VPNS- Safety in Crowds

I'm assuming that you're not in Hezbollah, or some gang which kidnaps bitcoin whales.1 For people who need extreme privacy like that, stop reading, I don't want to mislead you. I am writing this for people who have a low tolerance for hassle, and don't have lives that would crumble like a Cadbury's Flake, should their names and addresses become public.

You should use a VPN online for sure-- but which one? In this post, I make an argument that a good VPN might be one with the most users. Safety in crowds.

Before we start, keep in mind...

Choices about security are always relative to the thing being secured. That's why you don't bury your car keys in a locked box in the garden and dig it up every time you need the car.

What is a VPN and why use it?

A VPN keeps your actual whereabouts secret. I mean, if you are now in Arrowtown, New Zealand reading this, then anyone in your path on the Internet can see this. Without using a VPN, it's like you are walking around the mall with your home address on your t-shirt.

It's your location and your right to keep your location private whilst online that is the point of a VPN. A lot of VPN advertisements state that a VPN 'hides your activity online'. This is misleading. Your activity online is hidden as par for the course. You don't need a VPN for that. Heard of HTTPS?  HTTPS, the first part of most website addresses (i.e. https://), means that you and the website talk in private.2 Let me state that in bold.

Not even your VPN sees your fetishes the particular webpages you browse in the wee small hours.

Let's dally on this point. It's worth it, because the way that VPNs fit into the interlocking parts of the Internet is murky. I will use a simplified example.

The Bashful Playboy Purchaser

Chester wants to buy some vintage Playboy magazines. Honestly, I don't think there's anything to be ashamed about that-- indeed, nowadays it even has a touch of class to it-- but Chester is ashamed and wants to keep it hush-hush. So, he uses a VPN, Sky VPN to be exact, to connect to vintagenudiemags.com. There are 6 pieces of relevant information, which are able, in theory, to be gleaned from his traffic when he brings up vintagenudiemags.com in his webbrowser:

  1. "My real name is Chester Burke"
  2. "I live on Redwood Street, Adelaide, Australia."
  3. "Sky VPN is being used to send and recieve data online privately by someone at iiNet (ISP)."
  4. "I am contacting a website: vintagenudiemags.com."
  5. "I am looking at this issue of Playboy, and want to buy it."
  6. "Here are my delivery deets, and I'll pay with litecoin (LTC)."

The mix of a VPN and HTTPS means that no single party knows all six pieces of information. Here's what each party knows:

ISP VPN Website
Know's what? 1, 2, 3 3, 4 5, 6

Let's keep our focus on the VPNs. It is of heft to note:

A diagram of the steps in contacting a webserver selling vintage Playboy magazines, with the leftmost being a house with an inset of the user, Chester Burke, then the ISP switches, labelled iiNET, and then the VPN, and finally, on the far right, the website.

Collusion is happening

The VPN company is actually in ownership of very little data of heft. To make use of it, the VPN company needs to collude with one or both of the other parties. It needs spyware stelled4 at the ISP and/or the website, and, in the case of the ISP, also workers in on the plan.

How much of this collusion is really happening? We plebs don't know. It's best to take a middle ground here. For sure, why wouldn't there be some collusion? One billion people use VPNs. Do you think that all the governments haven't spent time working out how to beat this problem? On the other hand, one need not become paranoid. There are millions of webservers, and tens of thousands of employees working at ISPs and data centers. It would be costly and risky to compromize more than a tiny fraction. Collusion is ad hoc for the most part.

The Fishing Analogy

In my opinion, it's best to think of this like fishermen with a two-stage approach. There is a boat with a line, and some divers. You are a fish. The first stage is a long line of baited hooks. The stupidest fish take this bait. Then, a few divers with spearguns hunt the most prized fish nearby. As I wrote at the start, if you're one of the most prized fish, you are reading the wrong article. That leaves the stupidest fish. I'm getting to my point finally. To avoid being the stupidest fish...

  1. Use a VPN with a no-logs policy.
  2. Turn off your home router overnight, most nights.5
  3. Use either a small-time, cypherpunk VPN, or a very popular VPN.
  4. Pay for your VPN with cryptocurrency or a voucher, and don't use your real name to log in.

Small-time, cool VPNs

The punk-style VPN is a good choice, and one I prefer. All the same, there are downsides. A dozen servers and only five staff are a lot easier to compromize. A dwarf blueberry bush is a far more valuable target to a bird than an orchard of apple trees.

Popular VPNs

The most widely-used VPNs like Express VPN get a hard time. Scratch beneath the surface, and you'll find dodgy owners. I do not put it past companies which donate to the Israeli Defense Force (I.D.F.) to be running some kind of massive spy operation on all the VPN traffic.

Nevertheless, let's be realistic. There is a lot of traffic going through Express VPN. Do they route all that traffic to Israel? That would be hard to keep secret. I reckon that they have rules set up in other devices onsite.6 These rules would have trigger-events; for example, a connection from Southern Lebanon to Iran. Only worthwhile data would be forwarded on to a device which can log it.

Dress like a normie

Remember that the VPN company must collude to get useful information. Collusion across countries takes work and risk. Just by using one of the hipster VPNs, like Mullvad, you might put a sign on your back saying "I'm worth the work and risk." By using a normie VPN like Cyber Ghost, you will need to stand out in other ways to get noticed.

I'm saying that there's a good argument for being in the biggest crowd and blending in. If you don't behave in a blatantly suspicious way, like being all day, every day, on a gun-trading website, then, at very least, you are putting a high price on your doxing. You will be a random number among tens of thousands from your location. It's like being in a mall and wearing jeans and a Nike hoodie.

A Warning

All of this is helpful now, January 2026. Things are changing. Artificial Intelligence is bringing down the cost of gathering data on people. It doesn't change the principle: Blending in with a crowd is a smart move if you want to be private.

  1. A 'whale' is someone with a huge amount of a certain cryptocurrency, often gotten when it was cheap. (Return)
  2. HTTPS stands for 'Hyper-Text Transfer Protocol, Secured'. (Return)
  3. The VPN will see your city and country. The reason for this vagueness that the ISP cannot send each home connection directly to the Internet. It would be too expensive and a nightmare to fix. The ISP bundles up all the Internet connections at a couple of stages, and finally sends them to very expensive 'gateway routers'. The VPN cannot see beyond these gateway routers. (Return)
  4. to install (Return)
  5. This gives you a new IP address. Check this by going here. It thwarts being a low-hanging fruit, whereby a worker at an ISP, probably just before he or she resigns or gets fired, copies the log matching the IP addresses to the user identities, and then sells that list. In other words, if you use the same real IP address all the time, then that IP address and you are probably on some list on the Dark Web. Plus, you need to break up patterns as much as possible. If you don't get a new IP address by doing this, then your ISP has set you up with a 'static IP address'. You probably need a higher level of privacy-protection, but it's beyond the scope of this post. (Return)
  6. A firewall with Deep Stateful Packet Inspection (Return)

Back to the index of blog posts

Tags