Tech Friend is our advice column covering cybersecurity, privacy, and everyday technology. Email your question to techfriend@expressvpn.com. If you have questions about your ExpressVPN subscription or need troubleshooting help, please contact Support.
I find it difficult to find a definitive answer on who can see what I’m doing online. If I have ExpressVPN on 24/7 and browse using DuckDuckGo or Brave, who can see what? What about governments?
If I use a VPN, overlay it with Tor, and use a messaging app like Signal, can anyone see or intercept anything, up to and including the FBI and NSA? I believe it’s no one… or am I incorrect? If so, what can be done?
Submitted by: Greg Albert
There are a number of privacy tools available to help you keep your online activity to yourself. But can they evade everyone—even governments?
“The full extent of government capabilities around the world, due to classified information housed within each government, will never be fully publicly known,” says Aaron Engel, chief information security officer at ExpressVPN. “You can take as many steps as possible to safeguard your privacy and protect yourself, but a true guarantee of privacy is not something you should ever expect.”
While the precautions you describe are very effective against known privacy threats, no one can guarantee that a government isn’t observing your activity.
We can only discuss who can see what within the context of known methods of monitoring. Let’s start with what can be seen by third parties without taking any precautions. Then we’ll look at the scenarios you describe.
If you take no security precautions…
Let’s say you don’t use a VPN for encryption and you use mainstream services for email, browsing, and entertainment. Here’s a list of how various entities could see your activity.
Internet service provider: Your ISP can see your online activity, including websites (domains) you visit, approximately how much time you spend on each site, the online apps you use, and your online habits. This is why they can throttle your connection if they detect that you are conducting high-bandwidth activities like streaming. Your connections to sites and services are established using DNS and SNI (TLS Server Name Indication), which are unencrypted by default, and thus visible to your ISP.
Most reputable websites these days use HTTPS encryption for web traffic, and most browsers support DoH (DNS over HTTPs) or DoT (DNS over TLS) to prevent each network hop (including your ISP) having visibility over the pages you request, which prevents your ISP from seeing the specific pages you’re visiting and any data you transmit to the sites. However, using DoH or DoT means you need to trust the entity providing DNS resolution (usually the browser vendor), as they may be able to see which sites you’re visiting.
Wi-Fi network operators: Wi-Fi admins could see the sites you’ve visited through router logs. They can do this by figuring out your IP address (the one the Wi-Fi access point assigns you on the local network) and seeing the DNS requests you’ve made and the responses you’ve received to determine what sites you’ve visited.
Big Tech companies, social media, browsers, websites: Companies like Google and Meta, including social media such as YouTube and Instagram, can record your actions on their platforms. It’s especially easy to track you if you’re signed in, but your IP address is another easy way to identify you and see your general location. Cookies also allow websites to track you across the internet to show you relevant ads.
Hackers: Man-in-the-middle and downgrade attacks, where attackers can trick your browser into connecting to the wrong endpoint or into reverting to the less secure HTTP, can allow hackers to monitor your activity. These attacks can occur over unsecured public Wi-Fi, or where a certificate’s private key has been compromised.
Governments: Governments can learn about your online activity by requesting data from ISPs, social media companies, search engines, and browser makers, or any other company that may have information about your online activity. Other methods include browser fingerprinting and installing spyware on your device—in other words, hacking.
VPN + privacy browser
Using ExpressVPN with the privacy-focused services DuckDuckGo (for search or as a browser) and/or Brave browser is a strong privacy combination that can be easily achieved by most people.
A high-quality VPN like ExpressVPN encrypts your traffic and replaces your IP address with a different one. For your browsing activity, both DuckDuckGo and Brave browsers claim not to track user activity or store user data. Both block trackers and third-party cookies. Brave also blocks browser fingerprinting, showing sites a random fingerprint instead. These are default settings; a user could turn these features off. And finally, you can use Tor through the Brave browser.
Using these services goes a long way to keep your activity more private from your ISP, websites, hackers, and more. Here’s what various third parties can see.
