Thank you for coming to my presentation. I am very happy to talk about virtual private networks today and kind of present on what they are, how they work and how to choose one. Security education is kind of like my bread and butter and foundation and security work on my day to day. I wish I was able to give these types of talks more often, but I'm really happy to do it here today with SFPL. As she said, I'm the, or as they said, I am the director of engineering at the Electronic Frontier Foundation. I am on the public interest technology team in particular. So I oversee the open source projects that help secure the web that we provide for free for the general public to use to secure their traffic. I also do a little bit of mobile security research on the side. Most of it's accidental because I always come across some sort of security issue and then I end up investigating and then it becomes a whole thing. So I'm an accidental security researcher as well. And I help create security education materials with our guides at ssd.eff.org. Our Surveillance Self-Defense guides provide different arrangements of guides on tools and how to use them. And this is me at a conference that I went to a couple years ago. I like all things space and astronomy and I'm very fascinated by that topic. As I said, the mission is to ensure that technology supports freedom, justice and innovation for all people of the world. So we're very civil liberties focused in the internet space, and EFF has been around for a little bit over 30 years now.

So today's agenda: what VPNs do, what VPNs don't do, and how do you choose one. And then after I go over the framework of how to choose one, I will go over the "okay, which one do I use" question I usually go over towards the end. And so this is what I will go over today. The definition of a VPN is a virtual private network.
When you connect to a VPN, you have to send your requests through something, that thing being a server. So the VPN server will take that request and encrypt it and then send it through to the VPN server. So your original location does go to the VPN server and what they do is encrypt it and they send the request to whatever website you're trying to go to. And so it masks that initial IP address with theirs. So to whatever website you arrive at, the IP address will be the VPN's IP address or location. IP addresses are still very much so geolocation based. Just for more context there. So, a lot of people use different types of IP addresses or prefer different country servers to access certain content, but this is the general definition of a VPN.

VPNs can protect your internet activity from prying eyes, especially if you're connected to an unsecured Wi-Fi network, like a cafe, or anywhere else that provides free Wi-Fi, that's on a public network with other various users. Thankfully, this issue around public Wi-Fi and internet cafes is less of a concern because most web traffic is encrypted today, thanks in large part to the efforts of a lot of my colleagues at EFF and other organizations like Mozilla, where we pushed for encryption by default on web traffic and secure by default. So back in the day it would be HTTP in that URL scheme in your browser bar, and HTTPS, you can kind of think of that as HTTP secure, where that is encrypted traffic. So when you visit a website, it will normally have HTTPS more often than just HTTP nowadays. So the whole snooping on your traffic in an airport Wi-Fi scenario is actually much harder to do now.

A VPN in practice can also help you circumvent internet censorship on a network that blocks certain sites or services. So censorship can be deployed in various ways. There could be websites that, you know, your job could be blocking. There could be websites that governments could be blocking.
There could be websites that other institutions may block for various reasons. So some people may use a VPN in this case to circumvent that, so that way the traffic will be encrypted and hidden from the prying eyes of whoever's trying to see the websites to block. You can also connect to a corporate intranet in your office. So this was the original use for many years for VPNs, where you may remember you had to connect to a VPN to connect to different office websites that were on their intranet in order to use them abroad or while you were traveling or at home. So commercial VPN usage is actually much more frequent today than it used to be, but the original usage for VPNs I would say was way more corporate focused and accessing corporate services and networks rather than just general use VPNs.

Where can you use VPNs? You can use VPNs on your desktop PCs, your laptop, you can use VPNs on smartphones, tablets. Not for the faint of heart, but you can also put VPNs on your router actually, and smart TVs and game consoles.

So how do VPNs secure your traffic? So what ends up happening, for a visual display of what I described earlier, is you will request the website, and assuming that your VPN is already turned on, it'll encrypt that information and hide that information from the router itself. From your internet service provider, they can't see this information that you're requesting, and it just sees encrypted information going through. And the VPN will reroute your request to its server. And then if you see the little country flags at the bottom, it kind of gives an indication of the change of IP address, right, so the VPN's country flag is different. So by the time I land on https://eff.org, it'll appear as if the traffic came from this VPN server.

