Industry Standards Collaborative Conversation
Notes: https://jamboard.google.com/d/1T9_ROiiWVOOeTnmIeCifH8PXaPiRs6GnpOUPG7lDY8E/viewer?f=7 https://pad.riseup.net/p/breakout2 https://pad.riseup.net/p/breakout1
The following are outcomes of various conversations
Greatest concerns users have and what they need from VPN providers to gain trust, and why
User worries regarding data:
- Where data is held and what the granularity of that data is
- What is the VPN doing, and what is it not doing
- Users may use the VPN as the solution to all problems, but ultimately don't know if there's more data (such as fingerprints) that they should be aware of
On trust:
- Users wonder about provider relationships to law enforcement
- Security and privacy should not be a matter of trust
- Would prefer to have mechanisms that make it impossible for providers to access data
- Trust has been applied retroactively, after the public at large learns of companies’ involvement in court cases
- Would like providers to proactively assure users of what is happening with user data
- Curious whether there can be an audit on what is actually on provider logs
Other questions and areas of concern:
- Is trust something that can be put into a company whose main motivation is profit, rather than privacy?
- Re: transparency reports - how do companies hand over data to authorities, and do they have any procedures or policies clarifying under what conditions they will surrender user data?
- More services with anonymous account creation alternatives (no email address)
- What happens when a VPN provider is bought by another company? What does that mean for user privacy and safety?
- Need clearer understanding and more transparency about how VPN providers protect user data, esp for high-risk users
- Trainers, and other interested power-users, could use more up-to-date explainers on the various modern protocols and ciphersuites
- So many questions from users still remain about the *legality* of using a VPN. How do we address these questions?
VPN Providers: How are you dealing with regulatory challenges and threats?
What some/most are already doing:
- They want to know as little as possible (e.g. “no logs”) so that they have nothing to hand over (including in case of seizure), and they don’t need to evade compliance. Being a good provider in this way makes their lives easier, actually. This is why minimum logging is important
- Tracking laws and regulations around the world, and potentially changing where they locate servers or operations as a result
- Being thoughtful about jurisdiction of the provider
- Outline: Separate server distribution from client app, so they are not banned in the App Store
Thoughts on future regulatory challenges:
- Threats to encryption and platform/provider protection when they claim not to know
- Vague/general regulation being weaponized against VPNs (static IP legislation, e.g., or potential WeChat/TikTok restrictions)
- Regulatory risks to the users as well. How do you educate your users? This is a responsibility as well.
- We focus a lot on US, but we are susceptible to weakest link
- Where is your company registered? What jurisdiction are you under? Is the law clear? If it isn't clear, can you interpret it differently?
- How do you deal with blocking of servers?
Thoughts on how they can do more
- Possibly lobbying, such as through the new VPN Trust Initiative. Can we do a regulatory statement around users in Iran, Russia etc.? How can this happen? Is there strength in numbers? Some are pushing for ESNI, how can we work together?
- Creating public pressure together as an industry
- Speaking as an industry protects against individual providers being targeted
- How can they connect more on a technical level (e.g. ESNI)?
Other Thoughts:
- Threats are infinite or evolving. Understanding laws and regulations around the world is a challenge.
- Many have had to relocate servers. Also, providers need to be conscious about where they are legally registered and what laws they are under.
- In places like China, Outline may be a good option.
- Things are changing quite quickly now. Laws can be vague or general, and can be weaponized to be used against VPN providers. What can we do in the future?
- How do you design your systems to help with threats/challenges?
- NordVPN CTO is working with researchers on an open source framework to help with digital threats. Also, there is the VPN Trust Initiative.
- Static IP address feature. That's a risk that needs to be highlighted
- NordVPN payments got banned in China
On creating public pressure
- How do you use lobbying and public pressure to help with regulatory threats?
- How do we put pressure on Apple and other companies that, for example, removed VPNs from the app store in certain countries?
- How do we educate users if the law penalizes them (not the provider)?
Researchers
Researchers were prompted: What do you see as emerging threats and what are your priorities and areas of greatest concern in the coming years?
- Concern: a lack of truly independent, portable, and cost-accessible infrastructure
- A lack of unity about protocols (TINA, WireGuard, OpenVPN, IPSec, etc)
- “too much PII leaking all over the place”
- Threat: More aggressive & more sophisticated censorship
- Priority: Stronger & more automated/adaptive censorship evasion
VPN Research previously has been unsystematic, required unsustainable, labor-intensive methods, and covers only a small slice of the market. There is a need for a data-driven VPN observatory.
___
Users think a VPN has all kinds of security, privacy, and anonymity. I'm worried that as well-financed and motivated actors increasingly test these, VPN technology won't be as up to the task as, e.g., Tor.
- Concern: Poor user education, and currently too much responsibility being placed on users to protect their own security / privacy
- Lack of clarity about what "zero logs" or "no logs" actually means unless the provider is taken to court
With more people working from home, VPN adoption and awareness has surged, yet there still exists no easy way for users to identify the right VPN to use or to evaluate them based on their personal threat model.
People over-trust VPNs, not fully understanding the risks they are still exposed to (malware/leaks/etc)
__
- Traffic/behavior analysis of the users
- The use of AI/ML to profile users rapidly
- Certain providers looking for monopoly in users' traffic
Issue Group Breakouts
Overall thoughts
- VPNs are not well suited for at-risk users. Needs to be evolved in order to be a suitable tool for at-risk users
- Newer protocols created to make VPNs resilient to blocking
- Follow-up workshop proposal: looking at the legal issues/history with Tor/VPN
- Payment system is a major point of attack. This is why blind token systems for payment or not requiring payments are critical
- IADL (International Association of Democratic Lawyers) can be a good group to empower/increase their capacity for technical know-how in order to support
- Having a people-centered, people-powered framework with technical solutions
- The trust relationship between client and server is broken if you stop identifying users, making them pay
Laws, Policies & Jurisdictions: Understanding the Current Climate
- Establish new calculus around developing legal strategies for VPN, especially around jurisdiction requirements. Combining that with public awareness/education for users so they can better
- Foster legal allies in other areas than just the US
- Legal support infrastructure is very thin
- Identify legislative threats. Yes, it will be more US-
- How do we approach this from a contracts issue? Example: if a user's access is being blocked, can the user raise a contracts claim to the service provider?
