by lolinder 774 days ago
> Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after police obtained IP logs.)

If your VPN is tied to a payment method then all you've done is give police one extra hop to follow to get at you, which wouldn't have saved this activist. Their list of VPNs only includes Mullvad in position 9 of 10, but as far as I'm aware it's the only one that offers payment methods that preserve your anonymity.


If you're doing low-bandwidth stuff like sending e-mails, TOR (which is of course free) should be your first choice.

But you have to absolutely "air-gap" that from the rest of your identity, such as not making a proton e-mail address over TOR and then using your usual email address as the recovery one.

nah, Tor is not trustworthy, as it also exposes you as a Tor user; in less developed countries, where not many people know how to use Tor, you'll stick out real bad. It is much better to use shady random proxy servers you'll find online before connecting to Tor; it is extremely slow, but much safer, as the authoritarian state monitors won't be able to see that subpoenaed IP addresses come from Tor exit nodes, conveniently at the same time period you (and basically no one else) were using Tor.

Only if the VPN provider had logs.

Most claim they don't; PIA was even subpoenaed at least once and responded that they don't have logs.

Keep in mind that was years and at least one owner ago.

Let's say I buy Mullvad access with a credit card, then access my otherwise-unrelated Proton Mail account via Mullvad.

How are police going to find me behind that hop?

I don't know one way or the other how easy it is, but if I were an activist in an oppressive regime I wouldn't want to use a VPN that is connected to my identity in any way. I wouldn't trust zero-log policies to keep me safe; there are too many unknowns about the way they run these services and what metadata they have to turn over.

In this case an activist in the oppressive regime of... Spain?!

Opsec is hard and most activists in western countries don't take it seriously. It's not like we live in PRC or DPRK right?

Ironically, it is likely far harder for PRC or DPRK to get data from Proton than it is for Spanish police.

> It's not like we live in PRC or DPRK right?

Right. Western governments are much, much better at mass covert surveillance.

> it is likely far harder for PRC or DPRK to get data from Proton than it is for Spanish police

You balk at the idea of a western government being oppressive while pointing out that our “secure” email services can be easily compromised by government action.

Well Spain probably never got over the Franco legacy.

https://www.wired.com/story/europe-break-encryption-leaked-d...

“Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” Spanish representatives said in the document.

Spain had to deal with homegrown terrorism not that long ago. Not excusing them, but it should be pointed out for more context.

> but if I were an activist in an oppressive regime

Then mail them your money

I think most people are considering less serious threat models

I assume by "less serious threat models" you mean non-governmental, in which case just signing up for ProtonMail without a VPN is perfectly safe.

> you mean non-governmental

I would say most people are concerned with dragnets, not targeted attacks. There's quite a lot you can hide from the government in terms of dragnets, in the same way you'd hide from big tech.

"Hide" isn't the right word. "Defend from" I think is probably better. Defending our constitutional rights from government and defending our privacy from big tech.

I'm actually perfectly okay with governments in targeted attacks (where a warrant is reasonably given). I'm just not okay with police being lazy.

How does mailing them your money help against a dragnet? How does a VPN help against a dragnet? Like the government can spy on (and somehow SSL MITM) your home ISP but not spy on your VPN ISP?

How could one go off grid without going off grid, do you think? Cash, bitcoin, prepaid cards, VPNs: they all seem traceable if truly needed.

Speaking absolutely, you can't. Reality is public. You have to choose your risk tolerance level.

They can find you if they are lucky with choosing your ISP, and there are not many people connecting to the VPN you have used at a specific time.

So they would have to guess which ISP you are using and hope no one else was connected from that ISP to the VPN at the same time. I don't think it could be used as evidence (in any country).

I assume they won't bother unless you're a pedo or terrorist. In that case, what are you using the email address for? Request your info from all of those sites. Wait for you to get sloppy once.

You are totally wrong. You are assuming that every single VPN is logging everything you do online, every IP address, and every website, and then saving this information for every user. Completely false. Show me a single reputable VPN that does. Show me the real-life cases where this has happened. Any good VPN, including Mullvad, is a no-logs VPN, which means activity through the VPN is not recorded and cannot be connected with users. There have been numerous VPNs that have not only been audited to verify this, they have been proven correct in court or real-life tests. Mullvad is a perfect example of this:

https://restoreprivacy.com/mullvad-vpn-says-customer-data-is...

Paying for a VPN account does not mean the VPN is going to start logging user activity. Keeping payment records does not equal logging user activity through VPN servers. And most of the big name VPNs allow for crypto payments.