How can it possibly be, that an ISP, which I’m paying for gets to decid, which sites I’m allowed to have access to, and which not?

All the torrenting sites are restricted. I know, I can use VPN, and such… but I want to do it because of my privacy concerns and not because of some higher-up decided to bend over for the lobbying industry.

While on the other hand, if there’s a data breach of a legit big-corp website (looking at you FB), I’m still able to access it, they get fined with a fraction of their revenue, and I’m still left empty-handed. What a hipocracy!!

What comes next? Are they gonna restrict me from using lemmy too, bc some lobbyist doesn’t like the fact that it’s a decentralized system which they have no control over?

Rant, over!

I didn’t even know that my router was using my ISPs DNS, and that I can just ditch it, even though I’m running AdGuard (selfhosted)

    • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
      link
      fedilink
      English
      arrow-up
      57
      arrow-down
      4
      ·
      edit-2
      1 year ago

      Sadly doesn’t work for gov level blocks that look at the SNI rather than blocking at DNS level

      Edit: correction from ESNI to SNI

      • Eufalconimorph@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        59
        arrow-down
        1
        ·
        1 year ago

        You mean SNI, not ESNI. ESNI is the Encrypted Server Name Indication that gets around that, though the newer ECH (Encrypted Client Hello) is better in many ways. Not all sites support either though.

        • MigratingtoLemmy@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          If I utilise a DNS provider who supports ECH (mullvad) with a browser that supports ECH (Librewolf) will I still not be able to access certain websites? I haven’t come across a website blocked by my ISP yet so don’t know

          • noride@lemm.ee
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            1
            ·
            1 year ago

            Most ISP blocking is pretty superficial, usually just at the DNS level, you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it’s computationally expensive at scale, and generally avoided outside of enterprise networks.

            With that siad, When in doubt, VPN out. ;)

            • MigratingtoLemmy@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              They won’t be able to get to my SNI if I’m using ECH, yes? I just assumed ECH was secure enough but I don’t know much

              • noride@lemm.ee
                link
                fedilink
                English
                arrow-up
                6
                arrow-down
                2
                ·
                edit-2
                1 year ago

                You are absolutely correct, I should have lead with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.

                However, It’s worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don’t need to see the SNI flag to know you’re accessing something at Google.

                First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.

                Second, if you target an IP that isn’t blocked outright, and I can’t see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.

                VPN gets around all of these problems, provided you egress somewhere less restrictive.

                Hope that helps clarify.

                • Darkassassin07@lemmy.ca
                  link
                  fedilink
                  English
                  arrow-up
                  5
                  ·
                  1 year ago

                  I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern

                  This is only effective when the host is the only one using that IP. Anything that uses Cloudflares WAF or similar services will just be a shared IP that responds for hundreds of hosts like one of Cloudflares Reverse Proxies.

                • MigratingtoLemmy@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Ah, that clears it up! I feel silly that the idea of the ISP doing a reverse-lookup on my traffic didn’t occur to me, thanks.

        • Snowplow8861@lemmus.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          Bring free on cloudflare makes it widely adopted quickly likely.

          It’s also going to break all the firewalls at work which will no longer be able to do dns and http filtering based on set categories like phishing, malware, gore, and porn. I wish I didn’t need to block these things, but users can’t be trusted and not everyone is happy seeing porn and gore on their co-workers screens!

          The malware and other malicious site blocking though is me. At every turn users will click the google prompted ad sites, just like the keepass one this week.

          Anyway all that’s likely to not work now! I guess all that’s left is to break encryption by adding true mitm with installing certificates on everyone’s machines and making it a proxy. Something I was loathe to do.

        • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Corrected, thanks!

          I’m looking forward to ECH, if i’m not mistaken that relies on DoH which has pretty widespread adoption in browsers at the mo

        • redcalcium@lemmy.institute
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It’s still require DoH, right? Not sure what my ISP does, but DoH has very high latency and often timeout on my end, probably to discourage their customers to turn on DoH.

