Today is International Data Privacy Day…
On this occasion we want to insist that you should not have to worry about surveillance. Most people today are aware of the problem, but…
On this occasion we want to insist that you should not have to worry about surveillance. Most people today are aware of the problem, but most people also feel entirely powerless at solving it. Which is understandable. Mass surveillance cannot be solved by an individual frantically trying to choose the right app, browser or VPN, or clearing cookies. The problem of mass surveillance is a collective problem of our shared infrastructures, and has to be solved collectively at a network layer, across all applications.
In this blogpost, we would like to offer our perspective on three global developments that we see play out, as well as three use-cases of the Nym mixnet that seek to address some of these.
…and 2022 will be a global privacy year
The year 2022 is likely going to see an “All Time High” when it comes to the topic of privacy. Why? Three major global developments have been building and will likely bring the issue of privacy to a head this year:
- The COVID-19 pandemic has caused both massive digitisation as well as compromises on privacy protections;
- Which sped up the shift from cash to digital transactions;
- And although the popularisation of blockchains and Web3 is generating awareness of privacy it is also bringing new risks.
1 The pandemic and algorithmic surveillance
The global COVID-19 pandemic has been rippling across the world for the past two years. As a result, we are traveling less, having less in-person meetings, less in the classroom or playground and are buying less in shops. Instead, people are meeting on Zoom, learning on Teams, socialising on TikTok and Twitch, shopping on Amazon and working on Slack and Keybase and so on. In short, the pandemic is nothing less than a watershed moment in the digitisation of pretty much all aspects of our lives. And given how vulnerable our current digital infrastructures are to surveillance, this means it is also a watershed moment for the loss of privacy — the consequences of which are yet to become fully evident.
The pandemic has also come in the midst of a historical period of “tech-solutionism”, where “more data” is often uncritically assumed to lead to the best solution, and where surveillance lies at the core of the digital business model. This means there is money to be made from presenting quick, data-driven solutions. And this means that politicians have opted for rapid roll-out of digital responses to the pandemic rather than analogue solutions. Despite the fact that experts, including Nym CEO Harry Halpin and Carmela Troncoso of EPFL, have argued that old fashioned paper vaccine passports are, for all intents and purposes, more secure and represent less risk than their digital equivalents. An issue which we have been working on in 2021 by researching and prototyping a privacy wrapper for COVID-19 apps.
These developments have been under way for more than a decade. Big data and mass surveillance changed the very nature of surveillance. Rather than an individual being targeted because they are a suspect, they become a suspect by being surfaced as a particular profile amongst a mass of behavioral data. This means the nature of surveillance in the algorithmic age is fundamentally collective, and concerned more with collections of data points than individuals. And this means that the resistance needs to be equally collective and able to protect machine readable information — the metadata.
2 Digital transactions
The intimate details of our lives are increasingly becoming data to be crunched and calculated. Surveillance in the algorithm ic age operates through calculating fine-grained probabilities across vast amounts of data. That means that every interaction becomes a “microtransaction”, both explicitly, in the ways we interact with each other online, and implicitly, through the data-markets that have been constructed around these interactions. As our new team member Chelsea Manning recently put it, “people become more and more commodified in this way, they’re becoming more alienated in their daily life.”
The pandemic also sped up the shift from cash to digital payment platforms. This shift is bringing about a new power battle around transaction infrastructures and data of money: between private financial institutions, central banks and fintech companies. And between these, there is not much incentive to secure the privacy of ordinary people. This shift was predicted by the early cypherpunks already in the 1990s, which also led to Bitcoin, initially intended to be anonymous digital cash: All transactions would be conducted as peer-to-peer transfers between wallet addresses; to solve double-spending, the transactions would be verified and listed on a public ledger; and in order to ensure anonymity despite the public ledger, wallet addresses would serve as pseudonyms. However, the public nature of the transaction ledger (the “blockchain”) means that anyone can observe the flow of coins. These flows reveal patterns, which in turn can reveal the people and purposes behind the transactions.
