Conclusions and Opportunities from the 2022 VPN Community Initiative 


The VPN Village was a two-week virtual series of events during November and December 2022, focused on VPN user education and solidarity. Revisit the program here.

In 2022, Team CommUNITY (TCU) launched the VPN Community Initiative, focused on bringing together diverse actors from different disciplines and regions who are working on, or are directly impacted by, the current state of the VPN ecosystem.

This initiative was born out of a need to make VPNs safer for everyone, but especially for vulnerable communities in the Global South, since those regions currently lead VPN usage globally as a result of the censorship and surveillance they face.

The main goals we set out to advance include: 

  • Advancing industry standards, given the number of bad actors and practices that exist.

  • Improving how researchers and technologists share information and intel with each other.

  • Helping the for-profit industry understand the censorship and surveillance tactics experienced by at-risk users, given that they serve as “canaries in the coal mine”. Tactics first used against at-risk communities are then implemented on larger audiences. 

  • Highlighting the unique issues faced by users of VPNs in specific locales. 

  • Educating users so that they can better navigate the various VPN options available to them.  

 


The Work


Erin McConnell

VPN Community Lead and Event Lead at Team CommUNITY.

This program was overseen by Erin McConnell who, in 2022, launched a series of network-building projects, given that our first identified need was community building: many actors in the VPN ecosystem barely knew each other. For this, she organized private unconferences and monthly meetings, hosted a public VPN Village, and helped connect individuals from diverse professional backgrounds and regions.

The project was additionally given the opportunity to facilitate a one-day in-person event, hosted by a well-known digital rights organization, that brought together 60 individuals from diverse projects working in the VPN and circumvention space.

These community building initiatives are having lasting impact. At a minimum, they have helped individuals meet, network, and advance important conversations. 

 

The VPN ecosystem is diverse and involves different actors, interests and knowledge levels.

The Main Takeaways

  • In 2022, we found that challenges and priorities are overlapping across the various actors working in the VPN ecosystem. While 2022 allowed individuals to meet each other, and align shared goals, the challenge in 2023 and beyond is to find time to collectively hack on these problems and deliver solutions.

  • Communication between providers is improving, but large gaps still exist between providers on one side and researchers, national civil society organizations, and end users on the other, especially users in El Sur (aka Global South or Global Majority).

  • Highly curated opportunities for extended collaboration are needed, and that collaboration needs to be incentivized. Additionally, more resources are needed for managing community building and industry standards.


The Detailed Findings

The detailed findings are summarized into five overarching subject areas: 1. Circumvention - Technology and Information Sharing, 2. Circumvention - Distribution and Operating Environments, 3. VPN Privacy, Security, and User Education, 4. User Needs and Usability Research, and 5. VPN Industry Standards. In addition to key findings, you will find steps forward in each section as well.

 

1. Circumvention - Technology and Information Sharing

Key tasks are mapping the challenges to rapid response and to staying resilient during emerging censorship events, and finding opportunities to address them. There are also challenges to information sharing within the VPN and circumvention technology space. Individuals shared that projects have incentives not to share key information and intel because of the competition for funding and/or the lack of incentives for them to collaborate.


The lack of processes, safe spaces, real-time secure communication channels, and methodology poses additional challenges to effective information sharing.

Another question that has arisen is determining what type of data is needed, and how to make that data useful. Even if data can be collected, it is often challenging to determine whether it is valuable and/or trustworthy, particularly during censorship events, which are dynamic and change quickly. Additional challenges arise from the lack of context and nuance around collected data (time, server, cloud provider, protocol, client AS and location, user agent, provenance, etc.).

There were also questions about whether sharing information outside of a project / trust circle can do more harm than good, especially if there is a risk that information can reach adversaries and censors.

Lastly, it was stressed that good communication is incredibly important around emerging censorship events, particularly because collaboration between circumvention providers and local communities helps to make applications more censorship resistant.


Solutions and Steps Forward for Circumvention - Technology and Information Sharing

  • In the short term, create smaller, vetted groups where data can be shared more securely. This needs to be complemented by secure feedback mechanisms. Because sharing sanitized data can be labor intensive, we also need to better think through intelligence sharing, versus just sharing high-level conclusions.

  • Experts, such as user experience (UX) specialists, need to be brought in to help make collected data more useful.

  • A common definition of metrics, used by all, needs to be created, including simulation of scenarios. It was also suggested that simulations be cross-validated under laboratory conditions to check whether they match what is happening in the wild.

  • We have to find ways to share data with the general digital rights community while avoiding sharing it with censors. This may be improved by having spaces for retrospectives following censorship events, where we can debrief and evolve our responses to these experiences.

 

2. Circumvention - Distribution and Operating Environments

The current priority challenges revolve around distribution methods, user education, and outreach in highly censored regions.

Current forms of distribution include mirror sites, messenger bots, local sharing, sneakernet, trust networks, “dual-purpose” apps that resist blocking (Telegram as an example), and progressive web apps. However, there are issues with all these methods including:

  • Determining the trustworthiness of mirror site downloads and the potential liability posed by hosting software downloads. 

  • Mirror sites: it takes time for people to learn about a large download source, and by the time they do, that source could already be blocked.

  • Apps have vulnerabilities and are not bulletproof solutions. For example, in Telegram, channels can be blocked. There are also difficulties with app stores, especially Apple’s App Store, where it is hard to get anything listed that is not pre-approved.

  • Circumvention tool providers have to distinguish between distribution purposes, understanding that different purposes may require that you use different techniques. For example, you may handle distribution (and advertisement) of initial software downloads differently from updates and maintenance (of code or configuration).

Solutions and Steps Forward for Circumvention - Distribution and Operating Environments

  • Reach out to civil society organizations and consult experts in local culture and language. Create a centralized place where individuals doing outreach work can stay updated on which tools are suitable and available (with documentation that is constantly updated).

  • Establish more regular communication between organizations that offer similar services and tools to learn from diverse approaches to educational outreach, awareness building, and technology distribution.

  • Broadly improve user education offerings, critical reviews of tools, and clear standards for VPN and circumvention technologies. Create a standardized verification for trustworthy tools and help users distinguish which tool is right for them and how to spot bad apps.

 

3. VPN Privacy, Security, and User Education

With regard to VPN services and technologies, priority challenges included establishing minimal baseline technical standards and baseline evaluation criteria for VPN recommendations, as well as having viable options for third-party evaluation of tools.

Tools need to do a better job of building and maintaining trust with users, as well as with each other. This includes finding ways to improve communication between researchers and providers. Part of building trust is effectively addressing security vulnerabilities, and holding themselves, as service providers, accountable to their users in concrete ways.

On the human side, identifying and addressing gaps in user education and finding ways to deal with the cognitive load / fatigue that users experience when tasked with finding reliable tools are continued challenges. Users are still missing a basic understanding of VPNs and the implications of using them, as evidenced by notes from a session on gaps in user education below: 

What are the key gaps in existing user education around VPNs?

  • Understanding the risks around VPNs and ISPs

  • The belief that VPNs provide anonymity

  • Understanding what VPNs actually do and what their limitations are.

  • Lack of independent information sources

  • How to critically select a VPN

  • Understanding of VPN marketing, incentives, and affiliate partnerships

  • Understanding how people are actually hacked

What important information about VPNs, how they work, their risks, and their use cases are users missing?

Users are still learning about VPN use and how to secure their devices and Internet use with other tools like Tor.

  • Understanding the differences between VPNs and Tor

  • Users place all of their trust in a VPN company

  • Understanding the risks of using a VPN

  • Government coercion of VPN providers

  • Understanding that most sites and apps have TLS encryption as standard, meaning there is less need for an added layer of security even on public networks

  • Understanding VPN provider ownership and how they are making money

  • Insider threats (see ExpressVPN)

  • Transparent policies that are not baked into confusing End-user license agreements (EULAs)

  • Regionalized information and the nuances of law are not described to users


What misleading information about VPNs is most prevalent and damaging to users?

  • Targeted VPN misinformation campaigns

  • Using a VPN is not equivalent to being security conscious and safe

  • All major VPN providers are trustworthy

  • VPNs provide anonymity


What opportunities are there for collective, community action to compete with misleading VPN advertising and education?

  • Regulation, specifically through the U.S. Federal Trade Commission

  • Collective advocacy efforts to target bad actors as well as gatekeepers

  • Exposing bad actors through reviews and outreach

  • Developing industry standards and sets of principles that allow for differentiation

  • Community-driven education initiatives


Solutions and Steps Forward for VPN Privacy, Security, and User Education

  • Set up a clearing house of tools based on scenarios and use cases.

  • Establish a trusted independent VPN reviewer / auditor that can test different tools, including client-side vs. server-side testing.

  • Have more third parties that can provide security reviews.

  • Continue conversations around the limitations of audits and reviewing which parameters are looked at.

  • More research on the use cases and user needs to support, as well as more effort on user education, including the dangers of affiliate marketing and misinformation.

 

4. User Needs and Usability Research


Conducting user testing with individuals in highly censored regions and effectively and securely receiving feedback has been a continued challenge for providers of circumvention technologies. Related to user feedback mechanisms and engagement with end users, conducting educational and outreach campaigns in these highly censored contexts is complicated as well, but very much needed.

Most users still need help understanding when to use VPNs and when not to, what tools are available to them, and how to best diagnose and solve any technical problems they encounter (for example, is the connection slow, or is the VPN being blocked?).

This is complicated by other issues around localization support, identifying what educational materials to create (and how to distribute them), the affordability of services, and the low bandwidth available to users. Needless to say, the cost of data on top of the cost of VPN services may make them inaccessible for many. The technical complexity of some VPNs and circumvention tools may additionally be too much of a hurdle for some users.

Most pressing, however, is that the lack of education and resources on how to critically choose a VPN means some users are at best inadvertently downloading applications that do not address their real needs, and at worst, downloading malicious apps.


Solutions and Steps Forward for User Needs and Usability Research

  • There is a need to improve user feedback loops and testing in highly censored environments. An ISAC (Information Sharing and Analysis Center) could be used as a precedent for setting up a system for information sharing, user feedback, and testing. In addition, this will require establishing trusted regional ambassadors who are technically savvy and well connected to local communities.

  • Further explore how to responsibly employ beta testers in-country, particularly those who are tech savvy.

  • Establish multiple secure channels, which allow for anonymity, where users can ask for help. For example, sometimes people are afraid to use communication channels that are associated with personal contact information.

 

5. VPN Industry Standards


Establishing industry standards is a complicated challenge, given the lack of communication and alignment of priorities across VPN players in the commercial sector, as well as in the not-for-profit sector.

Despite differing priorities, there is overlap across a diversity of VPN and circumvention tools in some key areas that industry standards could help to address:

Marketing

  • Third party oversight is needed that can establish recommendation systems and explain possible harms, so that users don't get confused with the volume of marketing they receive from different VPNs. 

  • There need to be marketing standards and ads oversight for VPN companies. This includes having more affiliate accountability; better communicating honesty on what their tool can and cannot do (no anonymity or perfect privacy); and avoiding the use of trackers on websites and apps.

  • In addition, VPN companies need to invest more in educational campaigns for users.

  • It is recommended that companies use standardized, shared jargon.

Required / Standardized Features

  • Address DNS leaks

  • Address IPv6 leaks

  • If using OpenVPN: AES-256-GCM or AES-256-CBC

  • If using WireGuard: Configured to not log
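To show what the cipher and leak items in the list above mean when checking a real client profile, here is an added Python lint (example code, not Team CommUNITY's or any VPN provider's) that evaluates an OpenVPN client profile against them. It assumes OpenVPN's plain-text profile format and uses only real OpenVPN directives; the DNS rule is a deliberately conservative heuristic, since OpenVPN's DNS handling is platform-specific (`block-outside-dns` is Windows-only).

```python
# Added example (not Team CommUNITY's or any VPN provider's code): a lint that
# checks an OpenVPN client profile against the baseline listed above. The
# option names are real OpenVPN directives; the DNS rule is a conservative
# heuristic, because DNS handling in OpenVPN is platform-specific.
BASELINE_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}

def parse_profile(text):
    """Return [(option, [args])], skipping comments, blanks and <tag>..</tag> blocks."""
    opts, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):            # inline <ca>, </ca>, <cert> ... blocks
            in_block = not line.startswith("</")
            continue
        if not in_block:
            name, *args = line.split()
            opts.append((name.lower(), args))
    return opts

def check_profile(text):
    """Return sorted findings; an empty list means the three baseline items pass."""
    opts = parse_profile(text)
    has = lambda name: any(o == name for o, _ in opts)
    findings = []
    # 1. Data-channel cipher: OpenVPN 2.5+ negotiates from data-ciphers, older
    #    clients use cipher; every candidate must be AES-256-GCM or AES-256-CBC.
    ciphers = set()
    for name, args in opts:
        if name == "data-ciphers" and args:
            ciphers.update(args[0].split(":"))
        elif name == "cipher" and args:
            ciphers.add(args[0])
    weak = sorted(c for c in ciphers if c.upper() not in BASELINE_CIPHERS)
    if not ciphers:
        findings.append("cipher: none configured, server's choice is accepted")
    elif weak:
        findings.append("cipher: non-baseline " + ", ".join(weak))
    # 2. IPv6 leak: either route IPv6 into the tunnel or drop it at the client.
    if not (has("block-ipv6") or any(
            o == "redirect-gateway" and "ipv6" in a for o, a in opts)):
        findings.append("ipv6: no block-ipv6 and redirect-gateway lacks ipv6")
    # 3. DNS leak (heuristic; block-outside-dns is Windows-only): nothing at all
    #    in the profile steers resolver traffic into the tunnel.
    if not any(has(n) for n in ("block-outside-dns", "dns", "dhcp-option", "up")):
        findings.append("dns: no block-outside-dns, dns, dhcp-option or up directive")
    return sorted(findings)

# Constructed sample profiles: the weak one beside the corrected one.
WEAK_PROFILE = "client\ndev tun\nremote vpn.example.test 1194 udp\n" \
               "cipher AES-128-CBC\nredirect-gateway def1\n<ca>\n(placeholder)\n</ca>\n"
BASELINE_PROFILE = "client\ndev tun\nremote vpn.example.test 1194 udp\n" \
                   "data-ciphers AES-256-GCM:AES-256-CBC\nredirect-gateway def1 ipv6\n" \
                   "block-ipv6\nblock-outside-dns\n"
```

Running `check_profile(WEAK_PROFILE)` reports all three items, while `check_profile(BASELINE_PROFILE)` returns an empty list; a passing lint only shows the profile asks for the baseline, not that the provider's servers honour it.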


Data Practices, Privacy Policies, Logging

  • VPNs should have a no-logging policy, including no logging of user web traffic, no profile building

  • They should also include an easy-to-read privacy policy and clear legal guidelines

  • They should also share auditability and public attestations

  • Make sure to be clear and transparent about log retention (“Zero log” is never true)

  • Have standard metrics reporting

  • Publish transparency reports regularly

Usability and Accessibility

  • Accessibility audit

  • User support availability


Audits

  • VPN companies need a variety of audits, including: security audits, recent server / backend audits, auditability of security properties, and auditability of reachability / functioning claims

Security Disclosures

  • Clearly documented reporting process and resolution

  • Bug bounty program

  • Security disclosures

  • Commitment to a privacy-preserving data retention policy

Ownership and Business Strategy

  • Disclosure of company ownership

  • Disclosure of funding sources


Open Source

  • Open standards about failure / success rates (with comparable semantics)

Solutions and Steps Forward for VPN Industry Standards

  • Continue to provide needed secure spaces for building trust, and furthering conversations between different players in the VPN ecosystem.

  • Investigate alternative approaches to establishing baseline community / industry standards for VPNs, including initially limiting the scope of tools subject to standards, and funding a project manager to oversee standards research and development with community members.
