this post was submitted on 19 Jun 2026
38 points (100.0% liked)

Privacy

10069 readers
234 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago
MODERATORS
iopq@lemmy.world
38
How will a VPN aid in privacy? What will a VPN not do for privacy? (lemmy.dbzer0.com)
submitted 4 days ago by west2seven@lemmy.dbzer0.com to c/privacy@lemmy.world
27 comments fedilink hide all child comments
 

As the title says. Im trying to migrate towards privacy based choices all around. A VPN has been tough, I cant access some websites and i dont think i could convince my wife to adopt using it. I still use it anyway.

top 27 comments
sorted by: hot top controversial new old
[–] AmbitiousProcess@piefed.social 13 points 3 days ago (2 children)

A VPN will protect you from your ISP, your router, or any public network you connect to knowing which specific domains you go to. (HTTPS protects the rest, so without a VPN they might be able to see you visit socialmedia.com but not socialmedia.com/thisspecificperson/thisspecificpost, and with a VPN, all of your traffic would just look like your computer > VPN company)

A VPN won't protect you from the places you visit online fingerprinting you with anything other than your IP address. If a site can see your screen size, installed extensions and fonts, what graphics capabilities your computer has, the username of your account, your typing style, browser version and type, etc, it's not gonna be hard to figure out that you're the same person whether or not your VPN is on.

Use a VPN if you don't trust your current network, or your internet service provider to not log what domains you go to. (or to circumvent region-blocked content by connecting to a server in that region) Don't use a VPN if that doesn't matter to you. Everything else about your privacy will likely remain identical otherwise.

[–] voxel@feddit.org 3 points 3 days ago (1 children)

Best comment so far.

[–] minorkeys@sh.itjust.works 2 points 3 days ago (1 children)

Is there anything that blocks all that other stuff, too?

[–] AmbitiousProcess@piefed.social 4 points 2 days ago* (last edited 2 days ago) (1 children)

There's no way to "block" it, as it's components that are inherent to how the web works. If you have a screen, it has a size, and if you go to a website, it can tell what size it is, for example. However, you can obfuscate or normalize some things.

Your best bet would be using something like the Tor browser (or Mullvad browser if you also use Mullvad VPN and don't want to deal with all the baggage the Tor network has), since it can limit your screen size so EVERYONE using the Tor browser has the exact same size "screen" to any website you visit, thus eliminating that as a data point, and all the Tor browsers are also running the same browser engine, going through the same overall network, etc:

https://support.torproject.org/tor-browser/features/fingerprinting-protections/

But at the end of the day, there's no way to reliably block all of it. The internet just relies on a lot of different things, and even a couple consistent data points can identify you. Hell, even using a VPN identifies you as "person using a VPN" vs just "person using the internet without a VPN", which is one more data point that could be correlated with the others.

[–] minorkeys@sh.itjust.works 2 points 2 days ago (2 children)

So we need a new internet then?

[–] mirshafie@europe.pub 4 points 2 days ago* (last edited 2 days ago)

Yes, or atthe very least laws that forbid fingerprinting outright.

[–] AmbitiousProcess@piefed.social 1 points 2 days ago (1 children)

A "new internet" wouldn't really fix this.

For example, if a site wants to display a page, it NEEDS to know how wide your screen is, otherwise the page will just look fucked up because everything will either be so wide it's past your screen's width, or so short it's a narrow bar in the middle.

Same goes for if a site wants to display certain rendered content. It can't do that without using some form of rendering engine like WebGL (and a "new internet" would still need some kind of engine to have that kind of rendered elements, even if it wasn't WebGL specifically). Your exact, specific hardware, current program utilization, and minute differences in power usage will ALWAYS produce some form of unique fingerprint. You can use extensions like CanvasBlocker to help with this, but it's not a guarantee and will break some rendering functionality. Then, the fact your browser blocks these functions is another data point that could track you. The lack of something is just as identifiable as having something as a data point.

Essentially, you can't have the features of the web without also making it known to a site that your browser supports (or actively doesn't support) those features. Even a "new internet" or entirely different set of browser and web frameworks wouldn't remove fingerprinting, it would just mean fingerprinting is done by whatever new methods now exist.

Even if you as a person simply type a given way, you can be identified by your typing styles. For example, I tend to use both "simply" and "for example" a lot more than other people, as you literally just saw. If you tend to use the internet around a given time, your time zone can be inferred. Unless you want technology that fully rewrites everything you say in a standard, robotic tone 100% of the time, and also delays some of your web requests by 12 hours to throw off time fingerprinting, you can't avoid that.

Try https://coveryourtracks.eff.org/ and it'll give you a good sense of how many different things could fingerprint you. If you want to block ads, a site can know you block them. If you want to stay logged into ANY website after you close a tab, it'll know you save cookies, etc.

As someone else mentioned, legal protections are best here, as the largest actors that use these fingerprinting techniques are usually corporate, legally registered entities that run ad networks, and if fingerprinting as a concept can't be "blocked", then people's legal right to do so is your next best option.

[–] minorkeys@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago) (1 children)

Make the site send everything and the device determine what to use.

