15:58:43 <cohosh> #startmeeting anti-censorship team meeting
15:58:43 <MeetBot> Meeting started Thu Jul 23 15:58:43 2020 UTC. The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:43 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:43 <phw> o/
15:59:03 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:27 <juggy> o/
15:59:39 <antonela> hey!
15:59:46 <cohosh> looks like we have just one agenda item today before reading group
16:00:03 <cohosh> but feel free to add something
16:00:28 <cohosh> i think the announcement is dcf1's?
16:00:53 <dcf1> yes, Snowflake CDN cost $0.01 last month, this is the first time the cost was nonzero
16:01:11 <cohosh> :D lol
16:01:12 <antonela> :)
16:01:17 <dcf1> you can see the number of users increasing slowly at https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F
16:01:18 * phw starts a gofundme campaign
16:01:31 <cohosh> i've been wondering what these really tall spikes are
16:01:35 <dcf1> you lol now, just as I did in the early days of meek
16:01:38 <cohosh> since i think clients are binned by ip
16:01:53 <cohosh> dcf1: that's fair, heh
16:01:58 <dcf1> I've been telling myself the spikes are data errors, but I don't really know.
16:02:04 <gaba> o/
16:02:22 <dcf1> The mid-May one corresponded to the first alpha release, or a reboot of the broker, or something
16:02:30 <antonela> is this snowflakes being used?
16:02:41 <cohosh> antonela: this is the number of clients using snowflake
16:02:57 <antonela> nice
16:02:58 <cohosh> for the number of snowflakes used, https://metrics.torproject.org/collector.html#snowflake-stats is a better resource
16:03:27 <dcf1> I guess I will start a wiki page or something to track monthly costs
16:03:37 <cohosh> i haven't been keeping up with it but it would be interesting to visualize more of the stats just to see where we're at
16:03:45 <cohosh> dcf1: that's a good idea
16:03:46 <hanneloresx> hi everyone
16:03:54 <cohosh> hanneloresx: hi!
16:04:37 <dcf1> Feb 2019 cost for meek was $0.09 https://www.bamsoftware.com/papers/thesis/#fig:metrics-clients-meek
16:04:54 <dcf1> obv we don't expect Snowflake to increase *that* much, and we have ideas for other rendezvouses that don't cost money
16:05:11 <dcf1> *Feb 2014
16:05:29 <cohosh> nice
16:05:35 <dcf1> Oh hello moze
16:05:47 <dcf1> moze is one of the authors of the paper for reading group today
16:05:48 <cohosh> moze: welcome! you're the author of the vpn paper, right?
16:05:50 <moze> dcf1:hello
16:06:02 <moze> cohosh:yes
16:06:03 <cohosh> we're just wrapping up some agenda items and then we'll move onto the reading group
16:06:08 <phw> hi moze, welcome
16:06:18 <cohosh> on that note, anyone else have a discussion item before we assign reviews?
16:06:26 <moze> great
16:06:54 <moze> phw:thanks
16:07:21 <cohosh> okay, looks like phw would like general feedback on tpo/anti-censorship/bridgedb#32900
16:07:40 <phw> yes, i'd like to hear from anyone who has thoughts on this architecture
16:08:12 <cohosh> i'd like a review of tpo/anti-censorship/pluggable-transports/snowflake#30579
16:08:28 <phw> (or even just questions. because there's a good chance that i didn't take into account your question)
16:09:38 <cohosh> juggy: did you have a "needs help with" item?
16:09:55 <juggy> Yeah, but my connection got wonky while I was writing it
16:10:26 <juggy> Just wanted to say: open issues at https://github.com/jugheadjones10/anti-censorship-reading if you come across any papers/resources you think might be useful
16:10:55 <juggy> phw: Are there any specific reasons for moving to Golang from Python?
16:10:55 <dcf1> I'll review snowflake#30579
16:11:12 <cohosh> thanks dcf1
16:11:22 <cohosh> phw: woah nice figures in bridgedb#32900
16:11:46 <phw> juggy: the first bullet point talks about that: "We would implement our rewrite in Golang because 1) the anti-censorship team is comfortable with Golang, 2) it is fast, 3) it's less susceptible to runtime bugs, and 4) it makes it easy to implement bug-free concurrency."
16:12:56 <juggy> oh, got it!
16:13:09 <cohosh> okay waiting 1 more minute before starting the reading group...
