How to Critically Choose a VPN: Difference between revisions

From TCU Wiki
Erin (talk | contribs)
Frist Draft Session Notes
Line 20: Line 20:


=Notes & Resources=
=Notes & Resources=
''Notes and resources will be added here''
 
'''[] Slides'''<br>
'''[]
 
'''What will this session do?'''
* Provide tools to critically analyze and chose a VPN service
 
'''What will this session not do?'''
* Give specific recommendations
* Say anything negative about certain providers
 
'''Before you start to choose a VPN service, you need to ask “Do I need a VPN?”'''
* A VPN is not going to protect you 100%
* VPNs are not a one-button solution to all of your privacy problems.
 
Threat modeling is key to determining if you need a VPN or not.
* Use Cases:
** Circumvention
** ISP surveillance
** Untrusted Wi-fi networks
** Geo-blocked content
 
'''What makes a good VPN?'''<br>
Can you trust the VPN? How do you find the right service?
* Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise.
** Search Results
*** Highest ranked sites are all tech magazines and VPN review sites.
*** There is a lot of money to be made in ad revenues
** VPN Sponsorship
*** They usually don’t have any technical expertise or background.
*** They are often incentivized by monetary gain.
 
'''Route 1: Trust the Experts''' (The easier route)
* Examples of more trusted VPN recommendations
** [https://www.privacyguides.org/vpn/ Privacy Guides]
** [https://freedom.press/training/choosing-a-vpn/ Freedom of the Press Foundation]
 
'''Route 2: Do it Yourself'''
* Do not default to trust. Make the VPN provider work for your trust.
* Start with a long list and narrow it down.
* Review the website of the provider and implement a check-list.
* Be vigilant.
* Do a safety check (searches, forums etc.).
 
'''The VPN Provider Checklist:'''
* Jurisdiction
** Transparency / accountability
*** Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections.
 
'''<span style="background:red">Red Flags (Avoid)</span>'''
* Overpromising
** Promises perfect privacy or anonymity.
** Best / fastest service (yellow flag, not so red).
** Promises “military-grade” encryption.
*** This is just meaningless marketing jargon
* Privacy Policy
** There needs to be a policy.
** It should be clear and concise.
* No transparent ownership
** You want to see clear ownership so that there is full accountability.
* No details on security practices
** This is hard to do if you don’t have a security background.
* No audits
** There needs to be an independent auditor.
** It should be an auditor who specializes in VPN or technical audits.
 
'''<span style="background:yellow">Yellow Flags (Proceed with Caution)</span>'''
* Trackers on the website or in the VPN app
** This means they don’t fully respect your privacy.
*** It’s for marketing and website optimization in most cases.
** In the AppStore, Apple will tell you what the VPN actually tracks in the app.
* No legal guidelines
** How do they handle law enforcement requests?
** You want to see transparency reports
* Too good to be true deals
** Multiple years for under 50 USD etc.
** Lifetime accounts
** Not sustainable, or need other ways to make money
*** Selling browser data etc.
* Fear / Uncertainty / Doubt
** Service stoking user fears to get them to use VPNs
* Dark patterns
** Fake countdown timers
** Exit consoles
* Social Proof tricks
** Made up user numbers
** Trustpilot problem
*** It’s really easy to purchase reviews
 
'''<span style="background:green">Green Flags (Big Pluses)</span>'''
* Open source
* Minimal information for sign up
** Some providers don’t even need an email address for sign up
** Your provider should only know minimal information about you.
* Uses the latest protocols available
** WireGuard is the gold standard and default for best providers.
 
'''Once you've narrowed down a trusted shortlist, choose a service based on other preferences:'''
* Price point, platform support, server locations, streaming support.
* Killswitch
* Multi-hop (allows you to jump through multiple servers in different jurisdictions)
* Ad blocking
* Cryptocurrency payments

Revision as of 11:03, 19 January 2023

  • Date: Wednesday, December 7
  • Time: 10am to 11am EST / 3pm - 4pm UTC (What time is it in my city?)
  • Who: Viktor Vecsei, COO at IVPN
  • Location: Zoom

RSVP: https://digitalrights.formstack.com/forms/vpnvillage2022_4

How to Critically Choose a VPN Service (Talk and Q&A)

In a market so saturated with commercial VPN providers, it is a challenge not only to determine if you need a VPN or not, but also to navigate search results and the network of VPN review sites as you try to find a trustworthy VPN.

