Fighting VPN criminalization should be Big Tech’s top priority, activists say

“Women, life, freedom” became the protest chant of a revolution still raging in Iran months after a 22-year-old Kurdish woman, Mahsa Amini, died while in custody of morality police. Amini was arrested last September for “improperly” wearing a hijab and violating the Islamic Republic's mandatory dress code laws. Since then, her name has become a viral hashtag invoked by millions of online activists protesting authoritarian regimes around the globe.

In response to Iran's ongoing protests—mostly led by women and young people—Iranian authorities have increasingly restricted Internet access. First, they temporarily blocked popular app stores and indefinitely blocked social media apps like WhatsApp and Instagram. They then implemented sporadic mobile shutdowns wherever protests flared up. Perhaps most extreme, authorities responded to protests in southeast Iran in February by blocking the Internet outright, Al Arabiya reported. Digital and human rights experts say motivations include controlling information, keeping protesters offline, and forcing protesters to use state services where their online activities can be more easily tracked—and sometimes trigger arrests.

As getting online has become increasingly challenging for everyone in Iran—not just protesters—millions have learned to rely on virtual private networks (VPNs) to hide Internet activity, circumvent blocks, and access accurate information beyond state propaganda. Simply put, VPNs work by masking a user's IP address so that governments have a much more difficult time monitoring activity or detecting a user's location. They do this by routing the user's data to the VPN provider's remote servers, making it much harder for an ISP (or a government) to correlate the Internet activity of the VPN provider's servers with the individual users actually engaging in that activity.

But as demand for VPNs has peaked, authorities have recently started moving more intently to block VPN access. That includes potentially taking drastic steps like criminalizing the sale of VPNs. Ars couldn’t reach the Iranian parliament to confirm what, if any, new restrictions may be coming. But experts told Ars that it’s likely censorship will intensify. Seeming to confirm the ongoing escalation, Ruhollah Momen-Nasab, a parliamentary special adviser who is overseeing an Internet restriction bill condemned by more than 50 human rights groups, has recently called for VPN sellers to be executed.

VPN providers have not buckled under this intense pressure, though. Using a pseudonym to protect his identity under heightened government scrutiny, Lucas is a spokesperson for Lantern, one of Iran’s oldest and most popular free VPN tools, with close to 9 million monthly active users in the country. Lucas told Ars that Lantern’s traffic has grown by 400 percent since Amini's death, and because of that, server costs have skyrocketed. To keep VPN access stable while auto-scaling services to meet rising user demand, Lantern started taking donations, maxing out credit cards, and collaborating with other organizations providing VPN services in the area to troubleshoot connection issues as they arise.

“We're constantly getting attacked by the Iranian government,” Lucas told Ars. “So we're in this constant state of looking at the data, listening to users, and trying to come up with completely new techniques to keep everyone online.”

Censorship evolves daily

As part of a small group of organizations defending Internet access in Iran, Lantern helps people like Milad, a 35-year-old Lantern user who requested that Ars not use his full name while discussing his secret VPN use. Circumventing Internet blocks daily, Milad mostly relies on VPNs to “figure out which news is not as reliable” and to direct friends and family to “threads they should follow” so they can read beyond state propaganda and monitor how authorities are responding to protests. For Milad, getting online requires more than just one tool. He needs a complete toolbox of VPNs, anonymity networks, and varied proxy solutions—a personal arsenal of circumvention tools that he has been building for the past decade to stay ahead of ever-changing censorship tactics.

“Censorship here evolves weekly, if not daily,” Milad told Ars. “I use a few tools on a daily basis.”

Iran is behind only Russia as the nation most affected by Internet shutdowns, according to a report from Top10VPN, an independent review site that monitors VPN use and Internet shutdowns. Last year, Internet shutdowns cost the Iran economy $773 million—money that businesses lost during 130 hours of Internet throttling, 2,179 hours of Internet blackouts, and 4,863 hours of social media shutdowns. Globally, the cost to economies in 2022 was nearly $24 billion, which is more than 300 percent higher than shutdown costs in 2021.

Lantern plans to combat this worrying trend by deploying global networks that can be more resilient to increasing censorship tactics. But that plan depends on more support networks getting involved, Lucas told Ars, and only some major tech companies have responded with urgency to ever-increasing blocks and shutdowns. In one prominent example from earlier this year, Meta introduced a new proxy support feature to help WhatsApp users who were blocked indefinitely in Iran. Every new solution to get around blocks adds a tool to Iranians’ toolbox.