16:14:19 <cohosh> cool, let's get started
16:14:40 <phw> let me provide a summary of the paper
16:14:50 <phw> which will feel a bit awkward given that we have an actual author here
16:14:54 * phw nervously looks at moze
16:15:03 <dcf1> no it's good
16:15:04 <dcf1> be bold
16:15:08 <phw> <summary>
16:15:15 <phw> this paper studied why people start using and eventually abandon the use of vpns
16:15:23 <phw> the authors administered a survey and advertised it among their cs students and on three reddit forums
16:15:43 <phw> they ended up with 90 survey responses, 37 of which use vpns specifically to protect their privacy
16:15:52 <phw> broadly speaking, one can distinguish between people who are motivated by emotions (eg fear of government surveillance) and people who are motivated by practical tasks (eg file sharing)
16:16:17 <phw> a key result is that the former group tends to use vpns longer while the latter group tends to only use vpns for specific tasks, and therefore not as long
16:16:25 <phw> </summary>
16:17:08 <moze> phw: great summarization
16:17:16 <dcf1> Parts of this were new to me, such as the formalisms for modeling user behavior
16:17:21 <phw> let me start the discussion by pointing out that i was surprised to read that more than half of the respondents actually read their vpn provider's privacy policy
16:17:34 <dcf1> The TAM (Technology Acceptance Model) of 1989 and the risk-as-feelings model of 2001
16:18:23 <dcf1> If I understand right, TAM is about reasons *for* adoption, while this paper seeks to go beyond and find reasons for *non-adoption*
16:19:05 <dcf1> phw: yes, and I was also surprised at the point about adopters trying 2 or 3 VPNs before settling on one (from memory, I may have that wrong)
16:20:34 <phw> i expect the respondents to be highly technical (either cs students or people who care enough to subscribe to /r/vpns etc), so that probably affects the results
16:20:53 <cohosh> yeah the trying out more than one point is at the beginning of section 4.4 i also found that interesting
16:21:16 <dcf1> thanks cohosh, I was looking but couldn't find it
16:21:40 <dcf1> The paper cites this chart of VPN usage regionally in 2018
16:21:41 <dcf1> https://blog.globalwebindex.com/chart-of-the-day/vpn-usage-2018/
16:22:16 <dcf1> 30% of Internet in users had used a VPN in the past month, compared to 23% in Latin America and 18% in North America
16:22:43 <dcf1> The paper does not talk much directly about censorship, but I would guess that for most people, evading censorship is a practical, not emotional consideration?
16:23:45 <phw> dcf1: these numbers strike me as very high. i wonder what method they used to get these numbers
16:23:57 <dcf1> Very coarsely, I would say that Asia has higher censorship in general (India, China, Thailand, Iran for example) than the other regions.
16:24:19 <dcf1> The metric is "used a VPN at least once in the past month", it doesn't seem overly high to me
16:24:45 <dcf1> what do you think, moze, regarding the use of VPNs to avoid censorship?
16:25:58 <dcf1> I think of examples like this, a temporary block of Facebook in Bangladesh (https://phys.org/news/2015-12-bangladesh-facebook.html)
16:26:02 <dcf1> https://people.torproject.org/~dcf/metrics-country.html?start=2015-09-01&end=2016-03-01&country=bd
16:26:17 <dcf1> Check out how the graph goes right up and then right down again as soon as the block is lifted
16:26:19 <moze> dfc1: yes, censorship was seen as a practical issue to overcome.
16:26:51 <dcf1> To me, this says that people used Tor to get around a block, then abandoned it as soon as it was no longer necessary.
16:27:24 <phw> yes, one of my takeaways from the paper is that we will always have a significant number of "abandoners" who use tor for one-off tasks
16:28:04 <dcf1> Here's another temporary Facebook block, this one in Sri Lanka
16:28:05 <dcf1> https://people.torproject.org/~dcf/metrics-country.html?start=2018-01-01&end=2018-05-01&country=lk
16:29:02 <phw> wow, there's basically no retention after a few months
16:29:13 <phw> or very little, rather
16:29:25 <gaba> query antonela
16:29:27 <gaba> ooops
16:29:49 <hanneloresx> i thought it was interesting how the survey responses were coded as "Emotional Reasoning" or "Practical Reasoning." i'm wondering if the categorization was based on a common-sense read or whether some kind of heuristics were used in categorizing?
16:30:46 <cohosh> i wonder how easily the reasons for abandonment map to tor
16:30:50 <dcf1> There's something about that in section 3.3, page 89
16:30:50 <cohosh> we can rule out cost
16:31:18 <cohosh> and it doesn't need a renewal
16:31:32 <cohosh> which leaves effort to use/usability issues
16:31:35 <dcf1> "Specifically, based on Loewenstein et al.’s [33] risk-as-feelings theory, the answers to these questions were coded as either emotional and practical considerations. ... The inter-rater reliability (Cohen’s Kappa) of the raw agreement between the two independent coders [50] was 0.65."
