervises the enforcement of the Data Protection Act 2004, a Gibraltarian law implementing the European data protection laws. The UK authority responsible for the enforcement of the UK Data Protection Act 1998 is called Information Commissioner’s Office (ICO).

      In the future, we can expect that Gibraltar will preserve its self-governance and independent legal system. The autonomous status of Gibraltar makes it an attractive location for companies wishing to preserve the privacy and security of their customers.

Comments icon
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to
Tags: Privacy




ThatOnePrivacyGuy here,

I’m inferring that this blog post is in direct response to my VPN Comparison Chart in which I mark Gibraltar as a “Fourteen eyes country” (with a note explaining Gibraltar itself isn’t a fourteen eyes country, but it is a British Overseas Territory of the UK, which is). I have created a thread on reddit on the /r/vpn subreddit where I will respond to questions and comments and in which I have posed the question to the community after providing the information I originally used to make this decision. The relevant thread can be found here:



ThatOnePrivacyGuy here,

After some consideration, I have changed my VPN Comparison Chart in the /r/vpn sidebar to show Gibraltar NOT as a Fourteen Eyes Country, but I have left the note that was there in place as a warning for the reasons discussed in my thread.



It’s clear to see how these Alliances have been operating for probably longer than we realised. Australian’s wanted to cut ties to the Commonwealth quite some time ago but of course that did not eventuate. Aus ticks a lot of boxes from above but that one tie to the “Commonwealth” keeps us in the FVEY’s.

I have noticed using IVPN tuneling via the UK recently that there have been “Read this about changes in how we handle your data” type notices on G0ggleye sites.

Switch to the US or NL and the notice is gone. It seems the UK are digging their claws in. I guess most will click “Okay I got it” rather than read it. has and maintains a very informative collection of tools and explains the 5-14 eyes agreements for anyone who is interested.

Thanks for the informative blog post @Ed Holden.



Gibraltar is a British territory, so although it isn’t a part of the UK and has its own parliament and judiciary, the UK is still responsible for its defense and foreign policy.

This means that Gibraltar is within GCHQ’s jurisdiction through the UK’s membership in the Five Eyes, the Nine Eyes, and the Fourteen Eyes.

Crypto | Seb


I am sort of on the fence with this one. Do I believe that Gibraltar is able to be controlled by high authority government entities within the UK? Yes. Do I think this is at all likely to happen? No. Let me do some explaining.

I have always told people that security, privacy and anonymity come in multiple levels. In this day and age, we can’t just rely on a home security system to keep us safe and never lock our front door. The same applies for the digital world as well. In the Reddit post, someone mentioned “for OPSEC purposes..” and I immediately saw the flaw in that because one would be outright foolish to place their unconditional trust in a VPN company if it was life or prison for them.

I am a firm believer that IVPN is standing up for our privacy in the digital world on incredible levels. I also believe they could improve the system to garner more trust from their user-base (which I would happily discuss with their admins :P). But in the end, they are a great job at providing a service that is secure and keeps who we are anonymous and what we do private. Should they receive such a high-powered lawful request to turn on logs and identify a customer, from an Intelligence agency like the GCHQ, it is you who is at fault if they are able to fulfill this request and come knocking on your door with a search warrant. Placing all your eggs in one basket is a surefire way to get owned.

Chaining multiple VPNs together or using the Tor Browser on top of IVPN is not only easy to do, but can only further the anonymity you acquire. **

Crypto | Seb



iVPN should get a lot of credit for being transparent about what they can and cannot do. On this topic, the crucial question is probably data retention. Can the jurisdiction of the company’s incorporation compel iVPN to keep and turn over customer data, including actual internet traffic, logs, and other items related to clients? iVPN’s data privacy policy is spelled out here:

That’s about as good as it gets for vpn services. If your vpn service does not keep the data, they can’t turn it over to whoever compels them to do so.

That is not completely bulletproof, but it is a good start. As far as Gibraltar goes, it is a British Overseas Territory, and each territory has differences in how it is governed. Unlike British Crown Dependencies (the channel islands, Isle of Mann) territories can have varying degrees of separation from the UK government. If GHCQ (that large Doughnut shaped building in Cheltenham) is listening to internet traffic in and out of Gibraltar, what would they “hear”? iVPN’s entry and exit node servers are not in Gibraltar. The British government is responsible for Gibraltar’s defense and foreign policy, so could some part of it compel a private Gibraltarian company like iVPN to hand over client data, or force it to “split tunnel” or “mirror” their server traffic in foreign countries?

