July 28 2022, VPN Community Gathering
From TCU Wiki
Past Event Updates
- VPN Community Unconference Report Out
- August Africa Monthly Meetup focused on use of VPNs in Sub-Saharan Africa.
Resources
VPN Trust Initiative (VTI)
i2coalition
CDT Signals of Trustworthy VPNs
- Unedited Answers: Signals of Trustworthy VPNs - CDT
- CDT Launching Effort to Improve Trust in VPNs - CDT
- Helping Consumers Choose a Trustworthy VPN - CDT
- Signals of trustworthy VPNs – a multilateral initiative - Mullvad Blog
- Signals of Trustworthy VPNs – Talking Tech w/ Joseph Jerome - CDT
- The CDT Presents: Signals of Trustworthy VPN - TunnelBear Blog
- Signals of Trustworthy VPNs – Quick Questions for VPN Services - CDT (PDF)
- VPNs - CDT
Notes
Project Updates
Outline / Jigsaw
Overview of Projects from Jigsaw:
- Prevent
- Mitigate
- DIY VPN: https://getoutline.org
- Serverless circumvention: https://getintra.org
- Expose
- Near real-time Google traffic data.
- Collaboration with CensoredPlanet on pipeline, methodology and dashboard to explore censorship measurements.
- Ongoing methodology collaboration with OONI
- netanalysis open source library, including sync_measurements for OONI, fetching Google Traffic data and measure.sh blocking test.
More and more communities are running Outline servers and offering them to communities for free.
- Access is distributed via Facebook groups and Telegram channels.
- It's hard to trust these communities. How can you create a marketplace for these VPNs and ensure people can trust them?
- Interesting property of Outline is that anyone can run a VPN so you don't have to trust your VPN provider.
- However an inverse problem seems to have arisen and now there is a question of trusting these community VPNs.
- Call to action written by Sen. Wyden and Rep. Eshoo to FTC about VPN ecosystem and lack of regulation.
Presentation
Viktor from IVPN presented on the need for an inclusive and collaborative approach to establishing VPN industry trust and ethics standards.
Notes
- The talk is geared more toward commercial VPNs, potentially not so much for providers with other use cases like Outline.
- IVPN use case is most focused on privacy.
- As a result of the lack of education around VPNs, users are misinformed about trust signals.
- Providers cannot agree on a baseline for evaluation.
- Ideal would be to be able to create an independent framework to sift the trustworthy providers from the rest.
- There have been several initiatives to address signals of trust / industry standards / guidelines.
- CDT trust signals: Project born at RightsCon
- Failed to have wide reach and get more uptake
- VPNalyzer is another project for evaluation of VPNs
- VTI
- Aimed to present commercial providers in a good light as opposed to holding them to a higher standard?
- There are providers that participate who discredit the trustworthiness of the efforts.
- There are also independent reviewers:
- ThatOnePrivacyGuy was sold to a VPN review site that is now owned by Kape Technologies (owner of ExpressVPN etc).
- PrivacyGuides
- They look at ownership, logging, open source etc.
- They are pretty restrictive; they don't share information about how other providers fail these quality checks.
- Need: Establish a trusted, open framework created by independent contributors
- Tier structure (listing providers based on meeting set criteria).
- Not an endorsement site.
- Evaluation based on...
- Transparency
- Ownership
- Infrastructure
- Protocols used
- Marketing
- Kill Switch
- Strong privacy policy
- Key problems…
- Who agrees on the rules?
- Can we set objective criteria?
- Who verifies providers' claims?
- Some providers won’t agree or participate
- How can we reach a large audience and make an impact?
- Do you want to protect people from things that they don't understand?
- Impact - How do you make this impactful? How do you make sure it has reach?
Discussion
- What data can the provider take from the user, and what can be done with it, now that most traffic is encrypted?
- Google Transparency Report
- 10% of the web (Explorer users) is unencrypted
- Majority of people are sending raw DNS
- VPN providers can make good income on DNS info
- Metadata is the key valuable info.
- Are VPN providers actually selling user data?
- There are free providers that have millions of installs. Maybe they aren't selling data, but the question is open.
- Google Transparency Report
- VPNalyzer: Working with a friendly ISP to see how much you can learn about a user from the ISP.
- You can detect if specific users of that ISP in a region are Muslim.
- You can build a profile easily from metadata alone, and a VPN provider can see this metadata too.
- Surveillance is a big problem
- In the US, with the fall of Roe v. Wade, there is an open question about what the ISP or VPN provider is logging around reproductive care.
- Recommendation: Use HTTPS only by default.
- Will depend on the user and the threat model.
- Guides and methodologies often fail because we don't take into account different threat models.
- For this kind of user, this is what matters. For these users, this is what matters.
- The question that came to mind: Do we even have a list of use cases?
- A user who is using a VPN to bypass filtering may not care about targeted ads.
- Or maybe you are trying to bypass targeted ads.
- How are we going to create a framework when we don't have the actual use cases for some of these VPNs in our own communities?
- Who is validating the VPN providers in our own community?
- Some VPN providers have zero presence in certain regions (especially in Africa); what are the actual use cases these VPNs are being created for?
- Let's create a framework that can be applied within the community as well.
- Shutdowns, censorship and surveillance are regular challenges in Sub-Saharan Africa.
- The Team CommUNITY Africa meetup has great notes on this.
- When you are working with at-risk users, you need to be able to show that you are familiar with the tool and have a connection with its developers.
- There are 3 levels: ISP, VPN service, Client
- Who do you trust more?
- In different regions it may shift drastically.
- What if the VPN client let me send only my Netflix traffic through the VPN?
- Centralized VPN providers control both the service and the client, so they control what you can and cannot send through the VPN.
- Onion routing system with VPNs?
- Requires a client independent of the provider.
- Providers could provide standard protocols that can function with different clients.
- Can I tunnel my traffic to another government to hide my traffic from my government?
- It's not about an ISP adversary, it's about government adversaries.
- Separation of client and service:
- This is possible, but generally only with the better providers.
- Some of the better providers offer split-tunneling
- Choosing a VPN
- 1st question: Do you need a VPN?
- 2nd question: Do you trust the VPN more than your ISP?
- After you have said yes to these first two questions, what comes next?
- ISPs package, collate and sell data on a mass scale
- FTC report
- There is not a clear solution for the diversity of problems and use cases that we face.
- What is a VPN?
- VPN is the kingdom or the phylum, but what are the genus or species within it?
- Maybe it will be helpful to start branding VPN use cases into profiles.
- Some providers use special naming for gamers avoiding DDoS attacks, for example.