this post was submitted on 19 Feb 2026
Privacy
A community for Lemmy users interested in privacy
if people are technically inclined, a service like Tailscale can be used to circumvent things like the online safety act, with the exit nodes.
or just roll your own vpn
Roll up your own vpn? Where the server is in your name? Or your home IP?
yeah, it’s not even close to being anonymous, but at least you will get out of the OSA bullshit
Just use your server to connect to Mullvad
Why not just connect directly?
No need for age verification to connect to your own server + mullvad obfuscating your identity afterwards
I don't understand. The proposed legislation would force ID verification for Mullvad users. You're still a Mullvad user, regardless of whether you connect through your VPS.
Mullvad also accepts anonymous cash payments, good luck with identifying me as a mullvad user with only an envelope, a target address, an account id which isn't tied to a name and 10 bucks in it.
The first hop would go from "my UK client machine" -> "my VPN server elsewhere" which would impede Mullvad from automatically recognizing you as a UK customer because that "server elsewhere" wouldn't have a UK IP address.
The second, Mullvad, hop would go from "my VPN server elsewhere" -> "some other IP maybe in yet another country"
As long as you didn't pay with a UK payment system (so, use a crypto currency or send them money in an envelope), due to that first hop Mullvad would have no way to know you are British and thus no legal obligation to treat you as such.
However a "my server elsewhere" also needs to be paid for. Further, all connections from that server would always be yours since you would be the single user of that server. Adding a Mullvad hop after that adds the anonymization of, for the rest of the Internet, your stuff being just one amongst many connections from many Mullvad clients coming from that server, plus Mullvad is probably much better at anonymizing stuff than a "random techie setting up their own VPN server on a VPS", plus if you pay Mullvad using an anonymous payment system, they themselves have no idea who you are if they were ever legally forced to disclose it.
That first hop gives Mullvad plausible deniability about serving a UK customer without ID, whilst the second hop gives you a stronger anonymity than you would get if your entrance point into the internet was a single-user server you owned or rented.
And you think VPSs would be omitted from this legislation?
VPS control is a much bigger Pandora's box to open than VPN control because there are way more VPS providers than VPN providers and there are constantly new ones popping up, plus there are millions of uses for a VPS which are wholly unrelated to VPNs.
How exactly would the UK Government enforce a law to "identify all VPN users just in case they're British ones trying to run a VPN server abroad" on tens of thousands of VPS providers worldwide whose business is just providing open-ended server infrastructure to anybody anywhere for any technological use?
Govts don't just not make legislation because they don't know how to enforce it. They make the law, and they figure out the enforcement later. VPS providers will comply because they don't give a single shit about your privacy and aren't going to take the risk.
The difference is that connecting to a VPS outside of UK legislation is a process which encompasses pretty much everything, from email to web browsing to whatever. The traffic is HTTPS encrypted and looks like any other legitimate traffic. What the VPS does afterwards is invisible to the UK Government. If the UK doesn't want to put up a Great Firewall that makes China blush, there is no way to prevent this, and legislation that cannot be enforced is dead law.
Also, this would be very disruptive for any business that isn't totally local, which is a pretty good incentive to not do this if they don't want to cripple their economy.
Judging by the way law enforcement against foreign sites sharing copyrighted materials has happened, it's either cooperating with the local authorities for taking down the servers or taking away the domain names - which for this law, which unlike copyright isn't an internationally agreed thing and for which there are zero international protocols in place, seems unlikely to get the required local authorities cooperation in most other countries - or by forcing local (in this case UK) ISPs to block access to the domains and/or IP addresses of the foreign servers breaking the law - which given how the larger VPN providers operate (basically, they have lots of VPN access points and often add more - for example Mullvad in 2025 had 667) will already be a game of whack-a-mole even without going after people setting up their own VPN in a VPS, and way more so if they do go after those since there are hundreds of thousands, maybe even millions of VPSs for rent out there because there are lots of VPS providers and each can spin up a very large number of virtual private servers, plus there are a lot of uses of VPSs in the UK which are perfectly legal so blocking the IP addresses of those can have a massive business impact and impact in the perceived reliability of the Internet in the UK for all manner of things.
I've already addressed your position on enforcement. If you have a rebuttal to that, please send it my way. Please do not reply to me to elaborate on why it can't be enforced.
I2P.
Essentially, what if the entire internet worked kinda like how torrents do, and was also anonymized and E2EE?
