That's going too far, I think. Sure, you can run your own VPN server, on an anonymously leased and managed VPS. But then, how do you anonymously lease and manage that VPS? As far as I know, your options are pretty much limited to VPN services, Tor and I2P. Also, VPS traffic is readily logged by providers, so your "anonymity" is pretty fragile.
Your best bet is distributing trust among multiple parties, such that no one of them can compromise you. VPN use is common, so start with nested VPN chains. Then Tor. If either the VPN chain or Tor resists compromise, then you're still safe.
After that, you can use any PM or email that you like. Because it's not connected to your meatspace identity. If content is end-to-end encrypted, the provider has nothing useful to share with adversaries. You and correspondents must, of course, avoid leaking metadata through account names and subject lines.
> But then, how do you anonymously lease and manage that VPS?
At least on DigitalOcean, it’s possible to create an anonymous account (no name required, not even by their TOS) connected to an anonymous email provider and funded by a cash-purchased Visa gift card. And a $5/mo droplet running IKEv2 VPN traffic (see Algo) is very secure and provides more than enough bandwidth/throughput for several people.
That would only leave the traffic itself (particularly the IP address(es) that initiate connections to your droplet). DO has a policy of not logging traffic unless an abuse alert is triggered.
Mullvad.net (a VPN provider) gives 3 hour accounts for free. You solve a captcha and they give you an account id to use to connect to their servers. If you want to keep using that account id for more than 3 hours you have to add money to that account. You can pay them in cash (they're in Sweden though) or Bitcoin, credit card, etc. They don't even ask you for your email and they claim to not keep logs that would allow to match an IP and a time stamp to a user [1].
One more thought - connecting via a temporary Mullvad account from a public or obscured entry point (perhaps during an international trip or at a McDonalds) would probably be the most straightforward method. The worst you're giving away is that entry point (to Sweden's loggers), but the DO/VPS fraud detection is less likely to fire if you're going through Mullvad.
To be clear, my own goal in all of this is primarily to get through residential ISP snooping -- I don't trust them not to sell my personal info. Staying out of the state dragnets is also a plus (I don't like the idea of snoops in a building somewhere reading my personal emails; same reason I close the living room curtains in the evening).
Yes, one can "anonymously" use WiFi APs. But it's hard to get close enough without becoming observable. And more and more, without being videoed. I've played with a Ubiquiti radio and parabolic antenna, and can hit APs at several km. But then, the dish is pretty big, so you need a large window. And unsecured APs have become harder to find.
It’s a lot easier to escape surveillance in the suburbs and rural areas. That being said, the ratio of McDonalds franchise density to population density goes higher the further out you go (at least in the US).
Note - Sweden is one of the “14 eyes”, so your browsing session (origin and destination IP, date/time) very well may be logged by their backbone, if not by Mullvad itself.
Ordering any server from a tor IP, even dirt cheap shared hosting plans, will trip their fraud detections 100% of the time. You'll likely get an email asking for photo ID.
I buy all my vpses via Tor, it takes some effort. But after a while I always manage to find a provider where I can complete the process. So, not all the providers all the time. Just some of them some of the time.
It depends on the hoster. BitHost has no problem with Tor exit IPs. Neither does Host Sailor. I know a few others, but sharing names would be imprudent.
A few years ago I tried that as an experiment. I wanted to see if I could setup completely anonymous Tor exit nodes. It didn't work.
I bought a prepaid debit card at a grocery store with cash. I tried to sign up for a few VPS providers using coffee shop WiFi. All wanted additional verification or wouldn't allow me to use the card. All providers use 3rd party services (eg MaxMind) to prevent fraud and prepaid cards is one of the things they look for.
It looks like your correct. I was under the impression that the USA PATRIOT Act required all cash cards to collect that information, but looking up the details it appears to only apply to reloadable cards in that they "establish a banking relationship" with the provider.
Your best bet is distributing trust among multiple parties, such that no one of them can compromise you. VPN use is common, so start with nested VPN chains. Then Tor. If either the VPN chain or Tor resists compromise, then you're still safe.
After that, you can use any PM or email that you like. Because it's not connected to your meatspace identity. If content is end-to-end encrypted, the provider has nothing useful to share with adversaries. You and correspondents must, of course, avoid leaking metadata through account names and subject lines.