Censorship circumvention and encrypting your traffic with a VPN

Lesson Content

Warmup: Blocked Content, Exploring Trustworthiness and Partner Introductions
 

Ask the following question:  “Raise your hands if you have done the following. Have you ever tried to read an article, watch a TV show, or play an online game on a network that wouldn’t let you?” If learners appear stuck, you can give the example of being blocked from a site or service while on a school network, at work, or in another country.

If learners seem comfortable, you can follow up with the question: “What did you do when you found out the content was blocked?”

Some of them may answer with: “try the mobile site,” “try the site with a different country URL at the end,” “go through Google translate,” “google a block of text to find the content hosted somewhere else,” “try the HTTPS version of the site,” “use Tor Browser,” “give up,” or “use a VPN.” Highlight any answers about a VPN—you can ask a volunteer to elaborate on how they used it and what it looked like for them.

Then, have attendees break into small groups of four or five. Give them five to ten minutes to introduce themselves with the following icebreaker questions:

1. What’s your name and pronouns?
2. What brought you here today?
3. Has someone ever asked you to watch over something of theirs? For example, has someone ever asked you to watch their bag?

• How did they know you were trustworthy?
• What did you do with the valuable information or item they gave you?

Now reconvene and have participants share examples of the valuables that they were entrusted to protect. Ask: Has this ever happened with a stranger? Did they ask you to watch their wallet, bag, or computer when you’re at a coffee shop, bus stop, or a train station?

Knowledge Share: Introduce the general idea of what an ISP can see, and what a VPN is.

You can use their answers to the warmup as a transition to explain how participants’ Internet Service Providers (ISPs) are also entrusted with valuable information.

Facilitator: “Internet Service Providers, or ISPs, are able to see valuable information when you connect to a WiFi network. What are some examples of what they can see?”

Answers you may get are, “my email” or “my browsing history.” Some participants may also bring up Net Neutrality when discussing what ISPs are able to see and control, like blocking or slowing down content.

Then ask whether participants place the same level of trust in their ISP as they would place in their friends or family with sensitive information or belongings.

A Virtual Private Network (VPN) is software that masks your IP address and makes it look like you’re coming from somewhere else, by routing your Internet activity through a server. It is often used for censorship circumvention—for example, when you are using a school’s censored Internet connection or in a country that blocks content. Using a VPN, you should be able to access blocked websites.

The facilitator should highlight the following point: There is no “one size fits all” VPN. Each person may have different needs for how they hope to use a VPN.

Then, explain that just as you trust some people more or less than others, some VPNs are more or less trustworthy than others as well. It’s often difficult to assess a VPN’s trustworthiness, but there are a few specific things that you can look for when investigating a VPN's trustworthiness.

Knowledge Share: What makes a trustworthy VPN?

Have participants get back into their groups, and pose the question:

“What might you look for when choosing a VPN? Think of what makes you trust another person, and use that as a guide. In five minutes, we’ll share what we discussed.”

Have the groups discuss with each other and reconvene. Have participants share what answers they came up with in their groups. Some answers you may get are, “They have a good reputation,” or, “They have a history of others trusting them.” Explain that just like with deciding whether to trusting another person, a VPN’s reputation matters. Other answers that may come up are, “They keep their data safe,” and explain how a VPN’s use of encryption technologies can help with keeping data safe.

Your learners may have questions instead of answers—such as “How do I know if a VPN does what it says it does?” Encourage these questions, as they show critical thinking around hard issues that security professionals also grapple with when evaluating software. You can revisit their questions after explaining how VPNs work.

Activity: Drawing “You,” “ISP,” and “VPN.”

Participants will now be asked to draw, either individually or in groups, what they think the relationship is between themselves, their ISP, and their VPN.  Before they start to draw, explain some of the helpful imagery that they might use in their illustration:

• “Tubes,” “pipes” or “tunnels” can be used to illustrate paths through which information flows.
  • Tubes can be *nested* inside other tubes.
• “Scrolls” or “postcards” can be used to illustrate bits of valuable information. Some examples of valuable information include: messages between friends, websites you visit, articles you read.
• “Robots” or “computers” can be used to illustrate ISPs and VPNs, who can either:
  • Hold up a tube (keeping the infrastructure running by supporting it), or
  • Be a point where a tube begins or ends (e.g., where the connection goes).

