Censorship circumvention and encrypting your traffic with a VPN

“Do I need a VPN?” and “Which VPN should I use?” are questions that often come up during digital security workshops. Learners might hear of Virtual Private Networks, or VPNs, when they’re looking for ways to protect their Internet connection on public WiFi, such as at a coffee shop or in an airport. Others, like journalists, may want to use a VPN as a way of seeming like they are using a different network than the one that they are working from. Learners may also be interested in circumventing Internet censorship in their country. The question of how to know which VPN to use, however, is packed with additional considerations and nuances, and it may be difficult to address these in a clear way. This lesson plan helps learners think through what tools are right for them, and what factors they should consider in their search for a VPN.

Recommended Reading

• Choosing a VPN That's Right for You
• Recommending Tools
• An Introduction to Web Browsing Security

• What Should I Know About Encryption?

• This 2019 consumer-facing report from Wirecutter evalutes VPNs and provides a thorough assessment of how the VPNs were compared for security, privacy and additional consumer considerations.

• This lesson plan from Level Up covers how censorship and Internet circumvention work.

• This blogpost from Localization Lab explores how VPN usage has been popularized in Zimbabwe through memes.

• This post from Freedom of the Press Foundation provides in-depth information on what to look for when choosing a VPN.

• This explainer from CDT covers what a VPN is and how it works.

• This list of questions from CDT for assessing VPNs can help with understanding evaluation criteria.

• It may be useful to have your learners review this NPR article about why VPNs shouldn’t automatically be trusted before the lesson.

• For learners who are curious about VPNs as they relate to travel, Great Fire’s website might be a useful resource.  

• This story from CyberScoop includes a useful example of when someone (like a journalist) may want to use a VPN.

Gotchas and Problems You Might Hit

Learners are often confused about the role of VPNs. It’s common for people to confuse VPNs with Tor. Additionally, learners may not understand what data and metadata VPNs can see.

One common misconception is that VPNs are just for one type of device (for example, “I thought a VPN is just for your computer”). An important takeaway to share is that you can have a VPN on your phone, just like you can have one on you computer, to encrypt all traffic between your device and your VPN provider.

Some trainers use metaphors to describe how a VPN works, ranging from a “tube” to a “tunnel” to describe safely transporting something, to a “condom” to describe protection from public wi-fi networks. As with anything else, please evaluate cultural relevance, gender sensitivity, and your level of trust with your audience. For example, consider using the condom/safe sex metaphor sparingly, as it may be an uncomfortable framing for many audiences.

Anticipated Questions and Answers

* You will likely find yourself saying “It depends” for many questions.

Question: “I’m overwhelmed by information! Can’t you just recommend one VPN that you like?”

Answer: If there’s a VPN that you—the facilitator—like and have spent time assessing for your own uses, it may be okay to recommend it. However, we strongly encourage you to carefully consider how you recommend such a tool. Be sure to share the caveat that it is hard to assess the security and claims of VPNs, and that the security and privacy considerations for each VPN can change quickly. Encourage learners to stay informed by periodically searching for news involving their VPN.

Question: “Why is it so hard to get my VPN to work?”

Answer: A learner may ask this question out of frustration with usability or slow speeds. One possible response is: “The range and quality of VPNs varies a lot from one service to another. Just like email, who you choose as your VPN provider will impact the quality of service a lot.”

Consider returning to this question when discussing the advantages and disadvantages of dedicated VPN software.

Question: “My workplace provides a VPN. Should I just use that?”

Answer: Explain that whatever VPN you choose, you’re entrusting it to provide the Internet for you. You can give the following examples to illustrate the advantages and drawbacks of using a workplace VPN.

“Connecting to a work VPN is a lot like connecting to your WiFi at work. While a workplace-provided VPN will protect against someone snooping on your connection in a coffee shop, it won’t be the best option if you, for example, choose to look at job listings for other companies, or if you want to reach out to a reporter about workplace misconduct. Just as your systems administrator at your workplace will see activity when you are on the network while physically at the office, they can also see your activity when you are connecting to the work VPN from anywhere outside of the office. The most important thing to keep in mind is that you’re shifting the trust from your ISP or WiFi point to the VPN itself.

