July 28 2022, VPN Community Gathering: Difference between revisions

From TCU Wiki
No edit summary
Updated notes with Parking Lot topics
 
(One intermediate revision by the same user not shown)
Line 95: Line 95:


===Discussion===
===Discussion===
'''User Data Protections'''
* What is the data that the provider can take from the user and what can be done? When most traffic is now encrypted.  
* What is the data that the provider can take from the user and what can be done? When most traffic is now encrypted.  
** Google Transparency Report
** Google Transparency Report
Line 103: Line 104:
** Are VPN providers actually selling user data?
** Are VPN providers actually selling user data?
*** There are free providers that have millions of installs. Maybe they aren't selling data, but the question is open.
*** There are free providers that have millions of installs. Maybe they aren't selling data, but the question is open.
* ISPs package, collate and sell data on a mass scale.
* VPNalyzer: Working with a friendly ISP to see how much you can learn about a user from the ISP.
* VPNalyzer: Working with a friendly ISP to see how much you can learn about a user from the ISP.
** You can detect if specific users of that ISP in a region are Muslim.
** You can detect if specific users of that ISP in a region are Muslim.
Line 110: Line 112:
** Recommendation: Use HTTPS only by default.
** Recommendation: Use HTTPS only by default.
** Will depend on the user and the threat model.
** Will depend on the user and the threat model.
* [Remarks of Chair Lina M. Khan Regarding the 6(b) Study on the Privacy Practices of Six Major Internet Service Providers https://www.ftc.gov/system/files/documents/public_statements/1597790/20211021_isp_privacy_6b_statement_of_chair_khan_final.pdf FTC report]
'''VPN Use Cases'''
* Guides and methodologies often fail because we don't take into account different threat models.
* Guides and methodologies often fail because we don't take into account different threat models.
** For this kind of user, this is what matters. For these users, this is what matters.
** For this kind of user, this is what matters. For these users, this is what matters.
* The question that came to mind: Do we even have a list of use cases?
* '''The question that came to mind: Do we even have a list of VPN use cases?''
** A user who is using a VPN for bypassing filtering, then maybe they don't care about targeted ads.  
** A user who is using a VPN for bypassing filtering, then maybe they don't care about targeted ads.  
** Or maybe you are trying to bypass targeted ads.
** Or maybe you are trying to bypass targeted ads.
** '''How are we going to create a framework when we don't have the actual use cases for some of these VPNs in our own communities?'''
** '''How are we going to create a framework when we don't have the actual use cases for some of these VPNs in our own communities?'''
** '''Who is validating the VPN providers in our own community?'''
** There is zero presence of some of the VPN providers (especially in Africa) and what are the actual use cases that they are creating these VPNs with?
** There is zero presence of some of the VPN providers (especially in Africa) and what are the actual use cases that they are creating these VPNs with?
** Let's create a framework that can be applied within the community as well.
*** Shutdowns, censorship and surveillance are regular challenges in Sub-Saharan Africa.
*** Shutdowns, censorship and surveillance are regular challenges in Sub-Saharan Africa.
*** The Team CommUNITY [https://internetfreedomfestival.org/wiki/index.php/July_27,_2022_,_Africa_Meetup Africa meetup has great notes] on this.
*** The Team CommUNITY [https://internetfreedomfestival.org/wiki/index.php/July_27,_2022_,_Africa_Meetup Africa meetup has great notes] on this.
* There is not a clear solution for the diversity of problems and use cases that we face.
'''Digital Rights Community and Industry Overlap'''
** '''Who is validating the VPN providers in our own community?'''
** Let's create a framework that can be applied within the community as well.
* When you are working with at-risk users, you need to be able to show that you yourself are familiar with and connect with the developers and the tool.
* When you are working with at-risk users, you need to be able to show that you yourself are familiar with and connect with the developers and the tool.
'''Trust'''
* There are 3 levels: ISP, VPN service, Client
* There are 3 levels: ISP, VPN service, Client
** Who do you trust more?
** Who do you trust more?
** In different regions it may shift drastically.
** In different regions it may shift drastically.
* Can I tunnel my traffic to another government to hide my traffic from my government?
** It's not about an ISP adversary, it's about government adversaries.
'''VPN Client Customization'''
* What if the VPN client let me only send Netflix with the VPN?
* What if the VPN client let me only send Netflix with the VPN?
** Centralized VPNs control the VPN and the client and they control what you can send to the VPN or not.
** Centralized VPNs control the VPN and the client and they control what you can send to the VPN or not.
Line 130: Line 148:
** Requires a client independent of the provider.
** Requires a client independent of the provider.
** Providers could provide standard protocols that can function with different clients.
** Providers could provide standard protocols that can function with different clients.
* Can I tunnel my traffic to another government to hide my traffic from my government?
** It's not about an ISP adversary, it's about government adversaries.
* Separation of client and service:
* Separation of client and service:
** This is possible, but generally with the better providers
** This is possible, but generally with the better providers
** Some of the better providers offer split-tunneling
** Some of the better providers offer split-tunneling
* Chosing a VPN
 
