CDR: Response to false statements about Zero-Knowledge
Declan, I would like to respond to some of the discussion and false statements being made about Zero-Knowledge. Please see my comments below and FWD: to Politech. Thank you. Regards, Austin
-----Original Message----- From: Declan McCullagh [mailto:declan@well.com] Sent: Wednesday, November 08, 2000 7:15 PM To: politech@politechbot.com Cc: shamrock@cypherpunks.to Subject: FC: Response to article on Zero Knowledge, marketing, and promises
********* A response to: http://www.politechbot.com/p-01464.html *********
Date: Wed, 01 Nov 2000 18:49:32 -0800 From: Lucky Green <shamrock@cypherpunks.to> Subject: RE: Zero Knowledge, after poor software sales, tries new gambit To: declan@well.com
Declan,
I don't believe the conclusion that Internet users are unwilling to pay for enhanced privacy is warranted given the information currently available. If anything, ZKS' poor sales show that Internet users are unwilling to pay for software that claims to protect the user's privacy but doesn't. This is a very important distinction to make. Freedom (TM) as shipping does not adequately protect the users' privacy. ZKS' marketing machine and early promises notwithstanding, in the end the market was not fooled into buying product that doesn't deliver.
First to set the record straight, Declan's claim that our software sales have been poor is completely baseless. He has reported this as fact when during my interview with him I clearly stated that we are pleased with our results for Freedom and are seeing substantial growth, so much that we are still hiring more engineers (adding to the already 100 we have working on it) and adding more features and improvements to our consumer privacy product. Because we as a private company refuse to provide Declan with actual sales & revenue numbers he has persisted in reporting that this is because of poor software sales, based on what he described as anecdotal evidence that he has observed in the cypherpunk community. Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy. Declan and his editor at Wired have received a complaint regarding what we feel was irresponsible reporting, that includes a transcript of the relevant parts of the interview. As of now, they have not made any correction or retraction. Declan, I invite you to FWD: our letter to you and your Wired editor, to Politech readers so they can make up their own minds regarding the current state of our software sales and your editorial on the launch of our additional corporate privacy services. For now Declan and I have agreed to disagree about the accuracy and quality of his article. Now leaving that issue aside, Lucky Green makes the claim that we have failed to deliver what we promise. I believe this is completely baseless and false. Our promised privacy protection is detailed extensively at a very technical level in our whitepapers, http://www.freedom.net/info/freedompapers/Freedom-Architecture-Protocols.pdf http://www.freedom.net/info/freedompapers/Freedom-NymCreation.pdf http://www.freedom.net/info/freedompapers/Freedom-Security.pdf In these papers we describe every attack we protect against and more importantly every attack that we don't protect against. These whitepapers include protocols, design goals and actual results of security audits against the architecture and the code. Unfortunately, Lucky hasn't done any analysis to add to the list. To further improve our security and privacy commitment and to ensure users do not have to rely on or trust Zero-Knowledge's claims, we have also published the source code for the system, which is available at, http://opensource.zeroknowledge.com We are the only privacy company that has published whitepapers on the full protocol, security attacks against the system, and the source code. We believe that this is responsible privacy, and that it is the only way to verify and support our claims to our users. If there is _ANY_ attack, weaknesses, flaw or security bug we have invited people to review our work and inform us, and we then update our documents to reflect our continued understanding of how to design and implement the best privacy infrastructure available. Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).
I think it is unfortunate that ZKS' failure to deliver on their promises will now be taken as an indication that there is no market for a product that ZKS never built.
The risk that the such a, in my view erroneous, conclusion would be drawn was of course the big risk to Internet privacy worldwide that followed from ZKS' foolish gamble to ship a product
I actually believe that Lucky's false statements and accusations stem from Zero-Knowledge shipping a solution that does not include the solution to one of the original design goals, which was a traffic-analysis-resistant network. During our first attempt to build the FREEDOM infrastructure and an AnonymousIP protocol we also tried to build it to be resistant to traffic analysis and large statistical attacks. (This remains a design goal, but we think there are open research issues to be solved before we (or anyone) can ship a system that meets this design goal). The techniques we attempted to use to facilitate this were: -Constant packet sizing -Link padding -Traffic shaping (introducing extra bogus traffic or limiting traffic to disguise the actual amount of traffic being sent through the network) During our tests of the first alpha versions of FREEDOM, we found a number of problems with this including: 1. Speed & performance degradation that made the system unusable 2. Huge costs increases in operating the backbone infrastructure (Packets were being sent with a huge increase in 'stuffed' payloads and there had to be constant traffic on the network) 3. Incomplete understanding of the effect in the security and resistances to these attacks (we found there was not enough research in the area of traffic analysis to determine if the extra delays and huge costs increased gained us anything in the protection from traffic analysis. In fact, upon review we found that since the costs of doing the bare minimum padding (full link padding from the client node to the first server node) could not be supported by what we felt users were willing to pay for privacy, we reviewed our threat model and lowered the bar on the what we were trying to accomplish. We consider traffic analysis to be an area in need of basic research. We have some information-theoretical and computationally secure proposals but minimal work on secure systems with work-factors less than computationally secure. Simple things like how to define and discuss the work-factor of these systems are missing. We do not have equivalents of basic constructs like Feistel-networks, s-boxes, or chaining modes. We have easy attacks which seem very powerful, but can't judge if those attacks are the equivalent of statistical attacks on ceaser ciphers or something more powerful. We do not have powerful techniques such as differential or linear cryptanalysis, the impossible variants, or any sort of trade-off attacks. There's not a great deal of discussion of the case where flood the pipe is not an option, or where we want to limit delays. We think the situation is analogous to the state of our understanding of block cipher analysis in 1970. We had an information-theoretically secure system. But we had little or no knowledge of the Enigma breaks (Bletchly Park is not mentioned in the index of the 1967 ed. of the Codebreakers). When the NBS proposed the DES, many were at a loss as to how to critique it beyond asking for the design criteria to be published. Compare and contrast this situation with the AES competition. Our Director of Technology, Adam Shostack raised this issue in a rump session talk at the 'Design Issues in Anonymity and Unobservability' workshop, and we're looking for other ways to bring the problem to the attention of the academic community. Our users are primarily Win 95/98 users who are worried about their privacy (i.e. email address; cookies; profiling by ad networks; pseudonyms for chat rooms and Usenet). They are not worried about the NSA doing traffic analysis on their communications. We were way too ambitious with that design goal and we decided it was not a 'must have' that would prevent us from shipping our current solution. More than that, we did so publicly (see our whitepapers) and we are also working on increasing academic research in this area (we have a few scientists working on it) so that if we decide to attack this problem in the future there will be more information available to us to review. Lucky claims that there is large market demand (in terms of $$ and/or people) for traffic-analysis-resistant, completely anonymous networking. I disagree, but would invite him to take our source code and go out and build a business based on this. The published source code is the result of 3 years of engineering by more than 100 developers and we would invite him to take this start and improve on it. We would be interested in his results both technically (how to achieve traffic analysis resistant networking) and on the business side (how do you build a business to support fully traffic analysis resistant networking). We have 250+ people working very hard on privacy systems, and have taken huge steps in making sure we are accurate in our claims, transparent in our systems and are delivering privacy services that we can be very proud of. Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.* * For those who don't follow security debates, this refers to idealists who want to build great systems with really neat provable properties and other useful underpinnings. Unfortunately, none of those systems have ever shipped, and in the real world, we get by with good. Freedom is the strongest privacy system that's shipping. Is it as good as we would like it to be in an ideal world? Of course not. But there is a braintrust at Zero-Knowledge of really smart people who want to make it even better, so while we've decided to ship a strong and working system that offers consumers the best privacy available today, we also have 100 engineers working to continually make it better. Regards, -Austin that didn't meet market demand. A risk
that I on more than one occasion impressed upon the principals was to great to take.
