
> Yes, full privacy is the goal, but I know certain actors are spying on me. If I can bypass them, I can at least attempt to improve it.

The problem is that it doesn’t actually change anything while giving a false sense of security.

Your VPN’s ‘improved’ privacy is just as worthless as the privacy you get with just your ISP. If something requires privacy, neither can be used, and if it doesn’t then why should it matter which one you use?

Privacy is an on/off thing. Either you have it or you don’t. There is no in-between.




> It’s 2023 - if a VPN is how you’re doing your privacy you’re probably doing it wrong.

I'm honestly interested, how could one 'do privacy' the right way then?


> Isn’t the best choice for the privacy conscious to set up a VPN on a machine they themselves have physical control over?

perhaps I am missing something, but it seems like having physical control over the machine breaks several important use cases for VPNs.

if I understand correctly, the privacy that you get from a VPN comes from encrypting the traffic itself, hiding your actual IP, and mixing your traffic with other clients using the same exit point. although it is a matter of record that you are a subscriber, no intercepted traffic can actually be traced back to the IP you own (assuming your provider doesn't keep logs, of course).

I don't really see how these qualities could be retained by operating your own VPN server. unless you are doing some black ops shit, your identity would have to be connected to the VPN server itself, so the fact that it masks your computer's IP doesn't matter. plus you probably don't have many other people using your server, so you lose that plausible deniability.

I would be quite glad to be corrected, as I certainly don't love trusting my provider when they say they don't keep logs.


> Worse, you're only moving the problem to a different location

I agree that's true from a technical perspective. However, the VPN provider has an economic incentive to compete on privacy. I would much rather just trust my local ISP, but at least I have a choice in VPN providers.

> privacy shouldn't be limited to people with a technical background

Absolutely. That's why I want this as a product that Just Works instead of my own hacked-up implementation.


> I have this mentality problem where I don't like using my VPN except when I specifically need to.

This is extremely suboptimal. "I only hide my activity when it's worth hiding" paints a giant target on your back. VPNs as a matter of course protect you from all manner of anti-consumer tactics, and if you don't obfuscate all of your traffic, it tips off surveilling parties to only focus on the subset of traffic that routes through a VPN.


> I'm definitely aware that I'm just moving trust from my ISP to the VPN, but most ISPs do not even consider privacy as a selling-point or a feature, while a reputable VPN often will.

This. However the critical point is that VPN providers are virtual, so there is in theory infinite competition; ISPs are an oligopoly in every country, so there is no real competition - If you don't like something about your ISP, like selling your metadata, it's usually tough shit because the other few will follow knowing there is no real competition and seeing a way to extract more money.


> Sure, but for privacy, VPNs are shit. You can't recommend VPNs for privacy.

Why not? Doesn't it depend on your purpose and threat level? If you have state level actors chasing you then VPNs will only be part of your opsec toolchest — preferring TOR where possible and being very strict about where you access the internet (certainly not at home). But if you are just downloading the latest episode of Sherlock from your local hive of wretched scum and villainy, a VPN will surely help.

VPNs are only part of the solution of course (not using any social media, not connecting to any of your normal accounts, limiting VPN use to whatever it is you want to keep private), but you seem adamant that even this is not a valid use of VPNs, or am I misreading your posts?


> But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.

It only solves it against a particular ISP.

> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).

I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).

> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).

But they know the IP, so that's still identifiable information.


>However, I don't fully understand the privacy argument.

Yes, it's crap, and any techbro worth their salary should know this.

It's also incredibly annoying when VPN this and VPN that pops up on youtube.


> What good is a VPN if you have to reveal all of your personally identifiable information to the vendor?

Because most people's threat model doesn't include actors that can force a VPN provider to give up their data. They just use it because it's making it easier to not get data stolen in a coffee shop and watch US Netflix.


> terrible attitude towards privacy

A VPN is inherently not a privacy tool. It is perceived that way because of the acronym Virtual 'Private' Network but privacy is not in the design specs at all.

It's just for tunneling over untrusted networks like Starbucks Wi-Fi and spoofing your geo-location. That's it. You can't verify the no-logs claims by providers unless you're physically in their building and auditing the setup yourself.


> VPNs don’t help privacy at all

Of course they do, I'm so tired of seeing posts like this when really what you mean is that it's not perfect privacy and therefore you don't like it.


