Tano wrote: 1. Many VPN providers claim they do not log any info about their users' browsing sessions, times, associated ISP etc. True or false?
More often false than true. Most providers don't own their own server infrastructure but rent their servers from other companies; very often these are so-called virtual private servers (VPS), which in layman's terms means a company rents a share of a set of hardware from another company. The first red flag is that a provider offers servers in many countries and thus jurisdictions; stay away from those if you worry about various LEAs.
Private Internet Access was endorsed earlier in the thread so I'm going to continue on that track below, but let me know if you would like a breakdown of another provider.
PIA uses Google Analytics on their website, so they not only track all visits to their website but also share that information with Google. Their email (and thus support email and other customer information transmitted via email) is outsourced to an email service called emailsrvr.com, which is owned by a company called Rackspace. Rackspace is also the company that leases VPSes to PIA which they use to operate their VPN infrastructure.
They write in their privacy policy that they comply with LEA requests and subpoenas as long as they are considered valid in the state of California. This is another red flag, because as we know courts in California are subject to nasty things such as secret laws, gag orders and similar (FISA), so we know for sure that PIA will comply with national security letters (unlike Lavabit, for example).
Due to how PIA has chosen to operate, the question is no longer whether you can trust PIA, but whether you can trust Google, Rackspace and the state of California:
- When you access their website that information is available to Google
- When you interact with their staff that information is shared with Rackspace
- Data sent and received between you and PIA can be timestamped by not only PIA but also Rackspace
But more importantly, because they operate in a highly intercepted country (USA), it is more or less a given that any information about you required by a prosecutor will be available if there is a case of high enough priority, either directly from PIA or from the friends of the feds in companies like Google and Rackspace that PIA has chosen to do their business with.
I personally do not trust companies that use gimmicks in marketing like "no logs" and then don't even have the legal authority to deny access to their servers because they are not even theirs to deny access to.
Tano wrote: 2. Can you list the criteria (in a simple, 'networking for dummies' kinda way) by which an average internet user (not a bloody NSA) would choose the best possible anonymity protection? What are the layers?
It depends on your adversary. Most users are anonymous towards other laymen as long as they don't reveal who they are. Anonymity is most often breached by non-technical means, e.g. criminals bragging about their crimes online or even doing business via SMS and Facebook Messenger. It's important to understand what data retention laws exist in the countries in which the service providers you use operate.
Tor is a fantastic project because they made it easy for regular users to become anonymous via the Tor Browser Bundle. Sometimes ease of use comes with a high price to pay, like when they didn't update the included version of Firefox, making it possible for the FBI to launch a malware attack against users of Tor Browser Bundle as part of Operation Onymous, which resulted in the closure of Silk Road 2.0 and the arrest of 17 people by police from 17 countries.
Evidently, and unfortunately, easy to use and maintain means easy for the adversary as well. Use Tor but stay away from TBB if you can. Flash and Java are your enemies, throw them out. JavaScript is a pain to lose but best to. If you are tired of being treated like a criminal by the gatekeepers of the world (for using Tor, something which alone is enough to put you on an NSA watchlist), then connect to a VPN *via* Tor, so the connection link becomes Tor->VPN, to keep the VPN provider unknowing of who (and what) you are.
Forget VPN protocols built into Windows and Mac OS X. PPTP is broken and no provider of it is to be taken seriously. OpenVPN (the protocol, not the provider) is your best shot, but I'll spare you a recommendation on cipher suites.
Bless