One question that I often see asked is, if I start using a VPN, am I instantly ‘anonymous’? Well, the answer is almost certainly no, but the long answer is, it depends. See, because of cookies, you can have one long session over the course of days or weeks and with many different IP addresses. Your home wifi, your cellular connection, the school library, and coffee shop wifi all have different IP address. That’s part of a globally connected world and thus why providers don’t harass you every time your IP changes. This concept of one account, many identifying bits is not a new concept. You can lose your library card and get issued a new card and account number – that doesn’t absolve you of any restrictions or overdue fees. You can have one Verizon Wireless account for 10 years and change your phone number multiple times, Verizon will always know it’s you.
Past v. Future
That doesn’t mean everything is futile and there’s no point. You can certainly take action and protect your identity or enhance your security moving forward. But make no mistake, any account or service you have used with your exposed residential IP address should be burned. Or, alternatively, you could continue using that account for routine benign usage. That’s how you develop noise and obfuscation. Many of these concepts are tied in closely to the gray man philosophy. The number one goal for 99% of users is obfuscating your digital footprint without making it obvious that you are doing so.
On a side note, but related to this topic, just because you are using a no-long VPN does not mean that they have a “won’t log” policy. Sure, we have seen reports from various VPNs who have been audited and do indeed keep no logs. That does not stop them from receiving a court order to start logging. You should absolutely be checking your VPN / email provider for warrant canaries which is a silent way of them communicating to their users that they have received a warrant or subpoena for information.
This exact scenario happened in 2021 when email provider ProtonMail complied with a court order that let to the arrest of a French activist.[1] Does this mean you should stop using ProtonMail? Well, like most situations – it depends. Are you actively engaging in behavior that is either currently illegal or could potentially become illegal in the future? Who is after you and how bad do they want you? These are questions, that again, “don’t matter” for the average person seeking a bit more privacy.
At the end of the day, there is one question you really have to ask yourself – if you are using a free product or paying as little as a couple bucks a month, is your provider really going to jeopardize their entire business over one customer? Absolutely not. On a small scale like a DMCA request, they can placate the company by saying they’ve given their naughty customer a strike, or have terminated their account. But on a larger scale? Don’t fool yourself – they will flip on you in a heartbeat.
Take a look at NordVPN – one of the most well known and ubiquitous VPN providers who offers a full suite of privacy products. They capitalize on the fear of every day citizens making them feel like they are under constant threat of being hacked. They very publicly drew a line in the sand saying that they are not a safe haven for cybercriminals and wanted to distance themselves from shady providers[2]. What does this ultimately mean for you, the customer? According to NordVPN they “would do everything to legally challenge them.” Remember when I talked about free services, or cheap services? Don’t fool yourself thinking that NordVPN, or any provider, will spend hundreds of thousands of dollars on litigation in court just to protect one customer.
Threat model is everything
I know it’s probably the most repeated phrase on this website, but it’s the truth. There is a trade off between using a VPN and the sacrifices you make. Tor Browser, for instance, is great for staying anonymous, but it would be a terrible choice for your daily usage. It’s slow, and nearly all exit node IPs are blacklisted. Try to log in to just about any website and you’ll get captcha after captcha.
References
- “ProtonMail court order leads to the arrest of French climate activist” The Verge, Sep 2021
- “NordVPN: Actually, We Do Comply With Law Enforcement Data Requests” PCMag, Jan 2022