 
'''Choosing a VPN'''
** 1st question: Do you need a VPN?
** 1st question: Do you need a VPN?
** 2nd question: Do you trust the VPN more than your ISP?
** 2nd question: Do you trust the VPN more than your ISP?
* After you have said yes to these first two questions, what comes next?
** After you have said yes to these first two questions, what comes next?
* ISPs package, collate and sell data on a mass scale
* [https://www.ftc.gov/system/files/documents/public_statements/1597790/20211021_isp_privacy_6b_statement_of_chair_khan_final.pdf FTC report]


* There is not a clear solution for the diversity of problems and use cases that we face.
 
* What is a VPN?
'''What Actually Is a VPN?'''
* VPN is the kingdom or the phylum - but what're the genus or species within?
* VPN is the kingdom or the phylum - but what're the genus or species within?
* Maybe it will be helpful to start branding VPN user cases into profiles.
* Maybe it will be helpful to start branding VPN user cases into profiles.
** Selective providers use special naming for gamers avoiding DDOS attacks for example.
** Selective providers use special naming for gamers avoiding DDOS attacks for example.
=Parking Lot=
Questions and topics highlighted for further discussion.
* The Outline team is seeing a proliferation of sites and groups offering Outline service. How can users determine if they can trust those VPNs? On the other hand, can we enable a marketplace to make them easier to find?
** Random idea: maybe outline clients could strongly suggest to users not to connect to outline providers that are run by people they do not know/trust?
* How does selective proxying work, is it application-specific?
* Is there a place where the academic links related to VPN/circumvention research are collected?
** https://censorbib.nymity.ch/, but it's for censorship
* Random Idea: A community VPN provider analysis with the same matrixes that was just shared for commercial VPN providers.

Latest revision as of 10:32, 8 September 2022

Past Event Updates

Resources

VPN Trust Initiative (VTI)

i2coalition

CDT Signals of Trustworthy VPNs

Notes

Project Updates

Outline / Jigsaw

Overview of Projects from Jigsaw:

Prevent
  • Encrypted DNS on Android and Chrome. WG chair for DoH
  • HTTPS Record RFC, enabling ECH
Mitigate
Expose


More and more communities are running Outline servers and offering them to communities for free.

  • Access is distributed via Facebook groups and Telegram channels.
  • It's hard to trust these communities. How can you create a marketplace for these VPNs and ensure people can trust them?
  • Interesting property of Outline is that anyone can run a VPN so you don't have to trust your VPN provider.
  • However an inverse problem seems to have arisen and now there is a question of trusting these community VPNs.
  • Call to action written by Sen. Wyden and Rep. Eshoo to FTC about VPN ecosystem and lack of regulation.

Presentation

Viktor from IVPN presented on the need for an inclusive and collaborative approach to establishing VPN industry trust and ethics standards.

Presentation Slides

Notes

  • The talk is geared more toward commercial VPNs, potentially not so much for providers with other use cases like Outline.
  • IVPN use case is most focused on privacy.
  • ​​​​​​​As a result of the lack of education around VPNs, users are misinformed about trust signals.
  • Providers cannot agree on a baseline for evaluation.
  • Ideal would be to be able to create an independent framework to sift the trustworthy providers from the rest.
  • There have been several initiatives to address signals of trust / industry standards / guidelines.
    • CDT trust signals: Project born at RightsCon
      • Failed to have wide reach and get more uptake
    • VPNalyzer is another project for evaluation of VPNs
    • VTI
      • Aimed to present commercial providers in a good light as opposed to holding them to a higher standard?
      • There are providers that participate who discredit the trustworthiness of the efforts.
  • There are also independent reviewers:
    • ThatOnePrivacyGuy was sold to a VPN review site that is now owned by Kade Technologies (owner of ExpressVPN etc).
    • PrivacyGuides
      • They look at ownership, logging, open source etc.
      • They are pretty restrictive; they don't share information about how other providers fail these quality checks.
  • Need: Establish a trusted, open framework created by independent contributors
    • Tier structure (listing providers based on meeting set criteria).
    • Not an endorsement site.
  • Evaluation based on...
    • Transparency
    • Ownership
    • Infrastructure
    • Protocols used
    • Marketing
    • Kill Switch
    • Strong privacy policy
  • Key problems…
    • Who agrees on the rules?
    • Can we set objective criteria?
    • Who verifies providers, claims
    • Some providers won’t agree or participate
    • How can we reach a large audience, make an impact
  • Do you want to protect people from things that they don't understand?
  • Impact - How do you make this impactful? How do you make sure it has reach?

