Emotional and Practical Considerations Towards the Adoption and Abandonment of VPNs as a Privacy-Enhancing Technology
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Proceedings on Privacy Enhancing Technologies ; 2020 (1):83–102
Moses Namara*, Daricia Wilkinson, Kelly Caine, and Bart P. Knijnenburg
Emotional and Practical Considerations
Towards the Adoption and Abandonment of
VPNs as a Privacy-Enhancing Technology
Abstract: Virtual Private Networks (VPNs) can help
people protect their privacy. Despite this, VPNs are
1 Introduction
not widely used among the public. In this survey study
In recent years, increased levels of mass surveil-
about the adoption and usage of VPNs, we investigate
lance and data collection have contributed to signifi-
people’s motivation to use VPNs and the barriers they
cant privacy concerns from end-users worldwide [1]. In
encounter in adopting them. Using data from 90 tech-
the United States, Congress enacted a Congressional
nologically savvy participants, we find that while nearly
Review Act to repeal existing privacy rules that re-
all (98%; 88) of the participants have knowledge about
quired Internet Service Providers (ISPs) to seek per-
what VPNs are, less than half (42%; 37) have ever used
mission from its customers to collect and share per-
VPNs primarily as a privacy-enhancing technology. Of
sonal information such as their browsing history [2, 3].
these, 18% (7) abandoned using VPNs while 81% (30)
This has driven privacy advocates to motivate inter-
continue to use them to protect their privacy online. In
net users to explore privacy-enhancing technologies such
a qualitative analysis of survey responses, we find that
as Virtual Private Networks (VPNs) as a technology
people who adopt and continue to use VPNs for privacy
that can provide an additional layer of privacy protec-
purposes are primarily motivated by emotional consid-
tion and anonymity when using the Internet [4]. VPNs
erations, including the strong desire to protect their pri-
are secure communication technologies that were orig-
vacy online, wide fear of surveillance and data tracking
inally developed to connect remote sites or users to-
not only from Internet service providers (ISPs) but also
gether over a public network [5]. They have evolved into
governments and Internet corporations such as Face-
a consumer tool that is used to provide users with an
book and Google. In contrast, people who are mainly
Internet Protocol (IP) address that is not subject to
motivated by practical considerations are more likely to
the censorship rules of their geographical location, as
abandon VPNs, especially once their practical need no
well as to hide users’ browsing behavior from surveil-
longer exists. These people cite their access to alterna-
lance [6]. As a result, they are now widely marketed
tive technologies and the effort required to use a VPN
as privacy-enhancing technologies (PETs) 1 that allow
as reasons for abandonment. We discuss implications of
internet users obscure and protect their personal iden-
these findings and provide suggestions on how to max-
tifiable information, including their online traffic, not
imize adoption of privacy-enhancing technologies such
only from their ISP, but also from their governments,
as VPNs, focusing on how to align them with people’s
and other online entities [7].
interests and privacy risk evaluation.
Around the world, adoption and usage of VPNs is
Keywords: privacy, Virtual Private Networks (VPNs), much higher in Asia-Pacific (i.e., 30% of internet users)
judgment and decision making, psychology, privacy- and Latin America (i.e., 23% of internet users) primar-
enhancing technologies ily as a technology to access restricted and censored
DOI 10.2478/popets-2020-0006
content [8]. However, VPN adoption and usage remains
Received 2019-05-31; revised 2019-09-15; accepted 2019-09-16. low (i.e., 18% of internet users) in Europe and North
America regions where the main reasons for usage are
to remotely connect to the network of one’s school in-
stitution or employer and as a privacy-enhancing tech-
*Corresponding Author: Moses Namara: Clemson Uni-
versity, mosesn@clemson.edu nology [8, 9]. According to a PEW research study [10],
Daricia Wilkinson: Clemson University, dari-
ciaw@clemson.edu
Kelly Caine: Clemson University, caine@clemson.edu
Bart P. Knijnenburg: Clemson University,
bartk@clemson.edu 1 e.g., https://mullvad.net/en/ and https://nordvpn.com/Adoption and Abandonment of VPN as a PET 84
only 13% of online adults in the United States are aware tent to which people find PET tools effective at improv-
that issues that defeat the concept of online privacy can ing and safeguarding their online privacy. In interviews
be minimized by use of a VPN, while 70% of users are with Chief Information Security Officers in the medical
not even sure what purpose a VPN serves. field, Johnson and Willey noted that “physicians work-
Within the privacy research community, there is a ing at home could use a virtual private network (VPN)
lack of an empirical understanding of the external fac- to gain access to hospital systems, but sometimes found
tors that motivate or hinder users from adopting VPNs it slow or cumbersome and chose to download the data
primarily as PETs. Likewise, there is no clarity on peo- to their remote laptops instead”[11]. Likewise, adoption
ple’s personal considerations or perceptions that under- could be thwarted by the lack of obvious tangible ben-
lie this adoption decision. As a step towards addressing efits. Within corporations, for example, there is often
this, we conducted a survey targeting VPN users and a positive business-related outcome and an economic
abandoners to investigate these external factors and per- justification for their investments in PETs before a pos-
sonal considerations that motivated or hindered their itive decision to adopt PETs is taken [12]. Note that
adoption and usage of VPNs as PETs. We find that in contrast to these works, our current work focuses on
while both practical and emotional considerations mo- VPN adoption by private individuals rather than cor-
tivate the adoption of VPNs as PETs, only emotional porations.