What VPNs can't do. So there's a lot of misconceptions on what VPNs can do for people, and at its core VPNs can only secure and encrypt your traffic as the base functionality of a VPN. Any other promises, any other,
I would say platitudes toward, you know, what a VPN can do can often be a misconception with other services a VPN provider may give, and I'll explain a little bit later in the slides, but what they can't do is provide absolute anonymity. You can secure your traffic but it cannot hide completely who you are and where you're from. There's still different indicators of who you are as a person when you connect to a website. VPN servers still see where you're coming from, so in the case of, like, law enforcement access, if VPNs had that information and logged that information, then they can give that over to law enforcement. VPNs still don't block fingerprinting, a practice that a lot of websites use to try to track through cookies and things of that nature. Little text bits where you click on links and there'll be a textbook association associated with that link, and you'll go to the website and they'll try to associate you through your behavior. So behavioral tracking, VPNs can't prevent that. So there's a lot of different ways to grab and capture people's identity based off, you know, different various ways they use devices, various ways different browsers you use with different settings. It can't provide absolute anonymity, but it can provide security, and those two things aren't synonymous.

VPNs cannot prevent surveillance. So there could still be some sort of, you know, to not have such an extreme example around governments, say your job has a VPN, and they're still surveilling the fact that they can still see that you're using a VPN from your computer. So, say that you're trying to access a site that's been blocked for whatever reason. I remember my first job, Facebook was blocked for productivity reasons from the company. And what ended up happening is either we run a proxy or VPN in order to access that or just access it through our phones because we had personal phones.
So we didn't really need to access Facebook on our work computer, but Facebook being way more popular at the time to connect to people, this is around 2011, 2012. So, I stayed connected a lot with my college friends that way. So, you know, corporate surveillance could still happen where they're, hey, you see that you're using a VPN, the IT department may contact you. So you're using a VPN, but thankfully I've never really got flagged for using a VPN at work, but I'm pretty sure it has happened to someone out there.

VPNs don't provide all-in-one security. They just secure your traffic, they just secure the website information that you're going to. They do not provide by default, they do not provide ad blocking. VPNs by default do not provide phishing protection when you get a phishing email or spam. VPNs aren't by default antivirus blockers, they're not virus blockers, they don't act as antivirus. So you do approach different companies that say that, you know, their VPNs can do that, usually because of the extra added-on product that you usually have to pay for. So VPNs just secure your traffic, it's not a one-stop shop for security. VPNs don't automatically provide app updates, they don't automatically provide updating your phone or your PC. Those are still things you still have to do yourself or with different products.

I already went over preventing law, it doesn't prevent law enforcement access. And so law enforcement access requests go to VPN servers all the time and different companies handle it different ways. Some companies claim they don't log any information but then they were proven later that they did log just enough information about a person on their service, one of their customers, to give and hand over to law enforcement. That's happened in various countries.
Obviously, different countries handle censorship differently, say, you know, the noted Great Firewall in China, where they block a lot of websites with their middleware, and a lot of people use VPNs within the country to access a lot of sites outside of the country such as Google.com and their services. You know, in the case of law enforcement access, VPNs don't necessarily prevent that totally, and you usually have to look up the policy of the VPN and their history.

VPNs don't guarantee speed. Some do, some don't. It kind of depends on the scenario, depends on your router capabilities, your internet service provider's package that they gave to you, like how much speed that they have allocated to your house on your plan. So VPNs can actually slow down your traffic in some cases, especially depending on the type of VPN technology, because, I'll get into it in a second, VPNs aren't just one technology, it's different protocols. And VPNs come with different iterations, they get modernized, so there's old protocols of VPNs that can actually be slower but are more reliable, and then there's newer protocols that are used nowadays that are very fast. So it could actually speed up things because of whatever the VPN service is providing you and what speeds, what is in their infrastructure as a VPN setup. So all those things kind of come together when you use a VPN and it doesn't guarantee speed all the time.

So how do you choose the right VPN for you? So, this is a list of principles that at the EFF that we talk about in our guides that I usually tell people to look at before they jump and get a plan with a VPN. What often I tell people is to look at the claims. I will get into all this and some examples, but this is just the principles listed. The VPN's practices, you know, with their trust and transparency: do they say that they log information, do they say they're a logless VPN, do they make other claims around trust and transparency?
Do they have blogs dedicated to how they serve people with their VPN service? Look at their business model, how do they make money. So this has become a thing where you may ponder a free VPN but then you have to say, you know, why is this free, and looking at the business model, can they afford to just have a free VPN? So, a lot of these cases can look a little nefarious or a little sketchy when they don't really have a clear business model.

