September 17 2020 GM

Time: 9:00am EST / 1:00pm UTC+0

Where: IFF Mattermost Square Channel. Email us at team@internetfreedomfestival.org if you need an invite.

What: This VPN Glitter Meetup is part of the IFF VPN Village program. We want to hear from our community on what issues or questions they have when using VPNs in their respective regions. The goal of this meetup is to provide the community with a place to map out challenges and brainstorm on possible next steps that we can do collectively as a community. To enhance this, we will invite a few key VPN researchers to participate and provide guidance. This is a chat-based meetup.

Topic of discussion: VPN

This is the VPN Glitter Meetup, part of the IFF VPN Village. We dedicated this Town Hall to brainstorm our questions and concerns about VPNs, as well as working on teams to specify what are the needs of the community.

Questions, needs and concerns:

• What VPNs protect you from?
• What do VPNs offer beyond what HTTPS does?
• How does Intra work?
• More information about WEPN?
• How to figure out who is good or not: how do you know if they log? What is Outline? Why is everyone talking about it?
• Should we be recommending VPNs or Tor? Or both?
• Why is DNS + VPN on Linux so headache-inducing every single time?
• More discussions about DNS over HTTPS (particularly on android)
• Is it worth it to run your own VPN if you are a non technical person?
• What is the experience of the community with Outline: what troubles do they have? Pain points. Do servers get blocked?
• What countries block VPNs? How can we track that?
• How do VPNs really work? (in one sentence or a neat analogy besides"tunnel")
• If you wanted to run your own VPN, either at home or on a server you own, what would be your biggest concern?
• For commercial / third-party hosted VPNs, how do we know if they are living up to their data / zero-knowledge commitments?
• What good resources can we use to find VPNs in general?
• Is it legal to use Intra in the UAE and other countries where VPNs are forbidden? (Intra is not a VPN, it doesn't redirect traffic)
• Are there "free" VPNs that we can trust? If not, why?
• Why do people want to run their own VPN?
• What VPNs are circumvention-forward? (Least likely to be blocked)how do these VPNs manage that?
• Do you always use a VPN?
• What are the legal consequences of using a VPN?
• How do countries block VPNs? (Or are they just illegal, but not blocked?)
• Do people feel safe using VPNs? (IN a local sense - as in, from repercussions)
• Best practices around VPNs for users: Always on? Find one provider and stick with them? Host my own?
• What are the cases in which we should recommend to use a VPN for?
• More VPN concerts from the IF Community here

Some of these questions and concerns were answered:

• How does Intra work?
  • At a high level, Intra uses DoH and packet fiddling to get around censorship or hardcore phishing (as in VZ) based on domain name (not IP - e.g. DNS + SNI) in certain circumstances. A network snooping hard would still be able to see what domains you're visiting, so it's not a super-strong privacy tool.

• How do VPNs really work? (in one sentence or a neat analogy besides"tunnel")
  • There are a bunch of nice analogies on the Sideways Dictionary
  • We can use the expression "armored tunnel" to explain to people that the tunnel protects you from snooping as well as getting you somewhere else

Some of the things that the community would like the VPN Industry to adapt in the future.

• The VPN industry is full of shady practices/communications. The community would like to see some kind of standards for signaling which VPNs are trustworthy. A good example is CDT's attempt to do work at industry norms setting. They made good initial progress but got stymied by VPNs not really wanting to go further.
• It would be great if there was a standard list of parameters that every VPN should answer clearly on their website. Things like logs policy, protocol, how data is protected, security audits, etc. That One Privacy Site has something similar to this too.
• More transparency on where the VPN endpoints are located, if they have security audits, are their logging practices known?
• It is often not clear for non technical users what accounts for a trustworthy VPN and what are the different factors that one needs to look into for choosing VPNs. Technical folks work on their own Threat Model but this is not enough.
• Non-technical people should have a simple threat model clear based on the impact they could receive, how to prevent the harm, and clear mechanisms.
• There is a need to make VPN apps cute (like TunneBear). Many apps seems intended to hackerish type of people.

Tools to help you with the educational journey:

• Graphics to help visually illustrate how a VPN works.
  • EFF Work: Tor and HTTPS
  • EFF Work: Choosing a VPN
• We need to explain VPN better, simpler and more often, explaining at the same time how important is to understand how the internet works.
  • Sideways Dictionary Work
  • Jigsaw Work: Automatically Delete Data
  • A good solution would be creating a video with several sections: There are these N types of VPNs / For Watching X, use these free VPNs / For accessing web in a coffeeshop, use this type / For doing something sensitive, use X
• Tools like IETF, a new internet standard that will allow to be logged in privately.