considerations are a primary driver behind their sus- Similarly, Caulfield et al. [13] used privacy at-
tained usage. tributes i.e., context (the setting in which and the pur-
In the following sections, we discuss related work pose for which a given technology is used), requirement
regarding the adoption and use of PETs, as well as im- (the level of privacy that the technology must provide
portant aspects of users’ judgment and decision-making for a user to be willing to use the technology), belief (a
practices surrounding adoption. In Section 3, we discuss user’s perception of the level of privacy provided by a
our survey methodology. Section 4 presents our results, given technology in a given context), and relative value
and implications are discussed in Section 5. Section 6 of privacy (how much a user cares about privacy in this
covers our limitations and future work, followed by our context and how willing they are to trade off privacy for
conclusion. other attributes) in an economic (rational) model to un-
derstand the adoption of PETs. Using this model, they
found that increased media coverage of Apple against
FBI [14] signaled to users that the iPhone was more
2 Related Work privacy-enhancing than Android devices. Such a shift
in user belief would increase the adoption of the iPhone
In this section we first cover related work on the
as a privacy-enhancing technology. Our work goes be-
adoption and acceptance of privacy-enhancing technolo-
yond the economic model proposed by Caulfield et al.
gies. We then discuss VPNs as PETs, and usability as a
by also covering emotional reasons for the adoption and
factor in the adoption of PETs, notably VPNs. We then
use of VPNs.
draw from the Technology Adoption Model (TAM) as
a useful adoption model that encompasses usability but
can also be used as a guideline to discuss other fac-
2.2 VPNs as PETs
tors that may relate to VPN adoption. Finally, we look
at decision-making psychology literature that highlights
Using VPNs serves as one of the means through
the existence of both practical and emotional decision
which people can safeguard their privacy [15, 16]. How-
processes. We subsequently use this distinction to for-
ever, people can mistakenly perceive VPNs to com-
mulate our guiding research questions.
pletely protect their online privacy [17]. VPNs do not
fully guarantee user privacy based upon their own prac-
tices and those of the website(s) the user is accessing [6].
2.1 Adoption and Acceptance of PETs
Specifically, VPNs afford users privacy and anonymity
through the alteration and re-routing of the user’s IP
Previous studies on privacy-enhancing technology
address through the VPN provider’s servers and encryp-
adoption found that PET adoption was impacted by
tion of all the data packets sent out from a user’s device
factors such as usability and usefulness [11–13]. In the
to the server through a secure “tunnel” (i.e., a private
context of PETs, usefulness refers to the belief and ex-
network) established by the VPN client installed on theAdoption and Abandonment of VPN as a PET 85
device [18, 19]. Through this secure tunnel, the user’s ple go through as they accept software and information
internet traffic is hidden from outside observers and pre- technologies [29]. According to TAM, actual system us-
vents the websites being accessed from identifying the age (i.e, the user’s behavioral response) is determined
user by their actual IP address. However, websites can by the user’s behavioral intention (affective response)
still track and identify a user through other means such towards whether or not they will use the system. Be-
as browser or device fingerprinting, logins and cookies havioral intention, is in turn, influenced by the user’s
[20]. cognitive (practical) response (i.e., ability to assess or
perceive the usefulness and usability of the system).
External stimuli such as the system’s design features
2.3 Usability as a Factor in PET Adoption and capabilities directly influence the user’s cognitive
response.
With the rise of downloadable applications, software TAM has been applied to successfully predict the
trials, and “freemium” pricing strategies, people are in- end-user acceptance of many technologies from various
creasingly able to experience the usability of a tech- domains such as the e-commerce [30], telemedicine [31]
nology before they commit to using it and/or spend- and even employee adoption of information security [32].
ing any money on it [21]. Therefore, the usability of In this paper, we use the TAM framework constructs
PETs is important, because people are more likely to (external stimuli, user motivation and actual system us-
adopt them when they are usable. For example, a PET age) to guide our understanding of the factors that mo-
like Tor2 , which guarantees user anonymity and pro- tivate people to adopt and/or abandon using VPNs as
tects against network surveillance and traffic analysis, PETs.
is not commonly used due to lack of usability [22]. Like-
wise, although Pretty Good Privacy (PGP) is an effec-
tive means to provide communication security through 2.5 Judgment and Decision Making
encryption, most tools implementing PGP have been
found to be unusable despite their attractive graphical Researchers have criticized TAM for not ground-
user interfaces [23]. People have instead adopted those ing the cognitive (practical) and affective (emotional)
secure communication applications which offer end-end responses which underlie user motivation and attitude
encryption and are usable (e.g., WhatsApp, Signal and in psychological theories that describe people’s decision
Telegram) [24]. processes [34]. TAM largely treats user motivation as a
Extrapolating from these examples, one could ar- function of the perceived consequences of a user’s target
gue that usability would be an important factor in the behavior for using the system, multiplied by the evalu-
adoption and usage of VPNs. However, while most of ation of those consequences [29]. This treatment is re-
the existing research focuses on technical capabilities of lated to the “expected utility theory” in judgment and
VPNs [25, 26], usability of VPNs has not been studied. decision making, which suggests that people make de-
In the current paper,we adopt the definition of PET cisions by assessing the severity and likelihood of possi-
usability suggested by Whitten and Tygar [23] to de- ble outcomes and then maximizing the expected value
fine “usability of VPNs” as the ability of users to re- of the outcome [35]. In conventional sense this means
liably and successfully use VPNs whenever online, and that when people evaluate risk cognitively (practical
are comfortable enough with the interface to continu- consideration), they make a decision to alleviate such
ing using them. We, therefore, explore factors such as a risk based on the premise of the consequences that will
VPN’s usability from an end-user perspective to learn result from the choice they select or the activity they
of how they foster adoption and use [27, 28]. engage in. In the field of privacy, this principle is en-
coded in the “privacy calculus”, which argues that peo-
ple trade off the privacy risks and potential benefits of
2.4 The Technology Adoption Model engaging in a certain activity in a deliberate process
[36]. For example, as a response to this cognitive eval-
The Technology Acceptance Model (TAM) was de- uation, people could decide to use a VPN in order to
veloped with the goal of understanding the process peo- protect their privacy by anonymously browsing the in-
ternet based on the severity of the consequences that
accrue with visiting the sites or activities they conduct
2 https://www.torproject.org/ over the internet.Adoption and Abandonment of VPN as a PET 86
Anticipated outcomes
(including anticipated Cognitive Evaluation
emotions) (Practical considerations)
Outcomes (incl,
emotions)
Subjective
probabilities Behavior
(decision to use ● Continuous
use of VPNs
a VPN)
● Pause/Stop
Feelings use of VPNs
Other factors e.g., (Emotional considerations)
vividness (of privacy risk),
immediacy (of privacy risk),
background mood
Motivators Considerations Decision Outcomes
Fig. 1. The Risk-as-feelings perspective (adapted from [33]). The colored annotations represent our interpretation of the theory with
regard to the decision to adopt VPNs as PETs.