Their reputation and history is a Google away. Usually when a VPN company messes up, it hits the news. There are several breaches that have been recorded in the past in the news, and normally you just have to type in a search bar, reputation, this VPN, or breach, and then the VPN's name, and articles may or may not pop up. And honestly, in this case, you could say this company's had too many breaches, I don't trust this one, or you could say, they had a really good response, they were fast, they told customers what happened, they told customers what to do after a breach has occurred, and they remedied the issues, and you could say they learned their lesson and they seem like a stronger company for it. That has happened. It's not impossible in the security world. A lot of people learn their lesson after they've had a big breach at their company. A lot of trust gets discarded, you know, among their customer base, but some handle security incidents better than others, and so it will be very much known if a VPN provider had a really bad security event and they didn't respond properly.

And what is their data collection practice in their privacy policy? I know no one likes to read privacy policies. It can be daunting because some people's privacy policies are a little bit more buried than others, I would say, in recent practice. Some companies are better than others for brevity, they'll shorten pieces of their privacy policy, and then lead you to the more legal texts below.
But if they clearly outline, and a lot of VPNs do do this now, a clearly outlined data collection practice and what exactly they're doing with the data. Whether or not you can hold them to this, because privacy policies can change. So normally you'll get a notice though: our privacy policy has changed. And that can be cumbersome and burdensome, that's for sure. When you get an email, it's usually, well, what changed? And if they're a good one they'll say explicitly what changed without making you read the entire privacy policy again. And if they don't do something like that then, you know, it's very unfortunate. So hopefully, whatever VPN providers are out there are actually being transparent about what changed in their privacy policy, instead of making you go through the whole thing again.

So, another of the last pieces: a lot of VPNs, the good ones, will at least list two protocols to use. This is what I talked about with older protocols for VPNs versus the more modern ones. So encryption, or the types of encryption that they use. Normally people are offering OpenVPN or WireGuard these days. WireGuard is the new fancy kid on the block. It's a fairly younger protocol that's well tested, and a lot of bigger names use it now. They have their own implementations normally of these protocols, but by the end of the day, at base they'll say we offer an OpenVPN one, which is older but tried and true, and there's no real security issues with OpenVPN that have warranted any sort of, like, criticism if a company uses it. It's a pretty standard VPN, a lot of corporations use OpenVPN still. And WireGuard, like I said, is more the newer kid on the block, and I say newer kid in terms of technology years. So I would say the last five years WireGuard really got popular with VPNs because it's so fast.
So, normally they're offering at least two protocols and they'll say that in their documentation somewhere, like, how do we protect your data, or this is the technology that we use.

So, bad VPN example number one. Years ago I did write about NordVPN, and the page actually doesn't exist anymore because they did amend the language. They used to use this phrase called military grade encryption. What does that even mean? I don't like language fluff when you're providing security products for people. Military grade encryption in this case is talking about classified information versus top secret information, and there is a standard encryption algorithm that you do have to use for classified information versus top secret. Yes. And I won't get into the unfortunate alphabet soup that is the security world, but that's the military grade encryption that they're talking about, so this term still floats around. And it's unfortunate because honestly if you've ever worked in government you would know that the tools can be very archaic and old, so it's not a true reflection. It's a term of what our governments are using at large versus a standard that's been in place. So just in, I would say, like, 2020, 2021, actually put this political article up that I was actually interviewed for, and by the reporter, because the Pentagon, just during the time that they fixed their email security, so a lot of top secret information was just floating around in the Pentagon's emails and easily snooped on. So when you say things like military grade encryption, it's not like a true reflection of what's being offered here and it gives the customer a false sense, a fluffed up sense, of what encryption means. Just say the protocols that you're using, and just leave it, in my opinion.
Other people may have different opinions, like this article explains that, you know, whatever terms help people understand security is good, but I actually don't think military grade encryption explains very well what's happening here.

And also, oops, I have a typo here, my apologies. Bad VPN example number two. And I also want to preface that, even though I mentioned NordVPN as doing this as a bad practice, I am not necessarily endorsing or saying that NordVPN is bad as a whole. I'm just saying that this was a bad practice that I had called out some years ago. They call it next generation encryption now, which, you know, I don't. I understand that marketing needs something. So, I don't really agree with that term either. I just like using the word encryption and explaining what type of encryption that they're using. So, that's what I mean here and I'm not necessarily saying don't use NordVPN at all. This is just something that they did that I didn't agree with.