Well, it would be pretty slow, but it would also be extremely distributed and difficult to censor/disrupt.
Basically, everyone on I2P is a micro-relay for everyone else.
I2p has some flaws that make it potentially dangerous to use in a country targeting civil liberties.
Tor is a much better choice since it has better anti censorship and anti detection built in.
It should be noted that we are past the point of tor being able to provide true anonymity from nation state actors.
The threat vector for tor was always the exit nodes and now that we have the equipment to monitor it you ought to expect tor can also give you up.
Source?
The Tor foundation is constantly working to fight all sorts of attacks. Don't buy into misinformation as there are many organizations who stand to benefit from people not using Tor.
Even if Tor was vulnerable like you say, I'm not sure what else you would use. Not using Tor is worse than using Tor. It is in the interest of the nation states for you to not use it which is why you see them promoting the idea that Tor is insecure.
The source is “this is a known weakness of tor and always has been”, there have been a number of white papers and conference talks on this over the years.
When tor was developed it was known what the weakness was. Mitigation is possible, but you can not certainly say 100% that tor will anonymize you, unfortunately.
The exit nodes being the weakness in tor has always been known, any actor capable of monitoring and capturing enough traffic on exit nodes can correlate it, at that point you have to track it.
Tor alone can not protect you, but it is a pretty significant tool. You need defense in depth if you intend to protect your identity.
I think you are overestimating the threat model. Nothing is ever foolproof but Tor does make it extremely difficult to actually identify someone. You are talking about a hypothetical attack vs something that is actually feasible to pull off. Tor is designed so that there can be many compromised nodes without too much danger. Tor's popularity also makes it hard to track individuals since there is a lot of traffic.
In the context of bypassing a vpn restriction to watch porn or what have you … yes. You’re absolutely right. They aren’t looking for you.
Hard disagree.
What flaws are you talking about?
Also, we know that a major problem with TOR is that LE/Intel agencies run their own nodes, and if you bounce through enough of them, or you go through a honeypot exit node, they can deanonymize you, this has happened before, and it probably happens more than is publicly known.
That and if you run a node, and the US government finds out, and they don't like you, they will shut it down, raid you.
Meanwhile, the multi-stage packet encryption and relay method of I2P makes it much more difficult to decrypt a packet and then also figure out which parts of which packet are going to who.
You really should consider the fact that there are parties who have a vested interest in making people doubt Tor. Tor is the best option we have by far and is currently far superior to i2p. It is designed to keep anonymity even with compromised nodes. Doing a deanonymizing attack is extremely hard and costly and only has a small chance of actually succeeding and that's before the new crypto algorithm rolls out which makes this kind of attack pretty much impossible. Nothing is perfect but Tor does a pretty good job. It also has some of the most robust censorship resistance tools available and works in Russia and Iran. They solved the denial of service issue with a proof of work system a while back so performance wise Tor is now much better.
Meanwhile I2p still has issues with its design which the developers acknowledge on the website. This isn't meant to be hate against i2p but simply an analysis of the real world facts. I2p shouldn't be used anywhere where anonymity is critical as it is vulnerable to attack due to some outstanding issues with its design. Even outside of deanonymity, i2p still has issues with denial of service attacks and it doesn't have a simple solution for name resolution which is rather dangerous. I like it and the concept and run my own node but I wouldn't rely on it for survival. Building a p2p network is really really hard which is why Tor uses a more centralized approach.
If you want to look more into that, there's a company called Holepunch that's exploring a lot of that technology. But as a heads up they are funded by a crypto company.
I mean, I2P is a FOSS project, from its inception.
Frankly, I don't give a damn for any tech being developed by a private company of crypto bros, they're all corrupt liars, beyond the possible exception of monero, who seem to actually be competent at security/privacy/anonymity, unlike literally all other crypto.
Sure but, connected to where?
a VPS, preferably one you pay for with crypto. You use the exit node feature, and you will be VPN'd to another network.
Then you've not solved anything because that IP is still unique to you.
i never said it was private. I just said that it will get you around the OSA shit.
What's "OSA shit"?
online safety act
This. Tor is better.
TOR is great for privacy but obviously awful for daily use.
Why?
...have you ever used it?
Every day
Then why are you acting like you don't know?
You're saying I don't know why tor can't be used every day, though I use it every day.
Loads of people use it every day (millions, actually).
Why do you act like Tor can't be used every day?