Following Team CommUNITY’s model of the Industry Standards Collaborative Conversation held at the 2020 VPN Village, the 2022 VPN Community Unconfrence brought together a diverse group of individuals working in and around the VPN ecosystem to discuss the most important challenges facing the industry.

Leading up to the event Team CommUNITY met one-on-one with researchers, commercial and non-commercial VPN providers, technologists and frontline defenders to better understand the key challenges they each saw in the VPN ecosystem. Based on these conversations and in a pre-event survey of participants, we narrowed down a series of prompts for the small group discussions.

Event Notes: Event Jamboard

Breakout Session One

The first set of breakout sessions separated participants into five groups based on their background: Users, Frontline Defenders and User Researchers; Academics and Researchers; Commercial VPN Providers; Technologists; and Technologists Working in Repressive Environments.

Users, Frontline Defenders and User Researchers

What are the most important challenges facing at-risk users in regards to selecting and using VPNs?

Cost and Payments

• Can I afford it? Many organizations are low on resources for basic operations, which means paying for a VPN isn't really an option.
• How do users working in censored environments manage payments? How do they avoid paid providers?
• Will payments for a VPN put a red flag on my bank account? Payments can expose that I'm using a VPN.

Legal Consequences

• What are the legal consequences for using a VPN in regions where it is criminalized? It’s challenging to understand the penalties.
  • India just passed a law that requires commercial VPN providers retain user data.
• 2 sides — What are the consequences when VPNs become 'illegal'? And VPN providers, what are the legal nuances in an international context?

Trust

• There's a lot of opacity in the VPN industry. Opaque ownership with possible conflicts of interest. Who are the owners?
• Which VPN should I use? People typically default to a VPN that someone they know is using. There's a lot of lack of understanding for users and even trainers.
• How do we know that a VPN provider doesn’t log information?
• VPN providers know your IP address and where you’re connecting from. Usually you trust the VPN not to share it.

Technical Literacy and Understanding of VPNs

• There is a lack of awareness of what a VPN is.
• How do I know if I’m experiencing censorship or my internet connection is just bad?
• There is a lack of technical expertise to set up a VPN.
• How do I find out which VPNs have better security?
• Individuals often don’t know that they are being surveilled or that they need to protect their communications until it’s too late.

Technical Limitations and Performance

• There is no app for my OS.
• "It's too slow".
• Services (not only streaming services) block VPNs.

Navigating Self-Deployed VPNs

• Looking for recommendations for self-deployed VPNs.
• NordVPN has a self-hosted option, but have heard that it may not be the best VPN option.
• WEPN - doesn't really require a lot of technical expertise and IP is not blacklisted, depends on hardware.

Researchers

What challenges and successes have you had collaborating with commercial and non-commercial VPN industry and end users in your research? How would you like to see your research applied in industry and the digital rights fields going forward?

Refer to #Addressing Known Security Vulnerabilities

Challenges

• Reporting vulnerabilities and having them fixed is unnecessarily difficult.
• Technologically, we have to rely on VPN vendors, software and hardware vendors and middleboxes on the internet to fix vulnerabilities.
• Responsibility for vulnerabilities and fixing them can be shifted from vendor to vendor. “It’s not my fault”.
• Vendors may report fixing a vulnerability when it in fact has not been fixed.

Successes

• Some providers and operating systems have offered patches.

Commercial VPN Providers

What are the biggest obstacles to establishing and upholding best practices in the commercial VPN industry? What are the successes and challenges of other industry initiatives around establishing best practices?

Establishing a Baseline

• It’s hard to establish a baseline on what providers should and should not do.

Commercial Incentives

• Balancing commercial incentives with mission.

Government Influence

• Government influence on free services.
  • Refusing to accept U.S. State Department funding.

User Access

• Biggest issue is getting users access to VPNs and a free internet.
• How can you freely give service to people?

