Published June 7, 2023, 11:20 a.m. by Naomi Charles
Omer Akgul (University of Maryland), Richard Roberts (University of Maryland), Moses Namara (Clemson University), Dave Levin (University of Maryland), Michelle L. Mazurek (University of Maryland)
You may also like to read about:
all right uh hi everyone uh welcome to
this well it's the the talk of the
session but welcome to my talk uh i'm
omer uh this is going to be uh the
presentation i'm gonna make titled
infinite skating influencer vpn ads on
youtube uh these are all my co-authors
richard moses dave and michelle moses
was at clemson he just graduated the
rest of us are at the university of
maryland
now a common goal or one of the common
goals of the usable security community
in the past couple years was to
understand mental models or what users
understand of security and privacy tools
we think we found another influence on
mental models of security and privacy
namely these influencer vpn ads now i'm
sure a lot of you have seen these uh if
you watch youtube but these are
essentially ads created by the the
creators of the videos themselves put
directly inside the videos not served by
youtube um and they talk about a lot of
stuff i'll show you an example just just
in case you haven't seen any this is
gonna be by a youtuber called dj cook
with a respectable 1.5 million
subscribers and the videos about
fortnite uh but it has a vpn ad in it
and i want you to watch it so let's
watch
now the title of this video is meet the
fortnite scammers and nordvpn picked the
best video to sponsor because a vpn can
easily prevent you from being scammed
and no i'm not talking about on fortnite
but even worse maybe your credit card
information is stored on a website
somebody could get into that
if you have nordvpn you don't have to
worry
yeah so i i've got news uh vpn is not
going to protect your credit cards
that's stored on a server somewhere else
uh so that's that's misleading there
it's a privacy thing with a boatload of
other benefits i promise if you go ahead
and give northvpn a try you won't ever
have to worry about anything on the
internet again you'll be safe one of my
friends actually uses nordvpn and it's
made his internet experience way better
he doesn't have to worry about anything
and he can do what he wants
okay again clear overstatement a vpn is
not going to give you all the the
security and privacy you want in the
world
download nordvpn from the link in the
description
okay so this is a clear ad and
unfortunately we saw a lot of crazy
statements being made in here and as our
results will just show in a second uh
these are not this is not an isolated
example of vpn ads on youtube
in fact they're quite widespread this
one alone got 1.1 million views
and what's more concerning is that they
have an educational tone to them they're
almost teaching you what internet
security and privacy should be what a
vpn should give you
even more concerning is looking at the
uh the prior work mental models of
security and privacy tools researchers
have been looking at this for a while
especially in the context of
instant messenger
instead instant secure messaging and now
vpns because people are starting to use
those and they ask questions such as do
people understand what they're using do
they understand the guarantees of the
tools that they're using and are they
using them correctly and the answer
turns out to be no in a lot of cases
and so we think that this influence on
vpn mental models and more more broadly
uh security and privacy mental models is
could potentially be a bad one
so that's why we investigated them uh
and uh we had a couple goals in mind uh
we wanted to measure the prevalence of
these ads so how many of them are there
are out there what's the what's the
reach
we want to characterize what they said
so what's in them what's being actually
portrayed
and we want our results to be uh
generalizable and not just anecdotal so
we design our methodology with that in
mind and we analyze once we get the
videos that we want to analyze with the
vpn ads in them we analyze them through
qualitative means which essentially
means we sat through and systematically
watched and labeled all the vpn ads that
we found
now in order to do that we need to first
find the vpn ads and this is roughly how
we did it we first start off with all of
youtube that's that's all of youtube
trust me
and we use this thing called a random
prefix sample which essentially allows
you to get a random sample of youtube in
our case uh we got about 87 million
videos about 1.4 of youtube according to
our estimates by the end of 2020. uh if
you want any details on this it's in the
paper it's another paper from 10 years
ago
now
that sample is great 87 million that's a
lot of videos but where are the vpn ads
in them well this is how we found the
vpn ads we downloaded the english videos
subtitles first and then we searched for
vpn in this and this works surprisingly
well but it gives us a noisy candidate
data set of about 1700 videos which we
