IMO, you’re probably fine with only using VPN. That is with all the settings and additional measures done and with credible VPN provider, which, in my case, is Mullvad.
If you’re planning another 9.11 or for some sick reason decided to share no no porns, VPN is definitely not enough and I’m pretty sure you already know that.
A lot of reputable VPN providers are constantly poked by the authorities. They give nothing because they have nothing.
You’re fine if you’re just trying to bypass stupid regional censorship or download a bunch of movies. That is, again, with proper security measures of course.
I’ve seen some people saying that you should use Tor for anonymity when someone’s just asking about how to use VPN better or whatnot. Tor is better in terms of anonymity, sure. But for most of the cases, VPN is fine.
And I cannot stress this enough: you will NEVER be perfectly anonymous online. Period.
I think we’d all benefit from less discussion about whether or not product or service X is enough, and more conversations about what the options are, how they work and how they might benefit you. Because there is no right or wrong way to go about it.
Sharing information and experiences makes it easier to decide what is useful to you. You might want privacy for different reasons than the next person. Not everyone is paranoid, not everyone is an activist, not everyone has the same needs. To illustrate this, I’ll share my own experiences, but first, an oversimplified summary of common privacy related topics or services:
- VPN: instead of connecting directly to services on the internet, you first connect to a VPN provider (or self-hosted solution), then to everything else. The only connection your ISP sees is to the VPN provider, the requests between you and the VPN provider have added encryption (like for example Wireguard). The IP address you communicate to the internet is that of the VPN provider, if they have servers in different countries you can appear to send requests from IP addresses in those countries.
- DNS: domain naming system, required to link requests to websites like www dot example dot net to the corresponding IP addresses. This is called resolving. DNS can be manipulated or used for extracting sensitive data at multiple points in your connection chains. Encrypting your DNS requests adds security and can provide privacy from whoever ends up resolving your DNS. This can be your ISP, major players like Google or Cloudflare, your VPN provider and many more, depending on your setup.
- De-googling: moving away from Google services first and foremost, removing ways for Google to track you (regardless) second. Because Android is open source, parts of the system that rely on and/or offer telemetry to Google can be removed or altered. Any Android device that runs a version of Android that is not specifically advertised as privacy friendly will spy on you (your usage, what apps you install, your habits across apps) in some shape or form. Unless you’re wanted by a government or have to deal with stalkers, no one is looking for juicy details about your private life, just the details they can use to sell you products through targeted advertising.
- Adblocking: using tools or servers that block as much of online tracking as possible. In most cases, you’re at least trying to prevent advertisers gathering data about you and profiling you. Can be done at a decent level by just using the right browser plugins, but you can take this a lot further.
- Fingerprinting: profiling you based on everything your device, browser and OS tells about you regardless of how much you think you’re already protecting your privacy with a VPN and ad-blockers. Fighting fingerprinting doesn’t have to be rocket science, but does require a lot more effort. Even when done right, one misstep (a software update reverting settings you carefully customised, for example) can require you to have to dive back in.
- TOR: the onion router, best described as an overlay network on top of the internet in which you connect to an endpoint (whether a website or service) through multiple other computers in the network called nodes. Nodes can be anything from a full-fledged server in a data center to a computer at home, and can specifically be made to be relay nodes or exit nodes, for example. Does only make it hard to trace what you send back to you, does not magically conceal the information in it. Sending personally identifiable information over TOR is just as risky as over the ‘regular internet’. The network offers the possibility to host on the TOR network, creating this separate layer of sites and services that has poorly been coined The Dark Web.
- Encryption: very broad, but talking on all levels, from PGP encryption for emails to E2EE, if you can encrypt without driving yourself nuts, do it. So many technologies we still use today (looking at you, e-mail) rely on a patchwork of Band-Aids to hold it together in terms of security and authentication, better be safe than sorry.
I realize as I’m typing this that I could go on a lot longer, so not wanting to get too far off-topic, let me share my own privacy journey in short for some perspective.
