I think we’d all benefit from less discussion about whether or not product or service X is enough, and more conversations about what the options are, how they work and how they might benefit you. Because there is no right or wrong way to go about it.

Sharing information and experiences makes it easier to decide what is useful to you. You might want privacy for different reasons than the next person. Not everyone is paranoid, not everyone is an activist, not everyone has the same needs. To illustrate this, I’ll share my own experiences, but first, an oversimplified summary of common privacy related topics or services:

• VPN: instead of connecting directly to services on the internet, you first connect to a VPN provider (or self-hosted solution), then to everything else. The only connection your ISP sees is to the VPN provider, the requests between you and the VPN provider have added encryption (like for example Wireguard). The IP address you communicate to the internet is that of the VPN provider, if they have servers in different countries you can appear to send requests from IP addresses in those countries.

• DNS: domain naming system, required to link requests to websites like www dot example dot net to the corresponding IP addresses. This is called resolving. DNS can be manipulated or used for extracting sensitive data at multiple points in your connection chains. Encrypting your DNS requests adds security and can provide privacy from whoever ends up resolving your DNS. This can be your ISP, major players like Google or Cloudflare, your VPN provider and many more, depending on your setup.

• De-googling: moving away from Google services first and foremost, removing ways for Google to track you (regardless) second. Because Android is open source, parts of the system that rely and or offer telemetry to Google can be removed or altered. Any Android device that runs a version of Android that is not specifically advertised as privacy friendly will spy on you (your usage, what apps you install, your habits across apps) in some shape or form. Unless you’re wanted by a government or have to deal with stalkers, no one is looking for juicy details about your private life, just the details they can use to sell you products through targeted advertising.

• Adblocking: using tools or servers that block as much of online tracking as possible. In most cases, you’re at least trying to prevent advertisers gathering data about you and profiling you. Can be done at a decent level by just using the right browser plugins, but you can take this a lot further.

• Fingerprinting: profiling you regardless based on everything your device, browser and OS tells about you regardless of how much you think you’re already protecting your privacy with a VPN and ad-blockers. Fighting fingerprinting doesn’t have to be rocket science, but does require a lot more effort. Even when done right, one misstep (a software update reverting settings you carefully customised, for example) can require you to have to dive back in.

• TOR: the onion router, best described as an overlay network on top of the internet in which you connect to an endpoint (whether a website or service) through multiple other computers in the network called nodes. Nodes can be anything from a full fledged server in a data center to a computer at home, and can specifically be made to be relay nodes or exit nodes, for example. Does only make it hard to trace what you send back to you, does not magically conceal the information in it. Sending personally identifiable information over TOR is just as risky as over the ‘regular internet’. The network offers the possibility to host on the TOR network, creating this separate layer of sites and services that has poorly been coined The Dark Web.

• Encryption: very broad, but talking on all levels, from PGP encryption for emails to E2EE, if you can encrypt without driving yourself nuts, do it. So many technologies we still use today (looking at you, e-mail) rely on a patchwork of Band-Aids to hold it together in terms of security and authentication, better be safe than sorry.

I realize as I’m typing this that I could go on a lot longer, so not wanting to get too far off-topic, let me share my own privacy journey in short for some perspective.

A friend of mine was already a privacy advocate when she decided to run for parlement (around ten years ago in the Netherlands) and we discussed the topic every once in a while. I decided I didn’t want any corporation making millions off the back of freely given personal info of mine, so I dove into the deep end. I stopped using Google services (but did not delete accounts, either) and got into TOR routing. After putting myself through months of getting blocked from even the most common sites due to being fingerprinted as a TOR user, having to do eight captcha’s just to access a service and running on the slowest connection ever due to routing all my apps through TOR, I called it a day.

Over the years, as knowledge became more readily available, services got better and new services popped up, I would gently ease myself back in the direction I wanted to go, taking it one step at a time, assessing the value it would provide in relation to the effort needed to implement, or the hurdles needed to overcome. That’s really the best advice I can give there: keep informed, try stuff out, see if it’s for you. Is it easy to use? See if you can help others going through the same process and maybe even help them make the switch.

So where am I now in my privacy setup?

• I don’t run degoogled Android but sandbox apps that I would like to get rid of (but can’t) or don’t trust and use ADB to uninstall what can be removed.

