VPN users with security concerns: What they need

bitmask

Bitmask is the LEAP Encryption Access Project’s VPN client, available for Android.

When OpenITP’s Secure User Practices project (SUP) approached the LEAP team about doing UX work on their tools, LEAP came back with a fifteen-page writeup of all the known usability issues for their virtual private network (VPN) client, Bitmask. Some of these issues were known bugs. Some were features the team thought they should build. Some were questions about what should be worked on. And some turned out not to be UX-related at all. The question then was, where to start? SUP’s first step was to triage these issues, sorting them into types and making recommendations for which should be addressed first.

SUP identified specific questions about priorities for development which could be addressed through a survey of users or through user testing. Over the six days of the 2015 Circumvention Tech Festival in Valencia, Spain, SUP researcher Gus Andrews conducted eight user/expert interviews about VPN usage in eighteen countries, and two user tests of the Bitmask Android client. The results of these interviews and tests are below.

Additional information, specifically about VPN use in Iran, is forthcoming in a report by ASL19 on their large-scale survey of technology use there. (ASL19’s information will definitely be more reliable and up-to-date on the situation in Iran than the single report from Iran listed here; that interviewee cautioned that his information is some years out of date. VPN usage has since become significantly more risky for Iranians. His interview is included here primarily for contrast with other countries, and in order to prioritize the development of certain features.)

PRIORITIES FOR DEVELOPMENT

Interviews suggested the following priorities among the features which LEAP is considering for development. (See the appendix at the end for a count of votes for or against the feature.)

Should LEAP bundle its mail client with the Bitmask VPN?
YES.

Users liked this idea (though they didn’t feel strongly about it). The fact that they use multiple email addresses suggests a secure email client might be of interest to them.

Should LEAP work on making in-session switches between gateways more seamless?
YES.

This is a feature users will make use of, as much for speed as for protection.

Should LEAP work to hide the fact that a user is setting up a VPN account?
MAYBE.

This is a high priority in Iran. Users in countries with developing technical surveillance abilities (Africa, Latin America) would like to have it. It is not seen as a priority in China. Most other users (and governments) don’t care; setting up a VPN is a relatively common practice for business or accessing entertainment content, and that provides plausible deniability for those using it primarily for free speech.

Should LEAP prioritize and make prominent the ability for users to look at certificates?
NO.

Even highly-technical users — even VPN providers! — rarely look at certificates. This should be left deeper in the interface.

Additionally, user testing turned up a number of show-stopping issues which the LEAP development team has already begun to tackle. These issues kept users from successfully making a connection using Bitmask, and/or led users to say they would uninstall the app. A Bitmask developer’s report on what he is doing to address those concerns appears in the second appendix at the end of this post.

REPORT ON THE INTERVIEWS

THE INTERVIEWEES

The eight interviewees were technologists, security trainers, academics, activists, NGO workers, and VPN providers who had worked — and made use of VPNs — in China, Costa Rica, Cyprus, Egypt, Georgia, Germany, Iran, Italy, Jordan, Lebanon, Malaysia, Palestine, Spain, Syria, Tunisia, Turkey, the United States, and Zimbabwe.

SUP’s researcher also gathered some information on VPN use in Cuba through informal conversations with, and a presentation by, attendees from the Cuban diaspora.

A ninth interview, with a VPN provider from Spain, has not been included in this study, as his use case was significantly different from most of the interviewees described here; he uses and provides VPNs solely for commercial purposes.

A brief introduction to the interviewees

Bocai is a scholar in the United States, and an operator of circumvention VPNs for China.

Gazelle works with lawyers and activists in Tunisia. She has used Riseup services in the past, and was excited to look into a new way to access their VPN. Many of her colleagues use VPNs for entertainment first and foremost.

Ali had worked as an activist in Iran, but eventually had to flee, working out of a range of other countries in the Middle East and Asia. When in Iran, he used VPNs to access blocked sites and hide sensitive political activities.

Kristabelle is new to using security tools, sometimes misunderstanding them but taking great pains to explore and use them. She is a radio and print journalist in the country of Georgia.

Rambo is a technologist for a number of NGOs in Zimbabwe. He is exploring a number of tools to see what works for his community.

Rose is an American scholar who does research on the circumvention tech community. Like many of the interviewees, she uses VPNs for entertainment access when she is travelling, as well as to protect her research subjects.