Collaboration

• Implementation of censorship circumvention research with commercial providers.
• Collaboration between commercial and non-profit providers.
• How can commercial VPN providers work with civil society to work on scalable access for censored users?

Transparency

• There is too much pressure against transparency, and it’s hard not to become jaded.

Some Successes

• Distribution to those in need. Instituting something like bandwidth programs to ensure those who need access have it - for free.
  • TunnelBear uses a bandwidth program to enable free service in problematic countries
    • Working closely with NGOs to distribute codes.
• Normalization of security and privacy transparency. Conducting regular 3rd party security/privacy audits.

Technologists

What are the most important technical threats to VPN user protections and privacy?

User Education and Needs

• Threats to users are perhaps less technical and more misunderstandings of the technology and how it could/should be used. i.e., VPNs are not a solution for everything and may be over/under used depending on the situation.
• Technically it is hard for any VPN provider to develop a tool that satisfies security and privacy needs of different types of VPN users.
• What the VPN provides, and for which users, should be clear.
• How do we determine, on the fly, which tool/type of connection etc. is best for the user we're serving?
• Commercial VPNs potentially leaning into user demand to be "more than just a VPN"

OS-Level Limitations

• The OS level complicates the protections you can provide.
• An insufficient firewall integration between OS and VPN app.
• Ways information can leak depending on the OS.

Legal Regulation

• Legislation that requires "filtering".
• Splinternet: Different technical specifications across different regions (i.e., different versions of TLS are required in different regions making singular implementations difficult)

Censorship and Circumvention

• VPN evasion strategies are hard to implement especially to survive the hectic times.
• As state censors change strategies, more, diverse solutions are needed.
• Distributing (the right type of) VPN connection to users in heavily censored areas.
• The cat-and-mouse nature of obfuscation methods. Juggling multiple evasion methods in a maintainable way.
• Fingerprinting of VPN connections to surveil users of circumvention. Unsure how much of a threat this is in practice.

Other Comments

• Looking more at the implementation decisions and threats that technologists need to consider when VPNs are implemented.
• Providing a VPN service can be complicated by multiple compounding technical issues.

Technologists (China, Iran, Russia)

What are the most important challenges you face working with users who are facing severe censorship?

Information Sharing

• Censorship technologies are being shared among governments.
• Lack of knowledge sharing across the community.

Technical

• Rapid detection and response to new government filtering.
• Sometimes censorship is more strict and there is not enough time to predict or respond.
• Customized protocols.
• Extensible protocol implementations.
• Determining non-tech ways to fight censorship.

Breakout Session Two

The second breakout session presented participants with five discussion topics based on and accompanying prompting questions. Participants spent 5 - 10 minutes responding to the prompts and brainstorming on a Jamboard and then following up with group discussion.

VPN and Circumvention Technology Access and Use in Repressive Environments

How can collaboration improve the distribution and development in highly censored regions. What could collective efforts look like and focus on? What is low hanging fruit? What is high hanging fruit?

Open Questions

• What do groups like IODA, OONI, or censoredplanet are seeing and can share with the rest of the community?

Notes on Commercial VPN Incentives

• What are the motives for commercial VPN providers to serve such regions?
  • Point of view from commercial VPN provider: When I think of distribution and development in highly censored regions they aren't big business hubs, the majority of our users are in the U.S.
  • Have specific programs for access that are not focused on business return - Bandwidth

Notes on Approaches and Collective Efforts

• Create a shared space to share what protocols / circumvention techniques work in countries that have censorship incidents.
• Incident response management for censorship incidents across organizations.
• Central hub to track major internet disruptions / censorship events. Looking at using IODA with getaggie.org
  • Aggie - “Aggie is an open-source social and online media aggregation tool designed specifically for monitoring events in real time.”
• Create a protocol / checklist of what to do once a disruption happens
• Once we are able to bypass censorship, we need to communicate with providers to implement circumvention techniques in particular regions.
• Ensuring steps and programs exist for targeted users / regions, so that they have unrestricted access to VPN services.

