IMO, you’re probably fine with only using VPN. That is with all the settings and additional measures done and with a credible VPN provider, which, in my case, is Mullvad.
If you’re planning another 9.11 or for some sick reason decided to share no no porns, VPN is definitely not enough and I’m pretty sure you already know that.
A lot of reputable VPN providers are constantly poked by the authorities. They give nothing because they have nothing.
You’re fine if you’re just trying to bypass stupid regional censorship or download a bunch of movies. That is, again, with proper security measures of course.
I’ve seen some people saying that you should use Tor for anonymity when someone’s just asking about how to use VPN better or whatnot. Tor is better in terms of anonymity, sure. But for most of the cases, VPN is fine.
And I cannot stress this enough: you will NEVER be perfectly anonymous online. Period.
I think we’d all benefit from less discussion about whether or not product or service X is enough, and more conversations about what the options are, how they work and how they might benefit you. Because there is no right or wrong way to go about it.
Sharing information and experiences makes it easier to decide what is useful to you. You might want privacy for different reasons than the next person. Not everyone is paranoid, not everyone is an activist, not everyone has the same needs. To illustrate this, I’ll share my own experiences, but first, an oversimplified summary of common privacy related topics or services:
VPN: instead of connecting directly to services on the internet, you first connect to a VPN provider (or self-hosted solution), then to everything else. The only connection your ISP sees is to the VPN provider, the requests between you and the VPN provider have added encryption (like for example Wireguard). The IP address you communicate to the internet is that of the VPN provider, if they have servers in different countries you can appear to send requests from IP addresses in those countries.
DNS: domain naming system, required to link requests to websites like www dot example dot net to the corresponding IP addresses. This is called resolving. DNS can be manipulated or used for extracting sensitive data at multiple points in your connection chains. Encrypting your DNS requests adds security and can provide privacy from whoever ends up resolving your DNS. This can be your ISP, major players like Google or Cloudflare, your VPN provider and many more, depending on your setup.
De-googling: moving away from Google services first and foremost, removing ways for Google to track you (regardless) second. Because Android is open source, parts of the system that rely on and/or offer telemetry to Google can be removed or altered. Any Android device that runs a version of Android that is not specifically advertised as privacy friendly will spy on you (your usage, what apps you install, your habits across apps) in some shape or form. Unless you’re wanted by a government or have to deal with stalkers, no one is looking for juicy details about your private life, just the details they can use to sell you products through targeted advertising.
Adblocking: using tools or servers that block as much of online tracking as possible. In most cases, you’re at least trying to prevent advertisers gathering data about you and profiling you. Can be done at a decent level by just using the right browser plugins, but you can take this a lot further.
Fingerprinting: profiling you regardless based on everything your device, browser and OS tells about you regardless of how much you think you’re already protecting your privacy with a VPN and ad-blockers. Fighting fingerprinting doesn’t have to be rocket science, but does require a lot more effort. Even when done right, one misstep (a software update reverting settings you carefully customised, for example) can require you to have to dive back in.
TOR: the onion router, best described as an overlay network on top of the internet in which you connect to an endpoint (whether a website or service) through multiple other computers in the network called nodes. Nodes can be anything from a full fledged server in a data center to a computer at home, and can specifically be made to be relay nodes or exit nodes, for example. Does only make it hard to trace what you send back to you, does not magically conceal the information in it. Sending personally identifiable information over TOR is just as risky as over the ‘regular internet’. The network offers the possibility to host on the TOR network, creating this separate layer of sites and services that has poorly been coined The Dark Web.
Encryption: very broad, but talking on all levels, from PGP encryption for emails to E2EE, if you can encrypt without driving yourself nuts, do it. So many technologies we still use today (looking at you, e-mail) rely on a patchwork of Band-Aids to hold it together in terms of security and authentication, better be safe than sorry.
I realize as I’m typing this that I could go on a lot longer, so not wanting to get too far off-topic, let me share my own privacy journey in short for some perspective.
A friend of mine was already a privacy advocate when she decided to run for parliament (around ten years ago in the Netherlands) and we discussed the topic every once in a while. I decided I didn’t want any corporation making millions off the back of freely given personal info of mine, so I dove into the deep end. I stopped using Google services (but did not delete accounts, either) and got into TOR routing. After putting myself through months of getting blocked from even the most common sites due to being fingerprinted as a TOR user, having to do eight captchas just to access a service and running on the slowest connection ever due to routing all my apps through TOR, I called it a day.
Over the years, as knowledge became more readily available, services got better and new services popped up, I would gently ease myself back in the direction I wanted to go, taking it one step at a time, assessing the value it would provide in relation to the effort needed to implement, or the hurdles needed to overcome. That’s really the best advice I can give there: keep informed, try stuff out, see if it’s for you. Is it easy to use? See if you can help others going through the same process and maybe even help them make the switch.
So where am I now in my privacy setup?
I don’t run degoogled Android but sandbox apps that I would like to get rid of (but can’t) or don’t trust and use ADB to uninstall what can be removed.
I run a VPS with TransIP in the Netherlands that I connect to over Wireguard, runs Pi-hole for adblocking and resolves DNS through DNSCrypt resolvers that don’t log. I use it as my primary “VPN” on most devices including my phone.
I have a duplicate setup running with Digital Ocean, just for the sake of availability, but might move that to Germany with Hetzner, for example.
I use Protonmail as my primary email provider but have backup providers like Tutanota as fall-back. I used DuckDuckGo’s email aliases for a bit as well before switching to SimpleLogin.
I prepaid Mullvad for a couple of months with the intent of running my own Netgear router with Pfsense, forcing the whole house through Mullvad.
I hardened Firefox on my primary devices and run the same combination of adblocking and privacy plugins across every installation (including Mull on Android).
There’s more I do in terms of backups, security and encryption, but that might veer a bit too far off topic.
My current setup is currently not necessary for living a free life here in the Netherlands, but it does suit me. Some things are based on ideals, some things on practical worries, others because I want to learn more about the technology involved. It’s relatively easy for me to manage and I know what I’m conceding when I do use intrusive services or apps.
Long story short: don’t push your views, share information, help each other out, as long as we know what it does and what we get out of it, we can determine ourselves what is enough for us. Maybe a VPN is enough for you, maybe it’s not. You decide.