Saladin is a security trainer who has worked throughout the Middle East, North Africa, and Europe. He is highly tech-savvy, but knows well what the challenges are to get his trainees using secure tools.

Juan is a security trainer who works for an NGO. He is based in Costa Rica and works throughout Latin America. He connects to his organization’s VPN to protect his work, while many of the people he works with use VPNs for entertainment.

What is the local context for VPN use?

OVERVIEW: “Watching American Netflix!”
You could pooh-pooh the use of VPNs for entertainment purposes as irrelevant to the use cases of VPNs as a tool for hiding free speech and activism. But that would be a big mistake. People adopt technologies when they can observe their neighbors using and benefiting from those technologies. They stick with what is already familiar, and come to the circumvention tech universe with expectations of how our tools will behave. Users will be viewing any VPN the circumvention tech community presents to them through the lens of the VPNs they already know and use for entertainment purposes.

In most countries represented in these interviews, VPNs are overwhelmingly used for accessing music, movies, TV, and news in countries like the US, Canada, or UK. In China, they are heavily used for gaming. People around the world recommend VPNs to each other based on speed or other accessibility questions.

In China, VPNs are commonly used for getting around the firewall for whatever purpose — Twitter, YouTube, dating sites, and Google services as well as blogging and political news. There are over a million foreigners living in China who simply need it for Facebook and other day-to-day access. Academics need VPNs in order to access Google Scholar. Bocai says the average user in China has about as much concern for privacy and security as most people do about their email — protecting your password, etc.

“Hotspotshield, people have been using for ages,” says Gazelle, “and it’s literally only used to watch shows” in Tunisia, where for-pay VPNs are not widely used because they are cost-prohibitive and people cannot access PayPal or other aspects of the global financial system.

“If you ask people in Costa Rica, 90% of people have no idea what VPNs are,” says Juan. “Many people follow guides on how to connect to US netflix; they often don’t know they’re running VPNs. Basically they have no idea what they’re installing, but they just want to get the content no matter what happens to them.” The same holds true in China, says Bocai: users know these services let them use Google or get around the firewall, and very little else. Actually speaking of them as VPNs can get comments deleted.

According to Ali (who did his interview with the caveat that his knowledge of the tech landscape inside Iran is some years out of date), the Iranian landscape is a bit more challenging. Many users do use VPNs for social media or news, and there are many companies that openly advertise their VPNs. But the Iranian government has gotten smart, and is paying close attention to VPNs. The government has set up a black market of VPNs, and they are making money on it and monitoring traffic. Ali believes they monitor to ensure Iranians are not buying VPNs from outside the country. Within Iran, journalists and activists who are aware of these risks ask trusted contacts outside Iran for recommendations of VPNs which are working and trustworthy. Among less-technical, less-savvy users, Ali says, “there is still not much knowledge of how to choose, what a secure VPN looks like and how you select it.”

Interviewees reported that in Tunisia and China (and possibly other countries), tech industry workers are also familiar with using VPNs to access other content, like technology journals and websites. These are not necessarily politically-motivated people, but they are sympathetic because they need freer access to knowledge to do their jobs. (“Tech people feel this is a real bummer,” commented Bocai.) They may be aware of how VPNs can protect their privacy. Additionally, they may also serve as early adopters and respected sources of tech knowledge in their communities.

Bocai notes that some tech industry workers in China find it easiest to ensure this kind of free access by setting up a small VPN of your own — maybe share it with your friends, maybe get paid for it. The Great Firewall generally leaves these small VPNs alone.

Of the interviewees I spoke to, many were used to using VPNs for their work in journalism, NGOs, or academia, as well. This sometimes meant using dedicated networks.

How do you know to trust a particular VPN?

OVERVIEW: “Recommendations from my tech-savvy friends are the gold standard.”

SUP started out gauging the importance for users of gauging certificates by asking how a user would know if a VPN was secure. Unsurprisingly, not a single interviewee mentioned certificates first. Almost all interviewees mentioned relying on someone whose tech security judgment they trusted. Organizations in our space like Access, ASL19, ISC, Frontline Defenders, and Riseup were mentioned.

Saladin gives his trainees keywords to look for in judging the trustworthiness of a VPN provider. He emphasizes to them that VPNs are for “jurisdiction shifting, not ultimate security. If you’re looking up information that could get you arrested, you shouldn’t use” a VPN.