--Lucky Green <shamrock@cypherpunks.to>
"Anytime you decrypt... its against the law". Jack Valenti, President, Motion Picture Association of America in a sworn deposition, 2000-06-06
_________________________________________________________________________ Austin Hill Zero-Knowledge Systems Inc. President Montreal, Quebec Phone: 514.286.2636 Fax: 514.286.2755 mailto:a_hill@zeroknowledge.com http://www.zeroknowledge.com Are you fast enough? Are you smart enough? We are hiring those who are! http://www.zeroknowledge.com/jobs/ PGP Fingerprints RSA = 7BDB A72C 1130 BC09 CD5A 2712 F51D 72AC DH/DSS = F783 7187 E174 0C5C DD4C B1FA 0392 C7DC AF5A 1FAB _________________________________________________________________________ -- Resistance is futile! http://jobs.zeroknowledge.com
On Fri, Nov 10, 2000 at 02:56:03PM -0500, Austin Hill wrote:
First to set the record straight, Declan's claim that our software sales have been poor is completely baseless. He has reported this as fact when during my interview with him I clearly stated that we are pleased with our results for Freedom and are seeing substantial growth, so much that we are still hiring more engineers (adding to the already 100 we have working on it) and adding more features and improvements to our consumer privacy product.
This is a non sequitur - the facts that "ZKS is happy with its sales" and "ZKS is hiring more engineers" are unrelated to Declan's evaluation of the available evidence regarding ZKS' sales. In the absence of numbers from ZKS - which would be the best source of that information, if it were available - people wanting to evaluate ZKS and its business must look at less helpful information, which will likely include anecdotal accounts which you dismiss. Now, if the question before us were "Are the shareholders and employees of ZKS happy with their sales?" or "Are ZKS' sales reasonably within the projections in their business plan?" or "Is ZKS close to bankruptcy?", then the facts and feelings you mention above would be responsive. Those are not, however, the questions raised about ZKS, so your remarks don't seem to be responsive. It doesn't seem reasonable for you to complain about Declan writing an article based on incomplete information, but to refuse to provide that information so that the article could be based on better data. I get the impression that you would prefer the article not appear at all - which is a reasonable thing to wish for, but not a reasonable thing to expect. If ZKS wants press, it will have to take the bad (or the inconvenient) along with the good.
Because we as a private company refuse to provide Declan with actual sales & revenue numbers he has persisted in reporting that this is because of poor software sales, based on what he described as anecdotal evidence that he has observed in the cypherpunk community.
Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy.
Sure - cypherpunks are a very small market, so it would be very difficult for even a small business to survive on cypherpunk sales alone. However, that doesn't mean that cypherpunk purchases and evaluations are unimportant, or can be dismissed. High tech marketing people discuss a "technology adoption life cycle" - Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but I don't know if he was the first person to do so. Briefly, this model suggests that new products or technology are adopted at a rate which describes a bell curve - at the left edge, there's a initially small adoption rate which represents the activity of "innovators", people who actively seek out new technologies and products, and who frequently provide valuable unofficial marketing and support for new products. Moving to the right, we find the "early adopters", who are not technologists themselves (versus the innovators, who are) but are willing to risk adoption of a technology or product not proven on a wide scale if they see a strong benefit. Moving further to the right, we find the "early majority" and "late majority" who make up the bulk of the adopters of the technology, who wait until the product/technology has been approved and proven by the innovators and early adopters. (Following the late majority are the "laggards", who are a small market and unimportant to this message). When you describe ZKS and Freedom as "consumers who are concerned with their privacy", I believe you are speaking of the middle of the bell curve - as you say, cypherpunks don't need freedom, but the non-technologists do. What your analysis seems to miss is the role that's played by the innovators and the early adopters in bringing a product or a technology to a maturity level where it's acceptable to the much larger middle market. For your product, cypherpunks, and wannabe- cypherpunks are the innovators or the early adopters, in large part - the people who will experiment with your product, and tell their friends and families and employers and user groups about it. If you don't meet the needs of the early people, you won't get a chance to meet the needs of the people in the middle. Comments on the cypherpunks list and at physical meetings seems to suggest that Freedom is not enjoying a good adoption rate within what's likely a big part of that adoption curve. I've only seen a few users of ZKS nyms on public mailing lists, which ought to be a popular use for them; a web search with Google and HotBot doesn't reveal any use of @freedom.net email addresses showing up in mailing list archives. If you can point to concrete numbers showing adoption rates, I'm sure that many people would be interested - but telling us that you (as a founder of the company) are happy with your sales doesn't do much to tell the rest of us about what's happening inside ZKS. My impression - from my own experience, from the lack of apparent adoption by others, and from ZKS' reframing of its business from stronger protection to weaker protection to the new "privacy consulting" stuff is that ZKS is searching for its niche in the marketplace, and hasn't found it yet. There's nothing wrong with that - look at AT&T, or the other long distance carriers moving away from consumer services, or the AOL/Time merger - but denying things which are readily apparent doesn't inspire confidence.
To further improve our security and privacy commitment and to ensure users do not have to rely on or trust Zero-Knowledge's claims, we have also published the source code for the system, which is available at,
As far as I can tell, only the Linux client software and the Linux kernel modules are available - but you said yourself that the real target market is Windows. When will the Windows client be made available for inspection? When will the other server-side software be made available? (Please don't get confused between licensing terms and source code inspection - it's very nice to make software available under GPL or other terms; and it might well be economically or strategically stupid to make your Windows client available under a free license - but that doesn't mean you can't allow open audits of it for security issues, or get an outside organization to publish the results of a code review.)
