Author Topic: Privacy (collected references) (Read 29776 times)

IainB · « **on:** June 28, 2018, 01:02 AM »

Original post:	2018-06-28
Last updated:	2018-11-16

Privacy - especially in the "Internet Age" - is something that has the potential sometimes (often?) to be overlooked/ignored or abused:

Sometimes the personal privacy of oneself may be overlooked/ignored by individuals who might not realise the relevance/importance of their own right to personal privacy - or that of members of society in general - people who probably might care a lot more if they were more aware (less ignorant) of some of the potential and wider ramifications/implications of privacy issues.
Sometimes the personal privacy of others may be overlooked/ignored or abused by people, government functions and corporations who are focused on, or being driven by objectives which may be incompatible with the rights to personal privacy of others.

So I thought it might be useful to create a "Privacy thread" to collect/collate some salient privacy-related points that we come across and provide some kind of index to same.

About Privacy:

This discussion thread.
The NEED for privacy:
- Three Reasons Why the "Nothing to Hide" Argument is Flawed.
- I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy.

____________________________________________

DNS-related:

CloudFlare launches privacy oriented DNS servers
DNSCrypt (to be added).

DonationCoder forum (DCF) and user privacy:

DCF Privacy Policy (FAQ) - comprehensive summary and detail.
GDPR (EU General Data Protection Regulation, 2018) implemented for DC forum (announced 2018-05-24).
Search DCF Site: for "privacy" - https://duckduckgo.com/site:donationcoder.com/forum/_privacy

GDPR (EU General Data Protection Regulation, 2018):

Government-authorised privacy breaches:

US NSA (National Security Agency) + "Five Eyes" nations (SnowdenGate) - Knight to queen's bishop 3 - Snowden charged with espionage.

Search engines and websites that are apparently committed to preserving the user's full right to privacy:

Search engines and websites that apparently rely on tracking/utilising the user's personal data/metadata to maintain their marketing and/or revenue streams:

Facebook.com - and most other "social networking" sites and their assets.
Google.com - including Google search engine and most of its other assets - i.e., "free" and paid services.
Google enforces its ownership of user data.
Microsoft.com

- including Bing search engine and most of its other assets - i.e., "free" and paid services like LinkedIn.com.

Just about any website that insists that you "Subscribe" by providing your ID.

Software:

Abine.com - apps and browser extensions - Passwords, Payments, & Privacy.
Windows 10 Privacy Concerns.

Tips & Tricks:

Vested interests antithetical with Privacy regulation:

See corporate interests referred to here - California passes its own GDPR (2018-06-29)
Re: Privacy: IT companies intend to profit from your loss of privacy?
- includes: Twitter, Facebook, and Google are Fighting Internet Privacy Laws

IainB · « **Reply #1 on:** June 28, 2018, 01:02 AM »

This was the post I read today (2018-06-28) on the DuckDuckGo blog that caused me to start this thread. The whole ethos of DuckDuckGo is based on privacy, so it does not have an axe to grind, but it does differentiate its services because of that. I thought the post raised some valid, cogent and thought-provoking points. I've copied the post below in its entirety, together with embedded hyperlinks, rather than just provided the link, because it would seem worthy of discussion in and of itself.
(Copied below sans embedded images.)

Three Reasons Why the "Nothing to Hide" Argument is Flawed
27 JUNE 2018/PRIVACY

Over the years, we at DuckDuckGo have often heard a flawed counter-argument to online privacy: “Why should I care? I have nothing to hide.”

As Internet privacy has become more mainstream, this argument is rightfully fading away. However, it’s still floating around and so we wanted to take a moment to explain three key reasons why it's flawed.

1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.
Do you close the door when you go to the bathroom? Would you give your bank account information to anyone? Do you want all your search and browsing history made public? Of course not.

Simply put, everyone wants to keep certain things private and you can easily illustrate that by asking people to let you make all their emails, texts, searches, financial information, medical information, etc. public. Very few people will say yes.

2) Privacy is a fundamental right and you don't need to prove the necessity of fundamental rights to anyone.
You should have the right to free speech even if you feel you have nothing important to say right now. You should have the right to assemble even if you feel you have nothing to protest right now. These should be fundamental rights just like the right to privacy.

And for good reason. Think of commonplace scenarios in which privacy is crucial and desirable like intimate conversations, medical procedures, and voting. We change our behavior when we're being watched, which is made obvious when voting; hence, an argument can be made that privacy in voting underpins democracy.

3) Lack of privacy creates significant harms that everyone wants to avoid.
You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the filter bubble, and many other real harms that arise from invasions of privacy.

In addition, what many people don’t realize is that several small pieces of your personal data can be put together to reveal much more about you than you would think is possible. For example, an analysis conducted by MIT researchers found that “just four fairly vague pieces of information — the dates and locations of four purchases — are enough to identify 90 percent of the people in a data set recording three months of credit-card transactions by 1.1 million users.”

It’s critical to remember that privacy isn't just about protecting a single and seemingly insignificant piece of personal data, which is often what people think about when they say, “I have nothing to hide.” For example, some may say they don't mind if a company knows their email address while others might say they don't care if a company knows where they shop online.

