Alexis Roussel: "Metadata is one of the great battles of the 21st century"

Premium
Cybersecurity
Deeply involved in the Bitcoin ecosystem, Alexis Roussel now heads the operations of Swiss start-up Nym Technologies. For The Big Whale, he looks back at the risk of widespread surveillance and the tools developed by Nym to address it.

The Big Whale: Why is it important to protect the metadata of our communications?

Alexis Roussel: The reason is quite simple. Even when we don't know the content of a communication, we can get a lot of information about it by analyzing its metadata (the time it took place, the geographical position, the interacting IP addresses, ed.)

To achieve optimal privacy protection, it is important to hide the content but especially to hide the data surrounding the communication. This is a fundamental issue.

As you say, we're just talking about the data surrounding a communication and not the content itself... Is this really an infringement of freedoms?

The whole economy of what is called surveillance capitalism is based on this metadata, not on the content of the discussions themselves. It's one of the great battles of the 21st century.

What techniques are used to identify someone from metadata?

By using the Internet, everyone creates a "digital footprint". The hardware we use to connect provides a certain amount of information to the server, such as screen size, operating system, time zone, phone model, etc. This is called fingerprinting. This is called "fingerprinting".

This information, if there is enough of it, can be used to distinguish between individuals and track them, just as we do with cookies on websites. That's why we get extremely well-targeted ads after talking about a topic with friends or doing an online search. And it works even if you've opted out of tracking.

With Nym, we propose a tool which allows to hide the IP address but also the whole metadata around the communication.

Do you want to read more?

Only premium subscribers have access to this article!
Sign up to access the best content, get exclusive info and join the whale community. 🐳

Have you considered that a police investigation is blocked because the wanted person used Nym?

Yes, of course, and the authorities will have to find another lead. There are plenty of other ways to catch a guilty person. I remember a manager of an illegal darknet platform who ended up getting caught because he left a Yahoo email address with his real name on it. And yet he was using Tor... Criminals always make a human mistake, and honest people have the right to protect their privacy.

How is VPN software, which allows to change the IP address of an Internet user, not protective enough?

A VPN manages to hide the IP address of an Internet user. The problem is that it is managed by a centralized actor who sees all connections. This means that the authorities can force it to provide information about an Internet user. It can also be compromised by hackers.

Finally, a VPN does not protect against "fingerprinting", because the IP address is only one element among others that make up your digital footprint. Thanks to this technique, we can even find your original IP address.

In my opinion, using VPN is effective for overriding geolocation blocks, such as for viewing the Netflix catalog from another country. But it's not a very effective privacy tool.

What are the limitations of Tor?

Tor was designed to hide the IP address of the server receiving a user's connection, and it works. However, the tool is not able to resist attempts to de-anonymize it by those who wish to observe the network. Why is that? Because it doesn't cost anything to attack it, you just need to connect a lot of servers.

Attackers can calculate the connection time between different locations on the network and launch what is called a "timing attack". This can be traced back to the targeted person.

Nym was designed to resist this kind of attack. This would be very expensive (about 40 million dollars at the moment, editor's note). Finally, Nym randomly slows down communication packets, which further confuses the issue.

Tor received U.S. government funding in its early days. Can we doubt the integrity of this network?

No, I don't think so, because governments also need it. Even though they monitor the Internet, they also need to communicate discreetly, especially to get in touch with people in hostile countries. For years, Tor was used for this by the U.S. military. This would not have been possible with the traditional Internet or with satellites...

The problem is that Tor is not robust enough. U.S. agencies and private surveillance companies now have the capabilities to punctually take control over the network and deanonymize exchanges.‍

The mixnet idea, which is at the heart of Nym, is 40 years old. Why would it work now?

Mixnets have not been successful so far, because the system was not economically viable. Like Tor, if someone puts a lot of machines on the network, they can see all the traffic and reconstruct the communications. Nym proposes an economic incentive system, via the NYM token, which helps secure the network.

How is Nym decentralized?

The Nym network is not maintained by the company Nym Technologies. It is maintained by the community and their different nodes (250 currently). Of course, 99% of the code is currently written by employees of Nym Technologies, but this share will decrease with time.

Soon, we will be able to offer governance with a second token (the NYX).

Why did you choose to use the Cosmos protocol to develop Nym?

We didn't want to spend our energy building a new blockchain from scratch. Our role is to build a mixnet. We tested different protocols like Ethereum or Liquid, but we chose Cosmos because there was a ready-made SDK.

We may have worked for two months to launch our blockchain, but no more. So we were able to focus on our real added value.

