Having chosen to not take refuge under a large, dense object for the last several years (not that i'd blame you), you're probably aware of how fragile privacy, and thus freedom has become in the digital age. At the network level a lot of people (including Ed) recommend The Onion Router (Tor) in order to protect ones privacy. Others prefer using a Virtual Private Network (VPN) and still others recommend using both with a VPN preceding the connection to Tor. If you're wondering what i recommend, i don't; i'll leave that up to you to since it's not a one-size-fits-all thing and, more importantly, i'm not qualified to make such a suggestion. What i would like to do however is point out some of the differences between the two as i see them because each has distinct advantages and disadvantages.
- Using the Tor network is free, as is the Tor Browser, a privacy and security hardened version of Firefox which is used to connect to the Tor network. The Tor Project source code is public and the servers can be run by anyone, including people or organizations which may be malicious, however there is debate as to how much impact a malicious operator can have. Using a VPN will cost you roughly $5 to $10 per month and a lot of the companies providing VPN services are highly unethical. As a rule of thumb, never trust a VPN provider offering their service for free!
- While it is true that no VPN can be fully trusted regarding security and privacy, the same is true for the Tor network (see for example, Tor Network Compromised by Single Hacker Stealing Users' Bitcoin: Report and 'You Are Not Anonymous on Tor' - Study Shows Privacy Network Offers Superficial Anonymity). We know there is a massive amount of money to be made in the malware department and vendors, many of which sell exploits to governments and intelligence communities, have little or no incentive to disclose the vulnerabilities they discover. These vulnerabilities can remain secret for weeks, months, or years. Knowing this, i think it is dangerously illogical to conclude that anything is completely secure, including the Tor network.
- Picking a bad VPN that logs traffic and doesn't respect your privacy is easier than getting your drone stuck in a tree, however there is only one Tor Project and one Tor Browser and the source code for both is public and auditable by anyone.
- When using the Tor network, it is strongly suggested to use the Tor Browser in its default configuration. Remaining anonymous on the network depends heavily on uniformity and so, with few exceptions, you can kiss your beloved add-ons goodbye. With a VPN one has more choices as to what browser and add-ons they use, though these choices must be weighed carefully.
- Avoiding browser fingerprinting and tracking is much easier to achieve with Tor, while preventing fingerprinting outside of Tor is quite difficult whether using a VPN or not. In both cases however, the websites you visit will not know your physical location and will be less able to fingerprint and track your browser as long as you take some necessary precautions. That said, nothing can protect your privacy if you log on to privacy toxic surveillance platforms like Facebook, Instagram, Twitter, Google, YouTube, etc., using your real identity or the same credentials you used prior to using Tor or a VPN.
- Because of the layers of encryption that Tor employs, bandwidth limitations, the load on the nodes, etc., Tor will generally provide a slower web experience, higher latency, and a less stable connection than a good VPN. This problem is exacerbated if one adds more nodes to the Tor circuit. File sharing is discouraged with Tor and latency sensitive gaming is out of the question. Even watching high definition videos can be problematic.
- Tor may insulate users from a malicious operator better than a VPN, partly because a Tor circuit is composed of multiple nodes whereas a VPN usually presents a single point of attack. Though some VPN providers offer an option to route traffic through more than one node, all the nodes are controlled by the same company. One could chain multiple VPNs, but then the price increases.
- Different people require different levels of privacy. A journalist wishing to communicate privately with a source may be better off using Tor. On the other hand, someone wanting to download copyrighted content whilst avoiding nasty-grams from their ISP, or stream high resolution videos or most other non-sensitive and bandwidth intensive activities, may be better off with a VPN.
- With Tor it is non-trivial (and ill advised) to choose what exit node you want to use, whereas any good VPN provider will allow you to connect to any of their servers and usually this requires only a couple of clicks using their client software. One advantage of being able to choose among servers is the ability to access content which is blocked in a particular geographical region, such as certain videos.
- VPN client software may not be open source and may not respect your privacy even if it is, however any good VPN provider will allow connections using other methods, such as with OpenVPN or, perhaps better yet, WireGuard. This issue is non-existent with Tor.
- Both Tor exit nodes and VPN nodes are subject to having their IP addresses blacklisted by governments, corporate websites, and even private website owners which results in the inability to connect to them. In the case of a VPN this is fairly rare in my personal experience, however those who shop online are more likely to have trouble with either Tor or a VPN, though the problem may be exacerbated with Tor. With a VPN one can always switch nodes.
- Choosing to use Tor is a simple yes or no decision, while choosing to use a VPN requires serious research in order to locate a trustworthy provider. The VPN market is exploding and so are the number of ethically retarded providers. Be careful when reading VPN "reviews" because many of them are written by VPN providers or their paid bloggers. I've had several offers from VPN providers asking me to post content here in exchange for money (i always turn them down).
- The only traffic routed through the Tor network when using the Tor Browser is the web traffic generated by your browser, whereas with a VPN, typically all network traffic generated by your computer is routed through the VPN. With a suitable router you also have the option to set up the VPN on the router so that anything that connects to your local network will be routed through the VPN. This is fairly easy to do with routers that support it, or those for which you can install custom firmware, such as DD-WRT or the formidable and open Turris Omnia or Vikings routers.