• I run a VPS with TransIP in the Netherlands that I connect to over Wireguard, runs Pi-hole gor adblocking and resolves DNS through DNSCrypt resolvers that don’t log. I use it as my primary “VPN” on most devices including my phone.

• I have a duplicate setup running with Digital Ocean, just for the sake of availability, but might move that to Germany with Hetzner, for example.

• I use Protonmail as my primary email provider but have backup providers like Tutanota as fall-back. I used DuckDuckGo’s email aliases for s bit as well before switching to SimpleLogin.

• I prepaid Mullvad for a couple of months with the intent of running my own Netgear router with Pfsense, forcing the whole house through Mullvad.

• I hardened Firefox on my primary devices and run the same combination of adblocking and privacy plugins across every installation (including Mull on Android).

There’s more I do in terms of backups, security and encryption, but that might veer a bit too far off topic.

My current setup is currently not necessary for living a free life here in the Netherlands, but it does suit me. Some things are based on ideals, some things on practical worries, others because I want to learn more about the technology involved. It’s relatively easy for me to manage and I know what I’m conceding when I do use intrusive services or apps.

Long story short: don’t push your views, share information, help each other out, as long as we know what it does and what we get out of it, we can determine ourselves what is enough for us. Maybe a VPN is enough for you, maybe it’s not. You decide.

TOR is also free

Mullvad is the correct answer.

All the marketing of VPNs over the last five years has really confused people as to what they are good for.

“Makes you private”? Private against what exactly? Does that mitigation match my threat model and use case? But that doesn’t fit into a fifteen second YouTube ad bit, and most people don’t do any further research.

I think it comes down to the threat model that you implicitly or explicitly operate under. Most people don’t think about it, and so they equate “more” with better, and VPNs are easily marketed as more, turn it on and rather what whatismyip.com showing a map near your house, now you’re magically somewhere else!

If you are paranoid about everything, then again there is the “defense in depth” mindset, which in theory couldn’t hurt. That said, having a clear mental model for what you are aiming to be protected from is the best way to find a suitable suite of protections. To agree with a number of others in this thread, ad-blockers (I recommend NextDNS personally) are a great step to stop organizations with a financial incentive to learn all they can about you to sell you stuff, or sell your data. There have been large US ISPs that have experimented with injecting ads or other content either into default DNS responses (e.g., if you mistype something in the search bar it will bring you the ISP’s terribad search portal), or even HTTP responses. If you are stuck with one of those ISPs (I’m sorry, and the US monopolies on ISPs are terrible), then a VPN will help you against your threat (the ISP).

If you are an EU resident, and protected by GDPR (or some of the US states that are enacting similar protections), then moving to a more centralized service can be a good thing, since you have a single place to request data deletion, etc., whereas for a non-EU resident, “smearing” your data over multiple non-coordinating entities is a good move to limit the view of you from any single organization.

If you are worried about government surveillance, you have bigger issues. Most people who want to think they are uber valuable to the government are not, and act in counter-productive ways, but co-mingling their data with that of actual baddies, so it all gets revealed in a warrant search. The Lavabit hosting service was used by extreme privacy wonks, and some actual criminals, and when the government went after Snowden, they got all of Lavabit’s data, so being on that platform may have been counter-productive for people hiding from the G-men. The OPSEC needed for countering government-level is beyond what you’ll learn on a public post, and must be incredibly well-curated and maintained; it will cost you, but if someone will outspend you to get you, then it’s table stakes.

I’ve one use of VPN, to use contents and pricing from other regions, and it’s enough for that

If you care about privacy, VPN does close to nothing to prevent the advertisement industry from tracking you: they can track you using cookies and fingerprinting.

IMO using an ad-blocker (and ideally a browser that has tracking protection mechanisms like Firefox) is the preferred way to protect your privacy online.

deleted by creator

deleted by creator

Yes

I agree that vpns are fine for most people and use cases but is that a reason to lie by saying they make you anonymous? Vpns don’t make you anonymous. That is a fact, why not say it? Besides, VPNs are constantly shilled so I am not worried about their popularity. Tor or I2p make you anonymous, if you want to be anonymous, use them. For torrenting or bypassing geoblock, vpns are good.