May 26, 2017

Mesh Networks Won't Fix Internet Security

There’s no doubt that the quality of tech reporting in major newspapers has improved in recent years. It’s rare these days to see a story in, say, the New York Times whose fundamental technical premise is wrong. Still, it does happen occasionally—as it did yesterday.

Yesterday’s Times ran a story gushing about mesh networks as an antidote to Internet surveillance. There’s only one problem: mesh networks don’t do much to protect you from surveillance. They’re useful, but not for that purpose.

A mesh network is constructed from a bunch of nodes that connect to each other opportunistically and figure out how to forward packets of data among themselves. This is in contrast to the hub-and-spoke model common on most networks.

The big advantage of mesh networks is availability: set up nodes wherever you can, and they’ll find other nearby nodes and self-organize to route data. It’s not always the most efficient way to move data, but it is resilient and can provide working connectivity in difficult places and conditions. This alone makes mesh networks worth pursuing.

But what mesh networks don’t do is protect your privacy. As soon as an adversary connects to your network, or your network links up to the Internet, you’re dealing with the same security and privacy problems you would have had with an ordinary connection.

To its credit, the project being hyped in the Times, called Commotion, doesn’t seem to be making inflated security claims. Commotion’s own site says that it “can not hide your identity”, “does not prevent monitoring of internet traffic”, and “does not provide strong security against monitoring over the mesh”.

The Times article follows a pattern common in overhyped security stories: it talks about a security problem, points to an exciting new technology, and offers quotes about how useful it would be to solve the security problem. What it doesn’t do is explain how the exciting new technology actually solves the security problem. And the quotes, unsurprisingly, are not from security experts.

Our government has apparently spent millions on the development of Commotion. That may be justified, given that the availability and resilience of mesh networks do help to foster freedom of expression by making it harder for governments to cut off their citizens from independent information sources.

But if government wants to invest in security for Internet users in challenging places, it would be better off putting the money elsewhere. To give just one example, the money spent on mesh networks could probably have paid for security audits for OpenSSL and other critical components that hundreds of millions of people around the world rely on every day.


  1. Australian says:

    “if government wants to invest in security for Internet users” – uh? I’m still trying to parse that sentence. I do not think that can mean what you appear to be trying to say…

  2. Ben the Pyrate says:

    To be fair, the term “mesh network” tends to get thrown around quite loosely these days and can mean different things in different contexts.

    The mesh technology in Commotion doesn’t do much to protect you from surveillance; however, technologies like CJDNS, Tor, and I2P (which are often described as “mesh”, particularly by redditors) do make claims about protecting you from surveillance.

    Theoretically, mesh networking like that found in Commotion could provide you some (weak) protections against surveillance of communication within your local community. Since the infrastructure is distributed and ad-hoc, as opposed to centralized at a single ISP, it may make it somewhat harder or at least more expensive for three letter agencies to monitor all of the communications within the mesh network. However, layer-3 mesh networking protocols are inherently trusting, so they can be weak against bad actors who want to disrupt the network.

    Despite its age, mesh networking is still an immature technology for the kinds of use cases people wish to apply it to.