• 0 Posts
  • 12 Comments
Joined 2 months ago
Cake day: March 30th, 2026

  • There are cases where Iranian feminist authors and freedom fighters live in exile — for instance in Germany — and use their phones completely normally, whether Apple, Android, or whatever else. Yet Iranian agents still manage to track them. The reason is that the data is simply bought from data brokers: the Iranian regime purchases it and then sends people to observe these women in person.

    Data broker tracking can be curtailed with a VPN, but a VPN alone does relatively little. What matters more is blending into the largest possible crowd. The point of using something like a default Firefox setup isn’t the browser itself — it’s that you end up with the same screen resolution, the same fonts, the same default settings that the largest number of people on the planet also have. If your browser deviates from that baseline, then details such as when you’re online, which apps you’ve installed, which websites you visit, which fonts and add-ons you have, your browser settings, your user agent, and so on, can uniquely identify you or single you out. The whole game is to keep the indistinguishable mass as big as possible: if someone knows the person they’re hunting is in a certain group, you want that group to be huge.

    Once that fingerprint is known, you can be re-identified even under a different IP. So the data brokers who buy data from Facebook, Instagram, or wherever still have what they need. It’s also been shown that apps communicate with each other in ways that allow unique attribution across them. And depending on which country you live in, default regional versions — US builds, Apple US, and the like — aren’t necessarily privacy-compliant; whether that’s actually illegal depends on the jurisdiction.

    On a desktop PC, the situation is similar. There it depends heavily on which browser you use. If you take a browser with completely default settings and then surf either with or without a VPN, you’ll be recognized all the same — meaning users can be de-anonymized regardless. So it really doesn’t help much at all.

    And while we’re at it — go on, tell me what exactly in my last message you think I didn’t come up with myself. Be specific. Which sentence, which idea? I’d genuinely like to know what you think was put in my head.


  • VPN-alone is weak opsec. It changes your exit IP and that’s the whole trick. Meanwhile your browser leaks entropy everywhere: user agent, screen size, timezone, installed fonts, canvas/WebGL hashes, audio fingerprint, and your extension list — each add-on detectable through web-accessible resources, injected DOM, blocked bait requests, or timing tells. uBlock + Privacy Badger + Stylus + some niche translator + Vimium = probably a globally unique signature that follows you across every VPN exit you use. EFF’s Cover Your Tracks has been showing this for a decade. Customization is identity. And WebRTC just hands your real IP over anyway. STUN requests for peer discovery go straight through the tunnel in most default setups and leak both your local and real public IP to any page that asks — VPN connected, doesn’t matter. DNS leaks work the same way: if the OS resolver isn’t forced through the tunnel, you’re querying your ISP while pretending to be in Romania. Add OS telemetry, background apps phoning home, clock skew, TLS fingerprints (JA3/JA4) — none of which a VPN touches — and the “I’m anonymous because VPN xyz” idea falls apart. Tor Browser exists exactly because the only winning move against fingerprinting is to look identical to everyone else. Anything custom is a name tag.
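
The anonymity-set reasoning in the two comments above, as an added example that is not part of the original comments: it groups a constructed population by the attributes a page can read (the exit IP is left out on purpose) and measures how identifying each configuration is. Every visitor record, IP address and the `Firefox/128` string is a made-up sample value; the function names are hypothetical.

```javascript
// Constructed sample population: five stock browsers, two with one common
// add-on, one heavily customised profile. All values are invented.
const base = { ua: "Firefox/128", screen: "1920x1080", tz: "UTC", fonts: "default", extensions: [] };
const population = [
  ...[1, 2, 3, 4, 5].map(i => ({ ...base, id: `default-${i}`, ip: `198.51.100.${i}` })),
  { ...base, id: "adblock-1", ip: "203.0.113.7", extensions: ["uBlock"] },
  { ...base, id: "adblock-2", ip: "203.0.113.8", extensions: ["uBlock"] },
  { ...base, id: "custom", ip: "203.0.113.9", tz: "Europe/Berlin",
    extensions: ["uBlock", "Privacy Badger", "Stylus", "Vimium"] },
];

// Attributes a page can observe. The IP is not part of the fingerprint,
// which is why changing it does not change the result.
const FIELDS = ["ua", "screen", "tz", "fonts", "extensions"];

// Canonical fingerprint string; extension order must not matter.
function fingerprint(v, fields = FIELDS) {
  return fields
    .map(f => (Array.isArray(v[f]) ? [...v[f]].sort().join("+") : String(v[f])))
    .join("|");
}

// Size of the crowd each fingerprint hides in.
function anonymitySets(pop, fields = FIELDS) {
  const sets = new Map();
  for (const v of pop) {
    const key = fingerprint(v, fields);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Identifying information in bits: -log2(share of population with this fingerprint).
function surprisalBits(v, pop, fields = FIELDS) {
  const n = anonymitySets(pop, fields).get(fingerprint(v, fields)) || 0;
  return n === 0 ? Infinity : -Math.log2(n / pop.length);
}

// Who could a later observation be, judged by fingerprint alone?
function reidentify(observation, pop, fields = FIELDS) {
  const key = fingerprint(observation, fields);
  return pop.filter(v => fingerprint(v, fields) === key).map(v => v.id);
}

// Same two users, seen again from new VPN exit addresses (constructed).
const customViaVpn = { ...population[7], ip: "192.0.2.44" };
const defaultViaVpn = { ...population[0], ip: "192.0.2.45" };
console.log(reidentify(customViaVpn, population), surprisalBits(customViaVpn, population));
console.log(reidentify(defaultViaVpn, population).length, surprisalBits(defaultViaVpn, population));
```

The customised profile maps back to a single record from any exit address, while the stock profile stays one of five candidates.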




  • Hi, nice and interesting website. While reading through the first bit, I noticed that you regularly criticize the Israel conflicts and I just can’t shake the idea that it would be kind of difficult to maintain the content when the situation in the conflict zones might somewhat change/shift. I share the criticism and solely want to point out that the information on privacy/security hardening will most likely be relevant long term while the conflicts will just end hopefully ‘soon’. Let me know if I shall elaborate.

    Check out Mullvad Browser and their VPN. Also who historically built it. Tor Browser had a huge vulnerability for nearly a year and the intelligence agencies and other shady entities IDed a bunch of people (also political activists).

    I read about the WebRTC setting, which is important and can leak DNS even when using VPN. AFAIK, when enabled, it can also enable torrent streams which can pose legal problems for the users, who think they use some random streaming page. Did you suggest any VPN besides Tor? You watch (1440p?) YouTube how exactly and how slow is it? Because I find it difficult to let go of YouTube but I hate Alphabet/Meta. Did you mention browser agents and window size? We can randomize some settings to be less recognizable. I find it difficult to navigate the content, so my suggestion is for example to add collapsible footer links at the bottom and maybe a search.

    Did you suggest your own DNS resolver/filter like Pi-hole/AdGuard?

    You mentioned Fairphone. Do you know about GrapheneOS? This is the end game of degoogled phones. Right now it is only compatible with Google Pixel phones, solely because they are the only ones having the granularity of control over the hardware. (Chipset makers need to deliver drivers with adequate access/control over it). This will change soon as Motorola will release compatible phones soon to meet the GrapheneOS specs.

    F-Droid is difficult. I know the focus here is privacy, but the APK signatures of the devs get overwritten by F-Droid. https://privsec.dev/posts/android/f-droid-security-issues/ So what GrapheneOS users like me usually do is use the app Obtainium and preferably import from GitHub and cross-reference the signature directly. So you access the apps directly from source.

    I also like this site: https://www.privacytools.io/





  • I summarized what I want hosted with user count and searched for the minimum total cost for running these services reliably 24/7 for 15 years. I found some really nice platforms and CPU combinations. To my shame I asked in the Reddit NixOS sub if a platform I found is compatible with NixOS so I think some subs are only viable with enough total users. I wouldn’t have thought to post that in Lemmy just because I don’t know where.

    Maybe we could share some IT themed lemmies? I am in a few: foss, linux, privacy, cybersecurity.

    With best regards, iig