The “P” in VPN stands for “private”, but what exactly does private mean, and whose responsibility is it?
There are many layers to the Internet Innovation stack. I suspect many more than I can keep track of. Should there be a privacy architecture across all the layers? Should each layer ensure privacy independently?
If I was building a strategy for the Internet ecosystem, and I was the Internet dictator, I would keep it simple. Whatever owns, creates, stores, uses, and sends the data is responsible for privacy, end-to-end: disk drive to disk drive, server-to-server, handset-to-handset. In a nutshell, the application layer. Only the application layer can guarantee privacy end-to-end, and if some people are going to do end-to-end privacy anyway, because they don’t trust network operators for example, why put the complexity of it in other layers? When I say “application”, I don’t mean Facebook, Google, Twitter, Instagram, Amazon, Azure, Salesforce, etc., per se, I just mean that layer of existing applications, and more likely, a new generation of distributed apps with a very different approach to privacy.
I am not Internet dictator, have no ambitions to be Internet dictator, and I don’t know where to apply anyway. If there is one resounding characteristic of the Internet, it is that there is no dictator. Herding cats? 70,000 BGP autonomous systems, tens of thousands of public companies, hundreds of millions of entrepreneurs, and billions of people. Herding those numbers takes some pretty good people and organizational skills. That’s not going to happen of course, so the market will experiment with approaches until it finds one most people can live with.
Then there is layer 8, as we say in the biz, politics.
The success of “The Social Dilemma”, the latest hit on Netflix, implies there is broad interest in regulating the Internet, as there is in regulating other parts of life. GPDR and CCPA demonstrate governments have already decided they need to be industry actors, and act. Entrepreneurs are diving into the privacy issue as well, especially in distributed apps . There are some interesting ideas in development. There is also the trend towards SD-WAN with integrated security, SASE, Zero touch, etc., where the overlay network has security. Then there is you and me. George Washington said in his first inaugural that “…the preservation of the sacred fire of liberty and the destiny of the republican model of government are justly considered, perhaps, as deeply, as finally, staked on the experiment entrusted to the hands of the American people.” Entrusted to the hands of the people. Whether you are American or not, you would know, that in any distributed system, outcomes depend on the leafs as well, not just the spines.
The political momentum to address privacy issues is mounting. I suspect it will result in every enterprise, every institution entrusted with public carriage, as network operators are, putting their hand up, to articulate what contribution they are going to make. I doubt this will lead to cost efficient models for the industry. I doubt it will reduce already complex networking. I doubt it will lead to models that a techie would design, but it will be models that will help voters sleep better at night, and their representatives who can move on to the next issue. Politicians will want a model that works for the most Internet illiterate among us, not the most literate.
In networking, private has always meant separated from other traffic, the ability to use any address desired, and perhaps QoS as well. Virtual network, whether it be virtual LAN (VLAN), or virtual private network (VPN), has pretty much meant the same thing too, because whether you are talking about a single point to point connection or a multipoint network, private means private. Does private mean the obligation to encrypt? Does private mean the obligation to prevent usage unless authenticated (you are who you say you are) and authorized (you are allowed to use resource X)?
Questions like that may be coming at equipment vendors and network operators. With all their encryption key and other complexities. I hope not, I still believe the application layer is the right place to do it, but politics, an abundance of caution, and lack of consensus means future directions are uncertain.