Milad told Ars that as far as he can tell, “there is no plan” to reduce restrictions in Iran, and it’s discouraging to know there’s only so much that individual people or companies can do to open the Internet back up. Like Lucas, he dreams of a greater collective response that would provide both technical support and social activism—one that’s powered by a global network of government agencies, Big Tech companies, and other organizations that could combine resources to build support systems that would make government Internet shutdowns impossible.

Until that day comes, Lantern remains one of many go-to VPN tools for Milad and others. Lucas told Ars that Lantern has no plan to abandon Iran; seeing protesters sacrifice to defend their rights has inspired Lantern to invest in building more long-term solutions. He also wants to rally others in the industry to build more technologies to help more users around the world combat authoritarianism.

“I feel like as an Internet community, in general, there needs to become more urgency around implementing these censorship-resistant, privacy-preserving technologies now because authoritarianism, it's just getting crazier and crazier,” Lucas said.

Keeping Iranians online

A week after Iran responded to protests by blocking WhatsApp and Instagram last September, Top10VPN documented a spike in demand for VPNs on September 21 that was 2,164 percent higher than the demand over the previous 28 days. Over the next few days, demand kept rising, peaking at more than 3,000 percent higher than it was before the protests started. Remarkably, demand stayed high for weeks, remaining almost 1,000 percent higher than pre-protest rates.

“It was one of the most pronounced and sustained increases in demand that we've seen,” Samuel Woodhams, Top10VPN’s digital rights lead, told Ars.

Then, in mid-October, demand suddenly started dropping. That drop “may reflect that the Iranian authorities are having increasing success at blocking VPN traffic,” Top10VPN reported. Lucas told Ars that was true in Lantern’s case.

As VPNs are targeted, a cat-and-mouse game starts between the government and VPN providers, Woodhams told Ars, saying that “as the restrictions get more and more repressive, the methods which people use to get around them will become more innovative.”

For Lantern, innovating in this space has meant developing techniques or methods that make it harder for Iranian authorities to block VPNs with simple firewalls. VPNs commonly use standard methods that are easy for censors to identify and block without impacting other traffic, but Lantern uses a wider variety of obfuscation and encryption methods to hide user activity that's less desirable to block.

When VPNs employ this strategy, Woodhams said it's effective, and the “really blunt approaches” to block VPNs “don't seem to work,” mostly because blocking access to Lantern could impact access to web services authorities want to keep online, such as bank services. By relying on 20,000 global proxies that constantly change IP addresses while retrieving user data, Lantern makes it more cost-prohibitive for authorities to target its VPN tool or monitor its users.

While its VPN tool is more sophisticated than standard VPNs, Lantern doesn’t require much tech savvy to use, Milad told Ars. He said it might even be a little “too easy,” saying that “anyone with the simplest abilities can find their way around the app.” Digital rights experts told Ars that for many VPN users, it’s not a struggle figuring out how to use VPNs. Issues only arise when users have to troubleshoot a tool that stops working.

That’s where organizations like ASL19 come into play, according to Executive Director Fereidoon Bashar, who told Ars that his organization's help desk gets more than 2,000 requests daily from Iranians trying to connect to the Internet. Fielding these requests, Bashar said, “it’s very hard to really pinpoint what the underlying issue is,” but ASL19 works to determine whether access is blocked due to a solvable roadblock—like issues affecting a certain IP address used by a certain tool—or due to larger issues affecting access to all tools, like confirming whether there are regional Internet shutdowns where the user is based.

ASL19 was founded in 2012 specifically to help people in Iran circumvent Internet censorship, providing a wealth of resources over the past decade to help Internet users develop customized solutions as restrictions have tightened, including providing its own VPN tool. Lantern is just one of many tools available on ASL19’s platform, which became more popular when the Google Play Store was blocked in Iran.

Lantern experienced “quite an uptick in downloads,” Bashar told Ars. Since September, ASL19’s platform has seen more than 20 million downloads of VPNs. Over just four months, the spike in downloads amounted to a third of the total downloads on the platform since its 2016 launch. This spike troubles Bashar, though, because the more users try to connect to VPNs and other tools, the more issues are likely to arise, he said.

“As much as there’s been an increase in demand for these tools and usage, with that also comes a significant number of people who struggle to be able to connect to different tools on any given day,” Bashar told Ars.

Big Tech’s role in ending Internet censorship

ASL19 also runs proxies for Iranian Internet users who want to use WhatsApp. Bashar said that “it's good to see major tech companies are taking notice” and that recently, “there's been a fairly good movement on their side to try to help people in Iran get access to tools.” TechCrunch reported a variety of ways tech companies have responded to help Iranians get online after protests started last fall.

