Mesh Networks Won’t Fix Internet Security

There’s no doubt that the quality of tech reporting in major newspapers has improved in recent years. It’s rare these days to see a story in, say, the New York Times whose fundamental technical premise is wrong. Still, it does happen occasionally—as it did yesterday.

Yesterday’s Times ran a story gushing about mesh networks as an antidote to Internet surveillance. There’s only one problem: mesh networks don’t do much to protect you from surveillance. They’re useful, but not for that purpose.

A mesh network is constructed from a bunch of nodes that connect to each other opportunistically and figure out how to forward packets of data among themselves. This is in constrast to the hub-and-spoke model common on most networks.

The big advantage of mesh networks is availability: set up nodes wherever you can, and they’ll find other nearby nodes and self-organize to route data. It’s not always the most efficient way to move data, but it is resilient and can provide working connectivity in difficult places and conditions. This alone makes mesh networks worth pursing.

But what mesh networks don’t do is protect your privacy. As soon as an adversary connects to your network, or your network links up to the Internet, you’re dealing with the same security and privacy problems you would have had with an ordinary connection.

To its credit, the project being hyped in the Times, called Commotion, doesn’t seem to be making inflated security claims. Commotion’s own site says that it “can not hide your identity”, “does not prevent monitoring of internet traffic”, and “does not provide strong security against monitoring over the mesh”.

The Times article follows a pattern common in overhyped security stories: it talks about a security problem, points to an exciting new technology, and offers quotes about how useful it would be to solve the security problem. What it doesn’t do is explain how the exciting new technology actually solves the security problem. And the quotes, unsurprisingly, are not from security experts.

Our government has apparently spent millions on the development of Commotion. That may be justified, given that the availability and resilience of mesh networks do help to foster freedom of expression by making it harder for governments to cut off their citizens from independent information sources.

But if government wants to invest in security for Internet users in challenging places, it would be better off putting the money elsewhere. To give just one example, the money spent on mesh networks could probably have paid for security audits for OpenSSL and other critical components that hundreds of millions of people around the world rely on every day.