A friend of mine was already a privacy advocate when she decided to run for parliament (around ten years ago in the Netherlands) and we discussed the topic every once in a while. I decided I didn’t want any corporation making millions off the back of freely given personal info of mine, so I dove into the deep end. I stopped using Google services (but did not delete accounts, either) and got into TOR routing. After putting myself through months of getting blocked from even the most common sites due to being fingerprinted as a TOR user, having to do eight captchas just to access a service and running on the slowest connection ever due to routing all my apps through TOR, I called it a day.
Over the years, as knowledge became more readily available, services got better and new services popped up, I would gently ease myself back in the direction I wanted to go, taking it one step at a time, assessing the value it would provide in relation to the effort needed to implement, or the hurdles needed to overcome. That’s really the best advice I can give there: keep informed, try stuff out, see if it’s for you. Is it easy to use? See if you can help others going through the same process and maybe even help them make the switch.
So where am I now in my privacy setup?
- I don’t run degoogled Android but sandbox apps that I would like to get rid of (but can’t) or don’t trust and use ADB to uninstall what can be removed.
- I run a VPS with TransIP in the Netherlands that I connect to over Wireguard, runs Pi-hole for adblocking and resolves DNS through DNSCrypt resolvers that don’t log. I use it as my primary “VPN” on most devices including my phone.
- I have a duplicate setup running with Digital Ocean, just for the sake of availability, but might move that to Germany with Hetzner, for example.
- I use Protonmail as my primary email provider but have backup providers like Tutanota as fall-back. I used DuckDuckGo’s email aliases for a bit as well before switching to SimpleLogin.
- I prepaid Mullvad for a couple of months with the intent of running my own Netgear router with pfSense, forcing the whole house through Mullvad.
- I hardened Firefox on my primary devices and run the same combination of adblocking and privacy plugins across every installation (including Mull on Android).
There’s more I do in terms of backups, security and encryption, but that might veer a bit too far off topic.
My current setup is currently not necessary for living a free life here in the Netherlands, but it does suit me. Some things are based on ideals, some things on practical worries, others because I want to learn more about the technology involved. It’s relatively easy for me to manage and I know what I’m conceding when I do use intrusive services or apps.
Long story short: don’t push your views, share information, help each other out, as long as we know what it does and what we get out of it, we can determine ourselves what is enough for us. Maybe a VPN is enough for you, maybe it’s not. You decide.
Loved reading that. I really do agree on the threat-model aspect of privacy, which is the main reason why people discredit or worship VPNs. All the actions we take to safeguard our information are dependent on what we want to hide, and from who.
Also, a quick question. You mention
> I run a VPS with TransIP in the Netherlands that I connect to over Wireguard

but wouldn’t this be useless since you’re basically moving from one static IP to the other? Hope you can clear this up, thanks!
Thanks, I definitely agree.
To answer your question: the whole setup is not meant to do anything else than move the IP away from my house / location at the time, block as many trackers as possible and encrypt my DNS.
If you care about privacy, VPN does close to nothing to prevent the advertisement industry from tracking you: they can track you using cookies and fingerprinting.
IMO using an ad-blocker (and ideally a browser that has tracking protection mechanisms like Firefox) is the preferred way to protect your privacy online.
You’re right. Though I’m quite sure 98% of the people using VPN because of privacy use at least ubo and possibly hardened Firefox.
Sadly it isn’t the case. Most of my colleagues are using VPNs only, thinking it’s enough because of the bullshit sponsored segments VPN providers pushed over the years on YouTube.
VPNs can’t advertise what their services are actually for (rampant piracy without getting nasty letters from your ISP) so they advertise nonsense privacy instead.
All the marketing of VPNs over the last five years has really confused people as to what they are good for.
“Makes you private”? Private against what exactly? Does that mitigation match my threat model and use case? But that doesn’t fit into a fifteen second YouTube ad bit, and most people don’t do any further research.
I agree that VPNs are fine for most people and use cases but is that a reason to lie by saying they make you anonymous? VPNs don’t make you anonymous. That is a fact, why not say it? Besides, VPNs are constantly shilled so I am not worried about their popularity. Tor or I2P make you anonymous, if you want to be anonymous, use them. For torrenting or bypassing geoblock, VPNs are good.