Building Dialogue Between Academia, Industry & Digital Rights Communities
What we would like to do/do more of:
- A joint working group would be awesome. Working group for the tech, working group for internet shutdowns.
- No structured approaches to check in with different areas/industries. etc.
- Even if talking about User feedback instead of always rating. We can be more proactive than reactive.
- Maybe there is a mailing list, monthly meetup. We can create the chat.
- More intersectionality helps all of us.
- We all need to talk to each other a lot more: the faster and more robust honest conversation, the better it is!
What would be good output, what can guarantee to be worth your time:
- Pitch a paper out (academia)
- Access of users and ability to help with this work (digital rights community)
- For companies like Jigsaw(@google) is mission driven. How can we convince our
- Acknowledgement and recognition: Higher ups recognize that we are accomplishing a mission, and also identify opportunities from users that are lacking.
- Opportunity to make an impact and engage with the community.
- Emerging threats where they can be useful (Tunnel Bear)
- Use platform to highlight policy struggles.
- Technical sounding board, where this is this security prompt, where they can reply with VPN technical folks team. Specific firewall rules etc. Where you can share best practices and exchange ideas.
- Industry experience with researchers is very helpful.
- Share stories / Story times with VPN. Their main use case is censorship.
- Values discussion and what you get back from the community
Signals of Trust for VPN Providers
A-ha! moments
- VPNs are not made for at-risk users, have not had the chance to evolve to be that tool.
- Different stakeholders communicating, it can evolve over time to be an appropriate tool for them.
- In terms of best practices, they can evolve.
Future challenges
- VPNs are expected to provide more than the VPN functionality in the future
- Repositories are removed by the market, governments, etc. There are many different ways that VPNs are removed. Users that need it the most will not be able to use it, because it’s removed from the Apple store, government forbids it, or you are doing something illegal.
- We have to collaborate to make VPNs harder to block
- Realization when the business is sold. The only way business is communicating is through policy.
- We are not dealing with issues countries outside with a lot of security incidents from the inside too.
Signals of Trust
- Community / stakeholders can work together to increase expectations and increase the bar. Inform users to understand, to bridge gap between different stakeholders.
- Influential researchers can identify what the credible signals are, and help users better understand how to figure out what they are.
- The idea of raising the bar if we found a way to collaborate better. There is a real need for more pro-active collaborations, monthly meetings, IFF Mattermost cha
What happens when your servers are seized? How do you get that rapid response between users and VPN companies? Talk about jurisdictional delineations. Legal strategies to optimize for your regional knowledge.
Need for robust communication with each other
- USA is no longer a safe haven for data.
- What people have in mind when we are ready for a time when it's not so legal to run a VPN company in a western country
Legal support infrastructure
- That legal support infrastructure is so thin. Such a thin line of lawyers that understand the technical implications.
- The legislation threats coming out in the USA (like the EARN IT Act). How do we in the freedom community demystify the BS? How do we attract this? How do we protect VPN servers?
- The law labs or clinics in other countries, introduce more of this, and work and recruit.
Transparency & Strategies in Repressive Environment
Questions:
How can we create rapid response to attacks?
Can VPNs be tailored to specific privacy concerns in specific regions of the world?
How do we bootstrap the process? How can users end up with a VPN they can trust?
Strategies:
- Simple: Maintain no logs so you can't share them!
- Enforce principles of least privilege regarding who at the company can access what.
- Have folks who constantly monitor the laws where jurisdiction applies.
- When jurisdictional regulatory changes happen: Have a plan-B, have other places to move the business to, but this can't happen overnight.
- Not clear how you can ensure that nothing changes within the organization itself
- Add some redundancy: ensure that big changes would require multiple humans to enact them, and that at least some of them would speak out if that were the case.
- For information you *can't* avoid having, operate those functions in countries that make it difficult for other countries to get
- Dealing with changes is very tricky. If someone were to purchase the company and they try to change the privacy policy, then what? Play out "what-if" scenarios; be prepared.
Upcoming Issues that will affect VPNs and what can be done
VPN removals
- Apple has publicly admitted to removing over 1000 VPN apps
- It's not acknowledged in their transparency report, where they only call out porn and gambling
Laws can conflict - e.g. constitution vs. government orders
Export of Chinese censorship apparatus
- If your solution doesn't work in China, it won't work in countries that they're helping / sending equipment to
Sophisticated blocking coming to more countries
- Countries may be doing shutdowns right now, but will they do more VPN-specific blocking if they buy more equipment?
Blackouts
- Not much we can do
Middlebox vendors in “more free” places selling their equipment
- In Belarus, Sandvine equipment was used, and they were forced to cancel the contract
More important than ever that VPNs provide privacy
- VPNs sometimes exit in countries with high personal data collection, so it's important to be aware
More governments making VPNs illegal
VPN abuses by government
There's an expectation that VPNs should be better
Harder to use banking services if your VPN is based in an offshore tax haven
Lack of transparency for VPN companies
Blocking is performed at many different levels
Interesting to think about financial industry and Hollywood, and their vested interests
- They may standardize, research, and aggressively develop server-side tools
- Maybe we need to ask "if it doesn't get you to Netflix, it doesn't work anywhere"