Internet service provider: With VPN encryption, ISPs can still see that you are transferring data and how much, but they can only see that it is going to a VPN server. They cannot see where it goes after that. Your actual browsing history is a mystery.
Wi-Fi network operators: Wi-Fi admins would only see that your device traffic was going to a VPN and nothing else.
Big Tech companies, social media, browsers, websites: If you go online while signed in to services (this applies to all apps), they will easily continue to record your activity on their sites, whether you are using a VPN and a privacy browser or not. If you aren’t signed in, then a VPN will keep you anonymous by hiding your IP and location from these services, and the privacy browsers will block cookies (with Brave blocking fingerprinting, too). It is possible for sites to know you are using a VPN but not any other information about your identity.
Hackers: A VPN’s encryption will stop common attacks like man-in-the-middle. However, it won’t stop social engineering attacks such as phishing, in which the user is fooled into giving away key information like passwords or clicking on a malicious link that can otherwise leave them vulnerable.
Governments: With a VPN and a browser like Brave, there is very little of your activity anyone can see. If a government wanted information on you, they might go to your ISP, and your ISP cannot see much beyond the times you are online.
Governments would be more likely to compromise your device to spy on you. With the Pegasus spyware case not too long ago, for instance, spyware being used by governments was revealed to be so sophisticated that a phone might be infected with Pegasus just by receiving a malicious message.
A government might also use the method of “store now, decrypt later” to spy on someone. While they wouldn’t be able to read the encrypted data today, there is the possibility that they could store that data for decryption at a later time, once technology advances enough for them to do so. This is why ExpressVPN now uses post-quantum cryptography to keep our users safe, in the face of this eventuality.
It’s worth noting that a VPN company can in theory see your traffic, instead of your ISP seeing it. This is why it’s important to choose a reputable VPN if privacy is a priority for you. ExpressVPN does not log your activity or VPN connections, and we can’t turn over any information about your activity that we don’t have—as shown in a real past example. Independent auditors have also extensively examined our privacy claims.
VPN + Tor + Signal
How private are your communications if you turn on a VPN, use Tor, then send messages with Signal?
Using Tor over VPN offers extra privacy protections by increasing your anonymity. Tor is usually set up only as a browser, which does not protect app traffic, but it is possible to set up Tor for your whole device.
However, using Signal alone, without VPN or Tor, should be enough to prevent anyone from reading your messages. Messages are end-to-end encrypted, meaning it’s impossible for anyone other than the sender and receiver to read the messages. Signal, perhaps the world’s most vocal supporter of E2E encryption, itself does not have access to the messages. If message data somehow gets hacked, the hacker would not be able to decrypt it for hundreds or thousands of years.
Importantly, Signal also doesn’t collect metadata about its users and doesn’t know their identities or anything about the interactions over its service—this is a key distinction that sets Signal apart from other messaging services like WhatsApp.
So no one can intercept your end-to-end encrypted messages. Even the FBI and NSA, you ask? For government agencies trying to spy on individuals, they would most likely compromise a device by installing spyware or by tricking the person into communicating with them at the other end. The person you are messaging could also have a compromised device or be cooperating with the government. By contrast, breaking end-to-end encryption seems less likely, although as mentioned above, the full capabilities of governments cannot be known.
The same goes for the use of Tor and the dark web. In many cases of government agencies busting criminals operating on secure platforms, it is simply a matter of a person revealing too much information to another human—not technical interception.
Read more: How to stay anonymous in online chats
But to answer your question, if you use a VPN, Tor, and Signal at the same time, your privacy risks are extremely low.
Risk mitigation vs. elimination
There’s no simple answer to this type of question, because there are so many risk factors at play.
It’s important to keep in mind that risk can only be mitigated, not eliminated. You can take measures to achieve a very high level of security, but nothing can guarantee total security. Even if your technical safeguards are strong, people still face the risks of phishing and other social engineering attacks. Having high security, however, could also serve as a deterrent to drive an attacker to look for an easier target.
Privacy should be a choice. Choose ExpressVPN.
30-day money-back guarantee
Take the first step to protect yourself online. Try ExpressVPN risk-free.
What is a VPN?