It may be possible, but unlikely. Gibraltar is self-governing, and it would be a stretch for the Brits to ask for this. Gibraltar is pretty good when it comes to the privacy of companies incorporated there, so they would be unlikely to go along.

I would worry about the Brits, but I would worry a lot more about the American and EU governments, and, at the moment, Spain. The EU might have good data privacy laws for individuals, but for companies like iVPN it might be different. Spain after the Brexit vote now wants “co-sovereignity” over Gibraltar, which the citizens of Gibraltar have fiercely rejected (and rightly so).

Ken Westmoreland


Australia has never sought to ‘cut ties’ with the Commonwealth of Nations- the majority of Commonwealth members are republics, and had the referendum in 1999 gone the other way, existing agreements like the Five Eyes agreements would have remained the same.

In theory, the UK still has the right to legislate for Gibraltar and suspend its Constitution (just as it did that of another Overseas Territory, the Turks and Caicos) whereas the 1986 Australia Act removed the UK Parliament’s right to legislate for Australia - in addition, the Privy Council was also removed as Australia’s highest court of appeal.

In conclusion, not the same as Australia.



Er guys, the spooks have been seen to break the law, time and time again. That’s why giving them more power is dangerous. If it’s a serious case like stopping a terrorist nuke or WMD no one is going to give a sh1t, but most of the spying by volume by definition of mass surveillance, has 0% to do with that. Thus, breaking the law, it is encouraging love of the power that the technology gives them, mission-creep and corruption by power, plain and simple. An Age-old problem for humans. The same failure of restraint that some extremist is doing, just different tools and a lot more cold-blooded. So, why is the discussion about whether spying is happening under the laws of the UK / Gibraltar? What about illegally? Thus the geographic region is irrelevant! When they have secret courts where you don’t get to challenge the evidence? That’s dangerous, to assume that they aren’t doing something, just because it is illegal to do it… With the ignorant corrupt culture in the UK today, who’s to stop them? They know it’s like that! Superhumans don’t exist, and power corrupts, end of story. They’re spooks - at least some of whom are the best professional liars in the UK, arguably. Or certainly are working hand-in-hand with their counterparts in Westminster. All this debate, implying they cannot use something against you in legal proceedings because it was gathered illegally, which is NOT a point of law in the UK. There, even cops can lie and break the law to gather evidence but the evidence is still admissible - shameful and rights-abusing but true - that “evidence must be gathered legally” is the USA you’re thinking about. So, sure, RIPA and IPA don’t apply (or do?) so one of the TENS of UK Gov agencies that have powers to snoop on you since RIPA (let alone the Investigatory Powers Act) won’t have such an easy time doing so… but you’re naive if you think they go so far into intelligence gathering via electronic means, but suddenly stop at the Gibraltan border etc. The UK maintains a whole base in Cyprus for one reason only: Sigint. Well, maybe the sexy Cypriot women help sway it, but people need to realize the mentality of these British Government / Establishment people. They are power-crazy. Now, obviously your threat model may fear none of that, it doesn’t matter, etc. But they (Gov ministers) keep talking about banning encryption, guys! Like it was an any-way-near sane option to consider! Scary times, and I don’t want to sow FUD, honestly. It’s just… well, naivety in others is a tool they use, too, remember that.

Updating the IVPN Certificate Authority

Posted on May 18, 2020 by Iain Douglas

This is an advanced warning that you may need to take action to continue using our service beyond 20th July 10:56 2020 UTC. The IVPN Certificate Authority (CA) is used to sign certificates we issue for our servers.

IVPN applications are now open source

Posted on February 10, 2020 by Viktor Vecsei

Today we are excited to announce the open sourcing of all IVPN applications (Android, macOS, iOS and Windows) under GPLv3 license. This is a first step in a multi-year plan to open source many parts of our service.

Protect yourself today and get peace of mind

Shut out hackers, identity thieves and the global government surveillance apparatus — every time you go online.