My hot take on internet "Privacy"
Internet privacy it is a farce and companies are using the fear for profit. In reality the only thing you can do is decide in which company do you trust.
First thing you choose is the ISP, we all know that they are all scummy and get caught every year selling information, throttling services, lying, etc.
Then, if you want to be safe from your ISP you have to get a VPN and it is the same old story again. Even if you manage to never send or receive a bit outside the VPN you have to trust they are not loging everything and selling it.
It is a never ending story, because after that you have to trust the OS, the hardware manufacturers of each piece of your phone/pc, the modem, the router, the apps, and if you are talking with someone make it double because you have to trust all the same things from the one receiving the message.
People talks about huawei spying for the CPP like if things like PRISM doesn't exist. Every country has some kind of mass surveillance program and there is nothing we can do about it. If I were american I would prefer being spy by the Chinese that can't get me extradited.
What you feel is not new, see the well-known paper Reflections on Trusting Trust.
There is an aspect of picking who you "trust", but not always. The VPN example is a good one because visiting a site over an ISP versus over a VPN literally shifts who sees you visiting the IP in question.
However, a VPN likely is not in the same country as you, so it can shift the jurisdictions; if your government wants to know what you're doing, they can no longer just ask your ISP, their ISP will just tell them "you have to ask RussianVPN". And when they ask RussianVPN, those guys may very well have not just the means but also an incentive to tell them to go fuck themselves.
But then again:
If the chinese really wants you, I doubt they'll care about legal means of getting you there. The chinese have a lot of influence over most of the world, and they have a lot of power. Maybe a better way to ask the question is, "do you prefer pissing off your government, or pissing off the chinese government?".
What you're saying though is very true, and is pretty much why great security follows two golden rules:
Amazing paper! My post is just the rambling of someone who has been using internet for a long time.
Regarding the VPN you are right about that, it can make the things more complicated for someone who wants your data. It becomes something like the problem of the lock and the bike, you can always get a stronger lock but maybe cost more than the bike itself and for the thief would depend on the skill and how much want to get that bike.
Finally, of course if the goverment of any country really want you, they will get you, but again that excludes almost all the population. What an average person could do to reach that level of interest? I don't know.
What I was trying to say is that people talk like the Chinese government is the only one spying when we know that everyone is doing it.
My hot-response...
The status quo did not just materialize overnight. Today's Internet is the result of 30+ years of people, both willingly and unwittingly, surrendering their online privacy and autonomy in exchange for baubles, until year-after-year, layer-upon-layer, protocol on protocol, govt and industry and infrastructure has been built to facilitate a world where people no longer even own their own devices.
And people have been saying they value privacy, but never enough to spend a dime for it, nor inconvenience themselves, nor learn how to navigate w/o Google maps, nor stay in touch with friends w/o Facebook ...
When 99% of the Internet just pays lip-service to privacy, you get what we have today.
And for the record, online privacy does still exist, and is still possible. But every year it gets harder, and requires more technical skill and know-how.
I was just about to post the story below as its own topic, but it folds neatly into discussion of the delusion of Internet privacy:
The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool
If:
The ideals of David Brin's The Transparent Society notwithstanding, when governments and private companies have all the power, we're effectively screwed. This is true even when we have some access to cryptographic measures, can record with cellphones or other means, and can disseminate evidence of the worst outcomes. Our protests have insufficient impact and are increasingly suppressed. The information we're permitted access to has been so constricted and contaminated that we don't know where to look to begin solving the problems effectively.
It's increasingly difficult for me to see ways out of this situation that don't involve mass immiseration and violence.
Theoretically there are anonymizing services like Tor. Some say Tor is now compromised because all off-ramps are run by the FBI, but even if that particular service isn't trustworthy at this time, the concept is sound and could be implemented by default in something like the Internet protocol if there were a will to do so. I would say, don't give up hope. Things look bleak at the moment, but they I think they will improve as time goes on.
If you don't use a VPN, actually the only thing that ISPs can see is what domains you are visiting. They can't see any of your traffic if you're going to a site that supports SSL (which is practically all of them).
Mass surveillance programs don't just show up. We can exercise political power and dismantle such programs in our own countries, and cause our governments to demand the dismantling of other governments' programs.
But you're right that no amount of threat modeling and VPNs and encryption can really substitute for functional democracy.
This is in part why I actually trust the privacy claims of US companies more than those based in many foreign countries.
There is no such thing as absolute trust, at some point, you have to take someone at their word. In the US, if it turns out that Apple or Cloudflare are flat out lying about what they do with my data, it exposes them to class-action lawsuits that they would have trouble defending, not to mention the enormous amount of damage that would be done to their brand. These tiny VPN companies based in small nations can just close up shop and start under a new name when they get found out.
Related post: The age of privacy nihilism is here