then sat down and watched systematically
and we
found what a vpn ad is we got we got
about 243 vpn ads in videos uh that's
about 63 million views we also labeled
what was in them while we were doing
this and because remember this is a
random sample because it's a random
sample you can scale it up to all of
youtube which means by the end of 2020
there were about 16 000 videos on
youtube that had vpn ads in them with
billions upon billions of views in total
so quite a widespread reach there
they're getting
now with label like i said we labeled
all this all these videos uh
what do we do with it exactly what's the
analysis
we looked at the obvious question what
did the video say
we looked at the more problematic claims
what can a vpn actually provide you
versus what's being claimed it can
provide you
we looked at changes over time so vpn
ads seem to appear
about in 2016 how does that compare to
end of 2020
and finally um
i'm just going to get rid of this mask
and finally we compare different vpn
companies to each other are they do they
have the same thing advertised
about
vpns
i won't talk about all of them but i'll
go through some
let's start off with what's in a vpn ad
one of the more surprising findings we
had is that vpns are often pitched as a
content consumption tool
in this case renee says stream your
country's streaming services and get
access to all those titles referring to
the case where you're traveling your
streaming service you're using is how
uses uh jira restrictions to separate
libraries between countries and you want
your home country's library
unsurprisingly a lot of it is about
utility uh for security and privacy uh
these include technical claims this
person says
and a vpn service encrypts your
connection and provides you with
anonymous ip
we saw a lot of broad claims such as
this one you're completely anonymous
again if you use a vpn of course
and finally threat statements we found
these quite interesting here's an
example hackers can exploit unsecured
connections to get inside your system
now because we found this so it's so
interesting we wanted to dig deeper and
this is how we did it
so this is a vpn ad
and here's what they say in the ad at
some point your internet service
provider can see every single website
you visited
the way we label these is in three parts
we start off with the adversary the
internet service provider in this case
what they do
they see
and finally the asset they're going
after in this case it's your browsing
history they say every single website
you visited because we did this labeling
we were able to distill the threat model
conveyed by youtube through these vpn
ads to all the users so we we identified
common adversaries what they do and the
assets
let's look at some of these in more
detail let's follow these flows
the isb it seems like the isb mostly
does surveillance and a little bit of
dissemination that's essentially selling
and what they're selling or or
surveilling is your interactivity for
the most part
you know that makes sense
let's look at the government
the government is similar but but
different in a unique way
it again surveils for the most part
but this time it's you your yourself or
everything it's more broad seemingly
more powerful
finally let's look at the hacker and the
vague adversary the vague adversary is
just you know the people or the mean
people or whatever it's vague but it's
very similar to the hacker you can see
that these guys are all over the place
they do everything
but one thing i want to
attract your attention to is
they do this forcefully take thing which
is essentially just saying they're
stealing or grabbing they're taking it
from you
and these are mostly your passwords your
credit card information you can see uh
some of the lesser
frequent examples or your device sensors
such as your webcam your microphone so
quite alarming stuff that they're um
conveying here
that and and the implication is that
well the
what they imply in these videos is that
the vpn can protect against all these
threats all right now that's a quick
overview of what's in a vpn ad but i
want you to i want to
show you some of the more alarming more
concerning statements made
starting off with over promising
exaggerations you guys just watched this
i promise if you go ahead and give
nordvpn a try you won't ever have to
worry about anything on our internet
again you'll be safe clear overstatement
this might lead
users to think that using a vpn is going
to give them all the security and
privacy and they might do more sketchy
things which is pretty concerning
we saw a lot of youtubers talk about
financial data and credential protection
if you use a vpn so this person says so
no one can see your passwords if you use
a vpn of course
and this might have been true
in the early 2000s when https wasn't
really a thing
but we'd argue that you'd have a pretty
hard time finding a reputable website
that deals with credentials or deals
with financial information that doesn't
