I spent perhaps half an hour on the phone with Austin Hill this afternoon. Here's what we discussed.
* I suggested that Freedom had been somewhat less than successful in the marketplace. (Out of 3,500 cypherpunks messages I have stored here, only one nym appears, and this is presumably one of the target audiences.) I suggested that this is a change of strategy for ZKS in an era where investors want profitability. Austin denied it, and said that over 100 engineers "right now" were still working on Freedom.
* I suggested the model they were moving toward was Andersen Consulting. Austin said no, "Verisign is the better analogy." He said one difference was that he anticipated ongoing licensing/fee arrangements between ZKS and clients after original work is complete.
* ZKS will offer to store keys. "That includes us holding encryption keys." Austin described the key-splitting the same way Adam has here. He refused to say whether or not a third-party (Joe's Escrow Service) would ever hold keys.
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
* Austin mentioned cell phones/wireless as a major area. He envisions services such as if you call 911, your info is revealed, but not when phoning other numbers.
* Tim below suggests that "Wouldn't a better approach be for Alice to protect her own privacy?" The answer, generally, is yes. I suspect the Brands patents can do much to that end. But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
I welcome responses.
-Declan
At 10:30 10/31/2000 -0800, Tim May wrote:
At 1:06 PM -0500 10/31/00, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 09:11:23AM -0800, Tim May wrote:
| >>Zero-Knowledge is committed to deploying systems that are
| >>transparent and accountable. In keeping with this policy,
| >>MPS will incorporate third party verification and split
| >>encryption key structures
|
| Split encryption key. I think that says it all.
Geez. I don't know how we ended up with that wording. Multiple key would have made more sense. The goal is to have a set of keys which are held by different entities. Thus, your data is encrypted such that each of those entities needs to be involved to decrypt it.
By split key encryption, we mean: E_a(E_b(E_c(data))) where E is a strong algorithm (3des, twofish, AES), and the keys (abc) are full strength, properly generated and stored keys for the system.
Let's stipulate that the split keys are as strong as one can imagine.
OK, let's set the stage with some players:
* Alice, a consumer or customer
* Bobco, a giant corporation dealing with Alice, collecting information on her, and all the usual stuff involving corporations dealing online with consumers like Alice.
* Chuck and Debby, the holders of the "split encryption key," aka the "trusted third parties." (Extending the set to 3 or 4 or N such trusted third parties does not alter the basic discussion. Nor, by the way, does just having a _single_ trusted third party alter the basics of the legal/GAK structure: if the legal or national security system can force two parties to disclose, forcing one is easier, forcing 3 is slightly easier, and so on. But these are "polynomial" issues, so to speak.)
I want to set the state so I can better understand just how and where this new ZKS system might be useful (to Alice, to Bobco, to governments).
Given that we're doing this for businesses that are collecting data now, if you consider those parties 'trusted third parties,' then we're increasing the assurance that surrounds them.
This business is what I called Bobco above.
Now, suppose Bobco is using the ZKS system. I can see three regimes for any use of a crypto product:
-- storage, at either Alice's or Bobco's site
-- transit, between Alice and Bobco
-- unlinkability: something to do with the linkage of purchase information with identity; how Bobco collects and disseminates information about customers like Alice
The first two are conventional crypto issues, and don't need a new system. Both Alice and Bobco are responsible for securing their own data. Should laws require Bobco to secure Alice's data in some specific way, split key systems are still a poor solution.
As near as I can tell, your concern about "privacy laws" has something to do with the third main use for crypto: unlinkability. Am I right?
Before I proceed further, let's see if this is where we're going.
We consider them 'merchants,' 'shipping companies' and other such businesses who today get data from you. They're not trusted third parties in the Clipper chip sense, but they are parties who store information about you, often in very insecure and unprivate ways, as MCI, CDnow, and others have found out.
This sounds like the unlinkability again. If so, this is a tough, tough nut to crack.
If Bobco is shipping products to Alice, Bobco knows her address and what she is buying. Fill in whatever examples one wishes.
And if Alice answers a questionnaire about her buying preferences, her income, her age, etc., then Bobco will have this information.
Hard to imagine how adding Charles and Debby to the system as trusted third parties helps things. Now, if Alice goes through a complicated procedure of dealing with Charles and Debby to only selectively reveal her preferences, or if Charles or Debby act as "third party shipping agents," so that Bobco doesn't know who he shipped a product to, then some unlinkability has been gotten.
Anyway, I could ramble on about whether or not this makes for an interesting and profitable market niche, but it doesn't seem to be the thrust of where ZKS is going with this new product.
Fact is, third party secrets are not interesting IF Bobco can aggregate the secret information AT ANY TIME. Unless some kind of unlinkability or blinding (a la Joan Feigenbaum's work on "computing with encrypted instances") is done, the trusted third parties don't serve much purpose that I can see.
Maybe I'm missing something.
How will Alice's privacy be protected from Bobco by having Charles and Debby (or just Charles, or Charles, Debby, Edward, Fred, and Greta, etc.) hold split keys?
Wouldn't a better approach be for Alice to protect her own privacy?
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
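The layering Adam describes in the quoted text, E_a(E_b(E_c(data))), is sketched below as an added example that is not part of the original thread or any ZKS code. It shows that every key holder must take part, in order, to recover the record. Assumptions: an HMAC-SHA256 keystream with a per-layer tag stands in for the 3DES/Twofish/AES he names (Python's standard library ships no block cipher), and all function names, keys and the sample record are hypothetical.

```python
import hashlib, hmac, secrets

NONCE_LEN, TAG_LEN = 16, 32

def _prf(key, label, msg):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Counter-mode keystream from the PRF; XOR is its own inverse.
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(8, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(key, data):
    # One layer E_k: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor_stream(key, nonce, data)
    return nonce + body + _prf(key, b"mac", nonce + body)

def unseal(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + body)):
        raise ValueError("wrong key for this layer, or data modified")
    return _xor_stream(key, nonce, body)

def encrypt_layered(data, keys):
    for key in reversed(keys):   # innermost layer (E_c) is applied first
        data = seal(key, data)
    return data

def decrypt_layered(blob, keys):
    for key in keys:             # peel the outermost layer (E_a) first
        blob = unseal(key, blob)
    return blob

def recovers(blob, keys, expected):
    # True only if this set of holders, in this order, yields the plaintext.
    try:
        return decrypt_layered(blob, keys) == expected
    except ValueError:
        return False

# Constructed sample: three holders, each generating its own 256-bit key.
KEY_A, KEY_B, KEY_C = (secrets.token_bytes(32) for _ in range(3))
RECORD = b"alice@example.com; order 1 (constructed sample record)"
BLOB = encrypt_layered(RECORD, [KEY_A, KEY_B, KEY_C])

if __name__ == "__main__":
    print("all three holders:", recovers(BLOB, [KEY_A, KEY_B, KEY_C], RECORD))
    print("holder b absent:  ", recovers(BLOB, [KEY_A, KEY_C], RECORD))
```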