Tech Friend: Can the government see my online activity?


Tech Friend is our advice column covering cybersecurity, privacy, and everyday technology. Email your question to techfriend@expressvpn.com. If you have questions about your ExpressVPN subscription or need troubleshooting help, please contact Support.


I find it difficult to find a definitive answer on who can see what I’m doing online. If I have ExpressVPN on 24/7 and browse using DuckDuckGo or Brave, who can see what? What about governments? 

If I use a VPN, overlay it with Tor, and use a messaging app like Signal, can anyone see or intercept anything, up to and including the FBI and NSA? I believe it’s no one… or am I incorrect? If so, what can be done?

Submitted by: Greg Albert

Numerous privacy tools exist to help you keep your online activity to yourself, but can they let you evade everyone—even governments? 

“The full extent of government capabilities around the world, due to classified information housed within each government, will never be fully publicly known,” says Aaron Engel, chief information security officer at ExpressVPN. “You can take as many steps as possible to safeguard your privacy and protect yourself, but a true guarantee of privacy is not something you should ever expect.”

While the precautions you describe are very effective against known privacy threats, no one can guarantee that a government isn’t observing your activity.

We can only discuss who can see what within the context of known methods of monitoring. Let’s start with what third parties can see without taking any precautions. Then we’ll look at the scenarios you describe. 

If you take no security precautions…

Let’s say you don’t use a VPN for encryption and you use mainstream services for email, browsing, and entertainment. Here’s a list of how various entities could see your activity.

Internet service provider: Your ISP can see your online activity, including which websites (domains) you visit, approximately how much time you spend on each site, the online apps you use, and your online habits. This is why it can throttle your connection if it detects you’re engaging in high-bandwidth activity like streaming. Your connections to sites and services are established using DNS and SNI (TLS Server Name Indication), which are unencrypted by default, and thus visible to your ISP.

Most reputable websites these days use HTTPS encryption for web traffic, which prevents your ISP from seeing the specific pages you’re visiting and any data you transmit to the sites. Most browsers also support DoH (DNS over HTTPS) or DoT (DNS over TLS), which prevent each network hop (including your ISP) from seeing your DNS lookups. However, using DoH or DoT means you need to trust the entity providing DNS resolution (usually the browser vendor), as they may be able to see which sites you’re visiting.

Wi-Fi network operators: Wi-Fi admins could see the sites you’ve visited through router logs. They can do this by figuring out your device’s IP address (the one the Wi-Fi access point assigns you on the local network) and seeing the DNS requests you’ve made and the responses you’ve received to determine what sites you’ve visited. 

Big Tech companies, social media, browsers, websites: Companies like Google and Meta, including social media networks such as YouTube and Instagram, can record your actions on their platforms. It’s especially easy to track you if you’re signed in, but your IP address is another easy way to identify you and see your general location. Websites can also use cookies and embedded trackers to track you across the internet and collect data about your behavior.

Hackers: Man-in-the-middle and downgrade attacks, where attackers can trick your browser into connecting to the wrong endpoint or reverting your connection to the less secure HTTP, can let hackers monitor your activity. These attacks can occur over unsecured public Wi-Fi, or on any online platform where a security certificate’s private key has been compromised.

Governments: Governments can learn about your online activity by requesting data from ISPs, social media companies, search engines, browsers, or any other company that may have information about your online activity. Other methods include browser fingerprinting and installing spyware on your device—in other words, hacking.

VPN + privacy browser

Using ExpressVPN together with privacy-focused services like DuckDuckGo (for search or as a browser) and/or Brave browser is a strong privacy combination that is easily achievable for most people. 

ExpressVPN is a premium service that uses strong tunneling protocols to encrypt your traffic and replaces your IP address with a different one. For your browsing activity, both DuckDuckGo and Brave browsers claim not to track user activity or store user data. Both block trackers and third-party cookies. Brave also blocks browser fingerprinting, showing sites a random fingerprint instead. These are default settings; you could turn these features off. Finally, you can also use Tor through the Brave browser.

Using ExpressVPN with a privacy browser like Brave Browser or DuckDuckGo provides a seamless experience. You don’t have to compromise your privacy for convenience with the right setup. Our user-friendly app takes just seconds to set up and you can connect up to 8 devices simultaneously with a single ExpressVPN subscription.

