1 of 17

Censorship Circumvention

How to pick the right VPN for you

Kuala Lumpur, 9th May 2024

2 of 17

What is a VPN?

  • It’s useful to separate VPNs into two different categories:
    • Encrypted tunnels
    • Anonymizing tunnels

3 of 17

Encrypted Tunnels

  • When people think of a VPN, they usually think of Encrypted Tunnels
  • Other names for Encrypted Tunnels might include:
    • One hop tunnel
    • Proxy

4 of 17

How do encrypted tunnels work?

[Diagram labels: User, User's network, Tunnel Server, Site or service, ooni.org]

5 of 17

Key points for Encrypted Tunnels

  • The Tunnel Server is usually operated by the same entity
  • The Tunnel Server operator usually knows a lot about who you are
  • The Tunnel Server can see all your internet traffic and can connect it to your identity
  • With Encrypted Tunnels, you need to trust who runs the tunnel

6 of 17

Anonymizing Tunnels

  • Few tools of this sort exist
  • Every Anonymizing Tunnel is also an Encrypted Tunnel, but not vice-versa
  • The most used and robust Anonymizing Tunnel is Tor
    • It uses a concept known as Onion Routing, which they pioneered

7 of 17

How does Onion routing work?

[Diagram labels: User, User's network, Tunnel Server, Site or service, ooni.org]

8 of 17

Onion routing provides privacy by design

[Diagram labels: User, User's network, Entry Node, Exit Node, Site or service, ooni.org]

9 of 17

Key points for Anonymizing Tunnels

  • If implemented properly, Anonymizing Tunnels offer privacy by design
  • You don’t have to trust the Node operators or even Tor
  • It’s very hard to get right and requires a lot of research
    • Not only to initially build it, but also ensure it stays secure
  • Tor’s protocol has been studied for 20 years and is secure
  • Due to its design, it inherently introduces additional latency (i.e. “slowness”)
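
The "you don't have to trust the Node operators" point above, as an added example that is not part of the original slides: a toy model of layered encryption compared with a one-hop tunnel, recording what each server can observe. The middle relay, the SHA-256 keystream cipher, the sample addresses and the key names are assumptions for illustration; this is not Tor's actual protocol or cryptography.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not Tor's cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Client side: build the onion from the innermost layer outwards."""
    hops = path[1:] + [destination]          # where each relay forwards to
    blob = payload.encode()
    for relay, nxt in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = keystream_xor(keys[relay], layer)
    return blob

def route(user, path, keys, blob):
    """Each relay peels one layer; record what that relay is able to observe."""
    seen, prev = {}, user
    for relay in path:
        layer = json.loads(keystream_xor(keys[relay], blob))
        seen[relay] = {"from": prev, "to": layer["next"]}
        prev, blob = relay, bytes.fromhex(layer["data"])
    return seen, blob.decode()

def one_hop_tunnel(user, server, destination):
    """Encrypted tunnel: the single server handles both ends of the connection."""
    return {server: {"from": user, "to": destination}}

def links_user_to_site(view, user, destination):
    """True if one operator's view contains both the user and the destination."""
    return view["from"] == user and view["to"] == destination

# Constructed sample values (hypothetical user address and per-relay session keys)
USER, SITE = "user@198.51.100.7", "ooni.org"
PATH = ["entry", "middle", "exit"]
KEYS = {r: hashlib.sha256(f"session-key-{r}".encode()).digest() for r in PATH}

if __name__ == "__main__":
    seen, _ = route(USER, PATH, KEYS, wrap(PATH, KEYS, SITE, "GET /"))
    for node, view in {**one_hop_tunnel(USER, "tunnel-server", SITE), **seen}.items():
        print(node, view, "links user to site:", links_user_to_site(view, USER, SITE))
```

Only the one-hop tunnel server ends up with a view that contains both the user and the destination; each relay sees just its neighbours.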

10 of 17

Good reasons to use an Encrypted Tunnel

  • Circumventing network-level blocks
    • When a site or service is blocked by your ISP or government
  • Circumventing geo blocking
    • When a site or service is blocking access from your country
  • To protect from advertisers and trackers
    • To stop ads loading on pages
  • To make it harder for your ISP to know what sites you are accessing
    • Caveat: it makes it harder, but not impossible

11 of 17

BAD reasons to use an Encrypted Tunnel

  • Providing privacy protection that goes beyond just simple ad and tracker blocking
  • Having strong anonymity
  • The sites you visit, if they invest resources, can still probably figure out who you are
  • Powerful state actors (like governments) might be able to figure out what websites you are visiting

12 of 17

Choosing a censorship circumvention tool

  • Research is needed to pick a safe and functional encrypted tunnel
    • You need to trust the tunnel/VPN operator (i.e. background check on the company)
    • Not all encrypted tunnels work the same, some are easier to block than others
  • If you don’t have time to research the tunnel operator, just use Tor, because it’s safe by design.

13 of 17

Picking an Encrypted Tunnel is hard!

[Figure labels: "dubious" (four times), Cloudflare, McAfee]

14 of 17

How to assess trust in Tunnel Operators

  • Does it work in your country or region?
  • Where is the company behind it incorporated?
  • What’s their business model?

15 of 17

Tunnel Economy

  • Internet bandwidth has a cost and someone has to pay for it:
    • Users paying for subscriptions
    • Non-profit grants for some Internet Freedom tunnels (e.g. Psiphon, Lantern, RiseupVPN)
    • … or selling of your user traffic to data brokers
  • If you aren’t paying for the product, you are probably the product
  • Do your own research and check the app terms of service and privacy policy

16 of 17

Tunnel Economy

  • Tor avoids this by having the network be run by a community of volunteers
  • Because the system is private by design, this is possible
  • An encrypted tunnel could not operate in the same way, because each node has a disproportionate amount of power to harm users
  • Internet Freedom Encrypted Tunnels (e.g. Psiphon or Lantern) might also be an option, but they might have bandwidth caps in your region

17 of 17

Questions?