Discussion

User Data Protections

  • What is the data that the provider can take from the user and what can be done? When most traffic is now encrypted.
    • Google Transparency Report
      • 10% of the web (Explorer users) is unencrypted
    • Majority of people are sending raw DNS
      • VPN providers can make good income on DNS info
    • Metadata is the key valuable info.
    • Are VPN providers actually selling user data?
      • There are free providers that have millions of installs. Maybe they aren't selling data, but the question is open.
  • ISPs package, collate and sell data on a mass scale.
  • VPNalyzer: Working with a friendly ISP to see how much you can learn about a user from the ISP.
    • You can detect if specific users of that ISP in a region are Muslim.
    • You can use a profile easily if you look at metadata. And a VPN can view this.
  • Surveillance is a big problem
    • In the US, with the fall of Roe v. Wade, there is an open question about what the ISP or VPN provider are logging around reproductive care.
    • Recommendation: Use HTTPS only by default.
    • Will depend on the user and the threat model.
  • [Remarks of Chair Lina M. Khan Regarding the 6(b) Study on the Privacy Practices of Six Major Internet Service Providers https://www.ftc.gov/system/files/documents/public_statements/1597790/20211021_isp_privacy_6b_statement_of_chair_khan_final.pdf FTC report]


VPN Use Cases

  • Guides and methodologies often fail because we don't take into account different threat models.
    • For this kind of user, this is what matters. For these users, this is what matters.
  • 'The question that came to mind: Do we even have a list of VPN use cases?
    • A user who is using a VPN for bypassing filtering, then maybe they don't care about targeted ads.
    • Or maybe you are trying to bypass targeted ads.
    • How are we going to create a framework when we don't have the actual use cases for some of these VPNs in our own communities?
    • There is zero presence of some of the VPN providers (especially in Africa) and what are the actual use cases that they are creating these VPNs with?
  • There is not a clear solution for the diversity of problems and use cases that we face.


Digital Rights Community and Industry Overlap

    • Who is validating the VPN providers in our own community?
    • Let's create a framework that can be applied within the community as well.
  • When you are working with at-risk users, you need to be able to show that you yourself are familiar with and connect with the developers and the tool.


Trust

  • There are 3 levels: ISP, VPN service, Client
    • Who do you trust more?
    • In different regions it may shift drastically.
  • Can I tunnel my traffic to another government to hide my traffic from my government?
    • It's not about an ISP adversary, it's about government adversaries.


VPN Client Customization

  • What if the VPN client let me only send Netflix with the VPN?
    • Centralized VPNs control the VPN and the client and they control what you can send to the VPN or not.
  • Onion routing system with VPNs?
    • Requires a client independent of the provider.
    • Providers could provide standard protocols that can function with different clients.
  • Separation of client and service:
    • This is possible, but generally with the better providers
    • Some of the better providers offer split-tunneling


Choosing a VPN

    • 1st question: Do you need a VPN?
    • 2nd question: Do you trust the VPN more than your ISP?
    • After you have said yes to these first two questions, what comes next?


What Actually Is a VPN?

  • VPN is the kingdom or the phylum - but what're the genus or species within?
  • Maybe it will be helpful to start branding VPN user cases into profiles.
    • Selective providers use special naming for gamers avoiding DDOS attacks for example.

Parking Lot

Questions and topics highlighted for further discussion.

  • The Outline team is seeing a proliferation of sites and groups offering Outline service. How can users determine if they can trust those VPNs? On the other hand, can we enable a marketplace to make them easier to find?
    • Random idea: maybe outline clients could strongly suggest to users not to connect to outline providers that are run by people they do not know/trust?
  • How does selective proxying work, is it application-specific?
  • Is there a place where the academic links related to VPN/circumvention research are collected?
  • Random Idea: A community VPN provider analysis with the same matrixes that was just shared for commercial VPN providers.