by selmat on 1/10/19, 12:47 PM with 71 comments
by jasode on 1/10/19, 1:14 PM
Yes but how does the average person really know if those suggested foreign VPNs are not CIA or other government coordinated honeypots?
In terms of cyberspace cat & mouse games, I think VPNs can be useful to evade Netflix streaming restrictions to particular countries or to hide your DNS queries from your ISP. You don't need a lot of trust in VPN entities to evade commercial businesses.
However, using VPNs to evade government surveillance is a whole different ballgame. Because of the far reaching tentacles of government agencies, there's no reliable method to determine which VPN to trust.
by tptacek on 1/10/19, 3:59 PM
This is extraordinarily, almost axiomatically bad advice. The USG has an NSL process for obtaining information from US-based service providers. It has no process whatsoever for obtaining it from foreign providers. It can simply do it. We have the largest, best-funded signals intelligence agency in the world, and literally the only place in the world you have any procedural, legal defenses against them is here.
I'm not being normative. You don't have to like this state of affairs. But it is the reality in which we live, and signing up with a European privacy service won't keep your data out of the hands of US surveillance if they want it.
I think jurisdiction is the wrong question. The most important question to be asking about a service provider is "what information do they collect and retain about me". Sometimes these comparisons are hard to make from the outside, but other times you can make inferences just based on the features they offer and the protocols they use.
by mockingbirdy on 1/10/19, 1:43 PM
Simply visiting this site makes it more likely. [2]
For anyone who fears state-level surveillance: Using a VPN or Tor and some privacy plugins isn't enough. Don't assume that you're safe just because of it. In fact, you make yourself identifiable if you rely on such plugins.
I won't go into details on how to be able to have privacy that can compete with state-level surveillance, because you'll have to commit crimes to get it. If you think that your government is watching you - don't trust these simple instructions. It's way harder. Some people had to die because of this.
Many (authoritarian) governments don't let you use a VPN without putting you on a watch list. If you try to keep a low profile, you need other measures. False sense of security can be dangerous in some countries. I hope that those who need this (a fraction of those who read it) keep themselves safe.
edit: I think they should clearly state that this tutorial isn't suited for individuals who are in great danger w.r.t surveillance. It's for people who are interested in privacy, not for people in life-or-death situations.
[1]: https://www.cnet.com/news/nsa-likely-targets-anybody-whos-to...
[2]: https://www.makeuseof.com/tag/interest-privacy-will-ensure-y...
by chin123 on 1/10/19, 1:14 PM
I like that it has OS-specific recommendations.
by ptero on 1/10/19, 1:59 PM
However, I am afraid that using those tools to protect your own privacy is at best a temporary band-aid as long as the current trend of accepting more and more backdoors into our personal lives persists.
To change this a significant portion of people need to see the government not as the main savior from terrorism (poverty, disease, crime, etc.) but as a big bureaucracy where a lot of clerks care more about their paycheck than the end results of their day's work (which is fine). And a large portion of public servants who do care, care more about their career, power and perception than about people who chose them to govern (which is bad).
This view change, if it ever happens, should force government to justify their actions and pay more attention to real issues (poverty, crime, disease, terrorism) and less to scare tactics. A used car salesman can provide a useful service -- knowing that a customer suspects him to be a swindler forces him into a partial honesty. That said, I am not optimistic that this view change will happen soon.
by holri on 1/10/19, 8:11 PM
by yange on 1/11/19, 4:59 AM
You might think it's a trivial thing, but it actually tells a lot about you. If someone can trace your activities through time, it's essentially a detailed profile of you, and they can learn how you live and work. Sometimes it can even be used to de-anonymize you by cross referencing with your "real" online identity.
In general it's impractical for users to fully understand what kinds of metadata are included in each file format or sent by each application. EXIF data is often included in image files generated by cameras or image editing software. Your full file path to a source code file may be included in the executable you compiled, and it may leak your personal information. Your operating system may send regular health reports to its company. A proxy service may append your real IP address in HTTP headers. Even for some encrypted services, they don't encrypt or sign everything. Like 1Password in the past didn't encrypt the URLs of your saved login sites. TLS 1.2 doesn't sign the cipher suites. TLS 1.3 doesn't encrypt the client certificate.
Most of this software and these protocols were not designed with privacy as a primary concern. Even if they were, there is info that they decided was okay to leak. However, it should be up to the users to decide whether the design decisions were reasonable for their own use case. Even though many of these metadata leaks seem like targeted surveillance, it's actually scalable and can be adapted to mass surveillance.
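Added example, not part of yange's comment or of the thread: a check for the EXIF case mentioned above, which walks the segment headers of a JPEG, reports any EXIF block, and writes a copy without it. The sample image bytes and the function names are constructed for illustration; the parser assumes the common layout of length-prefixed segments followed by one scan.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, offset, total_size) for each segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, 2 + length
        if marker == 0xDA:  # SOS: compressed pixel data follows, stop here
            return
        pos += 2 + length

def find_exif(data):
    """Return (offset, size) of every APP1 segment that carries EXIF."""
    return [(off, size) for m, off, size in jpeg_segments(data)
            if m == 0xE1 and data[off + 4:off + 10] == b"Exif\x00\x00"]

def strip_exif(data):
    """Return the image bytes with EXIF segments removed, everything else intact."""
    out, prev = bytearray(), 0
    for off, size in find_exif(data):
        out += data[prev:off]
        prev = off + size
    out += data[prev:]
    return bytes(out)

def _segment(marker, payload):
    # Helper used only to build the constructed sample below.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, JFIF header, EXIF block, start of scan, EOI.
SAMPLE = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xE1, b"Exif\x00\x00" + b"II*\x00" + b"constructed GPS/camera tags")
          + _segment(0xDA, b"\x00" * 6) + b"\x12\x34" + b"\xff\xd9")

if __name__ == "__main__":
    print("EXIF segments (offset, size):", find_exif(SAMPLE))
    print("after stripping:", find_exif(strip_exif(SAMPLE)))
```

This removes EXIF only; other metadata carriers such as XMP (also in APP1) or IPTC (APP13) use different headers and would need their own checks.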
by walterbell on 1/10/19, 3:52 PM
by skilled on 1/10/19, 3:05 PM
by throw1984 on 1/10/19, 1:13 PM
by ericcholis on 1/10/19, 4:36 PM
by Maximus9000 on 1/10/19, 3:58 PM
by bungie4 on 1/10/19, 8:18 PM
by mtgx on 1/10/19, 1:20 PM
“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”
https://www.goodreads.com/quotes/7308507-arguing-that-you-do...
But ultimately, the idea that you want privacy because you have something bad to hide is a deeply flawed one, pushed by governments, maybe not necessarily because they are "evil" and want to abuse that power (although that certainly seems a factor to consider lately), but also because pretty much the only times they do want to bypass privacy laws is when they deal with criminals. So that gives them a very narrow view of the issue. When all you have is a hammer, every problem looks like a nail.
Privacy is both about "keeping things to yourself" and not wanting others to know everything there is to know about you for no good reason, as well as to protect yourself against potential abuses (from governments, but also criminals, unscrupulous companies, etc) that can't be predicted ahead of time. There are thousands of potential uses for the data, like say using your data to manipulate you with ads during elections, make you buy anti-depressants, make you pay higher insurance, and so on.