We are the only privacy company that has published whitepapers on the full protocol, security attacks against the system, and the source code. We believe that this is responsible privacy, and that it is the only way to verify and support our claims to our users.
If there is _ANY_ attack, weaknesses, flaw or security bug we have invited people to review our work and inform us, and we then update our documents to reflect our continued understanding of how to design and implement the best privacy infrastructure available.
Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).
I think everyone agrees that ZKS has built the strongest commercially available client-side privacy system. Again, that's not the interesting question. The interesting question is "Is it strong enough?" Everyone who's looked at the question - from your accounts, inside ZKS, and outside people - seems to agree that nobody knows, or if they know they're not telling.
We have 250+ people working very hard on privacy systems, and have taken huge steps in making sure we are accurate in our claims, transparent in our systems and are delivering privacy services that we can be very proud of.
I don't think there's any question that you folks are working hard, that you are doing a good job of only saying true things, that you are moving towards releasing pieces of your infrastructure for review, or that you're providing a service equal to or better than what's currently on the market. It would be unfortunate if you lost sight of that. It would also be unfortunate if you confuse questions or concerns about ZKS with hostility towards ZKS. If I have a weird spot on my skin and I ask a doctor friend about it, I don't want them to tell me it's nothing to worry about, even if it's really malignant but they don't want me to feel bad. Similarly, if people in the cypherpunk community raise questions about ZKS, I think it's sensible to assume that they're doing it because they want to help ZKS, or because they want to help privacy generally and think you may be inadvertently harming it.
Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.*
This may be true - but your message was the first one that I've seen which describes clearly the changes made in Freedom's design and implementation between v1 and v2, and I'm a customer. (Not an active one, due to configuration issues, but you've got some of my $, and didn't bother to tell me that the traffic-analysis resistance I thought I paid for has been eliminated because it turned out to be difficult.) While I greatly appreciate your candor - and am confident that your analysis of the economics of the bandwidth required to foil traffic analysis was correct - I do think there's perhaps some room for improvement re keeping people up-to-date on what sort of protection they can expect from Freedom and ZKS. If you are ever in the mood to update the Freedom FAQ, I suggest that the following questions would be helpful ones to answer - Q: If I post a message critical of a big company using a Yahoo forum, and the Yahoo registration data points back to my Freedom account (email and source IP), will the big company be able to get my personal information from you with a subpoena? Q: If I post a message to a mailing list which has some source code that a big company thinks violates the DMCA, and the big company calls the FBI, will the FBI be able to get my personal information from you with a subpoena? Q: What happens if I make someone really, really angry and they come to your offices and point guns at your employees .. will they be able to get my personal information from you? Assume they shoot a few people to show they're serious. Then will you find a way to give them my personal information? What if they take your computer equipment away from you (or one of your participating ISP's) at gunpoint, and take it back to their hideout for analysis. How difficult will it be for them to get my personal information? -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
Austin, Thanks for your note. I respect what you're trying to do at ZKS. I think that if ZKS succeeds, the world will be a better place. Further, I have a tremendous deal of respect for some of the very excellent people you have hired. But wishing something to be true does not make it so. My statement about ZKS' sluggish Freedom sales is based on extensive conversations over the last year with folks in this industry, web searches to see how many ZKS nyms appear to be in use, ancedotal information, and conversations with other ZKS employees. As Greg says below, I was writing an article with less-than-perfectly-complete information, but information that I have and had every reason to believe is accurate. You did nothing to refute that belief, and saying "[we are] pleased with our results for Freedom" is an analytically and semantically null statement. The Subject: line of your message complains about "false statements," but you offer nothing by way of identification and refutation. As you say, you did send a note to my Wired editor demanding a retraction. You received a response yesterday saying that Wired identified no errors of fact in my article and you were welcome to submit a letter to the editor. I hope you will, and I wish you luck at ZKS. Yours, Declan At 15:10 11/10/2000 -0800, Greg Broiles wrote:
On Fri, Nov 10, 2000 at 02:56:03PM -0500, Austin Hill wrote:
First to set the record straight, Declan's claim that our software sales have been poor is completely baseless. He has reported this as fact when during my interview with him I clearly stated that we are pleased with our results for Freedom and are seeing substantial growth, so much that we are still hiring more engineers (adding to the already 100 we have working on it) and adding more features and improvements to our consumer privacy product.
This is a non sequitur - the facts that "ZKS is happy with its sales" and "ZKS is hiring more engineers" are unrelated to Declan's evaluation of the available evidence regarding ZKS' sales. In the absence of numbers from ZKS - which would be the best source of that information, if it were available - people wanting to evaluate ZKS and its business must look at less helpful information, which will likely include anecdotal accounts which you dismiss.
Now, if the question before us were "Are the shareholders and employees of ZKS happy with their sales?" or "Are ZKS' sales reasonably within the projections in their business plan?" or "Is ZKS close to bankruptcy?", then the facts and feelings you mention above would be responsive. Those are not, however, the questions raised about ZKS, so your remarks don't seem to be responsive.
It doesn't seem reasonable for you to complain about Declan writing an article based on incomplete information, but to refuse to provide that information so that the article could be based on better data. I get the impression that you would prefer the article not appear at all - which is a reasonable thing to wish for, but not a reasonable thing to expect. If ZKS wants press, it will have to take the bad (or the inconvenient) along with the good.
Because we as a private company refuse to provide Declan with actual sales & revenue numbers he has persisted in reporting that this is because of poor software sales, based on what he described as anecdotal evidence that he has observed in the cypherpunk community.
Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy.
Sure - cypherpunks are a very small market, so it would be very difficult for even a small business to survive on cypherpunk sales alone.
However, that doesn't mean that cypherpunk purchases and evaluations are unimportant, or can be dismissed.
High tech marketing people discuss a "technology adoption life cycle" - Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but I don't know if he was the first person to do so.
Briefly, this model suggests that new products or technology are adopted at a rate which describes a bell curve - at the left edge, there's a initially small adoption rate which represents the activity of "innovators", people who actively seek out new technologies and products, and who frequently provide valuable unofficial marketing and support for new products. Moving to the right, we find the "early adopters", who are not technologists themselves (versus the innovators, who are) but are willing to risk adoption of a technology or product not proven on a wide scale if they see a strong benefit. Moving further to the right, we find the "early majority" and "late majority" who make up the bulk of the adopters of the technology, who wait until the product/technology has been approved and proven by the innovators and early adopters. (Following the late majority are the "laggards", who are a small market and unimportant to this message).
When you describe ZKS and Freedom as "consumers who are concerned with their privacy", I believe you are speaking of the middle of the bell curve - as you say, cypherpunks don't need freedom, but the non-technologists do.