            • redcalcium@lemmy.institute
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Hmm, kinda doubt it’s the DoH provider’s fault (cloudflare). On the other hand, my ISP already transparently redirecting plain DNS requests to their own DNS server, so it’s not a stretch to think they found a way to degrade DoH experience (at least for well known endpoint like 1.1.1.1).

      • asudox@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        You can try the new ECH feature, in the FF browser for example. It encrypts the SNI on compatible websites

    • moreeni@lemm.ee
      link
      fedilink
      English
      arrow-up
      25
      arrow-down
      1
      ·
      1 year ago

      Sometimes the block is on whole different level than a DNS

      • noride@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Yeah, even if they miss your DNS request, the ISP can still do a reverse lookup on the destination IP you’re attempting to connect to and just drop the traffic silently. That is pretty rare though, at least in US, mainly because It costs money to enforce restrictions like that at scale, which means blocking things isn’t profitable. However, slurping up your DNS requests can allow them to feed you false error pages, littered with profitable ads, all under the guies of enforcing copyright protections.

        • moreeni@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          It’s pretty much the only way they enforce stuff here in Ukraine. Back in 2015 when the government blocked social media websites tied to Russian companies and in 2022 when .ru domains were blocked, changing your DNS provider didn’t help. I’m not sure about piracy sites, though, because everyone kinda doesn’t care about this stuff here, but I don’t think they would invent other mechanisms when they have a working one that doesn’t rely on DNS.

          • noride@lemm.ee
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            That makes sense! Believe it or not it’s actually easier for an ISP to block a whole country than select websites and services. We actually null route all Russian public IP space where I work, that would absolutely be plausible on a national scale as well.

            It’s imperfect, you can get around it, but it catches 99% of normal users, which is the goal.

            • Case@lemmynsfw.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Not just ISPs, it can be blocked at the enterprise level in a few clicks.

              I was temping at a place during the pandemic when my hospitality based IT job shuttered. With their set up, I could just block a country in a couple clicks.

              I didn’t do the clicking, but we were getting hit with a DDoS from a nation we had no business in, and it was just blocked in a matter of minutes once the meetings and BS were attended to. Those took hours over days.

  • CriticalMiss@lemmy.world
    link
    fedilink
    English
    arrow-up
    82
    arrow-down
    3
    ·
    1 year ago

    I don’t know where you’re from and therefore don’t know what laws affect you but unless the ISP is involved in the media game (i.e HBO & AT&T) they don’t care about restricting access. In fact, they’re against it in most scenarios because if a competitor that doesn’t restrict access to piracy related websites exists, that competitor is likely to siphon customers from ISPs who impose restrictions.

    On top of that, most ISPs do the absolute bare minimum to restrict your access so that you can bypass it easily, the most common being the modification of DNS records which you can easily bypass by changing your resolver.

    TL:DR blame your lawmakers not your isp

    • Morgikan@lemm.ee
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      The DNS modification is slightly off. Some ISPs check UDP packets since they are insecure and will modify query results regardless of the DNS server you are sending to. Mediacom is known to do this for their billing and DMCA systems. They use DNS redirection to assist in MITMing the connection to load their own certificate to your browser. With that done, they can prepend their own Javascript to the response they receive from whatever web server you are trying to contact. That’s how they get their data usage and DMCA popups loaded when you load up whatever site.

        • Morgikan@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          Even if it is not being done for a malicious reason, it is still a malicious practice. Websites can help prevent this by adopting wildcard Subject Alternate Names in their certificates thereby making the redirection much less likely to succeed, but you shouldn’t have to view your own ISP as a threat actor.

  • nephs@lemmy.world
    link
    fedilink
    English
    arrow-up
    59
    ·
    edit-2
    1 year ago

    They already do restrict you from using lemmy by charging full Internet price for it, and allowing special free data plans for Facebook.

    Net neutrality matters.