Another bad VPN example is free VPNs. There's a lot of apps out there, especially on the Android ecosystem. The Google Play Store was actually caught with many quote unquote free VPN apps that were actually very nefarious, malicious, in some cases served malware. So, I definitely don't recommend going to the app store and just downloading any VPN that says free. VPN costs can be a thing, right, you don't necessarily want to add a new subscription. We're already very subscription heavy with our streaming services and other things that we have. So, adding another subscription can, you know, it can add up. And so that's why these free VPN apps can be appealing, but if it just says, like, free VPN, or, you know, with no indication of what their business model is, it's very sketchy. It can be something that was raised as a red flag.

So, a good VPN example is blogs, or blogs and explanations.
So, I think Cloudflare does a really good job of blogging when they've changed something, or like most good VPNs will have some sort of language or literature around their approach to how they secure people's traffic. Cloudflare does a really good job. Mozilla writes some blogs here and there but, you know, without getting into what this means on the left or the right, it's just an example saying, okay, they regularly update their blogs on how they implement the latest and how to secure people's traffic, and they often make moves that are very much so a scaled approach because of the fact that Cloudflare is an internet infrastructure company. They provide different internet protection and services for different enterprise customers, which is why they're able to provide what they say is a free VPN service, but in this case it is not technically a VPN, but I won't get into that too much. They're able to provide free services but their main business model is because they make so much money and revenue from being an internet infrastructure company and security company. So that's how they're able to provide free services, because of the fact that it's very clear where they make their money from.

And good VPN example number two. You know, I really like it when someone just says, we provide a VPN, that's it. They may have a suite of products. And Mozilla definitely provides more than just a VPN, they provide a browser to the public. They provide other services as well, they provide technical documentation and different services around that. So their products can change from time to time, that's for sure, but Mozilla VPN, that's all they offer in this case, is we just provide this VPN, you get a subscription on a monthly basis, or maybe an annual basis. That's it.
Now, to the right you'll see NordVPN, once again not saying that they're all bad, but NordVPN does this thing where it's like, hey, NordVPN, more than a VPN, threat protection with NordVPN at no additional cost. So these are the little things that they sprinkled into the VPN service that's not necessarily the VPN itself. It's what they wrap up into it. So they'll provide, you know, protection. If you download a link that looks suspicious, the NordVPN service will flag it. They have a tracker blocker and ad blocker, a URL trimmer, because there's often tracking tags at the end of a URL after that question mark. There's, like, if you see like a large link, and it's just a bunch of things after a question mark, those are normally just marketing and tracking tags to see where you came from or if you came from an email campaign. Some of you may be familiar with that, some of you may not. So they have a URL trimmer as well with their product that you probably download onto your PC or laptop. So this can be the part where I get a little flustered because I'm like, well, this isn't just a VPN, and I'm glad that they say more than a VPN here, but it can conflate what people think VPNs do, and VPNs do one thing. If you're adding more stuff to provide more security for your customers that's fine, you know, but it's very, very important to make that clear, that VPNs at its base aren't default ad blockers or tracker blockers.

So which one do you pick? I'm not going to give you which one to pick because I don't like endorsing a company. Companies' practices change every day. So there's ones out there that are tried and true and there's other ones that have had different practices I've disagreed with, but honestly, I can't provide a one-size-fits-all because everybody has different needs really when it comes to a VPN.
So what I usually tell people before I even get into the VPN talk: whatever default security features you have on your phone and your PC go a long way, and updating your devices goes a long way. System update or an app update that you've been ignoring, you know, put some tea in a kettle, you know, and go sit and actually just upgrade and take some time to do that. Upgrading your stuff and upgrading your apps on your devices is probably the best security tip I can ever give someone because there's so much that is involved with patches that come through, especially on like an operating system level of your phone or your PC or your laptop. And I just want people to get into the habit of, you know, just updating your stuff when need be. And that portion can take you very far because there are attacks that happen every day that try to target people with older devices and older apps, or older operating systems. So before I do the VPN talk, I usually do that.