What your analysis seems to miss is the role that's played by the innovators and the early adopters in bringing a product or a technology to a maturity level where it's acceptable to the much larger middle market. For your product, cypherpunks, and wannabe- cypherpunks are the innovators or the early adopters, in large part - the people who will experiment with your product, and tell their friends and families and employers and user groups about it. If you don't meet the needs of the early people, you won't get a chance to meet the needs of the people in the middle.
Comments on the cypherpunks list and at physical meetings seems to suggest that Freedom is not enjoying a good adoption rate within what's likely a big part of that adoption curve. I've only seen a few users of ZKS nyms on public mailing lists, which ought to be a popular use for them; a web search with Google and HotBot doesn't reveal any use of @freedom.net email addresses showing up in mailing list archives.
If you can point to concrete numbers showing adoption rates, I'm sure that many people would be interested - but telling us that you (as a founder of the company) are happy with your sales doesn't do much to tell the rest of us about what's happening inside ZKS. My impression - from my own experience, from the lack of apparent adoption by others, and from ZKS' reframing of its business from stronger protection to weaker protection to the new "privacy consulting" stuff is that ZKS is searching for its niche in the marketplace, and hasn't found it yet.
There's nothing wrong with that - look at AT&T, or the other long distance carriers moving away from consumer services, or the AOL/Time merger - but denying things which are readily apparent doesn't inspire confidence.
To further improve our security and privacy commitment and to ensure users do not have to rely on or trust Zero-Knowledge's claims, we have also published the source code for the system, which is available at,
As far as I can tell, only the Linux client software and the Linux kernel modules are available - but you said yourself that the real target market is Windows. When will the Windows client be made available for inspection? When will the other server-side software be made available?
(Please don't get confused between licensing terms and source code inspection - it's very nice to make software available under GPL or other terms; and it might well be economically or strategically stupid to make your Windows client available under a free license - but that doesn't mean you can't allow open audits of it for security issues, or get an outside organization to publish the results of a code review.)
We are the only privacy company that has published whitepapers on the full protocol, security attacks against the system, and the source code. We believe that this is responsible privacy, and that it is the only way to verify and support our claims to our users.
If there is _ANY_ attack, weaknesses, flaw or security bug we have invited people to review our work and inform us, and we then update our documents to reflect our continued understanding of how to design and implement the best privacy infrastructure available.
Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).
I think everyone agrees that ZKS has built the strongest commercially available client-side privacy system.
Again, that's not the interesting question. The interesting question is "Is it strong enough?"
Everyone who's looked at the question - from your accounts, inside ZKS, and outside people - seems to agree that nobody knows, or if they know they're not telling.
We have 250+ people working very hard on privacy systems, and have taken huge steps in making sure we are accurate in our claims, transparent in our systems and are delivering privacy services that we can be very proud of.
I don't think there's any question that you folks are working hard, that you are doing a good job of only saying true things, that you are moving towards releasing pieces of your infrastructure for review, or that you're providing a service equal to or better than what's currently on the market.
It would be unfortunate if you lost sight of that.
It would also be unfortunate if you confuse questions or concerns about ZKS with hostility towards ZKS. If I have a weird spot on my skin and I ask a doctor friend about it, I don't want them to tell me it's nothing to worry about, even if it's really malignant but they don't want me to feel bad. Similarly, if people in the cypherpunk community raise questions about ZKS, I think it's sensible to assume that they're doing it because they want to help ZKS, or because they want to help privacy generally and think you may be inadvertently harming it.
Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.*
This may be true - but your message was the first one that I've seen which describes clearly the changes made in Freedom's design and implementation between v1 and v2, and I'm a customer. (Not an active one, due to configuration issues, but you've got some of my $, and didn't bother to tell me that the traffic-analysis resistance I thought I paid for has been eliminated because it turned out to be difficult.)
While I greatly appreciate your candor - and am confident that your analysis of the economics of the bandwidth required to foil traffic analysis was correct - I do think there's perhaps some room for improvement re keeping people up-to-date on what sort of protection they can expect from Freedom and ZKS.
If you are ever in the mood to update the Freedom FAQ, I suggest that the following questions would be helpful ones to answer -
Q: If I post a message critical of a big company using a Yahoo forum, and the Yahoo registration data points back to my Freedom account (email and source IP), will the big company be able to get my personal information from you with a subpoena?
Q: If I post a message to a mailing list which has some source code that a big company thinks violates the DMCA, and the big company calls the FBI, will the FBI be able to get my personal information from you with a subpoena?
Q: What happens if I make someone really, really angry and they come to your offices and point guns at your employees .. will they be able to get my personal information from you? Assume they shoot a few people to show they're serious. Then will you find a way to give them my personal information? What if they take your computer equipment away from you (or one of your participating ISP's) at gunpoint, and take it back to their hideout for analysis. How difficult will it be for them to get my personal information?
-- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
For some reason I didn't see Greg's message earlier and only recently saw Declan's forwarded snippets on politech (I'm not currently subscribed to politech). The closing remark at the bottom of Declan's post (from Declan) was "Neither Austin nor anyone at Zero Knowledge replied to the above message." My personal reason for not responding was I didn't see the message. Austin travels an awful lot, so I wouldn't take a lack of an immediate response as acquiescence or an unwillingness to respond. The following is as always my personal opinion. I'm going to skip over the reporting and speculation about sales figures discussion and the little skirmish over that.
Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy.
Sure - cypherpunks are a very small market, so it would be very difficult for even a small business to survive on cypherpunk sales alone.
However, that doesn't mean that cypherpunk purchases and evaluations are unimportant, or can be dismissed.
Cypherpunk opinions matter as cypherpunks are privacy and crypto-anarchy related crypto technology critics -- the analog of film critics in this domain -- the punters listen to them, reporters listen to them. And in Declan's case some reporters are able technology critics themselves. Another reason would be that freedom is a popularisation and development of cypherpunk developed technologies and ideas such as cypherpunk type I and type II remailers, alpha nymservers, PipeNet, traffic shaping etc. So it is entirely expected that the opinons of the people who developed and thought about these original technologies, and had ideas about how one might progress with them are important. Indeed a number of cypherpunks who were involved in some of these implementations and discussions are currently working at ZKS. Cypherpunks also has a pretty high clue factor on privacy and anonymity technology so you'd want to listen to what is said and worry if they were saying things which couldn't be answered.
[Greg writes about the role of early adopters, etc. all good stuff]
What your analysis seems to miss is the role that's played by the innovators and the early adopters in bringing a product or a technology to a maturity level where it's acceptable to the much larger middle market.
