I argue that VPNs are bad for the user, especially if the user is a dissenter from the status quo.

VPNs present a centralized point of monitoring

Similarly to your ISP or a CDN, a VPN could just get handed a National Security Letter (or your state's equivalent) to start logging your traffic without letting you know. Of course many of them say they don't log users.

A government that monitors VPNs in addition to, say, ISPs would pay the VPNs more attention, because VPN users are more interested in privacy.

In addition, if you pay a VPN using a credit card, the payment company now knows you are up to no good, and might blacklist you.

VPNs use proprietary software

Some VPN providers offer OpenVPN or some other free-software solution, but many use proprietary software. This has several implications:

  1. It is much more difficult to inspect what the software does. The software could be buggy or could spy on you.
  2. Constant updates might introduce new issues even after you inspect an old version of the software.
  3. The software might install new root certificates on your system, allowing the vendor to impersonate or man-in-the-middle any website, like Lenovo's Superfish (the same is true of any otherwise-legitimate certificate authority).
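
One way to check for point 3 is to snapshot your trusted-root bundle before installing a client and compare fingerprints afterwards. The following is an added example, not part of the original post; the function names and the sample bundles are assumptions, and the sample "certificates" are constructed placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))  # tolerate line wraps
        found.add(hashlib.sha256(der).hexdigest())
    return found

def diff_trust_store(baseline_pem, current_pem):
    """Return (added, removed) fingerprints relative to the baseline."""
    before, after = fingerprints(baseline_pem), fingerprints(current_pem)
    return sorted(after - before), sorted(before - after)

def pem_wrap(blob):
    # Constructed placeholder: wraps arbitrary bytes, not a real certificate.
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample bundles: a snapshot before and after installing a client.
BASELINE = pem_wrap(b"constructed-root-A") + pem_wrap(b"constructed-root-B")
CURRENT = BASELINE + pem_wrap(b"constructed-root-added-by-installer")

if __name__ == "__main__":
    added, removed = diff_trust_store(BASELINE, CURRENT)
    print("added roots:", added)
    print("removed roots:", removed)
```

Any fingerprint in the "added" list that you cannot trace to an operating system update deserves a closer look before you trust the machine again.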

Depending on your skill and wealth, and on the importance and sensitivity of the information you are transferring, you might want to audit or inspect the source code of the software you will use, build it from the inspected source, and avoid prebuilt binaries.

In addition, you need to seriously consider the trustworthiness of your service provider. One that pushes binary software that is meant to somehow offer you protection raises a red flag.

Real options: Tor, I2P, Freenet

Onions in the dark are good for you; CC-BY-SA Credit: Colin @ wikimedia.org

Tor (The Onion Router)

Tor works by wrapping your traffic in layers of encrypted instructions that describe a route through volunteer-run relays of the Tor network, eventually "exiting" to the open Internet or reaching a hidden service. Each volunteer relay decrypts the instructions targeted at it and forwards what is left to the next relay as instructed, without knowing the final destination or the payload. Such decryption is analogous to peeling layers of an onion - hence the name.
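
The layering described above, as an added toy model that is not part of the original post and is not Tor's code. The relay names, keys and function names are assumptions, and a hash-based XOR stream stands in for Tor's real cryptography.

```python
import hashlib
import json

def xor_stream(key, data):
    # Toy stream cipher (SHA-256 in counter mode). A stand-in for real
    # cryptography: unauthenticated and unsafe outside this illustration.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, destination, payload):
    """Build the onion innermost-first. route is [(relay_name, key), ...]."""
    hops = [name for name, _ in route] + [destination]
    blob = payload
    for i in reversed(range(len(route))):
        layer = json.dumps({"next": hops[i + 1], "data": blob.hex()})
        blob = xor_stream(route[i][1], layer.encode())
    return blob

def peel(key, blob):
    """One relay's job: strip its own layer, learn only the next hop."""
    layer = json.loads(xor_stream(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def relay_views(route, cell):
    """Walk the route, recording what each relay learns. Returns (views, payload)."""
    views = []
    for name, key in route:
        next_hop, cell = peel(key, cell)
        views.append((name, next_hop))
    return views, cell

# Constructed sample: three hypothetical relays with per-relay keys.
ROUTE = [("guard", b"key-1"), ("middle", b"key-2"), ("exit", b"key-3")]

if __name__ == "__main__":
    cell = wrap(ROUTE, "example.org:443", b"GET / HTTP/1.1")
    for relay, next_hop in relay_views(ROUTE, cell)[0]:
        print(relay, "forwards to", next_hop)
```

Only the last relay ever sees the destination and the payload; the first relay, which knows who you are, sees nothing but the name of the next hop and an opaque blob.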

It would be impractical to send National Security Letters to relays around the world, and foreign relays would likely not be bound by them. I believe you should choose an exit node, correspondent, and/or relays outside of your current jurisdiction (e.g. US -> EU, Russia, China, Iran...); export control lists are handy here. Still, a lot of network relays or exit nodes might be run by governments.

WikiLeaks has a Tor address for the disclosure of leaks, which means this institution that leaked information about US war crimes trusts Tor.

Note that they have a long address; be wary of short addresses, since, for example, Facebook's vanity onion address is made up entirely of English words - facebookcorewwwi.onion. Version 3 onion addresses are longer and more secure.
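
To tell the two address formats apart, and to catch a mistyped or tampered version 3 address before you connect, you can verify the checksum that every v3 address carries. This is an added example, not part of the original post; the function names and the sample key are assumptions, and the encoding follows Tor's published v3 address format.

```python
import base64
import hashlib

def v3_checksum(pubkey):
    # v3 format: SHA3-256(".onion checksum" || pubkey || version)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def encode_v3(pubkey):
    """Build a v3 address from a 32-byte ed25519 public key."""
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def onion_version(host):
    """Classify a hostname as 'v3', 'v2', 'invalid' or 'not-onion'."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[:-len(".onion")].split(".")[-1]  # ignore any subdomain
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # bad characters or impossible length
        return "invalid"
    if len(label) == 16:
        return "v2"  # old short format, no longer supported by Tor
    if len(label) != 56:
        return "invalid"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != v3_checksum(pubkey):
        return "invalid"
    return "v3"

# Constructed sample key: 32 placeholder bytes, not a real service's key.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    for host in (encode_v3(SAMPLE_KEY), "facebookcorewwwi.onion", "example.org"):
        print(host, "->", onion_version(host))
```

A passing checksum only proves the address is well-formed; you still need to get the address itself from a source you trust.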

Tor Browser is an easy way to become a lot harder to track, and it is pretty well-tested, Tor being perhaps the largest anonymity network.

I2P (Invisible Internet Protocol)

I2P works similarly to Tor, except that it uses garlic routing - multiple messages ("bulbs" or "cloves") get grouped together, which supposedly makes the traffic harder to deanonymize.

I2P is a bit harder to use, since it is not as nicely packaged as Tor Browser and requires you to run the Router manually, in addition to your browser.

Also, in order to access the open Internet, as opposed to anonymous I2P sites, you need an "Outproxy", of which there are quite few, whereas hidden services have better support.

Both of these networks have a vulnerability, because ISPs might statistically correlate the endpoints of traffic at the request of a government. For instance, they could single you out based on the exact timestamps of your requests, and notice that another computer has network activity with sufficiently similar timestamps (serving your requests).

This kind of surveillance can be performed by malicious intermediary network relays as well - perhaps that is why there was a significant uptick in Chinese I2P routers starting June 2020, right before US elections, for instance.

Freenet

Freenet was created for more difficult situations, and does not have this specific weakness. Not only is Freenet supposed to offer some anonymity, but nodes also act as a data cache. This way, your content is available from many nodes, and you do not have to be online in order to serve it, and any surveillance will find it hard to pinpoint the original source of the content.

Most importantly, this ensures that popular-enough content is very censorship-resistant. But it has the disadvantage that dynamic content is much harder to implement.

Closing

It is up to you to figure out the most appropriate technology for your speech.

It is a noble mission to expose corrupt governments that want you silenced, but it is also very risky. I hope you find these tools useful, and that you use them in a well-thought-out Operations Security context. You also need a trustworthy operating system, hardware, network, and penpal.

Good luck!