[–] AmbitiousProcess@piefed.social 1 points 1 day ago (1 children)

It's a little more complicated than that.

Should every request you make to a site require EVERY single language the site is translated in to be sent? That's many times more bandwidth, and would make your page load speeds tens of times slower by default. If that's not possible, then they know your language and likely general region.

Want to stay signed in to a website, or have a site remember your settings? You can't do that without some form of persistent authentication mechanism like a cookie, which can also be used to fingerprint you. If you don't want that, you'll have to sign back in to every single website every single time you open a tab for that site.

A site might send all its contents and let your browser format it without revealing its screen size... but what about if the content necessarily has to be different for different screens? A desktop layout for a site won't work well on mobile, after all.

What about the times you browse? Unless you want some of your page loads to randomly take extra hours to happen just to obscure your time zone, that's a data point too.

Oh, also no interactive code that sends data back to a server can run because it could be used to fingerprint your device's general model, OS, and GPU/CPU hardware. Say goodbye to basically all web-based games, file converters, image editors, video players, etc.

Now add in your mouse and keyboard movements, topics of interest, and any data you voluntarily reveal about yourself on any website.

This is why I say this is more a legal problem for prevention than a technical one. Preventing most of this fingerprinting also necessarily means destroying the functionality of the web.

[–] minorkeys@sh.itjust.works 1 points 1 day ago (1 children)

Of course they will be problems if you expect the exact same experience as now. Why can't a website send everything? Bandwidth really isn't so much of an issue and neither is latency these days. If that means a website needs to be built leaner and with less stuff, so be it. I don't see anything you mention as a real blocker.

[–] AmbitiousProcess@piefed.social 1 points 1 day ago (1 children)

I think you underestimate how much bandwidth would be required for every single site and piece of web content to be sent in every single language, for every single request. (keep in mind this would also include ALL images with text in them, ALL captions and audio tracks for videos, and entire copies of video content if the contents itself has to be modified, such as on-screen images)

Sites could be slimmer, sure, but that doesn't change the fact it would be a problem very quickly.

For example, a big problem is that if EVERYONE is using many times more bandwidth, the supply gets constrained for EVERYONE given there's still a physical limit to how much data can flow through a cable (or internet exchange).

And again, there's still way more data that could be collected on you that would negate this fingerprinting prevention, even if it was feasible. If you choose to read a particular news site even once, boom, there's your country or even state/city.

Do we 100X bandwidth usage across the board, spend billions of dollars more every year in perpetuity to handle redundant bandwidth, pay more in server hosting costs to accommodate the extra usage, all just to eliminate ONE data point, or do we just pass some laws against using that data to fingerprint someone?

[–] minorkeys@sh.itjust.works 1 points 1 day ago (1 children)

Then the services reduce what a website does. Neither of us know what that internet looks like but it solves the problem of privacy and I'd want to see what it its like and what innovations emerge to solve the problems you're mentioning. A new internet is a massive undertaking, why wouldn't it have lost a of problems needing to be solved? The significance of your criticism is proportional to the significance of the change.

[–] AmbitiousProcess@piefed.social 1 points 1 day ago

I just think that such a massive undertaking would cost so much, require so much sacrifice, and not even necessarily prevent fingerprinting.

If you don't want fingerprinting, then you genuinely cannot interact on the internet as yourself. Everything would have to be passed through a filter that makes everyone the same, including their interests, what they talk about, when they use it, and what they choose to consume.

At that point, it's no different than a network of robots talking to one another while humans play pretend like they're controlling them.

You cannot eliminate all fingerprinting via technical means alone. Even if you spend the billions and billions of dollars on drastically increased bandwidth and processing power, redesign every web framework from the ground up and brick every internet connected device on earth, bring functionality of all websites to the bare minimum and eliminate some types of sites/content entirely... some of it is just behavior based, which can't be removed without removing the humans from the equation altogether.

This is why I believe a legal framework is best for fingerprinting protections, and technical measures only when it's more of a simple data point to eliminate (e.g. if every browser, or most browsers enabled the Do Not Track header, nobody could realistically be identified by if they do or don't have it on), because the alternative is fundamentally demolishing the ability of anyone to do anything online at a cost that's even higher than what we spend now for more functionality.

[–] PP_BOY_@lemmy.world 22 points 4 days ago

A VPN prevents your ISP from seeing exactly what websites you're visiting. Depending on your local laws and censorships, this can be either the difference in a jail sentence or a letter saying "don't download Green Day America Idiot again >:("

A VPN doesn't prevent digital fingerprinting, user accounts/profiles from being created, or dark tracking. It's entirely possible to be identified even with a VPN; you can't eat your cake and have it too.

Tl;dr you should really consider your VPN as just a shield from your ISP seeing where you go. It's not a one-click solution to anonymity, it's just one layer of many in a good opsec solution

[–] megopie@lemmy.blahaj.zone 13 points 4 days ago (1 children)

It hides traffic from your ISP or cellular provider. Who are monitoring your traffic and location and selling that information in aggregate to 3rd parties.