Give participants 5 or 10 minutes to draw. Ask them to label each of the components. If learners are stuck, you can give them the following guidelines for their drawings:

• The drawing must show the initiating computer or phone attempting to connect with a website.
• The drawing must show a connection with a VPN.
• The drawing must show a connection with an Internet Service Provider.
• The drawing must show the intended destination (the website) of the initial computer.

Once the drawings are done, learners can post up their drawings on a wall.  

Some things to ask when going over their illustrations:

• What is happening in this diagram?
• What information is being shared?

Review some of the drawings, giving positive feedback when you see something that hints at the way VPNs really work. Be careful to take note of any places of misunderstanding in their explanations, and go over these misconceptions with the group as a whole.

More nuanced questions you can ask to check for their understanding are:

• Is the [connection metaphor, e.g., tube or tunnel] transparent? Or is it hiding contents inside?

• What can the Internet Service Provider see if you’re not using a VPN?

• What changes when you connect to a VPN?
• What can the VPN see?
• Where does the Internet Service Provider think you are connecting from?
• Where does the VPN think you are connecting from?

After going over the participants drawings, you can illustrate your own version of a diagram, which describes this relationship.

Knowledge Share: VPN constraints

Now that your learners have a general sense of the role of a VPN, you can go in more detail on  VPN characteristics.

Privacy and Security Claims

Some VPNs claim to not share or sell data. You should encourage learners to think about: how can you verify these claims? Encourage learners to look closely at all claims that a VPN makes, and emphasize that marketing claims are not guarantees.  For example, reviewing the the privacy policy for a VPN will often uncover details about how the VPN monetizes your data, even if the VPN doesn’t sell it directly to third parties.

Business Model

Even if a VPN isn’t selling your data, it must be able to stay in operation somehow. If the VPN provider doesn’t sell its service (i.e., if its a free VPN service), teach your learners to ask: How is it keeping its business afloat? Does it solicit donations? What is the VPN’s business model? Some VPNs run on a “freemium” model, meaning they are free to join but will charge you after you transfer a certain amount of data over their service. Others are completely free, but they might come at a privacy cost (e.g., they may sell or otherwise monetize data). Particularly if your users’ budgets are constrained, these are important  considerations for your learners to be aware of. These are all important considerations that your learners should think about before settling on the VPN that is right for them.

Reputation

Another consideration is reputation. This can be a difficult judgement to make. It is worthwhile to do some research on the people and organizations associated with the VPN. Is it endorsed by security professionals? If a VPN is established by people that are known in the information security community, it is more likely to be trustworthy. Does the VPN have news articles written about it?  Be skeptical of a VPN offering a service that no one wants to stake their personal reputation on, or one that is run by a company that no one knows about.

Data Collection Practices

A service that does not collect data in the first place will not be able to sell that data. When looking through the privacy policy, see whether the VPN actually collects user data. If it doesn’t explicitly state that no user connection data is being logged, chances are that it is. And, depending on jurisdiction, a government can demand that data or issue a subpoena for it.

Even if a company claims not to log connection data, this may not always be a guarantee of good behavior. Encourage your learners to investigate instances where a VPN has been mentioned in the media. They may have been caught misleading or lying to their customers. A simple search can go a long way.

Encryption

You can encourage your learners to look at how safe their VPN encryption is; that is, if the transport-layer encryption utilized by a VPN is doing its intended job. You can use the analogy of how “transparent” or “fragile” a tube is in the previous drawings. If a VPN is using broken encryption—such as Point-to-Point Tunneling Protocol (PPTP) or weak encryption ciphers—it is  as if your tunnel is see-through. Any data flowing through it can be seen by your ISP, government or bad actors. Evaluating the strength of a VPN’s encryption can be difficult to do, so you may want to point the learners to the technical considerations outlined in the Freedom of the Press Foundation's helpful VPN guide or the “technical security” column in this VPN comparison chart. If any of your learners are using (or considering using) a workplace VPN, encourage them to contact their IT department and inquire about the security of the connection.

