cdata
commented
2 years ago So first: thank you @erangell for starting the discussion on this important privacy topic. It has been on our minds for some time, and I would like to approach it in the spirit of scoping out the possibilities (as opposed to simply saying "it's in scope" or "we will never support this").
The layering approach we have most frequently talked about supporting is roughly this: users who wish to have network-level privacy among a set of peers can run their gateways on a (virtual or physical) private network. Since our design uses a DHT for peer discovery, ensuring privacy would mainly be a matter of restricting the peer list to those peers on your private network.
From a privacy + content availability perspective, the above described approach does raise at least one conspicuous question: what if you want to link from a note in your private sphere to content that is associated with a sphere from outside of your private peer group? We have not settled on an answer to this question at this time. If you can only route through peers in your private network, that implies that you cannot route to content outside of the private peer group. One possible solution would be to vend some kind of relay/proxy that would be the private network's agent for accessing public network content (a trade-off being that this complicates deployments for private networks).
So, what other approaches might we consider?
erangell
Comment from cdata: I wouldn't go so far as to rule it out of scope, but in-scope may mean ensuring that anonymity by layering is well supported.
Comment from erangell: At what level of the application should IP anonymity be built?
Use case: A neighborhood community of marginalized people needs to communicate privately in order to plan a protest and ensure that authorities cannot trace a social graph of IP connections to find the leader and pre-empt the protest.