How to Critically Choose a VPN

From TCU Wiki
Revision as of 11:03, 19 January 2023 by Erin (First Draft Session Notes)
  • Date: Wednesday, December 7
  • Time: 10am to 11am EST / 3pm - 4pm UTC
  • Who: Viktor Vecsei, COO at IVPN
  • Location: Zoom

RSVP: https://digitalrights.formstack.com/forms/vpnvillage2022_4

How to Critically Choose a VPN Service (Talk and Q&A)

In a market so saturated with commercial VPN providers, it is a challenge not only to determine if you need a VPN or not, but also to navigate search results and the network of VPN review sites as you try to find a trustworthy VPN.

What are the key things you should look for when determining if a VPN service is trustworthy? How can you determine if a VPN recommendation site is legitimate? What red flags signal that you should steer clear of a VPN provider?

In this session, you will learn how to recognize signals of trustworthiness in VPN providers and more effectively analyze VPN recommendation resources in your search for a VPN service that respects your privacy, safety and security as a user.

Note: This session is not geared toward high-risk users or those for whom anonymity and/or circumventing severe censorship is a necessity.

Bio: Viktor Vecsei is a privacy activist, researcher and writer. He is the COO at IVPN, a privacy-focused VPN provider, where he works on increasing transparency, honest communication and improving ethical standards in the commercial VPN space.

Notes & Resources


What will this session do?

  • Provide tools to critically analyze and choose a VPN service

What will this session not do?

  • Give specific recommendations
  • Say anything negative about certain providers

Before you start to choose a VPN service, you need to ask “Do I need a VPN?”

  • A VPN is not going to protect you 100%
  • VPNs are not a one-button solution to all of your privacy problems.

Threat modeling is key to determining if you need a VPN or not.

  • Use Cases:
    • Circumvention
    • ISP surveillance
    • Untrusted Wi-Fi networks
    • Geo-blocked content

What makes a good VPN?
Can you trust the VPN? How do you find the right service?

  • Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise.
    • Search Results
      • Highest ranked sites are all tech magazines and VPN review sites.
      • There is a lot of money to be made in ad revenues
    • VPN Sponsorship
      • They usually don’t have any technical expertise or background.
      • They are often incentivized by monetary gain.

Route 1: Trust the Experts (The easier route)

Route 2: Do it Yourself

  • Do not default to trust. Make the VPN provider work for your trust.
  • Start with a long list and narrow it down.
  • Review the provider's website and work through a checklist.
  • Be vigilant.
  • Do a safety check (searches, forums etc.).

The VPN Provider Checklist:

  • Jurisdiction
    • Transparency / accountability
      • Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections.

Red Flags (Avoid)

  • Overpromising
    • Promises perfect privacy or anonymity.
    • Best / fastest service (yellow flag, not so red).
    • Promises “military-grade” encryption.
      • This is just meaningless marketing jargon
  • Privacy Policy
    • There needs to be a policy.
    • It should be clear and concise.
  • No transparent ownership
    • You want to see clear ownership so that there is full accountability.
  • No details on security practices
    • This is hard to do if you don’t have a security background.
  • No audits
    • There needs to be an independent auditor.
    • It should be an auditor who specializes in VPN or technical audits.

Yellow Flags (Proceed with Caution)

  • Trackers on the website or in the VPN app
    • This means they don’t fully respect your privacy.
      • It’s for marketing and website optimization in most cases.
    • In the AppStore, Apple will tell you what the VPN actually tracks in the app.
  • No legal guidelines
    • How do they handle law enforcement requests?
    • You want to see transparency reports
  • Too good to be true deals
    • Multiple years for under 50 USD etc.
    • Lifetime accounts
    • These deals are not sustainable, or the provider needs other ways to make money
      • Selling browser data etc.
  • Fear / Uncertainty / Doubt
    • Service stoking user fears to get them to use VPNs
  • Dark patterns
    • Fake countdown timers
    • Exit consoles
  • Social Proof tricks
    • Made up user numbers
    • Trustpilot problem
      • It’s really easy to purchase reviews
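
One way to run the "trackers on the website" check from the list above yourself. This is an added example, not part of the session notes: the tracker host list is a small illustrative sample, and the provider domain vpn.example and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative sample of well-known analytics/ad hosts (assumption: a real
# check would use a maintained blocklist instead of this short set).
KNOWN_TRACKERS = {"google-analytics.com", "googletagmanager.com",
                  "connect.facebook.net", "doubleclick.net"}

class ResourceCollector(HTMLParser):
    """Collect hosts of external resources the page tells the browser to load."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        for name, value in attrs:
            if name == "src" and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)

def matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_page(html, site_domain):
    collector = ResourceCollector()
    collector.feed(html)
    third_party = {h for h in collector.hosts if not matches(h, site_domain)}
    trackers = {h for h in third_party
                if any(matches(h, t) for t in KNOWN_TRACKERS)}
    return {"third_party": sorted(third_party), "trackers": sorted(trackers)}

# Constructed sample of a provider home page (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://cdn.vpn.example/logo.png">
<img src="https://stats.g.doubleclick.net/pixel.gif" width="1" height="1">
<iframe src="https://status.example.net/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "vpn.example"))
```

This only sees resources referenced in the static HTML. Trackers injected by scripts at runtime, or embedded in the VPN app itself, need a browser's network log or the app store privacy labels mentioned above.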

Green Flags (Big Pluses)

  • Open source
  • Minimal information for sign up
    • Some providers don’t even need an email address for sign up
    • Your provider should only know minimal information about you.
  • Uses the latest protocols available
    • WireGuard is the gold standard and the default for the best providers.

Once you've narrowed down a trusted shortlist, choose a service based on other preferences:

  • Price point, platform support, server locations, streaming support.
  • Killswitch
  • Multi-hop (allows you to jump through multiple servers in different jurisdictions)
  • Ad blocking
  • Cryptocurrency payments