#tor-meeting log

15:58:43 <cohosh> #startmeeting anti-censorship team meeting
15:58:43 <MeetBot> Meeting started Thu Jul 23 15:58:43 2020 UTC.  The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:43 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:43 <phw> o/
15:59:03 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:27 <juggy> o/
15:59:39 <antonela> hey!
15:59:46 <cohosh> looks like we have just one agenda item today before reading group
16:00:03 <cohosh> but feel free to add something
16:00:28 <cohosh> i think the announcement is dcf1's?
16:00:53 <dcf1> yes, Snowflake CDN cost $0.01 last month, this is the first time the cost was nonzero
16:01:11 <cohosh> :D lol
16:01:12 <antonela> :)
16:01:17 <dcf1> you can see the number of users increasing slowly at https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F
16:01:18 * phw starts a gofundme campaign
16:01:31 <cohosh> i've been wondering what these really tall spikes are
16:01:35 <dcf1> you lol now, just as I did in the early days of meek
16:01:38 <cohosh> since i think clients are binned by ip
16:01:53 <cohosh> dcf1: that's fair, heh
16:01:58 <dcf1> I've been telling myself the spikes are data errors, but I don't really know.
16:02:04 <gaba> o/
16:02:22 <dcf1> The mid-May one corresponded to the first alpha release, or a reboot of the broker, or something
16:02:30 <antonela> is this snowflakes being used?
16:02:41 <cohosh> antonela: this is the number of clients using snowflake
16:02:57 <antonela> nice
16:02:58 <cohosh> for the number of snowflakes used, https://metrics.torproject.org/collector.html#snowflake-stats is a better resource
16:03:27 <dcf1> I guess I will start a wiki page or something to track monthly costs
16:03:37 <cohosh> i haven't been keeping up with it but it would be interesting to visualize more of the stats just to see where we're at
16:03:45 <cohosh> dcf1: that's a good idea
16:03:46 <hanneloresx> hi everyone
16:03:54 <cohosh> hanneloresx: hi!
16:04:37 <dcf1> Feb 2019 cost for meek was $0.09 https://www.bamsoftware.com/papers/thesis/#fig:metrics-clients-meek
16:04:54 <dcf1> obv we don't expect Snowflake to increase *that* much, and we have ideas for other rendezvouses that don't cost money
16:05:11 <dcf1> *Feb 2014
16:05:29 <cohosh> nice
16:05:35 <dcf1> Oh hello moze
16:05:47 <dcf1> moze is one of the authors of the paper for reading group today
16:05:48 <cohosh> moze: welcome! you're the author of the vpn paper, right?
16:05:50 <moze> dcf1:hello
16:06:02 <moze> cohosh:yes
16:06:03 <cohosh> we're just wrapping up some agenda items and then we'll move onto the reading group
16:06:08 <phw> hi moze, welcome
16:06:18 <cohosh> on that note, anyone else have a discussion item before we assign reviews?
16:06:26 <moze> great
16:06:54 <moze> phw:thanks
16:07:21 <cohosh> okay, looks like phw would like general feedback on tpo/anti-censorship/bridgedb#32900
16:07:40 <phw> yes, i'd like to hear from anyone who has thoughts on this architecture
16:08:12 <cohosh> i'd like a review of tpo/anti-censorship/pluggable-transports/snowflake#30579
16:08:28 <phw> (or even just questions. because there's a good chance that i didn't take into account your question)
16:09:38 <cohosh> juggy: did you have a "needs help with" item?
16:09:55 <juggy> Yeah, but my connection got wonky while I was writing it
16:10:26 <juggy> Just wanted to say : open issues at https://github.com/jugheadjones10/anti-censorship-reading if you come across any papers/resources you think might be useful
16:10:55 <juggy> phw: Are there any specific reasons for moving to Golang from Python?
16:10:55 <dcf1> I'll review snowflake#30579
16:11:12 <cohosh> thanks dcf1
16:11:22 <cohosh> phw: woah nice figures in bridgedb#32900
16:11:46 <phw> juggy: the first bullet points talks about that: "We would implement our rewrite in Golang because 1) the anti-censorship team is comfortable with Golang, 2) it is fast, 3) it's less susceptible to runtime bugs, and 4) it makes it easy to implement bug-free concurrency."
16:12:56 <juggy> oh, got it!
16:13:09 <cohosh> okay waiting 1 more minute before starting the reading group...
