Investigating Influencer VPN Ads on YouTube

all right uh hi everyone uh welcome to

this well it's the the talk of the

session but welcome to my talk uh i'm

omer uh this is going to be uh the

presentation i'm gonna make titled

infinite skating influencer vpn ads on

youtube uh these are all my co-authors

richard moses dave and michelle moses

was at clemson he just graduated the

rest of us are at the university of

maryland

now a common goal or one of the common

goals of the usable security community

in the past couple years was to

understand mental models or what users

understand of security and privacy tools

we think we found another influence on

mental models of security and privacy

namely these influencer vpn ads now i'm

sure a lot of you have seen these uh if

you watch youtube but these are

essentially ads created by the the

creators of the videos themselves put

directly inside the videos not served by

youtube um and they talk about a lot of

stuff i'll show you an example just just

in case you haven't seen any this is

gonna be by a youtuber called dj cook

with a respectable 1.5 million

subscribers and the videos about

fortnite uh but it has a vpn ad in it

and i want you to watch it so let's

watch

now the title of this video is meet the

fortnite scammers and nordvpn picked the

best video to sponsor because a vpn can

easily prevent you from being scammed

and no i'm not talking about on fortnite

but even worse maybe your credit card

information is stored on a website

somebody could get into that

if you have nordvpn you don't have to

worry

yeah so i i've got news uh vpn is not

going to protect your credit cards

that's stored on a server somewhere else

uh so that's that's misleading there

it's a privacy thing with a boatload of

other benefits i promise if you go ahead

and give northvpn a try you won't ever

have to worry about anything on the

internet again you'll be safe one of my

friends actually uses nordvpn and it's

made his internet experience way better

he doesn't have to worry about anything

and he can do what he wants

okay again clear overstatement a vpn is

not going to give you all the the

security and privacy you want in the

world

download nordvpn from the link in the

description

okay so this is a clear ad and

unfortunately we saw a lot of crazy

statements being made in here and as our

results will just show in a second uh

these are not this is not an isolated

example of vpn ads on youtube

in fact they're quite widespread this

one alone got 1.1 million views

and what's more concerning is that they

have an educational tone to them they're

almost teaching you what internet

security and privacy should be what a

vpn should give you

even more concerning is looking at the

uh the prior work mental models of

security and privacy tools researchers

have been looking at this for a while

especially in the context of

instant messenger

instead instant secure messaging and now

vpns because people are starting to use

those and they ask questions such as do

people understand what they're using do

they understand the guarantees of the

tools that they're using and are they

using them correctly and the answer

turns out to be no in a lot of cases

and so we think that this influence on

vpn mental models and more more broadly

uh security and privacy mental models is

could potentially be a bad one

so that's why we investigated them uh

and uh we had a couple goals in mind uh

we wanted to measure the prevalence of

these ads so how many of them are there

are out there what's the what's the

reach

we want to characterize what they said

so what's in them what's being actually

portrayed

and we want our results to be uh

generalizable and not just anecdotal so

we design our methodology with that in

mind and we analyze once we get the

videos that we want to analyze with the

vpn ads in them we analyze them through

qualitative means which essentially

means we sat through and systematically

watched and labeled all the vpn ads that

we found

now in order to do that we need to first

find the vpn ads and this is roughly how

we did it we first start off with all of

youtube that's that's all of youtube

trust me

and we use this thing called a random

prefix sample which essentially allows

you to get a random sample of youtube in

our case uh we got about 87 million

videos about 1.4 of youtube according to

our estimates by the end of 2020. uh if

you want any details on this it's in the

paper it's another paper from 10 years

ago

now

that sample is great 87 million that's a

lot of videos but where are the vpn ads

in them well this is how we found the

vpn ads we downloaded the english videos

subtitles first and then we searched for

vpn in this and this works surprisingly

well but it gives us a noisy candidate

data set of about 1700 videos which we

then sat down and watched systematically

and we

found what a vpn ad is we got we got

about 243 vpn ads in videos uh that's

about 63 million views we also labeled

what was in them while we were doing

this and because remember this is a

random sample because it's a random

sample you can scale it up to all of

youtube which means by the end of 2020

there were about 16 000 videos on

youtube that had vpn ads in them with

billions upon billions of views in total

so quite a widespread reach there

they're getting

now with label like i said we labeled

all this all these videos uh

what do we do with it exactly what's the

analysis

we looked at the obvious question what

did the video say

we looked at the more problematic claims

what can a vpn actually provide you

versus what's being claimed it can

provide you

we looked at changes over time so vpn

ads seem to appear

about in 2016 how does that compare to

end of 2020

and finally um

i'm just going to get rid of this mask

and finally we compare different vpn

companies to each other are they do they

have the same thing advertised

about

vpns

i won't talk about all of them but i'll

go through some

let's start off with what's in a vpn ad

one of the more surprising findings we

had is that vpns are often pitched as a

content consumption tool

in this case renee says stream your

country's streaming services and get

access to all those titles referring to

the case where you're traveling your

streaming service you're using is how

uses uh jira restrictions to separate

libraries between countries and you want

your home country's library

unsurprisingly a lot of it is about

utility uh for security and privacy uh

these include technical claims this

person says

and a vpn service encrypts your

