Hi, this is my first post here. As I'm interested in the fields of computer theory, #cryptography, IT #security and #privacy, I felt that a post like this is somewhat needed. There are many privacy-concerned Internet users around, and the sad reality is that many of them are (still) convinced that if a privacy-related service (be it a proxy, #VPN, #TOR, whatever) - especially the free ones - states that it makes you completely anonymous and hidden on the net, then this is certainly true. But it's not.
There are many VPN (virtual private network) solutions available - many of them also free of charge (mostly as a freemium business model). The main problem with free VPNs is, that they aren't really free. I generally do not copy sentences from Anonymous but the following is a bloody fact:
- If you don't have to pay for a product, you are the product being sold.
The only real difference is that paying users (and their data of course) are less likely to be exposed/sold to some other corporate entities. That's all.
And in some way it's also fine. If it is OK for you that your ISP, websites, companies are to 99% (as always, there is no 100% in (IT) security and privacy) blocked from viewing what you are really doing or knowing who you really are (or let's say, see it more or less obfuscated), then it's fine. If you use a VPN to watch geo-restricted content, then it's perfectly fine. If you're using a VPN to do online banking securely from an open hotspot, it's really essential. But if you are expecting to be completely anonymous and invisible on the Internet, and that even the government does not know what you are doing when you're using a VPN (free or paid, as it turns out it doesn't really matter), then it is not OK. Because it's a lie. (Or whatever is more accurate to describe it)
For more on the privacy related study of some of the best VPNs (DNS hijacking and IPv6 leaks - I know it was shared before but it fits into context), read here.
The other option is TOR (I'll not go into proxies, because they are generally (by the majority of security and privacy researchers) claimed to be far less secure than VPN, but that's also another story for another time). According to many (also #Snowden), The Onion Router is the free speech machine of the censored net. The main difference to a VPN provider is that a VPN is (or is not) government controlled but TOR exit nodes easily can be. Everybody can set up a node to help the community to run a faster and more stable onion network - but "help" can be interpreted in different ways: you can help the community (which is a big donation forward to those who live in repressed regimes, but also isn't a very clever idea, as all data that is running through your node is considered as your traffic by the law - so, if somebody is connected to your exit relay and is searching for illegal content (like child pornography), then you are responsible for that - and it also happened in real life) or help yourself to gain data (like the NSA or GCHQ, which are supposed to be setting up fast and reliable exit nodes, just to track the traffic - it's a pretty controversial claim, but not completely out of scope). So seen, TOR is fine and generally also does not make trouble (let's leave aside the fact that NSA is categorizing IPs (via XKeyScore), which use TOR software or even search for it as "extremist" controlled).
Oh, and also, just for notice: (to cite The Guardian)
- The software [TOR] is primarily funded and promoted by the US government itself.
- Tor gives you one level of anonymity -- which is IP anonymity. It doesn't protect you from rogue exit nodes, transport layer security (sniffing on the entry/exit nodes), or correlation attacks from a very 'all seeing' adversary.
I apologize for bad English (if this is the case) and hope it helps somebody in a way. And thanks for reading. It's a long post, I know.
P.S.: I cannot guarantee for the objectivity of listed articles and websites. Also, all the links are purely for reference and are in no way meant to be passive advertising. And it's just my opinion on the topic, so feel free to submit yours :)
Under what circumstances would one want to use VPNs or TOR? It seems to me if you are masking your identity you have something to hide, but maybe I'm missing something.
As a rule of thumb, privacy helps protect the weak from the powerful. Perhaps you have nothing to hide, but journalists, activists, celebrities, whistleblowers etc all do, and many of them act as a balancing force in government in your favor. People who need privacy are thrown under the bus if we make privacy synonymous with "suspicious", and systems such as TOR are actually more effective at their job when used by plenty of people like us with nothing to hide. Advocating against privacy in this age is becoming much like advocating for a "papers please" society, because the technology is allowing your "papers" to be automatically checked everywhere you go without you having to be physically stopped and made aware of what's happening. There's also a constant stream of data being hacked - every personal detail of every US employee was recently stolen (i.e. there are no questions you can ask to tell the difference between the real person and the identity thief), nudes, every customer's details and credit card info was taken from Target and Home Depot, etc. So the tighter you are with your details and where they are stored, the better. Hopefully we can transition to not storing so much unnecessary detail about people, for the sake of security. And similar to protection from power, privacy also offers protection from the online bullies and mobs. Being "doxxed" is what they call having that protection taken away.
