"All of them claim to be the best": Multi-perspective study of VPN users and VPN providers

Reethika Ramesh,Anjali Vyas,Roya Ensafi
DOI: https://doi.org/10.48550/arXiv.2208.03505
2022-09-29
Abstract:As more users adopt VPNs for a variety of reasons, it is important to develop empirical knowledge of their needs and mental models of what a VPN offers. Moreover, studying VPN users alone is not enough because, by using a VPN, a user essentially transfers trust, say from their network provider, onto the VPN provider. To that end, we are the first to study the VPN ecosystem from both the users' and the providers' perspectives. In this paper, we conduct a quantitative survey of 1,252 VPN users in the U.S. and qualitative interviews of nine providers to answer several research questions regarding the motivations, needs, threat model, and mental model of users, and the key challenges and insights from VPN providers. We create novel insights by augmenting our multi-perspective results, and highlight cases where the user and provider perspectives are misaligned. Alarmingly, we find that users rely on and trust VPN review sites, but VPN providers shed light on how these sites are mostly motivated by money. Worryingly, we find that users have flawed mental models about the protection VPNs provide, and about data collected by VPNs. We present actionable recommendations for technologists and security and privacy advocates by identifying potential areas on which to focus efforts and improve the VPN ecosystem.
Cryptography and Security
What problem does this paper attempt to address?
The paper attempts to address the following key issues: 1. **User Motivation and Needs**: Investigate the main reasons, considerations, and needs of users when using VPNs. For example, why do users choose to use VPNs? What factors do they consider when selecting a VPN provider? 2. **User Security Perception and Threat Model**: Explore users' sense of security when using and not using VPNs, and whom they wish to protect their online activities from. For example, from whom do users seek to protect or hide their online activities? 3. **User Cognitive Model**: Assess whether users accurately understand how VPNs work and whether they have a correct understanding of the types of data VPNs collect. For example, are users aware of the protections provided by VPNs and the data that VPNs collect? 4. **User Perception and Trust in the VPN Ecosystem**: Understand users' overall views of the entire VPN ecosystem, including their trust levels in different VPN providers. For example, how do users evaluate the VPN ecosystem? 5. **Differences in Perspectives Between Users and Providers**: Analyze the differences in priorities and incentives between users and providers to identify potential inconsistencies. For example, in which key areas do users and providers have different views and interests? Through the study of these issues, the authors hope to reveal the real situation of users and providers in the VPN ecosystem, identify potential problems, and propose improvement suggestions to enhance the transparency and credibility of the entire ecosystem. Specifically, the paper finds that users have misunderstandings about the protective capabilities and data collection of VPNs and overly rely on unreliable VPN recommendation websites, which are often driven by financial incentives. Additionally, users prioritize speed, price, and ease of use over technical features when choosing a VPN. These findings provide important references for improving the VPN ecosystem.