16:14:19 <cohosh> cool, let's get started
16:14:40 <phw> let me provide a summary of the paper
16:14:50 <phw> which will feel a bit awkward given that we have an actual author here
16:14:54 * phw nervously looks at moze
16:15:03 <dcf1> no it's good
16:15:04 <dcf1> be bold
16:15:08 <phw> <summary>
16:15:15 <phw> this paper studied why people start using and eventually abandon the use of vpns
16:15:23 <phw> the authors administered a survey and advertised it among their cs students and on three reddit forums
16:15:43 <phw> they ended up with 90 survey responses, 37 of which use vpns specifically to protect their privacy
16:15:52 <phw> broadly speaking, one can distinguish between people who are motivated by emotions (eg fear of government surveillance) and people who are motivated by practical tasks (eg file sharing)
16:16:17 <phw> a key result is that the former group tends to use vpns longer while the latter group tends to only use vpns for specific tasks, and therefore not as long
16:16:25 <phw> </summary>
16:17:08 <moze> phw: great summarization
16:17:16 <dcf1> Parts of this were new to me, such as the formalisms for modeling user behavior
16:17:21 <phw> let me start the discussion by pointing out that i was surprised to read that more than half of the respondents actually read their vpn provider's privacy policy
16:17:34 <dcf1> The TAM (Technology Acceptance Model) of 1989 and the risk-as-feelings model of 2001
16:18:23 <dcf1> If I understand right, TAM is about reasons *for* adoption, while this paper seeks to go beyond and find reasons for *non-adoption*
16:19:05 <dcf1> phw: yes, and I was also surprised at the point about adopters trying 2 or 3 VPNs before settling on one (from memory, I may have that wrong)
16:20:34 <phw> i expect the respondents to be highly technical (either cs students or people who care enough to subscribe to /r/vpns etc), so that probably affects the results
16:20:53 <cohosh> yeah the trying out more than one point is at the beginning of section 4.4 i also found that interesting
16:21:16 <dcf1> thanks cohosh, I was looking but couldn't find it
16:21:40 <dcf1> The paper sites this chart of VPN usage regionally in 2018
16:21:41 <dcf1> https://blog.globalwebindex.com/chart-of-the-day/vpn-usage-2018/
16:22:16 <dcf1> 30% of Internet in users had used a VPN in the past month, compared to 23% in Latin AMerica and 18% in North America
16:22:43 <dcf1> The paper does not talk much directly about censorship, but I would guess that for most people, evading censorship is a practical, not emotional consideration?
16:23:45 <phw> dcf1: these numbers strike me as very high. i wonder what method they used to get these numbers
16:23:57 <dcf1> Very coarsely, I would say that Asia has higher censorship in general (India, China, Thailand, Iran for example) than the other regions.
16:24:19 <dcf1> The metric is "used a VPN at least once in the past month", it doesn't seem overly high to me
16:24:45 <dcf1> what do you think, moze, regardin the use of VPNs to avoid censorship?
16:25:58 <dcf1> I think of examples like this, a temporary block of Facebook in Bangladesh (https://phys.org/news/2015-12-bangladesh-facebook.html)
16:26:02 <dcf1> https://people.torproject.org/~dcf/metrics-country.html?start=2015-09-01&end=2016-03-01&country=bd
16:26:17 <dcf1> Check out how the graph goes right up and then right down again as soon as the block is lifted
16:26:19 <moze> dfc1: yes, censorship was seen as a practical issue to overcome.
16:26:51 <dcf1> To me, this says that people used Tor to get around a block, then abandoned it as soon as it was no longer necessary.
16:27:24 <phw> yes, one of my takeaway from the paper is that we will always have a significant number of "abandoners" who use tor for one-off tasks
16:28:04 <dcf1> Here's another temporary Facebook block, this one in Sri Lanka
16:28:05 <dcf1> https://people.torproject.org/~dcf/metrics-country.html?start=2018-01-01&end=2018-05-01&country=lk
16:29:02 <phw> wow, there's basically no retention after a few months
16:29:13 <phw> or very little, rather
16:29:25 <gaba> query antonela
16:29:27 <gaba> ooops
16:29:49 <hanneloresx> i thought it was interesting how the survey responses were coded as "Emotional Reasoning" or "Practical Reasoning." i'm wondering if the categorization was based on a common-sense read or whether some kind of heuristics were used in categorizing?
16:30:46 <cohosh> i wonder how easily the reasons for abandonment map to tor
16:30:50 <dcf1> There's something about that in section 3.3, page 89
16:30:50 <cohosh> we can rule out cost
16:31:18 <cohosh> and it doesn't need a renewal
16:31:32 <cohosh> which leaves effort to use/usability issues
16:31:35 <dcf1> "Specifically, based on Loewenstein et al.’s [33] risk-as-feelings theory, the answers to these questions were coded as either emotional and practical considerations. ... The inter-rater reliability (Cohen’s Kappa) of the raw agreement between the two independent coders [50] was 0.65."