I understand the escaping oppressive regimes, but why should I worry about my government spying on me? What is the NSA looking for that I should resort to masking my identity?
why should I worry about my government spying on me
Good question. Why should an honest person care about NSA Surveillance? Watch this:
I agree with this point. I have no worries about my (or other) governments spying on me but there is that uncomfortable feeling of being continuously observed (even when doing everything lawful and moral). In general people don't like to be under continuous surveillance, even if they aren't doing anything false (in moral and jurisdictional context). There's a quite well-known quote (or motto):
If you have nothing to hide, you have nothing to fear.
The best use case that everyone could consider righteous is to protect your information while you're connected to wifi that you do not control. If I'm at Starbucks, there is a greater-than-zero chance that someone could be sniffing my traffic. There is a greater-than-zero chance that someone could put up a false hotspot and read all of my traffic, read my passwords, read my email. If I'm on someone else's wifi connection, I fire up my VPN as it encrypts all traffic as it's going through. Another good example is if you're on an Internet connection where your ISP plays with the traffic. For example, if your ISP throttles YouTube videos. Running through a VPN, they would never know what site you're on, so you have free access to information. But really, everyone has something to hide. If you didn't have something to hide, you wouldn't have curtains in your house or locks on your doors. If you don't have something to hide, tell me your bank account login and your social security number. If you don't have anything to hide, take the password off your wifi, your laptop, and your smartphone. Everyone has something they're trying to hide, and it's almost never as malicious as people who say "you're trying to hide something" think it is. More often, it's just embarrassing, not malicious.
Yes, something similar I said in the original post:
If it is OK for you that your ISP, websites, companies are to 99% (as always, there is no 100% in (IT) security and privacy) blocked from viewing what you are really doing or knowing who you really are (or let's say, see it more or less obfuscated), then it's fine. If you use a VPN to watch geo-restricted content, then it's perfectly fine. If you're using a VPN to do online banking securely from an open hotspot, it's really essential.
The assumption that having something to hide means you're doing something wrong isn't accurate anymore. Sure, a lot of shadowy stuff goes on behind VPNs or TOR. On the other hand, people may want to hide searches regarding sexual orientation or fetishes, though all within the bounds of the law. Or, someone may want to hide research for a large purchase from Amazon and Google. There are also lifesaving resources like Erowid that most people probably don't want immediately connected to them. Having something to hide doesn't automatically mean you are doing something wrong.
So what I can understand from your comment is that it basically is a matter of right to privacy. It isn't so much about what you are looking at or doing, but that you can do it with anonymity. Am I getting close to the general idea?
Yeah, pretty much spot on. One argument I somewhat like (it's got its flaws of course) is that even if you agree wholeheartedly with the government, you still benefit from the freedom of speech. There is also a bit more conspiracy minded argument that you can never know what the government (or any group with access) might turn your data into or use it for at a later point. Dates can be changed, passwords remembered, and photos smudged to turn a harmless activity into a felony. But like I said, that's a bit far.
Fewer things are approved by governments on a daily basis. With the increasing number of illegal things one can do, you'd do well to rethink your illusion. BTW, how do you know what your government will approve of tomorrow...or even today?
You have nothing to hide until you need to hide something you believe. It's obvious in other countries (Turkey, Iran, so on) that the government is seeking dissidents and locking down Internet to silence the people (so that they can get away with shit). But the USA is also trying this - by the way of various lawsets (SOPA, TPA, PIPA). And when that passes, you'll have plenty to hide - that you watch shows/listen to music not licensed in the US (or without your personal license, like downloading it from a place not authorized by whoever carries the copyright... which could also shut down Netflix). So even if you have nothing to hide /now/, using VPNs or TOR is a way to protest against these things.
Purely out of protest. I'm fortunate enough to have access to all the content I want to watch (that I know about - I'm not saying I know about all the shows and movies out there). But these law projects are, to me, simply disgusting - as, from what I understand, all of the planned laws so far give the tools to ISPs to turn the Internet into a glorified, interactive cable TV ON TOP of giving the intelligence agencies the tools and legal background to watch where you're surfing (and if you're circumventing the blocks put in place).
