The history of virtual private networks (VPNs) can be dated back to 1996, when a Microsoft employee developed a peer-to-peer tunnelling protocol (PPTP). Work on a related technology, IPsec, had, however, been going on for a couple of years by that point at places like Columbia University, AT&T Bell Labs, and the Naval Research Library, which received a grant from DARPA.
Since then, the technology has improved and spread to a point where every YouTube video seems to be sponsored by one of the VPN service providers. Nevertheless, the technology was initially meant to be used by businesses and not private individuals. Its goal was to allow site-to-site connections and remote access to private local networks, not to hide your identity when posting racist frogs on 4chan.
A local network is just a bunch of computers and sometimes servers directly connected to each other. Simply put, if one is not present at the physical location of the network, he won’t be able to access it.
Clearly, this can be quite limiting; hence the invention of VPN technology. It allows the creation of an encrypted connection between such a network and another device through the Internet – one could say that it creates a private “Internet” within the Internet.
This kind of setup offers privacy and security for the data transferred, but it’s not fully anonymous, since the owner of the VPN server can see all the traffic coming through the server (depending on configuration, this might include all the traffic of a connected device).
Unfortunately, the VPN was never created for the purposes that every YouTuber claims it was. “Anonymity”, “security”, “military grade encryption”, “perfect privacy when browsing the web”, etc. are all nonsense.
Rarely do products so widely advertised provide anything of value, and this one is no different. Though there are cases where a good VPN is beneficial, one cannot transcend the natural limitation of the Internet – it was never meant to be private.
The Internet is inherently public. Whenever you visit a website or use an app, you connect to a server which, in essence, is someone else’s computer. And the owner of that computer knows exactly who you are, what you do, and where you’re coming from.
Just like when you take a stroll through the shite-smeared streets of Dublin City, your actions are public and anyone with nothing better to do than to spy on you will know exactly who you are (how you look), where you’re going, and which direction you came from.
The only way to maintain some level of privacy is to be anonymous by blending in with the crowd, that is, by wearing the most plain and common clothes possible, a black hat and sunglasses; and the more people do it the better for you. This is the essence of TOR (The Onion Router). However, before talking about TOR, let’s expand on the role a VPN might play in the life of a keyboard warrior.
A VPN provides end-to-end encryption between the user’s device and the VPN server, which is great when the server is under your control and has direct access to everything the user will need, just like businesses usually have.
With a personal VPN, the traffic between your device and the server will also be encrypted, but it must be decrypted on the server to fetch the wanted site. In the end, what happens is that you create a “safe” and “private” connection to an intermediary that then “openly” does whatever you asked it to do.
Such a setup will allow you to blend in with all other traffic coming from the VPN servers, but it won’t be even comparable to TOR since the entire traffic goes through a centralised service provider.
Your IP will be hidden from the websites you visit (sometimes), and your Internet Service Provider (ISP) won’t be able to see the websites you visit, only that you are connecting to a VPN. If you know that the local government has direct access to your ISP’s logs, this may be a great use case for a VPN, assuming the government didn’t make the same deal with the VPN provider, which is unlikely considering the cost of entering the VPN market and how easy it is to put a gag order on such a company.
Often advertisers will tell you that you should be using a VPN when connecting to a sketchy Wi-Fi because “something something unprotected something something hackers” and that “the VPN will create an encrypted tunnel and prevent any hackers from stealing your data”. Sounds good, except nowadays almost all data is sent through an encrypted tunnel by default. 100% of all websites you will visit during an average day (and 99% during a less-than-average day) will already implement end-to-end encryption through the HTTPS protocol (note the padlock icon in the address bar when you visit a site).
These days, whenever you attempt to connect to an insecure website (HTTP with no S at the end), the browser will block it or clearly inform you about the lack of encryption.
Moreover, though your ISP won’t know how much time you spent posting images of frogs on fascist forums, the VPN provider will, and, arguably, it can be more dangerous to you if you follow the advice of your favourite YouTuber. Most VPNs are data mining operations – unsurprising, considering that data is one of the most sought-after commodities.
Notably, ExpressVPN is owned by a corporation that used to specialise in ad-injections, Kape Technologies. Last year we also learned that ExpressVPN had a former U.S. intelligence operative turned UAE cyber-spy as a chief information officer… Certainly, nothing to worry about there.
And it’s not like other VPNs don’t glow brighter than the Sun. I mean, imagine that you want to see what the most paranoid schizos are connecting to, and you install software on their computers that is designed to read all that data and redirect it to a single choke point… not to mention the massive amounts of initial capital required to set up servers and run the marketing campaigns that most VPNs do these days… or the ease of connecting a small black box to their server (after their independent security audit, of course) that no one really knows what it’s doing, but you got a gag order so you can’t even mention it to anyone… Certainly, nothing to worry about there.
If you still decide to use a VPN, you should make sure that you do not leak any extra information about your identity. For a while, the WebRTC leak was a thing: even with a working VPN, a website could obtain a user’s real IP.
Thankfully, it no longer happens unless you explicitly accept camera/microphone access on a per-site basis, so be careful with that (note that some browsers allow you to mitigate the problem; for example, if you use Brave, you should check this).
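A self-check for the leak described above, as an added example that is not part of the original post: it reads the ICE candidate lines your own browser offers over WebRTC and lists every address that is not the VPN's exit IP. The sample SDP, the addresses and the function names are constructed for illustration.

```python
import ipaddress

def parse_candidate(line: str):
    """Return (type, address) for an SDP 'a=candidate:' line, else None."""
    line = line.strip()
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("candidate:"):
        return None
    # Layout: foundation component transport priority address port "typ" type ...
    fields = line.split()
    if len(fields) < 8 or fields[6] != "typ":
        return None
    return fields[7], fields[4]

def exposed_addresses(sdp: str, vpn_exit_ip: str):
    """List (candidate type, IP) pairs that reveal something other than the VPN exit."""
    findings = []
    for line in sdp.splitlines():
        parsed = parse_candidate(line)
        if parsed is None:
            continue
        ctype, addr = parsed
        if addr.endswith(".local"):      # mDNS name: the local IP is masked
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:               # not a literal IP, nothing to compare
            continue
        if str(ip) != vpn_exit_ip:
            findings.append((ctype, str(ip)))
    return findings

# Constructed sample: documentation-range IPs, made-up ports and foundations.
VPN_EXIT_IP = "203.0.113.50"
SAMPLE_SDP = """
a=ice-ufrag:F7gI
a=candidate:1 1 udp 2113937151 4f1c2a7e-9b1d-4c55-a0f3-1e2d3c4b5a69.local 54321 typ host generation 0
a=candidate:2 1 udp 1677729535 203.0.113.50 40000 typ srflx raddr 0.0.0.0 rport 0 generation 0
a=candidate:3 1 udp 1677729535 198.51.100.23 41000 typ srflx raddr 0.0.0.0 rport 0 generation 0
a=candidate:4 1 udp 2113937151 192.168.1.20 54322 typ host generation 0
"""

if __name__ == "__main__":
    for ctype, ip in exposed_addresses(SAMPLE_SDP, VPN_EXIT_IP):
        print(f"exposed outside the VPN: {ip} ({ctype} candidate)")
```

A `srflx` finding is the public address a STUN server saw, a `host` finding is a local interface address; an empty list means the candidates show only the VPN exit.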
But don’t think that just because you’re a normie and still use the Windows + Chrome combo you will be safe: websites may combine the fingerprinted data with your browsing habits by using cross-site trackers. Most modern web browsers have privacy settings to block third-party cookies, but as a good practice one should clean them regularly regardless.
Additionally, one should: spoof his user-agent (there’s a browser add-on for that), protect himself from tracking through CDNs (there’s also an add-on for that), block trackers, ads, third-party scripts, and media elements (there’s an add-on for all that too – uBlock Origin).
Finally, if you’re serious about privacy, you should block all JS as well. This step will be the one that will disrupt your browsing habits the most and, in some cases, straight-up break websites, but it will be worth it if you truly are a political dissident. At this point, however, if you decided to go to such great lengths, you might just ditch VPN and use TOR instead.
TOR was developed by the U.S. Navy to protect American intelligence communications online and is now the number one tool that you cannot go without when you try to hide your identity on the Internet.
Since it was developed by the feds, many might rightfully be sceptical whether it’s actually worth using. The list of funders is full of organisations run by people with dual citizenship that you wish you could [REDACTED].
One of them is the Open Technology Fund (OTF) (TOR donations by OTF), which inter alia donated a significant amount of money to the development of Signal (full list of their supported projects). OTF is a subsidiary of the U.S. Agency for Global Media, which was involved in many propaganda campaigns in the second half of the 20th century, including establishing Radio Free Asia. Honestly, their evil deeds deserve a whole book of their own – luckily for us, it already has been written by Yasha Levine.
Regardless, for a political dissident, TOR is a necessity. Even Edward Snowden has used it himself – if it’s good enough for him, it should be more than enough for you. Arguably, the glowboys have a lot of interest in keeping TOR users (reasonably) anonymous – they themselves use it. Most likely it was one of the reasons why the project was made public and freely available. As mentioned before, the power of TOR comes from giving everyone the same identity – it helps you disappear in a crowd. If the software were kept exclusive to government operations, the metaphorical crowd wouldn’t exist.
TOR is essentially a traffic analysis resistance tool. It doesn’t prevent data collection; it makes it so that whatever data is collected can’t be meaningfully deciphered and effectively utilised by three-letter agencies or advertisers. There exist security vulnerabilities that can (partially) deanonymize some users if the FBI decides to put a target on their back, so TOR is not a be-all and end-all solution. It’s just one of many tools that one should be systematically utilising.
TOR acts similarly to a VPN, but instead of routing your connection through a single, central server, it routes it through three (usually) independent relays/nodes (computers set up by volunteers), with each adding an extra layer of encryption. Hence, the entry node can see your IP but not the final destination, the middle node can’t see either, and the exit node can see the final destination but not the IP.
This provides greater privacy compared to a VPN since there’s no centralised member with full knowledge about your traffic. There’s no possibility of logging information on a single TOR network user without setting up honeypots or controlling a significant number of nodes (which is theoretically possible, thus TOR is not the ultimate solution to privacy). Moreover, TOR bridges let you hide the fact that you are using TOR from your ISP, but be mindful that, just like with VPNs, your connection will look different nevertheless.
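The three-relay layering described above, as an added sketch that is not from the original post and is not TOR's own code: the client wraps a request once per relay, each relay peels one layer, and the script records what each relay can observe. The SHA-256 keystream is a toy stand-in for real relay cryptography, and the relay names, keys and addresses are constructed.

```python
import hashlib
import json
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); NOT TOR's real cryptography."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, layer: dict) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, json.dumps(layer).encode())

def unseal(key: bytes, blob: bytes) -> dict:
    return json.loads(_xor_stream(key, blob[:16], blob[16:]))

def build_onion(path, keys, destination, request) -> bytes:
    """Client side: wrap the request once per relay, innermost layer for the exit."""
    hops = list(path[1:]) + [destination]
    payload = request
    for relay, nxt in reversed(list(zip(path, hops))):
        payload = seal(keys[relay], {"next": nxt, "payload": payload}).hex()
    return bytes.fromhex(payload)

def route(client_ip, path, keys, onion):
    """Each relay peels one layer; record only what that relay can observe."""
    seen, prev, payload = {}, client_ip, onion.hex()
    for relay in path:
        layer = unseal(keys[relay], bytes.fromhex(payload))
        seen[relay] = {"from": prev, "to": layer["next"]}
        prev, payload = relay, layer["payload"]
    return seen, payload  # payload: what the exit forwards to the destination

# Constructed sample values: made-up relay names, documentation-range client IP.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}
CLIENT, DEST = "198.51.100.23", "example.org"

def demo():
    return route(CLIENT, PATH, KEYS, build_onion(PATH, KEYS, DEST, "GET / HTTP/1.1"))

if __name__ == "__main__":
    views, delivered = demo()
    for relay, view in views.items():
        print(f"{relay:6} sees traffic from {view['from']} going to {view['to']}")
    print("exit forwards:", delivered)
```

The last line of output shows the exit relay holding the request itself, which is why the payload inside the onion should still be HTTPS.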
There are many things to be mindful of when using TOR to maximise one’s privacy/anonymity. The basic rules are as follows:
(1) do not use personal accounts;
(2) do not change TOR settings: no add-ons, plugins, full screen resolution, customisation;
(3) do not discuss personal information;
(4) use HTTPS;
(5) do not do anything else while using TOR; and for advanced users,
(6) use special distros such as Tails or Whonix.
If we enter the tin-foil-hat territory, one should use TOR on a dedicated device with Tails/Whonix and never do it near other devices to prevent ultrasonic cross-device tracking.
This is a mind-blowing technology, not necessarily due to its sophistication, but due to its spying capabilities. It’s uncertain how practical it is in the deanonymization of TOR users; however, it is possible to use it to leak a TOR user’s real IP – a proof of concept has been shown by security researchers at Black Hat EU and the 33rd Chaos Communication Congress.
Concluding, the Internet is inherently public and, thus, the only way to maintain privacy is to be anonymous. A VPN may be “fun” and increase your privacy if you’re using privacy-respecting providers that allow you to create pseudo-anonymous accounts (i.e. pay with crypto or cash over TOR without the need for email/phone/other identifiable information) like Mullvad does. However, to reach true privacy levels TOR is essential, though it’s not perfect on its own. Professional hackers or people of the Snowden-sort use multiple levels of protection and TOR is only one of them.
How much you should care about covering your online tracks will entirely depend on your threat model: if you plan insurrection, then it might be best to leave the Internet entirely and simply use pen and paper; on the other hand, if you don’t plan anything dangerous but you still care about privacy and making it harder for Google to create your online profile then start with simple steps such as using Brave or Firefox, enabling all or most privacy settings in your web browser, clearing your data often, and becoming an expert in cybersecurity.