Investigating the VPN Ecosystem through the Lens of Security, Privacy, and Usability

Abstract

Global events affect the Internet in new ways every day, be it through increased blocking during sensitive events or through user tracking, surveillance, and targeting. Governments, service providers, advertisers, and online threat actors, often enabled by powerful deep packet inspection technology, insulate users from critical information, invade users' privacy, and monitor and tamper with users' traffic. As a result, users are increasingly turning to Virtual Private Networks (VPNs) as a panacea to overcome various security, privacy, and information restrictions, thereby fueling the growth of the commercial VPN ecosystem into a multi-billion dollar industry. Nevertheless, understanding how users discover, use, and interact with VPNs, as well as investigations into the efficacy, security, and privacy provided by such critical tools, remain severely understudied.

This dissertation will demonstrate analyses of threats to user privacy by exploring how commoditized deep packet inspection technologies allow network operators to implement Internet restrictions. It will advance the understanding of key stakeholders of the commercial VPN ecosystem: VPN users and providers. By studying them in tandem, it will illuminate their needs, motivations, and incentives, and use that to highlight misalignments and key areas of concern. Next, it will demonstrate an in-depth technical investigation of VPN products by developing a scalable, rigorous system to test them from a security and privacy standpoint. Finally, this dissertation will explore a service provider's perspective on the malicious misuse of VPNs and present a usable, privacy-focused solution that uses minimal connection features to detect and deter such abuse.