Ethereum-Powered Decentralized VPN: A Truly Secure Internet Connection?
A silent war is being waged online regarding privacy and internet anonymity. Government agencies and cyber criminals are on opposite sides, with the average internet user stuck in the middle. These are the days of giving Facebook all of your information, then complaining (often on Facebook) about how little privacy you have online. Those who choose to go further, and actually take action to safeguard their privacy, often turn to VPNs.
A VPN (Virtual Private Network) allows a user to establish a secure connection to a network over the Internet. That means a person could keep their identity (and their IP address) anonymous while accessing the Internet. A VPN does this by creating an encrypted tunnel to a remote server, through which a person would then access the Internet. Without a VPN, your Internet Service Provider (ISP) could track almost everything you do online since you’re routing all your unencrypted traffic through their servers.
Even a VPN, though, might not be fully secure. When routing your traffic through a VPN, you’re simply taking your information away from your ISP and giving it to the VPN provider. This is an issue because a VPN provider is a central point of failure, and its software is closed source. Without open-source code, it’s not possible to know what’s actually happening to your private information “under the hood” of the VPN. Worse, if the VPN’s servers are compromised, or were illegitimate from the start, someone could be collecting all the information you think is private. This is where a decentralized VPN could change the status quo.
The Mysterium Network aims to create a decentralized VPN to make anonymously accessing the internet possible without having to trust a centralized third party. They want to be a better VPN, by utilizing an open-source model, so their code is easily auditable. That means there aren’t any secret backdoors into the VPN to unmask users or harvest data. They also plan to use Ethereum to enable decentralization so that there’s no single point of access from which a hacker, or government, could collect any meaningful data. Mysterium wants to be open, so anyone can participate, but also have all traffic encrypted in order to maintain a solid level of anonymity across the network. The same people who’d like to use the Mysterium VPN to connect to the Internet anonymously could also host the VPN for others on their machine.
Those familiar with internet anonymity might ask how this is any different from the Tor network. The Tor network conceals its users’ identities by separating identification from computer routing. Tor encrypts and randomly relays communications across the globe via a network of volunteers, making it hard to track where information is coming from and going to. A Mysterium team member [boomerius] answered questions on Reddit and tackled this comparison by stating:
“TOR or Decentralized VPN? Yes there [are many] similarities, probably the main differences would be: Incentivization is embedded in decentralized VPN from the start. VPN Nodes will request payment for their services, and anyone willing to use it - will have to pay. Unlike Tor and more like with Ethereum - Mysterium Network will also have a dedicated team, developing the software, which will be completely Open Source. Incentivization and Reputation system will ensure much better performance vs Tor.”
Ethereum’s smart contract technology will be leveraged to allow VPN users and providers to exchange payments. Add to that a reputation system for users who have a good payment track record, and providers who have a quality connection; you’ve got a highly functional, anonymous network. Ethereum is actually such a solid platform to host a concept like this, that Ethereum’s creator, Vitalik Buterin, chimed in on Reddit, posting his thoughts on how a decentralized VPN could work. Vitalik said:
“This should actually not be too difficult to do in a very simple form that's roughly incentive compatible. Back when I was thinking about the problem, the design I came up with (using a shadowsocks server rather than a full VPN to make things technically easier) is:
- Every seller has a shadowsocks server
- Every seller puts their public key onto an on-chain registry
- A user can contact a seller via whisper, and the two negotiate a rate which is a 4-tuple: $X per megabyte, $Y per second, $Z seller burn, $W buyer burn
- The two parties open a payment channel, each burning their burn amounts (the burn amounts are inclusive of the transaction fee), plus an additional deposit from the buyer to cover payments. After this process, the seller reveals a key which can be used to decrypt the seller's IP address and login data (we want to do this post-payment to make it at least somewhat expensive to fish for seller IP addresses).
- The buyer connects to the seller's shadowsocks server and starts using the connection.
- Every 15 seconds, the buyer sends a channel update to pay for time and megabytes downloaded.
- If at any point the buyer is unsatisfied, the buyer immediately closes the channel and looks for someone else. If at any point the seller sees that the buyer missed a payment or paid for an insufficient amount of data, the seller closes the channel.
The burn amounts are there to make it expensive for either party to cheat; the reason why they are burns and not penalties transferred to the other party is so that there is no incentive to misuse the penalization mechanism itself. A nice side benefit is that the burn amounts can go to the VPN project's developers; one can even mandate that the burn amounts be denominated in "burn coins" that get ICO'd (or, as I prefer, Maker-style DAO kickstarted).
Something like this could probably be deployed and ‘just work’ fairly quickly.”
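As an added illustration (not part of Vitalik's post and not Mysterium's code), the seller-side check described in the last two steps of the quoted design can be sketched in Python. The class and field names, the integer token units and the 5-second grace period are assumptions; update signatures and on-chain settlement are not modelled.

```python
from dataclasses import dataclass

UPDATE_INTERVAL = 15  # seconds between channel updates, as in the quoted design
GRACE = 5             # assumed allowance for network delay (not in the quote)

@dataclass(frozen=True)
class Rate:           # the negotiated 4-tuple, in smallest token units
    per_mb: int       # X
    per_sec: int      # Y
    seller_burn: int  # Z
    buyer_burn: int   # W

class SellerChannel:
    """Seller-side view of one open channel (signatures not modelled)."""
    def __init__(self, rate: Rate, deposit: int):
        self.rate, self.deposit = rate, deposit
        self.last_seq = self.last_at = self.paid = 0
        self.open = True

    def buyer_locks(self) -> int:
        # Buyer burns W and adds a deposit that caps cumulative payments.
        return self.rate.buyer_burn + self.deposit

    def owed(self, now: int, mb_served: int) -> int:
        return self.rate.per_sec * now + self.rate.per_mb * mb_served

    def _close(self, reason: str) -> str:
        self.open = False
        return reason

    def on_update(self, seq: int, now: int, paid_total: int, mb_served: int) -> str:
        """Check one cumulative update; `now` is seconds since channel open."""
        if not self.open:
            return "closed"
        if seq <= self.last_seq:
            return "ignored"                      # replay of an older update
        if now - self.last_at > UPDATE_INTERVAL + GRACE:
            return self._close("missed payment")
        if paid_total > self.deposit:
            return self._close("exceeds deposit")
        if paid_total < self.owed(now, mb_served):
            return self._close("underpaid")
        self.last_seq, self.last_at = seq, now
        self.paid = max(self.paid, paid_total)
        return "ok"

def demo() -> list:
    # Constructed session: 2 units/MB, 1 unit/s, deposit 500.
    ch = SellerChannel(Rate(per_mb=2, per_sec=1, seller_burn=10, buyer_burn=10), 500)
    steps = [(1, 15, 35, 10), (2, 30, 80, 25), (2, 31, 80, 25), (3, 45, 90, 40)]
    return [ch.on_update(*s) for s in steps] + [ch.on_update(4, 60, 200, 40)]
```

Because payments are cumulative, the seller only needs to keep the highest-valued update; a late update is detected here when the next one arrives, so a real seller would also run a timer to catch a buyer who simply stops sending.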
While Ethereum’s blockchain technology should allow for the creation of a decentralized VPN, the VPN could still be subject to regulatory issues that haven’t been fully worked out, mainly due to a lack of legal precedent.
Recently, the advisory committee on criminal rules for the Judicial Conference of the United States quietly updated Rule 41 of the Federal Rules of Criminal Procedure. Rule 41 is a statute that regulates legal search and seizure. The changes to Rule 41 allow courts under two specific circumstances to issue warrants authorizing law enforcement agencies to engage in hacking and surveillance. Basically, a judge can issue a warrant for the FBI to remotely access, search, seize, and copy digital information that’s been concealed through anonymizing software like Tor or a VPN. So, if relevant to a crime, and all constitutional and procedural steps have been followed by law enforcement officials, any computer using a VPN can legally be searched.
A major issue with the changes to Rule 41 is that victims of hacking incidents could then also be hacked by law enforcement during an investigation. For example, a major DNS provider was hit by a DDoS (distributed denial of service) attack via a botnet a few weeks ago, which shut down several major websites for much of the East Coast. A botnet is created when a hacker takes over hundreds, or thousands, of internet-connected devices (Internet of Things) and uses them in unison for nefarious purposes. If a person’s device was hacked and used as part of a botnet, even without them knowing, the government could remotely and legally access the hacked device as well as other computers on that network. Simply because their home computer was on the same network as their hacked device (like a webcam, or printer), law enforcement may be able to obtain all of their private information.
Though that’s only possible if law enforcement can actually get to the information, which is where a decentralized VPN could potentially change things. The government couldn’t get to the data the same way they could hack a popular VPN’s server infrastructure because, with Mysterium, there is no central point of entry. As long as the Mysterium Network is fully encrypted, it would be hard to track who is doing what.
There are many legitimate reasons for wanting to stay anonymous online; Internet privacy isn’t only for criminals. A few examples of lawful VPN users are journalists communicating with sources, victims of domestic violence seeking legal information, employees securely accessing a corporate intranet while outside the office, people conducting personal business over public Wi-Fi, and many more. Maybe one just believes that privacy is a right. Regardless of why someone would use a VPN, the Mysterium Network has an interesting road ahead.
For their decentralized VPN to be a success, Mysterium needs to make security airtight. Since they plan to open-source their code, bugs or backdoors could be quickly weeded out. Even though Vitalik himself said “[s]omething like this could probably be deployed and ‘just work’ fairly quickly,” that still doesn’t mean there aren’t potential legal hurdles in the future.
There aren’t many legal precedents in the decentralized blockchain ecosystem or the anonymizing software space, so it’s touch and go until a big legal problem arises. For now, until the FBI comes knocking on Mysterium’s door, a decentralized VPN is a great use-case for Ethereum. More importantly, a great use-case could actually be implemented in the very near future.