And some companies already providing services worked to raise awareness of anti-censorship tools. For example, within the past few years, the Google-managed tech incubator Jigsaw launched Outline VPN, which people have been using to create their own VPN servers since 2018. Groups like ASL19 have been increasingly promoting Outline VPN as a new solution for people in Iran, and Bashar told Ars that ASL19 has been using Outline VPN code to improve its own network and VPN tools, which is “a big priority” right now.

Vinicius Fortuna, the lead engineer on the Jigsaw team behind Outline VPN, told Ars that it became harder to track usage when the Google Play Store was blocked but that clients like ASL19 shared metrics that showed “large growth in Iran,” bringing in millions of Outline VPN users since September. That spike represents roughly 15 times more users than Fortuna said Outline VPN drew before protests started.

Fortuna told Ars that as censorship tactics have evolved, Outline VPN has collaborated with researchers to create a dashboard monitoring Internet blocks globally and to update Outline VPN with new mitigation methods to circumvent blocks as they arise in different regions. Fortuna said his team considers China the most sophisticated at blocking VPNs, so if a mitigation method works in China, it usually "works everywhere.”

Based on observations in China, for example, Outline VPN released a new feature in Iran that makes it easier to disguise connections—a feature Lantern has since implemented. But it’s “trickier” to mitigate blocks in Iran because, unlike in China—where methods of government Internet censorship, including VPN blocks, are very centralized—Internet service providers in Iran have varied strategies for blocking VPNs. “So you need to try different things with different ISPs” in Iran, Fortuna told Ars.

As Outline VPN develops new mitigation strategies, it is sharing insights, code, and features with VPN providers like Lantern and ASL19—becoming part of the increased collaboration that Lucas wants to see more of. Fortuna told Ars that because Internet censorship is “a constantly evolving game,” it requires “constant investment and collaboration,” and Outline VPN has strived to be “the missing piece” by providing Google’s engineering and product expertise to communities constantly in need of novel solutions.

But even Jigsaw's dedicated efforts to share Google's expertise may not be enough. Bashar told Ars that when censorship increases in Iran the way it is now, coping with it can feel like running a marathon, trying to update circumvention technologies to stay ahead, as authorities slowly chip away at Internet access day by day. To make it through the marathon, Bashar said there’s an ongoing need for more resources to fund both existing infrastructure and research-and-development efforts exploring new technologies.

Obviously, Big Tech companies would have the deepest pockets to provide such resources and build new technologies, but Bashar said that an even more urgent need is for tech companies to push governments to remove tech sanctions on Iran. Companies’ overcompliance with tech sanctions ends up blocking a large number of services, Bashar said.

This issue was raised earlier this year by Cloudflare, which decided to deny a senior White House official’s request to help circumvent Iranian Internet censorship because Cloudflare said sanctions prevented the company from putting equipment in Iran, CNN reported. Cloudflare discussed the troubling impacts of these sanctions on the free global Internet in a December blog post, providing policy recommendations and noting that "it’s a tricky balance to impose costs on bad actors while maintaining open lines of communication for ordinary citizens." A Cloudflare spokesperson told Ars that the company is working with human rights organizations to track how government Internet shutdowns evolve.

The Internet Society, a nonprofit advocacy group, welcomed a US Department of Treasury decision to shift sanctions guidance last September to “authorize technology companies to offer the Iranian people more options of secure, outside platforms and services,” according to Hanna Kreitem, the group's senior adviser on Internet technology and development in the Middle East and North Africa. But Kreitem told Ars that this decision illuminated “how sanctions are also bad for the Internet.” To reduce the impact of sanctions on Iranians' Internet freedom, Kreitem said the Iranian technical community needs to be invited to participate in wider Internet governance activities, protocol development, and standards development. Because of sanctions, Kreitem said, “many of the global forums do not include people from Iran.”

While governments and tech companies grapple with changing sanctions guidance, Internet users in censored regions keep waiting for more solutions. Milad told Ars that tech companies and organizations “should be more vigilant."

“There’s a lot that can be done, but little has,” Milad said.

Lucas told Ars that there’s a “huge disconnect” between organizations like his and cloud providers. But he thinks “the whole world” needs to mobilize to “actually solve these problems,” saying it would be very helpful if more Big Tech companies took responsibility for providing services to people living in “shocking conditions” where censorship and state surveillance is increasingly becoming the norm.

