Updated on: September 7, 2024
It’s hard for everyday people like me and you to remain on top of new cybersecurity threats and complex concepts while trying to protect our data and digital rights without giving up the convenience of our favorite apps and technologies.
In this interview series by Safety Detectives, I speak with cybersecurity experts who share actionable tips, insider knowledge, and predictions for the future, helping you understand what’s really happening with your data and how you can protect your digital life more effectively—without losing your sanity.
Sebastian Bürgel is the co-founder and president of HOPR, a decentralized team working towards universal data privacy. He is also the VP of technology at GnosisDAO. Prior to that, he co-founded Validity Labs and Sonect (fintech). He holds a Ph.D. degree in Microtechnology from the Swiss Federal Institute of Technology.
HOPR (pronounced “hopper”) is a decentralized privacy-focused messaging protocol and network that enables individuals and organizations to exchange information without the risk of third-party surveillance or data breaches.
The topics we discussed:
- Why Web3 is less private than Web2
- Why data deserves more respect
- Privacy diets
- The future of data security, freedom, and regulations
Is there a particular cyber threat or vulnerability that you think is underestimated by your industry? What makes it particularly dangerous and why is it overlooked?
HOPR is building privacy infrastructures for everyone, but we all come from a web3 world and mindset. Web3 is – thankfully – obsessed with cybersecurity threats and vulnerabilities but often looks for solutions in the wrong places.
Web3 is filled with extremely smart builders, who are drawn to exciting new tech. That’s resulted in amazing cryptographic innovations like zero-knowledge proofs, which will surely transform how we do privacy in the coming decade.
However, this focus on complex and sometimes arcane solutions has led to a lack of interest in more prosaic problems which are the ones that matter right now in the real world! On-chain cryptographic wizardry is worthless if the website you’re connected to is leaking your IP address and linking all your accounts together. Two examples:
- The most popular web3 browser wallet extensions still regularly leak ALL your account addresses – which you’re probably working very hard to keep private and unlinked – before you even finish entering your password.
- Exchange front-ends leak so much metadata that we can often pinpoint your wallet address just from the calls to grab the images.
We’ve made several educational tools to highlight the scale of this problem by demonstrating metadata leaks as they happen in standard web3 interactions. This has helped raise awareness amongst users and developers, but there’s an extremely long way to go.
That’s the reality of modern web3, and it’s particularly dangerous because the on-chain security efforts give users a false sense of security.
At a more technical level, a lot of the decentralized infrastructure that powers web3 is particularly vulnerable to targeted denial of service attacks, because of the amount of information the peer-to-peer networks need to broadcast publicly. Again, this comes down to a lack of awareness of the dangers of exposing your metadata. These problems are often quite difficult and “boring” to fix, so they never are.
We’ve seen much larger-scale DoS attacks brought to bear on crypto in recent months, for potentially smaller rewards. It seems inconceivable that people wouldn’t take the opportunity to conduct a simpler, less detectable attack for higher returns.
The most obvious short-term solution is to manually protect your IP address. Good VPN hygiene is important of course, but note that this likely isn’t enough to protect you. Quite apart from the fact that many VPN business models open you up to other privacy issues, VPNs simply don’t provide enough IP address protection.
Source:
https://medium.com/hoprnet/proof-of-stake-validator-sniping-research-8670c4a88a1c
As a result, web3 is in many ways less private and secure than Web2.0. But people are starting to wake up.
How do you help address these potential risks, and what proactive steps should consumers and organizations take to stay ahead of these threats?
HOPR provides metadata-private data transfer via an incentivized mixnet. Node operators route data through the network, mixing as they go, and no user on the path sees the data or the full route. This is particularly useful for obscuring IP addresses and a huge improvement over standard VPNs.
Often an attacker doesn’t need to know your actual IP address to expose your private information or conduct a denial of service attack – as long as your IP address stays static, you’re vulnerable. HOPR can cycle IP addresses rapidly for much better protection, and you also don’t have to trust the VPN provider with your data.
For consumers, there are currently no perfect solutions available, but practicing good data hygiene will help. Don’t give up more data than you need. Have a good strong password regime. Despite the problems with current-generation VPNs, they’re still much better than nothing. You’re still getting marginally better privacy there, just much less than you might expect.
For organizations, it’s important to accept some responsibility. When it comes to data transfer, privacy and security inevitably come with trade-offs in bandwidth and latency. That can’t be avoided, but the scale of these trade-offs is definitely within our control.
In the end, it’s about treating data with respect, rather than taking it for granted. Don’t gather more than you actually need, and don’t treat infrastructure like a free limitless resource. That’s how we’ve got ourselves into this mess. The goal of good infrastructure design is that its users rarely need to think about it. If, as a regular person, you find yourself regularly thinking about the sewerage system, something’s gone wrong. But that doesn’t mean you can flush whatever you like.
Builders of privacy-respecting infrastructure like HOPR are doing their part to tackle these threats, but we need collaboration and buy-in from developers.
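As an added illustration of the mixnet property described above (each relay sees only the next hop, never the payload or the full route), here is a toy layered-encryption relay written for this article. It is not HOPR's own packet format or code; the node names, per-hop keys and SHA-256 counter-mode stream cipher are constructed for demonstration only.

```python
import hashlib
import os

# Toy per-hop symmetric keys (constructed for this example; a real mixnet
# derives these with a key exchange between sender and each hop).
KEYS = {b"A": b"key-A" * 6, b"B": b"key-B" * 6, b"C": b"key-C" * 6}
ROUTE = [b"A", b"B", b"C"]
HOP_LEN = 8  # fixed-width next-hop field so every layer has the same shape

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream. Toy, unauthenticated cipher for
    illustration only (not HOPR's Sphinx packet format)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(payload: bytes, route: list, keys: dict) -> bytes:
    """Sender builds the onion from the inside out: innermost layer is for
    the last hop, outermost for the first. Each layer = next_hop || inner."""
    packet = payload
    for i in range(len(route) - 1, -1, -1):
        next_hop = route[i + 1] if i + 1 < len(route) else b"DEST"
        nonce = os.urandom(8)
        body = next_hop.ljust(HOP_LEN, b"\0") + packet
        packet = nonce + xor(body, keystream(keys[route[i]], nonce, len(body)))
    return packet

def peel(node: bytes, packet: bytes, keys: dict) -> tuple:
    """A relay strips one layer and learns only the next hop and an opaque blob."""
    nonce, ct = packet[:8], packet[8:]
    body = xor(ct, keystream(keys[node], nonce, len(ct)))
    return body[:HOP_LEN].rstrip(b"\0"), body[HOP_LEN:]

def relay(payload: bytes) -> list:
    """Push one packet through ROUTE; return what each hop saw as
    (node, next_hop, remaining_blob). Only the last hop recovers the payload."""
    packet = wrap(payload, ROUTE, KEYS)
    views = []
    for node in ROUTE:
        next_hop, packet = peel(node, packet, KEYS)
        views.append((node, next_hop, packet))
    return views
```

Inspecting the returned views shows the first relay learns only that the packet goes to B, while the final destination and the plaintext stay hidden behind the remaining layers.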
On a more general note, cybersecurity is seen as a constantly evolving battle against attackers. Who is winning?
The good guys have all the tools they need to win this battle, but as an industry, we’re struggling to coordinate and bring them all together. Thankfully, users are on our side here.
The size of the VPN industry is staggering: as of 2024, it is estimated that over 1.6 billion people worldwide use Virtual Private Networks (VPNs). That’s approximately 31% of all internet users and 20% of the world’s total population. Everyone knows they need to care about privacy and security, they just don’t know what to do about it. It’s our job to build simple, easy tools and provide them to users. They’ll do the rest.
What are other crucial things people should STOP or START doing today to improve the safety of their data?
I think it’s hard for people to understand the risks here because there’s a lot of scaremongering and a tendency to focus on the interesting attacks rather than the likely ones. People need to educate themselves about the ways in which they could be vulnerable and then make an assessment.
In many ways, it’s like dieting: small, maintainable steps like changing your VPN and how you’re managing passwords will work much better than a paranoid flurry of activity that you can’t keep up for more than a week.
Where do you see the biggest challenges in the next few years, and how can companies and people in your industry prepare for them? What are you doing in this regard?
One huge emerging challenge lies at the intersection between data security, user freedoms, and regulation.
There’s a risk of a counterproductive battle with governments and regulators, where both sides have unrealistic expectations of what’s possible:
- Web3 wants to operate in a decentralized way, at scale, giving users control of what data they expose.
- Regulators naturally want to acknowledge their various jurisdictions and exert a measure of control to protect their people.
These are both admirable goals, but they don’t happily coexist.
Full anonymity and freedom are pipe dreams, but so is trying to impose centuries-old legal concepts onto a globally connected world. Both sides are going to have to give some ground here. If we can’t find a compromise, there’s a good chance we’ll end up in a place where everyone loses out except the attackers.
Our industry needs to face reality and accept that regulation isn’t going away. We can either proactively bridge divides and try to educate regulators about new approaches they may not have considered, or we’ll wake up and find solutions that have been imposed upon us. HOPR is trying to bridge this gap by educating users, developers and lawmakers about the realities of this problem, not the fantasy.
If there was one key takeaway you wish our readers could bring home from our conversation, what would it be?
Data isn’t digital gold – it’s digital uranium. Useful and valuable, but extremely dangerous unless you’re properly equipped to deal with it. Unless you’re one of a handful of companies with sufficient security, infrastructure, and legal resources to hoover up data with impunity and then effectively monetize it, user data is more often a liability than an asset.
Technology like HOPR is coming to help, but it’s still everyone’s responsibility to treat user data and metadata with the respect it deserves.
How can our readers connect with you?
Website: https://hoprnet.org
X: @hoprnet