Growing With the People: How Outline VPN Providers Adapt to Support Diverse Populations

This session is part of the 2023 VPN Village, a two-week virtual series of events focused on VPN user education and solidarity. The sessions held over the last week of November and first week of December will focus on regional user education, legal challenges to using VPNs, and using and scaling your own circumvention tools.

• Date: Tuesday, December 5
• Time: 10am EST / 3pm UTC (what time is it in my city?)
• Who: José Gutiérrez, Carrie Winfrey and David Ho
• Location: BigBlueButton, Google Meet or Zoom (Link to the meeting will be shared with attendees the week of the event)

👉🏾 RSVP: https://digitalrights.formstack.com/forms/3vpn2023

Growing With the People: How Outline VPN Providers Adapt to Support Diverse Populations

Join us to discuss findings from research conducted with 8 VPN providers who have built unique services using the Outline technology stack. We’ll explore the lived experience of people using VPNs in different regions. And learn how providers have adapted to fit the needs—not only technically, but operationally and socially. This session is a preliminary preview of the research and intends to shed light into what VPN providers need now.

Speakers: José Gutiérrez, Carrie Winfrey and David Ho.

• José Gutiérrez, UX Researcher and Designer, is a curious individual who tries to make sense of the world he lives in. He researches humans to survive. A newcomer to the internet freedom space, José has explored research in physical security, circumvention, and internet shutdowns.
• Carrie Winfrey is founder and director of Okthanks, a collective of product designers, researchers and advocates pioneering technology for a freer, safer world. With a decade of experience and a passion for putting marginalized communities at the center of the design process, Carrie is molding the future of internet freedom around the world.
• David Ho is a UX Researcher at Jigsaw, a unit at Google that explores threats to open societies. He investigates the needs of at-risk users for better online safety and freedom. Among this work, he works closely with the Outline VPN team to explore the needs of Outline VPN service providers and users.

Notes

Download the Report

The User Research

The user research consisted of a series of exploratory and deep dive interviews with Outline VPN providers.

Provider Backgrounds: China, Nigeria, Uganda, Tanzania, Ethiopia, 4 in Iran, and 2 in Russian

• Exploratory Interviews: Talked to 8 providers - interviews of 1.5 hours
  • The providers ranged in their use of Outline: using the Outline Manager interface, using the Outline Manager, bootstrapping and updating their own service, integrating the Outline services into another tool or hardware.

• Deep Dive Interviews: Talked to 4 providers that built on top of Outline.

Censored Environments and the Lived Experiences of the Outline Providers' Users

• Censorship and circumvention are all unique based on country / region

• One thing in common across the board, governments will enforce controls during periods of heightened political tension.

China:

• If one website works on one internet provider, it may not work on another, so location within China can determine accessibility of content.
• Limitations to getting apps due to pre-approved apps in app stores, fear of physical search of devices.

From Chat:

• But it's interesting that Outline still exists on China version App Store, while many other VPN apps were removed.

• One key difference is that the Outline client app doesn't come with a service, so it doesn't require a license.

Iran:

• Lots of rotation of VPNs and apps depending on what works from day to day.
• Frustrating and tedious task for individuals.

Russia:

• Russian government are purchasing things from China, specialists and infrastructure.
• It's challenging to access Russian services from outside of Russia, in addition to dealing with censorship within Russia.

Sub-Saharan Africa:

• Infrastructure and internet connectivity and speed are additional hurdles.

Small Scale Outline Providers (<100 users)

• Few problems generally speaking.

• >100 users, number of challenges start to increase.

Large Scale Outline Providers (>1000 users)

• Adaptations: Automation, flexibility to move across servers, support, user management, VPN service

Large Scale Provider User Support

• Provide customer services 12 hours / day
• Use a ticketing system
• FAQ and documentation
• Telegram bots to respond to questions
• Community-driven support - can support each other with responses

Large Scale Provider Challenges

• Onboarding Experience: People get lost in the multi-step process.
• Censors Using Keys: Keys can be distributed to unintended users. Telecom providers can see the IP address and monitor traffic.
• Trust: If keys are distributed online, you can't always tell who is providing the service.
• Avoiding Detection: Keys linked to servers and when exposed, servers can be detected.

Needs for Large Scale Providers

Evolving Circumvention Tactics

• The censors are evolving
• Worried about their service being blocked
  • Outline leverages Shadowsocks, which has been effective generally speaking, but providers are looking into other protocols as they try to make their services more resilient.
  • You don't always know where the problems may be coming from - could be the ISP or elsewhere...

The Opportunity: New protocols, metrics to learn from the censor (collect anonymized data to learn more about what is happening when blocking is actually happening)

Improved VPN Experience

• Managing expectations

• The exception that a VPN will work 100 - 70% of the time is not a realistic expectation.

The Opportunity: Alleviate friction by providing education about realistic expectations when a connection cannot be made. Inform users of events - communicate when increased blocking is expected or communicate when the service is expected to be up again.

Troubleshooting

• When the user can't connect, we need more insights into why they can't connect.

• During censorship periods, the connection through the app is one of the only lines of communications considering other avenues might be blocked.

The Opportunity: Better service metrics, direct communications...

Communicating Status

• Users usually don't know what their current bandwidth usage is.

The Opportunity: Usage displays. Display the amount of data consumed by the app. Big way to reduce support questions.

Split Tunneling

• Allows specific traffic to go through the VPN, while not having other traffic go through. Ex. have specific app traffic through the VPN, but not for the rest of apps.

• Example: Allow traffic for most apps on VPN, but not for apps related to local services that require local connection (banking sites etc)
• Participant Comment: On the topic of split tunneling, in Iran domestic bandwidth is half the cost of international bandwidth for end users. So when they use VPN all of their traffic is considered international and will be billed double the domestic bandwidth. Split VPN can help reduce their cost.
• Participant Comment: Also, in certain cases government websites monitor IP addresses of incoming requests and can use that to identify VPN addresses and report them to be blocked. Providers sometimes block outgoing traffic from VPN to Iran/CN to prevent this. However this can also be done on the client side with Split VPN.

The Opportunity: Provide split tunneling.

Content Controls

• Limiting the content that people access through the services (ex: torrenting)

The Opportunity: Content control for providers to mitigate abuses and misuse of their service. Importantly, need to note the costs and the potential legal implications of these content controls.