However, these small pieces of personal data are increasingly aggregated by advertising platforms like Google and Facebook to form a more complete picture of who you are, what you do, where you go, and with whom you spend time. And those large data profiles can then lead much more easily to significant privacy harms. If that feels creepy, it’s because it is.

We can't stress enough that your privacy shouldn’t be taken for granted. The ‘I have nothing to hide’ response does just that, implying that government and corporate surveillance should be acceptable as the default.

Privacy should be the default. We are setting a new standard of trust online and believe getting the privacy you want online should be as easy as closing the blinds.

For more privacy advice, follow us on Twitter & get our privacy crash course.

Dax the duck
We are the Internet privacy company that lets you take control of your information, without any tradeoffs. Welcome to the Duck Side!
(Read more.)

Deozaan · « **Reply #2 on:** June 28, 2018, 03:38 AM »

Three Reasons Why the "Nothing to Hide" Argument is Flawed
-IainB (June 28, 2018, 01:02 AM)

Here's a more in depth paper on the subject:

"I've Got Nothing to Hide" and Other Misunderstandings of Privacy by Daniel J. Solove

Disclaimer: I haven't taken the time to read it yet, so I can't speak to its contents.

anandcoral · « **Reply #3 on:** June 28, 2018, 07:51 AM »

Long time ago, I upgraded to Win10 and it insist on online login and updating my os at it own whims. I started using Android mobile is always connected to my email to big brother and it knows what I type in keyboard. My laptop is ever connected to internet and many programs just update and throw ads and make merry to themselves.

Now I do not have much energy or time to even think of privacy. Obviously I do keep watch behind my back when I am doing online bank transaction.

Regards,

Anand

IainB · « **Reply #4 on:** June 29, 2018, 05:08 PM »

This post at TheRegister signals extremely good news for the privacy of the general public user of the Internet. The post is also rather enlightening: (my emphasis)
(Copied below sans embedded hyperlinks/images.)

Google weeps as its home state of California passes its own GDPR
The right to view and delete personal info is here – and you'll be amazed to hear why the law passed so fast
By Kieren McCarthy in San Francisco 29 Jun 2018 at 20:0213 Reg comments

Uh oh, someone just got some bad news
California has become the first state in the US to pass a data privacy law – with governor Jerry Brown signing the California Consumer Privacy Act of 2018 into law on Thursday.

The legislation will give new rights to the state's 40 million inhabitants, including the ability to view the data that companies hold on them and, critically, request that it be deleted and not sold to third parties. It's not too far off Europe's GDPR.

Any company that holds data on more than 50,000 people is subject to the law, and each violation carries a hefty $7,500 fine. Needless to say, the corporations that make a big chunk of their profits from selling their users' information are not overly excited about the new law.

"We think there's a set of ramifications that's really difficult to understand," said a Google spokesperson, adding: "User privacy needs to be thoughtfully balanced against legitimate business needs."

Likewise tech industry association the Internet Association complainedthat "policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create."

So far no word from Facebook, which put 1.5 billion users on a boat to California back in April in order to avoid Europe's similar data privacy regulations.

Don't worry if you are surprised by the sudden news that California, the home of Silicon Valley, has passed a new information privacy law – because everyone else is too. And this being the US political system there is, of course, an entirely depressing reason for that.

Another part of the statement by the Internet Association put some light on the issue: "Data regulation policy is complex and impacts every sector of the economy, including the internet industry," it argues. "That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. The circumstances of this bill are specific to California."

I see...
So this bill was rushed through?

Yes, it was. And what's more it was signed in law on Thursday by Governor Brown just hours after it was passed, unanimously, by both houses in Sacramento. What led lawmakers to push through privacy legislation at almost unheard-of speed? A ballot measure.

That’s right, since early 2016, a number of dedicated individuals with the funds and legislative know-how to make data privacy a reality worked together on a ballot initiative in order to give Californians the opportunity to give themselves their own privacy rights after every other effort in Sacramento and Washington DC has been shot down by the extremely well-funded lobbyists of Big Tech and Big Cable.

Hand locking door
GDPR forgive us, it's been one month since you were enforced…
READ MORE
Real estate developer Alastair Mactaggart put about $2m of his own money into the initiative following a chance conversation with a Google engineer in his home town of Oakland in which the engineer told him: "If people just understood how much we knew about them, they’d be really worried."

Mactaggart then spoke with a fellow dad at his kid's school, a finance guy called Rick Arney who had previously worked in the California State Senate, about it. And Arney walked him through California's unusual ballot measure system where anyone in the state can put forward an initiative and if it gets sufficient support will be put on the ballot paper at the next election.

If a ballot initiative gets enough votes, it becomes law. There have been some good and some bad outcomes from this exercise in direct democracy over the years but given the fact that both Mactaggart and Arney felt that there was no way a data privacy law would make its way through the corridors of power in Sacramento in the normal way, given the enormous influence of Silicon Valley, they decided a ballot measure was the way to go.

Beware the policy wonk
One other individual is worth mentioning: Mary Stone Ross was a former CIA employee and had been legal counsel for the House of Representatives Intelligence Committee and she also lives in Oakland. Mactaggart persuaded her to join the team to craft the actual policy and make sure it could make it through the system.

Together the three of them then spend the next year talking to relevant people, from lawyers to tech experts to academics to ordinary citizens to arrive at their overall approach and draft the initiative.

