Regular ping checks should be opt-in and by default disabled (about 500 unique IPs hit per hour)

[yofreke]

Is your feature request related to a problem? Please describe.

I noticed while doing some network monitoring, that the PIA client on OSX will run latency ping checks about once per minute, and to some large number of servers each time. I found a reddit thread that confirms this suspicion. A user there found the relevant code and the latencyRefreshInterval that is set to one minute.

This check happens when the VPN is enabled, and when the VPN is disabled. If I am correct, that means my un-obscured IP address is being sent to some 100ish countries, once per minute, the entire time the daemon is running? That seems like a huge tradeoff, considering the information is only useful to display in some UI most people never see?

Based on the name of the app including "Private", I am to assume sending a very recognizable (and fingerprint-able) batch of requests, once per minute, to every continent in the world, is bordering on a bug. I submitted this request as a feature request, but honestly am not sure why a company that is privacy focussed would think this is a good idea? If the only goal is to generate a list of servers that are most easily accessed by the device, I can think of several more privacy-focused ways of accomplishing this, none of which require a connection to Mongolia or Kazakstan once per minute (picking a couple at random, the list is long).

Describe the solution you'd like

This should not happen by default, on an application designed to enhance user privacy.

I am happy to discuss alternatives in more depth, and am happy to contribute to the FOSS project if the team agrees this is a feature that is worth having? The change to the desktop app to provide a configuration option to disable this feature should be minimal. The changes required to implement a new solution will be slightly more complex, but still quite minimal. For example, a few small things that would make me much happier:

• Randomize the check interval
• Do not check all servers at once
• Change the default ping refresh from 1min per server to minimum 15min
• Allow user to select countries where they want to automatically ping check (most users will not change their physical country location once per minute, so probably pinging countries on the other side of the world will not help with automatic server selection)
• Use client-based heuristic to determine a list of viable servers based on known IP addresses. For example, a client in the US should be able to use its current public IP, and a known list of PIA IPs, to generate a list of anticipated best ping times based on geography (this can be augmented with anonymized data, but absolutely not required). Once a client has a list of likely best options, it tries each option in small batches (...with some jitter between requests), until it finds a clear winner

Describe alternatives you've considered

As someone who has supported PIA for years, all of these options are sad:

• Blocking pia-daemon with device networking rules
• Opening the PIA app less often
• Investigating competitor VPN clients to see if there are other companies who do not require this functionality

Additional context

[yofreke]

I see a potentially related issue where the resolution appears to be "rebuild the app from source with these lines commented out". https://github.com/pia-foss/desktop/issues/13

I still hope to work with the team on this to find a better alternative than telling customers they should rebuild the app. I am happy to build the app a few times if needed to help contribute to the project, but if I need to rebuild the app every time there is an update, there may be easier solutions elsewhere. Looking forward to collab!

Continuously measuring helps get the best connection when connecting with "auto".

FWIW this also happens when the user has explicitly selected a server, like in my case

[yofreke]

Additional datapoint: The one person who I recently recommended PIA to, upon finding out about this behavior, has asked how to uninstall the application. I told them for now it is adequate to disable the 'launch at system boot', and exit the program unless they are actively using the VPN. I remain hopeful that the team will take this as seriously as myself and other customers.

[jimmyweee]

Piling on. Unhappy about this behavior. Would entirely prefer that this be limited by opt-in, region, or some other option.

[banister]

Thanks for your feedback. I’ll leave this ticket open as I agree it’s something our product manager should re-evaluate. We may add a toggle for it in the future.

[DavyBeeX]

Is your feature request related to a problem? Please describe.

I noticed while doing some network monitoring, that the PIA client on OSX will run latency ping checks about once per minute, and to some large number of servers each time. I found a reddit thread that confirms this suspicion. A user there found the relevant code and the latencyRefreshInterval that is set to one minute.

This check happens when the VPN is enabled, and when the VPN is disabled. If I am correct, that means my un-obscured IP address is being sent to some 100ish countries, once per minute, the entire time the daemon is running? That seems like a huge tradeoff, considering the information is only useful to display in some UI most people never see?

