A lot of VPNs are owned or connected to Israeli intelligence agencies or other assorted shell companies.
Mullvad is your best bet but VPNs don't make you private. In fact they should just be called Virtual LAN networks. Most of your traffic on the clearnet is encrypted already via HTTPS and VPNs only obfuscate your IP address from the website you're connecting to. A lot of the fuckery comes from the nonfree clientside JS code that is executed on a lot of websites that can track you as well as nonfree web browsers.
VPNs won't protect you against bad digital practices.
A much better approach to digital privacy is to make sure that your org can function entirely on free software that respects your freedoms. Example: instead of organizing via Discord, Social Media, etc. you can organize via XMPP or Matrix which can be deployed by your org if needed. Instead of creating documents via M$ Office or Google Docs you can use an office suite like LibreOffice and store everything locally and only share copies when needed. Instead of meeting over Zoom you can meet over Jitsi Meet.
This, in my opinion, is a far more impressive and worthwhile task than asking your members to pay for a VPN. It actually educates your org on good computing practices rather than security theatre that you'll have to pay into.
There's a big fucking reason why YouTubers can sponsor VPNs but no one seems to be aware of FOSS.
under most cases, they only have this data via DNS. it's encrypted once the actual https request is made - only the destination ip address is available at that point. so encrypting DNS and securing that is probably more important than the protection a VPN provides. if you use a VPN without some form of DNS encryption, you're trading one ISP you don't trust for a second you shouldn't trust but inappropriately are. DNS anonymization is an extra step you can and should take to ensure you're not trusting your DNS provider, either - it works by tunneling encrypted DNS requests through shared, public relays.
what you actually need a VPN for is to mask your ip address to the website you're visiting and to mask the ip address you're visiting from your ISP. these are important considerations but it's useless if you don't first protect DNS, ensure you can't be tracked via cookies/be fingerprinted, and ensure you're only connecting to websites over https.
VPNs are an important and useful tool but they're not the first or best tool for digital hygiene. you have to tackle each layer, one at a time. start at the top and work down the hierarchy.
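Added example, not part of any comment in this thread: a short Python sketch of why plaintext DNS is the leak described in the comment above. It builds a standard DNS query and then reads the hostname back out of the raw bytes, the way any device on the network path can. The flows, addresses and hostname are constructed for illustration, and the contents of the TLS handshake are not modelled.

```python
import struct

def build_query(hostname, qtype=1, txid=0x1234):
    """Build a plaintext DNS query (RFC 1035 wire format, as sent to UDP/53)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def names_in_query(payload):
    """Recover the queried hostnames from raw bytes, as any on-path device can."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated question")
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                raise ValueError("malformed label")
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

def observer_view(flow):
    """What the network path learns from one outbound flow."""
    view = {"dst_ip": flow["dst_ip"], "hostnames": []}
    if flow["dst_port"] == 53:  # plaintext DNS: the question is readable
        view["hostnames"] = names_in_query(flow["payload"])
    return view  # DoT (853) / DoH (443): payload is ciphertext, only the IP remains

# Constructed sample flows (documentation addresses, made-up hostname).
FLOWS = [
    {"dst_ip": "192.0.2.53", "dst_port": 53, "payload": build_query("chat.example.org")},
    {"dst_ip": "192.0.2.53", "dst_port": 853, "payload": b"\x17\x03\x03\x00\x20" + b"\x00" * 32},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dst_port"], observer_view(f))
```

The same query sent to the same resolver over port 853 leaves the observer with a destination IP and nothing else, which is the difference encrypted DNS makes before a VPN enters the picture.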
insert spiel about how VPNs are generally pretty overhyped as a privacy tool but if you're in US you want one that's not american owned, mullvad is swedish and does actually have very good protection policies for customer data. https://mullvad.net/de/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised
they got raided by swedish authorities and due to their no logging policy the data that was sought after simply didn't exist. you can also pay them in various anonymous ways including cash in a postal envelope lol. also it's only 5 euro
You're asking the wrong question. VPNs are cool and all, it won't really protect your communication, especially not from a government actor. A VPN can sort of trick a website into thinking you are at a different location and in some ways can mask what you are doing from your ISP. It won't protect you from the government.
What you want is GPG encryption of your communications. GPG can be used in 2 main ways, you can encrypt files/text or you can sign files/text. Each person has a private key and a public key. In the case where you encrypt a message, you would take the public key of the person that you want to receive the message to encrypt the message and then the encrypted message can only be decrypted by the recipient's private key. In the case where you sign a message, you use your private key to generate a "signature" string and then other people can take your public key and the signature to confirm that you wrote the message that you signed.
You can set this up with an email client like Thunderbird (equivalent to firefox).
ProtonVPN has a free subscription so maybe that would help less tech-savvy comrades dip their toes 🤷🏼‍♀️ it’s very limited, but might just be what gets them into online privacy. Good luck & be safe out there ☮️
Also read their blog post about supporting HK. They are a TAIWANESE company and Taiwanese companies do not do this. They do whatever they can to minimize controversy.
I suggest the high tech of a pencil and a piece of paper. The NSA can't read shit. If they want to spy on you, they have to pay some guy to do it, and that costs money.
If you mail stuff then they have to pay someone to tamper with your mail and it should be kind of easy to tell if that's happened. Use codes. I kinda wonder if the lemon juice thing still works.
Pack rice around packages extremely tightly using clear packaging (tape). Send a photo to the recipient. If it was opened, then the rice orientations won't match the image.
The online organizing way is to use a paid vpn to prevent local WiFi attacks and isp snooping, harden all devices and computers that will be used, only use encrypted communications and develop data security practices compatible with the possibility of being jammed up.
You gotta have real knowledge and awareness to pull this off as an individual, or a huge point of trust/failure in one person who does it for you.
If you do all that then the cops will just use metadata and inference to get warrants or just have someone infiltrate you or turn a trusted member.
The other way, the way the bolsheviks used, is to only organize in person and develop a no-trust framework for interacting with your community.
Then the cops will infiltrate or turn members but you have at least prepared for it and expect it.
IDK if we're at this level of need right now. But I want to start people on the path to doing these things as a habit.
I could see our org doing mutual aid to help undocumented immigrants hide, help women cross state lines for abortions, etc. in the near future. I want us to be ready to cover our tracks before we need to.
I’m saying this not to belittle or hurt you, but to make my point clear:
You are not capable of what you’re saying. It is not possible to safely include people in your group while doing what you’re saying.
If that sounds like too much of an assumption, if it sounds like I’m being hyperbolic, think of this completely not yanked from the local headlines amalgamation of cop activities in the surrounding handful of rural counties over the last year:
You’re doing something, an opponent shows up to agitate. There is violence, the police show up. Did everyone leave their phones at home? Does everyone’s phone have biometrics turned off? Is everyone trained to resist interrogation? Has everyone changed login credentials from data breaches? If their phones are Apple, do they have lockdown and advanced data protection turned on? Are they not carrying the recovery code on their person? If they’re using an Android phone, is it running a trustworthy non-manufacturer install? Are they capable of figuring out if an Android version is trustworthy? If they’re all in some trustworthy encrypted chat, are they treating it like there’s someone screenshotting?
A vpn wouldn’t help at all if any one of those things were wrong.
Just recently, a peaceful talk about Palestinian resistance was interrupted by Zionists and violence broke out. Are all your people 100% prepared even when it’s a seemingly friendly environment?
Don’t organize online. In person or bust. Don’t take computers with you unless they’re wiped clean except for the bare minimum that is needed to do the job they’re gonna be used for. A phone is a computer.