VPN & Policy

From TCU Wiki
Revision as of 09:56, 4 June 2021 by Iffadmin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Workshop: VPN & Policy


Date:Tuesday, November 10

Time:10am - 12pm (EST) / 3pm - 5pm (UTC+0)

More and more countries are passing laws that criminalize the usage of VPNs. For this two-hour workshop, we will be bringing together policy experts who can share the various strategies and legal frameworks being used to counter this growing criminalization. We will examine the impact on the VPN industry, how (or if) they have changed their business model, and challenges rising in the future.

  • Trends across the globe in the last few years, including how GDPR is impacting VPN policies
  • What TunnelBear has observed in places where VPN usage has been criminalized
  • How policy changes have impacted their anti-censorship framework.
  • Data Privacy laws and the the EARN IT Act's potential impact on VPNs
  • Proactive VPN policies that can defend user privacy


Shames Abdelwahab is TunnelBear's advocacy and community manager. she works on facilitating partnerships, campaigns, and community initiatives as part of the VPN provider's anti-censorship team.

Vadym Gud is a Researcher and Trainer at Digital Security Lab Ukraine, where he helps at-risk organizations and communities to build defenses against digital threats. He will be discussing During 2017-2018 he worked as an independent digital security consultant and conducted digital security workshops and SAFETAG-based digital security audits, as well as provided direct technical support to at-risk individuals inside the Ukrainian anti-corruption and activist communities. In 2016 he was a School of Data’s Responsible Data and Digital Security Fellow, focusing on topics of responsible collection, storage, and usage of sensitive data. For the last three years he co-authored and maintained two online courses on digital security for international alliance of civic society organisations.

Alexis is a technologist that focuses researching the intersections of consumer privacy and mobile technology. She is very passionate about encryption and tech equity for all. She has been assisting activists and educators with their tech needs for almost 10 years.

Joey Salazar is a software engineer passionate about open source and e-learning. Previously, she was a systems administrator in Costa Rica, a full-stack programmer intern at Hebei Software Institute in China, and an open source developer at Internet Systems Consortium where she worked on the DNS server BIND. As Programme Officer with ARTICLE 19’s Team Digital, Joey leads the team’s IETF engagement program focusing on policies, standards, and protocol implementations. In particular, her current work focuses on DNS and its related privacy and censorship considerations.


Shames Powerpoint Presentation

  • In the last 10 years, Tunnel bear has seen a rise in Cyber sovereignty, which is applying sovereignty principles to cyberspace. This is used to legitimize acts like the censorship of content and data localization practices. This was spearheaded by China.
  • How much cyber sovereignty matters. Bad state actors are normalizing bad digital acts by authoritarian entities.
  • Iran, Russia fight very hard to block VPN because its a way around cyber sovereignty
  • VPN is not banned in mainland China, but it can be subject to fines.
  • In Iran the government has gone to great length to discourage citizens form using VPN. Use is not unlawful but selling is punishable. The legal VPN initiative Iran government is working on, scares many digital rights activist, because surely they the government will have access to what you are visiting etc.
  • Tunnel has build their anti-censorship framework across 4 levels of censorship

1) Distribution/access

2) API blocking (Domain fronting; esni)

3) Connecting to a VPN (OBFs4, none PII telemetry)

4) Maintaining a VPN connection (OBFs4, none PII telemetry)

  • China is more aggressive than the other countries about 3 and 4.
  • For companies and organizations that process data of Europeans, GDPR lays out data principles to ensure the lawfulness, fairness and transparency of the process. They enforce data minimization and data up-to-date, they help orgs to stay accountable to the data they collect. This has had an effect on Tunnelbear. They started to increase the user's ownership of their data> As an example, users can download their data, and they can also delete their data.
  • Good VPNs should have data minimization already be embedded in their business models, but GDPR compliance helps.
  • GDPR brought a lot of conversations about responsibility into the VPN industry. There has been a push for regular security and transparency reports and building trust and accountability standards, that in the long wrong, makes the industry less susceptible to laws that try to crimimalize the use of VPNs.

..... Alexis from EFF

  • The EarnIt Act was proposed by Barr, the current attorney general.

- The bill has contingencies that undermines free speech in the USA. Specifically section 230, which says you are responsible for what you post on platforms and not the platform. They also want to make Its possible to build backdoor into encrypted messaging systems.

  • Earn It Act affect on VPN Usage

- VPN provides encrypted communications, which is directly tied to the language of this bill.

- Commercial VPNs could be subject to a potential task force that approves and asks for client side scanning, a system that effectively breaks end-to-end encryption.

- Commercial VPNs would either fight, comply, or pull out the US altogether.

- VPN logs may be subject to abuse by law enforcement.

  • More public awareness about privacy so VPN usage has gone up.
  • How VPN Companies can Help Users

- Don’t Delay or neglect to disclose breaches

- have transparent policies on usage, security and storage of user data

- explicits map and audit servers to outline what juristicication these services fall under, and communicate that regularly.