Based on the name of the app including "Private", I am to assume sending a very recognizable (and fingerprint-able) batch of requests, once per minute, to every continent in the world, is bordering on a bug. I submitted this request as a feature request, but honestly am not sure why a company that is privacy focussed would think this is a good idea? If the only goal is to generate a list of servers that are most easily accessed by the device, I can think of several more privacy-focused ways of accomplishing this, none of which require a connection to Mongolia or Kazakstan once per minute (picking a couple at random, the list is long).

Describe the solution you'd like

This should not happen by default, on an application designed to enhance user privacy.

I am happy to discuss alternatives in more depth, and am happy to contribute to the FOSS project if the team agrees this is a feature that is worth having? The change to the desktop app to provide a configuration option to disable this feature should be minimal. The changes required to implement a new solution will be slightly more complex, but still quite minimal. For example, a few small things that would make me much happier:

• Randomize the check interval
• Do not check all servers at once
• Change the default ping refresh from 1min per server to minimum 15min
• Allow user to select countries where they want to automatically ping check (most users will not change their physical country location once per minute, so probably pinging countries on the other side of the world will not help with automatic server selection)
• Use client-based heuristic to determine a list of viable servers based on known IP addresses. For example, a client in the US should be able to use its current public IP, and a known list of PIA IPs, to generate a list of anticipated best ping times based on geography (this can be augmented with anonymized data, but absolutely not required). Once a client has a list of likely best options, it tries each option in small batches (...with some jitter between requests), until it finds a clear winner

Describe alternatives you've considered

As someone who has supported PIA for years, all of these options are sad:

• Blocking pia-daemon with device networking rules
• Opening the PIA app less often
• Investigating competitor VPN clients to see if there are other companies who do not require this functionality

Additional context

Hi yofreke, It still seems that PIA haven't addressed this issue. I'm just getting into network monitoring and security and would like to ask which software did you use to get this map of pia-daemon accessing various ip addresses? Thanks

[kp-john-mair]

Hi guys!

We actually have this on the roadmap for 2024, the plan is to batch the pings for each region, rather than pinging everything at once - this will not only limit the number of icmp requests we make, but also result in more accurate results.

This work will likely happen mid 2024 (due to quite a full roadmap) - is this sufficient? If not, i could try to put in a small change much earlier alowing latency measurement to be disabled - but i may have to couple that together with a warning message indicating latencies will not be up to date.

Let me know what you guys think, thanks!

(EDIT: @DavyBeeX i believe the app that @yofreke is using is Little Snitch)

[number65259]

We actually have this on the roadmap for 2024, the plan is to batch the pings for each region, rather than pinging everything at once - this will not only limit the number of icmp requests we make, but also result in more accurate results.

Spent several days tracking down the source of these ICMP packets thinking I had a compromised machine and I'm shocked to see PiA is the cause. As a general rule for developers everywhere, polling of any sort - pinging, API polling, local file checks, anything, should by default be done very conservatively. Batching by region is great, but at this point I think everyone would just prefer a way to shut off the spam entirely.

If not, i could try to put in a small change much earlier alowing latency measurement to be disabled - but i may have to couple that together with a warning message indicating latencies will not be up to date.

This sounds great, even without the warning honestly. Outbound ICMP spam every 1m while I have no intention on making a server selection for the next 18 hours has extremely questionable usefulness. Especially when, if I connect and see the ping is bad, I can just pick a new server myself based on locality. The ping results are the generally the same every time.

Mentality should be the opposite here imo. Pings off and cached close to connection time by default (on server selection screen load, on actual connection, etc.). Then, if the pingspam "feature" is turned on a warning displayed that your firewall is going to be absolutely bashed like it owes PiA money just to give a more frequent confirmation of what you probably already know - the closest servers ping the lowest.

[kp-john-mair]

Thanks for this. I agree with a lot of it.

We are rethinking our entire approach to latency checks currently.

I already added a toggle in settings to disable pings, it will go out in the next release.

[jimmyweee]

That's fantastic to hear and I look forward to the changes! Removing a feature that broadcasts our IP address all over the world, that we're ostensibly looking to obfuscate, helps to put the private back into PIA.

[kp-john-mair]

The most recent beta allows you to opt out of latency checks. Check it out in the settings>general tab.

Let me know how you all get on