“All of them claim to be the best”: A multi-perspective study of VPN users and VPN providers
- Date: Thursday, December 1, 2022
- Time: 11am - 12pm EST / 4pm - 5pm UTC (What time is it in my city?)
- Who: Reethika Ramesh, CS PhD Candidate at the University of Michigan, and lead researcher at VPNalyzer
- Location: Zoom
All of them claim to be the best”: A multi-perspective study of VPN users and VPN providers (Presentation and Q&A)
Earlier this year the VPNalyzer team “All of them claim to be the best”: A multi-perspective study of VPN users and VPN providers, reviewing the key findings of their study of 1,252 VPN users and qualitative interviews of 9 VPN providers which highlights the human factors of VPN use. In this session, join Reethika Ramesh, lead VPNalyzer researcher and co-author of the aforementioned paper, to hear about the key takeaways from the VPN user survey and VPN provider interviews and find out about new developments with the VPNalyzer Tool, a desktop tool that helps test and identify security and privacy issues with your VPN.
Bio: Reethika Ramesh is a fifth year PhD Candidate at the University of Michigan. She is the lead researcher at VPNalyzer: an academic research project that analyzes the VPN ecosystem through large-scale data-driven studies. She also investigated Russia's decentralized national-level censorship system, including their throttling of Twitter in March 2021.
Notes and Resources
"All of them claim to be the best": A multi-perspective study of VPN users and VPN providers Slides Additional Resources: Investigating Influencer VPN Ads on YouTube
There hasn’t been much research into the human factors that affect VPN use, however there has been more technical / security research into VPNs
Unanswered Questions about VPNs
- Why are users turning to VPNs?
- Diminishing trust in ISPs?
- What is the impact of dark patterns and marketing on usres?
- What are the incentives in sustaining such practices?
User Survey Overview
Disclaimer: This is not a comprehensive study. It’s based on US users and a select number of providers.
- Launched in March of 2021
- 1252 U.S. users
- Over 1500 users from 40 countries
Survey consisted of 27 questions. User types were determined based on subscription preferences (paid v. free) and technical expertize level.
What are users’ needs and considerations?
- GUI ease of use
- Logging (only for high expertise users)
What resources did users use to find VPNs?
- Google Search
- VPN Mentor
- Recommendation websites (95% of respondents felt these sites were trustworthy O_O)
- People are more likely to use a service if they have an emotional connection to it (it makes them feel “safe” etc.).
- Almost 40% of users have a flawed mental model, including users of all expertise levels.
A large number of people believe that VPNs have access to much more data than they actually do.
VPN Provider and User Alignment
- Mental Models
- User mental models are flawed and providers know this.
VPN Provider and User Misalignment
- Reliance on Recommendation Sites
- Most providers agree that recommendation sites are not reliable
- View on Data Collection
- VPN providers think that their privacy and logging policies are clear, but users are not clear about them.
- Oversight on VPN ads and marketing
- Attention to flawed recommendation sites
- User education campaigns need to be improved
- User VPN mental model, what a VPN can do, the threat models for which a VPN can be useful.
- Organizations need to focus more energy on VPN education.
Surprising that in the US people are more concerned about hackers than the government? Are Snowden and the like getting less popular?
- Definitely, this is related to the cultural shared image of hackers.
Do you have any plans to expand this research to examine VPN usage in other countries?
- The VPNalyzer team is adapting questions to other countries facing censorship.
As Wireguard gains popularity across VPN providers (disclosure: we - Mozilla VPN - use this protocol), do we know if it's been fingerprinted either in academic circles or in the field?
- If you mean DPI being able to recognize WireGuard for sure. Because WireGuard is not making any particular effort to be obfuscated.
Is there a timeline when the VPNalyzer tool will be made available for download? There are many people that need VPN because of the context.
- You can join the VPNalyzer mailing list to be updated of the public release.
Have you seen follow up from the providers?
- No efforts have materialized, but they are thinking and having conversations based on the recommendations of the research.
Insights on VPNs and Iran, China or Russia?
- There’s a community in Github where they update on how things have been blocked: https://github.com/net4people/bbs/issues
How did you choose the VPN providers to look at?
- They started from IFF Mailing list checking of VPN providers. They identified specific email addresses to connect with CEOs and researchers of those companies. Of 15 people they connected with, there were 10 responses. Once they confirmed the interviews, they started the analysis to see if the research was making sense.
Were they all US-based providers?
- At the time of the interviews, we were not sure of that. After we closed the process, we saw that there were a variety of locations.
After the research went live, were there more providers that were interested in participation?
Have you talked to the providers about their logging policies?
What Enterprise security tool is now used in practice for detection of VPN traffic? Like particular name or just referring to DPI
Do you have any reference of studies on the use of VPN for circumvention worldwide?