And it is at that point that, to be put in bluntly, the shit hit the fan. Because the truth is that consumers – and especially Californians who tend to be more tech-savvy than the rest of the country given the concentration of tech companies in the state – understand the issues around data privacy rules and they want more rights over it.

With the initiative well structured and the policy process run professionally, the ballot measure gained the required number of supporters to get it on the ballot. And thanks to the focus groups and polls the group carried out, they were confident that come November it would pass and data privacy become law through direct democracy.

At which point, it is fair to say, Big Internet freaked out and made lots of visits to lawmakers in Sacramento who also freaked out.

The following months have seen a scurry of activity but if you want to know why the bill became law in almost record time and was signed by Governor Brown on Thursday all you need to know is this single fact: the deadline for pulling the initiative from November's ballot as last night – Thursday evening – and Mactaggart said publicly that if the bill was signed, he would do exactly that and pull his ballot measure.

Privy see
You may be wondering why Sacramento was able to get it through unanimously without dozens of Google and Facebook-funded lawmakers continually derailing the effort, especially since it was still a ballot measure. After all, the tech giants could have spent millions campaigning against the measure in a bid to make sure people didn’t vote for it.

And the truth is that they had already lined up millions of dollars to do exactly that. Except they were going to lose because, thanks to massively increased public awareness of data privacy given the recent Facebook Russian election fake news scandal and the European GDPR legislation, it was going to be very hard to push back against the issue. And it has been structured extremely well – it was, frankly, good law.

There is another critical component: laws passed through the ballot initiative are much, much harder for lawmakers to change, especially if they are well structured.

So suddenly Big Tech and Sacramento were faced with a choice: pass data privacy legislation at record speed and persuade Mactaggart to pull his ballot initiative with the chance to change it later through normal legislative procedures; or play politics as usual and be faced with the same law but one that would be much harder to change in future.

And, of course, they went with the law. And Mactaggart, to his eternal credit, agreed to pull his ballot measure in order to allow the "normal" legislative approach to achieve the same goal.

And so the California Consumer Privacy Act of 2018 is now law and today is the first day that most Californians will have heard of it. Sausage making at its finest.

Of course, Google, Facebook et al are going to spend the next decade doing everything they can trying to unravel it. And as we saw just last week, lawmakers are only too willing to do the bidding of large corporate donors. But it is much harder to put a genie back in the bottle than it is to stop it getting out. ®

Copied from: Google weeps as its home state of California passes its own GDPR • The Register - <https://www.theregister.co.uk/2018/06/29/california_data_privacy_law/>

IainB · « **Reply #5 on:** June 29, 2018, 06:38 PM »

@Deozaan: Where you write:

...Here's a more in depth paper on the subject:
"I've Got Nothing to Hide" and Other Misunderstandings of Privacy by Daniel J. Solove
Disclaimer: I haven't taken the time to read it yet, so I can't speak to its contents.
-Deozaan (June 28, 2018, 03:38 AM)

- thankyou!

The post you link to is:

This is a tangentially related bit of irony:
I went to download a paper on privacy called "I've Got Nothing to Hide" and Other Misunderstandings of Privacy by Daniel J. Solove, but since the website detected that I was using an anonymous proxy, they tried to get me to register for an account so they could track me, and made me complete the reCAPTCHA three times when I insisted on clicking the (almost hidden) link to continue downloading anonymously.
-Deozaan (June 18, 2018, 07:18 PM)

I downloaded the paper (.PDF file) via the link you gave to ssrn.com. It seems to be a very informative paper by Daniel J Solove:

* © Daniel J. Solove 2007. Associate Professor, George Washington University
Law School; J.D., Yale Law School. Thanks to Chris Hoofnagle, Adam Moore, and Michael
Sullivan for helpful comments, and to my research assistant Sheerin Shahinpoor. I
develop some of the ideas in this essay in significantly more depth in my forthcoming
book, Understanding Privacy, to be published by Harvard University Press in May 2008.

(From the footnote to the cover page of: “I’ve Got Nothing to Hide” and Other
Misunderstandings of Privacy.

Note: The .PDF file is attached to this post, for convenience, as per link below. It can also easily be viewed/downloaded direct from ssrn.com - here.

IainB · « **Reply #6 on:** June 29, 2018, 08:29 PM »

Again from TheRegister, this time some possibly privacy-related news:
UK.gov is not being advised by Google. Repeat. It is not being advised by Google

DeepMind's 'Demis Hassabis is an individual' – Ministry of Fun
By Andrew Orlowski 29 Jun 2018 at 09:5517 Reg comments
demis hassabis
DeepMind co-founder Demis Hassabis (Pic: Debby Wong / Shutterstock.com)
Google is not advising the British government on AI, the Ministry of Fun assured this week, following the appointment of Google's Demis Hassabis as an advisor on AI.

The US ad, search and cloud biz acquired Hassabis' company DeepMind four years ago and he has since been a Google employee. In the wordsof The Guardian, Hassabis is "leading Google's project to build software more powerful than the human brain".

Earlier this week, the Department for Digital, Culture, Media and Sport – aka the Ministry of Fun – announced the creation of a new "AI Council" and appointed Hassabis as its advisor. The department seemed pleased with landing such a trophy, explaining that Hassabis "will provide expert industry guidance to help the country build the skills and capability it needs to capitalise on the huge social and economic potential of AI – a key part of the Government's modern Industrial Strategy."