A particular shortcoming of this treatment in TAM this difference in determinants, it is not uncommon for
is that it ignores the separate roles that practical and emotional responses to diverge from cognitive responses.
emotional considerations play in the adoption and ac- When such divergence occurs, the emotional consider-
ceptance of technology [29, 34]. Even though research ations often take the upper hand—they drive behavior
has shown that emotions (i.e., feelings that are usually and result in different outcomes.
associated by an individual with a particular act, such Hence, in line with the risk-as-feelings theory [33],
as joy, sadness, depression, anger, disgust, fear, like, dis- we make a distinction in the analysis of our study re-
like, or hate) are direct determinants of user behavior sults between the emotional and cognitive evaluations
separate from practical considerations [37, 38], TAM of the external stimuli and internal motivations that
assumes that in the decision making process, practi- influence people’s decision to adopt and use VPNs as
cal considerations such as perceived usefulness and ease PETs (we use the shorthand terms “emotional consid-
of use of the technology are made first—emotions are erations” and “practical considerations”, respectively,
only considered as a component of the expected con- see (Fig.1)). Our intent in doing this is to investigate
sequences of the decision, rather than being separately whether there is indeed a difference in the adoption and
experienced [33]). usage of VPNs as PETs when these stimuli and motiva-
In contrast, Loewenstein et al.’s [33] risk-as-feelings tional factors are emotionally or cognitively evaluated. If
theory reveals that people’s responses to risky situations so, this would confirm the risk-as-feelings assertion that
(including decision-making) are different when the sit- when present, people’s emotional considerations exert a
uation is cognitively evaluated (i.e., practically consid- separate, stronger, and more robust influence on their
ered) compared to when they are based on the feelings behavior than their practical considerations.
associated with the situation, such as fear, worry, dread To apply this theory and offer a better understand-
or anxiety (i.e., emotionally considered). ing on how people adopt and use VPNs as a privacy-
As illustrated in Figure 1, the risk-as-feelings per- enhancing technology, we define emotional and practical
spective posits that people’s emotional responses to the considerations as follows:
evaluation of risky situations independently inform de- – Emotional considerations: The judgment and
cision making. While anticipated outcomes and their decision to use a VPN for privacy protection pur-
subjective probabilities may cause emotional responses poses primarily based on emotions, such as the fear
(albeit to a much lesser extent for cognitive evaluation of ISPs’ uncontrolled access to and misuse of per-
than emotional evaluation), these emotional responses sonal information, anger with surveillance by the
can also result from the evaluation of factors that are government, or dislike of websites’ large-scale track-
not considered during cognitive evaluations, such as the ing of web browsing activities.
vividness and immediacy of the risk. In part due toAdoption and Abandonment of VPN as a PET 87
– Practical considerations: The judgment and de- ternal motivations that propel people to learn about,
cision to use a VPN for privacy protection pur- adopt, and use VPNs (as standalone applications) for
poses based on an objective to accomplish a prac- privacy protection purposes. Specifically, we queried re-
tical task or need, such as obtaining secure and/or spondents’ awareness of VPNs, their current use of
anonymous access to entertainment content, web- VPNs (i.e., never used, currently using, stopped/paused
sites, social networks, remote files/machines, or the use), their duration of use (i.e., since when and until
Tor browser. when, if applicable), their initial beliefs and values re-
garding VPNs including their motivations to start using
In summary, we pose the three following research ques- VPNs (if applicable), the number of VPN applications
tions: they explored for use, the overall cost of their VPN use,
RQ1: What factors motivate users to adopt VPNs the perceived pros and cons of VPN use, and their gen-
as a privacy-enhancing technology? eral sentiments about VPNs.
RQ2:What barriers do they encounter in adopting To quantify their perceptions regarding VPNs, we
VPNs as a privacy-enhancing technology ? also asked respondents to state their agreement on a 5-
RQ3: What are the differences in the adoption and point Likert scale (1 = Strongly disagree, 5 = Strongly
usage of VPNs as a privacy-enhancing technology be- agree) regarding a number of statements/items (see Ap-
tween users who mainly have practical considerations pendix A). These survey items were adopted from Col-
versus those who mainly have emotional considerations? nago et al.’s [39] survey and are related to the three
constructs detailed below. We provide the Cronbach’s
alpha for each of the constructs to demonstrate their
reliability [40]. Acceptable values of Cronbach’s alpha
3 Methodology range from 0.70 (acceptable) to 0.95 (excellent) [40].
– Affordance of a VPN to protect user privacy
The goal of this study is to explore how people
(5 items, alpha: 0.7):
adopt and use VPNs specifically for privacy protection
– Using VPNs helps me protect my privacy on-
purposes. We conducted a survey composed of closed-
line.
ended, multiple-choice, 5-point Likert scale, and open-
– It is worthwhile to put in the effort to start using
ended questions. To ensure that we asked the right ques-
a VPN.
tions and improve the validity of the survey data col-
– It is important to learn about the benefits of
lected, we pre-tested all our survey questions through
using a VPN.
interviews with five VPN users and subjected it to an
– It is important to learn about the drawbacks of
expert review by three human computer interaction ex-
using a VPN.
perts. We elaborate on our survey design in Section 3.1.
– I suggest that people should use a VPN at any
Due to the low prevalence of VPN use in society [8–
neccessary cost to protect their privacy online.
10], the resulting survey (which is fully listed in Ap-
– Difficulty of selection and installation of a
pendix A) was targeted to people with a high likelihood
VPN application (4 items, alpha: 0.79):
of at least knowing about VPN. In particular, we dis-
– I had a hard time deciding on the best VPN
tributed the survey to Reddit users (Redditors) of sev-
application to use.
eral VPN sub-communities and to Computer Science
– Installing a VPN was difficult.
students at Clemson University via email listservs. We
– Installing a VPN was easy.
elaborate on our recruitment procedures in Section 3.2.