The other advantage of Cosmos is that it has the IBC (Inter-blockchain communication protocol). This has allowed us to represent our tokens in ERC-20 thanks to the Gravity Bridge, to be present in other blockchains of the Cosmos universe, to write smart contracts with the Rust programming language (via CosmWasm), etc. Cosmos is really interesting!

What do you think of the cryptocurrency Monero, which is described as "anonymous"?

Monero manages to hide the transactions in the blockchain, but does not hide the IP address of the wallets. This is its main point of vulnerability.

And your opinion on Tornado Cash?

The functionality of Tornado Cash was to specifically mix money online. You would take someone's cryptos and mix them with others, before sending them to the final recipient. I don't think the way the creator was arrested is acceptable, but the project was lost in the shuffle because it was akin to a financial service.

The structure was remunerated by mixing financial transactions, so in terms of the law it had the obligation to identify users. Nym only processes electronic communications, not cryptocurrency transactions.

What is it about Monero that allows it to escape prosecution, unlike Tornado Cash?

Monero's mixing feature is active by default, so any transaction, whether good or bad, uses this feature. It is available by default.

On the Tornado Cash side, it's different. Someone who used this application necessarily wanted to anonymize his funds. If he didn't want to, he would have made a simple transaction on Ethereum.

Could Zcash, another cryptocurrency that offers anonymity, be worried?

There is a risk, because the anonymity function is not active by default. So there is a risk of prosecution. We'll see what happens.

How does Nym differ from Monero, Tornado Cash or zCash?

All of them are money blenders, while Nym is a data blender. We have nothing to do with financial services. We operate on a lower layer, which is telecommunication.

Aren't you afraid that the authorities will still be interested in Nym?

We did things the right way. Nym is one of the cleanest projects. We made the choice to set up in Switzerland by submitting to the compliance system, while respecting the American law of "foreign securities".

Concerning American users, only certain accredited structures, such as the venture capital funds that have financed us, can use Nym. The others are blocked.

So you are totally protected against possible lawsuits?

If the U.S. wants to come after us, they can. But in crypto, it's always a race thing. Regulators will go after the easiest cases to deal with first. It's only when they get more proficient that they'll go after the more complex cases. Are we clean enough in the eyes of the US regulator? I don't know for sure, but I think we are.

All the projects that are having problems have a foot in the United States. They have an office there, have sold products to individual U.S. investors, etc. They are not considered "foreign security" because they have real activities in the United States.

Don't you fear arrest as a leader?

We reduce this risk with "over-transparency". Harry Halpin and I are public figures, we don't hide. We do everything by the book and we have a long public history. If the authorities came to bother us, they would risk making us "martyrs".

Using Nym is not free (via the NYM cryptocurrency). Do you think people are willing to spend money to send a communication?

Indeed, there is a fee for using the network. But we consider that many Internet users already pay for a VPN, so there is a market for privacy. The goal is to keep the fees very low so as not to limit usage. We also think that apps like Telegram will be able to handle this expense for their users. Eventually, a lot of people might use Nym without knowing it.

Why would couriers have an interest in this?

Today, Internet services collect countless data about their customers. Many don't know what to do with it. Some resell it in the form of targeted advertisements, but others are faced with the simple cost of managing it, especially since the European RGPD regulation. The idea is that if they use Nym in the relationship with their customers, they will be able to limit themselves strictly to the information they need to provide the service. They won't have to deal with the rest.

Are there any other use cases?

I think that banks could also find an interest in this. Today your mobile operator can know a lot about you, because banking access is through a mobile application. Google or a telecom operator knows people better than their own banks. Banks could therefore use Nym to protect their customers' data from third parties and turn it into a commercial advantage. This is a bit like Apple's approach.

How did you attract VC funds to commit up to $350 million?

I think many are anticipating the shock that is coming. We're heading into a very important democratic debate about the data economy and the impact of mass surveillance. Privacy-preserving technologies are probably a hedge for some of our investors.

A US fund like Andreessen Horowitz realizes this. But it's pretty simple: they have a mandate to invest money and they invest in a diversified way to hedge. They are very pragmatic.

What does Chelsea Manning bring to the table as one of Nym's advisors?

During her years of detention, I think she had time to reflect on the impact of mass surveillance. In the US military, she had access to a lot of information in the late 2000s. But today there are 1000 times more resources to monitor people... That's why it's interesting to join a project that protects privacy.

Do you want to join the Web3 revolution?

Find the best of the crypto, NFT and DeFi news every Wednesday and Thursday in the two newsletters written by our specialised journalists Grégory Raymond and Raphaël Bloch.

