Hey guys n gurls, I was wondering if it is smart to disable my VPN connection for casual browsing.

Reasons: when having VPN constantly running it may be possible to track me via browser fingerprinting.

Szenario: the connection coming from the VPN which hypothetically downloaded a torrent, tries to watch capitalist propaganda while living in China, etc.pp has this screen ratio, this locale, this addons etc. And (more important) the YouTube login cookie we know belongs to this physical person/telephone number etc.

So I am wondering if I should only use the VPN when “needing” it (read articles not available in country, Netflix, read information government doesn’t like, things like that.) Or if I’m missing something here and I could obscure my causal day to day browsing as well without decreasing the security of the VPN.

For reference, the VPN doesn’t log anything (for more than a day) to my knowledge

EDIT: From what I understand from the comments: switching the VPN has little to no impact on widely used tracking and if at all makes it easier to corelate data. People emphasize the general lack of full privacy if you are wanted by entities willing to spend enough resources. But for the general need of privacy in normal usecases it makes more sense to just leave the VPN running.

  • telep@lemmy.ml
    link
    fedilink
    arrow-up
    31
    ·
    edit-2
    7 months ago

    tldr; no, if you trust your vpn more than your ISP always use it, as any hit to fingerprinting is menial.

    it really can’t hurt much to always be using it. any fingerprinting metric it would give is outweighed by the hiding of your IP behind the proxy. this is the #1 unique identifier that is tied back to people/locations.

    the other fingerprinting metrics also are still exposed anyway & could probably be linked back to “you” regardless of your IP changing if they wanted too.

    if you are worried about fingerprinting look into some projects like mullvad, librewolf, or even tor. clearing cookies on quit &/or having a separate browser for permenant logins/tokens to live in is also a good mitigation technique.

    • SomeLemmyUser@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      7
      ·
      7 months ago

      Thanks for the detailed response. I’m sure my IP is most relevant in tracking me, but if I’m tracked while visiting Lemmy/YouTube it would do no harm, while correlating my YouTube activity with my e.g. me reading websites the government doesn’t like would do harm.

      I use mullvad, and previously read using tor through a VPN doesn’t really make sense. I have Firefox set to not save cookies, but I have made an exception for YouTube as it is to troublesome to log in with 2fa all the time.

      My thought was that it may be easier to match up the fingerprint of @somelemmyuser accessing lemmy with the fingerprint of @somelemmyuser downloading capitalist propaganda while living in China if they come from the same VPN in a similar timeframe, while it would be harder to match the fingerprint of @somelemmyuser acsessing Lemmy from an normal ISP to the fingerprint of @somelemmyuser accsessing capitalist propaganda from a VPN, as you would need both datasets to find matches.

      And since me accessing Lemmy is not a problem but my lemmy account could be tracked back to me as a physical person, it could be smart to not do it with the same VPN.

      • telep@lemmy.ml
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        7 months ago

        ahhh I see what you mean.

        your thoughts on spacing out your connections & isolating is smart. unfortunately if you connect from the same device & browser any government agency or dedicated company with a big enough dataset (google, meta, etc.) would still be able to link you regardless of you IP by browser fingerprint alone. this does make YouTube more specifically being linked to your exact browser fingerprint porblamatic in a high stakes situation. As it, as you said is linked to your identity.

        for lower level tracking changing IP regularly is effective. however, instead of switching to your local IP it would be more privacy conscious to just switch to a different VPN server.

        unfortunately if you are genuinely worried about government level surveillance or the likes u enter into territory where VPNs often no longer cut it (or at least can’t truly be trusted too) as they are centralized & can be forced to make exceptions for law enforcement. traffic analysis is also easier, which makes time correlation deanonimization a more realistic risk when talking about government agencies specifically.

        the tor + vpn debate is one that lots of people argue & is excedingly complicated. tor is generally more than enough, unless you are wanted by INTERPOL haha. if you are genuinely worried about suppressive government or world powers targeting you look further into tor, & do not connect directly to your ISP at all as that data is essentially up for grabs to local authorities (depending on locale).

        for you specifically I would consider doing your more sensitive tasks in the tor browser without the VPN & then having your normal browser always on the VPN so they would be more difficult to correlate. anything torrent related is low enough stakes that I would imagine just about any proxy would suffice. hope this was helpful 🙏.