But just because a Google employee is giving the government advice, that doesn't necessarily mean a Google employee is giving the government advice. You would be quite wrong to think that.
(Read the rest at the link.)

Copied from: UK.gov is not being advised by Google. Repeat. It is not being advised by Google • The Register - <https://www.theregister.co.uk/2018/06/29/ministry_of_fun_is_not_being_advised_by_google/>

Similarly, we can presumably be assured that US government is not being advised/influenced by Google...

IainB · « **Reply #7 on:** July 01, 2018, 01:54 AM »

In 2008/9 I was contracted as a project manager to establish and commence a project that was going to transform the gathering of revenue/tax data by doing it online. This was for individuals and accounting agents of SMBs (Small to Medium-sized Businesses). It was to automate and dramatically improve the efficiency and speed of the processes involved, which, up until then, had been prone to massive manual processing holdups.

Fast forward 9 years. I was doing my personal online tax return the other day and was impressed with how easy it was,, as the Inland Revenue already knew an awful lot of the private details about my income. What potentially had been likely to take me hours by the old methods was now taking minutes. This was for my individual tax return. (I had read in the press that the SMB side of things was still having hiccups though.)

Then my train of thought reminded me of this silly humour post I made in 2014:

Scott Adams Blog: Message to My Government 03/06/2014
Mar 6, 2014

I never felt too violated by the news that my government can snoop on every digital communication and financial transaction I make. Maybe I should have been more bothered, but the snooping wasn't affecting my daily life, and it seemed like it might be useful for fighting terrorism, so I worried about other things instead.

This week, as I was pulling together all of my records to do taxes, I didn't get too upset that the process of taxpaying is unnecessarily frustrating and burdensome. As a citizen, I do what I need to do. I'm a team player.

I have also come to peace with the fact that my government now takes about half of my income. I figure most of it goes to good causes. I'm here to help.

I take pride in the fact that I don't let the little things get to me.

But the other day, as I was crawling my way through mountains of statements and receipts, trying to organize my records for my accountant, with several more days of this drudgery ahead, I had a disturbing thought. I must warn you in advance that this disturbing thought can only be expressed in all capital letters and it must include profanity. It goes like this.

Message to my government:

DO MY FUCKING TAXES FOR ME, YOU ASSHOLES!!! YOU ALREADY KNOW EVERY FUCKING THING I DID THIS YEAR!!!

Seriously.
-IainB (March 11, 2014, 05:57 AM)

tomos · « **Reply #8 on:** July 01, 2018, 11:11 AM »

You're on a roll Iain

California post especially interesting.
Will have to catch up with earlier posts.

YannickDa · « **Reply #9 on:** July 02, 2018, 04:14 AM »

That sounds great.
They've been caught with their hands in the honeypot,
"cambridge analytica", "facebook", "google"
(with some of their employees refusing to
work along with government's agencies), etc...
So, some laws were written and voted.
You can even access all that private data that was collected and click on a big "Erase" button.
This was just a little mistake.
But that won't happen again.
Everything is under control now.

Or perhaps they still have all this information.
Maybe the big "Erase" button didn't worked as expected.
IMHO, they will go on with their data gathering.
But they will take extra care as to not beeing caught again...

"Want To Freak Yourself Out?" Here Is All The Personal Data That Facebook/Google Collect

IainB · « **Reply #10 on:** July 02, 2018, 05:43 PM »

@YannickDa: Yes, I suspect you're probably pretty much spot-on in what you write above. It would seem prudent for any individual to regard all/any protestations by whomever that "Oh no! Don't worry! Your 'right to privacy' and the security and confidentiality of all your personal data is our primary objective!", as being likely to be just so much cynical hokum - especially if/when voiced by, for example (say):

(a) Representatives of government and government-affiliated organisations.
(b) Representatives of NGOs (Non-Governmental Organisations).
(c) Representatives of corporate organisations.
(d) IT startup founders/entrepreneurs.

(Have I missed any out?)

Some people (not me, you understand) might put it in the New Zealand vernacular thus: "They couldn't give a rat's #rse about your stinking rights to privacy.", but I couldn't possibly comment.

IainB · « **Reply #11 on:** July 02, 2018, 06:34 PM »

There's a very good summary post of the Facebook fiasco in the bleepingcomputer.com website, by Catalin Cimpanu:
(Copied below sans embedded images; my emphasis.)

Facebook Acknowledges It Shared User Data With 61 Companies
tags: Technology
Catalin Cimpanu - 2018-07-02

Image: Facebook app login

In a 747-page document provided to the US House of Representatives' Energy and Commerce Committee on Friday, Facebook admitted that it granted special access to users' data to 61 tech companies.

According to the document, these 61 companies received a "one-time" extension so they could update their apps in order to comply with a Terms of Service change the company applied in May 2015.

61 companies received API exemptions in 2015
The six-month extension was applied from May 2015, onward, when Facebook restricted its API so apps could not access too much data on its users, and especially the data of users' friends.

The API change came in a period when apps like the one developed by Cambridge Analytica were using the Facebook API to mass-harvest the data of Facebook users.