– Installing a VPN was a lengthy process.
The survey was completed by 90 participants, whose
– Ease of use of a VPN application (3 items,
responses were coded and qualitatively analyzed (see
alpha: 0.8):
Section 3.3). This study was approved by the Clemson
– I had a hard time understanding how to use
University Institutional Review Board (IRB).
VPNs.
– I think that VPNs are easy to use.
– I think that VPNs are difficult to use.
3.1 Survey Design
Additionally, we asked respondents’ different demo-
The main objective of our survey was to gain a
graphic questions including their gender, age, nation-
deeper understanding of the external stimuli and in-
ality and current country of residence. To account forAdoption and Abandonment of VPN as a PET 88
cultural variations in privacy attitudes and behaviors used them primarily as privacy-enhancing technolo-
[8, 41, 42], we also asked how long each respondent had gies for some period of time in the past, but have
lived in the country of current residence and whether currently momentarily or completely stopped using
their current country of residence was different from them.
their nationality.
These categories helped us better structure the survey,
as it allowed us to ask specific questions for each of
3.1.1 Survey Development and Refinement the user categories (groups) to better contextualize their
adoption and usage experiences. For example, abstain-
We pre-tested the initial set of survey questions with ers would be asked about their perceptions of VPN,
five participants who reported that they were VPN users while adopters and abandoners would be asked about
[43]. The purpose of the pre-test was to assess the clar- their perceptions as well as their actual experiences us-
ity, appropriateness and necessity of each of the ques- ing VPN (Appendix A indicates which questions were
tions to ensure that the collected data would allow us shown to which user group(s)).
to answer our research questions [44]. Moreover, the pre-test demonstrated that some
During the 30 minute think-aloud walk-through of of our initial questions were too long. Subsequently,
the survey, the interviewer read each question aloud and we rewrote those questions to make them more brief
asked pre-test participants to respond verbally to each and understandable. We also added five questions that
question. Beyond that, participants were asked whether specifically sought respondents’ perceptions regarding
the question was easy for them to comprehend, whether the privacy protection affordances of VPNs, as well as
they felt comfortable responding to the question, and additional demographic items such as nationality.
how valuable they found the question to be. In response,
some participants also volunteered other questions and
answer choices that we could consider adding to the 3.1.2 Expert Review
survey.
Overall, the pre-test interviews provided insights After the pre-test, three human computing expert
into how respondents would interpret and respond to reviewers with domain knowledge on survey method-
the survey questions. Moreover, the pre-test also helped ology and usable privacy reviewed our updated survey
us identify the different categories of VPN users that questions to ensure that they were correctly worded and
we were likely to encounter in our sample. Notably, we adequate enough to uncover valuable insights from re-
learned that despite knowing about VPNs, all five par- spondents. They helped us remove technical words that
ticipants did not constantly use them—at least not for our respondents would not easily comprehend thereby
privacy purposes. Based on this finding, we explored the making it possible to have the respondents self-report
literature around stages of technology acceptance (see as accurately as possible [45].
Section 2.4). This adoption literature (cf. [29]), in con-
cert with the VPN user types that we identified and
hypothesized based on our insights from the pre-test 3.1.3 Pilot Test
interviews, led us to come up with the following four
categories of adoption and usage of VPNs as PETs: Subsequently, we pilot-tested the survey with seven
– Unaware (Non-Adopters): Respondents who do participants to understand how long it would take to
not know about VPNs. complete the survey, to ensure correct branching for
– Never used for privacy (Abstainers): Respon- each of the identified adoption categories, and to en-
dents who know about VPNs but either have never sure that collected data was correct and in the expected
used them at all or currently use / have used them format. Based on time it took for the participants to
for purposes other than protecting their privacy complete the survey (at most 15 minutes), and compre-
(e.g. remotely accessing a work or school network). hension of the questions, we updated a number of our
– Currently use for privacy (Adopters): Respon- questions, the design aesthetics, and the branching logic
dents who know about VPNs and are currently us- of the survey, until no additional questionnaire problems
ing them primarily to protect their online privacy. remained.
– Paused/Stopped use for privacy (Abandon-
ers): Respondents who know about VPNs, haveAdoption and Abandonment of VPN as a PET 89
3.1.4 Final Survey and Administration 3.3 Coding and Analysis
The final survey instrument was administered via At the end of the study period (November 2018),
the Qualtrics web-based survey tool [46], which allows the survey responses were downloaded from Qualtrics
for a branching survey. For example, the first question for coding and analysis. After removing incomplete re-
asked whether respondents knew what a VPN is, and sponses, the responses of the remaining 90 participants
the response to this question determined the next set of were organized based on the VPN use and adoption cat-
questions. This ensured that respondents only saw and egory they belonged to (see Section 3.1.1).
responded to questions relevant to their situation. As Two researchers qualitatively analyzed [48] the re-
our study was targeted to individuals who are likely to sponses to all the open-ended questions in the survey
use VPN (students, users on VPN forums), the most de- to learn of the respondents’ attitudes regarding VPNs
tailed questions were administered only to participants and their experience using VPNs. Thereafter, the re-
who indeed (previously or currently) used VPNs for pri- searchers did a content analysis [49] to code the re-
vacy protection purposes. sponses of the adopters and abandoners to the two ques-
tions that were specifically focused on the factors that
motivated them to use a VPN as a PET: “How did you
3.2 Recruitment and Respondents finally end up using a VPN for personal privacy protec-
tion purposes?” and “Upon learning about VPNs, what
We conducted our survey between September and sparked your desire to actually use them for personal
November of 2018. Our recruitment goal was to find privacy protection?” Specifically, based on Loewenstein
respondents who primarily use VPNs as a privacy- et al.’s [33] risk-as-feelings theory, the answers to these
enhancing technology (PET). While the use of VPN to questions were coded as either emotional and practical
remotely accessing a work or school network is fairly considerations. The code was assigned based on whether
common [47], its use for privacy protection purposes re- the answer demonstrated an emotional need (e.g., “I re-
mains low [8, 9]. Considering that participants who do ally dislike the idea of being followed about online. [...]