16:31:58 <hanneloresx> ah ok, thanks dcf1
16:32:23 <dcf1> But I also wondered a little about the coding. Like "fear" of surveillance is an emotion, but I can see how it could also be practical.
16:32:40 <phw> i remember a respondent calling vpns cumbersome. that's much more of a problem for us. if only we had a "don't use tor for this site" feature, to make it easier for people to stick with tor browser
16:32:59 <dcf1> I guess there's a difference in that surveillance is invisible while blocking is noticeable, and gets in the way of getting things done.
16:33:17 <moze> dcf1 & hanneloresx: the categorization came about from Loewenstein et al.’s [33] risk-as-feelings theory. Then we basically went through the responses and coded them as such.
16:34:06 <arma2> dcf1: re "used tor browser to get around censorship but abandoned it when the censorship stopped", one of the lessons we learned from iran long ago is that in the *next* round of censorship, many people already had tor browser installed, so it was easier for them to go back to.
16:34:07 <dcf1> Another point that was interesting to me
16:34:28 <hanneloresx> thanks, interesting to know about these models. i wonder if it'd be useful to use in our own usability studies?
16:34:32 <dcf1> "both adopters and abandoners appeared to have a good understanding (i.e., mental model) of how VPNs work."
16:34:48 <moze> dcf1: so anything that had an explicit mention of an emotion such as fear or dislike we coded that as an emotional driven reasoning.
16:36:46 <moze> hanneloresx: the good understanding of the mental models could also have been due to the tech savviness of our respondents. Unlike people who are just going from 0-1 in terms of getting to use VPNs for the first time.
16:37:10 <dcf1> Perhaps one could infer the proportion of emotion-driven and practically driven users by looking at the baseline of the graphs I posted
16:37:30 <phw> a lot of respondents picked their vpns by doing google searches, eg for "best vpns" etc. this makes me worried that fake tor browser apps may be a bigger problem than we realise
16:37:40 <hanneloresx> yeah
16:38:07 <dcf1> steady state of ~800 in the Sri Lanka graph, compared to the spike of 8000; estimate that 10% of potential users have some emotional connection to continued tor use, while 90% use it only if there is a practical need
16:38:37 <cohosh> phw: that's a good point :-S
16:38:39 <arma2> phw: i think the fake tor browser apps are a huge huge huge problem. maybe they are still worse than that, but, bad bad bad :)
16:39:26 <dcf1> I've noticed that Reddit /r/privacy has a rule against mentioning specific VPNs
16:39:42 <dcf1> I guess because the business is so cutthroat and otherwise you'd have people constantly shilling.
16:39:43 <hanneloresx> can't tor take action to take fake tor apps down? trademarks etc
16:39:50 <dcf1> "Due to the commercial nature of VPNs and most blockchain technologies, discussions are better directed the appropriate Subreddits. Discussing them as a category is great, advocating for individual ones not as much."
16:40:34 <arma2> hanneloresx: in theory yes, in practice it takes a great amount of energy, and once you finally succeed, ten more replace the ones you just got rid of
16:41:47 <cohosh> here's a list of known bad tor browsers: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Bad_TorBrowsers
16:42:58 <cohosh> you can see by looking at the application names/urls how easy it is to add more
16:43:03 <moze> cohosh: people relied on google searches, but also friend and expert recommendations (most trusted)
16:43:39 <dcf1> phw: section 4.5.2 says that Adopters were more likely to be suspicious of free VPNs, either because they lacked features or were suspected of doing bad things to make money
16:44:08 <dcf1> phw: so it's possible that Tor's lack of cost is actually a deterrent for some users
16:44:42 <phw> that's a good point
16:44:54 <hanneloresx> in that vein, perhaps if tor publicizes a list of fake tor browsers (without spending all the energy on takedowns), tor can take the expert recommendation role
16:45:19 <hanneloresx> but i wonder if there's a way to do takedowns more efficiently at the apple/android app store level than by individual apps
16:46:03 <dcf1> I was talking to someone at Lantern who said that takedowns are a constant battle
16:46:34 <dcf1> They had the problem of people unpacking their app, recompiling it with a little bit of extra advertising, and posting it with a name that would be found by searches
16:46:44 <moze> phw: for people who are interested in protecting their privacy. If they do not see how the money is being made then they believe the provider is making money through their data. Thus, they would prefer to pay. But I am curious as to whether the open source nature of the tor changes people's perspective about the cost?