        • SomeLemmyUser@discuss.tchncs.deOP
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          It was, that was the kind of information I needed, as it helps to differentiate what kind/level of privacy I have and what kind/level of privacy different actors can circumvent etc.

          As I am mostly looking at not generating useful data for shitcompanies like amazon, google, Microsoft etc. The always onvpn and no cookies except YouTube should be more than sufficient. If my country decides that my political opinion is no longer permitted I should nevertheless be using Tor and check if I’m unique (fingerprint wise).

  • psmgx@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    edit-2
    7 months ago

    Timing attacks are a thing and behavior can be correlated by metadata and situational considerations, e.g. Bob only uses his VPN at night, and only for 21 minutes on average. Jane uses her VPN from roughly 830am to 515pm M-F. What do those patterns mean?

    But so long as it works and the costs are low, use the VPN constantly. And always check for leaks.

    • SomeLemmyUser@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      7 months ago

      Any suggestions about checking leaks etc? I have done this one check, but I’m not that deep in the matter to know if its enough.

      So you say to keep it running - any (technical) reasoning or just that you think my YouTube connection exiting the vpn and the connection to the website the government doesn’t like exiting the VPN can not be correlated that easy?

      • Em Adespoton@lemmy.ca
        link
        fedilink
        arrow-up
        6
        ·
        7 months ago

        If you use it for everything, when you use it ceases to be useful information for data gatherers.

        It’s why companies have data retention policies. That way they can’t be accused of intentionally destroying data to hide things, because they destroy ALL data like that.

  • bloodfart@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    7 months ago

    that’s not how it works.

    your vpn doesn’t do anything to mitigate broswer fingerprinting. websites use browser fingerprinting to identify a unique browser no matter the ip its connecting from. when i connect through mullvad’s french server, it identifies my browser just like when i connect through any other server.

    most of the time those sites even clock that i’m connecting through a vpn.

    a computer that is connected to some vpn and downloads a torrent while also visiting a website that fingerprints their browser will not have the two conflated unless the attacker can match traffic coming out of the vpn and traffic going into the computer.

    that information wouldn’t be useful to an attacker unless they also had access to the website that fingerprinted the browser and were part of the torrent swarm so they could actually say yes, browser 12345 and user 34567 downloading The_Mummy_CrAcK_DeNuVo.mp4 are the same person and they were at this ip that corresponds to this router at this physical location and when we confiscate their computer we can verify their browser has the fingerprint, open and shut case, book em’ dano.

    if you disconnect from your vpn intermittently it actually makes those checks easier because then the attacker can say “look, browser 12345 is coming from both the french mullvad node and from this little coffee shop in taipei! get em!”

    a single vpn proxy can’t protect you from a hypothetical hostile whole ass internet.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      7 months ago

      Personally I’d rather my ISP see more of my internet activity as I think they are less likely to be interested in using/selling as much of my data (or be compromised in some way) as a VPN company. But I could be wrong.

      • Monkey With A Shell@lemmy.socdojo.com
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        Shortly after the net neutrality rules where first revoked mine sent a message asking me to opt out of gathering data for sale, so defiantly not always the case. Not trusting some checkbox to prevent them from doing so in the future got everything that can be put through tunnels since.

    • TrickDacy@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago

      since your IP adress changes regulary,

      I’m missing where you are getting this information…?

      • You999
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        7 months ago

        In the US pretty much all our ISPs use dynamic IPs by default and charge extra for static IPs. The lease time on the dynamic IP varies dramatically from ISP to ISP.