My short writeup of the NymIP effort

auto110413 at hushmail.com
Tue Dec 12 22:06:10 PST 2000


Now I’m confused – REALLY confused. For a second there, I thought ZKS was 
actually executing a turnaround to become a “real” privacy company, what 
with their recent repositioning towards “managed privacy services” and all. 
Companies out there need privacy solutions, and the field is wide open for 
the taking right now.. There aren’t many other companies out there with 
shipping products for the enterprise space yet .. in addition to ZKS (which 
I’m not sure if they REALLY have a product for the enterprise space? although 
they seem to like to talk about it??) there’s PrivacyRight and Privada out 
in California, and then that’s about it.. and from what I can tell, the 
enterprise market is more than large enough for 3 companies right now.. 
I mean, if ZKS ever got their head screwed on right (read: fired Austin 
Hill??), they MIGHT stand a sliver of a chance of actually making some money 
--

But NOW, ZKS turns around and pulls a “NymIP” project for the IETF? What 
does this have to do w/ anything? (or at least, what does it have to do 
w/ the ZKS repositioning to become a genuine privacy company?) It seems 
this has more in line w/ what I’ve been saying all along: ZKS is really 
a free speech company, not a privacy company. I’ve perused the (so far short) 
NymIP mailing lists and even the members agree that the NymIP project shares 
more in common w/ Fling (http://fling.sourceforge.net/), a free-speech system 
for the Internet, than it does w/ anything privacy related..

First, I’ll go over all the obvious technical flaws w/ NymIP. For this protocol 
to have any practical applicability, we have to believe the ZKS mantra that 
IP addresses somehow represent “personally identifiable information” (PII) 
that is highly sensitive, and therefore must be encrypted… We are asked 
to believe, in other words, that 1 IP address <==> 1 person.. Notwithstanding 
the obvious fact that today 60% of the Internet population logs on through 
AOL where 10,000 users share one IP address at the same time, I’d like to 
ask the NymIP team what they plan to do once IPv6 is rolled out?? The 1 
IP address <==> 1 person concept is highly tenuous under IPv4, and altogether 
laughable under IPv6..

Reading of the Goals of NymIP draft, the project lacks clear definition 
– apparently they want to throw a bunch of academics in a room and see if 
they can come up w/ some vacuous concept called “controlled nymity” (<-- 
what the hell does that mean??) all w/o attempting to set any concrete 
benchmarks or milestones? The draft also stresses PKI.. I’m wondering how 
much trust ZKS in general places in PKI? Have they read Schneier’s 10 risks 
of PKI?:
http://www.counterpane.com/pki-risks-ft.txt

You have to wonder about IETF adoption too .. I checked out the agenda for 
the San Diego meeting and there is no mention of NymIP:
http://www.ietf.org/meetings/IETF-49.html

Also, just run through the standards that the IETF really does back: LDAP, 
Kerberos, IP telephony, VoIP, IPSec, and on and on.. these are real applications 
that have real business uses for enterprises and individuals. That’s why 
they have the support of the IETF.. Where’s the “real” use for nyms? How 
many people have downloaded Freedom and are using it? (I never see anyone I 
know on the Internet using @freedom.net addresses..) How many businesses 
are using ZKS? (if in fact they even have a product for businesses?) If 
nyms were a “real” thing, technologically + economically, they would have 
happened by now, but they haven’t..

(YES – I’m using a nym to write this email, but I don’t use one nym to purchase 
computer books on Amazon, use a different nym to buy porno books on Amazon,
 etc.. and THAT is the economic reality that would have to be occurring 
for ZKS-style nyms to have any real traction – yet it does NOT occur..)

What irritates me more than anything about ZKS is their belief that cryptography 
can solve all the world’s privacy problems.. any sophisticated security professional 
will tell you that cryptography barely solves any security problems, and 
although good privacy starts w/ good security (since w/o security, information 
will tend to leak around where you don’t want it to), privacy is vastly 
more complex than security..

10 years ago you had people like Schneier talking about the role of cryptography 
in security. Since then, these people have moved beyond the algorithms and 
protocols, into the products, then into the policies and procedures, and 
today you have people like Schneier basically advising companies to just 
buy insurance to cover computer security risks – after all, the whole security 
game is just a risk management game, and what better way to manage risk 
than via insurance?

