How to Critically Choose a VPN: Difference between revisions
From TCU Wiki
(Frist Draft Session Notes) |
|||
| Line 20: | Line 20: | ||
=Notes & Resources= | =Notes & Resources= | ||
'' | |||
'''[] Slides'''<br> | |||
'''[] | |||
'''What will this session do?''' | |||
* Provide tools to critically analyze and chose a VPN service | |||
'''What will this session not do?''' | |||
* Give specific recommendations | |||
* Say anything negative about certain providers | |||
'''Before you start to choose a VPN service, you need to ask “Do I need a VPN?”''' | |||
* A VPN is not going to protect you 100% | |||
* VPNs are not a one-button solution to all of your privacy problems. | |||
Threat modeling is key to determining if you need a VPN or not. | |||
* Use Cases: | |||
** Circumvention | |||
** ISP surveillance | |||
** Untrusted Wi-fi networks | |||
** Geo-blocked content | |||
'''What makes a good VPN?'''<br> | |||
Can you trust the VPN? How do you find the right service? | |||
* Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise. | |||
** Search Results | |||
*** Highest ranked sites are all tech magazines and VPN review sites. | |||
*** There is a lot of money to be made in ad revenues | |||
** VPN Sponsorship | |||
*** They usually don’t have any technical expertise or background. | |||
*** They are often incentivized by monetary gain. | |||
'''Route 1: Trust the Experts''' (The easier route) | |||
* Examples of more trusted VPN recommendations | |||
** [https://www.privacyguides.org/vpn/ Privacy Guides] | |||
** [https://freedom.press/training/choosing-a-vpn/ Freedom of the Press Foundation] | |||
'''Route 2: Do it Yourself''' | |||
* Do not default to trust. Make the VPN provider work for your trust. | |||
* Start with a long list and narrow it down. | |||
* Review the website of the provider and implement a check-list. | |||
* Be vigilant. | |||
* Do a safety check (searches, forums etc.). | |||
'''The VPN Provider Checklist:''' | |||
* Jurisdiction | |||
** Transparency / accountability | |||
*** Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections. | |||
'''<span style="background:red">Red Flags (Avoid)</span>''' | |||
* Overpromising | |||
** Promises perfect privacy or anonymity. | |||
** Best / fastest service (yellow flag, not so red). | |||
** Promises “military-grade” encryption. | |||
*** This is just meaningless marketing jargon | |||
* Privacy Policy | |||
** There needs to be a policy. | |||
** It should be clear and concise. | |||
* No transparent ownership | |||
** You want to see clear ownership so that there is full accountability. | |||
* No details on security practices | |||
** This is hard to do if you don’t have a security background. | |||
* No audits | |||
** There needs to be an independent auditor. | |||
** It should be an auditor who specializes in VPN or technical audits. | |||
'''<span style="background:yellow">Yellow Flags (Proceed with Caution)</span>''' | |||
* Trackers on the website or in the VPN app | |||
** This means they don’t fully respect your privacy. | |||
*** It’s for marketing and website optimization in most cases. | |||
** In the AppStore, Apple will tell you what the VPN actually tracks in the app. | |||
* No legal guidelines | |||
** How do they handle law enforcement requests? | |||
** You want to see transparency reports | |||
* Too good to be true deals | |||
** Multiple years for under 50 USD etc. | |||
** Lifetime accounts | |||
** Not sustainable, or need other ways to make money | |||
*** Selling browser data etc. | |||
* Fear / Uncertainty / Doubt | |||
** Service stoking user fears to get them to use VPNs | |||
* Dark patterns | |||
** Fake countdown timers | |||
** Exit consoles | |||
* Social Proof tricks | |||
** Made up user numbers | |||
** Trustpilot problem | |||
*** It’s really easy to purchase reviews | |||
'''<span style="background:green">Green Flags (Big Pluses)</span>''' | |||
* Open source | |||
* Minimal information for sign up | |||
** Some providers don’t even need an email address for sign up | |||
** Your provider should only know minimal information about you. | |||
* Uses the latest protocols available | |||
** WireGuard is the gold standard and default for best providers. | |||
'''Once you've narrowed down a trusted shortlist, choose a service based on other preferences:''' | |||
* Price point, platform support, server locations, streaming support. | |||
* Killswitch | |||
* Multi-hop (allows you to jump through multiple servers in different jurisdictions) | |||
* Ad blocking | |||
* Cryptocurrency payments | |||
Revision as of 11:03, 19 January 2023
- Date: Wednesday, December 7
- Time: 10am to 11am EST / 3pm - 4pm UTC (What time is it in my city?)