Now getting into the VPN stuff. What does your budget look like? Do you feel like paying for yet another service? How much can you allocate for yet another subscription? Definitely look at your budget and look at that first before you start looking around at VPNs. There's some more expensive than others. There's some that may tack on some features that you don't need. Once again, if they're just offering the VPN and you just want the VPN, that's great. You could pay for extra protection, but at this point, you know, if you're just looking for a VPN to encrypt your traffic and, you know, keep your internet more secure, that's what you can do and allocate your budget for that. How many devices? There's different VPNs that offer different subscriptions based on how many devices you want a VPN profile on. So some will say a basic subscription will be one device or a plus subscription could mean three devices.
How many people in your home are using different devices, and you can count from there and then look at the subscription prices after that. And do a little homework. All the principles that I talked about, you know, Google searching the company, looking at their practice, looking at their website. Is it clear, you know, that this is a VPN that is reputable to you? Is it clear what their business model is? If they're just straight up saying we have a subscription model for a VPN, it's usually a good sign. If they're offering a free VPN and it's not quite clear how they're making money, not a great sign. So just do a little homework. Pick one and stay vigilant of any news about the company that you do choose. So things can change. There's different ones out there like ExpressVPN, NordVPN, Surfshark, I believe that's the other one, but there's quite a few out there already. And things change over time. So if you see something pop up in the news about the VPN service that you're using, just check in on it, see what happened. Did your VPN service even email you about the issue that you saw in the news? If not, I would contact customer support, like, hey, what's going on? I haven't seen any communication from the company about this thing I'm seeing in the news. So, you know, pick one but stay vigilant, you know, just keep your ears out for any news about the company that could concern you.

What do I like and what do I use? What do you use, Alexis? So normally, when my friends and family are bugging me, like, Alexis, just install a VPN on my phone, I normally don't do that. So I do use Cloudflare's 1.1.1.1 app, and just, that's not technically a VPN. That's a DNS resolver, which I won't get into, but when you do make requests for websites, the IP address of the website resolves to a name, which is why we don't look up website names with their IP address of 1.6. However, we look up the name of the website. So DNS resolvers do that for us.
So Cloudflare offers a nice little product that encrypts that DNS request to keep even that information private. So I usually turn that on on people's phones if they're asking me for something, and if they have like a laptop or something, I'll put in basic settings, usually, and I'll go for that instead of installing a VPN on their device. Because one, it takes a little bit longer because you have to think about subscription models and all that. So I don't want to pigeonhole them into a singular VPN service and think that's like, oh, Alexis suggested this one so this one must be reputable, and then they don't check up on it later if something happened and then I'm held responsible for that. So I'd rather just configure basic security settings that probably aren't there on their phone or their PC before I actually recommend a VPN.

As far as basic security settings and tools, I like to direct people to this website. Normally, we have our own guides at ssd.eff.org, but those are getting updated right now. So I'm pointing people to this because I also contribute to the Security Planner by Consumer Reports. And it's a really nice guide, especially for different devices, and it gives a nice little walkthrough on the little security features you can turn on. If you want them, it explains password managers, explains different types of tools that you could possibly use for your devices. So I send people there normally when they ask me for a particular VPN to use.

And if I'm really looking for like pure anonymity, which doesn't really exist because anytime you connect to the internet, nothing really makes you a ghost. There's always a signal of some kind that you connected to the internet. But if I'm looking for more anonymity, I use Tor Browser, and we also have guides for that on ssd.eff.org.
So if you're interested in using something like that, where it's like, I really am in a situation where I need more anonymity and I really need a little bit more privacy than a VPN can provide, Tor Browser is usually what I tell people to use. And as far as VPN servers, I use a WireGuard protocol based VPN server that I run myself at my own risk. I would not use this VPN server for my friends and family because that means I'm also responsible for their traffic and their data. And if my own VPN got compromised and I applied it to them, then, you know, that's on me in many ways. I would rather for you to choose a VPN company that has a dedicated team and security team behind them with more resources, rather than going the route that I did. I just do this because, one, I'm cheap, I have a kid, and I know how to do it and so I've done it, and I monitor that VPN server very heavily, best way I can. Doesn't mean that I am without risk though, and it could potentially be breached one day for some reason, but that is what I do and that's usually where I point people.

Thank you for listening to my talk. Questions will likely happen after this, but I also have an email and I also encourage people to become an EFF member, if you go to the donate link on that website. And also, thank you so much for listening and I'm glad I was able to give this talk.

Terrific, thank you so much. We do have some questions. When would I want to use a VPN?

So when you would want to use a VPN. Normally, I tell people in situations where you feel like your data doesn't feel safe.
So that could be in many different situations, like using a public Wi-Fi network, or even at home you can use a VPN, you know, for your networks, because honestly there's a lot of fingerprinting and, you know, things that websites and web browsers do a lot, and you may want to just use VPN traffic in general as a good practice from your internet service provider, so you can really use a VPN whenever really you want. And if there are situations like travel, that's a good case, you know, so if you don't want to use a VPN at all times, I usually see people normally strike up a VPN when they're traveling, especially if they're going outside the country, or anything like that, and there are resources back in their home country, they may use a VPN for that as well. So it's really whenever you want.

Does a VPN encrypt traffic at DNS level?

