Engineering

With DigitalOcean, Jigsaw's Private VPN Gives a Line Out to Journalists

Posted: November 23, 20187 min read

Imagine you’re a journalist covering an uprising against a military regime. You film a riot on your phone, then quickly send it to your server over the virtual private network (VPN) you found in the Android app store that promised high security. That night, when you finally make it back to your hotel room and boot up your laptop to write the story, you realize the video is nowhere to be found.

Unbeknownst to you, this government forced your VPN provider to give them access to all the data streaming through their VPN as a condition for operating in their country. Censors grabbed your video and the pictures worth a thousand words never make it to your server. But that fact was never mentioned anywhere in the Android store’s description of the product.

This type of scenario isn’t hypothetical. “Journalists should be aware that their online activities might be subject to surveillance either by government agencies, their internet service providers or a hacker with malicious intent,” said Laura Tich, technical evangelist for Code for Africa, a resource for African journalists. This is exactly the problem that the new private VPN Outline was created to solve.

Alphabet’s cybersecurity division Jigsaw designed the product for ease of use and maximum data security. Outline, which is open source and audited by the Radically Open Security, is targeted to journalists and activists working for change on a large scale. Those who are disproportionately more valuable to society because they are carriers of societal change, said Santiago Andrigo, Jigsaw’s product manager, who manages Outline.

“Their work makes them more vulnerable to attack,” he said. “It can get really scary when they’re outed and you’re passing over information.”

The Danger is Real

Laura Tich, the technical evangelist, is only too aware of this danger. It’s why Code For Africa recommends the use of Outline. The jeopardy is not just for journalists, but for whistleblowers, sources, and the data they provide as proof of corruption.

“As surveillance becomes ubiquitous in today’s world,” she said, “journalists face an increasing challenge in establishing secure communication in the digital space,” she said. This, along with other online attacks “pose serious threats to journalists who would like to protect not only themselves, but also their sources.”

One example, said Tich, is the arrest of Nigerian journalist Tony Ezimakor for writing a story about alleged ransom money kickbacks. The State Security Service demanded he disclose his sources.

Another example she cited is the report from the South African campaign Right2Know, whose mission is centered on freedom of expression and access to information.

Right2Know’s recently-released report “Spooked: Surveillance of Journalists in South Africa” [PDF] has 10 specific examples of targeted surveillance by security agencies towards journalists and whistleblowers, especially those who have uncovered government scandals and corruption cases, she said. And that’s just from one country.

These are far from isolated incidents. The 2018 World Press Freedom Index report is proof that the world has become a more dangerous place for journalists.

“You’re only as safe as your weakest link,” said Dan Keyserling, Head of Communications, Public Affairs, and Operations at Jigsaw. Data security is always critical, he said, but that is especially true for journalists and activists.

How VPNs Really Works

I was really surprised to find out that companies can reach in and grab data out of a VPN. I’ve been using them since my early days as a consultant back in the ‘90s. At every job, I’d VPN into the company network to send over timecards and documentation from Racine, WI; Bentonville, AR; or, whatever exotic local I was flying to that week. Until researching this article, I thought of VPNs like a transit tube where the data is put into the tube, then pulled out on the other end—like the Chunnel. I assumed the data was secure and invisible during transit, which was, after all, the whole point of a VPN.

It turns out, they’re more like a river, where the stream of data flowing by can be seen and fished out.

Unscrupulous VPN providers can peek in on your data, inject their own ads on non-secure pages, analyze your browsing habits, and sell that information to advertisers, said Keyserling. Or even steal your identity. And you can’t know for sure if you can trust them, regardless of what they say in the app store.

While it’s true that so much data flows through VPNs that it’s not practical to monitor all the data, the fact remains that it is possible. As seen above, journalists and others working to expose corruption are particularly vulnerable. This is exactly why companies build their own VPNs.

But what is a non-technical journalist or social justice activist to do?

[Related: Check out our Community Tutorials on VPNs]

Enter Outline

The private VPN focuses on security and simplicity. This tech is really innovative and took several years to build, said Keyserling. An innovative layer of security comes under the hood. “It’s a clever product and very technically advanced, and puts security in the hands of the small innovator.”