Challenges

• Lack of automation tools to detect incidents.
• When looking at highly censored regions / countries one of the challenges is alerting the providers about the major censorship / disruption events.
  • Information sharing about what each one of the players see from their perspective.
  • How are the censorship events taking place?

Notes on Establishing Incident Levels

• How do you even identify an incident? What's considered an incident?

Proposed incident levels:

Level 1: Internet shutdowns, by region (examples: OONI, IODA, etc, often worldwide coverage)

Level 2: specific websites/services/resources blocked or restricted access, by region (OONI + often country-based services like https://en.greatfire.org/analyzer for China or https://globalcheck.net/en for Russia, because local context is important, i.e. which websites are of importance)

Level 3: specific circumvention technologies/protocols/IPs/ports/signatures blocked, or throttled (e.g. shadowsocks ports A/B/D blocked in country E, CDN F restricted domain fronting on its servers, VPN provider G blocked in region H, ESNI blocked from date X in region Y and so on)

Problems:

• Information collected for all levels is often ad-hoc, from multiple forums/Slacks/twitters/news etc; there's no one place to post what every researcher/VPN company/NGO discovered. Everyone posts in their own channels
• Level 3 is non-existent in any centralized way compared to levels 1 and 2.

The Future of Censorship and Circumvention

What are the new and upcoming technical, legal and other challenges to providing open access to the Internet to users? Which challenges could benefit from collective action and collaboration?

Challenges

• Network fragmentation / termination (splinternet / shutdowns)
  • Communal solution: p2p/mesh networking?
  • VPNs can't solve all of these issues of network filtering and blocking.
• Dealing with new root certificates (eg., Russia's new cert authority).
• Democratizing the centralization of power and access.
  • If we formalize the notion of users helping each other connect to the internet, that begins to be users taking on the role of ISPs.
• Risk of using VPNs and the rise in different regions.
  • Helping people to understand what can and can't work.
  • Users need to be able to know their options.
• Most VPNs are trivially blocked (see Roskomnadzor list), and can be compromised legally / ethically as well by local incentive structures.

Approaches to Challenges

• Community mesh networking collaboration - raspberry pis.
• Circumvention techniques built into apps themselves - Making apps more resilient.
• Make the internet itself more censorship resistant:
  • Implement IETF standards.
  • DNS over HTTPS (DoH) and Encrypted Client Hello (ECH).
  • Newer TLS protocols
• Habitualize apps with built-in techniques before the crisis hits.
• Snowflake - next iteration democratizing ISPs?

Other Thoughts

• Technologies can implement social problems as well.
• ISPs are vectors for government control in many cases.

Addressing Known Security Vulnerabilities

How can VPN protocols, clients and providers be motivated to address vulnerabilities and be held to account? How can the process of reporting and addressing vulnerabilities be streamlined?

Refer to #Researchers

Background

• There have been very mixed experiences with different VPN and OS vendors.

Suggestions

• Create a single place where vulnerabilities are reported to VPN providers to collaborate on solutions and motivate other VPN providers to participate.

VPN User Education

What are the current challenges to both a) educating users; and b) establishing signals of trust that resonate with users and can help them make better choices about which VPNs they use? What could collective efforts look like toward addressing these challenges or how could they help?

Challenges

• It is a complex question. There are different threat models and many variables. People need solutions now vs. in-depth educational materials.
• People (users, trainers) need access to information in order to educate people correctly about different VPNs (verifying claims and good practices, audits, ownership).
• Getting the right audience, the right message. Educating 1B vs. 1M with different technical knowledge, scope, language used.
  • How do you measure the reach of the materials?

Solution: Create materials for different levels.

• Mainstream news and Google results do not present unbiased information and information security experts shy away from recommendations.
• What are the signals to determine whether you can trust a commercial VPN provider other than what they say on their website? For example, audits?
• Educating entry level users on how to pick servers, how to connect etc. is challenging.
• Can we create standardized VPN service comparisons and learn from previous and existing attempts? Leverage community spaces / trusted third parties to vet VPN providers.

