CDR: Zero Knowledge changes business model (press release)
From: kcory@redwhistle.com
To: declan@well.com
Date: Tue, 31 Oct 2000 06:55:11 -0800
Subject: Zero-Knowledge Introduces Managed Privacy Services for Businesses
Hi Declan,
Today, Zero-Knowledge Systems is introducing its Managed Privacy Services (MPS) offering to solve the privacy challenges that businesses face in today's privacy-conscious business environment.
Privacy is good business. Companies in every industry are realizing they must institute the proper privacy policies, practices and infrastructures in order to succeed in today's digital economy. Zero-Knowledge Managed Privacy Services provides the tools and strategies that enable business to establish private customer relationships and earn consumer trust while ensuring legislative compliance and mitigating risk.
As companies have become aware of the privacy risks and legislative hurdles facing them, many have turned to Zero-Knowledge for advice and solutions, and the MPS offering is the natural response to companies' needs for comprehensive privacy solutions.
I've included the press release about MPS below. If you have any questions about Zero-Knowledge's Managed Privacy Services offering or would like to set up a conversation with Zero-Knowledge President Austin Hill, please give me a call at 503-552-3749.
Best regards,
Kristy Cory
503-552-3749
ZERO-KNOWLEDGE SYSTEMS INTRODUCES MANAGED PRIVACY SERVICES TO SOLVE THE PRIVACY CHALLENGES OF BUSINESSES
Montreal -- October 31, 2000 -- Zero-Knowledge(R) Systems, the leading developer of privacy solutions, today introduced its new Managed Privacy Services(TM) offering to solve the privacy challenges of businesses and enable enterprise to thrive in a privacy-conscious climate. Delivering a unique combination of technology, policy and strategy expertise, Zero-Knowledge Managed Privacy Services (MPS) enables clients to turn privacy into a competitive advantage by leveraging rich data resources while building stronger and more profitable relationships with customers, employees and partners. MPS is based on responsible and ethical information management in accordance with relevant legislation and industry standards.
"Privacy is good business -- and Zero-Knowledge Systems is the company that can deliver continued privacy value to companies that want to succeed in today's digital economy," said Austin Hill, president of Zero-Knowledge Systems. "Through expert professional services and technological solutions, Zero-Knowledge Systems works with companies to leverage and develop the rich data resources they need, while ensuring that their customers' personal information will not be abused, misused or sold without their permission."
Employing a broad toolkit of privacy-enhancing technologies that control and protect data, MPS brings privacy-based services to a variety of markets for the first time. These include: financial services, health care, wireless, marketing, CRM and hosted solutions (ASPs).
The Managed Privacy Services Process
Zero-Knowledge MPS fuses sophisticated infrastructure design, advanced cryptographic systems and world-class privacy expertise to deliver strong privacy integration to a wide variety of business processes and system designs. Following a period of assessment and design, MPS culminates in the deployment of a tailored privacy layer that integrates seamlessly with the client's existing enterprise applications.
* ASSESS AND ADVISE -- Managed Privacy Services begins with a thorough assessment of each client's data storage and usage patterns, as well as their business objectives. From this assessment, recommendations are made regarding areas where data can be better utilized through the addition of a strong privacy layer, and areas of potential privacy risk are identified.
* DESIGN AND IMPLEMENT -- The assessment stage provides the framework for all aspects of the infrastructure design, and determines which Zero-Knowledge privacy technologies are best suited to the client's needs. The result is a solution that not only secures and protects the client's data, but also allows for a wider array of data-driven activities. Professional systems integration ensures that all the client's business requirements are met, and guarantees the final design will result in the most robust and flexible system possible.
* VERIFY AND MANAGE -- Zero-Knowledge is able to manage all elements of the privacy infrastructure, allowing clients to focus on their core competencies, and providing third-party credibility to a client's privacy initiatives. Independent audits ensure that the system deployed is in compliance with stated policies, and that all controls are functioning as per the design specifications.
Zero-Knowledge is committed to deploying systems that are transparent and accountable. In keeping with this policy, MPS will incorporate third party verification and split encryption key structures, as well as provide consumers with access to white papers, independent auditors' reports or other materials that assure a company is doing what it claims. With MPS Zero-Knowledge strengthens its commitment to building responsible systems that empower consumers to control the disclosure and use of their personal information, while still enabling businesses to thrive in a data and relationship-driven marketplace.
Zero-Knowledge Systems Leads Privacy Education
Zero-Knowledge Systems is also presenting the "Privacy by Design: The Future of Privacy Compliance and Business" conference sponsored by Royal Bank Financial Group, IBM, Merrill Lynch, and PricewaterhouseCoopers. Incorporating the privacy expertise of leading business, technology and privacy figures, Privacy by Design will advise attendees on how to develop, execute and market a successful privacy strategy that will avoid regulatory breaches and differentiate their business in the marketplace with a demonstrable commitment to privacy. The conference will be held at Le Chateau Montebello, Quebec from November 19 to 21, 2000. For more information on Privacy by Design, including a detailed agenda, visit the conference Web site: http://www.zeroknowledge.com/privacybydesign.html
About Zero-Knowledge Systems, Inc.
Founded in 1997, Zero-Knowledge Systems (http://www.zeroknowledge.com) is laying the digital infrastructure for privacy-enabled communications and commerce between individuals, companies, governments and organizations. Zero-Knowledge creates products and services that enable privacy through advanced mathematics, cryptography and source code: the only reliable way to ensure privacy.
In December 1999, Zero-Knowledge launched Freedom(R), the only privacy system that empowers Internet users to surf the Web, send email, chat and post to newsgroups in total privacy without having to trust third parties with their personal information. Freedom can be downloaded at http://www.freedom.net and Freedom source code is available at http://opensource.zeroknowledge.com. In October 2000, Zero-Knowledge launched its Managed Privacy Services(TM) offering to provide expert consultation and privacy-enhancing solutions that enable businesses to comply with privacy legislation, maximize customer relationships and build consumer trust without violating privacy. More information about MPS can be found at http://www.zeroknowledge.com/business.
Journalists can visit the Zero-Knowledge pressroom at http://www.zeroknowledge.com/media.
(Freedom, Zero-Knowledge and Managed Privacy Services are registered trademarks of Zero-Knowledge Systems, Inc. All other names may be trademarks of their respective owners.)
For more information:
Dov Smith, Director of Public Relations, 514.350.7553, dov@zeroknowledge.com
Kristy Cory, Red Whistle Communications, 503.552.3749, kcory@redwhistle.com
On Tue, Oct 31, 2000 at 10:03:59AM -0500, Declan McCullagh wrote:
From: kcory@redwhistle.com
To: declan@well.com
Date: Tue, 31 Oct 2000 06:55:11 -0800
Subject: Zero-Knowledge Introduces Managed Privacy Services for Businesses
Hi Declan,
Today, Zero-Knowledge Systems is introducing its Managed Privacy Services (MPS) offering to solve the privacy challenges that businesses face in today's privacy-conscious business environment.
Privacy is good business. Companies in every industry are realizing they must institute the proper privacy policies, practices and infrastructures in order to succeed in today's digital economy. Zero-Knowledge Managed Privacy Services provides the tools and strategies that enable business to establish private customer relationships and earn consumer trust while ensuring legislative compliance and mitigating risk.
legislative Compliance...
Guess Lew Giles or the CSE came to visit
look at the following
MPS will incorporate third party verification and split encryption key structures, as well as provide consumers with access to white papers, independent auditors' reports or other materials that assure a company is doing what it claims.
third party verification and split encryption key structures,
Here we get to the meat of the issue... the item that NAI tried to force down our throats...Corporate Key Escrow.. this time via key splitting... Shades of the NSA Key!!
Sick em Adam!!
A cypherpunk who is tiring of government schemes to shell out privacy companies.
p.s. that freedom source code 2.0 for linux I was porting to BSD I guess will go into the bit bucket!! 1984 speak my ass!!
On Tue, Oct 31, 2000 at 04:07:18PM +0100, cyphrpnk wrote:
| > >Privacy is good business. Companies in every industry are
| > >realizing they must institute the proper privacy policies,
| > >practices and infrastructures in order to succeed in
| > >today's digital economy. Zero-Knowledge Managed Privacy
| > >Services provides the tools and strategies that enable
| > >business to establish private customer relationships and
| > >earn consumer trust while ensuring legislative compliance
| > >and mitigating risk.
| legislative Compliance...
| Guess Lew Giles or the CSE came to visit

By legislative compliance, we mean compliance with laws. There are no key escrow laws in Canada. There is a privacy law, bill C-6, and we will help companies comply with that. We also will help companies with HIPAA, GLB, the EU privacy directive, and other laws. There is also no key escrow law in the US or the EU to date, and we spend time and energy lobbying to keep it that way.

| look at the following
|
| >MPS will incorporate third party verification and split
| >encryption key structures, as well as provide consumers
| >with access to white papers, independent auditors' reports
| >or other materials that assure a company is doing what it
| >claims.
|
| third party verification and split encryption key structures,
|
| Here we get to the meat of the issue... the
| item that NAI tried to force down our throats...Corporate Key Escrow..
| this time via key splitting... Shades of the NSA Key!!

Umm, so if we split a key three ways (or use three keys to sequentially encrypt a blob), then no party can decrypt without the cooperation of the others. By three keys to sequentially encrypt, I mean the stored cyphertext is E_a(E_b(E_c(data))), not that we store (E_a(data), E_b(data), E_c(data)), which would be silly.

| Sick em Adam!!
| A cypherpunk who is tiring of government schemes to shell out
| privacy companies.
| p.s. that freedom source code 2.0 for linux I was porting to BSD I guess will go
| into the bit bucket!! 1984 speak my ass!!

Sorry to hear that. I guess your porting the code isn't enough for you to trust it. Odd.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
At 12:27 PM -0500 10/31/00, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 04:07:18PM +0100, cyphrpnk wrote:
| > >Privacy is good business. Companies in every industry are
| > >realizing they must institute the proper privacy policies,
| > >practices and infrastructures in order to succeed in
| > >today's digital economy. Zero-Knowledge Managed Privacy
| > >Services provides the tools and strategies that enable
| > >business to establish private customer relationships and
| > >earn consumer trust while ensuring legislative compliance
| > >and mitigating risk.
| legislative Compliance...
| Guess Lew Giles or the CSE came to visit
By legislative compliance, we mean compliance with laws. There are no key escrow laws in Canada. There is a privacy law, bill C-6, and we will help companies comply with that.
Let's look at the key splitting aspect.
Alice has some secrets she wishes to protect with your product. Or Alice is communicating with Bob and wishes the contents kept secret. Standard stuff.
Of course, she could just use conventional PKS tools. Or even Freedom, should she wish the fact of the communication itself to be protected. Standard stuff.
But let us say she, for whatever reason, uses key splitting. Charles and Debby are the holders of the split keys. (If either Alice or Bob is the holder of one of the split keys, this is as if the key is not split at all, of course. Modulo some slight work factor issues.)
"Ensuring legislative compliance" now takes on a meaning which is completely separate from whether key escrow laws have been passed. Charles and Debby can be subpoenaed (not sure what the Canadian, or Iranian, or Baloneystan equivalents are). This subpoena may be in secret, unknown to Alice. Or Alice and Bob.
And this process may not happen with just subpoenas. It will likely happen with national security agencies. Without Alice knowing.
This is what happens when Alice or any other customer of your product uses "trusted third parties." GAK beats crack any day.
This is the danger of building a "trusted third parties" system. And is precisely the reason the United Kingdom was campaigning for this kind of system.
By building precisely the tools they and other governments would need to implement such a system, you are making such a system more likely to happen.
--Tim May
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
On Tue, 31 Oct 2000, Tim May wrote:
And this process may not happen with just subpoenas. It will likely happen with national security agencies. Without Alice knowing.
This is what happens when Alice or any other customer of your product uses "trusted third parties." GAK beats crack any day.
This is the danger of building a "trusted third parties" system. And is precisely the reason the United Kingdom was campaigning for this kind of system.
By building precisely the tools they and other governments would need to implement such a system, you are making such a system more likely to happen.
'scuse me, but this gets a big raspberry. The tools governments would need to implement such a system are already out there, in droves and gobs. What ZKS does or does not contribute to that brew has little to do with whether broken security gets rammed down everyone's throats or not.
Asking for crypto systems that cannot be used in such plans is a lot like asking for bricks that cannot be used to build unsound structures. Somebody might be able to develop such a brick: but it wouldn't be a general, flexible component, and there'd be so many *sound* structures you couldn't build with it, or had to expend a lot of head-sweat figuring out *how* to build with it, that all the construction workers would hate it and ignore it to death.
I think that crypto tools ought to support whatever the hell crypto operations the people using them want. Including third party access to keys and the use of monoalphabetic substitution ciphers to encrypt correspondence if they're stupid enough to want that.
There is no foolproof system, and attempting to make foolproof systems only limits the uses to which they can be put by non-fools.
Alice cannot give her private info to Bob and then expect Bob not to know it in some other situation; it has passed out of her control and any policy or tool Bob has in place to "maintain privacy" is equally out of Alice's control. If Bob is trustworthy, there is no need for crypto at all because Bob will religiously *not* look at those records for any unauthorized purposes. If Bob is untrustworthy, Bob will claim to be using crypto whether or not Bob is actually using it, and claim to have a privacy policy that he follows whether or not he actually does. Either way, there is no reliable protection for Alice the consumer once she has passed her personal info in the clear to Bob.
Bear
At 11:54 AM -0800 10/31/00, Ray Dillinger wrote:
On Tue, 31 Oct 2000, Tim May wrote:
By building precisely the tools they and other governments would need to implement such a system, you are making such a system more likely to happen.
'scuse me, but this gets a big raspberry. The tools governments would need to implement such a system are already out there, in droves and gobs. What ZKS does or does not contribute to that brew has little to do with whether broken security gets rammed down everyone's throats or not.
And I disagree with your big raspberry. Suppose auto makers started building in the "radio signal ignition cutoff" feature that has been discussed here, where a remote signal can disable a running vehicle. Suppose that this is done without any legal regime in place to give law enforcement access. Would it be fair to say that building this technology into a product has made it more likely that lawmakers would make such a system mandatory? I think the answer is clearly "Yes." This is why Cypherpunks were so adamantly against PGP/NAI building-in the capability for escrowing of keys.
Asking for crypto systems that cannot be used in such plans is a lot like asking for bricks that cannot be used to build unsound structures. Somebody might be able to develop such a brick: but it wouldn't be a general, flexible component, and there'd be so many *sound* structures you couldn't build with it, or had to expend a lot of head-sweat figuring out *how* to build with it, that all the construction workers would hate it and ignore it to death.
I think you are missing the point. Think in terms of the ignition cutoff example above, or similar examples involving building video surveillance into hotel rooms, or building keystroke capture and storage tools into PCs, whatever. No one is suggesting limiting research into video technology, for example, just saying it's a Very Bad Idea for hotels or apartment buildings to build-in a capability very widely which could then be mandated by law at some later time. (Loosely related to why so many folks fear gun registration: gun registration often has led to gun confiscation.)
I think that crypto tools ought to support whatever the hell crypto operations the people using them want. Including third party access to keys and the use of monoalphabetic substitution ciphers to encrypt correspondence if they're stupid enough to want that.
Yes, people and companies should be free to do as they wish. I've never claimed otherwise...nowhere have I said that ZKS should be constrained by men with guns to not develop such products! However, others of us are free to comment on the dangers of company plans and to urge changes in policies. Sounds fair to me.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
(Loosely related to why so many folks fear gun registration: gun registration often has led to gun confiscation.)
Is there any known instance of explicit gun registration (not the back-door FBI keeping illegal records of "instant check" requests) that *hasn't* led to at least some confiscations within 5 years of passage?
--
A quote from Petro's Archives:
**********************************************
"Despite almost every experience I've ever had with federal authority, I keep imagining its competence."
John Perry Barlow
On Tue, 31 Oct 2000, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 04:07:18PM +0100, cyphrpnk wrote:
| p.s. that freedom source code 2.0 for linux I was porting to BSD | I guess will go into the bit bucket!! 1984 speak my ass!!
Sorry to hear that. I guess your porting the code isn't enough for you to trust it. Odd.
Adam
The trust issue is not the code, the trust issue is the company. If he doesn't feel that the company is committed to maintaining appropriate levels of privacy, he chooses not to expend labor in support of the company's software. And he may trust version 2, without trusting the company to produce a version 3 that he can in good conscience recommend to anyone to use.
I have designed and built code for free for people who told me they were going to use it one way -- and sent it to /dev/null when I discovered that they intended to use it another. It's as simple as that. These days, I tend to restrict my coding-for-free effort to projects that will be useful *only* in the ways I think are beneficial to society at large, or to projects that, used by everyone according to their own whim, will at least cause society more good than harm. (Note, I did not say "nations" or "governments" or "businesses" or even "citizens" -- I have a peculiar idea of society and what is beneficial to it).
Bear
On Tue, 31 Oct 2000, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 04:07:18PM +0100, cyphrpnk wrote:
| p.s. that freedom source code 2.0 for linux I was porting to BSD | I guess will go into the bit bucket!! 1984 speak my ass!!
Sorry to hear that. I guess your porting the code isn't enough for you to trust it. Odd.
Adam
The trust issue is not the code, the trust issue is the company. If he doesn't feel that the company is committed to maintaining appropriate levels of privacy, he chooses not to expend labor in support of the company's software. And he may trust version 2, without trusting the company to produce a version 3 that he can in good conscience recommend to anyone to use.
I have designed and built code for free for people who told me they were going to use it one way -- and sent it to /dev/null when I discovered that they intended to use it another. It's as simple as that. These days, I tend to restrict my coding-for-free effort to projects that will be useful *only* in the ways I think are beneficial to society at large, or to projects that, used by everyone according to their own whim, will at least cause society more good than harm. (Note, I did not say "nations" or "governments" or
"The street finds its own uses for things".
--
"You have the right to remain helpless. Should you choose to waive this right, anything you do may be used against you in a court of law. You have the right to an assailant. If you cannot find one for yourself, the court will release one for you." --Steve Munden.
At 10:03 AM -0500 10/31/00, Declan McCullagh wrote:
ZERO-KNOWLEDGE SYSTEMS INTRODUCES MANAGED PRIVACY SERVICES TO SOLVE THE PRIVACY CHALLENGES OF BUSINESSES
Montreal -- October 31, 2000 -- Zero-Knowledge(R) Systems, the leading developer of privacy solutions, today introduced its new Managed Privacy Services(TM) offering to solve the privacy challenges of businesses and enable enterprise to thrive in a privacy-conscious climate. Delivering a unique combination of technology, policy and strategy expertise, Zero-Knowledge Managed Privacy Services (MPS) enables clients to turn privacy into a competitive advantage by leveraging rich data resources while building stronger and more profitable relationships with customers, employees and partners. MPS is based on responsible and ethical information management in accordance with relevant legislation and industry standards.
"Relevant legislation"? In Canada, in Iran, in Denmark, where? Surely ZKS is not claiming that they will be somehow targeting each instance of their product to specific countries. If not, if the product is a general one, then just _whose_ "relevant legislation" applies? (I presume this is related to their split key/key escrow/"trusted third parties" nonsense.)
* ASSESS AND ADVISE -- Managed Privacy Services begins with a thorough assessment of each client's data storage and usage patterns, as well as their business objectives. From this assessment, recommendations are made regarding areas where data can be better utilized through the addition of a strong privacy layer, and areas of potential privacy risk are identified.
This is beginning to sound like ZKS is restructuring itself as a consulting company, a la Arthur Andersen or the (now in the process of divorce) Kroll-O'Gara outfit.
Zero-Knowledge is committed to deploying systems that are transparent and accountable. In keeping with this policy, MPS will incorporate third party verification and split encryption key structures
Split encryption key. I think that says it all.
, as well as provide consumers with access to white papers, independent auditors' reports or other materials that assure a company is doing what it claims. With MPS Zero-Knowledge strengthens its commitment to building responsible systems that empower consumers to control the disclosure and use of their personal information, while still enabling businesses to thrive in a data and relationship-driven marketplace.
"Empower consumers"? "Responsible systems"? "Strengthens its commitment"?
How about:
-- no key escrow, no split keys, no trusted third parties
-- public key crypto
With strong crypto widely available, what business (or knowledgeable private person) is going to want or need this "ASSESS AND ADVISE" and "COMMIT AND CAPITULATE" (ok, I'm changing their stages) stuff?
I can't see how a large company, like an Intel or an Amgen, is going to move away from mathematically robust PKS systems and adopt some throwback to the 1940s, some kind of split key or key escrow system. And I can't see how Joe Consumer is going to pay for the (apparent) "review" of his (presumed) needs and then get some key escrow package tailored to his (presumed) needs.
So, what sort of customer is this product tailored for? Some middle-sized company which is clueless on crypto and which wants hand-holding? Some company in a country which _requires_ key escrow? Is ZKS setting itself up to be the premier supplier of key escrow and LEAF tools? Sounds like it.
The "relevant legislation" language is the real kicker. Sounds like the many former government types working at ZKS got the focus shifted from truly secure systems to basically uninteresting--and even pernicious!--systems which "meet the legitimate needs of law enforcement."
Key escrow, in other words.
"Big Brother Inside"
Whew.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
On Tue, Oct 31, 2000 at 09:11:23AM -0800, Tim May wrote:
| >>Zero-Knowledge is committed to deploying systems that are
| >>transparent and accountable. In keeping with this policy,
| >>MPS will incorporate third party verification and split
| >>encryption key structures
|
| Split encryption key. I think that says it all.

Geez. I don't know how we ended up with that wording. Multiple key would have made more sense. The goal is to have a set of keys which are held by different entities. Thus, your data is encrypted such that each of those entities needs to be involved to decrypt it.

By split key encryption, we mean: E_a(E_b(E_c(data))) where E is a strong algorithm (3des, twofish, AES), and the keys (abc) are full strength, properly generated and stored keys for the system.

| >>, as well as provide consumers
| >>with access to white papers, independent auditors' reports
| >>or other materials that assure a company is doing what it
| >>claims. With MPS Zero-Knowledge strengthens its commitment
| >>to building responsible systems that empower consumers to
| >>control the disclosure and use of their personal
| >>information, while still enabling businesses to thrive in a
| >>data and relationship-driven marketplace.
|
| "Empower consumers"? "Responsible systems"? "Strengthens its commitment"?
|
| How about:
|
| -- no key escrow, no split keys, no trusted third parties

Ok. No key escrow. No split keys in that (a,b) is used as the encryption key for a single encrypt, where Alice and Bob each have half the key. Multiple key systems, as I explained above.

Given that we're doing this for businesses that are collecting data now, if you consider those parties 'trusted third parties,' then we're increasing the assurance that surrounds them. We consider them 'merchants,' 'shipping companies' and other such businesses who today get data from you. They're not trusted third parties in the Clipper chip sense, but they are parties who store information about you, often in very insecure and unprivate ways, as MCI, CDnow, and others have found out.

| -- public key crypto

Sure.

| With strong crypto widely available, what business (or knowledgeable
| private person) is going to want or need this "ASSESS AND ADVISE" and
| "COMMIT AND CAPITULATE" (ok, I'm changing their stages) stuff?
|
| I can't see how a large company, like an Intel or an Amgen, is going
| to move away from mathematically robust PKS systems and adopt some
| throwback to the 1940s, some kind of split key or key escrow system.
| And I can't see how Joe Consumer is going to pay for the (apparent)
| "review" of his (presumed) needs and then get some key escrow package
| tailored to his (presumed) needs.

We can't either.

| So, what sort of customer is this product tailored for? Some
| middle-sized company which is clueless on crypto and which wants
| hand-holding? Some company in a country which _requires_ key escrow?
| Is ZKS setting itself up to be the premier supplier of key escrow and
| LEAF tools? Sounds like it.

This isn't primarily a crypto solution, it's an integrated set of things, including an understanding of what data a company ought to collect, what the advantages of minimization are, and then help implementing it. We are not selling any key escrow, leaf, GAK, clipper, capstone, redcreek, or other such trust-me solution.

We see a huge market in companies which are discovering that policies are not enough. We see them hiring CPOs, and looking for assistance. We're not abandoning Freedom--we think that controlling information about yourself is still the best approach. But we do get regular requests from businesses for something else, and we're going to provide it.

We fully intend to provide explanations of what we build for each customer, a fair assessment of what we've built, and source where we can. We see those as essential for building trust in the system. We intend to build systems which we can be proud of.

| The "relevant legislation" language is the real kicker. Sounds like
| the many former government types working at ZKS got the focus shifted
| from truly secure systems to basically uninteresting--and even
| pernicious!--systems which "meet the legitimate needs of law
| enforcement."

We are meeting the needs of law enforcement the same way we always have. By building systems that protect people's privacy. By telling the world what we've built. And explaining, in great detail, why we think that key escrow, et cetera ad nauseam, is a mistake, and that we don't build it, don't ship it, don't support it.

| Key escrow, in other words.
|
| "Big Brother Inside"
|
| Whew.
|
| --Tim May
| --
| ---------:---------:---------:---------:---------:---------:---------:----
| Timothy C. May              | Crypto Anarchy: encryption, digital money,
| ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
| W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
| "Cyphernomicon"             | black markets, collapse of governments.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
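[Added example, not part of the thread and not Zero-Knowledge's code.] The two constructions the messages above distinguish, side by side: the "multiple key" cascade E_a(E_b(E_c(data))), and n-of-n XOR splitting of a single key. The layer cipher is a standard-library stand-in (SHA-256 counter keystream plus HMAC) rather than 3DES, Twofish or AES, and every function name is an assumption made for the illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one holder's key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for E: SHA-256 in counter mode, chosen so the block needs
    # no third-party library. It is not one of the ciphers named above.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(enc_key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(d ^ k for d, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One layer E_k: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; raises ValueError if this key did not produce it."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a layer")
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key for this layer, or ciphertext modified")
    return _xor_stream(enc_key, nonce, body)


def cascade_encrypt(keys, data: bytes) -> bytes:
    """keys = [a, b, c] gives E_a(E_b(E_c(data))): c is applied first, a last."""
    for key in reversed(keys):
        data = encrypt_layer(key, data)
    return data


def cascade_decrypt(keys, blob: bytes) -> bytes:
    """Peel layers outermost first. Each holder uses only their own key, so
    the three keys never have to exist in one place."""
    for key in keys:
        blob = decrypt_layer(key, blob)
    return blob


def try_decrypt(keys, blob: bytes):
    """Return what remains after peeling, or None if any layer rejects its key."""
    try:
        return cascade_decrypt(keys, blob)
    except ValueError:
        return None


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int):
    """n-of-n XOR split: n-1 random shares, plus one that XORs back to key."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def combine_shares(shares) -> bytes:
    """Recombine shares; unlike the cascade, the whole key reappears here."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


if __name__ == "__main__":
    a, b, c = (secrets.token_bytes(32) for _ in range(3))
    record = b"constructed sample record: alice, order 1001"
    stored = cascade_encrypt([a, b, c], record)
    print("all three holders, in order:", try_decrypt([a, b, c], stored) == record)
    print("holder b missing:", try_decrypt([a, c], stored))
    shares = split_key(a, 3)
    print("all shares rebuild the key:", combine_shares(shares) == a)
```

In both schemes every holder is required. The difference is operational: XOR shares must be brought together to rebuild one key, while cascade holders can each strip their own layer in turn.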
At 1:06 PM -0500 10/31/00, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 09:11:23AM -0800, Tim May wrote: | >>Zero-Knowledge is committed to deploying systems that are | >>transparent and accountable. In keeping with this policy, | >>MPS will incorporate third party verification and split | >>encryption key structures | | Split encryption key. I think that says it all.
Geez. I don't know how we ended up with that wording. Multiple key would have made more sense. The goal is to have a set of keys which are held by different entities. Thus, your data is encrypted such that each of those entities needs to be involved to decrypt it.
By split key encryption, we mean: E_a(E_b(E_c(data))) where E is a strong algorithm (3des, twofish, AES), and the keys (abc) are full strength, properly generated and stored keys for the system.
Let's stipulate that the split keys are as strong as one can imagine.
OK, let's set the stage with some players:
* Alice, a consumer or customer
* Bobco, a giant corporation dealing with Alice, collecting information on her, and all the usual stuff involving corporations dealing online with consumers like Alice.
* Chuck and Debby, the holders of the "split encryption key," aka the "trusted third parties." (Extending the set to 3 or 4 or N such trusted third parties does not alter the basic discussion. Nor, by the way, does just having a _single_ trusted third party alter the basics of the legal/GAK structure: if the legal or national security system can force two parties to disclose, forcing one is easier, forcing 3 is slightly easier, and so on. But these are "polynomial" issues, so to speak.)
I want to set the state so I can better understand just how and where this new ZKS system might be useful (to Alice, to Bobco, to governments).
Given that we're doing this for businesses that are collecting data now, if you consider those parties 'trusted third parties,' then we're increasing the assurance that surrounds them.
This business is what I called Bobco above.
Now, suppose Bobco is using the ZKS system. I can see three regimes for any use of a crypto product:
-- storage, at either Alice's or Bobco's site
-- transit, between Alice and Bobco
-- unlinkability: something to do with the linkage of purchase information with identity; how Bobco collects and disseminates information about customers like Alice
The first two are conventional crypto issues, and don't need a new system. Both Alice and Bobco are responsible for securing their own data. Should laws require Bobco to secure Alice's data in some specific way, split key systems are still a poor solution.
As near as I can tell, your concern about "privacy laws" has something to do with the third main use for crypto: unlinkability. Am I right?
Before I proceed further, let's see if this is where we're going.
We consider them 'merchants,' 'shipping companies' and other such businesses who today get data from you. They're not trusted third parties in the Clipper chip sense, but they are parties who store information about you, often in very insecure and unprivate ways, as MCI, CDnow, and others have found out.
This sounds like the unlinkability again. If so, this is a tough, tough nut to crack.
If Bobco is shipping products to Alice, Bobco knows her address and what she is buying. Fill in whatever examples one wishes.
And if Alice answers a questionnaire about her buying preferences, her income, her age, etc., then Bobco will have this information.
Hard to imagine how adding Charles and Debby to the system as trusted third parties helps things. Now, if Alice goes through a complicated procedure of dealing with Charles and Debby to only selectively reveal her preferences, or if Charles or Debby act as "third party shipping agents," so that Bobco doesn't know who he shipped a product to, then some unlinkability has been gotten.
Anyway, I could ramble on about whether or not this makes for an interesting and profitable market niche, but it doesn't seem to be the thrust of where ZKS is going with this new product.
Fact is, third party secrets are not interesting IF Bobco can aggregate the secret information AT ANY TIME. Unless some kind of unlinkability or blinding (a la Joan Feigenbaum's work on "computing with encrypted instances") is done, the trusted third parties don't serve much purpose that I can see.
Maybe I'm missing something.
How will Alice's privacy be protected from Bobco by having Charles and Debby (or just Charles, or Charles, Debby, Edward, Fred, and Greta, etc.) hold split keys?
Wouldn't a better approach be for Alice to protect her own privacy?
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
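The layered construction E_a(E_b(E_c(data))) described in the message above, as an added example that is not part of the thread and is not ZKS code: each holder keeps its own key and must peel its own layer, in order, before the record is readable. The SHA-256 keystream with HMAC is a standard-library stand-in for the "strong algorithm" E (3des, twofish, AES) named in the thread, and `KeyHolder`, `cascade_encrypt`, `cascade_decrypt` and the sample record are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: illustrative stand-in for 3DES/Twofish/AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


class KeyHolder:
    """One of the entities (a, b, c) holding a full-strength key of its own."""

    def __init__(self, name: str):
        self.name = name
        master = os.urandom(32)  # never leaves this object
        self._enc = hmac.new(master, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(master, b"mac", hashlib.sha256).digest()

    def wrap(self, data: bytes) -> bytes:
        """Add this holder's layer: nonce || ciphertext || HMAC tag."""
        nonce = os.urandom(NONCE_LEN)
        body = _xor(data, _keystream(self._enc, nonce, len(data)))
        tag = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def peel(self, blob: bytes) -> bytes:
        """Remove this holder's layer; refuse anything it did not seal."""
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short to be a layer")
        nonce = blob[:NONCE_LEN]
        body = blob[NONCE_LEN:-TAG_LEN]
        tag = blob[-TAG_LEN:]
        expected = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{self.name}: not my layer, or it was modified")
        return _xor(body, _keystream(self._enc, nonce, len(body)))


def cascade_encrypt(data: bytes, holders: list) -> bytes:
    """holders = [a, b, c] yields E_a(E_b(E_c(data))): c is innermost."""
    for holder in reversed(holders):
        data = holder.wrap(data)
    return data


def cascade_decrypt(blob: bytes, holders: list) -> bytes:
    """Each holder peels in turn, outermost first; output is what remains."""
    for holder in holders:
        blob = holder.peel(blob)
    return blob


def demo() -> dict:
    record = b"constructed sample record: order 1001, customer Alice"
    a, b, c = KeyHolder("a"), KeyHolder("b"), KeyHolder("c")
    blob = cascade_encrypt(record, [a, b, c])
    results = {"all_cooperate": cascade_decrypt(blob, [a, b, c]) == record}
    # Two of three cooperate: the result is still c's ciphertext.
    # Wrong order: c is handed a's outer layer and its MAC check fails.
    for label, subset in (("one_missing", [a, b]), ("wrong_order", [c, b, a])):
        try:
            results[label] = cascade_decrypt(blob, subset) == record
        except ValueError:
            results[label] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The construction only governs who can decrypt the stored ciphertext; it does nothing about plaintext a party saw before sealing, which is the aggregation objection raised in the same message.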
I spent perhaps half an hour on the phone with Austin Hill this afternoon. Here's what we discussed.
* I suggested that Freedom had been somewhat less than successful in the marketplace. (Out of 3,500 cypherpunks messages I have stored here, only one nym appears, and this is presumably one of the target audiences.) I suggested that this is a change of strategy for ZKS in an era where investors want profitability. Austin denied it, and said that over 100 engineers "right now" were still working on Freedom.
* I suggested the model they were moving toward was Andersen Consulting. Austin said no, "Verisign is the better analogy." He said one difference was that he anticipated ongoing licensing/fee arrangements between ZKS and clients after original work is complete.
* ZKS will offer to store keys. "That includes us holding encryption keys." Austin described the key-splitting the same way Adam has here. He refused to say whether or not a third-party (Joe's Escrow Service) would ever hold keys.
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
* Austin mentioned cell phones/wireless as a major area. He envisions services such as if you call 911, your info is revealed, but not when phoning other numbers.
* Tim below suggests that "Wouldn't a better approach be for Alice to protect her own privacy?" The answer, generally, is yes. I suspect the Brands patents can do much to that end. But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
I welcome responses.
-Declan
At 10:30 10/31/2000 -0800, Tim May wrote:
At 1:06 PM -0500 10/31/00, Adam Shostack wrote:
On Tue, Oct 31, 2000 at 09:11:23AM -0800, Tim May wrote: | >>Zero-Knowledge is committed to deploying systems that are | >>transparent and accountable. In keeping with this policy, | >>MPS will incorporate third party verification and split | >>encryption key structures | | Split encryption key. I think that says it all.
Geez. I don't know how we ended up with that wording. Multiple key would have made more sense. The goal is to have a set of keys which are held by different entities. Thus, your data is encrypted such that each of those entities needs to be involved to decrypt it.
By split key encryption, we mean: E_a(E_b(E_c(data))) where E is a strong algorithm (3des, twofish, AES), and the keys (abc) are full strength, properly generated and stored keys for the system.
Let's stipulate that the split keys are as strong as one can imagine.
OK, let's set the stage with some players:
* Alice, a consumer or customer
* Bobco, a giant corporation dealing with Alice, collecting information on her, and all the usual stuff involving corporations dealing online with consumers like Alice.
* Chuck and Debby, the holders of the "split encryption key," aka the "trusted third parties." (Extending the set to 3 or 4 or N such trusted third parties does not alter the basic discussion. Nor, by the way, does just having a _single_ trusted third party alter the basics of the legal/GAK structure: if the legal or national security system can force two parties to disclose, forcing one is easier, forcing 3 is slightly easier, and so on. But these are "polynomial" issues, so to speak.)
I want to set the state so I can better understand just how and where this new ZKS system might be useful (to Alice, to Bobco, to governments).
Given that we're doing this for businesses that are collecting data now, if you consider those parties 'trusted third parties,' then we're increasing the assurance that surrounds them.
This business is what I called Bobco above.
Now, suppose Bobco is using the ZKS system. I can see three regimes for any use of a crypto product:
-- storage, at either Alice's or Bobco's site
-- transit, between Alice and Bobco
-- unlinkability: something to do with the linkage of purchase information with identity; how Bobco collects and disseminates information about customers like Alice
The first two are conventional crypto issues, and don't need a new system. Both Alice and Bobco are responsible for securing their own data. Should laws require Bobco to secure Alice's data in some specific way, split key systems are still a poor solution.
As near as I can tell, your concern about "privacy laws" has something to do with the third main use for crypto: unlinkability. Am I right?
Before I proceed further, let's see if this is where we're going.
We consider them 'merchants,' 'shipping companies' and other such businesses who today get data from you. They're not trusted third parties in the Clipper chip sense, but they are parties who store information about you, often in very insecure and unprivate ways, as MCI, CDnow, and others have found out.
This sounds like the unlinkability again. If so, this is a tough, tough nut to crack.
If Bobco is shipping products to Alice, Bobco knows her address and what she is buying. Fill in whatever examples one wishes.
And if Alice answers a questionnaire about her buying preferences, her income, her age, etc., then Bobco will have this information.
Hard to imagine how adding Charles and Debby to the system as trusted third parties helps things. Now, if Alice goes through a complicated procedure of dealing with Charles and Debby to only selectively reveal her preferences, or if Charles or Debby act as "third party shipping agents," so that Bobco doesn't know who he shipped a product to, then some unlinkability has been gotten.
Anyway, I could ramble on about whether or not this makes for an interesting and profitable market niche, but it doesn't seem to be the thrust of where ZKS is going with this new product.
Fact is, third party secrets are not interesting IF Bobco can aggregate the secret information AT ANY TIME. Unless some kind of unlinkability or blinding (a la Joan Feigenbaum's work on "computing with encrypted instances") is done, the trusted third parties don't serve much purpose that I can see.
Maybe I'm missing something.
How will Alice's privacy be protected from Bobco by having Charles and Debby (or just Charles, or Charles, Debby, Edward, Fred, and Greta, etc.) hold split keys?
Wouldn't a better approach be for Alice to protect her own privacy?
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
At 5:14 PM -0500 10/31/00, Declan McCullagh wrote:
I spent perhaps half an hour on the phone with Austin Hill this afternoon. Here's what we discussed. ... * ZKS will offer to store keys. "That includes us holding encryption keys." Austin described the key-splitting the same way Adam has here. He refused to say whether or not a third-party (Joe's Escrow Service) would ever hold keys.
Except for the very specialized case of protecting against loss/forgetting of passphrases and keys, it's hard to imagine how Alice's privacy is ever enhanced by having a third party hold keys.
I'm assuming there's some byzantine protocol being planned in which Alice's secrets (medical files, purchasing preferences, tax information, etc.) are somehow distributed such that various hospitals, insurance companies, etc., cannot link information to Alice.
A worthy research topic. But maybe a bit ambitious for a start-up company with a (reportedly) high burn rate to be launching, it seems to me.
If not this byzantine protocol, what? If Alice supplies personal information to Bobco, he has it, period. A hospital, for example, has this personal information. Hospitals leaking or selling or sharing this information is indeed a pressing concern, but one not readily solvable with technology. It's like the various schemes to delete information before it can be saved to hard disk..these schemes just don't work: if human eyes can see something, or if ears can hear it, then cameras and sound capture cards and so on can bypass the attempted erasures.
Likewise, if Bob's General Hospital knows who Alice is, then the game is up. Period. Technology can't do much about it. Stuff about splitting keys or having third parties involved just doesn't change this basic ontological fact.
(There are, of course, cryptographically respectable protocols for anonymous testing, for blinding of test results, etc. Some even use coin-flipping protocols. But I gather that this is not the market ZKS is seeking to enter.)
I look forward to hearing more from ZKS about what, exactly, this new system is.
Much of the press release was typical press release junk about privacy being important, corporations seeking to fully maximize their paradigms, etc., etc. But some of it talked about key splitting and local laws, which is usually worrisome to paranoid folks like us.
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
"Collect ongoing fees." I'm not knocking free enterprise, but there are often problems with business plans which seek to find ways to collect fees. The most successful companies I've seen have started with a product idea, often already in prototype form (Cisco, Sun, Intel, Apple, etc.) and have then gone very quickly into production. Having 100 engineers working on Freedom, as was claimed today, and yet having essentially no users of Freedom nyms visible a year later, suggests... And moving toward a vague focus on solving customer privacy problems... Well, I have no reason to wish them poor luck. But it doesn't sound too promising. I really do hope I'm wrong and that they provide interesting products for customer privacy and do well with them.
* Austin mentioned cell phones/wireless as a major area. He envisions services such as if you call 911, your info is revealed, but not when phoning other numbers.
A fair enough analogy. One worth pursuing. The whole CallerID situation, and various state and national laws re: 9-1-1 services, took years and years to unfold. I would expect the same thing with online ordering, except that it will take even longer, IMO.
There are some interesting "credentials without identity" protocols which desperately need to be implemented. An example: a credential which someone can present to a pharmacist which allows a drug, e.g., an AIDS drug, to be picked up...without revealing identity. Alas, so many pieces need to be put together to do this that it seems almost hopeless; certainly a startup company cannot afford to spend the many years it would take to deploy this kind of system.
* Tim below suggests that "Wouldn't a better approach be for Alice to protect her own privacy?" The answer, generally, is yes. I suspect the Brands patents can do much to that end. But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
The first level of protection is for Alice to reveal as little as she wishes and to not trust others with information which may damage her. So she should not give out her passwords over the phone, or online. And she should not reveal her AIDS diagnosis by buying AIDS drugs at her local pharmacy. And she should not be ordering books on bomb-making and terrorism through Amazon.
However, once Alice has given Bob this damaging information, the jig is up. Bob knows her passwords or her AIDS status or her preferences in books, whatever. And Charles may know other things. And Dave still other things.
Now, can any protocol stop Bob and Charles and Dave from pooling their information they each have collected on Alice? Nope.
The point is to unlink Alice's identity with the items she purchases, the medicines she needs, the books she buys. Which is why remailers, digital cash, proxies, and suchlike are interesting.
Perhaps ZKS is planning to unveil robust versions of all of these things. If so, I applaud them.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
Mr. May:
At 5:14 PM -0500 10/31/00, Declan McCullagh wrote:
I spent perhaps half an hour on the phone with Austin Hill this afternoon. Here's what we discussed. ... * ZKS will offer to store keys. "That includes us holding encryption keys." Austin described the key-splitting the same way Adam has here. He refused to say whether or not a third-party (Joe's Escrow Service) would ever hold keys.
Except for the very specialized case of protecting against loss/forgetting of passphrases and keys, it's hard to imagine how Alice's privacy is ever enhanced by having a third party hold keys.
Think of it in terms of privacy+access. Medical records are not "stateless", and are for many reasons not usually kept by the individual (or when they are, they are often kept by both the health care provider *and* the individual).
Now, I haven't thought this through all the way (and I'm not exactly a world class thinker) but I can see several possible "products" that might be marketable in a "privacy aware" marketplace:
(1) A system where both the HCP key *and* one of Alice's key or TTP's key are necessary to read a medical record, but where only the hospital's key is necessary to write to the record. This would provide more privacy for Alice (or at least a combination of privacy and access logging) than exists under the current completely un-encrypted, accessible by almost anyone system that exists today. You might want the TTP to hold either a copy of Alice's key with a strong access logging system, or have a setup (if possible) where either Alice's or the TTP's key will decrypt/allow access for cases when you need access to Alice's information when she is unable to provide it (severe trauma or medical condition, dead, in an adversarial legal battle etc.). Medical records are not only Alice's record of what was done to her/wrong with her, but also the HCP's record of what they did.
Yes, it would still be possible for someone to get the information through a print-screen or other ways. Total and complete security is a really tough nut. The goal may simply be to make it harder to leak information, or provide strong accountability to that information. (I worked in a Hospital in the early 90s. At that time it would have been trivial for me to look up anyone on the hospital computer system and order their chart, and return it with a "Oops, ordered the wrong number")
(2) A system for larger HCP's like (for instance) Kaiser, or the hospital I used to work in, where a specific HCP within that system must cooperate with Alice to get *specifically* which parts of a record they need. By way of example, at a less monogamous point in my life, I was worried that I had contracted an STD (turns out I was wrong), and wanted to get it taken care of. The hospital where I worked (and had insurance) was not an option because they had one medical record on each patient, and, well, my mother worked there as a nurse in a department where I was being seen (occasionally) for a completely different problem. I wound up going somewhere else and paying out of pocket for the consultation. If there was the ability within the record keeping system for selective exposure of information, that could be handy. There is little reason for a Urologist to get access to your dental records. At least one would hope not.
If not this byzantine protocol, what? If Alice supplies personal information to Bobco, he has it, period. A hospital, for example, has this personal information. Hospitals leaking or selling or sharing this information is indeed a pressing concern, but one not readily solvable with technology. It's like the various schemes to delete information before it can be saved to hard disk..these schemes just don't work: if human eyes can see something, or if ears can hear it, then cameras and sound capture cards and so on can bypass the attempted erasures.
At least part of the goal may be to meet "Due Diligence" tests. If a HCP/Accountant/Investment Broker takes reasonable precautions in protecting privacy, then it's that much harder for them to be sued for negligence. If they provide strong accountability procedures, and enforce them, then that slows leaks down.
Much of the press release was typical press release junk about privacy being important, corporations seeking to fully maximize their paradigms, etc., etc. But some of it talked about key splitting and local laws, which is usually worrisome to paranoid folks like us.
It would be a rare company indeed that let the Techs correct the press releases.
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
"Collect ongoing fees."
I'm not knocking free enterprise, but there are often problems with business plans which seek to find ways to collect fees.
The most successful companies I've seen have started with a product idea, often already in prototype form (Cisco, Sun, Intel, Apple, etc.) and have then gone very quickly into production. Having 100 engineers working on Freedom, as was claimed today, and yet having essentially no users of Freedom nyms visible a year later, suggests...
And moving toward a vague focus on solving customer privacy problems...
Well, I have no reason to wish them poor luck. But it doesn't sound too promising. I really do hope I'm wrong and that they provide interesting products for customer privacy and do well with them.
While not being particularly happy with ZKS (Mac/MacOSX port public, despite repeated assurances that "it is coming" (for what, 2 years now?)), there are many services that they could legitimately provide companies, such as "privacy procedure" auditing etc., either directly for the company, or as a "consultant" to one of the Management Consulting firms (Arthur Andersen, KPMG etc.).
There are some interesting "credentials without identity" protocols which desperately need to be implemented. An example: a credential which someone can present to a pharmacist which allows a drug, e.g., an AIDS drug, to be picked up...without revealing identity. Alas, so many pieces need to be put together to do this that it seems almost hopeless; certainly a startup company cannot afford to spend the many years it would take to deploy this kind of system.
The problems with this aren't technical, but rather legal. Da Man insists that you present ID. Therefore the Pharmacy insists you present ID. Now, if that order were encrypted so that only you, *or* a TTP could reveal *who* picked up order # 3247834 for 60 tablets of Vicodin, then you have, if not more privacy, at least a trail of accountability to who leaked it.
* Tim below suggests that "Wouldn't a better approach be for Alice to protect her own privacy?" The answer, generally, is yes. I suspect the Brands patents can do much to that end. But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
The first level of protection is for Alice to reveal as little as she wishes and to not trust others with information which may damage her. So she should not give out her passwords over the phone, or online. And she should not reveal her AIDS diagnosis by buying AIDS drugs at her local pharmacy. And she should not be ordering books on bomb-making and terrorism through Amazon.
However, once Alice has given Bob this damaging information, the jig is up. Bob knows her passwords or her AIDS status or her preferences in books, whatever. And Charles may know other things. And Dave still other things.
Now, can any protocol stop Bob and Charles and Dave from pooling their information they each have collected on Alice? Nope.
The point is to unlink Alice's identity with the items she purchases, the medicines she needs, the books she buys. Which is why remailers, digital cash, proxies, and suchlike are interesting.
Perhaps ZKS is planning to unveil robust versions of all of these things. If so, I applaud them.
Part of the problem, at least in Medical and Financial "spaces" is that it's not only Alice's and the Companies' desires, but also the Feds' desires. To provide *better* privacy than we have now until such time as we can get the government off our backs (either through reform or other means) is a possible money maker. And if making money doing one thing allows ZKS to pay for some "R&D" that helps get the second, I'm all for that.
As soon as I get a Mac Freedom client, Damn it! (And yes, I'm willing to pay, I am just not willing to move to Canada to help write it (even if I were capable of such a thing)).
--
A quote from Petro's Archives:
**********************************************
"Despite almost every experience I've ever had with federal authority, I keep imagining its competence." John Perry Barlow
On Tue, Oct 31, 2000 at 05:14:49PM -0500, Declan McCullagh wrote:
* I suggested that Freedom had been somewhat less than successful in the marketplace. (Out of 3,500 cypherpunks messages I have stored here, only one nym appears, and this is presumably one of the target audiences.) I suggested that this is a change of strategy for ZKS in an era where investors want profitability. Austin denied it, and said that over 100 engineers "right now" were still working on Freedom.
Sounds like he's denying the notion of a change in strategy, not your underlying premise - that the market for Freedom isn't what they'd hoped for. That seems difficult to deny, though I'd love to see sales figures to the contrary. I'm one of the people who has paid for Freedom, but gave up on it after it trashed a Win 98 installation twice, and I was unable to get a response from ZKS tech support. Austin is very good at answering the questions he thinks someone should ask, not the questions actually asked.
* I suggested the model they were moving toward was Andersen Consulting. Austin said no, "Verisign is the better analogy." He said one difference was that he anticipated ongoing licensing/fee arrangements between ZKS and clients after original work is complete.
I don't know what Andersen is doing re privacy, but I know that D&T, E&Y, and PWC are all operating privacy-consulting arms which do more or less what ZKS seems to be describing, except that they don't get so deep into the technical operations, as far as I know - they don't operate key shares, etc. While I think it's really sensible for ZKS to think about this approach - they've assembled a bunch of smart people who are apparently working on something nobody's buying. They've got to be burning cash pretty quickly, and it only makes sense to repurpose those people into providing their analysis and information to other people who need it. (And, for what it's worth, Adam, it's HIPAA, not HIPPA. :)
* ZKS appears to be targeting heavily-regulated areas like medical and financial sectors. They will come in, set up a privacy-protective system, perhaps provide some ongoing service, and (if so) collect ongoing fees. In those cases, "a consumer solution like Freedom allowing anonymity doesn't fit that market."
That seems like a sensible idea, but I'm a little skeptical that they'll pull it off when competing with big well-known accounting firms - the accounting firms have built reputations around maintaining client confidentiality, while ZKS has been pretty aggressively and conspicuously hiring wild-eyed cypherpunk types, who won't necessarily inspire a lot of confidence or trust in accountant and risk-manager types. Me, I'd trust the cypherpunk over the Big 5 guy, but I'm not the customer. Cf. the moderate and slow success enjoyed by the hackers-cum-security consulting firms - they seem to make enough to pay themselves, which is more than can be said for a lot of businesses, but they haven't been as successful as firms with law enforcement and private security backgrounds - not because of lack of knowledge, but because the ex-cops know how to create and maintain an image of reliability and predictability and trustworthiness, which is harder for people who aren't even accustomed to using an apparently "real" name.
But Austin seems to be envisioning a market in which *some* third party in the transaction, be it a business, intermediary, or ZKS, possesses personal info about customers and only receives what is necessary.
This does seem to be the direction they've always been going - at the cpunks meeting prior to RSA in Jan of 2000, Austin was talking about something I'd call "mediated pseudonymity" or "managed pseudonymity", where ZKS ends up as a trusted privacy intermediary. This seems to dovetail well with Stefan Brands' ideas about privacy and anonymity. I'm pretty skeptical that there's a real market for that - cypherpunks won't trust it, because it's effectively a contract or reputation-based privacy guarantee, instead of a mathematical or information-theory based privacy guarantee. To the consumer market, it's going to look like a prickly complicated version of those "magic wallet" things which promise to fill out web forms for you, but only with your permission .. which don't really solve a compelling problem for anyone even though they're a nice hack. To law enforcement, they'll get what they want via subpoenas or search warrants - I wonder how careful ZKS is about making sure that their US operations aren't subjecting them to extra liability or search/discovery exposure, cf. this week's news re Amex and Mastercard forced to reveal purchase data for offshore cardholders to the IRS. To private litigants seeking discovery, ditto. And to private or public actors uninterested in legal rules, there's old fashioned burglary, a la Watergate hotel and thousands of smaller less well-known examples. This all comes back to the old Benjamin Franklin saw - "Three men can keep a secret, if two of them are dead." Building the kind of trust that's needed to do the sorts of things ZKS proposes to do takes years or decades; and maintaining good security and a good reputation across that long period of time is very difficult, as Sun recently demonstrated in the key compromise mentioned by Lucky. -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
At 12:13 PM 10/31/00 -0500, Tim May wrote:
How about:
-- no key escrow, no split keys, no trusted third parties
I don't see any way around the fact that some companies will want to have key escrow of some form for employees who disappear, e.g., car accident, pickpocket stole the key-carrier, etc. I think companies will want this because of the risks of financial damage to the company.
Although it's hazardous if done wrong [cf recent PGP problems], is tarnished by the Fedz/Denning/etc, and might have no use in a personal privacy tool (your diary dies with you), isn't it too dogmatic to rule out key escrow for tools intended for use by groups?
Are there equivalent methods which don't use escrowed keys, which I am unaware of?
Strong crypto means the employee can put an invincible lock on the corporate file cabinet. This might mean that invincible locks are not used in corporations. A corporation might require that any invincible physical locks be used in series, so the corp can get into the files if the first lock stays locked. That doesn't seem wrong to me; and in meatspace two locks in series is obvious and no compromise is made to either lock's design.
Maybe no escrow per se, but corp. data is duplicated and each copy is encrypted by a person's bizkey and the corporate shared key for that person. Locks in series.
(Now, it may be 'sad' that ZKS has changed its bizmodel to service businesses that need locks in series, but I'm only interested in whether it's rational to universally denounce any locks-in-series architectures.)
The "relevant legislation" language is the real kicker.
Though this was elaborated on in a later reply, they really do need to specify what they mean exactly (re Canada & 'consumer privacy') when they say the nasty l-word in their public literature. Any mention of the law in crypto lit turns the stomach, puts the scanners on highest sensitivity.
On Wed, Nov 01, 2000 at 03:56:56PM -0500, David Honig wrote:
At 12:13 PM 10/31/00 -0500, Tim May wrote:
How about:
-- no key escrow, no split keys, no trusted third parties
I don't see any way around the fact that some companies will want to have key escrow of some form for employees who disappear, e.g., car accident, pickpocket stole the key-carrier, etc. I think companies will want this because of the risks of financial damage to the company.
Although it's hazardous if done wrong [cf recent PGP problems], is tarnished by the Fedz/Denning/etc, and might have no use in a personal privacy tool (your diary dies with you), isn't it too dogmatic to rule out key escrow for tools intended for use by groups?
Are there equivalent methods which don't use escrowed keys, which I am unaware of?
I believe it was Eric Hughes who at a Cypherpunks meeting about four years ago, said "the solution isn't key escrow, it's document escrow". Which makes sense: a business doesn't (or shouldn't) allow employees to keep a single copy of an important document on their hard drive. It should be replicated in other known places in case of disaster (drive failure, stolen computer, employee hit by bus, etc). Just because documents are encrypted doesn't mean that this practice is abandoned.
One can envision a system where there's a corporate "document czar" who is regularly given docs from various employees and who then encrypts them in his own key. When and where the docs get decrypted is determined by corporate policies. No key escrow required.
I don't know of any existing system like this, but formal corporate document control isn't my field.
-- Eric Murray Consulting Security Architect SecureDesign LLC http://www.securedesignllc.com PGP keyid:E03F65E5
At 4:20 PM -0500 11/1/00, Eric Murray wrote:
On Wed, Nov 01, 2000 at 03:56:56PM -0500, David Honig wrote:
Are there equivalent methods which don't use escrowed keys, which I am unaware of?
I believe it was Eric Hughes who at a Cypherpunks meeting about four years ago, said "the solution isn't key escrow, it's document escrow". Which makes sense: a business doesn't (or shouldn't) allow employees to keep a single copy of an important document on their hard drive. It should be replicated in other known places in case of disaster (drive failure, stolen computer, employee hit by bus, etc). Just because documents are encrypted doesn't mean that this practice is abandoned.
One can envision a system where there's a corporate "document czar" who is regularly given docs from various employees and who then encrypts them in his own key. When and where the docs get decrypted is determined by corporate policies. No key escrow required.
Exactly. A pity we can't easily draw pictures here in mailinglistspace. If we were at a blackboard, we could easily see that the issue of encryption is clearly partitioned thusly:
* Alice's files, stored on her local computer or file repository. Maybe in plaintext, maybe in encrypted form.
* Files in transit between Alice's site and Bob's site. These should at the very least be link-encrypted, and possibly end-to-end encrypted with PKS tools. Forward secrecy is also good, so that the transit keys can't be recovered.
* And then of course the files at Bob's computer, in plaintext or encrypted.
Or, more simply, files at sites and files in transit. Alice may have partners or bosses who have rules about how she leaves the files on her machine, encrypted or not encrypted, backed-up or not backed-up. But her storage is SEPARABLE from files in transit.
I don't know of any existing system like this, but formal corporate document control isn't my field.
There are companies doing exactly this kind of document control for large and small companies, for hospitals, for schools, etc. They offer services for back ups to vaults and repositories, for key control, for distribution, and tools for collaboration. Mentor, Oracle, Adobe, and many others are in this market. If ZKS plans to enter this market, good luck to them. --Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
On Wed, 1 Nov 2000, Eric Murray wrote:
I believe it was Eric Hughes who at a Cypherpunks meeting about four years ago, said "the solution isn't key escrow, it's document escrow". Which makes sense: a business doesn't (or shouldn't) allow employees to keep a single copy of an important document on their hard drive. It should be replicated in other known places in case of disaster (drive failure, stolen computer, employee hit by bus, etc). Just because documents are encrypted doesn't mean that this practice is abandoned.
One can envision a system where there's a corporate "document czar" who is regularly given docs from various employees and who then encrypts them in his own key. When and where the docs get decrypted is determined by corporate policies. No key escrow required.
I don't know of any existing system like this, but formal corporate document control isn't my field.
You (and apparently Eric) haven't ever heard of cron and tar? The job you're speaking of is called a 'system administrator'. Their job is to archive the contents of the company's machines. Make multiple copies and then escrow at least one of those copies in another physical location. The reality is that if a company gets hit with this sort of problem (ie document loss) then they have a competency issue of a bigger proportion.
____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
On Wed, Nov 01, 2000 at 04:20:31PM -0500, Eric Murray wrote:
One can envision a system where there's a corporate "document czar" who is regularly given docs from various employees and who then encrypts them in his own key. When and where the docs get decrypted is determined by corporate policies. No key escrow required.
I don't know of any existing system like this, but formal corporate document control isn't my field.
I'm aware of one example of a similar use in a NASDAQ-listed FDA-regulated pharmaceutical company, where they have a staff of "document czars" who are the only ones empowered to produce, edit, and maintain archives of documents considered especially critical to their intellectual property and/or research and production records required to gain and keep FDA listing for their products. I get the impression that's standard practice in the industry; and probably standard practice anywhere, where the continued availability (or confidentiality) of documents can turn into gains or losses in the $100M - $10B range. See, for example, David Mamet's "The Spanish Prisoner". In any event, I think things work much better when crypto people can present a toolbox of primitive operations to ordinary businesses, and let the ordinary businesses identify which of the primitives would solve actual, existing problems - cute crypto parlor tricks going searching for real-world utility don't seem to meet an especially warm reception. (And I'm saying that as a person guilty of promoting the latter, though the futility of that behavior becomes clearer in hindsight.) -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
On Wed, 1 Nov 2000, Greg Broiles wrote:
I'm aware of one example of a similar use in a NASDAQ-listed FDA-regulated pharmaceutical company, where they have a staff of "document czars" who are the only ones empowered to produce, edit, and maintain archives of documents considered especially critical to their intellectual property and/or research and production records required to gain and keep FDA listing for their products. I get the impression that's standard practice in the industry; and probably standard practice anywhere, where the continued availability (or confidentiality) of documents can turn into gains or losses in the $100M - $10B range.
Document translation, especially patent and trademark, is also especially critical in this respect. The long term viability of such groups is based on a reputation of performance that can break over a single incident.
____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
On Wed, 1 Nov 2000, Greg Broiles wrote:
I'm aware of one example of a similar use in a NASDAQ-listed FDA-regulated pharmaceutical company, where they have a staff of "document czars" who are the only ones empowered to produce, edit, and maintain archives of documents considered especially critical to their intellectual property and/or research and production records required to gain and keep FDA listing for their products. I get the impression that's standard practice in the industry; and probably standard practice anywhere, where the continued availability (or confidentiality) of documents can turn into gains or losses in the $100M - $10B range.
Document translation, especially patent and trademark,
Also draft contracts and agreements...
On Wed, Nov 01, 2000 at 03:56:56PM -0500, David Honig wrote:
One can envision a system where there's a corporate "document czar" who is regularly given docs from various employees and who then encrypts them in his own key. When and where the docs get decrypted is determined by corporate policies. No key escrow required.
I don't know of any existing system like this, but formal corporate document control isn't my field.
Should be an easy hack to add some sort of public-key crypto to CVS or something like bitkeeper, and Presto... -- A quote from Petro's Archives: ********************************************** "Despite almost every experience I've ever had with federal authority, I keep imagining its competence." John Perry Barlow
At 3:56 PM -0500 11/1/00, David Honig wrote:
At 12:13 PM 10/31/00 -0500, Tim May wrote:
How about:
-- no key escrow, no split keys, no trusted third parties
I don't see any way around the fact that some companies will want to have key escrow of some form for employees who disappear, e.g., car accident, pickpocket stole the key-carrier, etc. I think companies will want this because of the risks of financial damage to the company.
Indeed, and this is a very good use for company attorneys! Or other company officers. If one is concerned that the company lawyer will use the key improperly, split the key. Or place it in a fireproof safe with dual-key access, then distribute the physical keys suitably. Or, more simply, drop the disks with the spare keys in an envelope, seal it, and place it in the safe of the company officers or attorneys. Off site, split, whatever. This is an old problem, solved long ago. I'm sure there is some role for privately-arranged (that is, not government-required) holding of critical keys, just as there is for critical documents stored in old mercury mines (as Intel did at the old New Almaden Mine in the Santa Cruz Mountains). As I said, well-solved.
Although it's hazardous if done wrong [cf recent PGP problems], is tarnished by the Fedz/Denning/etc, and might have no use in a personal privacy tool (your diary dies with you), isn't it too dogmatic to rule out key escrow for tools intended for use by groups?
I've never said there is *no* role for safe alternate storage of keys. See above, and see my past comments on legitimate use of backup options. Most of us likely use some form of key backup. Building in transparent key escrow with "trusted third parties" is dangerous, however. Remember that the British model for "trusted third parties" did not include free choice of who those third parties were, but, rather, were limited to Officially Approved TTPs. The whole approach of the Authorities has been to mandate access to encrypted data. The ZKS plan speaks of regulatory conformance...this is what is inimical to our goals.
Strong crypto means the employee can put an invincible lock on the corporate file cabinet. This might mean that invincible locks are not used in corporations. A corporation might require that any invincible physical locks be used in series, so the corp can get into the files if the first lock stays locked. That doesn't seem wrong to me; and in meatspace two locks in series is obvious and no compromise is made to either lock's design.
Sounds fair to me. See above. What companies or individuals do is their concern, not mine, and not government's. --Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
On Wed, Nov 01, 2000 at 03:56:56PM -0500, David Honig wrote:
| At 12:13 PM 10/31/00 -0500, Tim May wrote:
| >How about:
| >
| >-- no key escrow, no split keys, no trusted third parties
|
| I don't see any way around the fact that some companies will want to have
| key escrow of some form for employees who disappear, e.g., car accident,
| pickpocket stole the key-carrier, etc. I think companies will want this
| because of the risks of financial damage to the company.
|
| Although it's hazardous if done wrong [cf recent PGP problems], is
| tarnished by the Fedz/Denning/etc, and might have no use in a personal
| privacy tool (your diary dies with you), isn't it too dogmatic to rule out
| key escrow for tools intended for use by groups?
|
| Are there equivalent methods which don't use escrowed keys, which I
| am unaware of?
Matt Blaze did some work on non-subvertible key escrow, where you escrow keys with random folks, and when you, or Uncle Sam, want the key, you announce that, and hope to get the key back. Let me be clear that this also is not what we're doing. :)
| Strong crypto means the employee can put an invincible lock on the
| corporate file cabinet. This might mean that invincible locks are
| not used in corporations. A corporation might require that any
| invincible physical locks be used in series, so the corp can get into the
| files if the first lock stays locked. That doesn't seem wrong
| to me; and in meatspace two locks in series is obvious and no compromise
| is made to either lock's design.
|
| Maybe no escrow per se, but corp. data is duplicated and each copy is
| encrypted by a person's bizkey and the corporate shared key for that person.
| Locks in series.
|
| (Now, it may be 'sad' that ZKS has changed its bizmodel to service
| businesses that need locks in series, but I'm only interested in
| whether it's rational to universally denounce any locks-in-series
| architectures.)
That's not really it. We're much more focused on layered locks than series locks. I would worry a lot about the architecture you outline above being vulnerable to a whole slew of attacks on any one key, which means an N key system is at least N times as vulnerable.
| >The "relevant legislation" language is the real kicker.
|
| Though this was elaborated on in a later reply, they really do need to
| specify what they mean exactly (re Canada & 'consumer privacy') when
| they say the nasty l-word in their public literature. Any mention of the
| law in crypto lit turns the stomach, puts the scanners on highest
| sensitivity.
When we say 'nasty l-word' you can assume we're referring to CALEA, RIP, and that sort of thing. When we talk about legislative compliance, we mean complying with that whole slew of privacy laws.
As to the hypothetical that Tim will ask, we'll work very hard to prevent laws requiring key escrow from coming into being. We spend time and energy maintaining relations with law enforcement in a lot of places, explaining to them why we don't build in back doors. And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
The following comments are meant as a _general_ comment on "how things are," not as any insinuation that ZKS is in league with the bad guys. At 5:59 PM -0500 11/1/00, Adam Shostack wrote:
As to the hypothetical that Tim will ask, we'll work very hard to prevent laws requiring key escrow from coming into being. We spend time and energy maintaining relations with law enforcement in a lot of places, explaining to them why we don't build in back doors. And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
Surprisingly? Four words: "Good cop, bad cop."
Good cop: "We are interested in listening to you."
Bad cop: "We could just have you run over in your parking lot one night." (Said to Jim Bidzos by an NSA guy when Bidzos said he would not comply with NSA wishes that RSADSI systems be weakened. This was relayed to me personally by Jim, many years ago, and he gave me permission to recount it to the Cypherpunks list. The NSA folks did not dispute that the words were said.)
Good cop: "We seek cooperation with industry."
Bad cop: "Civil forfeiture, sedition, espionage, 20 years in prison."
Good cop: "Voluntary standards."
Bad cop: "ITAR, crypto in a crime laws, Clipper."
Good cop: "We believe in civil rights."
Bad cop: "Drug laws, no knock raids, nightsticks, Diallo, raids in Seattle, build more prisons."
Good cop: "The law applies to everyone."
Bad cop: "Well it depends on what the definition of "is" is."
I think ZKS is spending way too much time talking to the "good cops" and not nearly enough time thinking about what happens when the RCMP comes to shut them down when Freedom is used as we expect it to be.
--Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
At 5:59 PM -0500 11/1/00, Adam Shostack wrote:
As to the hypothetical that Tim will ask, we'll work very hard to prevent laws requiring key escrow from coming into being. We spend time and energy maintaining relations with law enforcement in a lot of places, explaining to them why we don't build in back doors. And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
By the way, I've been curious about this "we spend time and energy maintaining relations with law enforcement" point for a while. In numerous comments I've seen this mentioned.
Why do you spend any of your valuable time talking to law enforcement?
Where I come from, law enforcement enters the picture during a criminal investigation. And then one is usually advised to say "I have nothing to say." Chatting with cops is rarely useful, and is often harmful. Ditto for lawmakers, unless one is seeking some way to get them to get out of the way.
I can't speak for Mojo Nation, but I think it nearly 100% certain that Jim McCoy is not "spending time and energy maintaining relations with law enforcement." What his customers may choose to do with Mojo is not his concern...they are "agnostic" on such matters.
Zero Knowledge should in fact take a "zero knowledge" point of view on what customers may choose to do with its product. How else can it be?
Regrettably, the first round of criticism of Freedom, at least the first round that many of us were involved in, had to do with the "Terms and Conditions" boilerplate, with all of the many reasons ZKS will terminate a nym for (even a prepaid nym, of course, and with no refund, of course). I surmised, as did others, that Freedom would not be usable for such things as running Zundelsites, distributing porn some consider offensive, organizing cells for liberation of their countries, and so on for a thousand other such examples. Whether one agrees or disagrees with such uses, and such ideologies, this is what "free speech" is all about.
Only a system where the "transport layer" is agnostic to, or unaware of, the underlying nyms is going to survive. For example, a chain of traditional encrypted remailers (closer to Chaum's mix than we've seen, but still in the same universe) is "agnostic of and unaware of" the packets passing. Think of this as "end to end pseudonymity," by analogy with "end to end encryption."
A packet wends its way through multiple routings until it arrives at its destination...and is then revealed to be digitally signed by, say, "Pr0duct Cypher." The remailers along the way, scattered in many countries, have no way to decide that a packet is offensive, or violates Canadian law, or is seditious, or any of the things which I surmise ZKS will be cancelling nyms for.
ZKS may have aspects of Wei Dai's PipeNet technology (though Wei Dai remains critical of what he has seen of Freedom, last I heard), but this additional layer of traffic analysis security is all for naught if the _interesting_ uses of Freedom are not possible.
Even if ZKS says they wish to tolerate such uses--Zundelsites, bomb instructions, child porn, money laundering, etc.--the fact that they have an identifiable corporate nexus and can be shut down by court order or by a raid on their systems should tell us this is just not the "architecture for crypto anarchy" some had hoped for.
(Actually, I raised these points before the product was released. Austin, Hammie, Lucky Green, and Jim McCoy--later of Mojo of course--heard my points. I can't speak for Lucky and Jim, but I recall they made similar points.)
In short, ZKS can have all the traffic analysis defeating measures in the world, but their model is basically flawed so long as their system has an identifiable point of attack (headquarters, them, their assets) and so long as they are so apparently willing to cancel nyms.
By the way, the only plausible argument for having extensive traffic padding measures, a la PipeNet, is to defeat the sniffers and such typically employed via "national technical means," i.e., NSA, GCHQ, SDECE, etc. An ordinary little girl using Freedom, the putative target candidate for Freedom, say the ads, is not going to need PipeNet-style traffic padding!!!
Which leaves me once again wondering what the ZKS market is.
--Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
On Wed, Nov 01, 2000 at 07:08:06PM -0500, Tim May wrote:
|
| At 5:59 PM -0500 11/1/00, Adam Shostack wrote:
| >
| >As to the hypothetical that Tim will ask, we'll work very hard to
| >prevent laws requiring key escrow from coming into being. We spend
| >time and energy maintaining relations with law enforcement in a lot of
| >places, explaining to them why we don't build in back doors. And,
| >surprisingly, when you go and talk to them, rather than hissing and
| >shouting, they listen.
|
| By the way, I've been curious about this "we spend time and energy
| maintaining relations with law enforcement" point for a while. In
| numerous comments I've seen this mentioned.
|
| Why do you spend any of your valuable time talking to law enforcement?
Because if we don't, then they get confused about what we're trying to accomplish, they forget that privacy has lots of valuable uses which are not the collapse of governments and tax revenue, and try to ban what we're doing. And then they go talk to Parliament to get laws passed. We see that as a bad thing.
Having spent time on these conversations, I see it paying off. And no, it's not paying off because we've added any backdoors. I think we can agree to disagree on this one, Tim.
| ZKS may have aspects of Wei Dai's PipeNet technology (though Wei Dai
| remains critical of what he has seen of Freedom, last I heard), but
| this additional layer of traffic analysis security is all for naught
| if the _interesting_ uses of Freedom are not possible.
Enough of our source is out there. (The kernel bits of the AIP went out a few days ago. You can wait on the userland chunks, or write your own.) So, you don't like some aspects of what we've done, replace those parts. Feel free, if you know what the market wants. I'm curious if you'll be running a node yourself?
| By the way, the only plausible argument for having extensive traffic
| padding measures, a la PipeNet, is to defeat the sniffers and such
| typically employed via "national technical means," i.e., NSA, GCHQ,
| SDECE, etc. An ordinary little girl using Freedom, the putative
| target candidate for Freedom, say the ads, is not going to need
| PipeNet-style traffic padding!!!
Actually, I'm unconvinced that even pipenet style padding is sufficient. Looking at the work on traffic analysis that's been done, we're in about 1970. We have one time pads (dc-nets), and some other stuff, but we don't have a DES to analyze. We have an adversary who has spent a long time learning how to do this well.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
At 10:14 AM -0500 11/2/00, Adam Shostack wrote:
On Wed, Nov 01, 2000 at 07:08:06PM -0500, Tim May wrote:
| By the way, I've been curious about this "we spend time and energy
| maintaining relations with law enforcement" point for a while. In
| numerous comments I've seen this mentioned.
|
| Why do you spend any of your valuable time talking to law enforcement?
Because if we don't, then they get confused about what we're trying to accomplish, they forget that privacy has lots of valuable uses which are not the collapse of governments and tax revenue, and try to ban what we're doing. And then they go talk to Parliament to get laws passed. We see that as a bad thing.
Indeed. But it sort of undermines the argument we heard a few years back that the main reason ZKS was locating in Canada was because of Canada's greater freedom in crypto matters! Many of us thought this was jive, of course, as Canada was only nominally more free in certain areas involving crypto export...and this largely because it was choosing to go a different way than its usual puppetmaster to the south. Once the Canadian government decided that unfettered strong crypto was dangerous, it would likely move swiftly and without the 200+ years of First and Fourth Amendment cases to deter the outlawing of strong crypto. While Canada has not banned strong crypto, EU countries seem to be moving in that direction. And if strong crypto is not affected by law in Canada, just what does "try to ban" mean? I wonder if Jim McCoy and his associates working on Mojo Nation are being called on by legislators and cops? My guess is not. Maybe there's still time for ZKS to pull up stakes and move to the Caribbean. Or to cypherspace.
Feel free, if you know what the market wants. I'm curious if you'll be running a node yourself?
Not in the near future. I have only a 28.8 dial-up connection out where I live, in the Santa Cruz Mountains. Too far from the CO (Central Office) for DSL, though this may change next summer. No cable modem service. I looked into DirectTV/DirectPC/Gideon satellite service, but this still requires a dial-up line for half of the session, which rules out 2-way serving of pages or Freedom traffic. If I had fast Internet service, I might even be willing to buy one of the ZKS-packaged Windows or Linux machines. As you all know, I favor Macs. OS X looks like a good platform, as it is of course based on Mach/BSD/etc. (BTW, I suggest you look at current Mac OS support plans in this light.) Some friends of mine have installed the Freedom server. One of them tells me that since ZKS is unaware of the traffic flowing, as per the basic design goals, that he is working on running other traffic and still being paid for it. (I'll ask him tonight what exactly he means by this...)
Actually, I'm unconvinced that even pipenet style padding is sufficient. Looking at the work on traffic analysis that's been done, we're in about 1970. We have one time pads (dc-nets), and some other stuff, but we don't have a DES to analyze. We have an adversary who has spent a long time learning how to do this well.
I don't disagree with this. I'm not saying much more robust systems are not needed. What I'm saying is that there's a "disconnect" between which types of nyms are allowed by ZKS, in terms of the T&C and the blather about cancelling nyms for abuse, and the threat model. Little girls surfing to the Barney site are not going to face sophisticated correlation attacks.

As Lucky said, there's an interesting issue of whether ZKS has missed its market. Not strong enough, or not "allowed," for the most extreme users of pseudonymity, but too strong and too expensive for the vast bulk of the target audience.

I have other problems with the rate model which I hope to discuss soon in more detail. Basically, charging $50 a year for "all you can eat" is a crude model as compared to pay-per-use services. And this poor rate model arises because, naturally enough, ZKS wishes to make money. Great, but it's still a crummy rate model.

Paid remailers solve the problem in more than one way. First, no prepaid nyms are needed. Only digital cash (for the tokens or "stamps") is needed. Second, those who use the services more, pay more. Third, rate competition for remailing. Fourth, no centralized infrastructure is needed. Fifth, no point of attack. Sixth, no need to "jawbone" with lawmakers in Latvia, Germany, Canada, California, Zambia, or wherever. Seventh, robustness is in the hands of those who distribute remailers. Eighth, a low-cost expansion curve. No need for a centralized company with high burn rates. Incremental addition of boxes.

(Not sure if N of the remailers have been compromised? Add more hops. Hop stuff through your own controlled remailers. Use temporary fire-and-forget remailers hosted on other machines. Expand the universe of nodes. More chains, more hops.)

I can't help thinking that a tiny fraction of what ZKS has spent could have ironed out the relatively small problems with paid remailers, with making Mixmaster clients more robust, etc.

The key ingredient to incentivize remailer box operators has always been digital cash. Digital cash means the "buy five nyms and then use the system as much as you want" model is not needed. It means no centralized nexus is needed. Mojo Nation looks to be headed in this direction. (I assume everyone knows that Mojo can be spent on remailings?)

--Tim May

--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
On Thu, Nov 02, 2000 at 10:14:24AM -0500, Adam Shostack wrote:
Actually, I'm unconvinced that even pipenet style padding is sufficient. Looking at the work on traffic analysis that's been done, we're in about 1970. We have one time pads (dc-nets), and some other stuff, but we don't have a DES to analyze. We have an adversary who has spent a long time learning how to do this well.
I'd prefer if people talked about PipeNet style traffic scheduling instead of PipeNet style traffic padding. What's really important to PipeNet security is that the timing of packets doesn't leak information, and padding is just a part of what's necessary to achieve that kind of timing. So I'd agree with you that padding by itself isn't sufficient, but I'd be interested in hearing more if you think PipeNet as a whole isn't sufficient.
One legitimate reason for chatting with LE is to educate them just a little so they don't overreact when the 747-bomb-attack or the sarin-gas-plans show up on Freedom. It also seems consistent with ZKS's goal to be perceived as a good corporate citizen. Finally, it's what I'd expect ZKS's financial backers would require. When you get ~$40 million in VC funds for cypherpunkly technologies, you get some strings attached too. It is a sad day when being a good corporate citizen means chatting with LE on such friendly terms, but probably many companies do it; this is not an area where I suspect ZKS is alone.

-Declan

On Wed, Nov 01, 2000 at 07:08:06PM -0500, Tim May wrote:
Why do you spend any of your valuable time talking to law enforcement?
Where I come from, law enforcement enters the picture during a criminal investigation. And then one is usually advised to say "I have nothing to say." Chatting with cops is rarely useful, and is often harmful. Ditto for lawmakers, unless one is seeking some way to get them to get out of the way.
I can't speak for Mojo Nation, but I think it nearly 100% certain that Jim McCoy is not "spending time and energy maintaining relations with law enforcement."
At 05:59 PM 11/1/00 -0500, Adam Shostack wrote:
Matt Blaze did some work on non-subvertable key escrow, where you escrow keys with random folks, and when you, or Uncle Sam, want the key, you announce that, and hope to get the key back. Let me be clear that this also is not what we're doing. :)
| Strong crypto means the employee can put an invincible lock on the
| corporate file cabinet. This might mean that invincible locks are
| not used in corporations. A corporation might require that any
| invincible physical locks be used in series, so the corp can get into the
| files if the first lock stays locked. That doesn't seem wrong
| to me; and in meatspace two locks in series is obvious and no compromise
| is made to either lock's design.
|
| Maybe no escrow per se, but corp. data is duplicated and each copy is
| encrypted by a person's bizkey and the corporate shared key for that
| person.
|
| Locks in series.
|
| (Now, it may be 'sad' that ZKS has changed its bizmodel to service
| businesses that need locks in series, but I'm only interested in
| whether it's rational to universally denounce any locks-in-series
| architectures.)
That's not really it. We're much more focused on layered locks than series locks. I would worry a lot about the architecture you outline above being vulnerable to a whole slew of attacks on any one key, which means an N key system is at least N times as vulnerable.
I was suggesting using a split key, where it would take collaboration amongst N of M board members to assemble the second corporate-backup key. These kinds of redundancy schemes are brilliant. Tolerating turncoats and car accidents. Series + parallel padlocks has interesting properties.
| >The "relevant legislation" language is the real kicker.
|
| Though this was elaborated on in a later reply, they really do need to
| specify what they mean exactly (re Canada & 'consumer privacy') when
| they say the nasty l-word in their public literature. Any mention of the
| law in crypto lit turns the stomach, puts the scanners on highest
| sensitivity.
When we say 'nasty l-word' you can assume we're referring to CALEA, RIP, and that sort of thing. When we talk about legislative compliance, we mean complying with that whole slew of privacy laws.
Govt "privacy" laws are a subset of what you should be doing, so more power to you, as they say.
As to the hypothetical that Tim will ask, we'll work very hard to prevent laws requiring key escrow from coming into being.
Your bodily fluids remain pure.
We spend time and energy maintaining relations with law enforcement in a lot of places, explaining to them why we don't build in back doors.
Please video and archive. Taxpayers want to know.
And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
Adam
Of course they do, they're adsorbing intel. Good luck, dh
BTW ZKS audiotaped my phone interview with Austin (they informed me of such before it began). If they tape conversations with journalists, they definitely should tape conversations with Feds. :)

-Declan

On Wed, Nov 01, 2000 at 10:45:22PM -0500, David Honig wrote:
Please video and archive. Taxpayers want to know.
places, explaining to them why we don't build in back doors. And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
They listen, but do they hear?

--
A quote from Petro's Archives:
**********************************************
"Despite almost every experience I've ever had with federal authority, I keep imagining its competence." John Perry Barlow
On Wed, Nov 01, 2000 at 05:59:56PM -0500, Adam Shostack wrote:
When we say 'nasty l-word' you can assume we're referring to CALEA, RIP, and that sort of thing. When we talk about legislative compliance, we mean complying with that whole slew of privacy laws.
As to the hypothetical that Tim will ask, we'll work very hard to prevent laws requiring key escrow from coming into being. We spend time and energy maintaining relations with law enforcement in a lot of places, explaining to them why we don't build in back doors. And, surprisingly, when you go and talk to them, rather than hissing and shouting, they listen.
Adam, I believe you. I can't see ZKS supporting CALEA/RIP/etc. But ZKS appears to be all in favor of "data protection" legislation (EU data directive, Canadian legislation) that regulates business' privacy practices. This makes sense: It's apparently Austin's personal view, and the more data collection regulations companies must abide by, the more incentive they have to buy your product. You've placed yourself in the unusual position of directly benefiting from additional government regulations. I would expect that your lobbyists will step up their efforts in this area (one lawyer who does work for you here in DC is a vocal supporter of such private-sector regulation).

-Declan
Interesting take, Declan. Which highlights how most of natsec-developed technology entering the market gets the benefit of dual-use regulation. Janus the model. Self-policing is a kissing cousin of self-censorship, both pretend at keeping the fuzz out of private affairs by pretending to be doing nothing worth official attention. And both need regular contact with cops to assure that all is in order, give or take a few handovers of those who go too far, whose names just happened to pop up in this handy snitch program. Banks and telecomms been doing the snitch not nearly as long as the church, rather the state snitching to the church, depending on who's in charge of the day's inquisition. (Interesting stuff in recent books on Vatican and global intel services regular kiss-kissing.) Austin promised a few months back, I believe here, that he would keep us informed of his meetings with law enforcement officials. I must have missed those reports among the pr downpour. This is not to say that he did not report to select customers on how those briefings are going. Question is which cpunks at ZKS will be handed over to assure displeased oversighters. And who there will smile among themselves at the gullible fools' failure to see what realists always claim is obvious behind the cloak of successful wedding of business and government and foolsgold faith that it can never ever happen here, not so long as I'm around (the refrain at PGP, and others of the trusted second party). Young men and a few women die all the time for they know not what strategy considered them expendable -- in the national interest, lately, but traditionally to assure rule-makers they are quite exceptional to the rules.
At 10:29 AM 11/2/00 -0500, John Young wrote:
Banks and telecomms been doing the snitch not nearly as long as the church, rather the state snitching to the church, depending on who's in charge of the day's inquisition. (Interesting stuff in recent books on Vatican and global intel services regular kiss-kissing.)
Does anybody know if anything ever came of PGP Inc.'s attempts to get the Vatican to use PGP? (I couldn't find a PGP key on www.vatican.va, though they could be using them just internally. They do have the Secret Archives on CD-ROM now, at least for Popes from a long time ago. I guess the secrets you can find on CD-ROM aren't the real secrets....)

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
On Wed, 1 Nov 2000, David Honig wrote:
Although it's hazardous if done wrong [cf recent PGP problems], is tarnished by the Fedz/Denning/etc, and might have no use in a personal privacy tool (your diary dies with you), isn't it too dogmatic to rule out key escrow for tools intended for use by groups?
Are there equivalent methods which don't use escrowed keys, which I am unaware of?
First, I think the people who've spoken about document escrow are right. A much safer approach than key escrow. But I'm going to talk about key escrow, because there *are* decent ways to do it.

There are methods for key escrow that don't involve a single trusted party having all the keys. For example, you can generate a dozen random strings of bits, XOR them together, then XOR the result with your key. Take the result of that operation and it's your thirteenth string. Now you can hand the thirteen strings out to thirteen different people. Now if you get hit by a bus, or if they are *ALL* ready to subvert the protocol by working together, they can get together, XOR all the strings together, and produce your key. A reasonable protocol for a company with fourteen board members, perhaps. There would be no way to serve thirteen out of fourteen board members with subpoenas and still have the investigation of the fourteenth board member be a secret to the company.

Third, there are methods for key escrow with a single escrow agent that don't allow the escrow agent access to the key while it's still live. Take your August key on August First, and use a digital timelock to put one solid month of computing between the company escrow officer and the key. Hand the escrow officer the resulting blob, and use your key with impunity until August 30. On the 30th, you encrypt everything with your September key. On September 1, if she's put the fastest available machine to work on it the whole time, the escrow agent gets your August Key. Now, if you get hit by a bus during August, the escrow officer will be able to get stuff from your drive after August -- but will never have your key while that key is still in use.

Fourth, the trusted third party doesn't need access to your keys. I could set up a web service that generated complementary asymmetric key pairs and published them thirty days apart. Now when Alice wants to put her key in storage for the company escrow officer, she can come to my site, pick up the key of the day, encrypt her key with it, and hand it to Bob the escrow officer. If Bob needed to use the key, and it were more than a month later, he could come to my site and get the complementary key and decrypt Alice's key. With this setup, I'm the only one that knows the decryption key, and I don't know diddley about what's encrypted under it or where anything encrypted under it is stored.

Bear
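An added example, not part of any message in this thread: the all-shares-required XOR split Bear describes above, written in Python. The function names are illustrative assumptions and the 16-byte key is constructed sample input; the last function shows why a group missing even one share learns nothing about the key.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("every share must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int = 13) -> list:
    """Split `key` into `holders` shares; every one is needed to rebuild it."""
    if holders < 2:
        raise ValueError("need at least two holders")
    # "a dozen random strings of bits" when holders == 13
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    # XOR them together, then XOR the result with the key: the last share
    shares.append(reduce(xor_bytes, shares, key))
    return shares


def recover_key(shares: list) -> bytes:
    """XOR all the shares together to get the key back."""
    return reduce(xor_bytes, shares)


def share_that_yields(partial: list, candidate_key: bytes) -> bytes:
    """The one missing share that would make `candidate_key` the result.

    Such a share exists for every candidate, so holders missing even one
    share cannot rule out any key of that length.
    """
    return reduce(xor_bytes, partial, candidate_key)


if __name__ == "__main__":
    key = bytes(range(16))            # constructed sample key
    shares = split_key(key, holders=13)
    assert recover_key(shares) == key
    twelve = shares[:12]              # a coalition missing one holder
    for guess in (key, b"\x00" * 16, b"constructed-key!"):
        fake = share_that_yields(twelve, guess)
        assert recover_key(twelve + [fake]) == guess
    print("13 of 13 recover the key; 12 of 13 fit any key at all")
```

The same property cuts the other way: losing any single share loses the key, which is the gap the N-of-M split mentioned earlier in the thread is meant to close.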
At 04:07 PM 11/1/00 -0800, Ray Dillinger wrote:
First, I think the people who've spoken about document escrow are right. A much safer approach than key escrow.
That is the Big Point I've picked up. That you can dupe docs without cloning keys or even building that into your crypto primitive-tools. "Duplication not Escrow" is almost short enough for a bumper sticker.
At 03:56 PM 11/1/00 -0500, David Honig wrote:
(Now, it may be 'sad' that ZKS has changed its bizmodel to service businesses that need locks in series, but I'm only interested in whether it's rational to universally denounce any locks-in-series architectures.)
We need to be careful not to let GAKKers define our perspectives. Locks-in-series is a much different problem than locks-in-parallel, which is the usual GAK/CorporateGAK model. (Or alternatively, user-locks-in-parallel-with-(GAK-locks-in-series), so it takes two corporate officers to agree to eavesdrop.)

Locks-in-series are often solutions to increasing privacy, not decreasing it. For example, especially in the health care business, current practice is that just about anybody can get at all of customer data, and there's a real need for privacy protection technology that puts stricter controls on people getting at data they do or don't need to know. In the US, where we don't have the benefit of Canadian Health Care (:-), the US government's Medicare requirements and tax policies have pushed insurance companies to use Social Security Numbers as their customer-ID numbers, and pushed businesses to use SSNs as their interface to the insurance companies, and doctors to use SSNs since they need to deal with insurance. Even locks-in-parallel on data can provide more privacy than the current screen-doors-on-data level of protection.

In spite of the usual PR behaviour that has PR people vaguely paraphrasing things that might have been technical concepts once, there are times you *really* need to let the technical people vet press releases before letting them out the door, or the crypto or privacy people will ream you badly :-)

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (14)
- Adam Shostack
- BENHAM TIMOTHY JAMES
- Bill Stewart
- cyphrpnk
- David Honig
- Declan McCullagh
- Eric Murray
- Greg Broiles
- Jim Choate
- John Young
- petro
- Ray Dillinger
- Tim May
- Wei Dai