Juan and Kristabelle both mentioned looking around the website for a VPN service to gauge who backs and finances it, and perhaps who is a board member. They also check forums and other websites to triangulate based on others’ experiences and concerns. Gazelle also mentioned she uses VPNs against commercial sharing of her data, so that is one of her criteria.

When asked how he would know whether a VPN had access to identifying information, Ali said he expected to see “audits, so there would be a lot of news” about the tool’s security. He would ultimately consult with people he knew, as well.

Bocai emphasized that different audiences in China will pick VPNs based on different criteria. Students look for free services. Businesspeople look for reliable ones. There is a network of blogs, including his own, which provide information about viable and secure VPN services.

Gazelle and Saladin referred to checking the IP address their VPN had assigned them using whatsmyip.com, to ensure it was working; Saladin teaches his trainees how to do this. Gazelle expressed great satisfaction at being able to view the location of the exit point of her VPN (a reaction that SUP has observed in other users of jurisdiction-shifting tools, like Tor). “I get Kansas a lot,” Gazelle smiled.

Saladin tends to recommend tools to his trainees based on ease of use. For this, he often recommends Tunnelbear, when his trainees are able to pay for it. He also praised Tunnelbear’s attention to pleasant graphic details — for example, depending on the country it is connecting through, Tunnelbear’s mascot wears different local costumes, like a beret in France. “These small touches — these touches allow people to identify with the technology and tool, and keep them in the game in the way that many other companies’ services don’t,” Saladin says.

What are your frustrations with VPN use?

OVERVIEW: “It’s slow and sometimes unreliable.”

There’s almost nothing else to say on this point — every single interviewee mentioned speed and reliability as a frustration. In Northern Africa and the Middle East, being unable to pay for a service and set up an account, due to inability to access financial infrastructure, is also a major pain point.

“If I was a VPN company, I would ban video streaming,” suggests Ali. “As a person from a closed society, we need a little speed just to get the Internet.” When pressed about the possibility of using video to document protests or abuses, he backpedaled on this a little, noting this had been important during protests. “There’s a lot of fake news coming out,” he said; “you don’t know which source to trust. Video is proof.” So he suggested some other possibilities. There could be separate servers for different purposes, he thought, or a “freemium” model where the free service does not provide video for free but a paid one does.

How would Riseup fare with these interviewees and the populations they work with?

OVERVIEW: “It depends. In China, its political reputation would be an obstacle.”

Generally, Riseup might have a hard time making inroads in China, according to Bocai. Being associated with activism would definitely make a VPN likely to stand out, and authorities would shit it down. Marketing can’t be done too openly there, which would be a challenge. Word of mouth might help. Still, demand for VPNs is definitely greater than supply in China, so there is a possibility it could take off.

Recommendations from trusted tech sources is the key reason these interviewees trust and try a new technology. Those who knew of Riseup thought of it favorably. Kristabelle, Gazelle, and Rose all found Riseup appealing for their own purposes. Gazelle recommends Riseup to people she works with.

Gazelle is an ardent Riseup fan. “It’s so low key, it does a job and does it humbly and efficiently. It has a good reputation of looking out for activists.” She contrasted this to commercial services. “The more shiny and bright and glittery (a service is), how do I know I trust you?”

Saladin is aware of Riseup, but was skeptical of its utility given its demands that users be recommended. In an hour of need, he said, his trainees do not have enough personal connections to others on the network. He also said he doesn’t know whether Riseup’s VPN is fast, and so he isn’t able to recommend it in that sense.

What do you think about bundling email and VPN?

OVERVIEW: “We all use more than one email account, so this might be of interest (though maybe less so to our trainees). Trust is important to us, and some of us love Riseup for that reason. But will we stick with using a new email service? That remains to be seen…”

Kristabelle and Gazelle both said they felt they would trust the VPN of a known, trusted email provider like Riseup. They and Rose all thought the VPN/email bundle would be a good idea.

Ali says he thinks the bundle would be “a good idea, but I would like to see if the VPN has access to personal data like username or password.”

Saladin was ambivalent. He first said a bundle would be convenient, but then said “Personally, I would rather just have the vpn. I would be more comfortable giving them that than email service as well.” He has had low levels of success getting people off gmail accounts, so he’s not sure if this is just adding another thing for users to do. He has an interest in ensuring his trainees know the difference between client and server, and thought this might confuse them.

