
What is the justification for disliking VPNs?

Adrian Bruce1 ✭✭✭✭✭
August 5 edited October 28 in General Questions

Having got more and more concerned about using public WiFis to access sites, I have started to trial an industry-leading VPN.

When I access FamilySearch, it clearly doesn't like it much as I have to click (not sure how often) to show that I am human - it advises me that one of the top 3 methods to avoid these extra click(s) is to disable my VPN.

Can someone please explain this? It feels to me that FamilySearch believes VPNs are more dangerous than having my public WiFi hacked. If this is so, why isn't the IT security industry stopping the use of VPNs? (Well, of course, there are places that try to stop VPNs - the People's Republic of China for one…)

The extra clicks to access FS are mildly irritating - more irritating is the apparent view of FS that VPNs form an attack vector. It's unexplained and surely out of step with the rest of the IT industry…

Tagged:
  • Account Security
3

Answers

  • John Curran ✭✭✭
    August 6

    Hello @Adrian Bruce1

    My two cents on your question…

    VPNs are valuable and provide some level of security to you as a user of public systems. VPNs are not in any way dangerous.

    What I believe could be happening is a side effect of the way VPNs work. With a VPN, all your data traffic is routed from your location to a specific remote IP address owned by the VPN company. Think of this remote IP address as a specific geographic location, and from that location your traffic is released into the global internet. The fundamental impact of this is to hide your actual geographic location and obstruct anyone from observing what tasks you are performing.

    If you and I, and possibly hundreds of others, are all using the same VPN company as we use FamilySearch, then the FamilySearch servers will see a large volume of traffic coming, apparently, from that one IP address, the IP address the VPN company uses.

    This large volume of traffic, from the one IP address, will be viewed by the FamilySearch servers as somewhat suspicious. Suspicious in that an actual user could not possibly be interacting with so many FamilySearch profiles all at the one time. Thus, it would be standard security practice to assume this could be some sort of automated, or robot system, potentially trying to access FamilySearch for other than its intended purpose.

    When such a potential security situation is identified, a situation that could be risky or detrimental to FamilySearch, a standard basic challenge would be to request some verification that this user was in fact human. I assume it's this challenge that you are seeing.

    On the positive, the challenge that you are seeing is an indication that your VPN is working: your actual IP is being hidden. However, you may be using a VPN that is very popular, hence the large amount of traffic seen to apparently originate from the one IP address.

    There are some possible workarounds. If your VPN provider permits you to select a different VPN server location within their network, you could try selecting a different server and see if that addresses the problem.

    1
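The per-IP volume heuristic described in the answer above, as an added example that is not part of the original post and not FamilySearch's actual logic: the window, threshold, IP addresses and user names are all constructed assumptions. It shows why twenty ordinary people behind one VPN exit address trip a limit that a single home user never reaches.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_REQUESTS = 30     # assumed per-IP request budget inside the window

class PerIpChallenger:
    """Flags a source IP for a human-verification challenge when its
    request rate exceeds what one person could plausibly generate."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)   # ip -> timestamps still in the window

    def observe(self, ts, ip):
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop expired entries
            q.popleft()
        return "challenge" if len(q) > self.limit else "allow"

def build_sample_log():
    """Constructed sample records: (timestamp, source_ip, user)."""
    log = []
    # One home user: one request every 5 s for a minute.
    log += [(t, "198.51.100.7", "home-user") for t in range(0, 60, 5)]
    # Twenty different people behind one VPN exit, each at the same human pace.
    for u in range(20):
        log += [(t, "203.0.113.10", f"vpn-user-{u}") for t in range(0, 60, 5)]
    return sorted(log)

def challenged_users(log):
    """Replay the log and return ip -> set of users who were challenged."""
    det = PerIpChallenger()
    flagged = defaultdict(set)
    for ts, ip, user in log:
        if det.observe(ts, ip) == "challenge":
            flagged[ip].add(user)
    return flagged

if __name__ == "__main__":
    for ip, users in challenged_users(build_sample_log()).items():
        print(ip, "challenged", len(users), "distinct users")
```

The detector only sees the source address, so every user sharing the exit inherits the challenge even though each one browses at the same pace as the unchallenged home user.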
  • Adrian Bruce1 ✭✭✭✭✭
    August 6

    @John Curran - thanks for that as you suggest a possible issue that I hadn't considered. I'd just started using a VPN so was looking out for any issues. When FS immediately came up with login challenges that I'd never seen before, and their top tip for overcoming them was "Switch off any VPN", it was, I suggest, a not unreasonable conclusion that FS was indeed detecting the VPN and objecting to it on principle.

    However, the idea that FS was detecting an unlikely amount of traffic from an address in "a small town in Belgium" (in my case) and therefore being wary about accepting it, seems, to my mind, quite possible. Nothing really to do with the VPN except that the VPN happens to concentrate a lot of traffic via one server farm there.

    I am still puzzled why FS regards that density of traffic as suspicious and one of my finance sites doesn't, but perhaps I should just be grateful that the challenges aren't that major. At least it's not one of those challenges where you are reduced to wondering if a tiny bit of a bell constitutes a square containing a bicycle...

    1
  • Alan E. Brown ✭✭✭✭✭
    August 6

    @Adrian Bruce1 Another possibility is that FamilySearch is concerned about complying with various laws regarding the use of their software in certain countries. The use of a VPN can obscure the location of the user's computer — and that obscuring is in some cases intentional (e.g., I'm located in Russia or China with their laws, and I want to get around those laws) or in other cases just an unintended side-effect of using a VPN. FamilySearch tends to be very conscientious about legal compliance, and so I wouldn't be surprised if they are wary about a VPN getting in the way of that in some cases.

    0
  • Adrian Bruce1 ✭✭✭✭✭
    August 6 edited August 6

    @Alan E. Brown - certainly some administrations ban VPNs (as I said, the People's Republic of China, for one). I'd be surprised if anyone thought there was a legal obligation on FS to block VPNs from China (say) given that Beijing blocks them themselves. But equally I shouldn't be surprised at what lawyers say, especially risk-averse lawyers. (I guess that if FS have any servers in the PRC, then Beijing laws about VPNs would definitely apply there)

    Having said that, in my case, the VPN isn't banned - it just generates a drag of one, two or even three(?) extra steps to log on, giving the impression that FS is behind the curve on privacy (and indeed, security for anyone using public WiFi). On that basis I'm inclined more towards @John Curran's suggestion about VPNs not actually being the target per se but just an innocent victim of a justified concern not to allow the possibility of flooding.

    It would be nice to get an official explanation - if there is one anywhere, I've missed it.

    1
  • Alan E. Brown ✭✭✭✭✭
    August 6

    @Adrian Bruce1 I think you misunderstood the scenario I was talking about. I wasn't talking about countries where VPNs are banned. Rather, I was talking about a scenario such as this (completely fictitious, but illustrative):

    Suppose that Luxembourg has a law that any access to genealogical data from within its borders cannot show any records regarding burials. Then it would be important for FamilySearch to make a good-faith effort to determine if a user is accessing FamilySearch from within Luxembourg. If a user is in that country, then FamilySearch will block access to burial records. But a user within that country who is not particularly law-abiding, but really wants to access burial records, might use a VPN to spoof that they are in Italy so that FamilySearch will not block access to those records.

    Now it's challenging to determine if a VPN is obscuring the location, but this is a conceivable reason that FamilySearch might be concerned about VPN usage. And of course, FamilySearch could have multiple concerns with VPNs -- there's no need to try to determine the one reason why VPNs might be problematic. And you're certainly right that FamilySearch doesn't actually prohibit VPN usage outright. My guess is that we won't hear any official explanation on this, since explaining specific security or privacy concerns might give clues for subverting security mechanisms.

    1
  • Adrian Bruce1 ✭✭✭✭✭
    August 6

    @Alan E. Brown - apologies - you're right, your Luxembourg scenario isn't what I was thinking about but is most certainly a valid concern. In fact, I'm sure (as far as fallible memory goes) that there was supposed to be some condition of access to some European country X's parish records that varied depending on the country of the enquirer. And yes, that would require the ability to make an accurate determination of where the enquiry came from.

    How interesting... Gulp.

    (I still think that FS could mention that such conditions might exist without imperilling the efficacy of the countermeasures... It would surely help people to understand rather than to imagine FS being behind the privacy curve)

    4
This discussion has been closed.