In May 2015, Facebook realized that apps were abusing this loophole in its permission system to trick one user into granting permission to the personal data of hundreds of his friends, and restricted the Facebook API to prevent indirect data harvesting.

But these 61 tech companies, because they ran popular apps, received an exemption to this API change, during which, theoretically, they could have abused the Facebook API to collect data on Facebook users and their friends. Data that could have been collected included name, gender, birthdate, location, photos, and page likes.

Facebook did not say if any of these companies abused this extension period to harvest data on users and their friends. The list of 61 companies who received an API extension includes:
Spoiler
1. ABCSocial, ABC Television Network
2. Actiance
3. Adium
4. Anschutz Entertainment Group
5. AOL
6. Arktan / Janrain
7. Audi
8. biNu
9. Cerulean Studios
10. Coffee Meets Bagel
11. DataSift
12. Dingtone
13. Double Down Interactive
14. Endomondo
15. Flowics, Zauber Labs
16. Garena
17. Global Relay Communications
18. Hearsay Systems
19. Hinge
20. HiQ International AB
21. Hootsuite
22. Krush Technologies
23. LiveFyre / Adobe Systems
24. Mail.ru
25. MiggoChat
26. Monterosa Productions Limited
27. never.no AS
28. NIKE
29. Nimbuzz
30. NISSAN MOTOR CO / Airbiquity Inc.
31. Oracle
32. Panasonic
33. Playtika
34. Postano, TigerLogic Corporation
35. Raidcall
36. RealNetworks, Inc.
37. RegED / Stoneriver RegED
38. Reliance/Saavn
39. Rovi
40. Salesforce/Radian6
41. SeaChange International
42. Serotek Corp.
43. Shape Services
44. Smarsh
45. Snap
46. Social SafeGuard
47. Socialeyes LLC
48. SocialNewsdesk
49. Socialware / Proofpoint
50. SoundayMusic
51. Spotify
52. Spredfast
53. Sprinklr / Sprinklr Japan
54. Storyful Limited / News Corp
55. Tagboard
56. Telescope
57. Tradable Bits, TradableBits Media Inc.
58. UPS
59. Vidpresso
60. Vizrt Group AS
61. Wayin

Of the list above, Serotek received an eight-month extension.

Facebook points the finger at five other companies
Facebook also said it identified five other companies that tested beta versions of their apps that had the "theoretical" capability of harvesting a users' friends data. The list includes.
1. Activision / Bizarre Creations
2. Fun2Shoot
3. Golden Union Co.
4. IQ Zone / PicDial
5. PeekSocial

"We are not aware that any of this handful of companies used this access, and we have now revoked any technical capability they may have had to access any friends' data", Facebook said.

Facebook slowly closing all loopholes
In addition, Facebook also announced it was discontinuing 38 partnerships with companies that it authorized to build versions of Facebook or Facebook features for custom devices and products, and which may have also gained extensive access to user data.

Last week, a security researcher discovered another quiz app, similar to the one developed by Cambridge Analytica, which also gained access and later exposed the details of over 120 million Facebook users.

The app was named Nametests.com, associated with the eponymous website. Current evidence doesn't suggest the data collected by this second quiz app might have been used for political ads and influence campaigns such as the one collected by Cambridge Analytica.
_________________
CATALIN CIMPANU
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at [email protected]. For other contact methods, please visit Catalin's author page.

Copied from: Facebook Acknowledges It Shared User Data With 61 Companies - <https://www.bleepingcomputer.com/news/technology/facebook-acknowledges-it-shared-user-data-with-61-companies/>

IainB · « **Reply #12 on:** July 08, 2018, 02:02 AM »

The AddictiveTips website is usually worth keeping an eye on because they often have some very useful tips in all sorts of categories of interest. One of these categories is Privacy+VPNs (Virtual Private Network providers), which they frequently plug - probably because they get a financial benefit, such as, (say) advertising revenue, or commission on sales, or something. However, where they do talk about VPN services, AddictiveTips usually seem to be pretty thorough and relatively objective.

A recent example is the post: Best VPNs for GDPR: Unblock Online Services in Europe, which covers various useful points, some of which I summarise below and with my own comments/perspective added (but please do read the whole thing at the link):