I think this line needs to be entirely retired from serious discussion. It's a gross simplification that relies on emotional manipulation (you're a slave!) and does nothing to actually inform anyone. First off, there's nothing preventing (most) companies you pay from tapping into the same revenue streams as companies you don't pay. Outside of technical protections you usually just have a EULA with unilateral change provisions with all the protections, or lack thereof, that entails. Fact is that there are different business methods that are used to monetize free services. Selling your time and attention to advertisers is quite different from selling your location history. And as repugnant as the latter may be it is still not selling you, it is selling information about you. So yeah, question free services but question paid services and be upfront about why you question them. If you don't know how they make money, say you don't know. If you do know, share the details. If you don't have to pay for a product, you are the product being sold.
I never trusted paid services more than free ones. I never said that paying for a VPN service is far better than using the free stream. I just said:
So seen, it's completely irrelevant how a service provider (paid or free of charge) makes money, if you generally distrust them. No, to answer the request, I don't know their exact business model. But do you honestly think that they will show me their exact, real plans for how to deal with money income? I think not. Because it's simply not lucrative enough for such companies in such a difficult and established market, to be completely honest with the end user. It's sad. But also reading the EULA won't change it much. And as it seems, those service providers who tried to provide a completely free VPN service and/or nearly-complete anonymous, failed because they couldn't sustain running the servers anymore and were in need to shut down - because complete comfort (no ads, no data exposure, really free) for the user, is (generally) a disaster for the company that pays the bills for keeping the system running. Or they're still running but can't provide the same comfort that an average (average privacy concerned) person demands. I agree, maybe the quote is really a bit of a gross simplification but it's not like getting a (free or paid) newspaper with ads inside - when you read such a paper, you are a passive part of the money scheme (you can go for the ad and buy a thing or simply ignore it - because you hold the paper in your hands); but when you're using a VPN service (free or paid), you are the active part of the scheme (you directly interact with the provider's goods and use them). The only real difference is that paying users (and their data of course) are less likely to be exposed/sold to some other corporate entities. That's all.
Into that you can count being exposed to advertisements (which can be annoying) or your data (history, identity) is being sold to other 3rd party companies (which isn't less annoying than the first option). And of course, there is never a guarantee how your case will be handled in their system - even if you pay you aren't necessarily completely secure and/or anonymous. But with a paid service you statistically seen can get slightly more chances to being not exposed.
None of this makes you the product. Which was my main point. Those are both much more to the point. You can say "you are the product" or you can say "I don't know how they make money and it makes me suspicious". Even then, if you don't know that your payment at least covers the costs of the service you're likely no better off by paying and risk exposing payment information. Hell, I'd argue that a proxy service that makes $10 by showing you ads is safer than one that charges you $5. That's the kind of nuance that goes straight out of the window when free services are not so subtly compared to slavery. But with a paid service you statistically seen can get slightly more chances to being not exposed.
But do you honestly think that they will show me their exact, real plans for how to deal with money income?
We can say what we want to say. It's free speech. And I agree, putting an Anonymous quote was controversial. I also agree that maybe you're not the product directly; but is not knowing about being the product the same as simply not being the product? For me, it's safer to assume that all companies are exposing data (even though there may be providers who don't) - it's safer to assume that I'm the product in each and every case, than to give my trust to someone I don't know a bit and to rely on "facts" a corporation is providing me.
You're the product when you're in the middle of a marketplace. That's the one case where you, not something of yours, is on sale. It is very good to know what of yours a company has that can be monetized. For a proxy, browsing data is straightforward. They have it regardless of how much you pay them. It doesn't stop being product just because they also happen to sell proxy services, just that if they make enough money selling proxy services they don't have to sell it to stay afloat. The false dilemma presented by "paying or product" is another good reason to use the phrase. If you are paying the company you are merely aware of one of the products they sell.
> it's safer to assume that I'm the product in each and every case, than to give my trust to someone I don't know a bit and to rely on "facts" a corporation is providing me.
Is paying someone to not sell your info not trust? My bottom line with proxies is that they simply aren't a privacy tool. They can help but shouldn't be relied upon. Trying to figure out what the product is just obscures that proxies by their very nature have a lot of info on you.