not know what VPNs are would not provide many rele- To me, that’s not okay.”) or a practical need (e.g., “I
vant insights for our study, we decided to forego random was on a network that restricted access to websites I
sampling from the population at large as a recruitment needed access to.”) The inter-rater reliability (Cohen’s
strategy. Instead, we specifically targeted people who Kappa) of the raw agreement between the two indepen-
were at least aware of what VPNs are, using two re- dent coders [50] was 0.65. A kappa above 0.6 is usually
cruitment methods. First, we posted recruitment posts considered satisfactory [51].
on a number of Reddit sub-communities about VPN: We did not find any qualitative response differences
r/VPN3 , r/VPNTorrents4 and r/Privacy5 . Second, we between Redditors and students. We therefore merged
sent recruitment emails via email listservs of Computer these samples in our further analysis and in the discus-
Science students at Clemson University. Our survey in- sion below. For clarity purposes, however, we will use
strument captured where the responses came from based R and S to distinguish the quotes from these different
on the two distribution avenues (i.e., posts on Reddit samples.
and email listservs). This recruitment method resulted
in a sample size of 90 respondents: 39 Redditors and 51
students (Fig. 2). Respondents were entered into a raffle
to win a $50 Amazon e-gift as incentive to complete the
survey.
4 Results
4.1 Quantitative Survey Results
Among the 90 respondents (39 Redditors and 51
students) who took the survey, the vast majority (88)
reported knowing what a VPN is (Fig. 2). Among those,
49 used it primarily to serve other needs that did not
3 https://www.reddit.com/r/VPN/
include protecting their privacy online and 2 had not
4 https://www.reddit.com/r/VPNTorrents/
5 https://www.reddit.com/r/Privacy/
used it despite knowing about it. The remaining 37Adoption and Abandonment of VPN as a PET 90
Fig. 2. A breakdown of the respondents in our sample by VPN use and adoption category (see Section 3.1.1).
VPN User Groups
as PETs (adopters; shown in green in Fig. 2) while 7
Total Abandoners Adopters of them reported having temporarily or permanently
N=(37) N =(7) N =(30) stopped using VPNs as PETs (abandoners; shown in
Gender orange in Fig. 2). These 37 respondents are the main
Male 25 6 19 basis of our results and findings, since they allow us to
Female 6 1 5 learn how people come to adopt and use VPNs as a
Unknown 6 0 6 privacy-enhancing technology. Their demographics are
Age shown in Table 1.
18-24 21 6 15 For these 37 participants, we examined the quan-
25-34 4 1 3
titative data (perception scales) and qualitative data
35-44 3 - 3
45-54 2 - 2
(open-ended questions) from the survey to examine the
55-64 2 - 2 motivations and external stimuli that influence people’s
65-74 1 - 1 adoption and use of VPNs as PETs. We report the re-
Unknown 4 - 4 sults of this analysis using the TAM framework con-
Nationality structs as a guiding framework, using external stimuli,
USA 28 7 21 user motivation, actual system usage, and hindrances
Azerbaijan 1 - 1 as the main structure of our result section. Note that
Canada 1 - 1
“hindrances” constitute the performance impacts con-
Cyprus 1 - 1
Gabon 1 - 1 cept that was originally conceived as part of TAM but
Germany 1 - 1 was later removed [29].
Great Britain 1 - 1 For each of these aspects, we show the similarities
Portugal 1 - 1 and differences between adopters and abandoners. We
Russia 1 - 1
provide quotes (labeled with S for students and R for
Slovakia 1 - 1
Redditors) to support our observations. Under the user
Table 1. Demographic data : Gender, Age and Nationality of the motivation section (Section 4.2), quotes are also labelled
main respondents in the study categorized by the VPN user as either Emotional Reasoning or Practical Reasoning,
groups (Abandoners and Adopters.)
based on how they were coded.
reported using VPNs to specifically protect their pri-
vacy online; 30 of them reported currently using VPNsAdoption and Abandonment of VPN as a PET 91
4.2 People’s Motivation to Adopt VPNs ing; “For the most part, I just hold my privacy in a
higher regard than many other people these days. I
Considering the quantiative results of the measured know just how much data can be collected about you
perception scales, both adopters and abandoners report and how easy it is to use ‘anonymous’ data to iden-
finding it easy to select and install (Mabandoners = 2.60, tify specific people.” S, Emotional Reasoning ). Ad-
SDabandoners = 0.33, Madopters = 2.38, SDadopters = ditionally, some respondents reported actually being
0.09), and use (Mabandoners = 1.90, SDabandoners = hacked in the past, so they used VPNs as PETs to
0.33, Madopters = 1.82, SDadopters = 0.09) VPNs. They better safeguard their online privacy (“I have been
also expect and perceive VPNs to protect their privacy hacked a couple times and it piqued my interest in
by default (Mabandoners = 3.66, SDabandoners = 0.33, cyber security. VPNs are one of the things I found
Madopters = 4.17, SDadopters = 0.09). While our sam- online that I could implement easily.” S, Emotional
ple of especially abandoners is not sufficiently large to Reasoning).
