Following Team CommUNITY’s model of the Industry Standards Collaborative Conversation held at the 2020 VPN Village, the 2022 VPN Community Unconfrence brought together a diverse group of individuals working in and around the VPN ecosystem to discuss the most important challenges facing the industry.

Leading up to the event Team CommUNITY met one-on-one with researchers, commercial and non-commercial VPN providers, technologists and frontline defenders to better understand the key challenges they each saw in the VPN ecosystem. Based on these conversations and in a pre-event survey of participants, we narrowed down a series of prompts for the small group discussions.

Event Notes: Event Jamboard

Breakout Session One

The first set of breakout sessions separated participants into five groups based on their background: Users, Frontline Defenders and User Researchers; Academics and Researchers; Commercial VPN Providers; Technologists; and Technologists Working in Repressive Environments.

Users, Frontline Defenders and User Researchers

What are the most important challenges facing at-risk users in regards to selecting and using VPNs?

Cost and Payments

• Can I afford it? Many organizations are low on resources for basic operations, which means paying for a VPN isn't really an option.
• How do users working in censored environments manage payments? How do they avoid paid providers?
• Will payments for a VPN put a red flag on my bank account? Payments can expose that I'm using a VPN.

Legal Consequences

• What are the legal consequences for using a VPN in regions where it is criminalized? It’s challenging to understand the penalties.
  • India just passed a law that requires commercial VPN providers retain user data.
• 2 sides — What are the consequences when VPNs become 'illegal'? And VPN providers, what are the legal nuances in an international context?

Trust

• There's a lot of opacity in the VPN industry. Opaque ownership with possible conflicts of interest. Who are the owners?
• Which VPN should I use? People typically default to a VPN that someone they know is using. There's a lot of lack of understanding for users and even trainers.
• How do we know that a VPN provider doesn’t log information?
• VPN providers know your IP address and where you’re connecting from. Usually you trust the VPN not to share it.

Technical Literacy and Understanding of VPNs

• There is a lack of awareness of what a VPN is.
• How do I know if I’m experiencing censorship or my internet connection is just bad?
• There is a lack of technical expertise to set up a VPN.
• How do I find out which VPNs have better security?
• Individuals often don’t know that they are being surveilled or that they need to protect their communications until it’s too late.

Technical Limitations and Performance

• There is no app for my OS.
• "It's too slow".
• Services (not only streaming services) block VPNs.

Navigating Self-Deployed VPNs

• Looking for recommendations for self-deployed VPNs.
• NordVPN has a self-hosted option, but have heard that it may not be the best VPN option.
• WEPN - doesn't really require a lot of technical expertise and IP is not blacklisted, depends on hardware.

Researchers

What challenges and successes have you had collaborating with commercial and non-commercial VPN industry and end users in your research? How would you like to see your research applied in industry and the digital rights fields going forward?

Refer to Addressing Known Security Vulnerabilities

Challenges

• Reporting vulnerabilities and having them fixed is unnecessarily difficult.
• Technologically, we have to rely on VPN vendors, software and hardware vendors and middleboxes on the internet to fix vulnerabilities.
• Responsibility for vulnerabilities and fixing them can be shifted from vendor to vendor. “It’s not my fault”.
• Vendors may report fixing a vulnerability when it in fact has not been fixed.

Successes

• Some providers and operating systems have offered patches.