A new decentralised VPN aims to patch a gaping security hole
VPNs have become popular means of protecting personal data, but there’s a big vulnerability in their defences: the service provider.
These companies can technically gain access to all your unencrypted traffic. Consequently, they can see all the data on your browsing habits.
This frailty has sparked interest in decentralised VPNs. Instead of funnelling all user data through a single server, they disperse the traffic across a network run by multiple users. In theory, this makes the shield more difficult to breach, because there’s no central authority controlling the service.
It’s a theory that Nym Technologies wants to prove true. The Swiss startup today announced that it will launch a new decentralised (dVPN) in the first quarter of next year. Named NymVPN, the service promises to provide an “unparalleled” level of privacy and security.
At the core of the system is a so-called “network of nodes.” A collection of hundreds of gateways, this obfuscates the flow of data by transmitting internet traffic through entry and exit points.
The nodes are run by independent individuals in various countries. Each of these operators routs a user’s internet traffic through various stages of the information pathway, known as hops. According to Nym, this reduces the risk of data breaches, surveillance, identity theft, and censorship.
“We believe that privacy is a fundamental right, and our vision has always been to empower individuals to take full control over their online security,” said Harry Halpin, Nym’s CEO and co-founder. “The NymVPN offers just this.”
Risks of centralisation
The principal appeal of dVPNs is preventing access to unencrypted traffic. However, even encrypted traffic can’t fully conceal metadata, which can expose the sites you visit and the apps you use.
“Don’t just take our word for it,” Jaya Klara Brekke, Chief Strategy Officer at Nym, told TNW. “As former NSA General Counsel Stewart Baker said: ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content’.”
Users of centralised VPNs, therefore, must place great faith in the provider. If a centralised VPN is asked to hand over data to third parties, the trust could be severely tested.
The internet internet may come to look like a very different place.
Even ostensibly private centralised VPNs could turn over information to authorities. NordVPN, for instance, has acknowledged that it complies with law enforcement data requests. Free VPNs, meanwhile, can sell user browsing habits and data to anyone they like.
“It’s better to eliminate the risk of holding unnecessary data at all,” Brekke said. “This is what actual decentralisation offers.”
Nym’s approach
In the NymVPN app, the decentralisation comes in two different levels.
The first is VPN mode, which is better for streaming, browsing, and other use cases that require high performance but only moderate privacy. Data is transmitted through two hops, each of which is hosted by an independent node operator. The operators are rewarded with NYM tokens, which are used to incentivise good governance.
For extra protection, the app has a mixnet option. This mode is designed for messaging, sensitive file sharing, transactions, and other use cases that require high levels of privacy but only mid-range performance. Data is divided into small, identically-sized packets that are encrypted with a novel system called Sphinx. It travels through five ‘hops’ in the network before reaching its destination.
To further obscure communications, Nym generates fake dummy traffic, which is indistinguishable from the real thing.
“Even in the presence of global network observers or advanced machine learning attacks, this mode ensures your online activities remain confidential and shielded from prying eyes,” Brekke said.
“Thus, it surpasses the privacy properties of traditional VPNs and Tor and is the fastest, most secure mixnet available today, keeping your online activities truly private.”
The VPN market
A dVPN remains a specialist product, but Nym argues that it has mainstream potential. The company is initially targeting four different user groups. The first is privacy enthusiasts, who are typically interested in emerging technologies.
Once that establishes a solid user base, Nym will target journalists, activists, and whistleblowers. B2B and B2G clients are also “definitely on the radar,” according to Brekke. “We’ve received interest,” he said.
In time, Brekke expects the general public to also become customers. As evidence, he can point to the sector’s rapid growth. Industry researchers predict that the global VPN market alone will be worth $358bn by 2032. The value of the worldwide data privacy market, meanwhile, is projected to reach $30bn by 2030.
Investors have also made bullish predictions. In 2020, Fred Wilson, a prominent venture capitalist, warned that mass surveillance by both governments and corporations “will become normal and expected this decade.” This, Wilson continued, will spark a market boom.
“The biggest consumer technology successes of this decade will be in the area of privacy,” he concluded.
Unsurprisingly, it’s a view that Nym welcomes.
“With the shifting sands of censorship and companies threatening to pull their services in the wake of regulations like the Online Safety Bill, it may come to pass that the internet looks like a very different place indeed,” Brekke said.
“In this scenario, a VPN would be an essential part of anyone’s toolkit in order to access the internet as we are used to.”