Resources

• “All of them claim to be the best”: A multi-perspective study of VPN users and VPN providers - VPNalyzer
• VPNalyzer Site
• Investigating the VPN Recommendation Ecosystem
• NordVPN Ad Banned for Exaggerating Threat of Public Wi-Fi

Notes

Updates

• VPN Village 2022
  • Proposed dates: Week of November 14
  • Opportunity to host hour-long presentations, discussions and workshops related to the VPN ecosystem that are open to the broader internet freedom and digital rights community.
  • Opportunity to host invite-only discussions around specific VPN-related topics.
  • Previous VPN Village Sessions:
• VPN User Needs Discussion with Myanmar Frontline Defenders
  • Discussion to address criminalization of VPN use in Myanmar and approaches to safely using VPNs and circumvention tech.
  • Need for data on what is going on on the ground in Iran to find ways to respond rapidly to the censorship situation.

Presentation

VPNalyzer User Survey Slides

Questions that remain unanswered from the user survey:

• Why are users looking to VPNs?
  • Distrust of ISPs?
  • Geo-locked content?
• What are the perceived benefits of using a VPN?

Survey Overview

• Over 1200 users in the U.S participated in the survey.
  • 1500 responses were received from users in over 40 countries.
  • There were 27 questions in the user survey.
• 9 VPN providers were interviewed
  • CalyxVPN, Hide.me, IVPN, Jigsaw Outline, Mullvad VPN, RiseupVPN, Surfshark, TunnelBear VPN, and Windscribe were interviewed.
  • 15 questions were asked of each provider on average.

User Subsets
Users could ultimately be grouped by:

• Expertise level
  • Expectations around logging more of a priority for experienced users.
• VPN payment preferences
  • Price was important for limited to moderate experienced users. However speed still prioritized by users over price.

Emotional Connections

• Do users have any emotional values associated with chosing and using a VPN?
• Users using paid VPNs tend to feel safer while using a VPN than users who are using a free VPN.

Mental Models around VPNs

• Results found flawed mental models around how VPNs work and what they do across expertise levels.

Alignment between users and providers
Privacy

• Respect for user privacy results in limited information about user habits and needs.

Mental Models

• VPN providers agreed that they believed users had flawed mental models around VPNs.

Misalignment between users and providers
Reliance on recommendation sites

• High portion of people who use recommendation sites, think that they are really trustworthy.
  • Users think they are reliable.
• Providers believe they are not reliable - the recommendation ecosystem is not objective.

Data Collection

• Over 40% of users are not sure about what data is being collected about them.
• Providers think that they share clear and accurate information about data privacy and logs to the users.

Recommendations from the Report

Oversight on VPN ads and marketing is sorely needed.

• NordVPN ads were blocked in the UK because they were found to be misleading.

Attention needs to be paid to flawed recommendation sites.

• Investigating the VPN Recommendation Ecosystem

User education campaigns are needed.

• What does a VPN do?
• What threat models are VPNs actually useful for?

Additional Notes on the Report and Report Recommendations

• VPNalyzer is working on expanding the survey to address users with different threat models (VPNalyzer will advertise any updated survey with the community.)
• Reasons users are using free accounts outside of Western Europe and North America:
  • Sanctions (payments)
  • VPN monitoring, tracking and cat-and-mouse blocking.
• Think about all of the different things that the user should be doing, not just recommending VPN.
• Participant Comment: Providers are not incentivized to make the recommended changes in the paper.
  • What can incentivize them to make these changes?

Presentation Q&A

What advice do you have to convey the message that recommendations sites are not trustworthy?
Should you share trustworthy recommendations sites? Or just tell people not to trust the sites over all?

• Compile a list of trusted resources to share yourself.
• Security Planner can be a good resource for users. Includes resources outside of VPNs.
• The clearest filter is to check if the recommendation site has affiliate links on it.
  • The best recommendation sites will not have affiliate links.
    • PC Mag and other big sites will have affiliate links.
    • Freedom of the Press Foundation, Consumer Reports, Wirecutter all have non-affiliate recommendations.

How do users learn how to recognize affiliate links? How do they learn what the implications of affiliate links are?

• You usually have to look at URL parameters.
• The average user will not be able to recognize what an affiliate link is.
• Maybe this is where regulation is required.
  • Forcing disclosure of affiliate profits.
• It's uncertain how many of the recommendation sites are hosted in the US and are subject to US laws.

Open Questions

• What about expanding the research to a wider user audience?
• What were the provider profiles that you interviewed for this project?