make statistical comparisons, at the surface level, these – Fear of Internet surveillance: Thirteen respon-
results seem to suggest that adopters and abandoners dents are wary of their ISP or their government
are initially about equally motivated to adopt and use covertly monitoring their online activities. As such,
VPNs. they reported being compelled to use VPNs to safe-
However, considering our qualitative analysis, we guard their privacy and also to quell their fears of
find that the considerations underlying users’ motiva- online surveillance (“I wanted to be safer from gov-
tions to use VPNs as PETs are rather different between ernment and ISPs level logging and profiling, and
adopters and abandoners. Below, we elaborate on these disliked the impingement on my privacy and free-
qualitative findings and demonstrate how adopters de- doms. Snowden and the UK ‘Snooper’s Charter’
cide to use VPNs as PETs primarily based upon an emo- firmed this resolve.” R, Emotional Reasoning; “I do
tional consideration to protect their privacy, whereas not like when my data is tracked.” R, Emotional
abandoners initially decide to use VPNs as PETs based Reasoning, “[I used a VPN for] Privacy from ISP
upon a practical consideration to protect their privacy and forums.” R, Emotional Reasoning)
(i.e., to support an online activity that fulfills a specific – Dislike of the lack of or unfavorable change
need). of privacy legislature: Five respondents reported
being upset with constant changes in legislature
that lead to less privacy protections, or the lack
4.2.1 Adopters’ Motivation of legislature that protects people’s online privacy.
This compelled them to start using VPNs to take
Among the adopters, we found that their motivation matters into their own hands to protect their on-
to adopt VPNs as PETs was primarily based on emo- line privacy (“Introduction of SOPA-type bills in
tional considerations, such as the fear induced by past congress” S, Emotional Reasoning); “Snowden / As-
breaches of their private information, or their dislike of sange [revelations of US government spying pro-
perceived violations of their privacy. In our thematic grams].” R, Emotional Reasoning). A prominent ex-
analysis we categorized these emotional considerations ample that was often mentioned was the Congres-
along the following lines: sional Review Act, which repealed privacy rules de-
– Heightened privacy concerns: Ten respondents veloped by the Federal Communications Commis-
reported having little control over how their per- sion in March 2017.
sonal information is collected, accessed, and used
– Media Attention: Two respondents reported that
by various online entities. In particular, they were
their privacy concerns are fueled and amplified, in
concerned about third parties tracking and access-
part, by concentrated media attention on privacy
ing their data without their explicit consent or even
breach incidents such as the Target and Sony com-
their awareness. As a result, they were motivated to
pany hacks (“The media reported on data breaches
use VPNs as an online tool to help safeguard and ad-
and misuse of personal data, prompting me to take
dress these privacy concerns (“[I want to use a VPN]
action to prevent this from affecting me. One of the
just for privacy concerns” R, Emotional Reasoning;
actions I took was to use a VPN. Protecting my
“Constant breeches of personal consumer informa-
personal information.” S, Emotional Reasoning).
tion like credit card numbers and addresses at major
firms like Target and Sony.” S, Emotional Reason-Adoption and Abandonment of VPN as a PET 92
4.2.2 Abandoners’ Motivation 4.3 External Stimuli: How People Learn
About VPN
Among the abandoners, we found that their mo-
tivation to adopt and use VPNs as PETs was mostly Both adopters and abandoners reported using
based on practical considerations. Such practical con- Google searches, expert blogs and VPN application web-
siderations usually involved a practical need to over- sites to learn about and determine which VPN applica-
come a specific barrier or to attain a specific goal. Like tions to use. Most users selected a VPN based upon its
emotional considerations, these practical considerations user reviews, expert or friend recommendation, capabil-
manifested themselves as privacy concerns. But whereas ities and features such as server vantage points, privacy
emotional considerations were driven by a subjective logging policies, and/or the jurisdiction in which it was
fear of negative outcomes that might result from a loss located. As discussed below, the external stimuli were
of privacy, these practical considerations were driven by mostly similar for both adopters and abandoners, with
a desire to fulfill a practical goal while objectively avoid- only a few interesting differences.
ing the negative privacy outcomes of pursuing that goal
(e.g., the desire to anonymously download content from
the internet whilst safeguarding their identity). In our 4.3.1 External Stimuli of Adopters
thematic analysis we categorized these practical consid-
erations along the following lines: Just over half of the adopters (18/30) learned about
– Task requirement: Three respondents mentioned VPN’s features and capabilities through information
that to access and conduct particular institutional they found online, such as reviews. They accessed these
objectives such as the submission of documents that reviews by conducting simple Google searches (“A quick
contain highly sensitive private personal informa- Google search for ’Best VPN 2018’.” S), or through of-
tion, they were required to use VPNs to securely ficial VPN application websites and VPN expert blogs.
access the institution’s network and accomplish the These websites provide reviews and recommendations
task. (“For school it is necessary to be on a uni- on the “best” VPN applications to use. Based on
versity VPN to access some university features.” S, such recommendations, adopters formed an opinion and
Practical Reasoning). subsequent decision regarding which VPN to use (“I
– Need for anonymity: Based on their online watched a ton of reviews and decided on the most
browsing habits, two respondents reported the need trusted/used.” R), “I found the cheapest provider that
to obscure their identity online as a reason for the had good reviews and a good reputation. I ended up
adoption and use of a VPN (“I used to pirate movies buying a one-year subscription for private internet ac-
and TV shows a lot, so I was pretty much just cess.” S).
looking to cover my own ass.” S, Practical Reason- In contrast, eight adopters learned about VPN
ing; “I was browsing the internet for certain con- through recommendations from online social networks
tent that is possibly a gray area in terms of legal- (“Privacy advocates on Twitter recommended one.” R),
ity such as streaming movies from "illegal" websites whereas one started to use a VPN application that was
and so I wanted to find a way to create some type recommended by their school (“Clemson University pro-
of anonymity or at least mask my identity.” S, Prac- vided it. I will likely ask friends in the future when I lose
tical Reasoning). access.” S). Other adopters selected a VPN application
– Privacy concerns regarding specific actions: to use based on their own personal accrued knowledge
Two respondents mentioned that they sought out on VPNs (“I worked in computer information systems
VPN as a PET to obscure their traffic, personal in- for the Marine Corps before coming to school at Clem-
formation such as web browsing history from ISPs son University so I had some background knowledge
especially when they needed to accesses certain sites that suggested always using a VPN - especially when
(“When accessing some sites I felt more comfortable connecting to sites like financial institutions [...] I would
security wise accessing them through a VPN to pro- rather sit behind a VPN, even when connected over eth-
tect my privacy.” S, Practical Reasoning; “I wanted ernet at home.” S; “[It was through] luck and gambling.
