
This is why I just use AlgoVPN. I know where my traffic is going and can install it on any cloud instance I want. At the moment I'm running it on my laptop, phone, and my RPI cluster.


I think the problem with personal VPNs is that correlating incoming with outgoing traffic is trivial for a global adversary (NSA, ISPs). When you use a service provider where a bunch of people are connecting to a single server, correlating input with output becomes much more difficult. I seriously doubt it would be impossible, though.


If your threat model seriously includes the NSA, then you shouldn’t be using IP at all. Or any kind of electronic communication, for that matter.

If your threat model includes your ISP, but does not extend to nation-state level adversaries, then a good private VPN should be a decent enough solution, although a public VPN might be easier and still adequate.

Source: I personally pissed off the Director of the NSA in November of 1992 (see http://www.shub-internet.org/brad/cacm92nov.html ). At the time, my clearance was Top Secret/SCI, and I had been read onto multiple compartments — including the ones for ECHELON, KEYHOLE, etc. So far as I know, I am still on their shit list, albeit not as high as Snowden or Binney.


May I suggest https://letsencrypt.org/ or similar for your website?


Yes, this is true.

So the best bet is staying off the shit lists of the NSA and other global adversaries.


Clicked on your link just to get on the list (or move up, I suppose). ;-)


That's what I think.

However, I have used personal VPNs tunneled through Tor. But I was very careful to be anonymous about the VPS I used. And it was just to get around blocking of Tor exits.


But then you get no privacy benefits of VPNs: pretty much all cloud providers will be able to tell law enforcement, given an IP address, who rented it from them and when.

And since you're not, I suppose, reselling your traffic to other users, the liability for problematic traffic will land on you.


That's why I made a random Google account and am using those sweet $300 in initial credits.


But don't you have to provide them with a cc card "just in case"? That's a pretty strong link to your identity.

Also, the bandwidth rates all big cloud providers are charging are just extortionate.


You have no way of verifying that a VPN lacks that capability. If you want anonymity, use Tor.


Correct. It's even more complicated than just trusting a "no logs" policy. You also have to trust that no one with hardware access (rogue VPN company employees, datacenter people, law enforcement and intelligence services) intercepts your traffic or messes with the servers, and that the servers themselves don't get hacked due to some vulnerabilities. Recall how NordVPN recently got hacked because a datacenter operator left vulnerable remote management software exposed.

Tor might have its vulnerabilities as well, like all software. Not to forget that pretty much anyone can run an entry guard today and at least associate your IP with usage of Tor.


True, you don't.

And yes, Tor provides far more anonymity than any VPN service ever could.

However, some Tor relays are malicious. And we have no way of verifying which ones are or aren't, except by trusting the Tor Project. It's true that there's lots more independent oversight, however. But that CMU exploit of the "relay early" bug is a red flag. Because the Tor Project didn't detect the malicious relays for at least weeks.

Anyway, I use nested VPN chains to access the Tor network. So if I get pwned through a malicious entry guard, at least they'll only learn the final VPN exit address.


Exactly.