As I think, for the companies it's pretty important that I am the middle of the(ir) marketplace. For them I'm/my identity is a possible product, something that somebody else will buy from them. Whoever gets the most of my identity first, makes the most profit. Simple as that. And no, for me paying someone, just for the plain reason that (s)he will not sell/expose my data, is not a sign of trust and I also consider it as a stupid action. But that's my opinion. Stopping (or at least believing them to stop) selling my data away shouldn't be anything I should buy. It should be taken for granted. But it's not. Because not selling data away isn't as lucrative as doing it. Agreed with last point. Proxies aren't made for privacy. Handy but not even near to privacy. You're the product when you're in the middle of a marketplace. That's the one case where you, not something of yours, is on sale.
I think I don't understand - by speaking of VPNs, your identity is you. The 'data' I'm speaking of is the bundle of your preferences, your habits, your activity, your motive, etc. = your identity. Identities are the (new) currency of the (new) world.
This is true, and people should be aware of it, but VPNs and TOR etc provide good protection against mass untargeted surveillance and a bunch of other things, so use should be encouraged - with the proviso understanding that if a government or other powerful actor targets you specifically, and cares enough, then such measures are not sufficient.
Using paid and free VPN piggybacked (no Tor) will probably get it done to anyone's satisfaction. I've got nothing to hide but I'm going to do it anyway.
It's the point what you're trying to mask - you mentioned browser and machine, so the identifiers that I can think up are: User Agent, plugins, encoding, language, etc. and the MAC (media access control) of the machine. The probability of exposed serials of hardware is extremely low, but theoretically possible. For both there is a more simple solution than physically changing the ground - which is also fine, but can be time expensive. For Firefox there is an addon called FireGloves, which deletes/nullifies all those things like UA, plugin list, language, encoding and other stuff. For changing the MAC there is plenty of MAC changing software - TMAC (even if it's not open-source and there are many open-source MAC changers available) worked fine for me. And also, TOR software generally comes bundled with a preconfigured Firefox, together called TBB (Tor Browsing Bundle).
Pay for sock5 and vpn that doesn't log, get a throwaway laptop, load up Tails from a CD or USB, and connect to Tor from a public wifi location. Bam, you're anonymous.
Nope. Not directly. Something like "complete privacy" or "invisibility" does not exist. First of all, TOR (used in Tails) doesn't make you anonymous. It's not designed to do something like that. It's generally meant to be a tool for having a chance in repressed regimes. Secondly, you must have an apparently very strong motivation to stay close to a public WiFi all the time. Third, VPNs are logging. Even if they are saying that they are not. Just because of paying approximately 7$/month, do you really think a VPN service provider will assume legal responsibility for all your also illegal actions done by their system? I think not. Because it's not even near lucrative to get trouble with the law, get prosecuted, because somebody was doing bad things online. No one would do that in my opinion. Fourth, by paying for Socks5 or a VPN provider, there exist transaction logs. Even if you are using Bitcoin, it can (if there is enough interest) be tracked back to you. Fifth, getting a throwaway laptop is 1) expensive and 2) has the really high risk to get a hardware backdoored machine - the only option is then to buy a 6-8 years old computer to be sure. At the end, it can be extremely expensive (time and money) to get close to something like "complete" anonymity. And the point is that it just does not work - the government you are trying to hide from has far more resources to exploit systems and establish a mass surveillance.
I used Freedome by F-Secure. They have smartphone apps and support Windows/OSX. It's fairly inexpensive, run by a security company, and they don't keep logs.
As far as I know there is no notice about logs on their website? Also, this forum post from January makes me struggle if the system has been audited already. But nevertheless, most VPN providers aren't audited or at least do not publish the audit report and Freedome is very new to the market, so let's see.
http://community.f-secure.com/t5/F-Secure/Does-F-Secure-follow-the-EU-data/ta-p/68996 "F-Secure does not retain any kind of data or log users’ traffic." I should say, I'm not claiming that Freedome is the best VPN in the world. I use it and trust it, but I'm not in a life-or-death situation when it comes to sharing content. If life-or-death describes your situation, please please please do more homework than I have done trying to pick a VPN provider. My main concerns when it comes to VPN providers are "do they log", "can I pretend to be in another country", and "will they encrypt my traffic". That's it. Don't take this advice if your life depends on your anonymity.
Thanks! I really appreciate (positive) feedback! Anyway, when I use a VPN (which is rarely), I usually use CyberGhost, mainly to watch geo-restricted content. It's not perfect (for example no Linux support for free plans) but for me it works just fine. Also, the use of Hola VPN should be avoided.