to be able to pirate software without receiving copy- Still better than no VPN.” S).
right infringement notices from my isp.” R, Practical Finally, two adopters reported building their own
Reasoning), VPN applications due to a lack of trust in the existing
VPN choices (“I looked a bit at public VPN providers,Adoption and Abandonment of VPN as a PET 93
but a lot of them seemed sketchy or had questionable anything important.” S; “I heard about it [VPN] and
business models (i.e., they seemed like they would sell started to take my privacy seriously.” R; “[I] read the
my data to advertisers). As such, I decided to set up my privacytools.io 6 and got serious concerns of my privacy,
own VPN server on amazon web services.” R). However, [besides I] travel a lot and using VPN, it makes me feel
they reported this being an extremely long process with safe and good” R).
lots of trial and error. Additionally, four respondents reported they felt
protected against internet surveillance when using a
VPN. This quelled their fears about their online activi-
4.3.2 External Stimuli of Abandoners ties being monitored by ISPs (“I didn’t want my history
to be seen by my ISP/controller, and I wanted to access
Roughly similar to adopters, just under half of the sites that demand privacy to be upheld.” S), government
abandoners (3/7) learned VPN’s features and capabil- agencies (“[Awareness of the] Dragnet surveillance by
ities through information they found online, e.g. via the United States government.”R), and corporate orga-
Google, expert blogs, and various VPN forums. But nizations (“The repeal of net neutrality had me bugging
whereas adopters’ search focused on finding the high- hard, and I needed to keep the government out of my
est quality VPN, abandoners focused on price (“I just dark webzz bizness” R; “I didn’t want the government
googled the best and cheapest options.” S; “Whatever to possibly look at my [web] history. I wasn’t [going to]
was free and had good reviews was enough for me.” S). give that data to them willingly (like using a normal
Four other abandoners reported relying on friends ( browser [without a VPN]).” S).
“I think the one recommended by a friend” S) and social Furthermore, four respondents reported they felt
media for recommendations (“I did research online and more comfort in the anonymity provided by their VPN.
got a lot of recommendations from people on various This comfort allowed them to express their ideas and
forums” S) on which VPN application to use. opinions without fear, thus avoiding self-censorship
(“Mostly just wanted to be on a secured connection
while browsing. I play games online and sometimes peo-
4.4 Actual VPN Usage ple will pull your IP then boot you offline and a VPN
prevents that” S; “You need [VPN] to be connected to
Both adopters and abandoners on average tried the TOR network to access TOR sites, it is free, it is
out more than two VPN applications before ulti- completely private, I trust the tech because it was orig-
mately selecting one which they were comfortable us- inally a DARPA project, and my continued use further
ing. Adopters, driven by an emotional need to protect anonymizes other users.” S).
their privacy, had used their current VPN for a period Many adopters put a great amount of trust in their
of time that ranged from several months to several years selected VPN application—14 of them reported not
by the time of the study. Most abandoners, on the other reading their VPN’s privacy policy and terms of service
hand, had used their selected VPN for a much shorter before installation. The other 16 of them did read the
period of time—ranging from as little as a week to about privacy policy, though, and some even reported chang-
a year at most—before completely abandoning the ap- ing their mind about installing and using the VPN ap-
plication. In our qualitative analysis we observed that plication when they found that this privacy policy did
their abandonment was usually caused by the fact that not align with their privacy preferences on issues such as
the practical need that had lead them to initially adopt logging practices and server locations. Moreover, 8 re-
VPN no longer existed. In other words, their practical spondents reported making changes to the default con-
considerations turned VPN usage into a temporally lim- figuration of their VPN application to align its settings
ited endeavor. to their preferences (“Adjusting some settings to match
my use. For example, I changed the default location
[where] to connect to.” S). This was usually done with
4.4.1 Adopters’ VPN Usage the purpose of making their VPN connection more pri-
vate (“[The] kill switch lets me stop all connections even
A majority of adopters (20) reported that they felt when the VPN stops working, so I turned that on.” S),
safer online when using a VPN (“Having some informa-
tion taken from me, which I assume was based on my
IP, made me feel insecure without a VPN when doing 6 https://www.privacytools.io/Adoption and Abandonment of VPN as a PET 94
increasing obfuscation (“[adjust the VPN to my] per- VPN applications (“Laziness stopped me from re-
sonal preference and increase obfuscation” R), and/or newing.” R).
getting faster connection speeds (“I needed to tinker – Usability: Three Abandoners were turned off by
with it to get better speeds.” S). the usability issues of the VPN application, such as
pop ups (“I think I didn’t see the point of it, or
maybe it had pop-ups.” S), convoluted documenta-
4.4.2 Abandoners’ VPN Usage tion (“The documentation was unclear” S), slowness
and lagging of the connection (“Slowness and lag”
Whereas adopters used VPNs to generally feel more S) and unnecessary requests for personal informa-
private, abandoners reported using VPNs to engage in tion such as credit card information.
specific behaviors that required them to be private. For – Cost: Five abandoners reported using free VPNs
example, they reported using VPNs to access online con- and were not willing to subscribe for a paid VPN
tent without negative legal repercussions (“I wanted to service due to the lack of immediate and apparent
be able to pirate software without receiving copyright benefits of using a paid VPN (“I was not willing
infringement notices from my ISP.” R; “I was browsing to pay, but wanted some [anonymity] effects” S; “I
the internet for certain content that is possibly a gray wasn’t ready to pay” S; “I’m cheap” S; “Money.” S).
area in terms of legality such as streaming movies from Whereas students’ and Redditors’ responses were
illegal websites and so I wanted to find a way to create otherwise similar, this hindrance was more common
some type of anonymity or at least mask my identity.” among students than among Redditors. These aban-
S). The use of a VPN as a PET was conditional upon doners were also more apprehensive about divulging
the practical activity they were engaging in, and the us- their credit card information as part of the subscrip-
age would continue for as long as they were engaging in tion process, in part due to their lack of trust in
the activity. the VPN providers themselves (“I do not want to
spend money or give my credit card information to
a company I’m not sure about.” S). This is despite
4.5 Hindrances to Using VPNs the fact, that some perceive free VPN applications
to be risky to use (“Lots of options, difficult to find
Both adopters and abandoners reported on factors which ones are credible and which are not, especially
that hindered their use of VPNs as PETs. But whereas when free” S; “Some ended up being obvious scams
for abandoners these hindrances caused them to eventu- with massive amounts of ads and malware.” S). In
ally pause or stop using the VPN application, adopters parallel, one respondent reported having paid for
generally overcame, avoided, or simply discounted these the VPN after the trial period, as they still needed
hindrances in an effort to continue using VPNs. Below, access to certain sites (“I needed to keep using [it],
we elaborate on these factors which led to distinct usage because, at the time, I was still downloading movies
patterns between adopters and abandoners. and TV shows left and right.” S).