Alexis Roussel: "Metadata is one of the great battles of the 21st century"
Published on
Published on
March 1, 2023

Alexis Roussel: "Metadata is one of the great battles of the 21st century"

Deeply involved in the Bitcoin ecosystem, Alexis Roussel now heads the operations of Swiss start-up Nym Technologies. For The Big Whale, he looks back at the risk of widespread surveillance and the tools developed by Nym to address it.

The Big Whale: Why is it important to protect the metadata of our communications?

Alexis Roussel: The reason is quite simple. Even when we don't know the content of a communication, we can get a lot of information about it by analyzing its metadata (the time it took place, the geographical position, the interacting IP addresses, ed.)

To achieve optimal privacy protection, it is important to hide the content but especially to hide the data surrounding the communication. This is a fundamental issue.

As you say, we're just talking about the data surrounding a communication and not the content itself... Is this really an infringement of freedoms?

The whole economy of what is called surveillance capitalism is based on this metadata, not on the content of the discussions themselves. It's one of the great battles of the 21st century.

What techniques are used to identify someone from metadata?

By using the Internet, everyone creates a "digital footprint". The hardware we use to connect provides a certain amount of information to the server, such as screen size, operating system, time zone, phone model, etc. This is called fingerprinting. This is called "fingerprinting".

This information, if there is enough of it, can be used to distinguish between individuals and track them, just as we do with cookies on websites. That's why we get extremely well-targeted ads after talking about a topic with friends or doing an online search. And it works even if you've opted out of tracking.

With Nym, we propose a tool which allows to hide the IP address but also the whole metadata around the communication.

Do you want to read more?

Only premium subscribers have access to this article!
Sign up to access the best content, get exclusive info and join the whale community. 🐳

Subscribe for free to read more.

Have you considered that a police investigation is blocked because the wanted person used Nym?

Yes, of course, and the authorities will have to find another lead. There are plenty of other ways to catch a guilty person. I remember a manager of an illegal darknet platform who ended up getting caught because he left a Yahoo email address with his real name on it. And yet he was using Tor... Criminals always make a human mistake, and honest people have the right to protect their privacy.

How is VPN software, which allows to change the IP address of an Internet user, not protective enough?

A VPN manages to hide the IP address of an Internet user. The problem is that it is managed by a centralized actor who sees all connections. This means that the authorities can force it to provide information about an Internet user. It can also be compromised by hackers.

Finally, a VPN does not protect against "fingerprinting", because the IP address is only one element among others that make up your digital footprint. Thanks to this technique, we can even find your original IP address.

In my opinion, using VPN is effective for overriding geolocation blocks, such as for viewing the Netflix catalog from another country. But it's not a very effective privacy tool.

What are the limitations of Tor?

Tor was designed to hide the IP address of the server receiving a user's connection, and it works. However, the tool is not able to resist attempts to de-anonymize it by those who wish to observe the network. Why is that? Because it doesn't cost anything to attack it, you just need to connect a lot of servers.

Attackers can calculate the connection time between different locations on the network and launch what is called a "timing attack". This can be traced back to the targeted person.

Nym was designed to resist this kind of attack. This would be very expensive (about 40 million dollars at the moment, editor's note). Finally, Nym randomly slows down communication packets, which further confuses the issue.

Tor received U.S. government funding in its early days. Can we doubt the integrity of this network?

No, I don't think so, because governments also need it. Even though they monitor the Internet, they also need to communicate discreetly, especially to get in touch with people in hostile countries. For years, Tor was used for this by the U.S. military. This would not have been possible with the traditional Internet or with satellites...

The problem is that Tor is not robust enough. U.S. agencies and private surveillance companies now have the capabilities to punctually take control over the network and deanonymize exchanges.‍

The mixnet idea, which is at the heart of Nym, is 40 years old. Why would it work now?

Mixnets have not been successful so far, because the system was not economically viable. Like Tor, if someone puts a lot of machines on the network, they can see all the traffic and reconstruct the communications. Nym proposes an economic incentive system, via the NYM token, which helps secure the network.

How is Nym decentralized?

The Nym network is not maintained by the company Nym Technologies. It is maintained by the community and their different nodes (250 currently). Of course, 99% of the code is currently written by employees of Nym Technologies, but this share will decrease with time.

Soon, we will be able to offer governance with a second token (the NYX).

Why did you choose to use the Cosmos protocol to develop Nym?

We didn't want to spend our energy building a new blockchain from scratch. Our role is to build a mixnet. We tested different protocols like Ethereum or Liquid, but we chose Cosmos because there was a ready-made SDK.

We may have worked for two months to launch our blockchain, but no more. So we were able to focus on our real added value.

