VPNalyzer Privacy and Data Policy

Last updated: February 25, 2021

What is VPNalyzer?

VPNalyzer is an academic research project from the University of Michigan that aims to analyze the VPN ecosystem.

VPNalyzer consists of three parallel efforts: large-scale quantitative and qualitative user studies, a cross-platform desktop tool for users to test the security and privacy features of their VPN connection, and qualitative studies surveying VPN providers.

Our goal with the VPNalyzer project is to advance the public interest, inform practical regulations and standards, enforce accountability and empower consumers to find more trustworthy VPN products.

vpnalyzer overview

What data is collected

User Study (Survey):

We will be collecting the answers you provide as a survey participant, but note that we do not collect your name, email address or any personal identifier along with the survey. Hence, we will not be able to attribute a survey response to any one respondent. The survey questions merely focus on our research concerns and do not ask for any personally identifiable information.


VPNalyzer Tool:

Once downloaded and installed, you can run the tool’s measurement test suite to ascertain if your VPN provider has support for good security practices, check for malicious behavior, and test for misconfigurations and leakages. We will also ask you, the user, to give us the name of your VPN provider, how much you paid for your VPN provider, the name of your Internet Service Provider, your current location, and the VPN server’s location.

The tool requests administrator privileges to your machine for advanced tests that require access to the computer’s firewall and to record packet captures for in-depth analyses. Note that we provide you with the means to opt-out of giving us the administrator privileges. One full test takes approximately 20 minutes to perform and we advise you not to use your computer to do "personal browsing" during the testing since the packet captures may record them and the advanced test that modifies your firewall may disrupt your browsing. Packet capture collects data on open interfaces on your computer which could include data about bluetooth-connected or Internet-connected devices on your network and it may also include data about existing connections on your machine.


Joining our mailing list:

We collect your full name, email address, the name of the organization that you belong to, general questions about your background with respect to your familiarity with computer science and/or technology, whether you would like to be updated when the VPNalyzer tool is released for MacOS, Linux, or Windows, and if we can contact you about any follow-up studies that are part of the VPNalyzer project. We will store and use this information only to contact you for the purpose of this study.

How data collection occurs

Participating in our user survey is entirely voluntary. Survey data will be collected through the Qualtrics survey linked on our website. The University of Michigan Institutional Review Board (IRB) has determined that our user study is no more than minimal risk and exempt from on-going IRB oversight.

Participating in running our VPNalyzer tool is entirely voluntary. Users run VPNalyzer at their own risk. By installing and using VPNalyzer, users agree to this privacy and data policy and certify that they have read our consent form. Users must be informed of the local laws regarding the use of VPNs and download and use VPNalyzer at their own discretion. The University of Michigan Institutional Review Board (IRB) has determined our study done with the VPNalyzer tool to be "Not Regulated by the IRB", because we aim to study the VPN products rather than the human subjects.

The alpha and beta releases of the tool will be circulated privately via email to those who sign up to be part of the testers group. The public releases of the tool will be available to download from our website.

Joining our mailing list is also entirely voluntary and can be done by filling out details in the Google Form linked on our website.

How the data will be used

User Study (Survey):

Our study will use the survey data collected to discern patterns in VPN user knowledge, needs and concerns of the users. The results we obtain will be published as a paper and as blog posts. The data will be reported in an aggregated manner and since no personal identifiers and linkers are collected, we do not anticipate that the survey respondents can be uniquely identified by our results. But please also note that since we do not collect personal identifiers and linkers within the survey, you will not be able to send an opt-out request to us or rescind your response once you have submitted your survey response.


VPNalyzer Tool:

We aim to systematically investigate the commercial VPN ecosystem through the lens of security and privacy using a crowdsourced data-driven approach. As the commercial VPN ecosystem is vast, the data collected from users like you running our tool will empower us to analyze various VPN providers at scale.

Only the team members (“Research Group”) mentioned in vpnalyzer.org/about#team will have access to the raw data. We will only publish results in an aggregated format on our website when reporting data on VPN providers. The results will be made available at vpnalyzer.org/r/uuid (example) which will be accessible to you a few minutes after you complete a test and obtain your UUID (universally unique identifier) from the tool. This webpage will contain results from your test alone and we will never publish your IP address, MAC address or any other identifiable data on this webpage or anywhere else on our website or other publications.


Joining our mailing list:

We will add you to respective mailing lists for the VPNalyzer Tool based on the platform (MacOS, Linux, Windows) that you are interested in and we will only contact you if we have updates with respect to the release of our tool. If you have indicated that you would like to be contacted for surveys or any follow-up user studies that are part of the VPNalyzer project, you will be added to those mailing lists as well.

Measures to protect privacy and security of data

Note that we collect no personally identifiable information in the survey. Since the survey is run on Qualtrics, we ensure that no identifiers and linkers are collected in our survey questions or metadata. We have ensured that our survey and the data that will be collected in the survey are all permitted under University of Michigan’s Qualtrics Senstive Data Guide.

The survey data collected and the data collected for the mailing list will be stored on a secure server at the University of Michigan and only the Research Group will have access to the data. The servers themselves are secured by authentication and Identity & Access Management provided by the University of Michigan. Any and all files, figures, and knowledge generated from analyzing the data will also be stored on the aforementioned servers.

Similar measures are taken for the data collected from the tool as well. We store the data on a Google Cloud Storage bucket to ensure availability, reliability, and also to facilitate faster data analysis to ensure we make the results webpage (like: vpnalyzer.org/r/uuid) available as soon as the analysis pipeline completes its run on the uploaded data.

Data retention policy

The survey data collected containing no personal identifiers will be retained on our University of Michigan servers, and will only be available to the Research Group. We maintain this data over time since the academic paper review process may request further analysis or clarification. The Research Group may also use the data collected to design any further research studies.

The data collected from the tool will be retained on our private Google Cloud Storage bucket for 2 years for the same reasons outlined above. We limit the data retention period for the tool as it contains data collected directly from the user’s machines. At the moment, we do not support opt-out for our tool users. Once the data is uploaded by the tool, our analysis pipeline will begin to operate on the data and will be included in our aggregate reporting. If we support opt-out at a later date, we will announce it on our website.

Data collected for the purpose of adding interested users to the mailing list will be deleted upon the completion of the VPNalyzer project which will be announced on our website. We retain this information until the end of the project since we may contact willing participants for any further studies under VPNalyzer.

Sharing of data

The raw data collected from the survey and tool shall only be accessible to the Research Group. Knowledge and results generated from the data collected will be shared to the public in the form of research papers and blogposts. The individual results from the tool will be made available at the results webpage that the user can access. However, please note that any data collected will never be shared or sold for commercial or other purposes.

Questions?

You can reach out to vpnresearch@umich.edu

If you have any queries, please use this form to reach us.


© 2021 VPNalyzer. All rights reserved.