Purpose of the GDPR law: Intended to protect the privacy rights of internet users within the EU, but because so many internet companies have an international footprint, most have chosen to update their privacy policies for all users. worldwide (i.e., including non-Europeans).
Why GDPR was important: This legislation was a major step forward in cementing into law the rights to privacy of internet users - e.g., recent scandals such as the misuse of Facebook data by Cambridge Analytica for commercial/political ends highlighted the need to maintain the personal rights to one's digital privacy. Users can now take better control of "their" data which is logged/held by Internet-based "social networking service", Google, Yahoo!, and various other organisations relying on revenue derived from collecting/amassing their user data via distributed online services, or other reasons.
What a VPN can do for digital privacy: One of the best tools that users can deploy to improve their privacy online is arguably by using a VPN. The post provides a good overview of what a VPN is, its potential benefits and how it could be used in conjunction with the GDPR legislation to protect your privacy. There are recommendations for the "best" VPNs for GDPR.
EDIT 2018-07-09:
NB: TRUST is a key issue here. There is a caveat that many organisations in the business of providing $PAID-for VPN services seem to tend to conceal - not all the VPN providers are actually operating a trustworthy service, from the user's perspective, such that your logged VPN activity data could be made available to government or other authorities, through legal or other compulsion (even corruption/informal agreement).
Government privacy breaches and propaganda: Various national governments sometimes commit some of the worst abuses of Internet freedoms, passing laws that authorise "legal" breaching of user privacy and enforce censorship (blocking) and permitting only politically what is deemed as being acceptable propaganda or "news" consumption. Internet users in the EU and beyond have experienced website blocks. This typically happens when the EU or another government decides to prevent or limit access to certain websites, usually "for consumer protection reasons". For example, not only to protect consumers from being defrauded or to inhibit the purchase of dangerous products online, but also to punish access to or block access to sites for "copyright infringement", or that encourage "incorrect thinking/information", or have "inappropriate content", or speech that is not permitted, or otherwise generally politically controversial/"unacceptable" content.
Regulation without oversight: EU legislation about website blocking conceals the reality that that sites can already be (and are) blocked with no oversight, which rings alarm bells for anyone who values internet freedoms. In the recent past, for example, the Spanish government has used such blocking methods to prevent people from accessing websites discussing issues around the Catalan independence movement.
Government-sanctioned blocking: If a government decides to block a website/page, then all of the ISPs within that entire nation's telecomms infrastructure are obliged to implement the block and prevent their customers from accessing that site. Thus, when a user types in the URL of a blocked site, the request is sent from the user's device to their ISP where - if that URL is on a blocked list - then the ISP redirects the user to a blocked notice or simply denies the connection, and this action is logged against the user ID/IP address. The user is not anonymous, and all their internet traffic can be (and is) read and logged by the ISP.
Purpose of a VPN: A VPN can enable the user to bypass (work around) blocks and government censorship by connecting usually anonymously to a server elsewhere in the "free" world. For example, if you are in the EU and the website that you want to access is blocked, then you can connect to a VPN server in (say) Japan, or the US, or Canada. All of your data will have been encrypted and passed through your local ISP (i.e., your ISP can’t see the URL or other request data that you’re accessing and so won't know to block your connection). It is then routed via that VPN server, allowing the user to browse the internet as if their ISP was physically in the country where the VPN server is located – in this case, Japan, or the US, or Canada – and so the EU user is able to use a VPN access sites that have been blocked by the EU.

wraith808 · « **Reply #13 on:** July 08, 2018, 09:32 AM »

What a VPN can do for digital privacy: One of the best tools that users can deploy to improve their privacy online is arguably by using a VPN. The post provides a good overview of what a VPN is, its benefits and how it can be used in conjunction with the GDPR legislation to protect your privacy. There are recommendations for the "best" VPNs for GDPR.

-IainB (July 08, 2018, 02:02 AM)

Always remember, a VPN is only as good as your VPN provider. If they roll over and play dead, or are a "false flag" provider, you might as well not be using VPN at all.

Deozaan · « **Reply #14 on:** July 08, 2018, 05:46 PM »

I'm surprised they didn't mention ProtonVPN.

4wd · « **Reply #15 on:** July 08, 2018, 10:25 PM »

I'm surprised they didn't mention ProtonVPN.
-Deozaan (July 08, 2018, 05:46 PM)

Regarding their comment in Features:

In addition to strong technical security, ProtonVPN also benefits from strong legal protection. Because we are based in Switzerland, ProtonVPN is protected by some of the world's strongest privacy laws and remains outside of US and EU jurisdiction. This means that unlike VPN providers based in a fourteen eyes country, we cannot be coerced into spying on our users.

A possible view from the other side of the coin: It doesn’t matter how many eyes you have

If you believe Wikipedia^w:

Further intelligence sharing collaborations
As spelled out by Privacy International, there are a number of issue-specific intelligence agreements that include some or all the above nations and numerous others, such as:
An area specific sharing amongst the 41 nations that formed the allied coalition in Afghanistan;
A shared effort of the Five Eyes nations in "focused cooperation" on computer network exploitation with Austria, Belgium, Czech Republic, Denmark, Germany, Greece, Hungary, Iceland, Italy, Japan, Luxembourg, the Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland and Turkey;
Club of Berne^w: 17 members including primarily European States; the US is not a member;
The Counterterrorist Group: a wider membership than the 17 European States that make up the Club of Berne^w, and includes the US;
NATO Special Committee: made up of the heads of the security services of NATO's 28 member countries;

If they want you bad enough I doubt whether a VPN provider anywhere is going to stop them.

IainB · « **Reply #16 on:** July 09, 2018, 12:55 AM »

Sorry, I hadn't been intending to suggest that this thread topic could usefully provide coincidentally relevant:
(a) details of/for a fully comprehensive coverage of VPNs (though directions to same could be useful), or
(b)comprehensive reviews of VPN Pros/Cons or "Which are the best/most trustworthy/etc. VPNs, and why?" (though directions to same could be useful).

Methinks those would probably be pretty extensive subject/topic areas or discussion threads in their own right!