“It's fairly clear that if we did [mobilize], we could fully uncensor the Internet in Iran in a much more robust way,” Lucas told Ars.

VPN access increasingly blocked globally

For Iranians coping with Internet shutdowns, the question isn’t when restrictions will end but what restrictions are coming next. It’s hard to know what exactly will be covered by the “Regulatory System for Cyberspace Services Bill” that the Iranian parliament has been drafting over the past few years. The human rights group Article 19 reported that some parts of the law have already been implemented prior to ratification.

Other human rights groups have warned that in addition to increasing the risk of complete Internet blackouts, the bill could introduce criminal measures against anyone developing, reproducing, or distributing VPNs or proxy services, possibly resulting in two years' imprisonment for violators, Human Rights Watch reported last year. As peer-to-peer proxy services—like the feature WhatsApp launched this year—become more popular, censorship circumvention methods could put tech companies and individual Internet users at risk of being charged with crimes.

Bashar told Ars that there have been even more rumors swirling about the current version of the bill, which he said is difficult to track because it’s currently being drafted “behind closed doors.” However, Bashar said there isn’t necessarily consensus among Iranian officials on whether to outlaw or criminalize VPNs. Some factions want to make accessing the Internet “as hard as possible,” Bashar said, while others are in favor of creating tiers of access to the Internet so that different demographics can retain access to more services than others.

If Iran did decide to outlaw VPNs, it wouldn’t be the only country to do so. Russia recently outlawed a group of popular VPNs, Woodhams told Ars. Last year, Fortune reported that Russia has banned at least a dozen VPN services, and TorrentFreak reported that Russia’s anti-VPN legislation led Google to block hundreds of thousands of VPN-related links. This created a scenario in which alternative VPN tools became harder to find, just as some popular tools became less reliable. Lantern started experiencing issues in Russia when VPNs were banned, a common outcome when governments in Iran, China, and Russia target major VPN providers, Lucas told Ars. “There are definitely moments when Lantern’s not going to work for everybody,” Lucas said.

Woodhams told Ars that when trusted circumvention tools go down, shoddy products sometimes take their place, subjecting Internet users to privacy vulnerabilities and surveillance risks. In one case in Iran, authorities allegedly blocked a VPN tool, Woodhams said, then launched their own tool with the same name, deceiving users who didn’t realize their data was being monitored by the government.

Iranians must stay vigilant to detect when their online activity might be tracked, which chills online speech, Kreitem told Ars. “Even if they had access to the service, the perception that the service is being monitored impacts how much they can express,” Kreitem told Ars. That’s why, beyond economic impacts, Internet shutdowns endanger “the future of the Internet Itself,” Kreitem told Ars. Woodhams agreed, telling Ars that “alongside all of the censorship, I think increased surveillance works in tandem in quite terrifying ways that will really, really negatively impact the kind of freedom of expression in the country going forward.”

Just a few months into 2023, Internet shutdowns have been reported not just in Iran but also in Ethiopia, Myanmar, Iraq, India, Turkey, Mauritania, and Suriname, costing economies close to $230 million already, Top10VPN reported. Circumvention tools are the only reliable way for people in these regions to track information and express themselves online, Bashar told Ars. The tools become especially crucial to citizens during protests, which are the events Top10VPN reported have been triggering the majority of shutdowns this year.

Kreitem told Ars that the Internet Society expects to “record more and more Internet shutdowns and Internet limitations in general,” while noting that “shutdowns seem to actually increase violence during unrest and protests.”

As of January, more than 500 Iranian protesters have died, and approximately 14,000 are believed to have been jailed, PBS reported. In response to this and other violence, the US Treasury Department in March announced more sanctions against Iran officials accused of "rape, torture, or other cruel, inhumane, or degrading treatment" of jailed protesters. These sanctions are viewed as critical to ending state violence, but without safeguards, experts said they can work to further isolate Iran’s tech community.

As bleak as the situation has become, Kreitem told Ars that Iranians have never given up on fighting censorship to defend open communication and free expression. “In the case of Iran, people will still be able to communicate using circumvention tools,” Kreitem said.

While Big Tech companies weigh how much they want to get involved, dedicated VPN providers like ASL19 and Lantern will continue defending Internet access in the region as protests continue, censorship tactics evolve, and ordinary citizens get caught in the crossfire.

“Access to these tools becomes quite vital during events such as protests because there's a lot of footage of the protests that is shared online,” Bashar said. “It's important for people to be able to communicate with each other in a safe way, securely, inside the country, and to be able to check in on family or friends to make sure they’re safe.”