But at ZKS, they’re still living in a world where cryptography solves everything,
 completely ignoring the human element.. (which is really the most important)

(and while we're on the subject of cryptography, what exactly is wrong w/ 
SSL? And don't tell me that SSL still lets you see IP addresses (perfectly 
in line w/ the TCP/IP spec) b/c that has NOTHING to do w/ privacy)

When I look for the “human” element in a company, I look to the marketing 
department – it’s the job of these guys to make sure that what the company 
is working on actually HAS a market. As soon as I heard about the NymIP 
project, my gut instinct was to fire the marketing VP over at ZKS – it was 
like, this is the last straw – the company has completely failed to position 
itself as ANYTHING. First you’re selling this thingie called Freedom that 
is supposed to protect privacy but of course doesn’t, then you’re transitioning 
into the enterprise space, but you still leave 100 engineers working on 
Freedom on payroll, and then you start talking about being a consulting 
company even though PricewaterhouseCoopers will be better than you because 
they have actually broadened their knowledge base beyond “crypto-anarchy” 
and you haven’t and you then have Stefan Brands do a dog and pony show about 
building privacy into PKI, w/ applications in m-commerce, e-commerce, electronic 
voting, location-based services, age/gender verification, DRM, identity 
management and frequent flier miles (<-- NONE OF WHICH, by the way, are 
anything that any of the previously mentioned ZKS units are focusing on) 
and finally you come FULL CIRCLE and decide that you’re going to work on 
this NymIP thing, which most closely resembled your initial Freedom product,
 which is actually a free speech thingie anyway and not a privacy thingie..

Wow – NO FUCKING FOCUS.. and they must be burning at least $2.5 mil every 
month w/ basically nothing to show in revenues (I’m guessing Freedom just 
isn’t the cash cow they thought it might be?? I mean, how many people do 
I see on the Internet using @freedom.net addresses??)

But, back to what I was talking about – I was about to recommend firing 
their marketing VP when I looked at their Web site and realized ZKS HAS 
NO MARKETING VP!! Then I thought: THAT’S THE PROBLEM!! Most “modern” high 
tech companies believe in the mantra that your customers drive your business,
 and will hire a marketing VP usually as employee, say, #3 or #4 so that 
he can go out and validate that there really IS a market for what you are 
proposing.. if not, it’s back to the drawing board until you CAN find some 
customers somewhere for what you’re peddling..

Apparently ZKS does not choose to operate in this manner (listen to customers,
 ship products to market, etc..) And that’s when I realized they likely 
have no marketing VP b/c it’s impossible to market a product as crappy as 
Freedom! Catch22..

In Silicon Valley, most VCs will not fund a company w/ market validation 
and w/o a marketing VP.. apparently this does not hold true in Canada..

I guess in the end, do I really care that much that I’m surfing anonymously? 
Do I really care that much that I’m surfing w/ a non-encrypted IP address? 
(this is, after all, how TCP/IP was designed to work). I’m still SEARCHING 
for a business case here.. SOMEBODY HELP ME.. If I fill out a form and engage 
in a commercial transaction, then yes I want all that and related information 
to remain private (between me and the merchant), but does this really mean 
that I want all my info hidden from the merchant (maybe I’m a sucker for 
frequent flier miles) and does it mean that I’ll swim against the flow and 
drop $30 million++ into trying to redesign TCP/IP from the ground up so 
it has anonymity built-in??

Declan – btw I appreciate the fact that your blurb in Wired about NymIP 
makes no mention of the word “privacy” – I think it’s incredibly important 
that the concept of “privacy” be divorced from the concept of “anonymity” 
in the popular media (where oftentimes these two concepts blur together 
into one..) .. they are clearly not even remotely similar..

And don’t get me wrong – I firmly believe the Internet should have an “anonymous 
safe haven”, so to speak, if only for free speech if nothing else – however,
 I have serious problems w/ a privacy company attempting to deliver on this,
 since it’s technically impossible, economically unmanageable and ultimately 
only confuses an already befuddled marketplace (quite severely, in fact..)..

>http://www.wired.com/news/politics/0,1283,40582,00.html
>
>    Devising Invisible Ink
>    by Declan McCullagh (declan at wired.com)
>    2:00 a.m. Dec. 9, 2000 PST
>
>    WASHINGTON -- An ambitious effort to protect online anonymity 
>    will kick off this weekend.
>
>    A working group of about a dozen technologists, called NymIP, is
>    gathering before the Internet Engineering Task Force's meeting to take
>    the very first steps toward devising a standard that will foster
>    untraceable communications and Web browsing for Internet users.


More information about the cypherpunks-legacy mailing list