 


Using these services goes a long way to keep your activity more private from your ISP, websites, hackers, and more. Here’s what various third parties can see.

Internet service provider: With VPN encryption, ISPs can still see you’re transferring data and how much, but they can only see it’s going to a VPN server. They can’t see where it goes after that. Your actual browsing activity is a mystery.

Wi-Fi network operators: Wi-Fi admins would only see that your device traffic went to a VPN and nothing else. 

Big Tech companies, social media, browsers, websites: If you go online while signed in to services (this applies to all apps), they will easily continue to record your activity on their sites, whether you’re using a VPN and a privacy browser or not. If you aren’t signed in, then a VPN will keep you anonymous by hiding your IP address and location from these services, and the privacy browsers will block cookies and some trackers (with Brave blocking fingerprinting, too). It’s possible for sites to know you’re using a VPN but they likely won’t get any other information about your identity.

Hackers: A VPN’s encryption will stop common attacks like man-in-the-middle. However, it won’t stop social engineering attacks such as phishing, in which you’re tricked into giving away key information like passwords or clicking on a malicious link that can otherwise leave you vulnerable.

Governments: With a VPN and a browser like Brave, there’s very little of your activity anyone can see. If a government wants information on you, they might go to your ISP, and your ISP cannot see much beyond the times you’re online. 

Governments would be more likely to compromise your device to spy on you. In the Pegasus spyware case not too long ago, for instance, spyware used by governments was revealed to be so sophisticated that a phone might be infected with Pegasus just by receiving a malicious message.

A government might also use the “store now, decrypt later” method to spy on someone. While they wouldn’t be able to read the encrypted data today, there is the possibility that they could store that data for decryption at a later time, once technology advances enough for them to do so. This is why ExpressVPN now uses post-quantum cryptography to keep our customers safe, in the face of this eventuality.

It’s worth noting that a VPN company can, in theory, see your traffic. This is why it’s important to choose a reputable VPN if privacy is a priority for you. ExpressVPN does not log your activity or VPN connections, and we can’t turn over any information about your activity that we don’t have—as shown in a real past example. Independent auditors have also extensively examined our privacy claims.

Your privacy always comes first. Whereas servers typically come equipped with hard drives as their storage solution, ExpressVPN’s TrustedServer technology uses RAM-only servers that, by definition, can’t store your data. You can also sign up for ExpressVPN using Bitcoin to protect your financial information.

 


VPN + Tor + Signal

How private are your communications if you turn on a VPN, use Tor, and then send messages with Signal? 

Using Tor over VPN offers extra privacy protection by increasing your anonymity. Tor is usually set up only as a browser, which doesn’t protect app traffic, but it’s possible to set up Tor to route traffic for your whole device. 

That said, using Signal alone, without a VPN or Tor, should be enough to prevent anyone from reading your messages. Messages are end-to-end encrypted, meaning no one other than the sender and receiver can read the messages. Signal, perhaps the world’s most vocal supporter of E2E encryption, doesn’t have access to the messages either. If your message data does get intercepted somehow, the hacker wouldn’t be able to decrypt it for hundreds or thousands of years.

Importantly, Signal also doesn’t collect metadata about its users and doesn’t know their identities or anything about the interactions over its service—this is a key distinction that sets Signal apart from other messaging services like WhatsApp.

So no one can intercept your end-to-end encrypted messages. Even the FBI and NSA, you ask? Government agencies trying to spy on individuals would most likely compromise a device by installing spyware or tricking the person into communicating with them at the other end. The person you’re messaging could also have a compromised device or be cooperating with the government. By contrast, breaking end-to-end encryption seems less likely, although as mentioned above, the full capabilities of governments cannot be known.

The same goes for the use of Tor and the dark web. In many cases where government agencies bust criminals operating on secure platforms, it’s simply a matter of a person revealing too much information to another human—not the result of technical interception.


To fully answer your question, if you use a VPN, Tor, and Signal simultaneously, your privacy risk is extremely low.

Risk mitigation vs. elimination

There’s no simple answer to this type of question because so many risk factors are at play. 

It’s important to keep in mind that risk can only be mitigated, not eliminated. You can take measures to achieve a very high level of privacy and security, but nothing can guarantee total safety. Even if your technical safeguards are strong, people still face the risks of phishing and other social engineering attacks. Having a high level of security, however, could also serve as a deterrent to drive an attacker to look for an easier target.
