
Looks like so much work was put into the list, but I still wonder why on Earth anyone would use a 3rd-party service, especially one based in a weird jurisdiction, for anything other than torrent downloads?

Likely every service with questionable legal status (e.g. all that state there is no logging going on) does analyse all bandwidth for its own needs and is clearly going to steal everything they can. Even Tor exit nodes are more secure since you at least know they can't be trusted by default.

What advantage is there over your own servers that are unlikely to be monitored by default and are still dirt cheap?



First of all, there's no such thing as own server. The trust you are putting into the ISP your "own server" is connected to is exactly the same as the trust you are putting into a VPN provider.

Second, for a lot of people in this world it's a given that their ISP/government is monitoring their traffic. It's vastly better to be potentially spied on by someone abroad than to be certainly spied on by someone who has direct authority over you.

To answer your first question, the most popular use cases for VPN are:

1. Circumventing censorship

2. Circumventing regional content restrictions

3. Hiding your IP while torrenting (note that this is relevant only in the US)

4. Avoiding government surveillance (again, note that US is not the only country in the world, but likely the only one with any meaningful reach outside its borders)

5. Avoiding private surveillance (public wi-fi, etc.)

6. Hiding your IP while engaging in illegal online activities (#3 is a special case of this but it's a vastly larger group so I made it separate)

Note that "weird jurisdictions" can be a significant advantage for cases #3 and #6 (because they are harder to subpoena) as well as #3 (because they don't have retention laws).


> 3. Hiding your IP while torrenting (note that this is relevant only in the US)

It's not, actually. The same BS is happening in at least Finland too these days.

Legal companies get the rights to some media (in the Nordics or whatever) and monitor some torrents and take screenshots(!) of the IPs in the torrent swarm, and can then petition the market court for the subscriber details of the IP addresses in the swarm, then send a threatening letter asking for a 500€ settlement. Some idiots are even caving in and paying. I don't think anyone has actually been sued yet for establishing some precedent (though the Finnish legal system isn't based on precedents).


As an example:

I set up a VPN in the Netherlands, hosted on a VPS. I was connecting from another European country (where ISPs block torrent sites).

Within minutes of attempting to download a recent movie release, a Cease and Desist was emailed by ip-echelon.com.


That's the thing. With a VPN service, you don't have to read those ;)


Welp, it was only a matter of time... Thanks for the info!


> 3. Hiding your IP while torrenting (note that this is relevant only in the US)

The entire German nation would like a word with you, kind sir.


Further reading: https://www.reddit.com/r/germany/comments/2hxy4j/help_me_ger...

Between this and GEMA, using the internet in Germany is quite restricted.


> 3. Hiding your IP while torrenting (note that this is relevant only in the US)

This is relevant in most of Europe and unlike in the U.S., a C/D letter can easily cost you somewhere between 300 and 1000€.


why is there a cost associated with it?


They threaten to take it to court and that would cost much more. You'll also have to deal with a lot of bureaucratic crap along the way that has very short deadlines and can cause a lot of trouble if you don't meet them, so they kindly allow you to pay to make it all go away...


because they can and a lawyer will cost you more. actually, i know a lawyer who paid upfront to avoid the threat of a lawsuit.


I can't speak for weird jurisdictions, but I use privateinternetaccess myself. I haven't tried it for torrents actually, I should give that a shot. I use it for

* getting around arbitrary region restrictions (that use case is rapidly disappearing)

* protecting myself against snoopers when on public WiFi. I'm very mobile, and often work from cafe/hotel/airport WiFi. They're mostly in the clear, but I VPN even over encrypted WiFi because of the below.

* I don't like ISPs selling my information. The service I use is fast enough that I can have it always on, without a noticeable speed loss... So I do. If my ISP wants to sell my browsing habits, they can buy them from me.

Now that you mention it, I'll totally try torrenting something. Curious to know how it performs!


PIA actually performs rather nicely with BitTorrent. It is slower than a bare connection from your ISP of course, but fast enough for most purposes.


I do agree that hiding bandwidth and source is a reasonable use case, but then you don't really need to know about service jurisdiction, logging policies, activism, etc. So I just seriously wonder why anyone who actually cares about real privacy and logging would use public services.


For people who care about real privacy, VPNs are useful to hide Tor use from ISPs. You use a nested chain of maybe three or four VPN services, and then hit Tor. Let's say that you were using targeted onion services while the CMU jerks were pwning Tor users. Instead of your ISP-assigned IP, the FBI would just know a VPN exit IP. And they'd need to successively subpoena three or four providers in order to get your ISP-assigned IP.


So you're the guy they are talking about on TV who has "bounced through 7 proxies" ;)


That's a Snowden reference, no?

But yes, seven hops is about the minimum for any prudently private person, as I see it.

But for true overkill, see https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...

It's not that hard to hit 30 hops, alternating VPNs and Tor onion services.


Nah, not Snowden, it was just a joke because in TV shows whenever there is some kind of computer crime the technical specialists in the show (black hats turned white, etc.) talk about how the criminal is untraceable because they were hidden behind 7 proxies or such. Not saying you are a criminal, it just made me smile/chuckle when you mentioned routing Tor over VPN which is also going through another VPN which in turn is on Tor, etc.


Thanks. I found this: http://kxan.com/2014/03/10/congressman-upset-with-edward-sno... And wondered why that was needed, given his situation. But now I see this: http://www.dailydot.com/technology/snowden-sxsw-seven-proxie...



Wow, that's a comprehensive guide indeed. Thanks for sharing


I use a VPN to watch San Francisco Giants games on my paid MLB.tv subscription. Even though I am 3+ hours from both SF and LA, and even though I can't get games on cable/broadcast TV, I am in the Dodgers blackout region. Therefore, when my favorite team plays their biggest rival, I need the VPN to watch the game.


Living in a Reds/Cubs/White Sox blackout umbrella here. Which VPN service are you using if you don't mind me asking?


I've used both Private Internet Access and Hide My Ass with success.


> I still wonder why ... for anything other than torrents download?

"This video is not available in your region"


This government and ISP is modifying your HTTP traffic.


1. Non-unique IP, which, for good no-logging VPNs, means no way to map a connection to a person, even through the legal system.

2. Hiding your activities from your own ISP.

And I would guess that the vast majority of VPN customers are simply doing what you said VPNs are good for: hiding copyright-violating activities.


> Non-unique IP, which, for good no-logging VPNs, means no way to map a connection to a person, even through the legal system.

Not guaranteed. That depends on the network setup and on how much pressure the legal system had on the ISP in question.

Possible cases:

1. Dynamic IPs allocated from a shared address pool, but no carrier-grade NAT, just 1:1 mappings. Most likely, the ISP's AAA (authentication, authorization and accounting) systems keep track of those, so the account details are one warrant away. Especially if the ISP has or historically had metered plans, using IP addresses is generally the most straightforward way to match flow reports (with traffic volume data) to customers.

2. The user is behind a carrier-grade NAT, the ISP's local jurisdiction requires ISPs to disclose information about customers, and local law enforcement isn't happy with "uh... we don't know, there's a NAT, we only can tell it's someone of those thousand accounts from that BRAS, sorry" replies, so the ISP has been fined or threatened with license revocation (if ISP services are licensed in their jurisdiction). In such a case they have probably at least set up two flow probes - before and after the NAT, so it's usually possible to correlate the streams. Or, more likely, implemented logging of NAT connection mappings (on GNU/Linux machines this is quite simple with conntrack and ulogd, no idea about Ciscos - not my area of expertise), so it's also well possible to determine who it was.

Since one generally can't know what ISP's routers are capable of, having carrier-grade NAT should be only considered as a possible hindrance, but not as a guaranteed way to keep their account identity anonymous.
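An illustration of the NAT-mapping-log case described in the comment above, added here and not part of the original comment or thread: once mappings are logged, a public IP, source port and timestamp resolve to one internal address, while a lookup without the port leaves several candidates. The record format, addresses and timestamps are constructed for this example and are not real conntrack or ulogd output.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample NAT mapping log (simplified format invented for this example).
# Columns: start_ts end_ts internal_ip internal_port public_ip public_port
SAMPLE_LOG = """\
1000 1060 100.64.0.11 40001 203.0.113.5 20001
1005 1200 100.64.0.12 51515 203.0.113.5 20002
1070 1130 100.64.0.37 40001 203.0.113.5 20001
1100 1400 100.64.0.11 40002 203.0.113.5 20003
"""

def load_mappings(text):
    """Index mappings by (public_ip, public_port), each list sorted by start time."""
    index = defaultdict(list)
    for line in text.splitlines():
        start, end, in_ip, in_port, pub_ip, pub_port = line.split()
        index[(pub_ip, int(pub_port))].append((int(start), int(end), in_ip, int(in_port)))
    for entries in index.values():
        entries.sort()
    return index

def resolve(index, pub_ip, pub_port, ts):
    """Return the internal (ip, port) that held pub_ip:pub_port at time ts, or None."""
    entries = index.get((pub_ip, pub_port), [])
    # Last mapping that started at or before ts; public ports are reused over time.
    i = bisect_right(entries, (ts, float("inf"))) - 1
    if i >= 0:
        start, end, in_ip, in_port = entries[i]
        if start <= ts <= end:
            return in_ip, in_port
    return None

def candidates_without_port(index, pub_ip, ts):
    """Without the source port, every subscriber active on the public IP is a candidate."""
    return sorted({in_ip for (ip, _), entries in index.items() if ip == pub_ip
                   for start, end, in_ip, _ in entries if start <= ts <= end})
```

The same public port maps to different subscribers at different times in the sample, so the accuracy of the timestamp in a request matters as much as the port.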


For hiding IP and bandwidth you don't really need to know even a third of the options included in that list. And for "good no-logging VPNs", do you actually believe a service like that may even exist for longer than a few years?


Do check out AirVPN, BolehVPN, Cryptohippie, Insorg, iVPN, Mullvad, etc via https://archive.org/ They've been around for more than a few years. Maybe eventually they'll be unable to lease usable servers. It's hard to say.


Mullvad in the recent past had trouble finding exit servers in the USA, I think it was reported in their blog.


Idiots who torrent from US endpoints tend to burn them down :(


Mullvad is one of the better companies on that list, and they've been around since at least 2010.


Another endorsement for Mullvad here.


A lot of expats and the upper middle class in China and similar countries use them. Most people don't have the expertise to set up their own


VPNs simply don't work in China. The GFW actively detects and disconnects SSH, VPN (OpenSSL, PPTP, socks.. etc)

The only reliable solution has been ShadowSocks; it's what locals and expats alike use. It simply works, and also has public servers.


I do not agree with you. I am running my own VPN server outside of Mainland China and thanks to obfuscation my VPN is working quite well and it's very reliable.


Have you tried iVPN with obfsproxy? Or AirVPN with stunnel? Or VyprVPN? Just curious.


Are you by chance aware of any simple tutorial for ShadowSocks? Last time I looked at the website it didn't seem straightforward to set up (particularly for non-techies).

Also, one needs an exit server, or not?


SoftEther VPN (Open Source) works over HTTPS and UDP, that might work for you. https://www.softether.org/


"steal everything they can"

Most people are talking about various valid use cases but it's this risk vector that I'm interested in. What exactly could a VPN steal from regular personal computing network traffic? Cookies and sessions? Web history and other meta-data? Does HTTPS / up-to-date encryption protocols stop any of this?


The advantage over your own servers is that it's harder to associate your traffic with your identity. The advantage of "weird jurisdiction" is that they won't cooperate with relevant LEA so readily.