No. So that's why I had talked about that DNS resolver situation earlier. So that doesn't always happen by default. So some VPN service providers are a little better than others, but VPNs encrypt your HTTP traffic. That is the website level requests. DNS happens before that, because even the VPN server needs to know where you've got to go home, and so it's like, where do we map this at, because you're requesting the website name but there's a resolver out there working on it, and it normally is your internet service provider's DNS resolver. Say you got Comcast, or Xfinity, or AT&T, it's normally their DNS resolvers unless you configure otherwise. But it's normally their DNS resolvers that need to say, hey, this person requested Google.com but that needs to resolve to an IP address. So that's the DNS resolver doing that. So VPNs don't always encrypt DNS requests, but there are tools available for you to do that and configure your DNS, if you want to be private.

Right. How much does a VPN slow the speed of connection, and what type of VPN is best for online banking?
VPNs do not guarantee speed because speed comes with different parameters that are just outside the VPN itself. So, say you're gaming and you're live streaming the game, that's about like high, you really need like a high throughput there and a high bandwidth, and it depends on how much internet you're paying for, so that's one, how much internet speed and bandwidth you need at that moment. And if you're just requesting a website you don't need much bandwidth, but if you're streaming or on a Zoom call with a bunch of different connections with a bunch of different people with their video open, that's more bandwidth, which is why normally people end up cutting off their Zoom video when things get a little shaky, because the throughput and bandwidth is, actually the latency is pretty bad. So there's different factors and VPNs can't guarantee speed in this case because honestly I don't know your home setup or your home network. What was the second question? I'm sorry.

A VPN for online banking.

Online banking. There's no specific one I would recommend just for online banking. Whatever one you're comfortable with to use that you end up choosing is probably the best one for online banking. I wish banking apps and services were a little bit better with offering account control sometimes, but as far as like VPNs, there's no particular one that's better than the other for banking services.

Okay, and that kind of leads into the next question. Do you have any comment on VPNs that are included with accounts, such as with your internet service provider or paid Google accounts?