4.5.1 Hindrances for Abandoners 4.5.2 (Lack of) Hindrances for Adopters
Abandoners, and especially those who no longer had Whereas the cost of a VPN service was found to
the need to use VPNs due to a change in their goals be a hindrance to abandoners, it compelled adopters
and social context (“I graduated” S; “I stopped pirat- to sustain their usage of VPNs as PETs. Particularly,
ing things, so I no longer needed it.” S), reported the we observed that sixteen respondents either out-rightly
following hindrances that led them to pause or quit the paid for a VPN service or paid for it after the trial pe-
use of VPNs once their practical needs no longer existed: riod. This was mainly due to:
– Effort to use/renew: Three abandoners found it – Affordability: Adopters found the actual subscrip-
cognitively burdensome to always engage a VPN in tion value affordable and thus chose to pay for
order to use it (“[I] didn’t always need it.” S; “[It] the VPN application (“Good price, right timing[...]”
seemed like a pain for no good reason” S). Likewise, R; “The pricing seemed reasonable and the perfor-
some would forego the burden of paying for their mance was adequate.” R).Adoption and Abandonment of VPN as a PET 95
– Capability and usability: The VPN’s speed and their emotional consideration of the risk to their online
capabilities (e.g., multiple vantage points or server privacy. As a result, their adoption is more resilient com-
locations, clear and transparent terms and services pared to abandoners, who largely used VPNs to serve
such as the “no-logs” policy, and security features a particular practical purpose. Interestingly, such emo-
such as a “kill-switch” that would prevent traffic tional considerations are not a major construct in TAM
leakage in case of tunnel failure) compelled adopters [29], which arguably makes this model insufficient for
to pay for a VPN subscription rather than using a the study of PET adoption. Complementing TAM with
free one (“[VPN Name] provides an excellent ser- the risk-as-feelings theory gave us a better framework to
vice. It has fast speeds and plentiful geo-regional understand the differences between adopters and aban-
servers.” R; “Some cool features. Namely, you can doners. We suggest that researchers interested in the
specify which type you want and get double encryp- adoption of PETs consider using this framework in their
tion and pick from a list of servers. You can find a studies.
table online that ranks the servers in real time.” R). What causes adopters to be emotionally invested in
– Personal beliefs and a lack of alternatives: VPNs? Their emotions, such as fear and worry about
Most adopters failed to find reliable free VPNs that online privacy, were usually induced by high-profile pri-
would offer features similar to those in paid VPNs vacy violations, such as the discovery of surveillance pro-
(“No reliable free services were available.” R). More- grams (e.g. Dragnet and other surveillance program of
over, most of them believed that free VPNs were not the United States governement, uncovered by Edward
safe and thus decided to pay for a VPN service in- Snowden, that provided concrete evidence that govern-
stead. This would guarantee their privacy, since the ments spy on the communications of their citizens [52]),
VPN would not have to use their data to earn in- and privacy-eroding legislative efforts (e.g. the Investi-
come (“If you aren’t paying for the service, you are gatory Powers Act 2016 [53] which comprehensively set
the product” R). out to expand the electronic surveillance powers of the
United Kingdom government, and the recent repeal of
US rules that would have required ISPs to seek permis-
sion from people to collect and share sensitive personal
5 Discussion information such as their internet browsing history [2]).
On the other hand, abandoners do not have the
To our best knowledge, our study is the first to ex- same profound emotions to sustain a continous use of
plore from an end-user perspective the adoption and us- VPNs as PETs. Instead, their adoption and usage of a
age of VPNs as PETs. Our findings showcase the distinct VPN is largely driven by the need to accomplish a prac-
roles that privacy risk-related emotional (affective) and tical online activity (e.g. by-passing geofilters, or down-
practical (cognitive) considerations play in the judg- loading movies and music (this could be either “legal” or
ment and decision making process towards the adoption “illegal” [54]), accessing web content, sites and services)
of VPNs. while avoiding consequences (e.g. receiving a copyright
We did not find a pattern of over or underestima- infringement notice from ISPs or being hacked). Once
tion about the overall workings and benefits of VPN these practical needs no longer exist or alternatives are
usage as both adopters and abandoners appeared to found (e.g. use of legal streaming services like Netflix to
have a good understanding (i.e., mental model) of how watch movies or Spotify to listen to music), they tend
VPNs work. However, one abandoner had a faulty men- to abandon the use of VPNs.
tal model as indicated by the false interchangeability of In the section below, we reiterate the main take-
VPNs for other privacy protection tools (“I don’t need aways of our study and derive design recommendations
a VPN anymore because now I use browser extensions that can bolster the adoption and use of VPNs as PETs.
like Ghostery and AdBlockPlus.” R) — these two mech-
anisms are not interchange-able as they protect different
issues. This highlights the importance for researchers 5.1 Duration of VPN Use
and practitioners to always consider the fact that peo-
ple might at times have faulty mental models of VPNs Our findings reveal that abandoners use VPNs for
(see Section 2.2). a relatively short amount of time because once they
Specifically, we find that adopters largely embarked achieve their practical goal, they no longer have a strong
upon the usage of VPNs as PETs primarily based on intrinsic motivation for the continued use of VPNs. AsYou can also read