The other advantage of Cosmos is that it has the IBC (Inter-blockchain communication protocol). This has allowed us to represent our tokens in ERC-20 thanks to the Gravity Bridge, to be present in other blockchains of the Cosmos universe, to write smart contracts with the Rust programming language (via CosmWasm), etc. Cosmos is really interesting!

What do you think of the cryptocurrency Monero, which is described as "anonymous"?

Monero manages to hide the transactions in the blockchain, but does not hide the IP address of the wallets. This is its main point of vulnerability.

And your opinion on Tornado Cash?

The functionality of Tornado Cash was to specifically mix money online. You would take someone's cryptos and mix them with others, before sending them to the final recipient. I don't think the way the creator was arrested is acceptable, but the project was lost in the shuffle because it was akin to a financial service.

The structure was remunerated by mixing financial transactions, so in terms of the law it had the obligation to identify users. Nym only processes electronic communications, not cryptocurrency transactions.

What is it about Monero that allows it to escape prosecution, unlike Tornado Cash?

Monero's mixing feature is active by default, so any transaction, whether good or bad, uses this feature. It is available by default.

On the Tornado Cash side, it's different. Someone who used this application necessarily wanted to anonymize his funds. If he didn't want to, he would have made a simple transaction on Ethereum.

Could Zcash, another cryptocurrency that offers anonymity, be worried?

There is a risk, because the anonymity function is not active by default. So there is a risk of prosecution. We'll see what happens.

How does Nym differ from Monero, Tornado Cash or zCash?

All of them are money blenders, while Nym is a data blender. We have nothing to do with financial services. We operate on a lower layer, which is telecommunication.

Aren't you afraid that the authorities will still be interested in Nym?

We did things the right way. Nym is one of the cleanest projects. We made the choice to set up in Switzerland by submitting to the compliance system, while respecting the American law of "foreign securities".

Concerning American users, only certain accredited structures, such as the venture capital funds that have financed us, can use Nym. The others are blocked.

So you are totally protected against possible lawsuits?

If the U.S. wants to come after us, they can. But in crypto, it's always a race thing. Regulators will go after the easiest cases to deal with first. It's only when they get more proficient that they'll go after the more complex cases. Are we clean enough in the eyes of the US regulator? I don't know for sure, but I think we are.

All the projects that are having problems have a foot in the United States. They have an office there, have sold products to individual U.S. investors, etc. They are not considered "foreign security" because they have real activities in the United States.

Don't you fear arrest as a leader?

We reduce this risk with "over-transparency". Harry Halpin and I are public figures, we don't hide. We do everything by the book and we have a long public history. If the authorities came to bother us, they would risk making us "martyrs".

Using Nym is not free (via the NYM cryptocurrency). Do you think people are willing to spend money to send a communication?

Indeed, there is a fee for using the network. But we consider that many Internet users already pay for a VPN, so there is a market for privacy. The goal is to keep the fees very low so as not to limit usage. We also think that apps like Telegram will be able to handle this expense for their users. Eventually, a lot of people might use Nym without knowing it.

Why would couriers have an interest in this?

Today, Internet services collect countless data about their customers. Many don't know what to do with it. Some resell it in the form of targeted advertisements, but others are faced with the simple cost of managing it, especially since the European RGPD regulation. The idea is that if they use Nym in the relationship with their customers, they will be able to limit themselves strictly to the information they need to provide the service. They won't have to deal with the rest.

Are there any other use cases?

I think that banks could also find an interest in this. Today your mobile operator can know a lot about you, because banking access is through a mobile application. Google or a telecom operator knows people better than their own banks. Banks could therefore use Nym to protect their customers' data from third parties and turn it into a commercial advantage. This is a bit like Apple's approach.

How did you attract VC funds to commit up to $350 million?

I think many are anticipating the shock that is coming. We're heading into a very important democratic debate about the data economy and the impact of mass surveillance. Privacy-preserving technologies are probably a hedge for some of our investors.

A US fund like Andreessen Horowitz realizes this. But it's pretty simple: they have a mandate to invest money and they invest in a diversified way to hedge. They are very pragmatic.

What does Chelsea Manning bring to the table as one of Nym's advisors?

During her years of detention, I think she had time to reflect on the impact of mass surveillance. In the US military, she had access to a lot of information in the late 2000s. But today there are 1000 times more resources to monitor people... That's why it's interesting to join a project that protects privacy.

No items found.

Do you want to join the Web3 revolution?

Find the best of the crypto, NFT and DeFi news every Wednesday and Thursday in the two newsletters written by our specialised journalists Grégory Raymond and Raphaël Bloch.