Idea: Can we use this community to evaluate friendly VPNs and use that list and leverage the community to help vet providers?

• Protecting brands - are you really using the service you think you trust? e.g. Tor. Integrity of software and copycats.
  • Fake VPNs using IDs of more established providers.
• Trust building happens on the surface and bad actors can leverage that.
  • How do you get people to understand what they need to trust?

Solutions:

1. Third party validations are useful.
2. Tresor example: Teach the user base to prevent phishing for example. Identify and solve related issues.
3. Elementary school and up should have IT education as part of the curriculum, improving digital literacy.

Designing for At-Risk Users

What are the challenges to understanding the needs and designing for at-risk users and their diverse use cases? Where are there gaps in knowledge and understanding and how can organizations collaborate more around user research and design?

“Future Proofing” vs. Dealing with Immediate Threats

• If a user is worried about X, which is more valuable? Research about what attackers are *actually* doing? Or research about what attackers are *capable* of doing?
• There is a gap between theoretical threats (interesting CS problems for academia) and actual threats (talking to real users/first hand experience)
  • We need to meet users' real-world use-cases too, and not overburden them with academic/technical approaches where possible.
  • Cat-and-mouse game problems are focus of tech community.
  • Some problems are over-engineered when they could be solved for PEOPLE in more simple ways that are less interesting to academic publications.
  • Idea to address incentive problem with over-engineered but less helpful solutions for at-risk users: Capture the flag type competitions and hackathons to address with undergrads and package as educational recruitment.
• How do you design features and interfaces for lower risk users (who may often be the majority) without potentially compromising at-risk users?

Censorship Scenarios

• What do users do in an internet shutdown / censorship tightening crises? For example, before elections?
• Server-side vs. client-side mitigation of censorship (e.g., VPN blockages)
• It’s difficult to determine censors' strategy and technical capabilities and how they're practically being deployed.

Understanding At-Risk Users

• What/who ARE the range of at-risk use cases and users? And how do they change/evolve?
• What predicts whether or not someone can figure out VPN access within a different censored environment? Digital literacy? Age? Community ties?
  • Response: Peer support, and often a lot of trial and error too!
• How do we perform user research and reach out to at-risk users without putting them in danger?
• How do we ensure at-risk users' safety while validating prototypes to make sure they work in their region, with their communities, and meet their needs?
  • Potentially: offer non-public/private/safe channels to do so, e.g. 1:1 discussions and user research arranged through community partners, and anonymous feedback mechanisms like surveys.
• What factors are most important in tool selection to people in different at-risk scenarios?

Lingering Thoughts and Questions from the Parking Lot…

• How do paid providers balance user payment versus need for anonymity in censored environments? What do users in censored environments do?
• This space (or at least my view into it) has become very focused on censorship circumvention in recent years - super interesting and important - but we shouldn’t lose track of the use of VPN as tool to ward against mass surveillance. They are different views, different users, and different problem sets.

Additional Resources Shared at the Unconference

Learn more about VPNalyzer:

VPNalyzer

VPNalyzer: Systematic Investigation of the VPN Ecosystem

VPNalyzer Mailing List

Investigating the VPN Recommendation Ecosystem: Investigating the VPN Recommendation Ecosystem

OpenVPN is Open to VPN Fingerprinting

How is NordVPN unblocking Disney+? It might be through YOUR own computer. Even if you’ve never used Disney+ or NordVPN.

Breakpointing Bad: We are a non-profit founded in 2019 based out of Albuquerque, New Mexico. Our research team has over 66 years combined experience focusing on technical security issues motivated by privacy, free speech, and human rights. Our goal is to provide technical expertise and capabilities to at-risk populations subjected to repressive and authoritarian control.

Port Shadows via Network Alchemy: (CVE-2021-3773)