Another consideration is what type of encryption your work VPN provides. Some encryption protocols (or methods) are outdated and in some cases provide very little protection at all. You may suggest that learners pick a public VPN they have investigated themselves for sensitive browsing, or consult with the IT department at their workplace to determine just how safe their work VPN is.”

Question: “I can’t afford a monthly/yearly fee. What should I do? Should I download a free VPN?”

Answer: To consolidate cost, you might suggest using a VPN that is packaged with other security software. Some VPN services require you have an account with them first, but offer a VPN service for free when you are referenced by another user. There are other free VPN services available, too.

You can say something along the lines of: “The most important thing when investigating a free VPN service is determining how they are able to operate for free.  Are they selling your data? If so, are you comfortable with this trade-off? In some instances, free VPNs may have malicious advertising (sometimes called “malvertising”) incorporated in their software.”

Question: “Someone told me I can create my own VPN. Should I do that?”

Answer: Even if your learners are comfortable with systems administration and the command line, setting up a VPN can be very challenging. Some router software (such as OpenWRT or LEDE) will run OpenVPN and allow you to configure it via a web interface, but this should only be suggested for the most advanced users. It may be best not to distract the rest of the learners with details about how to set this up and instead encourage the more advanced learner to contact you after the session.

Question: “I’m traveling to a country that has a reputation for censoring content. What should I do?”

Answer: This is an advanced question often requiring more assistance and context.

Circumstances change, and it’s important to keep up to date on security news for specific countries’ policies on VPNs. For example, it may be illegal to run certain VPNs (or a VPN at all) in certain countries, and it may be risky to have a VPN installed on your computer when entering such counties, especially since the most likely point of search may be when you are entering the country. You can encourage the learner to reach out to you after the workshop.

Question: “If I’m using a VPN, do I need to use HTTPS too?”

Answer: You can mention that HTTPS and VPNs are both forms of transport-layer encryption, providing ways to protect the learner’s traffic from unwanted eavesdroppers. However, the way that HTTPS and VPNs protect that information differs significantly. The main point that learners should come away with is to use HTTPS whenever possible to take full advantage of the additional security protections, including using HTTPS when they are using a VPN or when they are using Tor.

You can point learners to An Overview on Web Browsing Security for a breakdown.

Question: “What’s the difference between a VPN and Tor?”

Answer: While the Tor network uses encryption just like many VPNs do, there is a key difference: with the Tor network, you don’t place your trust in any one company or service.  

The Tor network is run by a system of volunteers, and routes through three separate computers that run the Tor software dispersed across the globe before being passed on to the service you’re using. Each Tor software-operating computer server (called a “hop” or “node” or “relay”) along the way unwraps a layer of encryption to reveal the next destination. This is to keep the message contents as well as the route of the message secret. With all three hops working together to obscure your identity, it is extremely difficult—if not impossible—to tell which message is sent from where and by who.

(Note: Some learners might be confused that computers using Tor Browser are not the same as Tor relays. You might need to clarify that Tor relays are explicitly volunteer computers for running Tor software to provide this network.)

The Tor network differs from a VPN, which operates just as a single hop. This is important because it means that a government subpoena or court order could demand data from the VPN company, so you have to trust the VPN company to be diligent in protecting your data (or, even better, not collecting it at all).

Another way to frame the difference between a VPN and Tor is in terms of censorship versus privacy concerns: if you want censorship circumvention but aren’t as concerned about  privacy issues, use a VPN. If you want censorship circumvention and privacy, you may want to look into using Tor. Give learners the caveat that the Tor network and Tor Browser have their own constraints and recommended practices for use, so interested parties should look at the Tor Project website: torproject.org.

Question: “Can my ISP or government see that I’m using a VPN?"

Answer: Yes, you should expect that your ISP or government will know that you’re using a VPN. Depending on where you are, the government may be able to make this determination in real-time or after contacting the ISP.

Some pieces of software, such as Tor, can mask the fact that the software is in use; however, in the case of Tor, you must choose this as an option when you start Tor Browser. You should also be aware that this is not perfect masking: a government may still be able to detect use of Tor using sophisticated methods.