What could perhaps be more useful/relevant for inclusion in this thread are (and please say if you have other suggestions) our experiences/knowledge of those DNS/VPN methods/tools that meet the criteria of (say) being variously able to meet three criteria (and please suggest any other important criteria that I may have missed):

Effective: e.g., most likely to be certainly able to meet the requirements for the necessary improvement in a personal user's internet privacy/security;
Available and non-proprietary: e.g., in the public domain;
$FREE: (or low cost) to use.

There are four such tools that immediately come to mind (and I feel sure there could be more listed or pointed to by other DCF members):

DNSCrypt: e.g., Simple DNSCrypt <https://www.simplednscrypt.org/>
Spoiler
Notes as at: 2018-07-09
Simple DNSCrypt
Simple DNSCrypt is a simple management tool to configure dnscrypt-proxy on windows based systems.

Status
New version based on dnscrypt-proxy 2.0.15

Getting Started
Prerequisites
At least one system with Windows 7 SP1 and the installation of. NET Framework 4.6.1 is currently required.
You also will need: Microsoft Visual C++ Redistributable for Visual Studio 2017 x64 or x86

Installing
To install Simple DNSCrypt use the latest (stable) MSI packages: x86 or x64.
(NB: I could not get the X64 version to work properly, but the X86 version seems to work just fine.)
SoftEther VPNClient (VPNGate): <http://www.softether-download.com/en.aspx?product=softether>
Spoiler
Notes as at: 2018-07-09
SoftEther VPN Client (Ver 4.27, Build 9668, beta)
softether-vpnclient-v4.27-9668-beta-2018.05.29-windows-x86_x64-intel.exe (42.96 MB)
Release Date: 2018-05-29 <Latest Build>
What's new (ChangeLog)
Languages: English, Japanese, Simplified Chinese
OS: Windows, CPU: Intel (x86 and x64)
(Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2 / Server 2016)
Freegate: <http://dit-inc.us/freegate.html>
Spoiler
Notes as at: 2018-07-09
Freegate is an anti-censorship software for secure and fast Internet access. It was developed and maintained by Dynamic Internet Technology Inc. (DIT), a pioneer in censorship-circumvention operation.
* users access web sites overseas as fast as their local ones;
* requires no installation or change in system setting;
* a single executable file on a Windows platform.

Freegate works by tapping into an anti-censorship backbone, DynaWeb, DIT's P2P-like proxy network system.

Freegate's anti-censorship capability is further enhanced by a new, unique encryption and compression algorithm in the versions of 6.33 and above.
Tor: <https://www.torproject.org/>
Spoiler
Notes as at: 2018-07-09
What is Tor?
Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Why Anonymity Matters
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

Though I have reviewed DNSCrypt and SoftEther VPNClient elsewhere on the DC Forum, my knowledge/understanding of the area of Privacy and alternative Privacy/Security tools (e.g., Tor) is necessarily limited to my personal experience and exposure to use of such tools. In regards to this discussion thread, I suspect that the collective experience of DCF members could comprise a "Brainstrust" which could contribute a great deal more than I might be able to on my own. Therefore any assistance in developing this thread could be most welcome.

IainB · « **Reply #17 on:** July 09, 2018, 01:27 AM »

For clarification, I have added this to the post I made above regarding the AddictiveTips article:

EDIT 2018-07-09:
NB: TRUST is a key issue here. There is a caveat that many organisations in the business of providing $PAID-for VPN services seem to tend to conceal - not all the VPN providers are actually operating a trustworthy service, from the user's perspective, such that your logged VPN activity data could be made available to government or other authorities, through legal or other compulsion (even corruption/informal agreement).

Also, please note that this is probably a True statement:

If they want you bad enough I doubt whether a VPN provider anywhere is going to stop them.
-4wd (July 08, 2018, 10:25 PM)

YannickDa · « **Reply #18 on:** July 12, 2018, 09:07 PM »

There's a solution implementing VPN, independant DNS, Proxy, WebMail, VoIP, Cloud and your own surveillance cams.

It's called "eniKma", it's french and seems to be very reliable.

Privacy (collected references)

Try Google Translate this page to learn more about it...

IainB · « **Reply #19 on:** July 23, 2018, 11:53 PM »

@YannickDa: I'm not absolutely sure, but it seems from the Enikma website and introductory video that the Enikma box is a proprietary "black box" (hardware) approach to the encryption of 2-way traffic between the User PC (Client) and the proprietary designated Enikma VPN DNS node, where the Enikma box provides a WiFi Access Point for devices in range of that Enikma box.

Thus the user's ISP is just acting as a passthrough node to the encrypted traffic, so there can be no "man-in-the-middle" attacks.
The communication path would seem to be:
Client<-->Enikma box<-->modem/router<-->ISP DNS<-->designated Enikma VPN DNS node

- and where the traffic between the two points Enikma box<-->designated Enikma VPN DNS node is encrypted.
This is actually quite simple, but seems to have been obfuscated in the website and details.

It would also seem to be a deliberate lock-in and rather kludgy/"overheady" alternative to the use of the public domain DNSCrypt software, which does the same thing (but more efficiently) except that:
(a) there is no obligation with DNSCrypt to have a given and/or proprietary VPN, because DNSCrypt is $FREE and works with any OpenDNS node, so the user is free to choose (not locked-in to) any VPN, and
(b) DNSCrypt encrypts traffic all the way from/to the Client (whereas Client Xmit/Receive is in clear with the Enikma box, potentially leaving some room for man-in-the-middle attacks).