  • gordon@lemmy.world
    link
    fedilink
    English
    arrow-up
    51
    ·
    1 year ago

    My state of residence restricts access to certain sites. It’s all bullshit.

    Anyway… The ISP is either a common carrier or a content provider. Pick a fucking lane. You can’t have half and half. Either you are responsible for ALL content provided or NONE.

    If you choose none then you MUST NOT restrict access to any content.

    If you chose ALL then you may restrict content based on what you are willing to take responsibility for. But in that case if someone does something illegal with content you provided you are liable.

      • MorrisonMotel6@lemm.ee
        link
        fedilink
        English
        arrow-up
        13
        arrow-down
        1
        ·
        1 year ago

        California. The internet contains chemicals known to the State of California to cause cancer and birth defects or other reproductive harm.

      • thirteene@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        The list is growing: Utah, Florida, Kansas, South Dakota, and West Virginia, Arkansas, Mississippi, and Virginia all have legislation in progress

  • XTornado@lemmy.ml
    link
    fedilink
    English
    arrow-up
    47
    arrow-down
    1
    ·
    edit-2
    1 year ago

    No offense but if they can do that you have to blame your government not the ISP… as those are the ones allowing this to happen.

    • Blackmist
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      The government are the ones telling the ISPs to do it, not just allowing it.

      • XTornado@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        In some cases yes, but I would say that is allowing it too… Idk… I don’t see the need to nitpick but yeah.

        • RogueBanana@lemmy.zip
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          The only choice he have here are stupid people and tech illiterate ones. Not a lot we can do except face palm at the ridiculously stupid solutions they come up with.

    • nephs@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      1 year ago

      As if the government wasn’t controlled by probate lobbyists.

      Blame goes to private interests being allowed to influence public decision makers, in my opinion. Infrastructure companies should not be for-profit companies.

      • XTornado@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        Yeah… But if there were laws that prohibited it they couldn’t do it that is my point.

    • RealFknNito@lemmy.world
      link
      fedilink
      English
      arrow-up
      33
      arrow-down
      1
      ·
      1 year ago

      Or the FCC to make internet a utility and strip their ability to restrict access, throttle speeds, or be bias in any way. Always use a VPN. Getting Mullvad on my next paycheck.

  • meseek #2982@lemmy.ca
    link
    fedilink
    English
    arrow-up
    37
    arrow-down
    2
    ·
    1 year ago

    Yeah this is government level. They tell the ISPs what to block and they do what’s ordered. ISPs want your money. All the legal crap they have to do is part of business.

    • JewGoblin@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      seems like a violation of our first amendment, it’s none of the government business what site or what we can access on the net

    • yukichigai@kbin.social
      link
      fedilink
      arrow-up
      30
      arrow-down
      2
      ·
      1 year ago

      Holy hell that sounds cursed. How obnoxious are they? Can you share a screenshot?

      Next time I’m cursing Spectrum I’ll remind myself that they aren’t doing that at least.

      • redcalcium@lemmy.institute
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Before Wikipedia default to https, I remember being surprised seeing ads in a Wikipedia page. I was so disappointed that Wikipedia has stoop so low before eventually realizing my cursed ISP was the real culprit.

        • yukichigai@kbin.social
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          1 year ago

          As your typical American I can only read English, what do those “news” ads say, roughly? Tinfoil hat nuttery? Increase your Pen-One-Five size?

          Either way that’s still pretty bad. And there are video popups? Jeez. I’m guessing you either don’t have much choice in ISPs or the other options are even worse somehow. My sympathies. Also thanks for sharing.

          • corrupts_absolutely@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            1 year ago

            i have an ad blocker on my desktop so i never see them. as far as i know the adverts are particular to this isp and the others dont do that, but all of them block more or less the same amount of websites. this is actually one of the largest providers in the country too.
            in terms of content of those ads they are largely the government line about the ukraine conflict and some other affairs. i dont think ive seen the typical 2010s pop culture bait ads. the videos tend to be some store advertisements like leroy merlin.