connection and provides you with

anonymous ip

we saw a lot of broad claims such as

this one you're completely anonymous

again if you use a vpn of course

and finally threat statements we found

these quite interesting here's an

example hackers can exploit unsecured

connections to get inside your system

now because we found this so it's so

interesting we wanted to dig deeper and

this is how we did it

so this is a vpn ad

and here's what they say in the ad at

some point your internet service

provider can see every single website

you visited

the way we label these is in three parts

we start off with the adversary the

internet service provider in this case

what they do

they see

and finally the asset they're going

after in this case it's your browsing

history they say every single website

you visited because we did this labeling

we were able to distill the threat model

conveyed by youtube through these vpn

ads to all the users so we we identified

common adversaries what they do and the

assets

let's look at some of these in more

detail let's follow these flows

the isb it seems like the isb mostly

does surveillance and a little bit of

dissemination that's essentially selling

and what they're selling or or

surveilling is your interactivity for

the most part

you know that makes sense

let's look at the government

the government is similar but but

different in a unique way

it again surveils for the most part

but this time it's you your yourself or

everything it's more broad seemingly

more powerful

finally let's look at the hacker and the

vague adversary the vague adversary is

just you know the people or the mean

people or whatever it's vague but it's

very similar to the hacker you can see

that these guys are all over the place

they do everything

but one thing i want to

attract your attention to is

they do this forcefully take thing which

is essentially just saying they're

stealing or grabbing they're taking it

from you

and these are mostly your passwords your

credit card information you can see uh

some of the lesser

frequent examples or your device sensors

such as your webcam your microphone so

quite alarming stuff that they're um

conveying here

that and and the implication is that

well the

what they imply in these videos is that

the vpn can protect against all these

threats all right now that's a quick

overview of what's in a vpn ad but i

want you to i want to

show you some of the more alarming more

concerning statements made

starting off with over promising

exaggerations you guys just watched this

i promise if you go ahead and give

nordvpn a try you won't ever have to

worry about anything on our internet

again you'll be safe clear overstatement

this might lead

users to think that using a vpn is going

to give them all the security and

privacy and they might do more sketchy

things which is pretty concerning

we saw a lot of youtubers talk about

financial data and credential protection

if you use a vpn so this person says so

no one can see your passwords if you use

a vpn of course

and this might have been true

in the early 2000s when https wasn't

really a thing

but we'd argue that you'd have a pretty

hard time finding a reputable website

that deals with credentials or deals

with financial information that doesn't

use https and if your https is broken

you've got way more to worry about than

just using a vpn

finally we got outright confusing or

false statements such as gary over here

claims he can

actually digitally shred files using

military grade encryption

i don't know what military grade

encryption really means i have no clue

what this statement means

all right now that's a general

characterization of what a vpn ad looks

like

uh but we also saw that not all vpn

companies have the same thing advertised

about them and i'll make this point by

showing you two graphs first

we'll start off with what video genre do

vpn ads appear in and i'll compare surf

shark and virtual shield to uh

vpn companies starting off with sheriff

shark they seem to advertise about

everywhere maybe a bit more biased

towards lifestyle which is essentially

vlogs and beauty channels and whatnot

but virtual shield they really like

society and politics and in fact if you

dig a little bit deeper this is usually

a far-right and or conspiratorial videos

and on the american internet

and recall that it's the youtubers that

are creating these videos it's not the

vpn companies and so the content bleeds

into the vpn ads themselves

so if we look at this other graph here

uh what do vpns talk about

and again comparing substrate to virtual

shield we'll see that surf shark likes

to talk about credentials a lot and in

fact comparing it to all the other vpn

companies surfshark is the one that

talks about it the most

but if you look at virtual shield they

really really like to talk about the

government threat and if you're not

aware in the united states the the right

wing likes to talk about how there's

government overreach

and they're concerned by it

so you you clearly see this manifest in

the ads themselves they're tailoring

towards the audience uh they're

tailoring it towards what's what's the

content in the channel

now these are just graphs so let me let

me show you the actual quotes

just for some context

surfshark notifies you in case your

password appears in a leaked database

would you like to keep your passwords

private uh again you need to use

software for this presumably

and then with virtual shield

reclaim your right to privacy from

intruding governments and

the united kingdom and australian

governments just killed your privacy

again implying that getting virtual

shield is going to protect you from this

all right

now we saw that these things can be uh

concerning how can we make them more

accurate how can we make them better we

identified a couple different parties

that can help with this

starting off with vpn companies

themselves they're the people who are

funding this whole ecosystem paying

people to say stuff about their products

they can create clear guidelines and

enforce these guidelines when they

review the ads because we kind of know

that they do review the ads

what we think need really needs to

happen and we didn't really see any

much evidence of this in the videos is

acknowledging limitations

vpns

will not give you all the security and

privacy in the world they won't make you

absolutely secure and private they can

help and their acknowledge their their

limitations need to be acknowledged as

such

youtubers are the ones that are creating