3 Blockchains and Web3
One of the main promises of Web3 is a new world where people have control over their own data and the value that is generated from it. However, the new privacy problems presented by blockchains are far from fully mapped out yet and might very well turn out to be worse than what we know from Web 2. In a level-headed post, Moxie recently pointed out some of the major privacy issues of Web3, including new intermediaries: “All write traffic is obviously already public on the blockchain, but these companies also have visibility into almost all read requests from almost all users in almost all dApps.” It is already looking like 2022 will be the year that the privacy issues at the core of Web3 will begin to come to the foreground: From the more philosophical questions around what should be public on public ledgers in the first place, to the deeper technical issues of surveillance of peer-to-peer broadcasts used in every transaction, as well as the new data intermediaries that are appearing. In response, a growing coalition of Web3 start-ups are organising to put privacy at the core of the Web3 agenda (watch this space).
So what can be done?
Protection against mass surveillance — Nym mixnet
There are many good applications, email clients, wallets and chains that offer good privacy protections. And we would recommend that you use these! However, when it comes to the network layer and metadata, very few are able to offer sufficient protections — in many ways, this can only be achieved collectively, and at the layer of the infrastructure itself.
The Nym mixnet is an overlay network, which protects users’ privacy by obfuscating the link between individual users and their online activities. This is achieved by combining three techniques: a users’ traffic is routed via multi-hop routes within a decentralized Nym mixnet. Furthermore, each packet sent by a user in the mixnet is layer encrypted, which ensures that our data cannot be traced within the network based on its binary pattern. And last, but not least, each mix node shuffles a pool of packets to ensure that packets cannot be traced based on their timing and order. This presents a general purpose network layer privacy solution. The more applications, coins and users, the better the privacy for everyone!
There is strength in the crowd and this provides a collective decentralised solution to the collective problem of mass surveillance.
But are my messages not end-to-end encrypted?
Instant messaging apps like Signal or Telegram use end-to-end encryption to secure the users’ communication. However, encryption is only the first step in the efforts to achieve privacy, as it only hides the content of our communication. Encryption is not intended to hide the distinctive characteristics associated with our communication. Such patterns leak from the underlying network layer. By looking at the network metadata we can easily link communicating parties, duration of the communication, time, location and more. These in result undermine the privacy properties provided by the use of encryption. In order to provide fully private messaging, applications like Signal or Telegram need network layer protection. And the good news is, the Nym mixnet is perfect for that. As each message is routed through a multi-hop network, no one can tell who is communicating with whom.
What about privacy preserving cryptocurrencies?
The public nature of a ledger means that anyone can observe the recorded transactions and track the flow of coins. The threats resulting from the lack of network-privacy are already well understood, however so far there have been only a few attempts to secure the network layer. The Kovri project aimed to integrate an I2P solution with Monero. However, similarly as Tor, I2P defends only against local network adversaries, and can be defeated by traffic analysis techniques. Bitcoin’s Lightning and Etherum’s Raiden both implement onion encryption to hide the payment’s sender and recipient from the intermediate nodes. However, this can be easily defeated if we perform timing analysis on the relayed packets.
Integrating Bitcoin, Etherum, Zcash or Monero with the Nym mixnet allows each user to add the critical network layer privacy to their transactions. Instead of broadcasting your transactions directly into the P2P network, you route them through the Nym mixnet. After that, your transaction — now unlinkable to your IP address — is broadcasted.
Privacy should be the default of online communications. Ensuring privacy online is a collective endeavor that needs addressing across the whole technology stack. Nym is only one part of a broader effort to achieve this vision. In order to support privacy initiatives at other layers of the stack, we are building a generic infrastructure that can provide network protection to a broad range of applications and services, wishing to enhance the privacy protections they can offer to their users.
Read More: Nym Whitepaper // Nym Github // Nym Docs