I understand that, and offer the additional comments above. There hasn't been as much comment (apart from Wei's comments, and some offlist comments from Lucky) as one might expect about technology choices and protocol design despite the open white papers. I'm hoping the new clearer, more detailed white papers coming with 2.0 will help stimulate such discussion.
Comments on the cypherpunks list and at physical meetings seems to suggest that Freedom is not enjoying a good adoption rate within what's likely a big part of that adoption curve. I've only seen a few users of ZKS nyms on public mailing lists, which ought to be a popular use for them; a web search with Google and HotBot doesn't reveal any use of @freedom.net email addresses showing up in mailing list archives.
Let me clarify a few things about this extrapolation. - freedom 1.x mail system used reply blocks. There were a number of problems with this reliability, usability and performance wise. Some of these were inherent to reply blocks (bit rot, and server churn causes reply blocks to die), some of it implementation related (retry semantics for mail forwarding), some of it to do with relying on third parties for long term operational reliability (which reply blocks do for you). - freedom 1.x allows you to post to news but not to read news anonymously (you have to use dejanews or some other news browser). So (You could read news non-anonymously by just using your ISP NNTP server, but clearly there are problems -- an attacker could mark messages you read and correlate you to your nyms that way.) These two things mean that there are more people using freedom 1.x browsing than freedom 1.x mail. So you aren't going to see an accurate portrayal of user base from email alone. - freedom 2.x has an all new mail system, the workings of which will be described in fair detail in a white paper which will be released RSN. Those playing with the beta will have observed this mail system in action. This new mail system is much easier to use, much more reliable, and much faster. I'd also argue that the 2.x mail system is more secure as it doesn't use reply blocks which are inherently vulnerable to subpoena attack. But then I designed it, so I'll let others critique it. (There is forward secrecy at all stages in the movement of mail in the new system, with maximum of 1/2 hour key cycling.) - freedom 2.x is also much more configurable so you can route other protocols over the cloud, or existing protocols over other ports.
If you can point to concrete numbers showing adoption rates, I'm sure that many people would be interested - but telling us that you (as a founder of the company) are happy with your sales doesn't do much to tell the rest of us about what's happening inside ZKS. My impression - from my own experience,
Some negative experience with it's workings? Could you elaborate?
from the lack of apparent adoption by others,
I offer the above explanation for the large imbalance between web and email users in 1.x. It's really quite severe. My gut feel is that email would be a popular app for pseudonymity. Opinions solicited of course, but I personally was usually more interested in pseudonymous or anonymous mail. It does actually matter if you use the web to look up things you're writing about and you're trying to be strongly anonymous, but typically I haven't been that paranoid. Anyway we'll see if there is a big pick up in mail usage with freedom 2.0, which will be the proof of whether or not the freedom user base likes mail. Web is probably perceived still as "relatively anonymous" for many uses despite the realities of profiling and a fair degree of logging of IPs, logins, and caller-ID by ISPs which can relatively easily be correlated with phone records. The integration mechanism with the mail system (and web, IRC, telnet, ssh etc) works as a transparent local proxy is pretty painless, and works automatically with pretty much any mailer with no user configuration of the mailer. Much smoother integration than even emacs mail-crypt's nym support. (I haven't looked at windows stuff that much, but I'm pretty sure it's nicer than private idaho etc as you get to use your existing mailer). The linux client is nicer than premail for pseudonymity too.
and from ZKS' reframing of its business from stronger protection to weaker protection to the new "privacy consulting" stuff is that ZKS is searching for its niche in the marketplace, and hasn't found it yet.
This isn't a re-framing, it's phase II, and it's been planned since day one. Austin has been talking about being a privacy broker between users and companies for years, it was part of the grand plan for "total world domination" since the early days. Probably some have heard him speak about it at conferences over the last couple of years. In this model you're trying to build a privacy architecture in which users can conduct business privately. So clearly involving businesses is a good idea to enrich what you can do. You're just starting to see that with phase II. The press release was kind of sloppy because it had lots of "all new" claims about Managed Privacy Services (as well as the reference to "split keys", which was actually trying to talk about reply blocks). Reading it one would tend to come away with a very disjointed view. But as I said actually MPS is only "new" in the sense that phase II of the privacy architecture plan has been gearing up for a while now. But it's all part of the big privacy architecture picture that ZKS is trying to build. So this means for example people using freedom to conduct business pseudonymously and so on.
There's nothing wrong with that - look at AT&T, or the other long distance carriers moving away from consumer services, or the AOL/Time merger - but denying things which are readily apparent doesn't inspire confidence.
While the press release leaves one with a disjointed impression, it's misleading. Neither the "Zero Knowledge, after poor software sales, tries new gambit" summary and title Declan came away with after reading that press release, nor the extrapolation of users from the observed mail usage are accurate pictures as I explain above. They are probably reasonable conclusions to draw from the available information, but the available information was misleading and incomplete respectively. Austin quoted by Greg:
In fact, upon review we found that since the costs of doing the bare minimum padding (full link padding from the client node to the first server node) could not be supported by what we felt users were willing to pay for privacy, we reviewed our threat model and lowered the bar on the what we were trying to accomplish.
That's not the way I would express the effect of the changes in the protocol, though it is an accurate description of understanding about traffic analysis at the time the decision was made. More recent understanding, as we examined how to strengthen the threat model is that the existing attacks are not all prevented by the original high bandwidth overhead link padding scheme. In fact it would appear that the padding does not even offer much in the way of additional protection because a powerful attacker can with similar resources to without the padding still engage in active attacks and timing attacks to achieve similar result. Greg writes:
Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).
I think everyone agrees that ZKS has built the strongest commercially available client-side privacy system.
Again, that's not the interesting question. The interesting question is "Is it strong enough?"
It's as strong as we could make it. Private interactive communications are a hard problem. As Wei and I were discussing in the "PipeNet protocol" thread in the last couple of weeks, there are 4 main properties you're trying to optimise over: 1. security (resistance to traffic analysis) 2. performance 3. bandwidth efficiency (cost) 4. DoS resistance It appears pretty hard to get more than one of these properties with theoretical optimality. PipeNet gets the first one with good theoretical security, but none of the others are good. Freedom makes an engineering tradeoff which does reasonably on all 4. If anyone has anything to suggest about how freedom protocols could be improved in any of these criteria, or how one could build a hybrid based on PipeNet, freedom or dc-nets, or other new ideas, I'm always interested to discuss. Lucky had some comments in email about padding, however as I discussed with him the padding costs bandwidth without defending against similar cost attacks. The other similar cost attacks do not appear to be possible to defend against without using PipeNet or DC-net properties. I'd invite Lucky to resume this discussion publicly as he is quoted by Declan stating ZKS didn't make freedom as strong as we could have: Lucky wrote: | Freedom (TM) as shipping does not adequately protect the users' | privacy. [...] Continuing, Wei's PipeNet has some pretty nice security properties, but it's hard to deal with the performance and DoS resistance issue. PipeNet effectively deals with the traffic analysis problem by shutting down the entire network immediately if any active traffic analysis attempts are made. It doesn't appear to be possible to distinguish between active traffic analysis attempts and network congestion or modem drops, so it also would suffer from poor performance and unreliability. DC-nets are nice too but bandwidth cost is probably prohibitively high and DoS (disrupters) are a problem there too. We're working on the traffic analysis problem trying to optimise this problem.