- no fantastical descriptions, plain language about what you offer and how.

- proactive navigation of privacy law

  • Antivirus companies didn’t work or trust each other, they didn’t innovate, and have lost confidence from users. This is why its so important for VPN companies to not repeat that pattern.
  • The CLOUD ACT is very problematic and expands surveillance cross borders.

https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data The supercharged,

UK-US CLOUD Act Agreement: https://www.eff.org/deeplinks/2019/10/race-bottom-privacy-protection-us-uk-deal-would-trample-cross-border-privacy

- Enable foreign police to collect and wiretap people’s communications from US companies without obtaining a US warrant.

- Allow foreign nations to demand personal data stored in the US without prior review by a judge

- allow the US president to enter “executive agreements” that empower police in freight nations that have weaker privacy laws than in the US to seize data in the US while ignoring privacy laws.

- Allow foreign police to collect someone’s data without notifying them about it.

- Empower US police to grab any data, regardless if its a US person or not, matter where it is stored.

They can client scanning software the will only be for law enforcement.

  • What are Consumer Privacy Hopeful stories?
  • Brazil, Barbados and Panama have been the first countries in the region to adopt GDPR inspired data protection laws
  • Also the CCPA california consumer privacy act) in the US also influenced by GDPR and great.
  • Privacy is only a recommendation not a requirement in the US.
  • Side note, tech companies should share info about policies threatening it. VPN companies take a stand help consumers see what’s in front of their face. ALSO Transparency

Malware VPN Bonding together and helping mobilize folk

Shames Tunnel bear - one of the most remarkable criminalization in china and iran. where they have a specific way to enforce their regulations and enforcing protocols

Alexis Earn act and cloud act. Which both seem to work together to create a lot of vulnerabilities in everyone’s encrypted services. to open backdoors for law enforcement, but then it means that everyone has access to it.

Using a VPN is the only way you can get full and private internet access in Russia. This is, unfortunately, why Russia bans any VPN that doesn't comply with its censorship laws. There is a list of government-approved VPNs. 

Export legal framework

We need to work together. And involved in policy that protect user data and prevent censorship.

Anti-virus software. Malware developed so fast that the anti-virus software over promised, and did not bond together. A lot of people lost trust because it wasn’t working. lack of innovation, standards, or proactivity

immunity passports A lot of laws we have seen in proposals in latin america and others, centering certain applications, to show your testing status or immunity status. What does it look like to enforce this technology on the border. Countries can influence others we are doing this with covid, you should also adapt this technology, so there ease between us. In the pursuit of reopening the economy. So data privacy on the border.

Rodrigue We have seen it and not a way that can be measured. If censorship is happening in a specific technical way. WE don’t see one model and then happens to 20 other countries.

Policy themselves take a lot longer.

It has happened a long fspread of time.

Export of language to justify -= language around child exploitation to Access and police and msging system. Language travels faster than laws.

This may be interesting in this context, the author tracked the global diffusion of information controls (both in the form of training and technology): https://www.opentech.fund/news/examining-expanding-web-chinese-and-russian-information-controls/

Working academic project looking VPN ecosystem, crowdsource data collection.

14 eyes, don’t share data. no logging.

vpnalyzer.org — this is our website, we don’t have too much information about our work there yet. We’re still working on building the tool I talked about, and a few other projects around VPNs we are doing. But we will definitely reach out to you all via the IFF mailing list/mattermost when we are launching. Meanwhile, feel free to reach out to connect with us (reethika@umich.edu, my advisor is Prof. Ensafi ensafi@umich.edu)

the discussion of privacy and censorship, has gotten a lot louder as it should. And i see greater reason to see more attention to see it as an industry. The more people users get confused. VPNs have a responsibility and seeing when those policies are coming down the pipeline, and communicate how it will effect you as a day to day user as a product.

In latin america, privacy lawes are not having an approach to protect data that private companies store that we don’t have any laws that protect users. We are some okay…..because we re not having any censorship. we are actually behind digital protection laws.

4 stages of models. if we build enough capabilities. diverse set of companies. Their focus is on Iran. Mostly on China. Validated VPN in china. I don’t think want to be, b/c it does mean We don’t even engage.

Utilizing what we have CCPA act, and request their data. Make it common practice. to see that people are concerned about. More so, inventory what devices are in their lives, and what is shared around different platforms. Expand IOT devices, your mobile devices. More features added. If consumers start looking outside of social media platforms. at least some type of consensus.

Alto of companies in the US operate abroad. People need to see patterns abroad. Different forefront with GDPR. Different examples that can be applied here. people driven narrative. Connection to be made more. Being affected abroad. What is happening internationally.

Privacy. More collaborations who are also policy experts. We can do better at consumers. bandwidth support program. Monthly bandwidth gif. Let us know. general feedback on how to protect the community. Collaborating

Reduce harm. build community and trust. methods and strategies. Together.

>> Check out notes from other sessions here