Why websites shouldn’t indiscriminately block VPN users

By | October 25, 2025

I was recently trying to renew the registration on my motorcycle at the Massachusetts RMV website, when I was stymied by the fact that when I got to the page where I was supposed to enter my credit-card information, the form fields were missing. After attempting to perform the renewal in three different browsers and with all of my extensions disabled and running into the same problem everywhere, I decided I had to escalate.

It’s difficult to impossible for end users of the RMV website (or, for that matter, most government websites) to reach anyone who has anything to do with making it work, but I know from experience that state legislators have effective contacts inside state agencies, so I emailed my (very responsive) state senator, Will Brownsberger, about the problem and asked him to let the RMV know their website was broken.

A few minutes after doing that, I realized that the one thing I had not tried was turning off my VPN, and what do you know, when I did that, the website worked properly. I quickly sent this followup email to Senator Brownsberger:

Ha, never mind, I figured it out. The website was silently refusing to load the embedded form for the credit card details when I was connected to my VPN. I had to disable my VPN to be able to pay for my registration renewal.

That kind of sucks, you know? We use VPNs to protect our privacy and security, and government websites should not fail to work properly for people who are using a VPN.

Senator Brownsberger wrote back the following day:

and government websites should not fail to work properly for people who are using a VPN.

But then again, maybe they should.

Not that there is anything wrong with using a VPN, but a hacker from anywhere could be pretending to be a Massachusetts resident using a VPN, right?

I replied with the long explanation below. You might think it was a waste of time for me to try to explain something like this to a legislator, but Senator Brownsberger is a good guy who actually listens to his constituents, and he and I have been exchanging emails for years. And indeed, after reading my email, he replied:

These are good points, well made.

We’ll share this thread with the RMV.

To be perfectly honest, I do not believe the RMV is going to fix this problem, for three reasons:

  1. I’m sure the website was built by a contractor, and now that it’s built and working the contract in place for maintaining it has little capacity for non-urgent changes.
  2. I haven’t looked to confirm, but I suspect that the embedded credit-card form that wasn’t showing up is actually provided by a third-party payment processor, and it’s that payment processor rather than the RMV that is deciding to reject requests from VPNs; even if the RMV wanted to change that, the payment processor will probably say no.
  3. I don’t actually believe there is a good tech culture at the RMV, i.e., I don’t think the folks at the RMV actually care about stuff like this.

Having said that, I did manage to convince Senator Brownsberger, and that itself was a good outcome, because this is now knowledge that he will carry with him into his future work legislating and overseeing government tech. It would seem, therefore, that it was a convincing enough argument to be worth sharing for others to use when they run up against this problem. So here you go. Feel free to steal the following text and do whatever you want with it, with or without attribution; I don’t need credit, I just need websites to stop blocking VPN users who aren’t bad guys.


The simplest answer to your question is, “Not that there is anything wrong with using a VPN” and “a hacker from anywhere could be pretending to be a Massachusetts resident using a VPN” are contradictory statements. But that is, I grant you, a bit flippant. The full answer is much longer…

As I discussed in my blog posting about the privacy bill, using IP address geolocation as prima facie evidence of someone’s location is unacceptable for two reasons: (1) IP address geolocation is often inaccurate for completely legitimate and innocuous reasons, and (2) it forces people to turn off their VPNs when interacting with websites that do this, i.e., the problem we’re discussing here.

Let’s talk about why this is a problem. Nobody does just one thing at a time that uses the network on their computer. Even people who think they’re doing just one thing on the network, actually aren’t. There are things running on pretty much everyone’s computer or device that are reaching out to sites on the network constantly. This is true of your web browser, which is constantly phoning home telemetry data; of the tabs that you have open in your web browser; of messaging apps such as Signal, WhatsApp, Telegram, Matrix, etc.; very much of social media apps; and of the OS itself, e.g., Windows especially seems hellbent on building news, weather, games, ads, etc., ad infinitum into the OS. Every device we use is using the network all the time in the background in numerous ways.

So here’s the thing: if a user needs to turn off their VPN to access a specific website, they’re not just turning off the VPN for that website; they’re turning it off for everything accessing the network from their device, even the things doing that in the background. The moment they turn off the VPN, their real IP address is exposed to all of the services that are accessed in the background without their knowledge while the VPN is off, defeating the whole purpose of using a VPN to protect their privacy.

(Caveat: there are some VPNs that allow the VPN to be toggled on or off for specific websites. However, the majority of VPNs don’t support this, and the majority of users don’t use their VPNs granularly like this.)

In short, when you force the user to turn off their VPN for your website, you’re not just forcing them to turn it off for your website, you’re compromising their privacy across the entire internet.

The situation we have now is completely unsustainable: the part of the information security community that advocates for end users tells them to use VPNs to protect their privacy against the completely legitimate fear of privacy violations and intrusive tracking of their online activity, while the part of the information security community that advises website maintainers tells them to block traffic from VPNs because hackers like to use them.

The way this is supposed to work is that IP geolocation and whether someone is using a VPN are supposed to be taken into consideration as just one factor when deciding whether a person’s identity has been sufficiently established. Some websites get this right. Many, like the RMV’s, do not.

Let’s take that specific example… By the time I got to the page where I was blocked from paying on the RMV website because I was on my VPN, I had already (a) entered my birth date, driver’s license number, last name, and last four digits of my SSN, (b) entered a two-factor code generated by my phone, (c) been allowed to view, and potentially modify, private information about my vehicles, and (d) indicated that what I was trying to do was pay the renewal fee on a vehicle registration (I was trying to give the RMV money, certainly not something a hacker would have much interest in doing!). Furthermore, when I enter my credit card information on that last page, it’s going to be authenticated by the payment processor and bank in real time. In short, there is no legitimate threat the website is defending against at that point by deciding that I should not be allowed to pay that fee over a VPN. It’s not security, it’s pointless user hostility.
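To make the “one factor among many” design concrete, here is an added example (my own illustration, not the RMV’s code or the author’s) contrasting a hard VPN block with a risk-based decision that weighs VPN use and geolocation alongside the identity factors, MFA and action type described above. The signal weights and thresholds are assumed for illustration; a real deployment would tune them from its own data.

```python
"""VPN/geolocation as weak signals in a risk-based access decision (illustrative)."""
from dataclasses import dataclass


@dataclass
class Request:
    identity_factors: int   # factors already verified, e.g. DOB, licence no., last name, SSN-4
    mfa_passed: bool        # second factor (e.g. phone-generated code) succeeded
    action: str             # "login", "view_records", "pay_fee", "change_address"
    vpn_detected: bool      # IP belongs to a known VPN/proxy range
    geo_in_state: bool      # IP geolocation claims in-state (often wrong, per the text)


# Assumed base risk per action. Paying a fee is low risk: the card is verified
# by the payment processor and bank anyway, and attackers rarely give money away.
ACTION_RISK = {"login": 1, "view_records": 3, "pay_fee": 1, "change_address": 4}


def hard_block(req: Request) -> str:
    """The RMV-style policy the text criticises: VPN alone decides the outcome."""
    return "deny" if req.vpn_detected else "allow"


def risk_score(req: Request) -> int:
    """Combine all signals; VPN and geolocation each add only one point."""
    score = ACTION_RISK[req.action]
    if req.vpn_detected:
        score += 1          # weak signal: a privacy tool as often as attacker cover
    if not req.geo_in_state:
        score += 1          # weak signal: geolocation databases are frequently wrong
    score -= min(req.identity_factors, 4)   # each verified factor lowers risk
    if req.mfa_passed:
        score -= 3          # a passed second factor outweighs both network signals
    return score


def decide(req: Request) -> str:
    """Map the score to allow / step-up / deny; step-up asks for more proof
    (e.g. an MFA challenge) instead of refusing service outright."""
    score = risk_score(req)
    if score <= 1:
        return "allow"
    if score <= 3:
        return "step_up"
    return "deny"


if __name__ == "__main__":
    # Constructed sample: the registration-renewal case from the text.
    renewal = Request(identity_factors=4, mfa_passed=True, action="pay_fee",
                      vpn_detected=True, geo_in_state=False)
    print("hard block:", hard_block(renewal), "| risk-based:", decide(renewal))
```

Because VPN and geolocation together add at most two points, no request is ever denied on those signals alone; they only push borderline cases toward a step-up challenge.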

I’ve spent my entire career working in information security, but I’ve also spent my entire career working on making technology more user-friendly and effective for the people it is supposed to serve. These two ideas are not incompatible; in fact, they’re complementary, since when security safeguards become too burdensome to users, they inevitably find ways around them, thereby compromising security.

The behavior of the RMV site, and many others like it, isn’t improving security. It’s just violating people’s privacy and making computers harder to use for the people they’re supposed to serve, because the people who build those sites would rather take user-hostile shortcuts than put in the work to do things right.

Thanks for listening.