16:31:58 <hanneloresx> ah ok, thanks dcf1
16:32:23 <dcf1> But I also wondered a little about the coding. Like "fear" of surveillance is an emotion, but I can see how it could also be practical.
16:32:40 <phw> i remember a respondent calling vpns cumbersome. that's much more of a problem for us. if only we had a "don't use tor for this site" feature, to make it easier for people to stick with tor browser
16:32:59 <dcf1> I guess there's a difference in that surveillance is invisible while blocking is noticeable, and gets in the way of getting things done.
16:33:17 <moze> dcf1 & hanneloresx: the categorization came about from Loewenstein et al.’s [33] risk-as-feelings theory. Then we basically went through the responses and coded them as such.
16:34:06 <arma2> dcf1: re "used tor browser to get around censorship but abandoned it when the censorship stopped", one of the lessons we learned from iran long ago is that in the *next* round of censorship, many people already had tor browser installed, so it was easier for them to go back to.
16:34:07 <dcf1> Another point that was interesting to me
16:34:28 <hanneloresx> thanks, interesting to know about these models.  i wonder if it'd be useful to use in our own usability studies?
16:34:32 <dcf1> "both adopters and abandoners appeared to have a good understanding (i.e., mental model) of how VPNs work."
16:34:48 <moze> dcf1: so anything that had an explicit mention of an emotion such as fear or dislike we coded that as an emotional driven reasoning.
16:36:46 <moze> hanneloresx: the good understanding of the mental models could also have been due to the tech savviness of our respondents. Unlike people who are just going from 0-1 in terms of getting to use VPNs for the first time.
16:37:10 <dcf1> Perhaps one could infer the proportion of emotion-driven and practically driven users by looking at the baseline of the graphs I posted
16:37:30 <phw> a lot of respondents picked their vpns by doing google searches, eg for "best vpns" etc. this makes me worried that fake tor browser apps may be a bigger problem that we realise
16:37:40 <hanneloresx> yeah
16:38:07 <dcf1> steady state of ~800 in the Sri Lanka graph, compared to the spike of 8000; estimate that 10% of potential users have some emotional connection to continued tor use, while 90% use it only if there is a practical need
16:38:37 <cohosh> phw: that's a good point :-S
16:38:39 <arma2> phw: i think the fake tor browser apps are a huge huge huge problem. maybe they are still worse than that, but, bad bad bad :)
16:39:26 <dcf1> I've noticed that Reddit /r/privacy has a rule against mentioning specific VPNs
16:39:42 <dcf1> I guess because the business is so cutthroat and otherwise you'd have people constantly shilling.
16:39:43 <hanneloresx> can't tor take action to take fake tor apps down? trademarks etc
16:39:50 <dcf1> "Due to the commercial nature of VPNs and most blockchain technologies, discussions are better directed the appropriate Subreddits. Discussing them as a category is great, advocating for individual ones not as much."
16:40:34 <arma2> hanneloresx: in theory yes, in practice it takes a great amount of energy, and once you finally succeed, ten more replace the ones you just got rid of
16:41:47 <cohosh> here's a list of known bad tor browsers: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Bad_TorBrowsers
16:42:58 <cohosh> you can see by looking at the application names/urls how easy it is to add more
16:43:03 <moze> cohosh: people relied on google searches, but also friend and expert recommendations (most trusted)
16:43:39 <dcf1> phw: section 4.5.2 says that Adopters were more likely to be suspicious of free VPNs, either because they lacked features or were suspected of doing bad things to make money
16:44:08 <dcf1> phw: so it's possible that Tor's lack of cost is actually a deterrent for some users
16:44:42 <phw> that's a good point
16:44:54 <hanneloresx> in that vein, perhaps if tor publicizes a list of fake tor browsers  (without spending all the energy on takedowns), tor can take the expert recommendation role
16:45:19 <hanneloresx> but i wonder if there's a way to do takedowns more efficiently at the apple/android app store level than by individual apps
16:46:03 <dcf1> I was atlking to someone at Lantern who said that takedowns are a constant battle
16:46:34 <dcf1> They had the problem of people unpacking their app, recompiling it with a little bit of extra advertising, and posting it with a name that would be found by searches
16:46:44 <moze> phw: for people who interested in protecting their privacy. If they do not see how the money is being made then they believe the provider is making money through their data. Thus, they would prefer to pay. But I am curious as to whether the open source nature of the tor changes people's perspective about the cost?
