The hard part of privacy is not picking the right tool. It is combining several tools without the combination producing a signature that correlates back to you. This is the operational-privacy problem.
What correlation looks like
Every privacy tool reduces one type of leak and leaves others intact. The leaks usually fall into these layers:
- Network layer. Who saw the packets — your ISP, the destination service, anyone in between.
- Account layer. Which identifiers (email, phone, cookie, username) link sessions to a persistent profile.
- Payment layer. Who paid whom, when, in what amount, through what processor.
- Content layer. What the messages, posts, and queries themselves reveal — writing style, time of day, technical interests, language idiom, language-model fingerprints.
- Timing layer. When activity happens, and whether it correlates across accounts that should be unlinked.
- Hardware layer. Device fingerprint, MAC, IMEI, fonts list, screen size, GPU.
A user is “private” relative to an adversary when none of these layers reveal them. Most users fix one or two and leave the rest, which means they have a particular kind of privacy that often is not the kind they think they have.
The Mullvad example
You pay Mullvad with a credit card in your name. You use Mullvad from your home Wi-Fi. The Mullvad account is a randomly-generated number — Mullvad does not know who you are.
This is fine for some threat models. Mullvad will not testify that you visited a specific site, because Mullvad genuinely does not have that data. The outcome of the 2023 Swedish police search bears this out.
It is not fine for other threat models. The card processor knows you bought from Mullvad. Your ISP knows you connect to Mullvad’s IPs at certain times. The destination service knows it received connections from Mullvad’s exit IPs. With those three data points and a court order, an investigator can correlate “this user paid Mullvad” with “Mullvad’s exit IP visited my site at 14:32” — even though Mullvad itself can produce nothing.
The fix is not to use a different VPN; it is to break the payment-layer correlation (pay Mullvad in cash or in a coinjoined-then-converted way) or to break the network-layer correlation (run Tor over the Mullvad tunnel, or use Mullvad Browser without the VPN as a deliberate fingerprint-uniformity strategy).
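The three-way join described above, as an added example that is not part of the directory's article: constructed records for the card processor, the ISP and the destination service (documentation IP ranges, made-up names), a naive join across them, and the two ways the article says to break it.

```python
from datetime import datetime, timedelta

# Constructed sample records; each party holds only its own slice.
VPN_IPS = {"192.0.2.10", "192.0.2.11"}   # VPN provider's published relay/exit IPs
TOR_EXIT = "198.51.100.7"                # not a VPN IP: what the destination sees via Tor

CARD_RECORDS = [("alice", "mullvad"), ("bob", "spotify")]     # card processor's view
ISP_FLOWS = [                                                # ISP's view: who tunnels where, when
    ("alice", "192.0.2.10", datetime(2024, 5, 1, 14, 30)),
    ("dave", "192.0.2.10", datetime(2024, 5, 1, 14, 31)),    # also tunnels, but paid cash
    ("carol", "203.0.113.9", datetime(2024, 5, 1, 14, 31)),  # unrelated traffic
]
DEST_LOG = [("192.0.2.11", datetime(2024, 5, 1, 14, 32))]    # destination's view: exit IP + time


def network_candidates(flows, dest_log, vpn_ips=VPN_IPS, window=timedelta(minutes=5)):
    """Subscribers whose tunnel to a VPN IP overlaps a VPN-sourced hit at the destination."""
    hits = [t for ip, t in dest_log if ip in vpn_ips]
    return {sub for sub, ip, start in flows
            if ip in vpn_ips and any(abs(t - start) <= window for t in hits)}


def linked_identities(card, flows, dest_log, vpn_ips=VPN_IPS):
    """Three-layer correlation: network candidates narrowed by who paid the VPN provider."""
    payers = {holder for holder, merchant in card if merchant == "mullvad"}
    return network_candidates(flows, dest_log, vpn_ips) & payers


if __name__ == "__main__":
    print(linked_identities(CARD_RECORDS, ISP_FLOWS, DEST_LOG))    # {'alice'}
    cash_only = [r for r in CARD_RECORDS if r[0] != "alice"]       # payment layer broken
    print(linked_identities(cash_only, ISP_FLOWS, DEST_LOG))       # set()
    via_tor = [(TOR_EXIT, t) for _, t in DEST_LOG]                 # network layer broken
    print(linked_identities(CARD_RECORDS, ISP_FLOWS, via_tor))     # set()
```

Note that the ISP and destination logs alone still leave a candidate set (everyone tunnelling at that minute); the payment record is what collapses it to one name.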
Picking your threat model
The right starting question is: against which adversary, defending which property?
- Mass-surveillance adversary, defending against being in a default dataset. Mainstream privacy posture is sufficient: privacy-respecting search, no-account VPN, no-KYC email. You don’t need to hide from a specific actor; you need to not be the path of least resistance for a generic pull.
- Targeted adversary with subpoena power, defending content. End-to-end encryption (Signal, SimpleX, PGP). Operator-side compelled disclosure is the threat; encrypt so the operator has nothing to compel.
- Targeted adversary with subpoena power, defending metadata. Add Tor to the above. The operator should not see who you talk to or when.
- Network adversary, defending identity. Tor Browser is the tool. Pay attention to fingerprinting; do not log into real-name accounts in the same browser session.
- Local-network adversary, defending what you do. VPN is sufficient. The threat is your employer or your coffee-shop Wi-Fi, not the destination service.
Putting a high-end tool (Tor + privacy coin + cash-only-payment) against a low-end threat (your ISP showing you ads) costs operational discipline you won’t sustain. Putting a low-end tool (DDG search) against a high-end threat (a state adversary that wants to identify a specific account holder) does not buy you what you think.
The compartmentalization model
The most useful frame for combining tools is personas. A persona is a named context with strict rules.
- Identity persona. Real name, primary email, bank account, social media. You don’t try to hide here. The rule is “everything that is supposed to be public goes here.”
- Privacy persona. No real name, separate email, separate wallet, separate browser profile (or separate machine). The rule is “no overlap with the identity persona, ever.”
Two personas is hard. Three (privacy + work + research) is harder. The failure mode of bad compartmentalization is worse than no compartmentalization, because if you mix them up you produce a Rosetta stone that correlates one to the other.
The classic mistake: logging into the privacy persona’s Reddit account from the same browser profile as the identity persona’s Gmail. Reddit doesn’t see the Gmail login; Google doesn’t see the Reddit login; but the browser cookie set, the autofill suggestions, the bookmark list, and the tab history all tie them together if anyone gets a forensic look at the machine.
Practical compartmentalization patterns
- Browser profiles. Firefox containers, Chromium profiles, or separate browsers entirely. The cheapest layer; works for most threat models.
- Separate VMs. Whonix, Qubes OS, or just two VirtualBox VMs. Stronger separation; better for cross-account correlation resistance.
- Separate machines. A second laptop, used only for the privacy persona. Strongest separation; highest cost.
- Separate networks. Different Wi-Fi, or VPN-on-one-machine, Tor-on-another. Useful when network-layer correlation is part of the threat.
Most users don’t need separate machines. Most users need one good browser-profile habit and one good wallet habit. The marginal returns from heavier compartmentalization drop fast.
Timing and rhythm
A subtle correlation pattern. Two accounts that should be unlinked, both active 09:00–17:00 in the same time zone, both quiet at 12:30, both quiet on certain weekends — that pattern is more identifying than people expect. The mitigation is awareness: don’t post on the privacy persona right after posting on the identity persona, and don’t run both on the same schedule.
For most users this is overkill. For users whose threat model includes pattern-analysis, it is a real consideration.
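A self-check for the rhythm problem, added here and not taken from the directory: it scores how similar two personas' posting schedules are (weekday-by-hour bins, cosine similarity) and counts cross-persona posts that land within minutes of each other. All timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import sqrt


def rhythm_profile(timestamps):
    """Activity histogram over (weekday, hour) bins, scaled to a unit vector."""
    counts = Counter((t.weekday(), t.hour) for t in timestamps)
    norm = sqrt(sum(c * c for c in counts.values())) or 1.0
    return {k: v / norm for k, v in counts.items()}


def rhythm_similarity(a, b):
    """Cosine similarity of two rhythms: 0 = never active in the same bins, 1 = identical."""
    pa, pb = rhythm_profile(a), rhythm_profile(b)
    return sum(pa[k] * pb.get(k, 0.0) for k in pa)


def near_coincidences(a, b, gap=timedelta(minutes=10)):
    """Cross-persona post pairs closer than `gap`: the 'posted right after' tell."""
    return sum(1 for ta in a for tb in b if abs(ta - tb) <= gap)


def _posts(days, hours, minute=0):
    # Constructed sample: one post per (day, hour), starting Monday 2024-06-03.
    return [datetime(2024, 6, 3 + d, h, minute) for d in days for h in hours]


IDENTITY = _posts(range(5), (9, 11, 14, 16))                 # real-name account, office hours
PRIVACY_SAME_RHYTHM = _posts(range(5), (9, 11, 14, 16), 5)   # privacy persona, same schedule
PRIVACY_SHIFTED = _posts(range(5), (21, 23))                 # privacy persona, evenings only

if __name__ == "__main__":
    for label, persona in (("same rhythm", PRIVACY_SAME_RHYTHM), ("shifted", PRIVACY_SHIFTED)):
        print(label, round(rhythm_similarity(IDENTITY, persona), 2),
              near_coincidences(IDENTITY, persona))
```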
Tool combinations that work
A few combinations the directory’s users have settled into over time:
- “I just don’t want my ISP to see”: Mullvad VPN + Firefox + uBlock Origin + DDG. No-account, low-friction, sufficient against mass-collection adversaries.
- “I want to communicate without a phone number”: SimpleX or Session. Both ends decide their threat model independently.
- “I want to swap BTC to XMR without showing up on a CEX history”: Trocador (no-account) into Cake Wallet or Feather. Churn the XMR. Stop there if non-correlation is the goal.
- “I want a hosted blog without my name on it”: Njalla domain, anonymous host, paid in crypto from a wallet that has never touched a KYC venue. The bottleneck is the wallet history, not the host.
- “I want an email address with nothing tied to my identity”: Posteo (cash-by-mail) or Tuta (anon signup). Use only over Tor. Don’t link from your real social.
These are not perfect. They are consistent with the threat model implied by the situation, which is usually the right thing to aim for.
What to skip
A few things people spend operational discipline on without much payoff:
- Multiple privacy coins for the same flow. Picking between XMR and ZEC matters less than not correlating any of it to a KYC venue. Pick one and use it.
- Heavy browser hardening on a real-name machine. If the threat is the destination service, your account at the destination service ties everything together no matter how hardened the browser is. Hardened browsing without account hygiene is empty calories.
- Tor-everywhere. Tor is the right tool when the network adversary matters. For accounts that are tied to a real-name identity anyway, Tor adds friction without privacy.
The honest summary
Operational privacy is mostly a matter of two things: picking the right adversary to defend against (most users overshoot) and not breaking compartmentalization (most users undershoot). The tools matter less than the discipline of using them consistently.
The directory’s job is to make the tools easy to find and to describe what each one does. The combination is yours.
See also
- Mullvad VPN, Tor Browser, SimpleX Chat, Monero, Njalla — the tools most often combined in this article.
- Methodology — how each entry is structured to support this kind of comparison.