They named the product Outline because it “gives them a line out, from a place where the internet is restricted,” said Keyserling.

Outline is specifically designed to be resistant to censorship. Because of the protocols used, Outline is harder to detect as a VPN, and therefore is less likely to be blocked by countries who take measure to block the flow of content out of their country.

With Outline, said Keyserling, each account uses its own DigitalOcean servers, so you get complete control over your data. In addition, Jigsaw brings that power into the hands of anyone with a phone. Now users can create their own personal VPN to their own personal server, said Keyserling: “It is super simple and very affordable. They don’t need to trust a third-party VPN company.”

We Found Your Server

Outline is insanely easy to spin up, which is a critical part of the design. And because ease of use was the most important feature, DigitalOcean was the obvious choice when Jigsaw started looking for partners.

While you can build an Outline VPN on a different server, the UI was designed to work with DigitalOcean. “DigitalOcean is the default and what we recommend,” said Keyserling, “because the UI we built with DigitalOcean is nicer, slicker than the rest, and a little bit easier for our users.”

Users can create their own private VPN in three easy, self-explanatory steps following the prompts at GetOutline.org. Sign up, pick a server location, and add users and boom! You have your own secure VPN feeding into your own server in five to seven minutes. If you can create an email account, you can set up an Outline VPN.

It’s just as simple to add users. For example, a journalist has found a whistleblower source and wants to add them to her VPN to transfer the incriminating files. The journalist adds the whistleblower to her VPN, then sends them an email from Outline that contains an access code as a link, along with simple instructions. When the whistleblower copies the access code into their browser, an “Add Server” button pops up. They click the button and the application connects them, and then shows the message, “We found your server.” They’re off and running.

“It knows which server because they just copied it to the clipboard,” said Andrigo. “It leads me to installing the right client and upon opening that client, it already knows which server I was invited to so it just automatically adds in.”

Behind the Curtain

It’s not that simple, of course. That five-minute magic is hiding a lot of complexity.

Which was the goal, said Andrigo. “Outline is about taking something that is very complex and making it simple, making meaningful choices for the user, and hiding the complexity.”

Once the user chooses a server location, Outline spins up a DigitalOcean server on Ubuntu, installs Docker, and imports an image that has the actual server itself. Then it installs a component of Watchtower, which makes sure that the server is always up to date so the user doesn’t have to worry about installing a steady stream of security updates.

Outline relies on the Shadowsocks protocol, which is an open-source project to create an encrypted socks5 proxy to redirect internet traffic.

By contrast, a socks5 proxy looks like normal internet traffic. What this means is that your new Outline VPN doesn’t look like a VPN, so your data doesn’t get flagged or monitored by countries that regulate data in and out of their borders. Which is crazy helpful to journalists and activists who are working in dangerous parts of the world.

Outline’s ease of use did not come easily. “We did a lot of usability studies,” said Andrigo, “because we are lucky enough to have a very strong design and usability team, and we went through a lot of iterations to figure out what models of user interaction are clear.”

One surprising result from their usability studies led to actually adding a step in the process. “Sometimes things happened so fast that some of the users got startled," he noted. They actually slowed the install process to make it easier to use.

The end result? A super simple, super safe way to transfer data for people with limited technical ability.

For Andrigo, that what makes it all worthwhile. “Those moments,” he said, “where you take something that is very complex and you make it simple and remove all that complexity and you hopefully make wise choices for the user about the things that they don’t need to know and that stand in the way of them getting their job done.”

[Read more TC Currie: How 2,000 Droplets Broke the Enigma Code in 13 Minutes]

TC Currie is a journalist, storyteller, data geek, poet, body positive activist and occasional lingerie model. After spending 25 years in software development working with data movement and accessibility, she wrote her first novel during National Novel Writing Month and fell in love with writing.

Share

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!Sign up

Related Articles

Dolphin: Mastering the Art of Automated Droplet Movement
engineering

Dolphin: Mastering the Art of Automated Droplet Movement

January 23, 20243 min read

DigitalOcean's journey to Python Client generation
engineering

DigitalOcean's journey to Python Client generation

January 26, 20233 min read

How DigitalOcean uses Let’s Encrypt
engineering

How DigitalOcean uses Let’s Encrypt

November 28, 20223 min read