One of the features we're working on is the option to select a global exit location – i.e. the ability to route all of my circuits through exits in a specific country. In the future we'll probably make this feature more granular, but a single global setting will be sufficient for the MVP.
Here's an initial design exploration of the menu (just imagine the bottom-sheet scrolls):
However:
1. It can't be a standard ISO list of countries, since not all countries have exits available.
2. Similarly, we may want to require a minimum number of exits before a country is included in this menu – for security and speed reasons?
3. Or, do we simply offer a manually curated shortlist of generally "healthy" exit countries for the MVP?
Whatever decision we go with, we might need to add some text somewhere that explains the options. Also, I'm posting this in the vpn project, but if it should go in Network Health (or elsewhere) instead, please feel free to move it.
> 1. It can't be a standard ISO list of countries, since not all countries have exits available.
> 2. Similarly, we may want to require a minimum number of exits before a country is included in this menu – for security and speed reasons?
> 3. Or, do we simply offer a manually curated shortlist of generally "healthy" exit countries for the MVP?
What about a fourth option: TorVPN is populating the countries according to exits available dynamically? Arti should be able to provide the exits available and what it thinks about the country they are in (how would you select exits per countries otherwise anyway). You could just grab/get that info and then populate the respective entries in the menu when a user is opening that one.
I don't think curating a shortlist is the way to go here, at least not in the beginning, in particular as users who want that feature most are probably mainly interested in accessing geo-blocked content, which requires specific countries and not anything we deem as "healthy" exit countries (yo, there are the tin-foil folks as well not wanting to exit from any 5-eye country but I think we can easily ignore those for now).
Additionally, I don't think a minimum number of exits per country is needed either (although that could work together with the fourth option) as the user is already indicating they don't care that much about possible security/speed implications ignoring our load-balancing and performance-guided path selection etc. but want to get at their damn geo-blocked content. A proper warning might be enough for those cases...
Right! That's kind of what I was thinking for the second option.
> Additionally, I don't think a minimum number of exits per country is needed either (although that could work together with the fourth option)
Would there be significant benefits to, say, a minimum of 5 exits per country instead of 1 in terms of speed and security? If not, what number would make it worthwhile?
We could also consider displaying some kind of network-health-flag for each country option (based on the number of relays available?), for example:
> Right! That's kind of what I was thinking for the second option.
Aha, okay. Then I misunderstood the second option. I thought you wanted to exclude exit locations right from the beginning (given some criteria) where I suggested we go with a big warning ("Automatic (safest) Yes/No" does not do it IMO but I'll leave that up to you and other folks to decide) that per-country exiting might be dangerous but then include all available exit locations anyway.
> > Additionally, I don't think a minimum number of exits per country is needed either (although that could work together with the fourth option)
> Would there be significant benefits to, say, a minimum of 5 exits per country instead of 1 in terms of speed and security? If not, what number would make it worthwhile?
I think we should not bother about the security question once the user has passed the big warning about per-exit country selection being potentially dangerous. Thinking about security advice in this context is hard and likely even hard to convey properly to a user. And, as I suggested, I believe users going that road just want to get to their (geo-blocked) content where security concerns are a secondary concern if any at all.
> We could also consider displaying some kind of network-health-flag for each country option (based on the number of relays available?), for example:
> However, only if you think that would be useful.
Yeah, it might be neat if we could give some performance indicator and I like the mock-ups you made. The number of relays alone does not matter so much here, though, as you could easily imagine 50 exits being in a country where all of them are configured to just relay 100KiB/s or so, which would be very annoying. We should therefore look at the exit capacity (as well).
If that's the way to go let me know and I could look at the data we have for exit capacity per country and we could then think about proper thresholds for your poor/normal/good perf indicator.
> Aha, okay. Then I misunderstood the second option. I thought you wanted to exclude exit locations right from the beginning (given some criteria) where I suggested we go with a big warning ("Automatic (safest) Yes/No" does not do it IMO but I'll leave that up to you and other folks to decide) that per-country exiting might be dangerous but then include all available exit locations anyway.
I can add a more explicit warning/dialog here, for sure. Let me know if you have any specific thoughts on what it should say.
> I think we should not bother about the security question once the user has passed the big warning about per-exit country selection being potentially dangerous. Thinking about security advice in this context is hard and likely even hard to convey properly to a user. And, as I suggested, I believe users going that road just want to get to their (geo-blocked) content where security concerns are a secondary concern if any at all.
Got it, thanks!
Follow-up question: if we go the “no-minimum” route, very roughly speaking how likely/often would a single-exit country drop off the list? Should I prepare some UX for when an existing country selection is no longer available?
> Yeah, it might be neat if we could give some performance indicator and I like the mock-ups you made. The number of relays alone does not matter so much here, though, as you could easily imagine 50 exits being in a country where all of them are configured to just relay 100KiB/s or so, which would be very annoying. We should therefore look at the exit capacity (as well).
> If that's the way to go let me know and I could look at the data we have for exit capacity per country and we could then think about proper thresholds for your poor/normal/good perf indicator.
> > Aha, okay. Then I misunderstood the second option. I thought you wanted to exclude exit locations right from the beginning (given some criteria) where I suggested we go with a big warning ("Automatic (safest) Yes/No" does not do it IMO but I'll leave that up to you and other folks to decide) that per-country exiting might be dangerous but then include all available exit locations anyway.
> I can add a more explicit warning/dialog here, for sure. Let me know if you have any specific thoughts on what it should say.
Hrm. Not much from my side apart from "Automatic (safest)" not being enough. I wonder, though, whether we could have both a text and color change. Instead of having the same text in the on/off mode what about having the text change to "Custom (risky)" (or something) when auto mode is off, ideally with a color change (some warning color). Bonus points if we could include a link to some support page where the user can learn more. Or is that too much of a weird behavior for a mobile app?
> > I think we should not bother about the security question once the user has passed the big warning about per-exit country selection being potentially dangerous. Thinking about security advice in this context is hard and likely even hard to convey properly to a user. And, as I suggested, I believe users going that road just want to get to their (geo-blocked) content where security concerns are a secondary concern if any at all.
> Got it, thanks!
> Follow-up question: if we go the “no-minimum” route, very roughly speaking how likely/often would a single-exit country drop off the list? Should I prepare some UX for when an existing country selection is no longer available?
The short answer is: we don't have that data yet but we know the Tor network has (for yet unknown reasons) quite some churn. We are about to collect that churn systematically to then answer questions like yours.
To give you an example of what the country distribution of exit nodes currently looks like:
So, there are some candidates with just 1 exit or a handful. But I think the important point here is that regardless of how brittle those exits are, we should nevertheless prepare for the scenario that an exit country selection is no longer available. This could easily get triggered by a bug in our shipped geoip files or just a re-classification of IP addresses (which happens from time to time) without changing anything in our running exit relays. I'd suggest showing a notification in that case and defaulting back to automatic selection to be on the safe side, but maybe there is something smarter we could do in that case, not sure.
> > Yeah, it might be neat if we could give some performance indicator and I like the mock-ups you made. The number of relays alone does not matter so much here, though, as you could easily imagine 50 exits being in a country where all of them are configured to just relay 100KiB/s or so, which would be very annoying. We should therefore look at the exit capacity (as well).
> > If that's the way to go let me know and I could look at the data we have for exit capacity per country and we could then think about proper thresholds for your poor/normal/good perf indicator.
> Great, let’s do it 8)
Great. By when would you need that data? Or better: by when do we need to be done collecting that data AND have some thresholds extracted out of that?
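As an added illustration of the approach discussed above (not part of the original thread, and not TorVPN or Arti code): the country menu is built dynamically from the exits currently known, each country is rated by total exit capacity rather than relay count, and a stored selection falls back to automatic with a notice when its country has no exits left. The relay data, the country code `xx`, the function names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (country code, advertised exit bandwidth in KiB/s).
# Real input would come from the client's view of the network plus geoip.
SAMPLE_EXITS = [
    ("de", 40_000), ("de", 25_000), ("de", 60_000),
    ("us", 30_000), ("us", 12_000),
    ("xx", 100), ("xx", 100), ("xx", 100), ("xx", 100),  # many slow exits
    ("is", 8_000),                                        # a single exit
]

# Hypothetical thresholds (KiB/s of total exit capacity per country);
# the thread has not settled on real values.
GOOD_KIB_S = 50_000
NORMAL_KIB_S = 5_000


def build_menu(exits):
    """Return {country: {"exits": n, "capacity": total, "rating": str}}."""
    totals = defaultdict(lambda: {"exits": 0, "capacity": 0})
    for country, kib_s in exits:
        totals[country]["exits"] += 1
        totals[country]["capacity"] += kib_s
    for entry in totals.values():
        cap = entry["capacity"]
        entry["rating"] = ("good" if cap >= GOOD_KIB_S
                           else "normal" if cap >= NORMAL_KIB_S else "poor")
    return dict(totals)


def resolve_selection(selected, menu):
    """Return (effective_selection, notice).

    None means automatic selection. A stored country that is no longer in
    the menu (relay churn, geoip reclassification) falls back to automatic
    and yields a notice for the UI to display.
    """
    if selected is None or selected in menu:
        return selected, None
    return None, f"No exits currently available in '{selected}'; using automatic."
```

With this sample data the four-exit country `xx` rates "poor" while the single-exit country `is` rates "normal", which is the reason given in the thread for looking at capacity and not only at relay count.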
I'd like to tease out the idea behind a "global" exit node selection, because I'm not sure I understand the rationale and there are a number of sticky points that it raises. I know that we maybe thought that this would be an easier thing to achieve than a per-app exit node selection, but I'm not sure the use-case bears that out.
Right now, each app has its own isolated circuit through Tor. That means each app will have a unique exit. Is the idea behind this "global exit node selection" to make it so each app has its own circuit through Tor, but those circuits must all exit from one country?
I think I'm having a hard time understanding why you would want to select a country globally for all apps. I can understand the use-case of I want my bank app to exit out of the US, because I don't want to get blocked by them by appearing from a random country.... but that speaks to having country exit selection be per-app, and not globally. Is there a use-case for doing it globally?
Additionally, because people tend to have quite a few apps on their phone, limiting their exit to one country makes their circuit options very narrow, unless your country of choice is in one of the top three.
Because we already have per-app circuits, would it really be that difficult to make per-app exit selection, since this is more in-line with what users will want? If someone wants to set all of their apps to go through one country, then they can set it for each one.