      • redcalcium@lemmy.institute
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Shenanigan like this was one of the main driving force to push website operators to use https by default. The other driving forces are the computational cost of serving https got significantly cheaper thanks to modern CPU with accelerated cryptography instructions support, and letsencrypt providing free TLS certificate to everyone.

    • Monkey With A Shell@lemmy.socdojo.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Never saw it on a website but back when I just plugged things in and used it the one at the time liked to swipe bad DNS requests and use it to push an ad page rather than a name not resolved.

      • yukichigai@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        OpenDNS used to do that. Caused a lot of unexpected problems, enough that I stopped using it entirely. I’m still hesitant to even though they’ve stopped doing it.

  • DeltaTangoLima@reddrefuge.com
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    5
    ·
    1 year ago

    Censorship is wrong. Every rational, adult human being should have the fundamental right to their autonomy, without third party intervention, with full awareness of the laws that apply to them.

    If they decide to abuse that freedom and awareness by accessing illegal content (even CSAM), then they are taking the risk of being discovered, prosecuted, and punished accordingly. And, in many cases (like CSAM), I hope they are caught and punished.

    Regardless of the outcome, it still starts with the freedom for that individual to make that decision for themselves.

    • RealFknNito@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      1 year ago

      That’s part of the price of freedom. Tor is a browser that makes it hard to be tracked down, so people use it to facilitate illegal activities. Crypto is a currency that makes it hard to be tracked down, so the same occurs. While most of us use and support these services for legal activities, just to be free from corporate and government oppression, there will always be people who use them to be from legal consequences.

      Sadly, making it easier to find people who do things like post CSAM in turn makes it easier to find people who want to watch Porn without supplying a government ID. (Still can’t believe my state of Virginia passed that law.)

      • DeltaTangoLima@reddrefuge.com
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        people who want to watch Porn without supplying a government ID

        Yeah, and this is where the part of my comment that discussed “laws that apply” is nuanced. If the laws that apply are designed to abridge people’s autonomy, and right to privacy, then that’s an unjust law.

        • RealFknNito@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          No disagreement here, just unsure if there will ever be a way to grant freedom to the common man without enabling unsavory actors as well.

          • hardcoreufo@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            1 year ago

            Unsavory actors will find ways around any restriction put in their way. So these restrictions only serve to remove freedoms from the rest of us not commiting unsavory acts.

          • DeltaTangoLima@reddrefuge.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Yeah, sadly there isn’t. I don’t envy lawmakers - there’s a knife edge they have to walk, between enabling them to catch the bad guys, but without infringing on the rights of the innocent.

  • lambalicious@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    Switch over to an ISP that doesn’t do that. Leave record with your country’s customer protection service and/or open press / open culture office that’s why you did it. There. Done.

    • seitanic@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Lots of people come have a choice in who their ISP is. I don’t. For my area, there’s one provider. If I want to change that, I have to move.

      • lambalicious@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        A fair point.

        Still, in this case you should direct your issue to your country’s consumer protection and culture protection services. Since they are essentially charging you for an incomplete service.

        Of course, there’s other measures that one can take by themself to route around the issue, such as using a VPN. But they don’t deal with the real issue at hand that is what the thread title says: that the ISP is doing something that it shoudn’t.

        • Ottomateeverything@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          1 year ago

          It sounds like you’re not from the US. Our consumer protection services ara a joke. You’re more likely to solve the problem by yelling into a pillow than complaining to US consumer protection.

          • TrenchcoatFullOfBats@belfry.rip
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            You’re more likely to solve the problem by yelling into a pillow

            You mean the Casper Original Pillow I’m buying with Klarna for 4 easy payments of $39.95 at 29.99% interest?

            I hear they’re partnering with Amazon on a new version that has a tiny Alexa speaker in it that will whisper ads in your ear while you’re sleeping unless you pay them $15 to turn it off. It’s called the Casper Pillow Talk with Special Offers.

            Yelling: ALEXA! HOW CAN I GET CONSUMER PROTECTION IN THE UNITED STATES?