What do I want to say about those, that some companies that offer VPNs along with, you know, the service that you're providing them. It's really a matter of how they're running this VPN. Are they providing some sort of VPN service where it's coupled with their infrastructure normally, and are they making it clear what happens with your information with this VPN service?
I don't really know any of them out there off the top of my head that's been so reputable that I would recommend them, like even Google VPN with people services has to come up as like not as private as they say. It can vary on what services that they use, and what they as a practice, anybody who's not a VPN company or a VPN service themselves, and they're packaging things in, I normally have to have a little bit more scrutiny because I'm like, well, you know, originally ISPs, they collect information on us, they do marketing based off whatever websites that we use, which is why a lot of people use VPNs nowadays in the first place, because there is marketing information from your internet service provider that they get from the requests for websites you get to. But they're also offering a VPN that's kind of conflicting with their business model. And I kind of wonder why. I'm like, okay, have you stopped this practice? If not, then I don't really trust it too much.
I'm just looking through the rest of the chat, so someone asked for suggested websites or articles with the metrics to help select one, but I think securityplanner.consumerreports.org was your recommendation there.
You've brought us in the chat to this is the one that EFF has. I said it several times but I want to make sure that everybody sees it. That's the other one that we have that provides guides on tools. We have it thankfully in different languages as well. And you can, you know, share those guides among your friends and family, and read them yourselves for your own knowledge.
Could you help explain the difference between browsing in incognito mode versus being and using a VPN?
So incognito mode, this is interesting because Google is actually in a $5 billion lawsuit for their incognito mode right now, if you look up the news. So incognito mode, for a long time, it was a misconception that it was hiding your traffic. Incognito mode does not hide any traffic, doesn't encrypt anything by default.
There are some changes now that may provide a bit better security, but basically what incognito mode did was tell the browser to forget your history, in particular, but it doesn't necessarily mean that the history is forgotten with your internet service provider. That doesn't mean that the internet history is forgotten with the website that you visited. It just means that your browser didn't save it in the history anymore and it may have also discarded some cookies, but in some cases that wasn't even happening. So incognito mode is a very thin veil of privacy because it just says we're not using your account to do this. So, say I'm using incognito mode on Google Maps on my phone. It just won't use my account or associate my search with that account in particular, but that's a very loosely thin veil because I'm using the same phone still, so they still see the traffic from my phone and my device. And it's really that great it doesn't provide a whole lot of security or privacy, I would say, guards for you, and hopefully it does get better. I know they've improved incognito mode. In Firefox it's called private browsing, which they actually provide HTTPS by default in private browsing now, something that I had advocated for. So that's nice, but it still doesn't really hide who you are, what you're doing. It just tells the browser to forget some history. So that way someone else who gets on the same browser can't see that you went to the website.
Alright, so if I'm shopping for a birthday present and I have a shared computer, the other person in my household won't necessarily see my search, but everybody in theory can still see where I went.
Yeah, yeah.
Let's see. Where do you get information about Tor Browser? I don't know if that's on topic.
So, ssd.eff.org has Tor Browser guides. So I know I don't go over in this talk because Tor is a different talk. It's a different set of information.
But if you go to ssd.eff.org, we do Tor Browser guides, and we have them for various platforms like Windows, Mac, Linux. So, and I believe also Android if I'm not mistaken, but Tor Browser is also available on Android, and I think on iOS it's still called Onion Browser if I'm not mistaken. The onion thing is related to Tor because of the onion router protocol that they use, so that's why it says onion, but those guides are up there on ssd.eff.org. And I run those and I write those guides.
Please put the Tor Browser that you just mentioned in the chat. And is AWS VPC basically a VPN in cloud? I don't know what any of those letters mean.
So, that is a cloud-based infrastructure product that Amazon provides. AWS is called Amazon Web Services and they're in. And so most of the Amazon's outside of Prime and buying packages from them all design. Their other really largely based business model's providing internet infrastructure, so that's what AWS is, and AWS VPC or virtual private connection. There's way too many acronyms in security so I apologize, but basically is a virtual private platform that emulates an endpoint that can be encrypted and connected on an infrastructure with your company. If you're using AWS for your infrastructure, for your websites, for your servers, there's normally VPC that you can set up and connect for your employees to connect to with these services. This is not a commercially available thing to just consumers everywhere, this is something where you're running cloud infrastructure in your company.
Right. Is double factor authentication a substitute for using VPN?
No, so two-factor authentication is actually a talk I actually gave for SFPL a couple years ago. So it's a way of protecting your account, so say someone found out your password. And now they're trying to log into your account and your password was password. And it's like, okay, I got her, you know, log in. And then they're met with a code that they have to put in.
They also have to get that somehow. So normally you set that up various ways. You can use an authenticator app. You can use, you know, SMS or text to get the other pin code if you turned on two-factor authentication in your account. You do this. Google has two-factor authentication. So if you go into security, if you go into security settings in your accounts, normally two-factor authentication will be available there for you to turn on, and it's a great bang for your buck for security, because if for some reason there is a password breach with your company, the attackers will still need that second code in order to actually break into your account. So that has something to do with account protection, has nothing to do with securing your traffic.
All right. In addition to all you wonderful people that have joined us on Zoom, we have some people in person here at the library and our learning studio. And so I'm going to unmute the learning studio and let them ask their question.
Yeah, I think we had one question. I like to know what effect this has on your spam traffic.
So VPNs themselves will have little to no effect on your spam traffic. That will probably be up to your email provider. So the email providers normally have spam filters and mechanisms for you to report spam. But there are VPN services that do tack on different features such as phishing detection or some sort of malicious downloaded links that you may have accidentally clicked on in your email. NordVPN provides something called Threat Protection. And that's an extra feature that they tack on on top of their VPN, and other VPN service providers do this as well. Antivirus companies also provide some sort of protection as well around this, so you could probably get an antivirus software to do this.
