On Fri, Nov 10, 2000 at 02:56:03PM -0500, Austin Hill wrote:
First to set the record straight, Declan's claim that our software sales have been poor is completely baseless. He has reported this as fact when during my interview with him I clearly stated that we are pleased with our results for Freedom and are seeing substantial growth, so much that we are still hiring more engineers (adding to the already 100 we have working on it) and adding more features and improvements to our consumer privacy product.
This is a non sequitur - the facts that "ZKS is happy with its sales" and "ZKS is hiring more engineers" are unrelated to Declan's evaluation of the available evidence regarding ZKS' sales. In the absence of numbers from ZKS - which would be the best source of that information, if it were available - people wanting to evaluate ZKS and its business must look at less helpful information, which will likely include anecdotal accounts which you dismiss. Now, if the question before us were "Are the shareholders and employees of ZKS happy with their sales?" or "Are ZKS' sales reasonably within the projections in their business plan?" or "Is ZKS close to bankruptcy?", then the facts and feelings you mention above would be responsive. Those are not, however, the questions raised about ZKS, so your remarks don't seem to be responsive. It doesn't seem reasonable for you to complain about Declan writing an article based on incomplete information, but to refuse to provide that information so that the article could be based on better data. I get the impression that you would prefer the article not appear at all - which is a reasonable thing to wish for, but not a reasonable thing to expect. If ZKS wants press, it will have to take the bad (or the inconvenient) along with the good.
Because we as a private company refuse to provide Declan with actual sales & revenue numbers he has persisted in reporting that this is because of poor software sales, based on what he described as anecdotal evidence that he has observed in the cypherpunk community.
Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy.
Sure - cypherpunks are a very small market, so it would be very difficult for even a small business to survive on cypherpunk sales alone. However, that doesn't mean that cypherpunk purchases and evaluations are unimportant, or can be dismissed.
High tech marketing people discuss a "technology adoption life cycle" - Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but I don't know if he was the first person to do so. Briefly, this model suggests that new products or technology are adopted at a rate which describes a bell curve - at the left edge, there's an initially small adoption rate which represents the activity of "innovators", people who actively seek out new technologies and products, and who frequently provide valuable unofficial marketing and support for new products. Moving to the right, we find the "early adopters", who are not technologists themselves (versus the innovators, who are) but are willing to risk adoption of a technology or product not proven on a wide scale if they see a strong benefit. Moving further to the right, we find the "early majority" and "late majority" who make up the bulk of the adopters of the technology, who wait until the product/technology has been approved and proven by the innovators and early adopters. (Following the late majority are the "laggards", who are a small market and unimportant to this message).
When you describe ZKS and Freedom as "consumers who are concerned with their privacy", I believe you are speaking of the middle of the bell curve - as you say, cypherpunks don't need freedom, but the non-technologists do. What your analysis seems to miss is the role that's played by the innovators and the early adopters in bringing a product or a technology to a maturity level where it's acceptable to the much larger middle market.
For your product, cypherpunks, and wannabe-cypherpunks are the innovators or the early adopters, in large part - the people who will experiment with your product, and tell their friends and families and employers and user groups about it. If you don't meet the needs of the early people, you won't get a chance to meet the needs of the people in the middle.
Comments on the cypherpunks list and at physical meetings seem to suggest that Freedom is not enjoying a good adoption rate within what's likely a big part of that adoption curve. I've only seen a few users of ZKS nyms on public mailing lists, which ought to be a popular use for them; a web search with Google and HotBot doesn't reveal any use of @freedom.net email addresses showing up in mailing list archives. If you can point to concrete numbers showing adoption rates, I'm sure that many people would be interested - but telling us that you (as a founder of the company) are happy with your sales doesn't do much to tell the rest of us about what's happening inside ZKS.
My impression - from my own experience, from the lack of apparent adoption by others, and from ZKS' reframing of its business from stronger protection to weaker protection to the new "privacy consulting" stuff is that ZKS is searching for its niche in the marketplace, and hasn't found it yet. There's nothing wrong with that - look at AT&T, or the other long distance carriers moving away from consumer services, or the AOL/Time merger - but denying things which are readily apparent doesn't inspire confidence.
To further improve our security and privacy commitment and to ensure users do not have to rely on or trust Zero-Knowledge's claims, we have also published the source code for the system, which is available at,
As far as I can tell, only the Linux client software and the Linux kernel modules are available - but you said yourself that the real target market is Windows. When will the Windows client be made available for inspection? When will the other server-side software be made available? (Please don't get confused between licensing terms and source code inspection - it's very nice to make software available under GPL or other terms; and it might well be economically or strategically stupid to make your Windows client available under a free license - but that doesn't mean you can't allow open audits of it for security issues, or get an outside organization to publish the results of a code review.)
We are the only privacy company that has published whitepapers on the full protocol, security attacks against the system, and the source code. We believe that this is responsible privacy, and that it is the only way to verify and support our claims to our users.
If there is _ANY_ attack, weaknesses, flaw or security bug we have invited people to review our work and inform us, and we then update our documents to reflect our continued understanding of how to design and implement the best privacy infrastructure available.
Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).
I think everyone agrees that ZKS has built the strongest commercially available client-side privacy system. Again, that's not the interesting question. The interesting question is "Is it strong enough?" Everyone who's looked at the question - from your accounts, inside ZKS, and outside people - seems to agree that nobody knows, or if they know they're not telling.
We have 250+ people working very hard on privacy systems, and have taken huge steps in making sure we are accurate in our claims, transparent in our systems and are delivering privacy services that we can be very proud of.
I don't think there's any question that you folks are working hard, that you are doing a good job of only saying true things, that you are moving towards releasing pieces of your infrastructure for review, or that you're providing a service equal to or better than what's currently on the market. It would be unfortunate if you lost sight of that. It would also be unfortunate if you confuse questions or concerns about ZKS with hostility towards ZKS. If I have a weird spot on my skin and I ask a doctor friend about it, I don't want them to tell me it's nothing to worry about, even if it's really malignant but they don't want me to feel bad. Similarly, if people in the cypherpunk community raise questions about ZKS, I think it's sensible to assume that they're doing it because they want to help ZKS, or because they want to help privacy generally and think you may be inadvertently harming it.
Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.*
This may be true - but your message was the first one that I've seen which describes clearly the changes made in Freedom's design and implementation between v1 and v2, and I'm a customer. (Not an active one, due to configuration issues, but you've got some of my $, and didn't bother to tell me that the traffic-analysis resistance I thought I paid for has been eliminated because it turned out to be difficult.)
While I greatly appreciate your candor - and am confident that your analysis of the economics of the bandwidth required to foil traffic analysis was correct - I do think there's perhaps some room for improvement re keeping people up-to-date on what sort of protection they can expect from Freedom and ZKS.
If you are ever in the mood to update the Freedom FAQ, I suggest that the following questions would be helpful ones to answer -
Q: If I post a message critical of a big company using a Yahoo forum, and the Yahoo registration data points back to my Freedom account (email and source IP), will the big company be able to get my personal information from you with a subpoena?
Q: If I post a message to a mailing list which has some source code that a big company thinks violates the DMCA, and the big company calls the FBI, will the FBI be able to get my personal information from you with a subpoena?
Q: What happens if I make someone really, really angry and they come to your offices and point guns at your employees .. will they be able to get my personal information from you? Assume they shoot a few people to show they're serious. Then will you find a way to give them my personal information? What if they take your computer equipment away from you (or one of your participating ISPs) at gunpoint, and take it back to their hideout for analysis. How difficult will it be for them to get my personal information?
--
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604