http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=455 Cryptonomicon.Net - Anyone Remember Zero Knowledge Systems? Date: Wednesday, September 10 @ 11:15:00 EDT Topic: Commercial Operations / Services It seems that a day doesn't go by that there's new news about the RIAA suing another file swapper. First it's college students, then it's 12-year old honor students, and we hear that they're going after senior citizens next. With ISPs either volunteering or being forced to divulge subscriber information, it's a wonder that there isn't a technology to help shield user's online privacy with respect to their file swapping activities. Well... actually there is, and it's been around for a couple of years. We don't normally do commercial endorsements here, but when we see so much chatter from people on newsgroups talking about privacy protecting technology, we figured we should probably chime in. Way back in the late 90's a company called Zero Knowledge Systems was formed to develop privacy enhancing technology for the Internet. Their flagship product Freedom.Net was a giant onion-skin routing cloud with encrypted links. The idea was that someone desiring privacy would open an encrypted link with a Freedom.Net node and send it's internet requests through that node. That node in turn would encrypt the request and route it through another semi-randomly selected node using a different encryption key. This process would repeat until the request exited the cloud of encrypted packet routers and hits the target of it's destination. The response to the request would return via a similar convoluted, encrypted path. At the time, Freedom.Net was being pitched as a tool for human rights workers, whistleblowers, or even parents who don't want identifying information about their children being collected by heartless corporations intent on selling their kids the latest Anime action figures. Unfortunately, they never quite made a compelling enough argument for mass adoption of their system and eventually morphed the company into a manufacturer or more conventional privacy tools. Freedom still exists as a product, thought it is aimed at web users, only runs on Windows clients, and routes requests through proxy servers owned by Zero Knowledge Systems. It is interesting to ponder what would happen if the Freedom network were widely deployed and routing file swapping packets. One key feature of the original Freedom network was that routing nodes could (and would) be placed in different legal jurisdictions. Assuming that node operators actually logged packet traffic, organizations like the RIAA would be forced to subpoena node operators in multiple countries; a process humorously referred to as "Jurisdictional Arbitrage." Imagine a world where your file swapping software also included a Freedom-like client that routed your request through a maze of encrypting routers. The routers themselves could be placed in different countries. This could make for big headaches when the RIAA moves to subpoena logs of file swapper's activities. They couldn't get the logs from the ISPs because there's no way the ISP could peek in the traffic stream to identify offending content. They could try to put a sniffer on a US-based encrypting network node, but there's likely little information that could be gathered from this; the "payload" of a packet is encrypted with a key that the intermediate routers don't know. About the only place the RIAA could attack would be the servers. After all, all the encryption in the world won't help you if you publicize the IP address of your file store. I'm sure what keeps the record industry executives up at night is the worry that somewhere in the middle of the backwoods of Colombia or in the occupied territories of Israel / Palestine there are extra-territorial jurisdictions that can't be served with papers. Honestly, do you really want to be the process server that goes in to serve papers on FARC guerillas? The future is unclear, but while we start thinking about critical infrastructure, maybe we could think about a way to protect the record companies from financial ruin at the hands of FARC or HAMAS. Yes, I know there are several out there who would like to help destroy the RIAA and all they stand for. Yes, they are behaving in a manner indistinguishable from bastards. But they're our bastards, and if they are to be "taken down," there's a legal process for doing so. It's well known that Hollywood has much better political representation than Silicon Valley. What would happen if KaZaa or Gnutella or Sharmin Networks started operating an encrypted network? Would the RIAA move to outlaw encryption? Maybe the entertainment companies would buy the ISPs and block encrypted content from traversing their network. In any event, we see a whole new chapter in the privacy wars brewing. Don't say you weren't warned. This article comes from Cryptonomicon.Net http://www.cryptonomicon.net/ The URL for this story is: http://www.cryptonomicon.net//modules.php?name=News&file=article&sid=455 -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'