I also have beef with the antivirus software industry because they did such a poor job over the years of not a good practice, where a lot of the times a lot of people weren't even able to differentiate between their antivirus software, because of all the pop-ups that the antivirus software had, versus actual malware, actual adware, and it was very bad for a long time. I heard they're a little better, but thankfully like things like on Windows machines there's built-in antivirus protection. So unfortunately with spam, VPNs will have very little effect on that. It'll likely be more so up to your email provider and how good they are at catching it.
It looks like a participant has a question, so Ruben, I'm going to unmute you and see what your question is.
Hi, I have a couple of questions. One is kind of practical and one is more asking about total security. So the practical one is, when I travel and I go to other homes and they have their own Wi-Fi and I type in their user ID and password to get access to the Wi-Fi, are there security concerns there? Can that person, if they were malicious, do something because I'm using their Wi-Fi network?
So when multiple devices are on the same network they can peer into each other, because they're behind that wall, the router, right, they can see that there's other devices on the network and potentially talk to them.
So it will take a times and scaled attack for someone, they have to actually be targeting you in this case probably, where, you know, you go to someone's home and they know you have a certain device, and they may try to like send malicious files on the network and send them to your device. Possibly there could be instances where they could just see, you know, the IP address or your traffic even coming from your device if they have some sort of, they would need more than just a router to see your traffic though. They need actual programming software and some sort of software to actually look at all the requests coming in behind the network, so they need all that installed first before they could even look at your traffic first. In the case of a targeted attack like that, yes, there are possibilities because you're all on the same network. But if you're using a VPN, they actually can't snoop your traffic. So, even in that case there's like, well, this device is on the network, but I actually can't see where they're going. So in that case a VPN will help you a lot.
Good. That's what I was. Also, I wanted to let you know that your talk is very practical and answers a lot of questions that are very helpful. The second question I had is, I was talking to a young cousin of mine and he's working on chat software, has to do with the Lightning Network that's on top of a Bitcoin system. And that, he says, is very secure, as far as governments looking into it and blocking communications between peoples. Have you heard of that?
I have not heard that in particular. Blockchain-based networks are a little bit different in operation. And normally in most security products when they are introduced and use is mostly to make a defined ledger, and you can't change the information on that ledger, which is the main benefit, I would say, of blockchain, which is why Bitcoin transactions, once they're there they're there.
But it doesn't necessarily provide any other at its base. You can build stuff on top of this that could potentially be secure, right, but at its base blockchain just, you know, makes things immutable, where, you know, if things connect to it, they can't change it. So, if it's logged in that ledger, it's logged in that ledger. So I have not personally heard of that though, but yes, blockchain networks are definitely in discussions of security often.
Thank you.
All right, let's go back to the learning studio.
Okay, thank you, have one more question. Yeah, my question is concern about security. It's a big umbrella under how many VPNs over the global or in the US, like 100 or 1000. And this is kind of like a comparison of the security of all VPN, because after I learned from your lecture that it's very difficult for ordinary people to pick a VPN. Because as you say, different company with different policy or whatever. So, is that there's a thing that we can find out. We can find out around the group, like UK compared to Japan compared to Europe and USA VPN, or the basis in Europe is more secure than UK. And then we have 1000 VPN in the US, so how many have failed or close or whatever that is. So this is a consumer report says some kind of information like that. Thank you.
That's a good question. There's been various analyses and reports over the years on different VPNs and comparisons. So there was actually a website that did do this, but unfortunately that website was bought by a VPN company and so now it's highly biased, and it's very unfortunate that happened to that website. There's different countries with different rules, regulations and laws. So, say EU versus US, the EU has something called the GDPR, which is their federal level data protection law. In the US we do not have a federal level data protection law. Actually California does, it's called the CCPA, was enacted a few years ago, but not every state has a privacy protection law for data.
In the EU, you would say, like, companies do have to adhere to that when they're handling user and customer data, but unfortunately right now there's not one place right now where you can find that information. There's different VPNs with more reputable, I would say, timelines than others. And usually you could see it very easily in the news, but say you'll compare a few and you'll see some operating in the US that, the whole point, a lot of VPN servers, they have servers in different areas to adhere to different laws. So you'll have some, most VPN companies, even though they may be US-based, they have to adhere to, if they have an EU server they have to adhere to the laws in the EU for that server, in particular, or if they have a server in Japan, they need to adhere to the laws of Japan in order to operate there and having a server there, so they actually could be filtering different data compliance with different countries in different ways. The first thing I would like to see though is them to have a full scale privacy policy that is very strong and actually covers all those countries' needs, where they don't have to pick and choose which data we want to collect here and there. I would rather for them not to, to minimize as much data as possible in collection and be a logless VPN, because that is possible. So, it's a hard question to answer only because of the fact that a lot of these companies will be a little different in their privacy policy on the servers that they operate in different countries. So even though the VPN may be US-based or EU-based, they'll still have servers around the world and you still have to see in their privacy policy, how do they address this international scheme of servers.
All right, we're running up against two o'clock so I'd like to thank you so much for joining us.
If folks have additional questions, is there somewhere they can reach out to you after the event, or just go to EFF website, what's their best option?
Just email me, you know, I put Alexis at EFF.org. I look at my email all the time, it's open all day, I will likely see you. So just put like the title SFPL or something like that talk, and I'll see it and I respond as soon as I possibly can, so feel free to reach out to me with extra questions.
All right, I'm sorry to the folks that we didn't get a chance to address a couple of questions live, but hopefully you can follow up after the event. Thank you so much Alexis for joining us and to all of our SFPL patrons for being with us this afternoon. Have a great day.
Thank you. Bye everyone.