What is I2P – An Idiot’s Introduction

Douglas Crawford

January 7, 2014

The Dark Web

VPN and Tor are two ways to stay anonymous and preserve your privacy when online. Each has its strengths and weaknesses, which we discuss in some detail in this article, but the bottom line is that Tor is extremely secure but very slow and unsuitable for P2P downloading, while VPN is less secure because it relies on trusting your VPN provider, but is much faster, is great for P2P downloading, and generally provides a better web browsing experience.

What both these technologies have in common is that they are primarily concerned with accessing the publicly indexed ‘visible’ (or ‘surface’) web. There is, however, another internet out there known as the Dark Web (or Dark net, Deep web etc.), which includes all the websites not indexed by search engines.

How big this Dark web is no-one really knows, although Mike Bergman, founder of BrightPlanet and credited with coining the phrase Deep Web, famously estimated back in 2001 that ‘the Deep Web is currently 400 to 550 times larger than the commonly defined world wide web’, an estimate that is still regularly cited today:

“The Deep Web is the fastest growing category of new information on the internet … The value of Deep Web content is immeasurable … Internet searches are searching only 0,03% … of the [total web] pages available.” (Michael K. Bergman).

Much of the so-called Dark web simply comprises private websites (some of which have taken active measures to avoid being listed by search engines), IRC chat forums, Usenet groups, and other perfectly legitimate web use. There also exist publicly accessible ‘darknets’, secure networks that can be accessed by the public, but which allow users a very high level of anonymity. The best known and most used of these are I2P and Freenet (we will discuss Tor in a moment).

Darknets have traditionally (and notoriously) been the preserve of pedophiles, terrorists, drug dealers, gangsters and other people and material that most right-headed internet users would want nothing to do with. However, increasing awareness of pervasive government surveillance (thank you Mr Snowden) and ever more draconian copyright enforcement measures are fueling a surge of public interest in an internet that is ‘off-grid’.

Tor as a Darknet

Tor sits in a slightly odd position, as it was designed primarily to access the visible internet anonymously. This however is one of its primary weaknesses, as there are a limited number of exit nodes, which makes it easy to block these exit nodes, to set up ‘honeypot’ exit nodes to monitor traffic (although the way in which the onion router works should still ensure that the end user remains anonymous), and to perform ‘end-to-end-timing’ attacks to uncover the identity of Tor users.

In response to this, Tor has developed its Hidden Services protocol, which allows Tor-only websites (.onion) and services to exist entirely within the Tor network, so that users do not have to access the visible web through potentially dangerous exit nodes at all. Tor Hidden Services therefore also acts as a Darkweb, and is by far the most popular such service.

However, because Tor was not originally designed as a Darknet, alternatives such as I2P and Freenet, which were designed from the ground-up as Darknets, offer distinct advantages.

What is I2P?

The Invisible Internet Project (I2P) is a decentralized anonymizing network built using Java on similar principles to Tor, but which was designed from the ground up as a self-contained darknet. As with Tor, users of I2P connect to each other using peer-to-peer encrypted tunnels, but there are some key technical differences:

  • Unlike Tor, which uses a centralized directory to manage the overall ‘view’ of the network, as well as gather and report statistics, I2P uses a distributed peer-to-peer model.
  • Unlike Tor Onion routing, I2P uses Garlic routing, which encrypts multiple messages together to make it more difficult for attackers to perform traffic analysis.
  • Unlike Tor, I2P tunnels are uni-directional, so incoming traffic and outgoing traffic are completely separate, which improves anonymity.
  • I2P uses packet switching instead of Tor’s circuit switching, which means transparent load balancing of messages across multiple peers, rather than a single path. Essentially, all peers participate in routing for others.
  • I2P uses its own API rather than SOCKS, which is used by Tor. This helps to make I2P more secure than Tor.

The end result is that, if using hidden services, I2P is much faster than Tor (it was designed with P2P downloading in mind), more secure, and more robust.
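The garlic routing and one-way tunnels listed above can be pictured with a toy model. This is an added example, not I2P's code or wire format: the HMAC-based cipher, the fixed 512-byte bundle, the pre-shared hop keys, the `Peer` class and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

BUNDLE_SIZE = 512  # constructed value: every garlic bundle is padded to this size


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR the data with an HMAC-SHA256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt then authenticate one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag, then strip exactly one layer."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed: wrong key or tampered layer")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)


def make_garlic(dest_key, cloves):
    """Bundle several messages ('cloves') into one padded, encrypted blob."""
    packed = json.dumps(cloves).encode()
    if len(packed) + 4 > BUNDLE_SIZE:
        raise ValueError("cloves do not fit in one bundle")
    framed = len(packed).to_bytes(4, "big") + packed
    framed += os.urandom(BUNDLE_SIZE - len(framed))  # padding hides the clove count
    return seal(dest_key, framed)


def open_garlic(dest_key, blob):
    framed = unseal(dest_key, blob)
    length = int.from_bytes(framed[:4], "big")
    return json.loads(framed[4:4 + length])


def wrap_for_tunnel(hop_keys, payload):
    """Add one layer per hop; the first hop's layer ends up outermost."""
    for key in reversed(hop_keys):
        payload = seal(key, payload)
    return payload


def relay(hop_keys, blob):
    """Each hop, in order, removes its own layer and forwards what is left."""
    for key in hop_keys:
        blob = unseal(key, blob)
    return blob


class Peer:
    """A router with separate one-way tunnels for outgoing and incoming traffic."""

    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)                           # end-to-end garlic key
        self.outbound = [os.urandom(32) for _ in range(2)]  # hops for sending only
        self.inbound = [os.urandom(32) for _ in range(2)]   # hops for receiving only


def send(sender, recipient, cloves):
    """Carry a garlic bundle over sender.outbound, then recipient.inbound.

    Simplification: one function applies and removes every layer; in a real
    network each hop would hold only its own key.
    Returns (delivered cloves, bytes on the wire, hop keys used).
    """
    path = sender.outbound + recipient.inbound
    wire = wrap_for_tunnel(path, make_garlic(recipient.key, cloves))
    return open_garlic(recipient.key, relay(path, wire)), len(wire), path


if __name__ == "__main__":
    alice, bob = Peer("alice"), Peer("bob")
    three = [{"body": "hi"}, {"body": "delivery ack"}, {"body": "status"}]
    got, size, forward = send(alice, bob, three)
    _, size_one, _ = send(alice, bob, [{"body": "hi"}])
    _, _, back = send(bob, alice, [{"body": "reply"}])
    print(got, size == size_one, set(forward).isdisjoint(back))
```

An observer on the wire sees the same number of bytes whether the bundle carries one message or three, and the reply travels over a set of hops that shares nothing with the forward path.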

Just as Tor is primarily a tool designed to anonymously access the visible web, but which can be used as a Darkweb, I2P is a Darkweb tool that can also be used to access the surface web anonymously through ‘Outproxies’ (which are equivalent to Tor Exit Nodes). I2P Outproxies suffer similar weaknesses to Tor Exit Nodes, however, and the fact that there are far fewer of them (as I2P has a much smaller user base) means that they are potentially more open to attack.

One thing to note is, as with VPN and Tor, I2P does not hide the fact that you are using the service, but does make it very hard to discover what you get up to when connected to it.

What can I do with I2P?

Still need I2P explained a little bit more? Don’t worry. I2P is effectively an internet within an internet, and once connected you can send email, browse websites, use blogging and forum software, host websites, take advantage of decentralized file storage, engage in anonymous real-time chat, and much more. As noted, you can also surf the open web anonymously, but I2P is probably not the best tool for the job in this regard.

VPN vs Tor vs I2P – Which should I use?

The simplest answer is that it depends on what you want to do. Fortunately, there is nothing stopping you using all three depending on the task at hand, which is the approach we would advocate.

  • VPN – for general internet use VPN is fast and easy to use, while providing a high degree of privacy. We firmly believe that people should use VPN all the time by default to prevent dragnet surveillance by the likes of the NSA. It is also ideal for P2P downloading.
  • Tor – if you need to interact with the outside world as anonymously as possible (for example you are a whistleblower wanting to contact a journalist) then Tor cannot be beaten (and a further layer of anonymity can be added by connecting to Tor through a VPN service). If you want to surf the internet anonymously for free then Tor is also good, but it can be frustratingly slow. Although Tor Hidden Services are not as secure or fast as I2P, their relative popularity can make them more fun, and may be important to website owners looking for visitors. It is also older, has more developers, and is better funded.
  • I2P – is technically the superior option if you want to access the Dark web, and is our tool of choice for this. Although not as popular as Tor Hidden Services, it is still very sociable (and much more so than rival Freenet), and is an excellent choice for P2P downloading. Like Tor, it is a good free option for accessing the visible web anonymously (and may be faster), but the limited number of Outproxies means that it is also much less anonymous when used in this way.

Check out our article on How to use I2P: An idiot’s guide, and look out for our upcoming article on Freenet.

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

49 responses to “What is I2P – An Idiot’s Introduction”

  1. Hi, this is Alexander. I am new to VPNs and other related network programming. I wish to provide secure, untraceable browsing to users by developing a VPN, but it seems not to be possible with a VPN. Can I use the i2p API in developing a VPN in Java? Please tell me…

    1. Hi Alexander,

      i2p is only really useful for accessing darkweb websites. It is written in Java, so you should be able to develop new uses for it in Java, but you will not be able to build a VPN with it, as such, as it’s just not what i2p is. Please be aware that for secure untraceable browsing of the regular internet you should use Tor.

    2. Thanks a lot, but how is i2p really untraceable, and how can I use it in developing a route for secure packets on a network?

      1. Hi Alexander,

        I am afraid that I am not a software developer. i2p is written in Java and is fully open source, so I suggest that you examine the code (available here) in order to determine if it can be developed in the way you wish.

  2. Thanks for amazing articles on TOR, Dark Web, VPN and other topics. This is a one step website for myriads of Browsing issues and solutions. I am still exploring the articles written by you. They are simple, user friendly and educative. I sincerely appreciate your time and effort in writing such wonderful write ups….

  3. Typical USA scope, generally JAP/Jondo is considered much more secure for anonymous comm than TOR. Daisying it under a good encrypted/no logs VPN seems as good as we can get in simple terms. Disabling all extensions in the browser, incl. SSL/TLS, java, flash etc, then using a 3rd level identity blocker such as which allows https/ssl connection which you’ve disabled (possible up to Firefox v.21) stops direct forced connection which some banks etc do to verify your real IP and PC is identified.

  4. It seems I can’t directly answer your last comment, so I’ll just keep going in this one.

    Thanks a lot for your answers, you helped me a lot. Just one more thing : since your ISP (and thus anyone who will ask him) knows when you’re using a VPN, is it really worth it to use an anonymous payment method like Bitcoin or prepaid credit cards to buy one ?

    1. Hi Roger,

      No problem! Well… to some extent. It adds an extra layer of privacy between yourself and your VPN provider, as your VPN provider does not know your real name or contact details. It does, however, know your real IP address. If it hands over this IP address to an adversary, then your ISP can use it to identify you.

  5. Hello !

    I didn’t know about I2P, thanks for the info. I’ll look further into that.
    There are a few things I still have trouble understanding after reading your article, I’d appreciate some clarification about these.
    First of all, you’re saying that using Tor Hidden Services prevents the user from relying on a potentially dangerous exit node, but since Tor itself has all its traffic based on the nodes the information goes through (and so the final exit node), it still needs an exit node at the end, right? So how is it secure?

    Also, you’re recommending to always use a no-log VPN while browsing the web. While it may seem like a good idea at first, using it on the same device for both activities that require your real name (like online banking) and anonymous stuff (and on the same device on top of it) may reveal who you really are and so the use of a VPN would be pointless. Or am I wrong?
    If I’m not, it would be a better solution to only use the VPN while surfing anonymously.

    1. Hi Roger,

      1. Nope. When accessing the open web with Tor, traffic must enter and leave the Tor network at some point. This point is the exit node, which encrypts incoming traffic and decrypts outgoing traffic. So it can “see” this traffic. A Tor Hidden Services site effectively acts as a Tor node. This means that traffic never needs to leave the Tor network, and remains encrypted at all times (encryption and decryption is performed solely on your desktop).

      2. I have seen this argument before, but must admit that I do really understand it. What would it reveal? Both your bank and your “anonymous stuff” will see that you use a certain VPN provider, but if your VPN provider keeps no logs, this should not be a problem. And anyway, the use of shared IPs makes it very difficult to determine who is responsible for what.

      If your VPN provider was lying about keeping no logs then it might be able to connect your real name (e.g. via online banking) and your “anonymous stuff”, except for the fact that your bank will always use HTTPS so your VPN provider cannot see what you do on its website (this is true of just about every website where you are asked to input personal information these days).

      It is worth stressing however, that your VPN provider will always know your real IP address anyway (unless you use VPN through Tor). And unless you use an anonymous payment method (such as properly mixed Bitcoins), your VPN will also know your real name via your payment method.

      1. I see, thanks for the clarification about Tor Hidden Services.

        I admit that the use of shared IPs must make things harder to link you to your anonymous activities online while using a no-logs VPN, but, assuming you’re using one that truly keeps none, whether your real name can be linked to anything will depend on if other users also use their IRL identities while browsing through the VPN. Sure, this is certainly the case, especially if you’re using a famous one, but the less users logging to real identities account there are, the more it is possible for someone to track you, especially by analyzing your browsing habits.

        You’re right, in the end, it’s all a matter of who to trust. Since it is nearly impossible to rely only on yourself in regard of Internet stuff, you have to trust someone.

        1. Hi Roger,

          Shared IPs make it very difficult, but not impossible to uncover the identity of a VPN user. Assuming that many users share the IP address, it would take very detailed (and lengthy) end-to-end timing analysis to link a real IP address with specific internet activity. But, at least in theory, it is possible. Note that this is a highly targeted attack, and that you must be of specific interest to a very determined adversary to become targeted in this way. If the adversary is law enforcement or similar, it is much easier to simply subpoena the VPN provider and require that it start keeping logs.

          I’m afraid that I don’t understand, however, why it matters if other users of the same IP address use their RL ids. Perhaps you could explain further? What does matter is the total number of people sharing that IP address at any given time (the more people sharing, the harder it is to identify an individual).

          Yes. VPNs require a degree of trust. Good VPNs make their business model from being trustworthy, but there are no guarantees. The beauty of Tor is that no trust is required, but the cost in internet usability is high (i.e. it is very slow, and many websites will refuse to work).

          1. So, basically, even if you’re using your VPN to do online banking, buy stuff and other things needing you to reveal who you are, even if you’re putting in your real name or address, all that will be revealed is that you’re using a VPN, which is something your ISP already knows. Correct?
            Considering that, my previous point, stating that it must be a better option to only send your web traffic through the VPN when you want to do some anonymous stuff is quite stupid, since the ISP will always know when you’re using your real IP and when you’re hiding behind a VPN. In that case, you’d better benefit from the use of a VPN (encryption, additional layer of security,…) at all time.

            When I was saying that the number of people using their real identity while browsing through a VPN may matter, I was thinking that if you were, hypothetically, the only one connecting to your bank account while using the VPN, all anonymous activities could be linked to you and only you. But I realized afterward that this is pretty stupid too. Assuming you’re using a famous no-logs VPN, there will theoretically be so many different users at the same time, that there’d be no proof that you’re the one who was doing this or that. The only things you would be linked to are these which involved you to use your real identity. Still right?

            If I understood the whole thing right, if you’re browsing through your VPN and torrenting with it at the same time, if your provider truly is no-logs, there’d be no way (besides e2e timing analysis, of course) to know that both your browser and your Bittorrent client are yours and hosted on the same device. Even if you’re using your real name while browsing at this moment.

            I pretty much just corrected myself in this post, if I understood your explanations right. If I’m still wrong about something, please tell me. But if I’m not, I guess the best thing to do is to always use your VPN while doing Internet-related stuff.

            As for Tor, I disagree. It does require a degree of trust too, since pretty much anybody can run an exit node, someone with the required knowledge could use one to monitor your traffic.
            That, plus the slow speed and the fact that Tor is blocked by some websites (or just unable to work probably) like you mentioned, makes it difficult to use on a daily basis.
            Still, this is a wonderful project. While I barely use it for the reasons listed above, I, at some point, was thinking about giving some of my bandwidth by hosting a Tor relay, but my ISP probably wouldn’t be happy if someone is using Tor to do some illegal stuff and have his traffic going out with my IP address. Because of that, I gave up the idea.

          2. Hi Roger,

            1. Correct (although your VPN provider could put everything together if it chose to (or is forced to)).

            2. Using a VPN all the time will make e2e timing attacks more difficult to perform, yes.

            3. Ignoring e2e attacks, that is correct. A highly targeted and detailed e2e analysis might be able to uncover your real IP, but this would be a very difficult and arduous task. If your identity is already known (or suspected), it would be easier to use e2e analysis as corroborating evidence (i.e. not sufficient to prove anything by itself, but in support of other evidence).

            4. Correct.

            5. FWIW, I use my VPN at all times.

            6. Before reaching a Tor exit node, your data is sent through at least 2 other Tor nodes, and encrypted each time. The Tor exit node can monitor your traffic, but cannot know where it originates from unless you give this away in your data somehow. As long as you only give away personally identifiable information to secure (HTTPS) websites (e.g. your bank), the Tor exit node operator has no way to connect your data to you.

    1. Hi Boo,

      Indeed, although you will also suffer the combined speed hit of using both networks (which are slow to start with).

  6. Hi Douglas, I wanted to get your input on two things. One, what’s your opinion of Cryptainer encryption software from Cypherix software? And what is the best Firefox extension for passwords, both for creating passwords, storage and use?
    Thank you

    1. Hi ralremr,

      That depends on what you are looking for. IMO VyprVPN provides the best technical performance, but is not so hot on privacy. AirVPN provides excellent privacy and performance, but is definitely aimed at techies (BolehVPN is in many ways similar, and is also an excellent choice, especially for users in Asia and Australia etc.) ExpressVPN strikes a good balance between performance, privacy, and user-friendliness…

    1. Hi ravinder,

      I no longer have I2P installed on my PC, but do not remember any particular when uninstalling it. Are you having problems using the standard Windows “Program and Features” uninstall procedure?

  7. Hi Douglas,

    Have you received a response from AirVPN, yet? Or, have you otherwise been able to ascertain any more information on whether or not 3rd parties (in the EU specifically) would be willing to provide information to national authorities?

    As a Systems Engineer, I created my own VPN using a “well known” Cloud service, and connect over that. From there, when I so choose, I can connect to TOR to browse anonymously and receive the double-benefit that you refer to in this article. Tonight’s challenge? Set up I2P, and connect to it over my VPN tunnel. 🙂

    And, for true anonymity, the old saying remains true: If you want something done right, do it yourself. Whether it be a VPN service, an alternative to Dropbox / Google Docs (BTSync), or your email (self-hosted email [1]), we should all be taking back control over our privacy. Self-hosted solutions are readily available as Free Open Source Software, and there are tons of tutorials on how to properly set them up, and configure them to protect one’s self. For the true over-achievers, you can also host your own TOR exit nodes on a Virtual Private Server (VPS), and disable logging so that there are no records to be ascertained with a warrant.

    One other suggestion for you and your readers is to use an Operating System that was intended for anonymity; TAILs was the “go to” for a long time, but a new solution (which I have yet to test, but looks quite promising) is Subgraph OS [2]: An operating system that was not only built with security in mind, but is extensible and intended to be as user-friendly as possible. Not many security solutions out there take into account usability, but this operating system sounds like it is doing a good job at covering both bases.

    1. Hi Anonymous,

      1. Oops… sorry. This slipped my mind,

      About Data Retention Directive transpositions in Member States, as well as any other law of course (with *maybe* exceptional exceptions in the field of civil contractual agreements, if any), our servers activity applicable law is the law of the country in which the server is physically located.

      The Data Retention Directive has been declared definitely invalid since its birth by the CJEU, so all of its transpositions are invalid as well:

      (The reason is infringement of fundamental rights, so any similar law will have to be checked carefully, because infringement of human rights is probably the most monstrous consequence a law can achieve.)

      About jurisdiction vs. applicable law in the field of data protection in the Information Society, please see:

      There is also a very wide jurisprudence that shows how the applicable law for a server located in a Member State territory is the law of the country in which the server is located.

      D.Lgs you cite and subsequent modifications are invalid due to the CJEU decision, but that’s irrelevant for the above “applicable law” reasons, because we have no VPN servers in Italy (and no web servers).
      Some EU Member States never implemented Data Retention or canceled it as unconstitutional years before the CJEU decision (Germany, Romania; Belgium, although for different reasons).

      Other EU countries have abrogated their data retention laws soon after the CJEU decision (the Netherlands, Austria, Bulgaria, Ireland etc. etc.) please see

      In UK the law scope does not seem to cover VPNs, but we’re not sure: the law is ambiguous.

      Any other non-complying legislation such as the one in UK (if it can be applied to our service) has no value for us, the CJEU has higher authority and we have more than enough resources to challenge any government up to the CJEU should any entity require us to perform activities breaking fundamental right according to the CJEU decision. We do not log, monitor or inspect clients traffic in any of our VPN servers.

      Basically, as far as I can gather, EU countries’ powers to monitor VPN connections have not really been put to the test…

      2. Self-hosted solutions are in general a good idea, but most people do not have the technical expertise or interest to implement them so good ready-made solutions still have great value. Look out, however, for more articles on self-hosting services. I will note that self-hosting VPN does not provide as much anonymity as using a good no-logs commercial service as the VPS address is directly traceable to the owner (unless, as you have done, further steps are taken to improve anonymity/privacy).

      3. Subgraph OS looks interesting and I will look into it further. Thanks for the tip!

    2. Anonymous,
      how do you create a VPN on a “well known” cloud server?

      And am I correct in assuming that all traffic can only be traced back to the cloud server?

      Were you able to achieve the I2p over the VPN? if so how?

      1. Hi Cyberzyme and Anonymous,

        Please be aware that running your own VPN on a cloud server is not as anonymous as using a privacy-oriented commercial VPN service. Not only do these services use shared IPs (many customers using the same IP address) to make it difficult to associate any internet activity with any individual user, but they are also set up with the aim of protecting users’ privacy. A cloud storage provider, on the other hand, will have no qualms at all about handing over your details to the authorities or closing your account when served with a DMCA notice…

  8. Yes. You got the point, if the VPN service provides access to the Internet (which is the case of AirVPN) it should, in my opinion, fall in the second of the four categories contemplated in the mentioned law, therefore obliged to keep all user data pertaining his internet access for up to two years.

    If, on the other side, the VPN doesn’t provide access to Internet, then they shouldn’t be obliged to keep those user data.

    That’s why VPN as service per se is in my opinion not mentioned.

    Please ask them and let me know.

    Of course we are just discussing about not being obliged to keep those data, not about being obliged of not keeping those data, which is what should really matter in terms of our privacy.

    As far as I know, this kind of protection, in Europe, is only available in Gibraltar.

    1. Hi Rosario,

      As a British Overseas Territory, I would not trust Gibraltar. For a lengthier (if a little old) discussion on this subject, please see Data retention, VPN logging and internet surveillance in Europe, but in general we usually consider Bulgaria, Luxemburg, Netherlands, Romania and Sweden good locations for VPN because the DRD (or local versions of it) have not been applied to VPN providers in those countries (as far as we can tell – deciphering often arcane, little discussed, and poorly worded laws that are usually only available or even discussed in the local language makes getting hold of hard facts a somewhat frustrating exercise). I will let you know what AirVPN’s reply is.

  9. Dear Douglas,

    The Italian law covering the matter is the “decreto legislativo n. 109” of May, 30th 2008.

    You can download it at the following link:

    At page 3, article 3, paragraph 1, subparagraph a.2, it states clearly that all data pertaining user access to Internet have to be monitored and kept for two years.

    Since their VPN provides access to Internet, indeed they keep your data.

    I agree with you, unless we have access to the device drivers of the baseband chips, we cannot be secure. But we can still do something, like using only open source community developed (and financed) code.

    As for trusting technology financed by the government, I have my doubts. I would rather use i2p instead.

    Please check more about textsecure and the other technology….

    1. Hi Rosario,

      Thank you for that link. As far as I can see, however, ‘page 3, article 3, paragraph 1, subparagraph a.2,’ relates to ‘Categories of Data to Be Retained by Telephone and Electronic Communications Operators’ and says ‘… electronic mail… and says, ‘the IP address used and the electronic mail address as well as any additional ID related to the sender’ . (Official English translation here).

      Scanning through the legislation, the most relevant phrases that I can find are:

      f. “user ID” shall mean a unique identifier allocated to persons when they subscribe to and/or register with an Internet access service or Internet communications service;
      g. “uniquely allocated IP (Internet protocol) address” shall mean the (IP) protocol address enabling direct identification of the subscriber and/or user performing communications on the public network. (Section 1 Definitions)


      5. The providers of publicly available electronic communications services that make available Internet access services (Internet Access Providers) shall ensure that IP addresses are available and allow unique identification by ninety days as from the date of entry into force of this decree. (Section 6 Transitional and Final provisions)

      Am I missing something (I may well be)? Nothing that I can see specifically includes VPN providers in the law (I do not think that VPN providers count as an ‘Internet access service or Internet communications service’, but I could be wrong). I shall contact AirVPN and see what they say.

      As for funding of projects, as long as they are community developed and open source, where the money comes from should not really matter.

      I will investigate TextSecure etc. further.

  10. Dear Douglas,

    Air VPN is provided by a company located in Italy.

    Italy, like almost all the countries in the European Union, is subject to a law that incorporated the EU/2006 directive (declared null in 2014) which obliges all the companies providing any sort of access to the Internet to keep detailed logs of their users for a minimum of six months up to two years.

    Therefore in some respects even worse than the Patriot Act.

    We may argue that a general VPN service doesn’t provide per se access to Internet. Can we say so about Air VPN?

    How easy is it for a US agency to access those logs?

    Extremely. US arrived in Italy in 1945 and never left.

    As for Tor/textsecure/redphone, did you know that they are financed by the US intelligence at the speed of several millions of USD per year?

    Check my blog on Facebook for the references ( or search about the investigation made by the journalist at Pando.

    To be clear Switzerland is subject to even more strict laws concerning telecommunication data retention, meaning they keep those records for longer.

    When you purchase a service look first where they are located and which laws apply in such countries, examining even their constitution if you can.

    I usually do so.

    Have a great day

    1. Hi Rosario,

      As I understand it, the EU Data Retention Directive is not applied to VPNs under Italian implementation of the law (which has now been declared unconstitutional by the European Court of Justice, although no EU country has taken much action on this front). As for the NSA, well… it is certain that the NSA has targeted Italian communications, and Italy is among the NSA’s ‘Fourteen Eyes’ spying partners. How far this means it can interfere with ordinary Italian services such as AirVPN, however, is difficult to tell, but AirVPN has always shown admirable dedication to users’ privacy.

      That Tor is partly funded by the US military is well-known, but this does not seem to make it easier for US intelligence services to compromise users (it’s all in the way it’s set up). I plan to investigate TextSecure and Redphone further, but I would consider manufacturers’ root access to all smart phones via the baseband processor to be a bigger worry (although as I currently understand it, these represent the most secure communications options currently available). They are open source, so can be checked for backdoors etc. Expect an article on this subject very soon…

  11. I signed up for a ProtonMail account, and am currently on the waiting list. I read your review and did some research on them. They seem like one of the few viable email service providers that account for privacy in a major way. Tutanota I haven’t looked into, however will check them out so I can compare the 2. Also, Douglas, is there any way to use Tor in Google Chrome/Firefox instead of the Tor Browser but with all the Tor functionality?


    1. Hi billy,

      Both ProtonMail and Tutanota have their advantages and weaknesses, and both are evolving new features all the time. The Chrome browser is fatally flawed when it comes to privacy, as it sends lots of information back to Google (Chromium is not immune to this either). The Tor Browser is basically Firefox with all the security settings maxed out, plus HTTPS Everywhere and NoScript pre-installed, and Disconnect used as the default search engine. The Tor Browser is now the only recommended way of using Tor (past versions of Tor could be used separately from the browser, but this setup has been dropped for security reasons).

      1. Hi Douglas thanks for reply!!

        You noted in one of your earlier replies that you use a number of browser plugins such as (HTTPS Everywhere, Self-Destructing Cookies, uBlock, BetterPrivacy, Privacy Badger). How do you use them in Tor, Chrome or Firefox?

          1. Hi billy,

            Admittedly I do. The system Firefox used to use for syncing bookmarks etc. was much more secure (end-to-end), but it confused too many users (who could also not retrieve their passwords once lost). The new system (very similar to the Chrome system, with bookmarks stored on a server with a retrievable password) is much less secure, but is so damn useful that I am guilty of using it (it is up to each individual to assess their threat model, and the extent to which they are willing to sacrifice functionality for security).

  12. Hi Douglas

    Just to say as I’m becoming more and more accustomed with Internet security, your articles have been great help in unveiling this analog blanket from my digital eyes!

    How would you use all 3 to further security/anonymity? And what methods do you use to obscure your identity online?


    1. Hi billy,

      Thanks! By ‘all 3’ do you mean VPN, Tor and I2P? If so, VPN over Tor provides a very high degree of anonymity when online (although this will slow down your internet connection considerably). I am not aware of a way to combine I2P with the others. I personally use AirVPN at all times, plus a number of browser plugins to prevent cross-site tracking etc. (HTTPS Everywhere, Self-Destructing Cookies, uBlock, BetterPrivacy, Privacy Badger). If I could convince more friends and family to get on board I would also use TextSecure (Signal for iOS devices) and Redphone for secure communications. I am currently planning to migrate my email to either ProtonMail or Tutanota (I am still testing both services).

  13. I concur that I2P is way slower. But I am not sure that I have configured it correctly or something. Anyway I couldn’t figure it out as I was having a hard time with my stupidity itself.

    1. Hi n30,

      I2P can definitely be quite intimidating and user-unfriendly. Have you read Part 2 of this article, where I try to cover the basics of getting up and running with it?

    1. Hi defcon,

      I would not normally reply to such a rude post, but as you may have a point relevant to our readers, I will make an exception this time. I have done some research, but can find nothing on a 20-50kb/s limit due to the streaming library, so if you would care to explain and/or provide some references, I would be grateful.

      1. Hi Douglas,

        I just thought I’d address this little post for your readers’ benefit (since it’s the first comment to appear), so that nobody ends up confused by defcon’s rude comment:
        I2P is *NOT* limited to a mere 20-50 kb/s, and most certainly is faster than Tor. The reason he and countless others mistakenly think that it is, is because 20-50 kb/s is the default bandwidth speed I2P is set to when you install it, to avoid being set too high for those with low monthly bandwidth limits or speed.
        Upon installation of I2P, the user is supposed to open any browser and access their router control panel – where I2P configuration options now show – and manually adjust the bandwidth limit to line-up with your default set-up.

          1. Source (clearnet):
            Source (i2p): http://echelon.i2p/i2p/i2pspeed.txt

            As most traffic on I2P (www, torrent,…) needs ack packages until new data is sent, it needs to wait until an ack package returns from the server.
            In the end: send data, wait for ack, send more data, wait for ack,..
            As the RTT (RoundTripTime) adds up from the latency of each individual I2P node and each connection on this roundtrip, it usually takes 1-3 seconds until an ack package comes back to the client.
            With some internals of TCP and I2P transport, a data package has a limited size and cannot be as large as we want it to be.
            Together these conditions set a limit of max bandwidth per tunnel of 20-50 kbyte/sec.
            But if ONLY ONE hop in the tunnel has only 5 kb/sec bandwidth to spend, the whole tunnel is limited to 5 kb/sec, independent of the
            latency and other limitations.
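
The per-tunnel ceiling described in the quoted source above (send data, wait for the ack, and never faster than the slowest hop) can be modelled directly. This is an added example, not part of the original comments or of I2P's code; the window size, hop latencies and hop bandwidths are constructed values, and `simulate_transfer` and `ceiling` are hypothetical names.

```python
# Added illustration. All numbers are constructed, not measured I2P values.

def ceiling(hop_latency_s, hop_bandwidth_Bps, window_bytes):
    """Upper bound in bytes/sec: one window per round trip, capped by the slowest hop."""
    return min(window_bytes / sum(hop_latency_s), min(hop_bandwidth_Bps))

def simulate_transfer(hop_latency_s, hop_bandwidth_Bps, window_bytes, total_bytes):
    """Effective bytes/sec for a sender that sends one window, then waits for the ack.

    hop_latency_s:     latency of every hop on the full round trip (data out, ack back)
    hop_bandwidth_Bps: bytes/sec each of those hops is willing to relay
    """
    if not hop_latency_s or len(hop_latency_s) != len(hop_bandwidth_Bps):
        raise ValueError("need one latency and one bandwidth per hop")
    if window_bytes <= 0 or total_bytes <= 0 or min(hop_bandwidth_Bps) <= 0:
        raise ValueError("sizes and bandwidths must be positive")
    rtt = sum(hop_latency_s)             # RTT adds up from every hop on the round trip
    bottleneck = min(hop_bandwidth_Bps)  # one slow hop limits the whole tunnel
    elapsed, sent = 0.0, 0
    while sent < total_bytes:
        burst = min(window_bytes, total_bytes - sent)
        elapsed += burst / bottleneck    # push the burst through the slowest hop
        elapsed += rtt                   # then sit idle until the ack returns
        sent += burst
    return total_bytes / elapsed

# Constructed scenario: 8 hops on the round trip, 0.25 s each, so RTT = 2 s.
LATENCIES = [0.25] * 8
FAST_HOPS = [1_000_000] * 8              # every hop relays 1 MB/s
ONE_SLOW_HOP = [1_000_000] * 7 + [5_000] # a single hop offers only 5 kB/s
WINDOW = 64_000                          # assumed bytes in flight per round trip
PAYLOAD = 640_000                        # ten full windows

if __name__ == "__main__":
    for name, hops in (("fast hops", FAST_HOPS), ("one slow hop", ONE_SLOW_HOP)):
        rate = simulate_transfer(LATENCIES, hops, WINDOW, PAYLOAD)
        cap = ceiling(LATENCIES, hops, WINDOW)
        print(f"{name}: {rate / 1000:.1f} kB/s (ceiling {cap / 1000:.1f} kB/s)")
```

With fast hops the transfer is bound by the round-trip time and lands inside the quoted 20-50 kbyte/sec range; with one 5 kB/s hop the tunnel stays below 5 kB/s no matter how fast the other hops are.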
