> why people pay for 3rd party VPNs? It's far more secure to create your own wireguard/openvpn/whatever with a cheap VPS
Your comment seems to infer that you're unable to empathize with people who might think/understand differently than you. It also seems to negate that you avail of other services/non-self-controlled processes without worrying about the threat models, there.
Just hand-waving with a "Why don't people just do 'x'?" is ironic - in the sense of "Why do you do your own medical care?" or "Why don't you grow your own food and slaughter your own animals?" or "Why don't you manufacture your own phone, its operating system - oh, and the cellular tower closest to you?".
Threat models exist, _everywhere_, and it's impossible for someone to build all of the pieces, themselves, to prevent all threat models at every possible avenue/point.
In other words, at a non-arbitrary point, doing _everything_ yourself is untenable and that's precisely why services in society exist, today (that and ease of access, use, required foreknowledge, and - most notably - cost).
Not everyone is savvy enough to do it, even though the process has been simplified with many hosting providers providing preconfigured VPN servers.
And it doesn't anonymize you that well. When you post a message that draws the attention of law enforcement, the IP will lead them to a VPN provider that hopefully doesn't keep any logs.
But if it leads them to a specific server, the hosting provider will disclose your account and payment data, since it is linked to your private server. Unless they accept fully pseudonymous accounts and let you pay for your VPS in cash, Monero or tumbled Bitcoins, finding you is much easier now.
I find it so insane that people think the major VPN providers aren't all completely compromised one way or the other. As if you're really going to be able to just pass your traffic through such a business and they're going to actually keep no logs, and not have secret deals made with intelligence agencies, and aren't unknowingly completely insided/compromised by intelligence agencies. As if you can just push your traffic through a major VPN and intelligence agencies would just go "well shucks, oh man, they sure got us, we'll never know who it was, foiled again".
> I find it so insane that people think the major VPN providers aren't all completely compromised one way or the other.
For 99.9% of people a VPN is just something they use to access something in another country or because some YouTube ad scared them into believing you need a VPN as soon as you step into a coffee shop.
The threat model of most people does not include state actors or intelligence actors and they just don’t care.
Both are Swiss zero log, Mullvad has a flat 5 euro/month charge that goes back to when they started to (they say) forever - you can send them cash in an envelope for the next twenty years with a generated account number and you're away.
ProtonVPN has plans - the two year streaming sign up is 4.99 euro/month.
Ah, good ol' trustworthy Swiss companies! Like Crypto AG![1]
Realistically, all VPNs are compromised. But for most people's threat model, that's irrelevant anyways.
Proton for instance revealed the location of a climate activist leading to his arrest[2], with the inspiring message from the CEO that "privacy protections can be suspended", silently on a per-user basis at any time.
Haven't seen anything like that for Mullvad, but it's probably the same. At least the company takes crypto. But these things are always just surface level obscurity at best.
The case you shared in fact shows that Proton's encryption ensures privacy by default and that it cannot be bypassed even when we're presented with a court request that we cannot legally contest. Namely, we weren't able to share any of the user's email content due to zero-access encryption which makes it inaccessible to us: https://proton.me/blog/zero-access-encryption. All we could provide was the limited metadata we need to have access to anyway in order for the email service to work properly.
Additionally, the user's identity had already been known to law enforcement. As any legally operating company, we need to comply with the local legislation.
> Proton for instance revealed the location of a climate activist leading to his arrest[2], with the inspiring message from the CEO that "privacy protections can be suspended", silently on a per-user basis at any time.
That person isn't just a climate activist, they (and others who used that email account) broke French laws. Swiss authorities compelled the disclosure.
> broke French laws. Swiss authorities compelled the disclosure.
That's a terrible reason. Torrenting breaks French law. Having the wrong bread or cheese with your wine probably breaks French law.
And if your company can be compelled via gag order to give up your users' privacy whenever the authorities feel like it, well, your product isn't very effective anyways, and you should stop pretending you offer any meaningful level of protection.
It really depends on what you are trying to do. It is not easy (or just impossible) to get the same amount of IPs as those $5/mo or $10/mo VPN services by renting your own VPS at the same price.
Oftentimes, it's not about security but about circumventing censorship. A cheap VPS comes with a fixed IP located in one fixed part of the world. Many VPN providers allow switching.
Compared to the rest of the world, the number of people who even know what a VPS is is microscopically small.
And even those that do, the number of them with the time, desire, or skill, to do as you suggest, is even smaller.
I myself was into this sort of thing just 10 years ago. Now, as I start looking at hitting the big 6-0 in just a few years time, I’m already working on divesting myself of all this complexity,