16:46:47 <phw> personally knowing somebody in google/apple would probably go a long way
16:47:13 <dcf1> Not even an evil Trojan attack trying to break the security of the tunnel, just people trying to make money off a popular app
16:47:16 <arma2> dcf1: yep. it breaks my heart every time i hear "i love tor but the advertisements are obnoxious" or "i love tor, but why does it cost $5"
16:47:51 <cohosh> :/
16:49:17 <dcf1> moze: one point I was a little confused about
16:49:48 <dcf1> The paper talks specifically about "VPNs as PETs"; i.e., it's excluding non-privacy-related uses of VPNs
16:50:27 <dcf1> Taking the example of someone who needs a VPN to access their work network, is that considered a VPN as a PET? Or is that excluded from your survey?
16:51:12 <dcf1> I guess I'm talking about the "For Non-privacy reasons (49)" part of Fig. 2 on page 90.
16:51:40 <moze> dcf1: that was excluded from our study unless if it was a combination of both privacy + work network access. We were explicitly looking for people who came to use VPNs for privacy protection purposes.
16:52:06 <moze> excluded we mean from interpretation of our results.
16:52:21 <dcf1> ok. I guess section 3.1.1 covers it
16:53:34 <phw> hm, we may want a "why is it free?" section on torproject.org's landing page.
16:54:02 <dcf1> Section 5 has some recommendations for VPN providers to increase trust and adoption. Are there any that apply to us?
16:54:42 <dcf1> E.g. "VPN service providers need to find a way to convince them to transition into longer-term users by offering a trustworthy free application and/or by periodically reminding them of potential emotional considerations...
16:55:44 <dcf1> arma2 has a good point that short-term practical considerations can drive someone to get over the barrier of installing and using Tor for the first time, and that it will be easier for them to do the second time
16:56:45 <cohosh> "notification with a message describing some protection statistics"
16:57:02 <phw> there's a fine line between "reminding someone of emotional considerations" and "being alarmist and/or manipulating someone". many of the vpn players engage in a race to the bottom, which makes it difficult for us
16:57:25 <dcf1> that poor sad bear... hates to see you go
16:57:50 <moze> dcf1: **smiley face**
16:58:16 <dcf1> I'm thinking about all the people who now run our Snowflake extension. I have to think that they are primarily motivated by emotion, in the framework of this paper
16:58:17 <phw> sad onion hates to see you go: https://i.kym-cdn.com/photos/images/original/000/904/233/3ec.jpg
16:58:28 <antonela> haha
16:58:36 <cohosh> lmao phw
16:58:37 <dcf1> Because there's nothing in it for them, they just feel good about helping provide access to someone
16:58:46 <cohosh> dcf1: yeah i think you're right
16:58:49 <cohosh> we also provide stats
16:59:06 <cohosh> and lately my stats have shown 1-5 users/day
16:59:29 <dcf1> oh sweet. I admit I haven't run the extension in a while.
16:59:31 <cohosh> which feels good even though i suspect i am at least 1-2 of those users
16:59:41 <dcf1> I mean, what's in it for me? ;)
16:59:44 <moze> The stats are definitely helpful in bubbling up/showing value or the benefit of using.
17:02:44 <dcf1> I'm thinking now that it would be interesting to know some of this same information about users of circumvention systems
17:02:58 <dcf1> I suspect that a lot of them find a VPN and that's good enough
17:03:13 <dcf1> If a VPN doesn't work, what next? How do they decide what to use and trust?
17:04:01 <cohosh> yup, i can imagine trust here being interesting
17:04:07 <dcf1> Or it may be that just about anything will work, so people use whatever is cheapest and most usable
17:04:12 <dcf1> just brainstorming
17:04:37 <dcf1> https://github.com/topics/censorship-circumvention
17:04:42 <dcf1> no shortage of tools to choose from
17:06:26 <cohosh> and those are just the open source ones
17:06:44 <cohosh> some of them anyway
17:07:23 <hanneloresx> probably a mix of name recognition, trust, word of mouth, etc. but yeah, it would be really interesting and helpful to see a more formalized study of how people choose
17:10:54 <cohosh> looks like the discussion is winding down a bit, any last comments?
17:12:15 <arma2> i liked the notion of trying to encourage moze with the questions you hoped somebody would answer :)
17:14:04 <cohosh> yup :)
17:14:23 <cohosh> okay I'll end the meeting here, thanks for the discussion everyone!
17:14:38 <cohosh> #endmeeting