Analysis of Nym VPN and its "guaranteed" privacy

I decided to create a new, more direct thread based on the following:
https://discuss.privacyguides.net/t/nymvpn-nym/25085/46

The point here is that I can’t find any real-world evidence backing up the company’s claims regarding their 5 nodes against high-level adversaries. I don’t want whitepapers or lab results; what I want is proof based on reality.

Does anyone in the community have this evidence so we can analyze it?

I left 5 questions for their support team on Telegram. No one has replied to my message, and I gave them a reasonable 5-day window so this wouldn’t drag on forever. If they don’t respond, it’s because they are hiding something.

A warning to those without experience: be careful with pretty words that lack any irrefutable backing.

ANALYZING NYM’S ARGUMENTS

A brief report citing public information.

1 - Basic patterns detected:

While our encryption standards are already extremely strong, we aim to make them post-quantum secure, staying ahead of emerging threats and ensuring digital privacy even in the face of evolving technology.
Source: https://nym.com/nymvpn-litepaper

-> The company trusts its encryption against new emerging threats, but forgets that high-level adversaries possess undisclosed, covert weapons.

c. not to engage in any actions aimed at manipulating network responses in a manner that could compromise the integrity and security of the Nym Mixnet or Nyx Blockchain.
Source: https://nym.com/operators-validators-terms

-> Asking node operators to comply with this is positive, but the NSA, for example, just laughs at Nym. Malicious actors (the NSA, the mafia, etc.) will ignore these rules and infiltrate the network, or are already infiltrated; each will operate according to their own agenda.

2 - Advanced patterns detected:

-> Not applicable. It is not fundamental to this service.

3 - Emerging dangers:

Two words - Privacy “guaranteed”.

-> There are high-level risks in placing blind trust in the Nym service without questioning it. People like me have absolute distrust toward Nym. What does this mean? The word “guaranteed” implies that privacy, in this context, is ensured 24/7, year-round, invisibly, just as Nym claims: “anonymous” based on 5 nodes. However, they forget that with even a single minor error, they will be held fully liable, directly contradicting their own Terms of Service.

Nodes run by “volunteers”.

-> Nym pays people for their work and for operating their nodes so that users can obtain privacy benefits. However, this is an open invitation to greater risks from veteran hackers, the mafia, etc., not only to get easy money but also to carry out operations of higher interest. Even if the network is difficult for attackers or unfamiliar to them at first, they will learn how it works if it’s something new, and will stealthily counterattack.

4 - Deep, multi-level reasoning:

-> Not applicable. It is not worth applying a higher level of analysis to this service.

---

I have not been able to find any real evidence backing up their use of the word “guaranteed” that proves the reality of their claims. Without actual, verifiable proof against high-level adversaries, such as those mentioned above, their arguments collapse under their own weight.

Warning: Any company that uses arguments like → “guaranteed privacy”, “guaranteed math”, “we guarantee you…”, etc., and similar phrases, is just using marketing with no basis in real-world facts.

So far, no one has replied to my message on Telegram, but they haven’t deleted it either. The CEO is right there answering basic messages from other people.

1 Like

Am I the only one or do others feel this post is very passive aggressive and that OP is writing this as saying (claiming) all that they are as if they’re the authority on the subject matter?

If you are the authority, then you’d have the maturity to even better and fully explain your claims and statements with how the tech works in more simpler ways as one who is trying to educate and not one who is trying to “get” a company in a lie without proper and more detailed explanation.

There’s an etiquette involved here which I feel you’re ignoring willingly or unknowingly.

7 Likes

What “proof” are you even expecting?

Based on your comments in the other thread, you seem to be expecting some miracle solution that is both capable of providing anonymity while also being very fast. Like, transferring an 8 GB file over any network like this is gonna be slow.

Also, if this is how you wrote to their support, I’m not surprised they’re ignoring you.

1 Like

I came here expecting an exciting write up about cryptography. I got a rant instead. I’m disappointed.

4 Likes

It reads like OP has made up their mind and is just looking for confirmation. I would call this ‘adversarial skepticism’. 😄

@anon7180143 :

Are you attacking me personally, or are you trying to figure out if Nym is lying or not?
If I were to explain it in deep, exhaustive detail, who would even read it? They’d ask for a summary, and I don’t do summaries.

@byesun :

So, you’re basically proving my point. If Nym can’t back it up when it’s a matter of life and death, their use of the word “guaranteed” is just hot air. Besides, it’s completely valid to ask tough questions, and they’re entirely justified because fear isn’t an option. And the fact that I was direct about it in public so everyone could see it isn’t something I just made up.

@Shampoo :

The one who has to prove it based on real-world facts is the company Nym, not me, since they’re the ones claiming it’s “guaranteed.”

1 Like

This isn’t a “tough question,” it’s a meaningless question. “What if I need to send 3 TB to someone in 5 seconds? I thought my privacy was GUARANTEED!!!”

In any case, the performance of the mixnet is poor. They’ve stated this themselves many times, and it’s something they’re working on improving. That does not mean it’s somehow not private. If you yourself choose to swap from the mixnet to the two-hop WireGuard setting, you are the one choosing to reduce your privacy in exchange for a faster transfer rate.

Whether there are enough nodes and whether they are decentralized enough is another story. Maybe they are, maybe they aren’t. But the way you’ve gone about this is ridiculous.

2 Likes

Burden of proof is on the accuser. Even more so in situations like this.

2 Likes

Well, in a sense, they guarantee that they use cutting-edge technologies: far more advanced than those listed in the Privacy Guides’ recommendations (for example, the Amnezia 2.0 protocol). The fact that the NSA can control most nodes doesn’t depend specifically on this provider; it affects all market participants. Don’t use nodes in jurisdictions that are easily controlled from the U.S.

1 Like

I think OP is looking for confirmation bias*

Glad I’m not the only one who noticed the tone and ignorance. I was going to explain the “questions” he had on the Nym thread but figured I’d just be losing time considering the mindset of OP here.

@byesun :

So, you’re basically implying it yourself between the lines. Ask yourself: what is that word “guaranteed” even doing there? Do you realize the danger of that word, then? Skimming it on a surface level is all well and good, but it goes so much deeper than that. I invite you to revisit point 3 and really analyze it.

@Bumbashirovich :

If that were the case, the Nym team would have told me in under an hour on Telegram, right in their own group, just like you’re explaining its meaning to me now. Why are they still silent, then? Don’t ignore the other high-level threats, either—the NSA is one thing, but there are plenty of others in different countries. Read the context and study it.

@object2598 :

If you know the “answers,” why don’t you just say so directly? Go ahead, I’m all ears. Do you work for Nym? Post it on Telegram along with your “answers” and I’ll read it, because if you were actually on the Nym team, you would have replied to me there.

What are you talking about? I said nothing about answers — my only comment on your post was about how adversarial your tone was, which hasn’t changed in any of your replies. I’m not surprised: every time I’ve interacted with you, you seem to start hostile and become more so.

Sorry, that message wasn’t meant for you; it was for the other person. I made a mistake and I own it.

Let me fix that now.

This is a reasonable goal. Let’s see what we can do

This is a bold accusation based on no evidence of wrongdoing. I operate on zero-trust: I will assume any service provider could be compromised, but I stop short of baseless accusations

FUD. We threat model against evidence-backed threat vectors. Mitigations against undefined, hypothetical threats are not practical

Wise. This is zero-trust architecture. Assume bad actors can/will penetrate wherever possible

Disagree. Traffic analysis is an emerging threat vector. Providers like Mullvad are beginning to design mitigation techniques. I assume the intent here is similar

Your argument here just seems to be a pedantic case against the word “guaranteed”. I do ultimately agree with your premise, but don’t feel it’s a meaningful indicator of their actual services

We’re back to zero-trust architecture. Good stuff. This is almost identical to issues Tor faces - users can maintain anonymity if a node is compromised, but it becomes difficult to do anything if the whole volunteer node network is assumed to be hostile

I think this is rehashing the same emerging mitigation techniques as section 2

_______

So far as ‘proof’ goes, it does look as though they’ve been audited a couple of times. For example, I found the Cure53 report here. These are probably a good starting point for assessing the tech

4 Likes
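The point above about hostile nodes (one compromised node is survivable, a wholly hostile volunteer network is not) can be made concrete with a small model. The following is an added example written for this thread; it is not code from Nym, from Tor, or from any poster here. The node pool size, the number of adversary-controlled nodes and the path lengths are constructed assumptions; the hop counts 2 and 5 only mirror the two-hop WireGuard mode and the five-node mixnet path mentioned in the discussion, and the "entry plus exit" figure models the Tor-style timing-correlation case rather than anything Nym documents.

```python
import random


def path_compromise_probability(n_nodes: int, adversary_nodes: int, hops: int) -> float:
    """Exact probability that every hop of a path of `hops` distinct nodes, drawn
    uniformly from a pool of `n_nodes` of which `adversary_nodes` are hostile,
    is adversary-controlled (sampling without replacement, so the factors shrink
    hop by hop). This is the 'whole path observed' case a mixnet is designed to
    force an adversary into."""
    if hops > n_nodes:
        raise ValueError("path longer than node pool")
    p = 1.0
    for i in range(hops):
        p *= (adversary_nodes - i) / (n_nodes - i)
        if p <= 0:
            return 0.0
    return p


def entry_exit_probability(n_nodes: int, adversary_nodes: int) -> float:
    """Low-latency onion routing (Tor-style) model: an adversary observing both the
    entry and the exit hop can timing-correlate a flow, so only those two hops need
    to be hostile, whatever the path length in between."""
    return path_compromise_probability(n_nodes, adversary_nodes, 2)


def simulate(n_nodes: int, adversary_nodes: int, hops: int, trials: int, seed: int = 7) -> float:
    """Monte Carlo check of path_compromise_probability: build a constructed pool,
    mark a random subset as hostile, draw random paths and count full compromises."""
    rng = random.Random(seed)
    nodes = range(n_nodes)
    hostile = set(rng.sample(nodes, adversary_nodes))  # constructed adversary set
    hits = 0
    for _ in range(trials):
        path = rng.sample(nodes, hops)
        if all(node in hostile for node in path):
            hits += 1
    return hits / trials


def report(n_nodes: int, adversary_nodes: int) -> dict:
    """Compare the scenarios the thread argues about for one assumed adversary share."""
    return {
        "two_hop_path": path_compromise_probability(n_nodes, adversary_nodes, 2),
        "five_hop_path": path_compromise_probability(n_nodes, adversary_nodes, 5),
        "entry_and_exit_only": entry_exit_probability(n_nodes, adversary_nodes),
        "whole_network_hostile": path_compromise_probability(n_nodes, n_nodes, 5),
    }


if __name__ == "__main__":
    # Assumed pool: 100 nodes, 20 of them run by one adversary (constructed numbers).
    for name, value in report(100, 20).items():
        print(f"{name:>22}: {value:.6f}")
    print(f"{'simulated two_hop':>22}: {simulate(100, 20, 2, 20000):.4f}")
```

The useful reading is the contrast between the rows: the five-hop figure falls off sharply with a partially hostile pool, the entry-plus-exit figure does not improve with path length at all, and the last row shows that no path length helps once the entire pool is hostile, which is the scenario the post above describes. Whether a real deployment sits closer to the first or the last row depends on how many independent operators actually run the nodes, which is exactly the open question raised in the thread.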

As the other user mentioned, the entire basis of this point is a pedantic freak out over the meaning of the word “guaranteed.” Your argument for them being untrustworthy because of this is just dumb.

Since you didn’t source where that quote comes from, it comes from their home page. It’s a section header at the bottom of the page where they list their audits. The “guaranteed” here is referring to the audits “guaranteeing” that their service does what it says it does as far as the auditors can tell.

> However, they forget that with even a single minor error, they will be held fully liable, directly contradicting their own Terms of Service.

This applies to nearly every internet-facing (and often non-internet-facing) service. If they have an exploitable bug and their system is compromised, whoops, all your data has been siphoned off. It is not the insightful point you seem to believe it is.

@privacy.slouchy :

Alright, straight to the point:

1 - When you ask a company a hard-hitting question about a matter of life and death for someone being hunted, why do they stay silent?
2 - It’s not “FUD.” That’s what they want you to believe based on “lab” tests, but not in a real-world war in the world we actually live in (and that includes the digital realm).
3 - You tell me you disagree with what I said, but it turns out points 2 and 4 are different. And to top it off, point 1 and the two dangers mentioned are more than enough. There’s no need to create an exhaustive list.
4 - You dismiss a scenario as “pedantic” while simultaneously telling me you agree with me. Why the contradiction? Do you have any idea how much weight that word “guaranteed” carries? Take point 1, for example.
5 - You made a good point about zero trust, but I have a fundamental question for you: will an audit save the life of someone being hunted, like I mentioned earlier?

@byesun :

You interpret it as “panic,” but it isn’t, and it isn’t “pedantic” either. So, you’re basically proving my point—are you even aware of that? And it’s not just about what you’re saying; it applies across the board: → Privacy ← “result: guaranteed.” If there’s even the slightest security flaw while that word “guaranteed” is being thrown around, the hunted person dies trusting the tool, despite having decent OpSec. Is the company liable? The answer is yes, and the family would have every right to sue the company for false and unethical advertising. Do you get now just how heavy that word is? I invite you to play detective, to connect the dots and dig deep. Don’t just settle for the surface level—dig into the depths, and if you keep learning, you’ll understand way more than what it literally means.


A little invitation for you both: if you didn’t already know, look up a bit of history on Edward Snowden and the Lavabit email service.

My intention is simple: to protect people who lack knowledge and don’t know how to defend themselves, by demonstrating in just a few words that Nym’s company must be honest and remove the word “guaranteed” if it is truly honest.

1 Like

> I invite you to play detective, to connect the dots and dig deep. Don’t just settle for the surface level—dig into the depths, and if you keep learning, you’ll understand way more than what it literally means.

Amazingly condescending. As expected of someone spreading FUD.

> If there’s even the slightest security flaw while that word “guaranteed” is being thrown around, the hunted person dies trusting the tool, despite having decent OpSec.

If you have decent OpSec, you would actually look into the tool you’re using rather than taking a phrase used in a random section header on a page filled with marketing speak at face value. Especially given that there are two modes, one of which is very clearly meant to be more private than the other. Literally even discussed on the same page the “privacy guaranteed” section header is located, in a more prominent section near the top of the page.