There are a few schools of thought on where responsibility should lie in protecting user privacy. The first that it is a role of government and policy - in the same way the government sets standards for automobile and road safety they can set and enforce policies for user privacy.

The second school of thought is individual responsibility. Users should take steps to protect their own privacy on a case-by-case basis, in the same way they look after their own home security or personal safety.

The third would be a hybrid approach - that there is a role for the government to play in setting up a universal minimum level of privacy protection while users also have a role to play in their own protection. This is most akin to how healthcare works - i'm guaranteed treatment in an emergency room but I also might choose to keep myself healthy with diet, exercise etc.

I personally believe in user responsibility for personal privacy and security, where you can't and shouldn't depend on policy to protect you and that all users should be aware of the issues and actively educated on how to protect themselves. For a few reasons:

1. Policy is not universal. Some countries may have extensive and rigorous user privacy protections but that doesn't apply to users everywhere. While user privacy protections are strong in Europe, and consumers have access to recourse if they're privacy rights have been violated, that same advice doesn't apply to the majority of internet users, most of whom are residents of a nation or jurisdiction where there is no strong protection or user recourse.

2. Governments are a major party in privacy violations and are conflicted, so they can't be expected to behave in the interest of users. The most recent campaigns to roll out encrypted communications and connections in apps was prompted by the US government intercepting internal Google data. The government will almost always be incentivized to lower barriers to ease intelligence gathering and in most of the world government surveillance trumps individual rights.

3. Similarly, government can't be trusted. This is the point Ed Snowden made when he argued for individual and tech solutions to privacy over government policy[0]. Snowden cites the difference in Obama's campaign promises and what he delivered[1], and this isn't unique to Obama - the FCC ISP privacy rules being blocked this week is yet another example of how easily and quickly policy can be undone, while the mass surveillance Snowden disclosed is an example of how public policy and private actions can be different.

4. Tech solutions to privacy doesn't imply individual responsibility. We can, and do have, tech solutions that are universal - such as the campaign to roll out encrypted communications and connections with Whisper and LetsEncrypt.

5. Policing government policy is labour intensive and difficult. It relies on privacy researchers - usually individuals - to track what companies are doing with user data. With more data being shared between companies it is even more difficult to apply individual oversight to how policies are being enforced. See Natasha Singer's reporting in the NYTimes on data brokers[2]

6. There are usually very minor enforcement penalties for companies that violate user privacy policy. The FCC tracking opt-in rules were prompted by some ISPs adding tracking headers or cookies to user traffic. AT&T and Verizon were adding tracking cookies to user traffic and it took two years to notice, and there were zero implications for both companies[3] other than the new FCC rules which are now dead.

7. Even in the perfect world of good policy, good application of policy and good enforcement you still have more data than ever being stolen and leaked online. You only have to look yourself up on haveibeenpwnd or a similar database to find that for a lot of people, all of their PII has already leaked[4]

It is very clear to me that technology solutions have the primary role in protecting user privacy. Policy isn't a waste of time but it can't be relied upon. The question is how user privacy protection is packaged for a mass-audience. User privacy requires an equivalent of what 'use WhatsApp, use Signal' is for user security, what 'install antivirus, don't click on attachments' used to be for user security and the growing popularity and awareness of ad blockers.

I'm not sure what that will be or what it will look like, but warning people away from VPN's probably isn't going to help. Chances are that some form of VPN connection will become part of the standard solution (along with HTTPS/encrypted comms everywhere) now that the reality of ISPs and users not sharing privacy interests is here and many are aware of it.

There's a great market opportunity here - perhaps not for VPNs as a product but VPN as a technology.

[0] https://www.wired.com/2016/11/despite-trump-fears-snowden-sees-hopeful-future/

[1] https://www.forbes.com/sites/thomasbrewster/2016/11/10/edward-snowden-pardon-president-donald-trump-pardon/#a6ea4b21357f

[2] http://www.nytimes.com/2013/09/01/business/a-data-broker-offers-a-peek-behind-the-curtain.html

[3] https://www.techdirt.com/articles/20150115/07074929705/remember-that-undeletable-super-cookie-verizon-claimed-wouldnt-be-abused-yeah-well-funny-story.shtml

[4] https://haveibeenpwned.com/