- Who: Viktor Vecsei, COO at IVPN
- Location: Zoom
RSVP: https://digitalrights.formstack.com/forms/vpnvillage2022_4
How to Critically Choose a VPN Service (Talk and Q&A)
In a market so saturated with commercial VPN providers, it is a challenge not only to determine if you need a VPN or not, but also to navigate search results and the network of VPN review sites as you try to find a trustworthy VPN.
What are the key things you should look for when determining if a VPN service is trustworthy? How can you determine if a VPN recommendation site is legitimate? What red flags signal that you should steer clear of a VPN provider?
In this session, you will learn how to recognize signals of trustworthiness in VPN providers and more effectively analyze VPN recommendation resources in your search for a VPN service that respects your privacy, safety and security as a user.
Note: This session is not geared toward high-risk users or those for whom anonymity and/or circumventing severe censorship is a necessity.
Bio: Viktor Vecsei is a privacy activist, researcher and writer. He is the COO at IVPN, a privacy-focused VPN provider, where he works on increasing transparency, honest communication and improving ethical standards in the commercial VPN space.
Notes & Resources
[] Slides
[]
What will this session do?
- Provide tools to critically analyze and chose a VPN service
What will this session not do?
- Give specific recommendations
- Say anything negative about certain providers
Before you start to choose a VPN service, you need to ask “Do I need a VPN?”
- A VPN is not going to protect you 100%
- VPNs are not a one-button solution to all of your privacy problems.
Threat modeling is key to determining if you need a VPN or not.
- Use Cases:
- Circumvention
- ISP surveillance
- Untrusted Wi-fi networks
- Geo-blocked content
What makes a good VPN?
Can you trust the VPN? How do you find the right service?
- Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise.
- Search Results
- Highest ranked sites are all tech magazines and VPN review sites.
- There is a lot of money to be made in ad revenues
- VPN Sponsorship
- They usually don’t have any technical expertise or background.
- They are often incentivized by monetary gain.
- Search Results
Route 1: Trust the Experts (The easier route)
- Examples of more trusted VPN recommendations
Route 2: Do it Yourself
- Do not default to trust. Make the VPN provider work for your trust.
- Start with a long list and narrow it down.
- Review the website of the provider and implement a check-list.
- Be vigilant.
- Do a safety check (searches, forums etc.).
The VPN Provider Checklist:
- Jurisdiction
- Transparency / accountability
- Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections.
- Transparency / accountability
Red Flags (Avoid)
- Overpromising
- Promises perfect privacy or anonymity.
- Best / fastest service (yellow flag, not so red).
- Promises “military-grade” encryption.
- This is just meaningless marketing jargon
- Privacy Policy
- There needs to be a policy.
- It should be clear and concise.
- No transparent ownership
- You want to see clear ownership so that there is full accountability.
- No details on security practices
- This is hard to do if you don’t have a security background.
- No audits
- There needs to be an independent auditor.
- It should be an auditor who specializes in VPN or technical audits.
Yellow Flags (Proceed with Caution)
- Trackers on the website or in the VPN app
- This means they don’t fully respect your privacy.
- It’s for marketing and website optimization in most cases.
- In the AppStore, Apple will tell you what the VPN actually tracks in the app.
- This means they don’t fully respect your privacy.
- No legal guidelines
- How do they handle law enforcement requests?
- You want to see transparency reports
- Too good to be true deals
- Multiple years for under 50 USD etc.
- Lifetime accounts
- Not sustainable, or need other ways to make money
- Selling browser data etc.
- Fear / Uncertainty / Doubt
- Service stoking user fears to get them to use VPNs
- Dark patterns
- Fake countdown timers
- Exit consoles
- Social Proof tricks
- Made up user numbers
- Trustpilot problem
- It’s really easy to purchase reviews
Green Flags (Big Pluses)
- Open source
- Minimal information for sign up
- Some providers don’t even need an email address for sign up
- Your provider should only know minimal information about you.
- Uses the latest protocols available
- WireGuard is the gold standard and default for best providers.
Once you've narrowed down a trusted shortlist, choose a service based on other preferences:
- Price point, platform support, server locations, streaming support.
- Killswitch
- Multi-hop (allows you to jump through multiple servers in different jurisdictions)
- Ad blocking
- Cryptocurrency payments