I think I titled this wrong. I should’ve said People should stop saying VPN isn’t enough.
My VPN is supposed to not keep information about who is using which IP, no logs and no government possibility to have them doing it silently (Swiss VPN).
Or are you meaning fingerprinting by my navigator etc?
Genuinely interested.
What happens if the Swiss government orders the VPN company to log the IP of your account? VPN also allows for cross site fingerprinting so your identity can be correlated between sites.
I’m pretty sure if that ever happens, VPN providers will move to some other countries that will not.
I’ve one use of VPN, to use contents and pricing from other regions, and it’s enough for that
I think your ISP is the last entity being able to track you that you should be worried about, the ad industry and big tech are much more worrisome to me. And at best, your ISP can see to and from which IP addresses your packets go, but as long as your traffic is encrypted (which most of it is thanks to the prevalence of HTTPS) they have no way to tell what you send/receive from these IPs.
I think it comes down to the threat model that you implicitly or explicitly operate under. Most people don’t think about it, and so they equate “more” with better, and VPNs are easily marketed as more, turn it on and rather than whatismyip.com showing a map near your house, now you’re magically somewhere else!
If you are paranoid about everything, then again there is the “defense in depth” mindset, which in theory couldn’t hurt. That said, having a clear mental model for what you are aiming to be protected from is the best way to find a suitable suite of protections. To agree with a number of others in this thread, ad-blockers (I recommend NextDNS personally) are a great step to stop organizations with a financial incentive to learn all they can about you to sell you stuff, or sell your data. There have been large US ISPs that have experimented with injecting ads or other content either into default DNS responses (e.g., if you mistype something in the search bar it will bring you the ISP’s terribad search portal), or even HTTP responses. If you are stuck with one of those ISPs (I’m sorry, and the US monopolies on ISPs are terrible), then a VPN will help you against your threat (the ISP).
If you are an EU resident, and protected by GDPR (or some of the US states that are enacting similar protections), then moving to a more centralized service can be a good thing, since you have a single place to request data deletion, etc., whereas for a non-EU resident, “smearing” your data over multiple non-coordinating entities is a good move to limit the view of you from any single organization.
If you are worried about government surveillance, you have bigger issues. Most people who want to think they are uber valuable to the government are not, and act in counter-productive ways, by co-mingling their data with that of actual baddies, so it all gets revealed in a warrant search. The Lavabit hosting service was used by extreme privacy wonks, and some actual criminals, and when the government went after Snowden, they got all of Lavabit’s data, so being on that platform may have been counter-productive for people hiding from the G-men. The OPSEC needed for countering government-level is beyond what you’ll learn on a public post, and must be incredibly well-curated and maintained; it will cost you, but if someone will outspend you to get you, then it’s table stakes.
> There have been large US ISPs that have experimented with injecting ads or other content either into default DNS responses
That’s revolting. How on earth is that legal?
Error 404
Look at those car assurances !!
TOR is also free
Mullvad is the correct answer.
They are in Sweden, the country famously viewing legal information exchange a crime more serious than murder and part of the Fourteen Eyes, they are also obliged to store your data for half a year. Like whatever your use case for VPN is, Sweden based company is not a good choice.
What VPN providers do you approve of?
Of the big boys both NordVPN and Proton VPN seem to take those issues seriously though Proton VPN looks better overall.
I haven’t seen Nord being recommended in a privacy focus forum in forever. Not sure about their relationship with law enforcement, but I had the understanding that they would benefit from selling your data. Might have to research a bit more before my protonvpn renewal comes.
> I had the understanding that they would benefit from selling your data

Huh? How?
> Might have to research a bit more before my protonvpn renewal comes.

If I were you, I’d stick with Proton regardless if your previous understanding is correct or not.
I always thought that VPN (or any other means of hiding your IP) is a necessary but not sufficient step to prevent online tracking. Is this not correct? I don’t think that using GChrome with a VPN will do much, in the same way as using hardened browsers without VPN will do much. It might depend on the threat model.
Yes