Bocai did not think this would be of interest in China. “Email has never been as important in China,” he explains..

Do you care what country the provider or gateway is in? Why/which one(s)?

OVERVIEW: “We do care, very much, about getting out to countries where free speech is protected by law. But it doesn’t really matter which ones. People we know will pick based on speed. We’re split about the importance of switching gateways mid-session. Speed beats privacy on this question.”

Most interviewees said they sought out connections in countries with better legal track records of protecting free speech than their own. Frequently this meant the US, Canada, Europe, and Australia. “The particular country does not matter for security,” explained Bocai. But Rambo noted, with a grin, “Our president has beef with Obama, and we appreciate that.”

Within these protective countries, users select gateways based on what is working or which is fastest. “It depends on what you’re trying to access,” says Kristabelle; as an example, she noted she is registered for Netflix in the UK. “The user will first be concerned with speed,” says Bocai of Chinese users, who may be aware of a range of VPN providers, many of them commercial.

This may mean users change gateways within a session, but not necessarily. Ali thinks the option would be nice, but does not “feel it as a need.” Saladin does not think his trainees have the technological awareness to switch. Rambo tries to make his trainees aware of the possibility, but is worried about them doing it: “If you’re working on one thing for a few hours, there’s no reason for you to switch. If you try, that could raise a flag of suspicion, because the surveillance could see it came from a lot of servers, they could say it’s VPN use.” Rambo says VPN use is uncommon enough in Zimbabwe, and he feels the surveillance apparatus of the country is unsophisticated enough, that even using the tool could cast suspicion on the user.

Saladin described his own criteria for picking a gateway country. Some countries he “can’t take seriously” as providers, he says, due to the pervasiveness of criminal elements. “I can do a sniff test with a Scandinavian country, but not with another jurisdiction which has a high record of high spam nets and crackers and malware providers.” That makes him go

(I think that octopus was a direct quote, actually.)

Rose and Juan do not switch, because they are using dedicated VPNs provided by the organizations they work with. Juan mentioned that he sees providers advertising that they specifically are based in Iceland or Sweden, “but it’s not all about that,” he says, “there’s other factors that are important.”

Are you worried that surveillance in the country where you work might know that you are setting up an account with a VPN provider?

OVERVIEW: In countries where VPN traffic stands out as suspicious, yes. But in countries where VPN usage is very common for business and entertainment, no. Surprisingly, China does not care much. VPN use in Iran, however, can mean jail time. Countries with developing surveillance (Latin America, Zimbabwe) worry about traffic that stands out. Traffic through a common port could help keep VPN usa from looking suspicious.

Bocai reports: “China does not try to block VPN really. They are standard. It is an economically open space. Most businesses need one to communicate with their home office. They can’t really do without it. But the Chinese government has started interrupting VPN for bloggers this year. They can’t absolutely cut all those off, but they worry about the scale of it. Free and popular usage — particularly free ones — they might block. If it’s a paid commercial service they’ve chosen not to interrupt until recently. They have been target blocking. Sometimes it’s more severe than other kinds. There is no clear pattern to it, but in general the trend is they’re getting harsher and harsher.” So in China, there is still some cover — though it is shrinking — for VPN use.

Not so in Cuba. There, “there is no privacy by numbers” according to Cuban diaspora activists. Additionally, encryption systems are technically illegal in Cuba. Despite this, they still report that VPN access works very well in the country, better than Tor, which is painfully slow in Cuba when it’s not actually blocked. They viewed web proxies as their best option in this range of tools, however, citing how easy they are to discover and use.

Juan and Rambo both expressed concern about the governments of Zimbabwe and various Latin American countries “putting pressure on someone whose traffic stands out. But if it’s going to a port that’s frequently used it would likely be ok,” Juan added. He would prefer that VPN traffic be obfuscated. “Zimbabwe is looking east to China,” Rambo noted. Rose is not concerned with being seen as using VPNs given her current setup (she uses a VPN to access resources at her university when she is not on their network), but she was concerned that setting up a service could be viewed negatively by the authorities.

