The goal of the proposed project is to provide journalists, human rights defenders, and marginalized people who need high-quality, device-wide privacy and censorship circumvention with a Tor VPN client or Android devices.

To accomplish this goal, the Tor Project will: (1) Design a Tor VPN client that meets the needs of target users. (2) Implement a VPN client for Android. (3) Implement tor-side changes.

We will work directly with the Guardian Project, the organization building and maintaining Orbot, as a subgrantee and collaborator in this project.

As a result of this project, users will be able to route their Android phone’s traffic through the Tor network and easily protect their privacy and circumvent censorship on any application that connects to the internet.

For this project we are going to mainly track all tickets by the Label Sponsor 101 as we are using milestones for specific iterations of the product

OBJECTIVE 1: Design Tor VPN client that provides browser safety to meet the needs of target users.

Outcome 1.1: The Tor Project understands user needs in terms of VPNs and browser safety and is prepared to implement.

Design Tor VPN client to meet the needs of target users. Objective 1 covers conducting research on the existing VPN ecosystem (e.g., ioXt Alliance Certification Program1), browser safety, and popular user interfaces, focused on understanding tools that are popular with target populations, and evaluating the existing body of research surrounding Orbot. In this Objective, we will conduct research on Android, desktop, and iOS platforms simultaneously to build a cohesive plan for offering a VPN client and browser safety feature with parity across devices from the start. Although we have removed plans to develop or implement a browser safety feature as part of this project, we will conduct initial research as part of this Objective when speaking with target users, which will help inform our future work in this area, and ensure we are collecting relevant feedback about a Tor VPN and needs related to browsing while using a Tor VPN in this phase.

We have established relationships with hundreds of human rights defenders, NGOs, journalists, activists, and marginalized people around the world and will engage this network in this Objective. Our goal with this phase is to understand the features and functionalities necessary to build a minimal viable product for our target audience, and to bring this research to Objective 2.

To complete this Objective we will:

• O1.1: Conduct interviews and surveys with target users to create user stories representing the needs of various types of users with respect to VPN usage, browser safety, and censorship. Collaborate with Guardian Project to utilize and integrate their existing and ongoing user research on Orbot.
• O1.2: Analyze user experience, safety features, and best practices of other VPNs in the ecosystem. Ensure noteworthy safety features and best practices are documented for use in our client implementation.
• O1.3: Create wireframes and potential user flows for the VPN client based on research conducted in O1.1 and O1.2.
• O1.4: Test wireframes and user flows with target users, identify user challenges, iterate on these designs throughout the project.

OBJECTIVE 2: Implement a VPN client for Android

Outcome 2.1: Target users can route their Android phone traffic through Tor, device- wide.

Implement a VPN client for Android. In this Objective, we will focus on development. First, our team will evaluate Orbot and identify which parts of the application that can be used. Orbot has some features that need to be modified or removed in order to become a Tor VPN client. We will do this work in collaboration with our subgrantee, Guardian Project. We will use the research conducted in Objective 1 to prioritize features and functions that are important for our target users when developing this client.

To complete this Objective, we will:

• O2.1: Informed by results from O1.1 and O1.2, evaluate which components of Orbot can be reused, refactored, and/or streamlined for use in the Tor VPN client. Perform this refactoring and re-implementation work.
• O2.2: Create VPN safety and app safety design criteria, informed by O1.2.
• O2.3: Build additional user interface, following the design criteria from O2.2, and ensuring support for user stories from O1.1. Iterate on these implementations as O1.4 progresses and the browser ecosystem changes.
  • O2.3.1: Document these interfaces for user support articles, and ensure strings are provided for localization.
• O2.4: Ensure user-facing VPN client properly interfaces with the Tor client underneath, as it evolves under Objective 3.

OBJECTIVE 3: Implement tor-side changes

Outcome 3.1: Target users can route their Android phone traffic through Tor, device-wide.

Outcome 3.2: Integrating Tor as part of another app consumes fewer resources and has a smaller library, particularly beneficial for mobile implementations.

Implement tor-side changes. In this Objective, we will focus on tor-side changes that need to be made in order for the VPN client to work smoothly. Much of the work here involves providing an improved Tor client with reduced consumption of resources on mobile devices, as well as a smaller library size to reduce the bandwidth required to download it. Building a VPN client for Android first has its advantages: Android requires a superset of the underlying Tor functionality for desktop. When this Objective is complete, the groundwork for building future desktop clients will be done. Some of this work will also benefit a future iOS client and the iOS+Tor work conducted by Guardian Project.

Part of this Objective involves enhancing Tor to act as a VPN service; the activities listed below are required for success, including support for relaying UDP traffic. We plan to support UDP traffic over Tor in a very similar way to how Tor currently supports TCP. It will be transported on Tor circuits like TCP streams are today, and unpacked into UDP only at Exit relays. This means that intermediate relays will not need to upgrade; only Exit relays will need modifications, and support can be determined automatically. Tunneling UDP inside of Tor in this way is the most secure mechanism of supporting this traffic.2 We have demonstrated the feasibility of this approach and successfully tested transporting UDP over the current Tor network in a prototype.3

UDP traffic will be governed by the same congestion control, traffic splitting, and load balancing work we are implementing in DRL project titled, Making the Tor network faster & more reliable for users in Internet-repressive places,4 and will be distributed evenly and fairly with regard to other traffic, just like with TCP on Tor. This change, along with other changes outlined in this Objective, will not negatively impact the traffic on the network on other platforms; in fact, the work in this Objective will benefit users outside of Android. UDP support will vastly improve the quality of streaming, video calling, and voice apps for all users. For example, people who rely on Signal or Whatsapp for encrypted chat over Tor will now be able to use voice and video calling on these apps over the Tor network. The work to reduce library size will benefit any apps that integrate Tor in a mobile setting, making Tor faster in those contexts.

One exception to completing this Objective in Rust is part of O3.2, adding support to the Tor protocol for relaying UDP. This requires Exit node support, which is the final stage of the Arti transition. We will likely need to implement this piece in C based on the Arti release timeline.

• O3.1: Address challenges in the Tor client’s consumption of resources.
• O3.2: Enhance Tor to act as a VPN service, rather than an opt-in proxy as it does today.
  • Reassemble user traffic as it arrives at the Tor VPN, repackage it as a data stream.
  • Improve Tor’s support for complex DNS traffic.
  • Add support to the Tor protocol for relaying UDP traffic. Specifically, we will:
    • Design & specify UDP port assignment and connection tracking to be managed at Exits.
    • Design & specify handling UDP traffic from the VPN interface into Tor; perform connection mapping on incoming UDP traffic into Tor circuits.
    • Design and specify how UDP optimally interacts with Tor's Congestion Control deployment from DRL project titled Making the Tor network faster & more reliable for users in Internet-repressive places to maximize throughput and minimize packet drops and delays at Exits and clients.
    • Implement our specifications for Tor Exits and the VPN client.
• O3.3: Make the Tor client library smaller to minimize impact on bandwidth for downloads and upgrades.
• O3.4: Ensure Tor VPN client works well on popular Android apps, and develop optimizations, bug fixes, and improvements where needed.

---

Key Indicators we are tracking for this project:

For the research:

• Number of interviews with users conducted.
• Number of survey participants.
• Number of reports.
• Number of user flows.
• Number of focus groups.

For the client's implementation:

• Number of tools supported by this project.
• Number of average unique monthly users of the tools developed.

For tor:

• Amount of non-mapped memory allocated when used for example workloads.
• The size of the Tor client library.
• Number of Android apps tested, including success and failure data.