Split-trust network privacy service

Split-trust network privacy service

A split-trust network service separates the operator that sees a customer’s source IP address from the operator that sees destination-facing traffic. Neither ordinary operator should hold the complete mapping.

Obscura implements this pattern with Obscura as the entry service and Mullvad as the exit provider. Apple Private Relay uses separate relays for supported Safari traffic. Nym VPN fast mode uses a two-hop decentralized route, while its anonymous mode adds a mixnet between gateway and exit. Portmaster and SPN instead calculates onion routes per connection and integrates them with an application-aware endpoint firewall. The open market gap is a general-purpose service with open clients, independently governed operators, and explicit jurisdiction and route choices.

Product requirements

The trust split is only real when:

  • entry and exit operators have different ownership and administration
  • their logs use no shared customer identifier
  • billing and support cannot silently reconstruct the route
  • contracts prohibit routine cross-party correlation
  • independent audits test both technical and organizational separation
  • clients authenticate the intended operators
  • route selection does not silently collapse to one operator
  • collusion, timing analysis, endpoint compromise, and traffic fingerprinting are stated limits

Two servers controlled by one company do not create two independent parties.

Jurisdiction is a routing policy, not a slogan

“Outside the United States” is not a complete threat model. A useful policy asks:

  • Which law governs the subscriber relationship?
  • Which operator can receive an identity or payment demand?
  • Which operator can receive a traffic or server-seizure demand?
  • Can the two demands be coordinated across borders?
  • Are the operators economically independent?
  • Does the chosen location create blocking, latency, or abuse-handling problems?

A customer may reasonably prefer an EU or Swiss relationship, but no jurisdiction eliminates legal process or operational compromise.

Commercial path

Do not begin with a global VPN fleet. Possible wedges are:

  1. an open relay client and conformance suite
  2. a business relay pairing two existing providers
  3. a Nordic exit or entry partnership for one defined customer class
  4. an auditable broker that lets organizations choose independent operator pairs

Revenue can come from subscription margin, managed organizational routes, and conformance or audit tooling.

Risks

Network abuse, app-store distribution, support, uptime, lawful demands, and payment correlation can dominate the elegant protocol design. VPN service legal risk remains the launch gate. This is a later infrastructure bet, not the simplest way to test the privacy market.

Sources

  1. obscura.net
  2. support.apple.com
  3. rfc-editor.org
  4. nym.com
  5. docs.safing.io