I think everyone agrees that ZKS has built the strongest commercially available client-side privacy system.
Again, that's not the interesting question. The interesting question is "Is it strong enough?"
Everyone who's looked at the question - from your accounts, inside ZKS, and outside people - seems to agree that nobody knows, or if they know they're not telling.
I hope the above can start some discussion of strength against traffic analysis.
Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.*
This may be true - but your message was the first one that I've seen which describes clearly the changes made in Freedom's design and implementation between v1 and v2, and I'm a customer.
Note v2 has not shipped yet except in beta form. The white papers are being updated to ship before or with v2, including the new mail system white paper.
(Not an active one, due to configuration issues, but you've got some of my $, and didn't bother to tell me that the traffic-analysis resistance I thought I paid for has been eliminated because it turned out to be difficult.)
While I greatly appreciate your candor - and am confident that your analysis of the economics of the bandwidth required to foil traffic analysis was correct - I do think there's perhaps some room for improvement re keeping people up-to-date on what sort of protection they can expect from Freedom and ZKS.
I think we can more robustly defend the freedom protocol than that. It's pretty close to the best you can do practically with current state of the art and knowledge about defending against traffic analysis. That's a fairly aggressive statement with a practical deployed system due to all the issues that come up with engineering tradeoffs and complexities of actually developing such a complex system. So as I say it's not because we've decided not to bother, it's because when you actually look at the engineering issues, and the traffic analysis attacks, it's harder than one might predict to start with. Now I think this is a concern for everyone because with strong crypto, mathematics is on our side, and we can effectively laugh at USG's earlier attempts to put the genie back into the bottle. They lost that one. But anonymity systems, particularly interactive ones, don't appear to offer near as steep an advantage to the defender vs the attacker. So I'd encourage people to think about the above described problems, because in my view it is a problem that matters for crypto-anarchy.
If you are ever in the mood to update the Freedom FAQ, I suggest that the following questions would be helpful ones to answer -
The section of the FAQ that covers the questions you're asking is: http://www.freedom.net/faq/index.html?r=6#11 The short answer is no, no, and very. But with the caveat that this is a relatively complex system, and despite our best efforts at auditing code, and protocols, publishing protcols for peer review, hiring third party auditors (counterpane) there may be bugs. This is to my mind the most important aspect of open source -- so people can review what it does, and compare that to what the white papers say it's intended to do. I'd encourage people to help review the code in the same way that PGP was scrutinised. Also note the known issues with the protocols and with the current implementation are in the security issues white paper. This is being updated for 2.0.
Q: If I post a message critical of a big company using a Yahoo forum, and the Yahoo registration data points back to my Freedom account (email and source IP), will the big company be able to get my personal information from you with a subpoena?
Q: If I post a message to a mailing list which has some source code that a big company thinks violates the DMCA, and the big company calls the FBI, will the FBI be able to get my personal information from you with a subpoena?
Q: What happens if I make someone really, really angry and they come to your offices and point guns at your employees .. will they be able to get my personal information from you? Assume they shoot a few people to show they're serious. Then will you find a way to give them my personal information? What if they take your computer equipment away from you (or one of your participating ISP's) at gunpoint, and take it back to their hideout for analysis. How difficult will it be for them to get my personal information?
I'd just like to make these two comment commitments which I'll reveal later when certain projects are announced to demonstrate that they were planned for some time. b26ecfce97bc6c090585a254a297ba5143280cce commit a47d3b46da014002b34d02c3a0524a3209c3c6ae commit2 (They have big random nonces in them, so don't even think about guessing). Adam
On Wed, Nov 22, 2000 at 01:00:47AM -0500, Adam Back wrote:
There hasn't been as much comment (apart from Wei's comments, and some offlist comments from Lucky) as one might expect about technology choices and protocol design despite the open white papers. I'm hoping the new clearer, more detailed white papers coming with 2.0 will help stimulate such discussion.
I think the traffic analysis stuff is important, but it's lower down on my list of threats. My impression is, that for the average Internet user, the most likely privacy invasions they face are: 1. Personal information given to ISP is revealed to litigant or law enforcement, based on identification of the subscriber's IP address, URL, or email address. 2. Personal information given to web-based conferencing system is revealed to litigant or law enforcement, based on the user's system ID; or enough information is released to allow violation (1). 3. Personal information given to instant messaging system is revealed to litigant or law enforcement, based on the user's system ID; or enough information is released to allow violation (1). 4. Personal information given to one entity is shared with another entity contrary to statute or contract. 5. Activity at several different websites is aggregated to form profile of interests or purchasing patterns, which is sold or combined with information from violation of (4). 6. Operator of a machine sharing a network with client machine uses packet sniffer to trap/analyze/store client's cleartext data. 7. Operator of machine which handles user's data (like mailserver, router, etc) uses system access to trap/analyze/store client's cleartext data. 8. User's system retains state regarding online activities (web browsing data stored in cache, 'recent sites' lists; incoming and outgoing emails stored) which is revealed through unanticipated use of user's system by another person. Different end users will give each of those modalities a different likelihood of occurrence, and weight them differently by the damage potential - but I think they're all much more likely than more esoteric attacks like network-based traffic analysis. I would be pretty excited about a system which fixed all or many of the above exposures, even if it were vulnerable to more sophisticated attacks - there are apparently a few people on the cpunks list who merit full-time surveillance, but I think most of us (and most of the people we're likely to recommend privacy systems to) need better protection and support for security against basic attacks before we need even meager protection against sophisticated attacks.
These two things mean that there are more people using freedom 1.x browsing than freedom 1.x mail. So you aren't going to see an accurate portrayal of user base from email alone.
That's a good point. I haven't been able to think of a good way to measure the adoption rate of Freedom 1.x "in the wild" - my next best guess was to comb over my own webserver's logfiles, to see if the Freedom proxies introduce any evidence of their presence. Is that possible?
Some negative experience with it's workings? Could you elaborate?