> For majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers).

But I don't like the logs that my ISP is _required_ to keep, and the organisations that have access to them as a result. A VPN removes that.

> but there's no law in preventing a VPN provider not to do so

GDPR.

(for a UK perspective)


> Is using a good VPN enough to mitigate these privacy and security issues?

No, you don't ever use VPN for privacy. 99% of the VPN providers log every single activity on their servers.

I am using Mullvad and they seem to take privacy very seriously and I kind of trust them, certainly more than all the other providers. Do I trust them 100%? Definitely not.


> If you need to hide all of your traffic from other users in your local network, you can accomplish that in a trust-no-one fashion by running your own VPN endpoint on a server you control which provides better privacy guarantees compared to a centralised commercial VPN whose business model will eventually involve selling your data (once user growth stops but shareholders demand continued revenue growth).

Well not really. There was a great (German) interview with the Perfect Privacy founders recently [1]. They seem to be decent guys with close ties to the Chaos Computer Club and I strongly suspect they wouldn't want to work like that.

[1] https://www.youtube.com/watch?v=VMr0gJvI-6I

> But if you need to hide your traffic from anybody but your peer on the internet and you need to hide the fact that you talked to that peer, then, I'm afraid, you're out of luck.

Nah, that one is easy, just use an anonymous SIM card or an open wifi and you're good to go.

Honestly these discussions often feel pretty asinine to me. I personally use paid VPNs to pirate to my heart's content, work around my ISP's terrible networking and a little bit of geo-unblocking. Of course you can't use these services to protect yourself from three letter agency type surveillance or equally powerful threat actors but if they are "private" enough to block the music industry and their lawyers from suing you that's a pretty high standard of privacy, certainly more than any ISP alone gives you!


>In most circumstances, VPNs do absolutely nothing to enhance your data security or privacy.

>Acting as they do, and promoting commercial VPN providers as a solution to potential issues does more harm than good.

I think this ignores the fact that some users have different threat models, sometimes the privacy threat model of a user does include their ISP for various reasons (think China).

> Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.

Depends on the VPN, some VPN providers actually don't keep that kind of history or provide options to operate and pay an account anonymously.


> in a more biased position

It's not their bias against competitors that's my issue, it's their bias in believing that VPN is a credible long term solution to the privacy problems they highlight.

It's right there in their basic premise. I only use VPNs for one reason: to securely connect to a remote location and participate as a local client on their network.

For protecting your own privacy you're going to need an _entirely_ different set of tools.


>Can you explain to me why being on the internet where all your actions are being monitored by your ISP is OK

ISP surveillance is not OK, but ISPs only know the domains I access, not what I do on them. I can prevent them from knowing even that by using a VPN, Tor, or any other kind of proxy. I believe encrypted DNS might also become a thing in the future. Also, I'm not locked-in to my ISP.

>no matter how many precautions you take, someone is watching you some how

That's what we're trying to fight.

>There's a record somewhere with all your past emails and they are making a marketing profile about you

A lot of my email accounts are fake-identity and temporary and I try to use encryption whenever I can, but I admit email encryption has a long way to go. There's no lock-in here though.

>Android has you locked into Google surveillance

It doesn't. Custom Google-free Android ROMs are a thing and work well.

>Send a text? Your provider had to send that data

Use encryption. I recommend Matrix/Riot.im for encrypted chat. There is also a program called Silence that can encrypt SMS.

-

If you want to know the point of all this, there's a lot of material online, but you can start by watching the short talk "Why Privacy Matters" by Glenn Greenwald


> how can someone trust a VPN not to sell the details

you can't. but, you could use 2 nested vpn services, which would help if you can know that the 2 aren't affiliated with each other ... which you can't know.

i mean, it's hilarious that VPN services suggest privacy as one of their selling features. lol.


> how do you measure VPN services?

It's pretty difficult. You can't say anything for sure, it's all trust. That's why you should be so strict.

When you host your own end point you still have to trust its provider of course, but of course the incentive (concentrated, specific user traffic data) for abuse is much reduced.

But how anonymous are you actually? Are you sure your traffic can't be connected to you? Certain you set everything up correctly?

With my provider of choice, because I trust them reasonably much (sure feels like jinxing it), I don't have these worries.
