On Tue, Oct 31, 2000 at 05:14:49PM -0500, Declan McCullagh wrote:
* I suggested that Freedom had been somewhat less than successful in the marketplace. (Out of 3,500 cypherpunks messages I have stored here, only one nym appears, and this is presumably one of the target audiences.) I suggested that this is a change of strategy for ZKS in an era where investors want profitability. Austin denied it, and said that over 100 engineers "right now" were still working on Freedom.
Sounds like he's denying the notion of a change in strategy, not your underlying premise - that the market for Freedom isn't what they'd hoped for. That seems difficult to deny, though I'd love to see sales figures to the contrary. I'm one of the people who has paid for Freedom, but gave up on it after it trashed a Win 98 installation twice, and I was unable to get a response from ZKS tech support. Austin is very good at answering the questions he thinks someone should ask, not the questions actually asked.
* I suggested the model they were moving toward was Andersen Consulting. Austin said no, "Verisign is the better analogy." He said one difference was that he anticipated ongoing licensing/fee arrangements between ZKS and clients after original work is complete.
I don't know what Andersen is doing re privacy, but I know that D&T, E&Y, and PWC are all operating privacy-consulting arms which do more or less what ZKS seems to be describing, except that they don't get so deep into the technical operations, as far as I know - they don't operate key shares, etc. While I think it's really sensible for ZKS to think about this approach - they've assembled a bunch of smart people who are apparently working on something nobody's buying. They've got to be burning cash pretty quickly, and it only makes sense to repurpose those people into providing their analysis and information to other people who need it. (And, for what it's worth, Adam, it's HIPAA, not HIPPA. :)
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
That seems like a sensible idea, but I'm a little skeptical that they'll pull it off when competing with big well-known accounting firms - the accounting firms have built reputations around maintaining client confidentiality, while ZKS has been pretty aggressively and conspicuously hiring wild-eyed cypherpunk types, who won't necessarily inspire a lot of confidence or trust in accountant and risk-manager types. Me, I'd trust the cypherpunk over the Big 5 guy, but I'm not the customer. Cf. the moderate and slow success enjoyed by the hackers-cum-security consulting firms - they seem to make enough to pay themselves, which is more than can be said for a lot of businesses, but they haven't been as successful as firms with law enforcement and private security backgrounds - not because of lack of knowledge, but because the ex-cops know how to create and maintain an image of reliability and predictability and trustworthiness, which is harder for people who aren't even accustomed to using an apparently "real" name.
But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
This does seem to be the direction they've always been going - at the cpunks meeting prior to RSA in Jan of 2000, Austin was talking about something I'd call "mediated pseudonymity" or "managed pseudonymity", where ZKS ends up as a trusted privacy intermediary. This seems to dovetail well with Stefan Brands' ideas about privacy and anonymity.
I'm pretty skeptical that there's a real market for that - cypherpunks won't trust it, because it's effectively a contract or reputation-based privacy guarantee, instead of a mathematical or information-theory based privacy guarantee. To the consumer market, it's going to look like a prickly complicated version of those "magic wallet" things which promise to fill out web forms for you, but only with your permission .. which don't really solve a compelling problem for anyone even though they're a nice hack. To law enforcement, they'll get what they want via subpoenas or search warrants - I wonder how careful ZKS is about making sure that their US operations aren't subjecting them to extra liability or search/discovery exposure, cf. this week's news re Amex and Mastercard forced to reveal purchase data for offshore cardholders to the IRS. To private litigants seeking discovery, ditto. And to private or public actors uninterested in legal rules, there's old fashioned burglary, a la Watergate hotel and thousands of smaller less well-known examples.
This all comes back to the old Benjamin Franklin saw - "Three men can keep a secret, if two of them are dead." Building the kind of trust that's needed to do the sorts of things ZKS proposes to do takes years or decades; and maintaining good security and a good reputation across that long period of time is very difficult, as Sun recently demonstrated in the key compromise mentioned by Lucky.
--
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604