I experienced (twice) a failure in my Windows 98 network stack after installing the Freedom client - it apparently replaced/modified/removed some DLL component which was important to 32-bit Winsock connections, which meant that Eudora and web browsers stopped working. I wasn't able to get a good answer from tech support, apparently because of the problems with the 1.x reply blocks. Last time I mentioned this I got a nice note from someone in the Freedom support department who promised to help me if I end up running Windows again; after the second installation got trashed, I gave up on Windows, and am in no hurry to go back. In both cases, I was unable after considerable effort to recreate a working network stack, and ended up reinstalling Windows and all of my apps. I don't know if it was my peculiar configuration (which wasn't wildly peculiar, but I did run a lot of software, including the Norton Win32 firewall thing) or Windows lameness or [..], so I'm not ready to say that Freedom is broken - but I know that it exceeded my personal time alloted to monkeying with it, and I didn't do well enough with it to feel good about recommending it to people who are less technically inclined than I am.
My gut feel is that email would be a popular app for pseudonymity. Opinions solicited of course, but I personally was usually more interested in pseudonymous or anonymous mail. It does actually matter if you use the web to look up things you're writing about and you're trying to be strongly anonymous, but typically I haven't been that paranoid.
Same here - it's actually not so hard to get some measure of web anonymity, if you're willing to the free ones like LPWA. Still, web anonymizers are going to be more interesting as more people get fixed IP addresses for their DSL or cable modems. I didn't give web tracking a lot of thought before, because my dialup IP's were at least weakly nondeterministic and not very correlated; but people with fixed IP's have more to worry about.
This isn't a re-framing, it's phase II, and it's been planned since day one. Austin has been talking about being a privacy broker between users and companies for years, it was part of the grand plan for "total world domination" since the early days. Probably some have heard him speak about it at conferences over the last couple of years.
I've heard him say some about this, but didn't link it to the privacy consulting, exactly - what I wonder about with this is where ZKS' loyalties will appear to be. Consumers probably want to see their privacy software vendor as "on their side"; but commercial interests working on data collection are probably going to want to work with people who will help them advance their own goals, sometimes at the price of others' privacy. The closest parallel I can see is to environmental groups, who have in some cases endorsed certain corporations or certain practices as "green" or "environmentally friendly", and who have subsequently lost stature among some of their members and peers as having "sold out". I don't know if it will work well to be perceived as serving two masters - even if the corporate interests pay lip service to "protecting our customers' privacy".
The section of the FAQ that covers the questions you're asking is:
http://www.freedom.net/faq/index.html?r=6#11
The short answer is no, no, and very.
Well, that sounds good - and I appreciate the pointer to the FAQ - but I am not sure the answer is so easy. Let's say that I believe that a Freedom user has defamed me, and I sue them, and my attorney issues a subpoena to Freedom to get their reply block(s); and then my attorney subpoenas the operators of the machines which hold the keys which decrypt the reply blocks .. don't they get my email address? The "Freedom 1.0 Security Issues and Analysis" whitepaper at http://www.freedom.net/info/freedompapers/Freedom-Security.pdf seems to agree that this attack works, in sections 2 and 4.5. Are there plans to fix this? I gather that 2.x will eliminate reply blocks - will it also eliminate this vulnerability? The legal analysis behind that security analysis deserves some updating - in particular, a warrant isn't necessary to get at information held by others, just a subpoena, and all it takes to get a subpoena is filing a lawsuit, as has been demonstrated by any number of aggrieved companies ridiculed on the Yahoo message boards.
I'd just like to make these two comment commitments which I'll reveal later when certain projects are announced to demonstrate that they were planned for some time.
b26ecfce97bc6c090585a254a297ba5143280cce commit a47d3b46da014002b34d02c3a0524a3209c3c6ae commit2
Well, that's something to look forward to. -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
Greg Broiles wrote:
I think the traffic analysis stuff is important, but it's lower down on my list of threats. My impression is, that for the average Internet user, the most likely privacy invasions they face are:
1. Personal information given to ISP is revealed to litigant or law enforcement, based on identification of the subscriber's IP address, URL, or email address.
Freedom will do that as it'll hide your IP address and ISP email address.
2. Personal information given to web-based conferencing system is revealed to litigant or law enforcement, based on the user's system ID; or enough information is released to allow violation (1).
Same.
3. Personal information given to instant messaging system is revealed to litigant or law enforcement, based on the user's system ID; or enough information is released to allow violation (1).
Potentially freedom can handle this, though it depends on the system. Freedom works with IRC, but not yet with ICQ. The issue is that you need a anonymizing local proxy if the protocol violates layering and includes IP addresses in it's higher level messages. Some protocols require this (eg. ftp due to the announcement of the port and IP to connect back to in the request), others don't. As the source code is out (for linux) people can add handlers for their favourite applications (Quake, ICQ etc).
4. Personal information given to one entity is shared with another entity contrary to statute or contract.
Difficult to protect against this one. One could think about applying some of Nick Szabo's ideas to this as it's effectively a private contract issue -- some of things I talked about in my recent post about "smart privacy policies" http://www.inet-one.com/cypherpunks/dir.2000.10.30-2000.11.05/msg00189.html Your best defense is not to give the info. Or perhaps to give it pseudonymously if that is possible.
5. Activity at several different websites is aggregated to form profile of interests or purchasing patterns, which is sold or combined with information from violation of (4).
Freedom's approach to profiling is to let the cookies accumulate on a cookie jar associated with each pseudonym. You can also edit cookies. In this way you still get advertisements more targetted than "random" (which might be thought of as positive if the user is comfortable being pseudonymously profiled). Also you can use multiple persona's to segregate your interests (financial interests, porn, etc.) which reduces your chances of the profiler getting a unified profile -- he gets separate profiles for each of your activities.
6. Operator of a machine sharing a network with client machine uses packet sniffer to trap/analyze/store client's cleartext data.
That's addressed by freedom as packets are all encrypted (modulo the traffic analysis attacks discussed in the previous post).
7. Operator of machine which handles user's data (like mailserver, router, etc) uses system access to trap/analyze/store client's cleartext data.
Also protected for traffic. Mail is protected in the new mail system as the stored mail is encrypted by the sender, and transfers into and out of the mail system are anonymous by being routed through the freedom network, which uses forward secret keying. The 1.x mail system also protects against it as the mail is encrypted end to end, and arrives in the ISP box encrypted.
8. User's system retains state regarding online activities (web browsing data stored in cache, 'recent sites' lists; incoming and outgoing emails stored) which is revealed through unanticipated use of user's system by another person.
That would be a nice thing to clean up. The browsers keep a lot of state, in history, pick-lists, cookies, bookmarks etc. The whole lot could do with storing in an encrypted per local user profile, or having an option to wipe. Even the machine keeps a lot of stuff -- the windows pick list, stuff scattered all over the disk in deleted files etc.
