by FridgeSeal 3372 days ago
No, they're not.

The solution is getting strong, enforced laws that protect our privacy and punish those who break them.

But for the moment, with advertisers viewing themselves as God's gift to the internet who think that all your information belongs to them simply by virtue of existing, and who will go to great lengths to acquire and store it all (for perpetuity), a solution is needed, and part of that is VPNs.

5 comments

In general, you can still identify users for advertising purposes without knowing their IP address.
3rd-party cookies and fingerprinting JS are hugely different from "full take" at source.
Data you release can never be recovered. Even if we were to chuck out the entire House and reverse this change in 2018, VPNs would still be a key part of the solution. It would only take one medical search sold to insurers (as a random example) to seriously affect you, so I agree that downplaying technical defenses is unreasonable.
You can make holding and using that data highly intractable.

If there are blisteringly strong penalties to holding and trading in personal data, the incentives to do so will largely disappear. Unfortunately, statutory regimes, particularly in the United States, seem to be going in the opposite direction.

With the ability to seek out and purge disclosed data, at least some of the damage can be mitigated. Considering that there is far too much information for humans to ever process but a small portion of it, that might actually be sufficient -- we won't be needing the Men in Black eraser pens.

All fair points, though I specifically had individual defense in mind. I don't know any good way for an individual to restrain accurate data once it's released, so poisoning is the only option I see to dilute the value of it.

At least when thinking about individual defenses, I tend to treat the regulatory landscape as a lost cause - currently I'm just hoping that privacy tools won't be actively outlawed.

Information-related activities have far more in common with epidemiology -- and at all kinds of levels -- than pretty much anything else.

Whether it's concern of your data going out, or bad genetics patterns coming in, your best bet is to cut off the routes of transmission.

In a plague-infested land, it's practicing exceedingly good hygiene which is in your best interest. If that means walling yourself off from the rest of society for a few years (as one royal household in Europe did), so be it.

Keep in mind that the Black Death even eventually reached Iceland, though some years after it scorched over the rest of Europe (4-5 years as I recall).

There are domains of problems which are intrinsically personal. Though rather more which manifestly are not.

(Though you've also got me thinking about what equivalents to own information spreading out there are, epidemiologically.)

> (Though you've also got me thinking about what equivalents to own information spreading out there are, epidemiologically.)

This seems like a really good question, actually. The disease model of information is quite effective, at least in terms of ideas like herd immunity, transmission rates, quarantine, etc.

But at the "patient zero" level it's quite strange, with personal information being a thing you know you have and don't want to spread unintentionally. It definitely changes some things compared to the standard model, though I think you have a point that you can invert things fairly effectively (i.e. 'hygiene' is to avoid spreading info, instead of contracting it).

I also wish there was more good writing on information hazards, which follow the epidemiology model almost precisely. So much of what's out there descends into Cthulhu references or 'fake news' rants, rather than looking at the actual metaphors for things like "herd immunity".

(Surely someone has written an ironic essay about "vaccinating against anti-vax ideas"?)

There is some public-health treatment of information spreading, though not a whole lot of it. I've been the source of some, though the ideas pre-date me considerably. You could go back to religious contexts, the concepts of apostasy and blasphemy, or even (per I.F. Stone) the Trial of Socrates, for prior art.

For information specifically, it's interesting in that there are at least three possible goals:

1. Restricting or combatting the spread of toxic information.

2. Encouraging the spread of useful or helpful information. There's a great deal of this under the rubric of "diffusion of information".

3. Limiting, for socially beneficial or malevolent purposes, the spread of generally private information.

The first two instances have clear epidemiological and evolutionary cognates: limiting the spread of disease or disease agents (bacteria, viruses, prions, contaminants), or the process of evolutionary advance or propagation of fitness adaptations.

The question of concealment ... thinking through here, I'm coming up with concepts such as camouflage, mimicry, colour or shape-shifting (e.g., cuttlefish, octopus). There are bacteria and viruses which evolve or mutate rapidly making various antibodies or antibiotics less effective quickly (another element taken up by fake-news and propaganda sites -- one article I was reading yesterday noted how new most such outlets were, earlier pieces I've seen noted how new sites were emerging late in 2016 and growing to million+ daily users). I need to think more about that.

As for the antivax situation, I've pointed out that information campaigns to refute anti-vax ideas regarding the efficacy (and safety) of vaccines against viruses which attack DNA/RNA, are an information attack on an information attack on an information attack on an information attack on information.

https://ello.co/dredmorbius/post/manw8sighyj2in4661tyla

> advertisers viewing themselves as gods

Tangential point, I've heard from a friend how much you can earn by being involved in a "premium" ad network, and it's basically around 100x what I can make as a SWE freelancer. I also remember a HN user claiming they make $30k/month from a simple "YouTube downloader" kind of site.

But even with laws, you can't trust ISPs and governments that pwn them. So yes, using VPNs is prudent.
How do VPNs protect you against advertisers?
Because ISPs can't read your traffic.
But now the VPN provider can just track you and sell all your browsing history instead of the ISP, so how is this better?
Because you have much more choice for VPN providers than for ISPs. And you can change VPN periodically, far more easily than changing ISP. Also, you can use nested chains of VPNs, much like Tor, to distribute trust. So adversaries must compromise multiple providers, quickly enough that logs will be available.

Edit: Also, you can pick VPN providers outside your adversary's sphere of influence. That's standard advice for users in China, for example.

Also, you can pay for a VPN without revealing your identity. Not so with ISPs. I use a VPN, for instance, to mask my Tor usage from my ISP. (I'm an American using the Internet in the United States.)
True. But the VPN provider effectively knows who you are, because they see your IP address. Or rather, a resourceful adversary can get your IP address from the VPN provider, and then get your identity from your ISP.

If you chain VPNs, however, it certainly makes sense to lease the second/indirect VPN anonymously.

And now both of your VPN owners have your data connected to your IPs. You do have more choice but if both of them sell the data, it doesn't make any difference.
If you need multiple residential IPs, use Hola's Luminati. If you don't trust them (a wise move), do so illegitimately.

https://news.ycombinator.com/item?id=13676600

You can also tunnel to Tor through domain fronting.

https://trac.torproject.org/projects/tor/wiki/doc/AChildsGar...

https://www.fireeye.com/blog/threat-research/2017/03/apt29_d...

Right, you still need to trust someone.

If it really matters, you use nested VPN chains. Three deep is my standard, and I've managed six. Latency can be a couple seconds, but hey.

I've lived places where my only ISP choice was Comcast. I trust them as little as the worst VPNs, and having a choice of VPN lets you choose one which is trustworthy and in a convenient jurisdiction. That matters some in the States (no NSL to Canada, for instance) and a great deal in China or other countries.

> But now the VPN provider can just track you

Find one based in a less offensive jurisdiction?
It's not. There's no way to verify the VPN provider is not keeping logs and tracking you.
This is the principal-agent problem, generally.

Audits and reputation may help.

Yes, but every website you visit can potentially ID you with cookies or browser fingerprints.
Well, you compartmentalize in multiple VMs. Using different VPNs, Tor, and nested chains of them.
Things are getting very inconvenient at that point, all to avoid being snooped on by the people who are supposed to be representing us.

What a sorry state of affairs.

Yes, it is unfortunate. But hey, you gotta deal with what's so.

There is a learning curve, and extra steps in configuring a working environment. But once the host and VMs are configured, uptime is no worse than with typical LANs.