Location and Laws

Finally, some learners may choose a VPN based on where its headquarters are located. You can mention that for some people, such as activists and high-stakes journalists, choosing a VPN based on the applicable data privacy laws may be an important factor. But also be sure to mention that company policies and laws are subject to change at any time.

Knowledge Share: VPNs and Software

Now that your learners know some of the criteria for evaluating VPNs, you can go into more detail about how they might connect to a VPN, and what they should be thinking about when installing software. You can explain:

Facilitator: “Some VPNs have you install a custom application that is specific to that particular VPN. How can this be helpful?”

One answer you might hear is that it is more convenient to connect using an application that is specific to their particular VPN. VPNs with friendly user interfaces are often easier to adopt than generic interfaces that require custom configuration (e.g., entering server names and port numbers in order to connect).

You can explain:

“Yes, having a dedicated, separate program that is provided by your VPN can be really useful. It can make connecting to that VPN a painless process, without the need to enter confusing settings such as the server name and port number.”

You can then pose the question:

“But, what might be dangerous about installing VPN software?”

Someone may answer, “Because VPNs can be untrustworthy!” Unlike ISPs, it’s easy for anyone on the Internet to set up a VPN service with minimal effort. You may explain that because any piece of software you install can be malware in disguise, it is important to establish the trustworthiness of  any software before you install it. It is worth reinforcing this point:

Facilitator: “You must be very confident in any VPN software you choose to install, since any malicious software installed on your machine can do a lot of harm. Very few VPNs have had formal ‘security audits,’ which means allowing external evaluators to comprehensively examine a software’s security and practices.”

Encourage participants to do their research on VPN providers and look for articles from reputable media sources on any VPN software they are considering installing before they install it.

Recap Activity: VPNs - What are they good for? What aren’t they good for?

Now that you’ve covered the benefits of using a VPN and the important considerations your learners should be thinking about when assessing the privacy and security of any particular VPN service , you’ll want to review the material with your learners.

Have the room break into groups. Give them the following prompt and have them write down their answers on sticky notes, with one idea per note:

Facilitator: “You have five minutes to come up with answers to the following question: ‘How would a VPN would be useful?’”

Meanwhile, in a visible area, you can write the following categories:

Security

Privacy on untrustworthy networks (e.g., unfamiliar WiFi)

Censorship circumvention

Protecting data from ISPs

Protecting data from governments

After learners have written their ideas on the sticky notes, explain the categories you’ve provided. Then, have the participants come up and place their answers in the appropriate categories. After everyone is done, you can explain how students can see for themselves that VPNs have a wide range of uses, keeping the caveats in mind. Read some of the notes aloud and provide positive reinforcement for the answers that stand out.

Once this is done, ask your learners to discuss in their groups: “What are VPNs *not* good for? In a few minutes, we’ll share what we talked about.”

After they have chatted in their groups for 2-3 minutes, ask them to share what they talked about. Answers may include: “VPNs aren’t good for real anonymity,” or “VPNs won’t protect a government from accessing your data with a subpoena,” or  ”VPNs don’t protect my browser from trackers.”

Learners will likely have many questions. Be sure to allocate enough time for questions and answers.

Learners will need refreshers on the topics covered in this lesson. Be sure to point them to follow-up resources, such as:

• Choosing the VPN That’s Right For You
• What Should I Know About Encryption?
• An Overview of Web Browsing Security

For learners who are concerned about anonymity (rather than censorship circumvention) or about privacy from ISPs and governments, you may want to point them to SSD’s Tor Browser guides (MacOS, Linux, Windows), as well as the Tor Project’s resources on how to use the Tor Browser. Please note that Tor Browser has unique considerations for maintaining anonymity, so special training is recommended.