Earlier this year, OTF and Team CommUNITY brought together technologists, academics, user researchers, and Virtual Private Network (VPN) providers to discuss challenges and opportunities within the VPN space.
VPNs have become an increasingly important and widely adopted tool for users facing censorship and surveillance. Put simply, a VPN creates an encrypted ‘tunnel’ where a user’s traffic flows and therefore helps users stay away from the prying eyes of Internet Service Providers (ISPs), censors, hackers, and nation-state actors. VPN services also assign your device a new IP address, allowing users in restrictive countries to access the internet as if they were living in a more open country. This technology applies to a wide variety of use cases: from internet activists living in the most high-risk environments and looking to stay safe online from surveillance (and worse), to internet users looking to access a different country’s video streaming service.
It’s difficult for technologists to build for all these different use cases, so many don’t. Some VPN providers are very focused on content streaming access in their business and operating models; others are more focused on online privacy and transparency, while others center on circumvention and anti-censorship.
The variety of user threat models and service provider business models in a multi-billion dollar global VPN industry all paint a picture of a complex, unregulated space. Given these challenges, this ecosystem can be a dangerous one for users to navigate.
In collaboration with the VPN Initiative at Team CommUNITY, OTF brought together different stakeholders to unpack the main technical, operational, user-facing, and community-related challenges that face VPNs focused on circumvention and user safety. It is our hope that increased collaboration and trust building within the space is the first step towards a safer and more seamless experience for users.
Here are some takeaways and opportunities that arose from the discussion at the VPN Convening which we hope community members will engage with and take forward:
Theme 1: Collaboration on Information Sharing
Lack of information sharing between providers and community members
VPNs are an important tool for users to have on hand, especially in times of heightened censorship or information crackdown. In these times, the internet freedom community often rallies together in a “rapid response” fashion to support users on the ground, assess their needs, and distribute appropriate tools. VPN providers can play a unique role in this process, as they have additional insight into the type of information controls being exercised in a given country, as well as which circumvention tactics are working best. This is vital information for the internet freedom community to have, but participants highlighted that there is a lack of shared space, methodology, and tooling in the ecosystem which makes the practice of information sharing incredibly challenging.
The group discussed specific challenges, including how difficult it is for providers to distinguish which data is actually useful in different contexts (for example, in a rapid response fashion within the community or among different providers). Moreso, providers are set up differently and use different tools to collect data, and this makes collecting high-level insights more difficult. One thing that could help these challenges is for providers and researchers to better communicate, but notably, this requires a great deal of trust that all parties involved share the same values, none more important than transparency.
Opportunities for action
- How can we better understand the data needs of different stakeholders in different contexts?
- How can we ensure that we have sufficient coordination between key players in times of crisis?
- Can we help facilitate spaces where information sharing could take place? Do events play a role here?
Theme 2: Reaching users in highly censored environments
VPN Distribution in Highly Censored Environments
There are many methods for distributing VPNs in censored environments where users cannot access them via traditional app stores. A few examples are simply sideloading, messenger bots, sneakernet, dual-purpose platforms (like Telegram or GitHub), and progressive web apps. However, mass sharing is incredibly difficult as it takes time and a word-of-mouth effort to learn about a large download source, and in that time the source itself is sometimes blocked. This is further complicated by the fact that users don’t often know which alternative distribution methods they can or should trust.
Opportunities for action:
- How can we evaluate the efficacy of existing distribution methods?
- What new, creative, and effective distribution methods exist?
- How do we best communicate the legitimacy of certain distribution methods to users?
Lack of user feedback about VPN experience in highly censored environments
Participants identified that user needs often go unaddressed given the lack of formalized feedback loops between users, researchers, and providers, especially in highly censored environments. Things like localization, regional awareness of tools and resources, lack of education on how to diagnose VPN problems, and the technical complexity of using some VPN tools can all be a blocker to user experience.
Opportunities for action:
- How can trusted digital security practitioners and local organizations who are technically savvy and well-connected play a role in bridging the gap between providers and users?
- How can VPN providers safely and thoughtfully approach in-country testing? How can they create support channels with anonymity?
- Should threat intel organizations or coalitions play a role here? How can they be leveraged by VPN providers to reach regional testers or organizations?
- Is it possible to have a regional or centralized place where user testing-related information lives that is regularly updated? What documentation would be important here
Sustainability of VPN solutions in highly censored environments
Participants acknowledged the challenges in supporting users at scale in censored environments. As user numbers grow, providers need to continuously upgrade their technical architecture to support rising user-carrying costs. This is often happening against the backdrop of a cat-and-mouse game where as providers gain more popularity in a censored country, they also paint a target on their back for censors. Supporting large user numbers is made more challenging as many providers are unable to monetize users in certain countries.
Opportunities for action:
- What does it mean to run a growing and sustainable VPN while in the cat-and-mouse game?
- What kind of architectural building blocks and other factors affect provider sustainability?
Theme 3: User education and trust
User education and VPN reviews
Participants felt that the risks around using VPNs and ISPs are often misunderstood, and that there aren’t very many independent information sources on VPNs. This makes it difficult to critically evaluate and select a VPN for regular and high-risk internet users. The situation is even worse when considering a lack of localized materials for different communities, including minority language speakers.
Furthermore, participants identified that VPN reviewers and journalists largely rely on security audits to inform their reviews, and that there is a lack of standardization in audit scopes and approaches which means that all VPN reviews are not created equal.
What we end up with is a situation where a lack of technical foundation for evaluating VPNs and a lack of standardized trust indicators leads to a huge amount of inconsistency in user-education materials.
Opportunities for action:
- Could the development of technical standards for providers allow for greater differentiation between them?
- Can we expose bad actors through technical study and review?
- What should a standard VPN audit scope include? How are security audits designed and structured with high-risk users in mind? How can we translate their results into readable, localized user education materials?
- What role do third party actors (App stores, phone manufacturers, OS developers) play in promoting VPNs to users?
Lack of collective agreement on privacy and technical standards
Participants in the event discussed different technical and operational aspects that can serve as trust indicators for VPN providers. The lack of established standards is often a blocker to information sharing and overall collaboration in this space, and participants were keen to see action taken on a number of categories that require further examination.
The categories of standards people came up with are related to
- Marketing: Affiliate standards, transparency about marketing in privacy policies
- Open-source requirements: What do we really mean by this? What approach to open sourcing is most appropriate?
- Required technical features: What should these be?
- Data practice standards: What does a “no-logs” policy mean in technical terms? Should we expect log retention transparency? Should we help providers with producing easy-to-read privacy policies?
- Usability: What is a meaningful VPN- user experience in environments with a high level of information controls or poor connectivity?
- Ownership and funding transparency: What level of corporate transparency is important for high-risk users?
If you’d like to discuss any of the above takeaways and insights, we encourage you to reach out to [email protected]. Otherwise, we look forward to reviewing your applications!