use https and if your https is broken
you've got way more to worry about than
just using a vpn
finally we got outright confusing or
false statements such as gary over here
claims he can
actually digitally shred files using
military grade encryption
i don't know what military grade
encryption really means i have no clue
what this statement means
all right now that's a general
characterization of what a vpn ad looks
like
uh but we also saw that not all vpn
companies have the same thing advertised
about them and i'll make this point by
showing you two graphs first
we'll start off with what video genre do
vpn ads appear in and i'll compare surf
shark and virtual shield to uh
vpn companies starting off with sheriff
shark they seem to advertise about
everywhere maybe a bit more biased
towards lifestyle which is essentially
vlogs and beauty channels and whatnot
but virtual shield they really like
society and politics and in fact if you
dig a little bit deeper this is usually
a far-right and or conspiratorial videos
and on the american internet
and recall that it's the youtubers that
are creating these videos it's not the
vpn companies and so the content bleeds
into the vpn ads themselves
so if we look at this other graph here
uh what do vpns talk about
and again comparing substrate to virtual
shield we'll see that surf shark likes
to talk about credentials a lot and in
fact comparing it to all the other vpn
companies surfshark is the one that
talks about it the most
but if you look at virtual shield they
really really like to talk about the
government threat and if you're not
aware in the united states the the right
wing likes to talk about how there's
government overreach
and they're concerned by it
so you you clearly see this manifest in
the ads themselves they're tailoring
towards the audience uh they're
tailoring it towards what's what's the
content in the channel
now these are just graphs so let me let
me show you the actual quotes
just for some context
surfshark notifies you in case your
password appears in a leaked database
would you like to keep your passwords
private uh again you need to use
software for this presumably
and then with virtual shield
reclaim your right to privacy from
intruding governments and
the united kingdom and australian
governments just killed your privacy
again implying that getting virtual
shield is going to protect you from this
all right
now we saw that these things can be uh
concerning how can we make them more
accurate how can we make them better we
identified a couple different parties
that can help with this
starting off with vpn companies
themselves they're the people who are
funding this whole ecosystem paying
people to say stuff about their products
they can create clear guidelines and
enforce these guidelines when they
review the ads because we kind of know
that they do review the ads
what we think need really needs to
happen and we didn't really see any
much evidence of this in the videos is
acknowledging limitations
vpns
will not give you all the security and
privacy in the world they won't make you
absolutely secure and private they can
help and their acknowledge their their
limitations need to be acknowledged as
such
youtubers are the ones that are creating
these ads so
they have the responsibility of
understanding the products before they
advertise it to not be misleading to
their audiences
and finally government agencies
we know that there are
in the united states fdc has a history
of going after false advertisers
including influencers on instagram and
whatnot so they might have to play a
role in here as well
now this work uh primarily focused on
measuring what a vpn ad is but we also
argue that we need to understand
influence on users as future work
looking at impact on on
users in terms of vpn mental models so
what users understand a vpn can give
them
but also internet security and privacy
mental models because of the threat
statements they're pretty broad
and finally uh we need we're concerned
of the adoption of untrustworthy vpns if
you look at prior work there's a lot of
there's a lot of sketchy vpns out there
outright malicious or misimplementations
that hurt privacy and whatnot so we're
concerned about that all right to sum up
vpn ads are incredibly widespread on
youtube if you scale it up they got
billions of views as of end of 2020 they
say a lot of information they have this
educational tone but they also include
false information unfortunately we're
concerned about the impact on users the
amount of models of vpns and internet
security and privacy in general and we
explore who can make this better
with that i am happy to take questions
[Applause]
this looks like plenty of questions hi
sabrina from here thank you for the
amazing talk
i've seen these ads a lot especially in
front of video game or pop culture
videos so i'm wondering if you have any
findings on the target groups of them
yes so we initially thought that maybe
some channels would get them more than
