If you’re looking to increase your privacy online, you’ve probably read that using one of the best VPN services is the best way to go about it. We would know – at Ditching we always write about VPNs and recommend our favorite providers.
However, security company INVISV claims that a VPN is not the right tool from a privacy and security point of view.
That’s why it offers its INVISV Relay software, which it claims is a better option to protect users’ data.
But how do multi-party relays (MPRs) work in practice? And can they really completely replace your virtual private network?
The problem of trust
“We are challenging something fundamental in that space: that in order to protect our privacy we need to hand over our data to a specific company (such as a VPN provider) who will supposedly protect us,” said INVISV co-founder Barath Raghavan.
According to Raghavan and his business partner Paul Schmitt, the problem lies with the software infrastructure, which implies a degree of trust between users and software vendors. The same concept also applies to companies behind, for example, the best antivirus software or secure e-mail services.
They also believe that independent VPN audits – a growing practice in the privacy industry – cannot fully fix this security flaw either, as they still rely on a degree of user trust. According to INVISV, it is better to place the protections directly in the software architecture.
“There are so many of these third parties that they say ‘trust us, send us your details and we’ll fix your security or privacy problem,'” Raghavan told Ditching. “This isn’t really the right design for privacy.”
How do MPRs work?
Available only on Android devices, INVISV Relay is an MPR, designed on the principle that none of the parties involved can see complete user-linkable data. However, INVISV Relay is certainly not the first MPR out there. Apple Private Relay is indeed a very similar tool available for iOS.
Both apps are built on a privacy design formulated by American computer scientist David Chaum in the 1980s, something known as the Decoupling principle.
Here the data traffic goes over two separate servers that are managed by two different organizations. Theoretically, none of the parties involved can see the full set of information, which means that it is not possible to associate the identity of users with their activities.
Tor browser, for example, is built on the same premise – described as “onion routing”. However, since it is free software and generally uses three layers of encryption by default, Tor lacks the level of performance that most mobile users require.
“What we’ve done is create something that has the right privacy principle, but is fast,” said Raghavan, who promises that INVISV Relay can work as fast as your normal browser connection.
For this, the service uses one of the best CDN networks out there, Fastly, because it implements the encryption protocol known as IETF MASQUE, which combines TLS-encrypted HTTPS connections with reliable and fast performance. It’s also open-source, meaning anyone can check the network for vulnerabilities.
Your data leaves your device through a TLS encrypted tunnel to reach INVISV’s first server. As the company explained to us, this server can only see a stream of encrypted data going from your IP address to the next hop, which is managed by Fastly.
At this point, Fastly will decrypt your data in transit, but it will only be able to see that it is coming from the INVISV server rather than from a specific user. It then sends your information to your final destination.
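The two-hop flow described above can be modelled in a few lines. This is an added example, not code from INVISV, Fastly or the MASQUE specification: the cipher is a toy stand-in for the TLS tunnels, and the addresses, keys and function names are constructed for illustration. It records what each hop is able to observe.

```python
import hashlib
import json
import os

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in for a TLS tunnel;
    encrypting and decrypting are the same operation. Not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def client_send(client_ip, dest, k_first, k_second):
    # Inner layer: only the second hop holds k_second, so only it learns dest.
    inner = toy_cipher(k_second, json.dumps({"dest": dest}).encode())
    # Outer layer: the tunnel from the device to the first hop.
    return {"src": client_ip, "data": toy_cipher(k_first, inner)}

def first_hop(packet, k_first, own_addr):
    inner = toy_cipher(k_first, packet["data"])  # still ciphertext under k_second
    view = {"src": packet["src"], "payload": inner}  # everything this hop can see
    return view, {"src": own_addr, "data": inner}    # forwarded under its own address

def second_hop(packet, k_second):
    request = json.loads(toy_cipher(k_second, packet["data"]))
    return {"src": packet["src"], "dest": request["dest"]}  # everything this hop can see

def run_demo():
    k_first, k_second = os.urandom(32), os.urandom(32)  # constructed session keys
    packet = client_send("198.51.100.7", "example.org", k_first, k_second)
    view1, forwarded = first_hop(packet, k_first, "first-hop.example")
    view2 = second_hop(forwarded, k_second)
    return view1, view2

if __name__ == "__main__":
    v1, v2 = run_demo()
    print("first hop sees :", v1["src"], v1["payload"].hex())
    print("second hop sees:", v2)
```

The first hop's view holds the user's IP address but only ciphertext; the second hop's view holds the destination but only the first hop's address. Linking the two requires both operators to combine their records.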
Can MPRs Replace VPNs?
So MPRs seem to have the potential to better secure your online data without you having to worry about the companies involved storing or leaking your sensitive information.
However, there is still a wide range of use cases where opting for a VPN is the better bet.
First of all, both INVISV Relay and Apple Private Relay are only available for mobile devices at the moment – Android and iOS respectively. This means that a VPN is still the best solution for surfing the web anonymously on your laptop or PC while enjoying high connection speeds.
Another major limitation of MPRs is that they are not designed for people who want to change their IP address. So if you want to get around any kind of online restrictions – be it your school or workspace firewall or your government’s online censorship – you still need a good VPN to do it.
One of the most popular VPN applications isn’t even about security – it’s about streaming. By connecting to various servers around the world, VPN users can fake their virtual location and access streaming content that is unavailable or unaffordable in their own region. Since MPRs don’t affect your virtual location, this is off the table.
“What we’re really trying to get across is that there’s just another way to protect privacy than people.” should “We’re trying to provide something that’s practical for the average user, that just improves their privacy without having to rely on anyone’s promises.”
So for those who just want to protect their browsing and disconnect their identity from their browsing, an MPR is a good choice. However, if you’re looking for any of the other benefits traditionally offered by VPNs, an MPR won’t deliver.