Skip to main content
← Back to Blog
Regional·9 min read·

Privacy Tools for Users in Surveillance-Heavy Markets (2026)

Practical privacy setup for users in countries with state surveillance concerns: Russia, Iran, China-adjacent, and beyond. Extensions, DNS, VPN, and trade-offs.

#surveillance#VPN#DNS#privacy#Russia#Iran

Quick answer

In surveillance-heavy markets, the priority stack is: (1) a trusted VPN with independent audits (Mullvad, ProtonVPN), (2) encrypted DNS that the VPN cannot be stripped of, (3) a privacy extension to cut in-country tracking cookies, (4) Signal for messaging, (5) minimal mobile-app exposure. PrivacyGuard is one component of this — not the whole solution.

Threat-model first

"Privacy" means different things under different threat models. A journalist in Tehran, an activist in Minsk, a businessperson in Yerevan, and a student in Jakarta all have different risks. This article covers technical protections against pervasive internet-level surveillance — the threat model faced by users in countries where ISPs log extensively and routinely hand data to the state.

VPN selection

  • Mullvad — no account emails, accepts cash, uses WireGuard, regular independent audits.
  • ProtonVPN — Swiss, free tier available, independent audits, good Tor-integration.
  • IVPN — small, audit-heavy, multi-hop routing.

Avoid: free VPNs with unclear funding, VPNs sold via influencer marketing, VPNs based in 5/9/14-Eyes countries without strong jurisdictional protections.

DNS

Encrypted DNS (DoH, DoT) prevents your ISP from logging the domains you visit. Good providers:

  • Cloudflare 1.1.1.1 (DoH, DoT)
  • Quad9 9.9.9.9 (DoH, DoT, malware blocking)
  • NextDNS (customisable block lists)

Browser + extensions

  • Browser: Firefox with Strict mode, or Mullvad Browser. Chrome is too tracking-friendly.
  • PrivacyGuard — blocks trackers, reduces fingerprinting.
  • uBlock Origin on Firefox.
  • Cookie AutoDelete — clears cookies when tabs close.

Messaging

Signal is the standard for end-to-end encrypted messaging with metadata minimisation. For very high-risk situations, Briar (peer-to-peer, no central server) is worth learning. Avoid Telegram for sensitive content — its default chats are not end-to-end encrypted.

Operational minimums

  • Keep OS and browser fully up to date.
  • Use a password manager (Bitwarden, 1Password).
  • Use hardware security keys (YubiKey) for critical accounts.
  • Avoid installing apps outside official app stores unless you can verify the publisher.
  • Assume mobile-provider SMS is surveilled — do not rely on SMS 2FA alone.

What tools will not fix

No technical setup defeats targeted, well-resourced surveillance. If you are a named target of a state actor, you need operational-security training and legal support, not just better extensions. Organisations like Access Now Digital Security Helpline (accessnow.org/help) provide free support to activists, journalists, and human-rights defenders.

Related reading

What is a privacy extension? · Harden Chrome in 10 min · GeraCompliance (EU rules)