these ads so

they have the responsibility of

understanding the products before they

advertise it to not be misleading to

their audiences

and finally government agencies

we know that there are

in the united states fdc has a history

of going after false advertisers

including influencers on instagram and

whatnot so they might have to play a

role in here as well

now this work uh primarily focused on

measuring what a vpn ad is but we also

argue that we need to understand

influence on users as future work

looking at impact on on

users in terms of vpn mental models so

what users understand a vpn can give

them

but also internet security and privacy

mental models because of the threat

statements they're pretty broad

and finally uh we need we're concerned

of the adoption of untrustworthy vpns if

you look at prior work there's a lot of

there's a lot of sketchy vpns out there

outright malicious or misimplementations

that hurt privacy and whatnot so we're

concerned about that all right to sum up

vpn ads are incredibly widespread on

youtube if you scale it up they got

billions of views as of end of 2020 they

say a lot of information they have this

educational tone but they also include

false information unfortunately we're

concerned about the impact on users the

amount of models of vpns and internet

security and privacy in general and we

explore who can make this better

with that i am happy to take questions

[Applause]

this looks like plenty of questions hi

sabrina from here thank you for the

amazing talk

i've seen these ads a lot especially in

front of video game or pop culture

videos so i'm wondering if you have any

findings on the target groups of them

yes so we initially thought that maybe

some channels would get them more than

others and that certainly is the case

but i think that takeaway we have is

that they appear everywhere on youtube

they're they're not representative of

like the youtube genres in terms of

percentages but they appear everywhere

they're on car videos they're on beauty

channels they're everywhere tech videos

um did

did you show not vpn your your research

so because i think in the first video

there was an affiliation link

and

yeah i really want to know if they are

aware of what's happening in those

videos and if they do actions against it

uh so

we've tried in a couple different ways

some of them are aware we don't really

have a communication with them uh we

tried looking at the relationship

between the um the youtubers and the the

vpn companies

we have like anecdotal evidence in the

paper if you want to read it but it's

you know we can't characterize it that

well okay and very nice talk thank you

thanks

omer from university washington uh

really nice talk

one question

did you see any correlation between the

over claims and the content of the

videos may be better videos that have

better content have less

over claims as compared to the others

that's a pretty good point unfortunately

we didn't do that analysis

i don't know if our data set is large

enough although we i think it's pretty

good to characterize videos i don't know

how specific we can get with like these

i don't know we so over claims we saw

about in 10 10 15 of our videos i don't

i don't know how much generalization we

can make in terms of statistical

significance

thank you

hi you bro jagawel from carnegie mellon

thank you for your talk really

entertaining um i wanted to ask sort of

a follow-up as in how many of these

videos did you find had a referral link

because that would sort of tell you that

it's not like and it's the referral link

is on the provider so it's not like

they're not aware right so so prism

presumably that is even more surprising

that they know about it and they're

paying out and then still like letting

them sort of do wrong things and then

sort of a related question did you see

the level of overclaiming with the

popularity of the vpn

meaning was it like small providers only

who are like just claiming anything just

to be able to sort of get market share

or uh so let me start from off with the

second one and then the first one was

about refilling all right the second one

uh so nordvpn is one of the biggest

advertisers and they clearly have crazy

stuff express does too i i don't think

it like the small ones also say crazy

stuff i don't think there's a

correlation between how popular they are

versus not uh affiliate links

i think almost everyone had them except

maybe one or two uh the way this works

from what we can gather is that either

they can directly talk to the vpn

company themselves

or some vpn companies will just have a

page where you sign up they just give

you a link and you can post it wherever

to make money

or there are affiliate networks there

was a great poster yesterday

where

they will just outsource it to another

company to do their affiliate marketing

thank you yeah

um hello i'm claudio from university of

washington thank you for your talk

and i want us to ask you um do you think

there are there there were like

some

like

specific events in the political

scenario or in the social context that

lead to an exponential increase of

vpn usage

and

the spreading of this like

advertising tool

thank you i

i think the reason these ads got really

popular is that someone figured out they

worked i think someone figured out that

influencer marketing really works

and once someone makes starts to make

money everyone jumped on the bandwagon i

think that's the explanation i can't

know for sure that's speculation

okay hi victor from caleb and great talk

did you see any honest advertisers or

influencers who like said the right

things they they knew what they were

talking about that's a good point yep

there were a couple these were the

minority there were a couple that were

very nicely phrased they didn't

overclaim anything they just stated what

a vpn actually does for you these

generally appear to tech channels like

people who actually know the technology

uh but i think for the most part it they

don't look good

and do you know how who provides the

scripts is it mostly the companies or

are really the influences on their own

too we know they

some of them are ad reads

that's the minority we know that they

provide guidelines but adherence to that

guideline is a question

i i don't think they do i i think a lot

of them get a lot of leeway in terms of

what they can say as long as they can

make the cell

who cares what they're talking about i

think is

the general sentiment okay thanks

all right let's thank armor again

[Applause]