VPNs are under attack by an increasing number of governments around the world. And it’s not just authoritarian governments that are to blame.
Today, we’ll look at some recent restrictions on VPN access around the world and explore what the next 12 months might have in store.
VPNs pose a serious challenge to censorship-hungry governments that want to control what people can see and do online. That’s because VPNs allow people to bypass geo-restricted content and conceal users’ internet browsing history from ISPs and, by extension, governments.
In November, Turkey’s Information and Communication Technologies Authority (BTK) took additional steps to limit their use, banning 16 popular VPN providers.
It’s a predictable move given the widespread internet censorship in the country. After all, why block hundreds of websites if people can freely download software that enables continued access?
According to data from OONI, several VPN apps’ websites began to be inaccessible at the beginning of December. Below is a chart showing the increased inaccessibility of the ProtonVPN website in Turkey over the past three months.
However, on Reddit I saw a lot of discussions of the workarounds that still exist. Sixteen VPN apps may seem like a lot, but there are literally thousands of similar apps that haven’t been blocked, so it’s likely many will continue to simply bypass the content restrictions.
Not only will these blocks have a negative impact on internet privacy and security in the country, they are also unlikely to completely prevent VPN use.
Russia has taken even more drastic steps to disrupt access to VPNs since implementing heightened censorship in the past 2 years. They are now interfering with the underlying protocols that enable VPNs to work, such as Shadowsocks, OpenVPN and WireGuard.
However, this approach comes with its own problems.
Now, businesses that the Kremlin considers “legitimate” users of VPNs are also being disrupted, as they rely on the same protocols. According to a government press release, businesses using VPNs for remote access or secure internal communications must write to Roskomnadzor to get their IP addresses added to an allow list to prevent their tools from being disrupted.
This additional red tape is likely to go down badly with many businesses in Russia and again shows that trying to completely ban VPNs simply isn’t viable — just ask China.
These recent developments in Russia and Turkey are also useful examples for democratic countries to consider in the months ahead.
In the UK, VPNs cropped up several times during the seemingly never-ending Online Safety Act debates and, while it remains unclear exactly how the legislation will shape VPN access in the UK, it’s worth considering Lord Moylan’s stark warning:
“We are in danger of putting ourselves in the same position as China, with a hermetically sealed national internet, attempting to put borders around it so that nobody can breach it.”
And in France there have been discussions over VPN access during several legislative debates, with politicians at one stage suggesting that Google and Apple should restrict access to VPN apps that aren’t subject to local laws.
While VPN restrictions in democracies are unlikely to ever be as restrictive as those in Turkey and Russia, politicians in the UK and France should still be wary of imitating them by restricting access to these crucial internet privacy tools.
Not only would restrictions represent a significant erosion of our digital rights, they would also be unlikely to work.
What We’ve Been Reading
Software Freedom Law Center: The Telecommunications Bill, 2023: A Primer
India’s Telecommunications Bill, which passed at the end of last year, could have significant repercussions for digital rights in the country. Read SFLC’s primer on the Bill to get up to speed with the most significant clauses.
Filterwatch: Nazer App: How Iran is Using Technology to Suppress Women’s Rights
The Nazer app, developed for Iranian police and approved volunteers, is a digital tool used to enforce the mandatory hijab law. The app allows users to report perceived violations of the hijab law and could potentially be updated to report other government-deemed criminal activities, functioning primarily within the National Information Network and indicating a broader governmental agenda for surveillance and control.
404 Media: Impact: FTC Stops Data Broker X-Mode Selling Sensitive Location Data
The Federal Trade Commission (FTC) has banned data broker X-Mode, now known as Outlogic, from selling sensitive location data, following an investigation that began with a 2020 exposé by Joseph Cox. This landmark settlement, a first for the FTC, comes after revelations that X-Mode's clients included U.S. military contractors and that the location data was harvested from apps like a Muslim prayer app and a dating app.
SCMP: China forensic firm cracks Apple’s AirDrop to help Beijing police track senders
Beijing's Municipal Bureau of Justice reported that a private forensics firm successfully cracked Apple's AirDrop feature to assist police in identifying individuals accused of sending 'inappropriate speech' to a subway passenger. This effort was part of a larger move by Chinese authorities to regulate anonymous file sharing and maintain surveillance, challenging AirDrop's design which allows file sharing without an internet connection and with user anonymity.
WIRED: The US is Openly Stockpiling Dirt on All Its Citizens
In a reminder that China is far from the only country looking to monitor its citizens online, this WIRED article details the U.S. government's extensive collection of sensitive and intimate information on American citizens through purchases from commercial data brokers. This practice, which bypasses traditional legal protections and surveillance checks like the Fourth Amendment, allows the government to track millions of Americans persistently without a warrant. The report highlights the government's exploitation of legal grey areas and the growing surveillance state, raising significant privacy concerns and constitutional implications.
The Independent: Hackers discover way to access Google accounts without a password
Security researchers have discovered a new form of malware that exploits third-party cookies to gain unauthorized access to Google accounts without needing passwords, potentially allowing continuous access to these accounts even after password resets. This vulnerability, actively being tested by hackers and first reported in October 2023, highlights the complexity of modern cyber threats and underscores the need for continuous monitoring of both technical vulnerabilities and human intelligence sources.
404 Media: Hackers Break into AI Hiring Chatbot, Could Hire and Reject Fast Food Applicants
Hackers infiltrated the backend of Chattr, an AI chatbot used by fast food franchises for hiring, gaining the ability to accept or reject job applicants and accessing sensitive data including applicant information and internal company details. The vulnerability, discovered by a researcher named MrBruh, was reported to Chattr and later fixed, but not before revealing a significant privacy risk and the potential for data ransom.
TechCrunch: A geofence warrant typo cast a location dragnet spanning two miles over San Francisco
A typo in a geofence warrant application resulted in a nearly two-mile-wide dragnet over San Francisco, raising concerns about privacy violations and the constitutionality of such warrants. The ACLU of Northern California discovered this alarming error, highlighting the potential for geofence warrants to infringe on the rights of many innocent people, as these warrants allow law enforcement to access data from tech companies on all devices in a specific area at a certain time.
Top10VPN.com in the News
The Independent: Russia’s ban on social media cost its economy £3.1bn last year
Business Insider: 5 African countries with the costliest internet shutdown last year
Forbes (Russian): Falling under the consequences: Russia leads in the amount of damage from Internet restrictions
9to5Mac: Temporary government Internet censorship was imposed almost 200 times last year
Iran International (Farsi): The Islamic Republic’s goals and performance in cutting off the internet