Meanwhile, Saladin and Gazelle said they have not heard concerns from their trainees and colleagues about being recognized as using VPNs. Gazelle notes that VPN use is common for entertainment in Tunisia, providing good cover; she does not believe VPN use is illegal there. Ali is not concerned as an activist outside of Iran, but within Iran setting up a VPN would definitely be a red flag that could get a user jailed.

Should LEAP prioritize and make prominent the ability for users to look at certificates?

OVERVIEW: Not even VPN providers look at certificates! New users might do it because they feel they have to, but they don’t know what they’re looking at. The gold standard for trust is whether an expert you trust has recommended a service as safe.

The need to look at certificates is rare. It matters in one case where the government is a threat (Iran), but not yet in another (China). The View Certificate feature should be available, but it can remain a few menus deep in the interface.

Bocai and ElEremvite (the Spanish interviewee whose interview is mostly not included here) are both VPN providers, and neither of them felt it was urgent for all users to look at certificates.

“It should be important to view certificates, but there is no habit of doing it,” said Bocai. “Chinese VPN service is kind of a black market” — it’s not competitive, there are no brands, and it’s semi-legal anyway. He said he would recommend looking at certificates to Chinese tech industry workers, but anyone outside that community would likely rely on someone they trusted, with good tech expertise. “There are reliable voices,” he said.

Kristabelle was the one interviewee who insisted it was vital to view certificates. “There is a necessity to see who developed it,” she said. Note she is also newest to circumvention technology out of everyone interviewed, and when asked what VPNs do for the user she gave an explanation that was not wholly correct.

Saladin says he has only installed VPNs with trainees once. “We did not engage in certificate checking, under the presumption, perhaps false, that the software’s written in a way where they don’t have to check them… I don’t see it as the biggest issue (trainees) have, compared to poor quality passwords.”

Ali thinks he has looked at certificates once or twice on the suggestion of someone at Access, but he can’t remember why; potentially the Iranian government had stolen certificates, or attacked them.

“I don’t know what it means,” Gazelle said of what she saw on certificates. She thought it was unlikely other users would check certificates unless they were techies. “I never really thought about it,” she said. Juan said he had never checked certificates, but “now I think I will.”

APPENDIX 1

PRIORITIES vote count

For those who prefer to work quantitatively, here is a tally of whether users responded yes, no, or maybe to questions about features LEAP thought it might develop. Votes which ended up with a pretty even split between yes and no are counted as “maybe.”

Should LEAP bundle the mail client with Bitmask?
(SUP asked: Do you use more than one email account? ← note the question mismatch)
YES: |||||||
NO:
NO DATA: |
(SUP asked six interviewees: “Is bundling email with the VPN a useful idea?”)
YES: |||
NO: |
MAYBE: ||

Should LEAP work on making in-session switches between gateways more seamless?
(SUP asked: Do you care what country the provider or gateway is in? Why/which one(s)?)
YES: |||||||
NO: |
(SUP asked: Do you switch back and forth between providers (or gateways) in a given session?)
YES: ||||
NO: |||
IT DEPENDS: |

Should LEAP work to hide the fact that a user is setting up a VPN account?
(SUP asked: Are you worried that surveillance in the country where you work might know that you are setting up an account with a VPN provider?)
YES: |||
NO: ||
MAYBE: |||

Should LEAP prioritize and make prominent the ability for users to look at certificates?
(SUP asked: Have you looked at the certificates for a provider?)
YES:||
NO: |||||
IT DEPENDS: |

APPENDIX 2

Here is a report from LEAP developer parmegv on the issues turned up by user testing of Bitmask at the Festival, and his schedule for completing them, as of March 17th:

“Last week I fixed the most urgent and immediate issues: turning off the VPN if an error occurs and no real VPN connection happens, log in button inconsistencies that didn’t allow people to switch providers, give some wording whenever an error happens, and showing log in status independently from vpn status, so that when you change the orientation for example, the messages stay the same in the UI.

“Now I’m trying to improve the mechanics of how I can test that everything’s working ok, these last 2 days I’ve been focused on being able to test if the providers work or not easily. This issue will allow us to make changes and fix bugs without the fear of breaking anything.

“Once this is done… I’ll implement the warning about browser sessions when VPN is turned off, and after that, Riseup’s warning about their user accounts.

“By the following’s week’s Friday, 0.9.3 should be released containing these improvements.”

 

Post a Comment

Your email is never published nor shared. Required fields are marked *