others and that certainly is the case
but i think that takeaway we have is
that they appear everywhere on youtube
they're they're not representative of
like the youtube genres in terms of
percentages but they appear everywhere
they're on car videos they're on beauty
channels they're everywhere tech videos
um did
did you show not vpn your your research
so because i think in the first video
there was an affiliation link
and
yeah i really want to know if they are
aware of what's happening in those
videos and if they do actions against it
uh so
we've tried in a couple different ways
some of them are aware we don't really
have a communication with them uh we
tried looking at the relationship
between the um the youtubers and the the
vpn companies
we have like anecdotal evidence in the
paper if you want to read it but it's
you know we can't characterize it that
well okay and very nice talk thank you
thanks
omer from university washington uh
really nice talk
one question
did you see any correlation between the
over claims and the content of the
videos may be better videos that have
better content have less
over claims as compared to the others
that's a pretty good point unfortunately
we didn't do that analysis
i don't know if our data set is large
enough although we i think it's pretty
good to characterize videos i don't know
how specific we can get with like these
i don't know we so over claims we saw
about in 10 10 15 of our videos i don't
i don't know how much generalization we
can make in terms of statistical
significance
thank you
hi you bro jagawel from carnegie mellon
thank you for your talk really
entertaining um i wanted to ask sort of
a follow-up as in how many of these
videos did you find had a referral link
because that would sort of tell you that
it's not like and it's the referral link
is on the provider so it's not like
they're not aware right so so prism
presumably that is even more surprising
that they know about it and they're
paying out and then still like letting
them sort of do wrong things and then
sort of a related question did you see
the level of overclaiming with the
popularity of the vpn
meaning was it like small providers only
who are like just claiming anything just
to be able to sort of get market share
or uh so let me start from off with the
second one and then the first one was
about refilling all right the second one
uh so nordvpn is one of the biggest
advertisers and they clearly have crazy
stuff express does too i i don't think
it like the small ones also say crazy
stuff i don't think there's a
correlation between how popular they are
versus not uh affiliate links
i think almost everyone had them except
maybe one or two uh the way this works
from what we can gather is that either
they can directly talk to the vpn
company themselves
or some vpn companies will just have a
page where you sign up they just give
you a link and you can post it wherever
to make money
or there are affiliate networks there
was a great poster yesterday
where
they will just outsource it to another
company to do their affiliate marketing
thank you yeah
um hello i'm claudio from university of
washington thank you for your talk
and i want us to ask you um do you think
there are there there were like
some
like
specific events in the political
scenario or in the social context that
lead to an exponential increase of
vpn usage
and
the spreading of this like
advertising tool
thank you i
i think the reason these ads got really
popular is that someone figured out they
worked i think someone figured out that
influencer marketing really works
and once someone makes starts to make
money everyone jumped on the bandwagon i
think that's the explanation i can't
know for sure that's speculation
okay hi victor from caleb and great talk
did you see any honest advertisers or
influencers who like said the right
things they they knew what they were
talking about that's a good point yep
there were a couple these were the
minority there were a couple that were
very nicely phrased they didn't
overclaim anything they just stated what
a vpn actually does for you these
generally appear to tech channels like
people who actually know the technology
uh but i think for the most part it they
don't look good
and do you know how who provides the
scripts is it mostly the companies or
are really the influences on their own
too we know they
some of them are ad reads
that's the minority we know that they
provide guidelines but adherence to that
guideline is a question
i i don't think they do i i think a lot
of them get a lot of leeway in terms of
what they can say as long as they can
make the cell
who cares what they're talking about i
think is
the general sentiment okay thanks
all right let's thank armor again
[Applause]
2CUTURL
Created in 2013, 2CUTURL has been on the forefront of entertainment and breaking news. Our editorial staff delivers high quality articles, video, documentary and live along with multi-platform content.
© 2CUTURL. All Rights Reserved.