            Casper Pillow Talk with Special Offers: I’m sorry, I don’t understand. By the way, did you know that Amazon Pharmacy is now selling antidepressants at a discounted price? To order, just say “Add Xanax to my next drone delivery”. To receive the discount, say “I waive my right to sue Amazon via the justice system and agree to private corporate arbitration until the end of time!

  • cecilkorik@lemmy.ca
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    16
    ·
    1 year ago

    Counter rant: This is why we built encryption and VPNs many years ago. This is a solved problem, but rather than solving it you’d rather just complain ineffectually about it. The solution, the product of years of work of technical people and privacy people, is sitting right there staring you in the face available for you to use as a free service, a paid service, or your own self-hosted service. Use a VPN, that’s what it’s for.

    • mlfh@lemmy.ml
      link
      fedilink
      English
      arrow-up
      25
      ·
      1 year ago

      It’s still right to complain and protest about something that is unjust, even when ways to circumvent it exist. Because the next logical policy step is to ban VPNs, as many countries already have, and the solved problem becomes unsolved again.

    • folkrav@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      Free VPNs should be avoided at all costs for many reasons, and the alternatives are an additional service to pay for, to fix another service you already pay for too that doesn’t work the way it should work in the first place.

      I don’t see what’s ineffectual about the complaints. Of course people will, and should, complain. Loudly.

      • ferret@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        Cloudflare’s 1.1.1.1 is free and can be as trusted as any of their other services.

            • folkrav@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Hmm, Cloudflare themselves seem to say it’s not.

              What WARP Is Not

              From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.

              https://blog.cloudflare.com/announcing-warp-plus/

              • ferret@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                It will get you around ISP and network level blocking, with high bandwidth and considerable less privacy concerns than any other free vpn. It is not surprising that you will need to pay money for geo-spoofing, and due to the nature of it’s design it can only expose your client IP to cloudflare customers. As far as VPNs go, those are very minor restrictions.

                Saying it isn’t a VPN is pedantry and also wrong no matter what they say.

      • Free Palestine 🇵🇸@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        The ProtonVPN free plan is good though. There’s no reason not to trust them, Proton is a privacy company and their business model is very clear. Also, their apps are completely free and open source. Windscribe might also be an option, but they have bandwidth limits. Proton doesn’t limit bandwidth, instead they only allow you to connect to a small amount servers in only 3 countries. They also block P2P on the free plan, but it’s fine if you just want to get around censorship and browse the web.

        • folkrav@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Yeah, fair enough. My point still stands though: VPNs are a mere band-aid to the underlying issue, not a solution. You’re merely shifting your trust from your ISP to another company, not fixing the problem.

          • Free Palestine 🇵🇸@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            I always use a VPN, no matter what network I’m on. I don’t need or want to trust my ISP, I just need to trust my VPN company. And when I don’t trust my VPN anymore, I can easily switch to another one, while I can’t switch ISPs that easily, because they actually own the fiber-optic cable that runs to my house. Censorship is not the only issue with ISPs, privacy is another reason why a trustworthy VPN is mandatory for me. You can’t fix ISPs, they are garbage, and they will always be. But you can use a VPN, so you don’t have to care about your ISP.

            • folkrav@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Which is exactly my point. Not all VPN companies are trustworthy (I’d say most are not, tbh). You’re still stuck trusting some third-party. The problem lies elsewhere. VPNs are a band aid.

    • pete_the_cat@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      1 year ago

      The problem is that VPNs can be a lot slower (for example large downloads) than a “normal” connection, at least iny experience.

    • neutron@thelemmy.club
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      There are many ways to solve this problem, with different degrees of acceptance: legally (arguing for personal freedom granted by basic laws, depends on jurisdiction), or technologically (tools to evade or deceive censorship techniques, could require technical knowledge for proper use).

      We have the tools, but legal grounds can also play a greater role (e.g. declaring vpn/tor illegal causes a chilling effect for potential beneficiaries).