It also conceals your location from websites and makes it a little harder to ID you. Websites have other methods of identifying you, cookies, device specs, the type of browser you’re using, patterns of usage, ect ect. Hiding your IP takes one point of data away from them but is basically useless if you’re not taking other steps like disabling certain browser functionality.

I found that a lot of sites will throw a lot more of a fit from VPN usage on a mobile device than they do from a desktop.

[–] voxel@feddit.org 3 points 3 days ago (1 children)

A VPN does not strictly hide your location. There is a lot of information that is shared with the websites you visit, e.g. your preferred language, timezone, etc.

A VPN can only change the IP-Address which also reveals information about your approximate location. In my case it is often times a city in another state, not very accurate.

[–] megopie@lemmy.blahaj.zone 1 points 2 days ago

I know, I’m just trying to speak in generalities for the sake of clarity.

[–] artyom@piefed.social 8 points 4 days ago (1 children)

VPN encrypts your traffic and obscures it from your ISP, as well as the server you're reaching out to.

Unfortunately a lot of people use VPNs to hide their malicious activity, and for that reason, many sites will block the connection. It's unfortunately just the way it is.

[–] voxel@feddit.org 2 points 3 days ago (1 children)

(...) as well as the server you're reaching out to.

No, the server you reach out to sees the full traffic because that is the server your device is communicating with. It is only routed over the VPN, which acts as a middle person.

[–] artyom@piefed.social 1 points 3 days ago

I meant your request origination is obscured.

[–] mufkin@lemmy.zip 2 points 4 days ago

https://en.wikipedia.org/wiki/Virtual_private_network

[–] unitedwithme@lemmy.today 1 points 4 days ago* (last edited 4 days ago) (1 children)

OK, I've posted this elsewhere and took a moment to find it:

  1. Phone on airplane mode (eliminates WiFi/BT cellular & GPS tracking)

  2. run physical mobile hotspot device for data (like Calyx hotspot - +1pt if you pick Moxee or Orbic model to also run rayhunter from EFF)

  3. connect to hotspot over WiFi with random MAC addresses (effectively eliminates IMSI tracking)

  4. Enable a solid VPN with Kill switch. (Helps hide location and other usage from ISP)

  5. Use e2ee chat/text/phone apps over WiFi like Signal, SimpleX, XMPP server or app (servers=Jabber, Prosody, Snikket, etc apps are Cheogram, Snikket, Conversations - eliminates carrier tracking to an extent unless you can also get your friends and family on it)

  6. Run a degoogled OS with profiles capability

  7. Run alt app stores - preferably F-Droid or something without Google services

  8. Run Firefox forks like Librewolf or Waterfox or even Ironfox with Port Authority and Privacy Badger extensions

  9. Use a more private search engine or host your own. I like Ecosia which does have some ads, but they're not evil (yet) and help with reforestation. There are others, I forget names. Someone can add to this list.

  10. Something you can do to help your wife though, without running anything additional, run an adblocker like Pi-hole, Adguard, eBlocker, or Technitium

Bonus: focus on FOSS and/or other non-US tech based companies. Proton, Mullvad, Nord, and US/CAN based goodness are EFF, Calyx Institute, Privacy4Cars, so many more

That's a solid start, some easier than others obviously. Others should add to this list!

Edit: duh, forgot to say use a private email like Proton mail where you can use aliases and also SimpleLogin for additional domains/addresses that forward. I use those for insurance shopping, car shopping, or other stuff you have to have an email to communicate, and when you're done, just delete or deactivate the alias to cut spam or data being sold.

[–] iopq@lemmy.world 2 points 3 days ago (1 children)

I just use a VPN app on the phone. You can prevent the phone from connecting directly and always to connect through the VPN

[–] unitedwithme@lemmy.today 1 points 3 days ago (1 children)

Yes, that sounds like the kill switch so no connections go through without the VPN.

[–] iopq@lemmy.world 1 points 2 days ago

You can select always on VPN for the same effect. It's not 100% guaranteed, but going directly is basically considered a bug

[–] NutinButNet@hilariouschaos.com 4 points 4 days ago

A VPN is kind of like sending a letter through the post office using someone else’s address. Like if you put the grocery store’s address on it and then stuck it in with their outgoing mail.

It gets your letter there and the post office doesn’t know your actual address, they think it came from the grocery store. Likewise, the person receiving your letter thinks it came from the grocery store too.

And the VPN handles it in reverse by taking a letter from that person and even though it gets to the grocery store, it gets delivered directly to you and no one else except you and the grocery store know that’s not actually your real address.

For privacy, this is great at protecting you from websites you don’t want knowing your real IP address which can reveal things like your exact location in the world, say Facebook. You want to use Facebook to talk to granny but you don’t want Facebook knowing your real public IP.

Some people also use them for tricking websites into thinking they are elsewhere. When you subscribe to a VPN service, they often show you different servers around the world and you can choose to appear like you’re in the UK even though you’re in the US. A site like Netflix may show Rick and Morty only to UK residents so you use a VPN to trick them into showing you shows like that.