If I have it correctly then, I am surprised that Enikma are apparently allowed under local consumer protection laws to get away with such misleading/obfuscated and lock-in practices, and the fact that they are misleading would be no accident - which would seem to be unethical - so I personally wouldn't touch them with a bargepole.
...Never trust it when they use smoke and mirrors.

IainB · « **Reply #20 on:** July 24, 2018, 12:27 AM »

Extracted notes from the Telegram FAQ:
(Copied from: Telegram F.A.Q. - <https://telegram.org/faq#q-how-are-you-going-to-make-money-out-of-this>)

Q: What are your thoughts on internet privacy?
Big internet companies like Facebook or Google have effectively hijacked the privacy discourse in the recent years. Their marketers managed to convince the public that the most important things about privacy are superficial tools that allow hiding your public posts or your profile pictures from the people around you. Adding these superficial tools enables companies to calm down the public and change nothing in how they are turning over private data to marketers and other third parties.

At Telegram we think that the two most important components of Internet privacy should be instead:

Protecting your private conversations from snooping third parties, such as officials, employers, etc.
Protecting your personal data from third parties, such as marketers, advertisers, etc.
This is what everybody should care about, and these are some of our top priorities. Telegram's aim is to create a truly free messenger, without the usual caveats. This means that instead of diverting public attention with low-impact settings, we can afford to focus on the real privacy issues that exist in the modern world.

Q: What about GDPR?
New regulations regarding data privacy called the General Data Protection Regulation (GDPR) came into force in Europe on May 25, 2018. Since taking back our right to privacy was the reason we made Telegram, there wasn‘t much we had to change. We don’t use your data for ad targeting, we don’t sell it to others, and we’re not part of any mafia family “family of companies.”

Telegram only keeps the information it needs to function as a feature-rich cloud service — for example, your cloud chats so that you can access them from any devices without using third-party backups, or your contacts so that you can rely on your existing social graph when messaging people on Telegram.

We're still working with our lawyers on an update to the Telegram Privacy Policy that will lay this out in even more detail (don‘t expect any dramatic changes there though). We’ll notify you when it's ready.

For now, please feel free to use our new @GDPRbot to:
Request a copy of all your data that Telegram stores.
Contact Telegram's Data Protection Officer.
Android users got a GDPR update with version 4.8.9 which allows more control over synced contacts and adds other privacy settings. On June, 1, Apple approved Telegram v.4.8.2 for iOS with these features.

Q: There's illegal content on Telegram. How do I take it down?
All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them. ...

Q: A bot or channel is infringing on my copyright. What do I do?
All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them. ...

f0dder · « **Reply #21 on:** July 24, 2018, 11:04 AM »

Please don't think a VPN is going to give you any form of privacy.

A VPN lets you access a remote network securely across an insecure line - this is the only thing it's guaranteed to do. It's the only thing you should be using it for. Stop spreading the damn misconception that it's useful for privacy.

If you want to watch Netflix content from a different region, fine, VPN will let you do that, but morally you might was as well then be torrenting the content.

If you're doing something shady and want to hide your tracks, a VPN is not what you want. Not even one of the paid ones. Not even one of the "WE DON'T LOG ANYTHING AND WE VALUE YOUR PRIVACY". Stop it. There's a few threat models where a VPN can be a viable solution, but for those you should be running it yourself on a cloud instance somewhere. If you don't know how to do that, or think it's too much bother, you shouldn't be doing something shady in the first place - or you're not doing something that warrants that use of VPN, and should just not be doing it.

And stay entirely away from the ones that don't require payment, the market is shady as fuck and they've been doing all sorts of nasty stuff.

Deozaan · « **Reply #22 on:** July 24, 2018, 02:10 PM »

Please don't think a VPN is going to give you any form of privacy.

A VPN lets you access a remote network securely across an insecure line - this is the only thing it's guaranteed to do. It's the only thing you should be using it for. Stop spreading the damn misconception that it's useful for privacy.
-f0dder (July 24, 2018, 11:04 AM)

Doesn't it help prevent tracking? Or has that become so invasive these days that it doesn't matter what your IP is, they can still identify you by some unique ID in your browser or OS or something?

f0dder · « **Reply #23 on:** July 24, 2018, 04:45 PM »

Doesn't it help prevent tracking?
-Deozaan (July 24, 2018, 02:10 PM)

Not really, no. You have to consider that most people aren't on static global IPs, but will either have dynamic IPs, or even (a very large number) be behind cgnat. The tracking folks obviously want to be able to uniquely identify you even in spite of that, and across devices as well.

Trying to use VPN against that is absolutely useless.

You can avoid some of it if you use a combination of uMatrix (in whitelisting mode), conservative use of noscript, a decent adblocker like uBlock Origin, adding in HTTP Referer header control and Firefox Multi-Account Containers. But it's still not a 100% guarantee and it's a fair amount of work getting some sites to work the first time you visit them.

IainB · « **Reply #24 on:** July 29, 2018, 08:14 PM »

Looks like the Ugandan government could be in the vanguard when it comes to, uh, privacy...
...Uganda orders ISPs to block Ugandans from accessing Pornographic Websites Nice one!