- An entire Tor network, including the entrance and exit nodes, can be run on a single machine using software such as The Shadow Simulator. This may present serious privacy/security issues that undermine Tor network layering if a Tor network is created by a malicious party such as an ISP or law enforcement.
Because of the garbage disseminated in the mainstream media, much of the public sees Tor as being synonymous with the 'Dark Web' which many believe is nothing more than a haven for criminals. Tor is simply a tool and like any tool it can be used by bad people to do bad things or good people to do good things. For the average person wanting to protect their privacy the Tor network simply provides a portal to access the same websites one visits every day, but in a more private and secure way. That said, yes, there is a 'dark' web that is accessible only through software like Tor and while some of the content available in that sector is indeed illegal and extremely offensive, there is also a lot of quality content which is otherwise censored on the open web.
Some people believe that using Tor will attract the attention of the intelligence community. While it is apparently true that using encryption will raise the eyebrow of 'The Man', such criminal spying on the public by governments is not at all limited to those using Tor. More importantly, our inherent right of free speech is under severe attack not only by governments, but by ourselves as individuals simply because those who believe they are being watched tend to self-censor. This is a very dangerous situation because we cannot work toward a free and transparent society if our ability to communicate is compromised.
I'm hesitant to recommend a VPN provider if you decide to go that route, however in the interest of hopefully steering you away from much of the garbage out there, i will offer my personal insight.
NordVPN is a huge player in the VPN market and i have used them in the past, however the size of the company and their cheap prices has always bothered me. Nords service wasn't very good either, for several reasons, one being the stability of the connection and another being blacklisted IP addresses. Many speak highly of Mullvad VPN and it is recommended by PrivacyTools, though i have no experience with them. I have also used AirVPN which i rather liked, but it has its caveats also.
More recently i switched from Nord to AzireVPN, a small and unique Swedish company that focuses on the WireGuard protocol which has some distinct advantages over OpenVPN. There are a few key reasons i switched to Azire, one being that they own and install their hardware rather than lease it like virtually everyone else, Nord and Mullvad included. They also employ some very interesting security measures to prevent tampering, including physically plugging ports and running everything in RAM. This is the only company i know of that takes these precautions. Regarding performance i have had next to zero trouble with their service and latency and bandwidth has been excellent. Unlike Nord, i haven't had to switch server locations every few days because of service degradation or blacklisted nodes. Lastly, Azire accepts cryptocurrency so you can purchase their service anonymously without having to provide any personal information. If you choose Azire, please consider using my affiliate link which gives me some free time with them.
FreePN is also another interesting player in the privacy market. This project is building a free, open-source, distributed VPN service similar to the Tor network. There are caveats with this service however, so please do your homework. Read: FreePN: Free, open-source, distributed VPN.
Lastly, i recommend reading the following articles by Sven Taylor of Restore Privacy:
Regarding the article, Why Does Anyone Still Trust Tor?, it is my non-professional opinion that Sven goes a little overboard in attacking Tor. I think that you could swap out the word Tor with any VPN service or web browser or operating system and make several of the same arguments. There have been many bugs and vulnerabilities discovered in Tor that were patched and very likely many more that have yet to be discovered, or have been discovered but not disclosed, and the same is true for software in general. In the end, privacy on the internet can ever be guaranteed.
- About to use Tor. Any security tips? - Matt Traudt
- Exploit vendor drops Tor Browser zero-day on Twitter | ZDNet
- FreePN: Free, open-source, distributed VPN – 12Bytes.org
- How Can You Trust a Virtual Private Network to Protect Your Privacy? | Stay Safe Online
- "No Logs" IPVanish Embroiled in Logging Scandal | Restore Privacy
- Tor (anonymity network) | Wikipedia
- Torproject TOR : List of security vulnerabilities
- Tor Browser news: Three vulnerabilities allow spies to detect Tor browsers | Cloud Pro
- Tor Browser Has a Flaw That Governments May Have Exploited | PCMag.com
- Tor Network Compromised by Single Hacker Stealing Users' Bitcoin: Report | Yahoo Finance
- UNITED STATES DISTRICT COURT for the District of Massachusetts United States of America V. Ryan S. Lin | U.S. DOJ (PureVPN found to be keeping logs)
- Virtual private network | Wikipedia
- VPN + Tor: Not Necessarily a Net Gain - Matt Traudt
- VPN Comparison by That One Privacy Guy
- VPN vs Tor: In-Depth Comparison | Restore Privacy
- VPN Services | PrivacyTools
- VPNs are Lying About Logs | Restore Privacy
- Well, I read up on Tor… | MobilityDigest
- Which VPN Services Keep You Anonymous in 2018? - TorrentFreak
- Why Does Anyone Still Trust Tor? | Restore Privacy
- 'You Are Not Anonymous on Tor' - Study Shows Privacy Network Offers Superficial Anonymity | Privacy Bitcoin News
- 3 Years Later, the Snowden Leaks Have Changed How the World Sees NSA Surveillance | Electronic Frontier Foundation
- arkenfox/user.js: An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting | GitHub
- In Depth Review: New NSA Documents Expose How Americans Can Be Spied on Without A Warrant | Electronic Frontier Foundation
- Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora | PRISM Break
- Privacy International
- Tech | 12Bytes.org (this website)
- The second operating system hiding in every mobile phone | OSnews