PSA: VPNs can and probably do compromise your privacy

If you are located in a civilized, human rights respecting country in the western hemisphere, you should probably not be using a VPN[1].

[1] except on public WiFi and untrusted networks, which you should avoid using.

While I have found that the recommended VPN providers {Mullvad, Proton, IVPN} likely stick to their promise of not storing logs, they are flawed.

Every single VPN company on the planet depends on upstream networks out of their control. Proton operates a small network for their Switzerland servers, but the mere fact of connecting to them may still expose you[2]. I have reached out to several of their common upstream networks {M247 Europe SARL, Datacamp Limited, 31173 Services AB} with a simple question: do you collect NetFlow data? For how long is it retained? Do you share it with third parties (especially government agencies)?

The answers I have received have personally upset me: not a single provider responded saying they do not collect NetFlow data. One of the providers indicated NetFlow data is stored as long as 90 days. Only one of them was willing to answer whether NetFlow data is being shared with third parties, which they supposedly do not.

[2] Switzerland enacted a law requiring network operators with connections to other countries to mirror all traffic to the government. If you connect to a Switzerland based VPN server from outside Switzerland, you are making yourself blatantly visible to them.

To sum this up, 90% of all VPN servers have upstream networks collecting NetFlow data, sufficient to identify and match users to their traffic. In many cases, the (legal and especially technical) obstacles for monitoring individuals are significantly lower when using a VPN.

In light of this, if you need to remain anonymous, use a multi hop setup through jurisdictions that do not aggregate their NetFlow data. For example, routing traffic through a middle node in Russia or China can break the trail.

The battle for anonymity has long been lost and I am tremendously concerned about the implications this will have on the future of democracy.

1 Like

I mean, to mitigate other trust and security issues you should use some kind of multi hop or multi party setup anyways, but what countries would be best to include? Germany? Japan? Estonia? Russia? Really Russia? I would have never guessed Switzerland had those requirements for network operators.

I think you’ll enjoy this article:

The good news is that, end-to-end correlation (using netflow and whatnot) is a well known attack on anonymization networks, and it’s been studied for a long time. Mixnets can provide protection against such adversaries, so anonymity is not lost as you say. However, enhanced anonymity comes at the cost of increased latency and reduced bandwidth. For more information, you can explore the Nym ( @nym-product ) thread: Nym and NymVPN - Next-gen privacy with mixnet and VPN service

Also, I disagree with your suggestion that you’re better off not using a VPN. Using a popular VPN can help blend your traffic with that of other users, providing some level of privacy. If your VPN supports multi-hop connections or cover traffic, it can offer even stronger protection for casual browsing. But if your primary goal is anonymity rather than privacy, a VPN won’t give you that.

4 Likes

In general, you should probably route traffic away from all countries that are on good terms with the US, they all share intelligence. This usually boils down to China, Russia, India being the only real options.

In case of Switzerland, this law has existed for years but astonishingly there is almost no coverage in English about it. You can read more here with a translator: https://www.republik.ch/2024/01/09/der-bund-ueberwacht-uns-alle

People underestimate and do not realize to what lengths someone has to go to have a striking chance at remaining anonymous at this point. If you use Tor and all 3 nodes {entry, relay, exit} are in 14 eyes countries, odds are nearly 99% they can de anonymize you. Potentially not entirely passively, so Tor is not fully useless, but if you are a whistleblower risking potential lifetime imprisonment for treason you are gambling with your life at this point when relying on Tor.

This is troubling, since it aids the powers that be and continuously narrows the gap for individual freedom. What is the point of freedom of speech if everything you transmit on the Internet can be associated to you? This is equal to the government bugging every single street up to (your) driveway and generously sharing all recordings with countless other countries. Insanity if you really think about it.

Stopped reading after this. Dude thinks only the west is civilized.

2 Likes

You talk about VPNs and anonymity in the same sense. This leads me to believe that you believe VPNs provide anonymity? If this is the case, then you are not worth listening to because you are conflating basic info about privacy tech 101.

I also do not believe you wrote this yourself. And I also believe you are posting this to sound like an intellectual but those who are discerning will label you a pseudo intellectual which is more dangerous than a completely oblivious person.

Also, to write all that you have without providing external links to sources is more than suspect. And as terrible as Temu is, you have still managed to disparage it which is a feat on its own.

1 Like

I don’t know about Russia but China has made VPN usage illegal for citizens. If you manage to route your traffic through these countries, you are using a government-run server. You think they aren’t going to be collecting all that data?

1 Like

Not true.

India for example requires all VPN providers to log everything making the use useless and hence may as well be considered illegal but it is technically not illegal. This rule does not apply to corporate VPNs companies use however.

1 Like

Thank you for the correction. I’ve removed the incorrect information.

1 Like

I am not familiar with NetFlow, but I would appreciate if you at least shared screenshots of your exchanges.

this is a misconception. Most traffic nowadays is HTTPS, and you have other protections, so using public WiFi isn’t that bad security wise.

Apart from that, your post omits a lot of things. Using a VPN is better than not using one, because unless you are your own ISP, your ISP might log every single website you visit.

Also, you omit tech like Mullvad’s DAITA, which greatly reduces the amount of metadata present.

Also, this isn’t a PSA. It is an opinion.

3 Likes

For the record, you made this statement one posting after claiming I have not written the initial posting myself and posture about being knowledgeable.

NetFlow data, depending on which type {NetFlow, IPFIX, sFlow} is used for collection, will contain precise timing information for every {src_ip,dst_ip,src_port,dst_port} tuple.

Anyone with access to NetFlow data of a VPN server can fairly quickly establish the exact same relationships that would be apparent from logs provided by the VPN provider. The concept of blending in with other users is absolutely void because overlapping traffic is minimal, so the patterns persist.

I will not be addressing any of your other ad hominem posted above. Everything I have said is based on my own research and knowledge. I never stated VPNs would be an anonymization tool. If anything I am demonstrating how their usage leads to the opposite. I understand it might be world shattering for some self proclaimed experts that VPNs are practically dragnets.

In case of China and Russia, even more so. The point remains: data they collect will not automatically end up in a five eyes maintained database. Adding political obstacles to your countermeasures seems like one of the only options left.

I strongly disagree that this usually applies. It depends on the jurisdiction. Within the US, this could potentially be the case. Outside the US, it is most likely not the case. In fact, GDPR makes this practice illegal for ISPs.

VPN servers are valid targets for warrants given there will be illicit users and abuse. In most countries it will be more challenging to monitor an individual on a standard residential connection than if they present their traffic on a silver plate through a server in a data center they have NetFlow insight for.

1 Like

This article implies that ISPs perform NetFlow data sharing more intentionally than VPNs do, a bit contrary to the implications of this statement:

Anyway IVPN (mentioned in the OP) has an article specifically regarding this topic (the Vice article is similarly mentioned inside):

Of note are the quoted paragraphs below:

Nonetheless, it’s crucial to note that, besides the encrypted data, your ISP obtains a lot of information about your VPN from the NetFlow data. As the VPN service providers IP ranges are well known, your ISP can easily figure you are using a VPN, in addition to knowing the time you connect, the amount of data you transfer over the VPN and the location of the remote VPN server.

Although this information may seem insignificant, it can be exploited. For instance, it’s easy to determine the timing of your device usage, potentially the number of people in your house, and gather insights about how these people use the Internet.

And also more concerningly:

Unfortunately, a 2022 article from Vice has revealed that a US-based private company has been collecting NetFlow exports from many ISPs worldwide in exchange for Threat Intelligence analysis. As per the article, the number of involved ISPs suggests that it may represent roughly ninety percent of the global Internet traffic. Information about Team Cymru, the company that sells access to the consolidated NetFlows database, remains limited. It was found that their website contains a list of facts and myths about their services, though their claims cannot be verified. Nevertheless, it is evident that they are working on NetFlow aggregation.

Using the puzzle analogy again, Team Cymru has access to most of the puzzle pieces. While a single piece doesn’t hold enough information in the context of using a VPN, having many of them could potentially expose your Internet usage if they receive NetFlow exports from both your ISP and your VPN provider ISP. For example, traffic correlation using the packets timing becomes a lot easier when you know the delay between the user and their VPN provider acting as a proxy.

In 2024, the NSA stated to a US senator that they were buying NetFlow exports from ISPs as long as it involves traffic to or from the United States.

Ultimately I’d agree with the OP’s assertion that routing VPN traffic through nations unaffiliated with the US and its allies/intelligence partners (which it has many of) would be the ideal scenario and that anything else ultimately does not make you quite as private as prior assumed. I would disagree with the notion that VPNs do nothing though, but perhaps noting critical issues that can come with using them would serve better in the future than total dismissal.

2 Likes

The solution to this issue is Nym. The Nym mixnet was designed from the ground up to counter an adversary that can monitor its network through net-flow logs.

The only problem is that it’s not free like Tor is, and there aren’t OSes that restrict the entire system’s connection to Nym, like Whonix and Tails. You could theoretically make a “Nym Gateway” yourself with intermediate Linux knowledge. It’s also not a browser but just an anonymizing network, so you have to account for browser fingerprints yourself.

Its marketing as a “VPN” is misleading; it’s a mixnet, more akin to Tor than it is a VPN. Nodes are run by volunteers rather than a company.

It’s also slow. But unfortunately you need slow in order to defeat this kind of issue.

Mullvad’s DAITA (Defense Against AI-guided Traffic Analysis) also is meant to mitigate this issue and mitigates it by introducing random noise, standardizing packet sizes, and such. I wouldn’t consider it as “potent” as Nym and its 5-hop paranoia is, but it’s not nearly as slow.

2 Likes

:grimacing:

Unfortunately, countries which are unlikely to cooperate with “western” countries also tend to be ones which prohibit things like no-logs or uncensored VPNs. It’d be worthwhile finding jurisdictions which do not, but Russia and China aren’t among them.

2 Likes

If the threat model is such that there is worry about privacy being compromised by nation-state actors, then why not use Tor? Am I missing something? The limitations of VPNs are known in this community.

1 Like

  1. VPNs are not, and should not be, advertised as a countermeasure against mass surveillance actors like the NSA. That’s like recommending a knight’s iron armor for defense against a tank cannon.
  2. Tor is not designed against nation-state actors. See the infographic Tor Project made:

The issue is as follows; the NSA, GCHQ, German police, or any entity capable of surveilling large portions of the internet, could theoretically log data from known entry and exit nodes that fall within their jurisdictions - or wherever they have eavesdropping taps set up, which may be outside their countries(!) and de-anonymize Tor traffic through machine learning. Colluding ISPs can do the same. However, doing this would still be somewhat costly even for a government because we’re talking about a MASSIVE amount of traffic, and Tor nodes are distributed across a lot of ASNs.

If a Tor node hasn’t been set up to be surveilled as a part of the Tor network, such as a bridge unknown to them, a Snowflake proxy, or an entry node somewhere in a hostile country not controlled by them, then a user wouldn’t be entirely de-anonymized. De-anonymizing Snowflake users via ISP data would be especially difficult, because that necessitates collecting, storing and computing detailed data for everyone rather than a select few popular Tor nodes.

There are also legal constraints associated, too, depending on country. The NSA would not start de-anonymizing American users of darknet drug forums with eavesdropping data, because that would 1) be illegal for them to do this (though they don’t have the best track record of abiding by the law) and 2) the NSA is not a law enforcement organization. (The UK equivalent - GCHQ - is a different story).

It’s still unclear what progress, if any, governments have made against Tor since Snowden’s revelation that they were struggling against it a decade ago. There are tens of thousands of people doing very illegal things through Tor. But I wonder if there’s a day where ISPs will eventually team up to deanonymize Tor for advertising purposes.

Despite the possibility of de-anonymization, Tor can still be somewhat effective against nation-states, just not a perfect solution. It would be nice if Tor added traffic mixing, to keep up with the times. Nym is meant for that purpose, albeit it’s unpopular and has its own problems.

3 Likes

think it’s time to start looking beyond jurisdiction, privacy-preserving technologies must evolve to be secure even in the face of global collaboration between authorities. i know that’s a tall order but it has to happen or online anonymity is truly doomed; we need oblivious access CDNs, overlay networks with traffic mixing AND darknet functionality, and so much more.

as fond as i am of nym or any organization that attempts to combat traffic analysis, i have a feeling they will suffer the same fate as their predecessor, jondonym (not saying the two are related). it’s expensive, painfully slow (in anonymous mode or even without), has too much competition and a small user base, which makes users stand out more. the decision to transition to a paid vpn service was a major blunder in my mind, for something like nym to take off they need to have as many people using it as possible. i’m fully cognizant of the fact that they need funds in order to continue development, but my point still stands–it’s too pricey and needs considerable improvement.

i’m also curious whether something like mullvad’s DAITA could sufficiently obfuscate upstream netflow logs. even if traffic is collected by providers, would the data actually be usable?

1 Like
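
The exposure discussed in the NetFlow posts above, and the padding question raised in the last post, shown as an added example that is not from any poster in this thread: constructed per-second byte counts on both sides of a VPN server are scored with plain Pearson correlation, then scored again after constant-rate padding. The 1-second resolution, the names and numbers, and the padding model are assumptions made here; the padding is a simplification and not Mullvad's DAITA.

```python
from math import sqrt

# Constructed sample data: bytes per 1-second bin, as flow records with
# fine-grained timestamps would show them at a VPN server's upstream network.
INGRESS = {  # encrypted tunnel traffic, client -> VPN server
    "client_a": [1200, 0, 0, 48000, 51000, 0, 0, 900, 0, 30000],
    "client_b": [0, 22000, 21000, 0, 0, 0, 15000, 0, 0, 0],
}
EGRESS = {  # forwarded traffic, VPN server -> destination
    "dst_x": [0, 20500, 19800, 0, 0, 0, 14100, 0, 0, 0],
    "dst_y": [1100, 0, 0, 45000, 48500, 0, 0, 800, 0, 28000],
}

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant (no signal)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def exposed_pairs(ingress, egress, threshold=0.9):
    """(client, destination) pairs whose volume-over-time shapes line up."""
    return sorted((c, d) for c, i in ingress.items()
                  for d, e in egress.items() if pearson(i, e) >= threshold)

def pad_constant(series, rate):
    """Assumed mitigation: fill every bin up to a fixed rate with cover traffic."""
    return [max(b, rate) for b in series]

def overhead(series, rate):
    """Bandwidth cost of padding, as a multiple of the real traffic."""
    return sum(pad_constant(series, rate)) / sum(series)

if __name__ == "__main__":
    print("unpadded:", exposed_pairs(INGRESS, EGRESS))
    padded = {c: pad_constant(s, 64000) for c, s in INGRESS.items()}
    print("padded:  ", exposed_pairs(padded, EGRESS))
    print("cost: %.1fx" % overhead(INGRESS["client_a"], 64000))
```

In this constructed data, the payload encryption hides nothing about the volume-over-time shape, and flattening that shape removes the signal only at several times the real bandwidth, which is the latency and bandwidth trade-off mentioned earlier in the thread.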