Different end users will give each of those modalities a different likelihood of occurrence, and weight them differently by the damage potential - but I think they're all much more likely than more esoteric attacks like network-based traffic analysis.
I made a suggestion I think on cypherpunks a few months back that freedom and anonymous systems meeting the type of requirements you list could be thought of as legal insurance from bullshit legal attacks.
These two things mean that there are more people using freedom 1.x browsing than freedom 1.x mail. So you aren't going to see an accurate portrayal of user base from email alone.
That's a good point. I haven't been able to think of a good way to measure the adoption rate of Freedom 1.x "in the wild" - my next best guess was to comb over my own webserver's logfiles, to see if the Freedom proxies introduce any evidence of their presence. Is that possible?
You could probably collect a list of freedom exit node IP addresses and look for web hits from them? The hit rate will depend on the site topic and the user group, so it'll still be pretty hit and miss.
Some negative experience with it's workings? Could you elaborate?
I experienced (twice) a failure in my Windows 98 network stack after installing the Freedom client - it apparently replaced/modified/removed some DLL component which was important to 32-bit Winsock connections, which meant that Eudora and web browsers stopped working.
Freedom's trying to do some pretty ambitious things in interfacing with the windows stack from within the tcp stack and transparently re-writing and redirecting packets at that level. That area of windows isn't the best documented. If you were using an early version things may have improved a lot since then. Also I think win2000 stuff is more amenable to the things freedom is trying to do.
My gut feel is that email would be a popular app for pseudonymity. Opinions solicited of course, but I personally was usually more interested in pseudonymous or anonymous mail. It does actually matter if you use the web to look up things you're writing about and you're trying to be strongly anonymous, but typically I haven't been that paranoid.
Same here - it's actually not so hard to get some measure of web anonymity, if you're willing to the free ones like LPWA. Still, web anonymizers are going to be more interesting as more people get fixed IP addresses for their DSL or cable modems. I didn't give web tracking a lot of thought before, because my dialup IP's were at least weakly nondeterministic and not very correlated; but people with fixed IP's have more to worry about.
Well I would avoid using the web at all if I were doing something sensitive. That could be inconvenient. I guess there are web2mail gateways one could use with an alpha nymserver, but that's pretty inconvenient. So freedom is good for that (now that there's a linux version).
This isn't a re-framing, it's phase II, and it's been planned since day one. Austin has been talking about being a privacy broker between users and companies for years, it was part of the grand plan for "total world domination" since the early days. Probably some have heard him speak about it at conferences over the last couple of years.
I've heard him say some about this, but didn't link it to the privacy consulting, exactly
The managed privacy services are technology related and pushing the "zero-knowledge" stance. ZKS technologies include the freedom network, and the freedom client.
The section of the FAQ that covers the questions you're asking is:
http://www.freedom.net/faq/index.html?r=6#11
The short answer is no, no, and very.
Well, that sounds good - and I appreciate the pointer to the FAQ - but I am not sure the answer is so easy. Let's say that I believe that a Freedom user has defamed me, and I sue them, and my attorney issues a subpoena to Freedom to get their reply block(s); and then my attorney subpoenas the operators of the machines which hold the keys which decrypt the reply blocks .. don't they get my email address?
Yes they would. Sorry to be ambiguous. You asked the question with "you" which sounded like ZKS, and ZKS couldn't in general decrypt the whole reply block (it would depend how many of the hops where ZKS nodes). Note there are multiple reply blocks -- default 3 -- to combat reliability and bit rot, so given the mix of ZKS nodes someone could end up with an all ZKS reply block.
The "Freedom 1.0 Security Issues and Analysis" whitepaper at http://www.freedom.net/info/freedompapers/Freedom-Security.pdf seems to agree that this attack works, in sections 2 and 4.5. Are there plans to fix this? I gather that 2.x will eliminate reply blocks - will it also eliminate this vulnerability?
Yes. I mentioned this in the previous mail as a highlight of the new mail system in my view. That plus recording any traffic coming frmo the users machine is all protected by forward secret encryption with freedom 2.x. No keys protecting the outside layer are kept for more than 1/2 hour, and then only in RAM.
The legal analysis behind that security analysis deserves some updating - in particular, a warrant isn't necessary to get at information held by others, just a subpoena, and all it takes to get a subpoena is filing a lawsuit, as has been demonstrated by any number of aggrieved companies ridiculed on the Yahoo message boards.
It wasn't written by legal types -- Adam Shostack & Ian wrote it. I take it there are some legal inaccuracies in the description of legal process? Perhaps one of the lawyers should review those parts. Adam Disclaimer: as always these are my personal comments.
Greg wrote earlier about ZKS' Managed Privacy services:
what I wonder about with this is where ZKS' loyalties will appear to be. Consumers probably want to see their privacy software vendor as "on their side"; but commercial interests working on data collection are probably going to want to work with people who will help them advance their own goals, sometimes at the price of others' privacy.
Well ZKS should have an interest maintaining a good reputation for acting in the interests of users privacy. Companies who use such services should also have an interest in using services of companies with good privacy reputations -- as this would tend to give better consumer confidence in the resulting systems.
The closest parallel I can see is to environmental groups, who have in some cases endorsed certain corporations or certain practices as "green" or "environmentally friendly", and who have subsequently lost stature among some of their members and peers as having "sold out". I don't know if it will work well to be perceived as serving two masters - even if the corporate interests pay lip service to "protecting our customers' privacy".
I guess the only answers are maintaining professionalism, and integrity and to maintain a strong stance on users privacy, with clear long term objectives (avoiding short-sighted small incremental improvements which may stay for a long time just because of the fact that built working systems don't get replaced as long as they continue to function). Openness would be a guiding principle too I would think -- so that users and technology critics can analyse and criticize the systems. Transparent functioning is a huge win for privacy. Adam
I experienced (twice) a failure in my Windows 98 network stack after installing the Freedom client - it apparently replaced/modified/removed some DLL component which was important to 32-bit Winsock connections, which meant that Eudora and web browsers stopped working.
Freedom's trying to do some pretty ambitious things in interfacing with the windows stack from within the tcp stack and transparently re-writing and redirecting packets at that level. That area of windows isn't the best documented. If you were using an early version things may have improved a lot since then. Also I think win2000 stuff is more amenable to the things freedom is trying to do.
In the past year considerable resources were affected to increase the ease of use and to resolve compatibility issues with Freedom. Improvements in the interoperability area, improvements in the qa testing area, and alot of refactoring has greatly improved the overall quality. So yes, it has improved alot. Any 2.0 installation woes during Beta were far and few between. Mario Disclaimer: as always these are my personal comments.
participants (5)
-
Adam Back -
Austin Hill -
Declan McCullagh -
Greg Broiles -
outlaw