What are the key things you should look for when determining if a VPN service is trustworthy? How can you determine if a VPN recommendation site is legitimate? What red flags signal that you should steer clear of a VPN provider?

In this session, you will learn how to recognize signals of trustworthiness in VPN providers and more effectively analyze VPN recommendation resources in your search for a VPN service that respects your privacy, safety and security as a user.

Note: This session is not geared toward high-risk users or those for whom anonymity and/or circumventing severe censorship is a necessity.

Bio: Viktor Vecsei is a privacy activist, researcher and writer. He is the COO at IVPN, a privacy-focused VPN provider, where he works on increasing transparency, honest communication and improving ethical standards in the commercial VPN space.

Notes & Resources

[] Slides
[]

What will this session do?

  • Provide tools to critically analyze and chose a VPN service

What will this session not do?

  • Give specific recommendations
  • Say anything negative about certain providers

Before you start to choose a VPN service, you need to ask “Do I need a VPN?”

  • A VPN is not going to protect you 100%
  • VPNs are not a one-button solution to all of your privacy problems.

Threat modeling is key to determining if you need a VPN or not.

  • Use Cases:
    • Circumvention
    • ISP surveillance
    • Untrusted Wi-fi networks
    • Geo-blocked content

What makes a good VPN?
Can you trust the VPN? How do you find the right service?

  • Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise.
    • Search Results
      • Highest ranked sites are all tech magazines and VPN review sites.
      • There is a lot of money to be made in ad revenues
    • VPN Sponsorship
      • They usually don’t have any technical expertise or background.
      • They are often incentivized by monetary gain.

Route 1: Trust the Experts (The easier route)

Route 2: Do it Yourself

  • Do not default to trust. Make the VPN provider work for your trust.
  • Start with a long list and narrow it down.
  • Review the website of the provider and implement a check-list.
  • Be vigilant.
  • Do a safety check (searches, forums etc.).

The VPN Provider Checklist:

  • Jurisdiction
    • Transparency / accountability
      • Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections.

Red Flags (Avoid)

  • Overpromising
    • Promises perfect privacy or anonymity.
    • Best / fastest service (yellow flag, not so red).
    • Promises “military-grade” encryption.
      • This is just meaningless marketing jargon
  • Privacy Policy
    • There needs to be a policy.
    • It should be clear and concise.
  • No transparent ownership
    • You want to see clear ownership so that there is full accountability.
  • No details on security practices
    • This is hard to do if you don’t have a security background.
  • No audits
    • There needs to be an independent auditor.
    • It should be an auditor who specializes in VPN or technical audits.

Yellow Flags (Proceed with Caution)

  • Trackers on the website or in the VPN app
    • This means they don’t fully respect your privacy.
      • It’s for marketing and website optimization in most cases.
    • In the AppStore, Apple will tell you what the VPN actually tracks in the app.
  • No legal guidelines
    • How do they handle law enforcement requests?
    • You want to see transparency reports
  • Too good to be true deals
    • Multiple years for under 50 USD etc.
    • Lifetime accounts
    • Not sustainable, or need other ways to make money
      • Selling browser data etc.
  • Fear / Uncertainty / Doubt
    • Service stoking user fears to get them to use VPNs
  • Dark patterns
    • Fake countdown timers
    • Exit consoles
  • Social Proof tricks
    • Made up user numbers
    • Trustpilot problem
      • It’s really easy to purchase reviews

Green Flags (Big Pluses)

  • Open source
  • Minimal information for sign up
    • Some providers don’t even need an email address for sign up
    • Your provider should only know minimal information about you.
  • Uses the latest protocols available
    • WireGuard is the gold standard and default for best providers.

Once you've narrowed down a trusted shortlist, choose a service based on other preferences:

  • Price point, platform support, server locations, streaming support.
  • Killswitch
  • Multi-hop (allows you to jump through multiple servers in different jurisdictions)
  • Ad blocking
  • Cryptocurrency payments