16:46:47 <phw> personally knowing somebody in google/apple would probably go a long way
16:47:13 <dcf1> Not even an evil Trojan attack trying to break the security of the tunnel, just people trying to make money off a popular app
16:47:16 <arma2> dcf1: yep. it breaks my heart every time i hear "i love tor but the advertisements are obnoxious" or "i love tor, but why does it cost $5"
16:47:51 <cohosh> :/
16:49:17 <dcf1> moze: one point I was a little confused about
16:49:48 <dcf1> The paper talks specifically about "VPNs as PETs"; i.e., it's excluding non-privacy-related uses of VPNs
16:50:27 <dcf1> Taking the example of someone who needs a VPN to access their work network, is that considered a VPN as a PET? Or is that excluded from your survey?
16:51:12 <dcf1> I guess I'm talking about the "For Non-privacy reasons (49)" part of Fig. 2 on page 90.
16:51:40 <moze> dcf1: that was excluded from our study unless if it was a combination of both privacy + work network access. We were explicitly looking for people who came to use VPNs for privacy protection purposes.
16:52:06 <moze> excluded we mean from interpretation of our results.
16:52:21 <dcf1> ok. I guess section 3.1.1 covers it
16:53:34 <phw> hm, we may want a "why is it free?" section on torproject.org's landing page.
16:54:02 <dcf1> Section 5 has some recommendations for VPN providers to increase trust and adoption. Are there any that apply to us?
16:54:42 <dcf1> E.g. "VPN service providers need to find a way to convince them to transition into longer-term users by offering a trustworthy free application and/or by periodically reminding them of potential emotional considerations...
16:55:44 <dcf1> arma2 has a good point that short-term practical considerations can drive someone to get over the barrier of installing and using Tor for the first time, and that it will be easier for them to do the second time
16:56:45 <cohosh> "notification with a message describing some protection statistics"
16:57:02 <phw> there's a fine line between "reminding someone of emotional considerations" and "being alarmist and/or manipulating someone". many of the vpn players engage in a race to the bottom, which makes it difficult for us
16:57:25 <dcf1> that poor sad bear... hates to see you go
16:57:50 <moze> dcf1: **smiley face**
16:58:16 <dcf1> I'm thinking about all the people who now run our Snowflake extension. I have to think that they are primarily motivated by emotion, in the fraework of this paper
16:58:17 <phw> sad onion hates to see you go: https://i.kym-cdn.com/photos/images/original/000/904/233/3ec.jpg
16:58:28 <antonela> haha
16:58:36 <cohosh> lmao phw
16:58:37 <dcf1> Because there's nothing in it for them, they just feel good about helping provide access to someone
16:58:46 <cohosh> dcf1: yeah i think you're right
16:58:49 <cohosh> we also provide stats
16:59:06 <cohosh> and lately my stats have shown 1-5 users/day
16:59:29 <dcf1> oh sweet. I admit I haven't run the extension in a while.
16:59:31 <cohosh> which feels good even though i suspect i am at least 1-2 of those users
16:59:41 <dcf1> I mean, what's in it for me? ;)
16:59:44 <moze> The stats are definitely helpful in bubbling up/showing value or the benefit of using.
17:02:44 <dcf1> I'm thinking now that it would be interesting to know some of this same information about users of circumvention systems
17:02:58 <dcf1> I suspect that a lot of them find a VPN and that's good enough
17:03:13 <dcf1> If a VPN doesn't work, what next? How do they decide what to use and trust?
17:04:01 <cohosh> yup, i can imagine trust here being interesting
17:04:07 <dcf1> Or it may be that just about anything will work, so people use whatever is cheapest and most usable
17:04:12 <dcf1> just brainstorming
17:04:37 <dcf1> https://github.com/topics/censorship-circumvention
17:04:42 <dcf1> no shortage of tools to choose from
17:06:26 <cohosh> and those are just the open source ones
17:06:44 <cohosh> some of them anyway
17:07:23 <hanneloresx> probably a mix of name recognition, trust, word of mouth, etc. but yeah, it would be really interesting and helpful to see a more formalized study of how people choose
17:10:54 <cohosh> looks like the discussion is winding down a bit, any last comments?
17:12:15 <arma2> i liked the notion of trying to encourage moze with the questions you hoped somebody would answer :)
17:14:04 <cohosh> yup :)
17:14:23 <cohosh> okay I'll end the meeting here, thanks for the discussion everyone!
17:14:38 <cohosh> #endmeeting