CDR: Response to false statements about Zero-Knowledge

Greg Broiles gbroiles at netbox.com
Fri Nov 10 15:10:46 PST 2000


On Fri, Nov 10, 2000 at 02:56:03PM -0500, Austin Hill wrote:
> 
> First to set the record straight, Declan's claim that our software sales
> have been poor is completely baseless. He has reported this as fact when
> during my interview with him I clearly stated that we are pleased with our
> results for Freedom and are seeing substantial growth, so much that we are
> still hiring more engineers (adding to the already 100 we have working on
> it) and adding more features and improvements to our consumer privacy
> product.    

This is a non sequitur - the facts that "ZKS is happy with its sales" and
"ZKS is hiring more engineers" are unrelated to Declan's evaluation of
the available evidence regarding ZKS' sales. In the absence of numbers
from ZKS - which would be the best source of that information, if it
were available - people wanting to evaluate ZKS and its business must
look at less helpful information, which will likely include anecdotal
accounts which you dismiss.

Now, if the question before us were "Are the shareholders and employees
of ZKS happy with their sales?" or "Are ZKS' sales reasonably within
the projections in their business plan?" or "Is ZKS close to 
bankruptcy?", then the facts and feelings you mention above would be
responsive. Those are not, however, the questions raised about ZKS,
so your remarks don't seem to be responsive. 

It doesn't seem reasonable for you to complain about Declan writing
an article based on incomplete information, but to refuse to provide
that information so that the article could be based on better data.
I get the impression that you would prefer the article not appear 
at all - which is a reasonable thing to wish for, but not a reasonable
thing to expect. If ZKS wants press, it will have to take the bad
(or the inconvenient) along with the good.

> Because we as a private company refuse to provide Declan with actual sales &
> revenue numbers he has persisted in reporting that this is because of poor
> software sales, based on what he described as anecdotal evidence that he has
> observed in the cypherpunk community.  
> 
> Declan fails to mention that Freedom was never targeted toward Cypherpunks;
> our goal was to incorporate Cypherpunk-level cryptography and philosophies
> into a privacy tool that would empower the average Internet user to manage
> their privacy online. Cypherpunks can build privacy tools for themselves;
> our target market for Freedom is consumers who are concerned with their
> privacy. 

Sure - cypherpunks are a very small market, so it would be very difficult for
even a small business to survive on cypherpunk sales alone.

However, that doesn't mean that cypherpunk purchases and evaluations are
unimportant, or can be dismissed.

High tech marketing people discuss a "technology adoption life cycle" - 
Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but
I don't know if he was the first person to do so.

Briefly, this model suggests that new products or technology are adopted
at a rate which describes a bell curve - at the left edge, there's an
initially small adoption rate which represents the activity of 
"innovators", people who actively seek out new technologies and products,
and who frequently provide valuable unofficial marketing and support
for new products. Moving to the right, we find the "early adopters",
who are not technologists themselves (versus the innovators, who are)
but are willing to risk adoption of a technology or product not proven
on a wide scale if they see a strong benefit. Moving further to the
right, we find the "early majority" and "late majority" who make up
the bulk of the adopters of the technology, who wait until the 
product/technology has been approved and proven by the innovators and
early adopters. (Following the late majority are the "laggards",
who are a small market and unimportant to this message). 

When you describe ZKS and Freedom as "consumers who are concerned with
their privacy", I believe you are speaking of the middle of the
bell curve - as you say, cypherpunks don't need freedom, but the
non-technologists do.

What your analysis seems to miss is the role that's played by the 
innovators and the early adopters in bringing a product or a 
technology to a maturity level where it's acceptable to the much
larger middle market. For your product, cypherpunks, and wannabe-
cypherpunks are the innovators or the early adopters, in large
part - the people who will experiment with your product, and tell
their friends and families and employers and user groups about it.
If you don't meet the needs of the early people, you won't get
a chance to meet the needs of the people in the middle.

Comments on the cypherpunks list and at physical meetings seem
to suggest that Freedom is not enjoying a good adoption rate 
within what's likely a big part of that adoption curve. I've only
seen a few users of ZKS nyms on public mailing lists, which ought
to be a popular use for them; a web search with Google and
HotBot doesn't reveal any use of @freedom.net email addresses
showing up in mailing list archives. 

If you can point to concrete numbers showing adoption rates, I'm 
sure that many people would be interested - but telling us
that you (as a founder of the company) are happy with your sales
doesn't do much to tell the rest of us about what's happening
inside ZKS. My impression - from my own experience, from the
lack of apparent adoption by others, and from ZKS' reframing of
its business from stronger protection to weaker protection to
the new "privacy consulting" stuff - is that ZKS is searching
for its niche in the marketplace, and hasn't found it yet.

There's nothing wrong with that - look at AT&T, or the other
long distance carriers moving away from consumer services, or
the AOL/Time merger - but denying things which are readily 
apparent doesn't inspire confidence.

> To further improve our security and privacy commitment and to ensure users
> do not have to rely on or trust Zero-Knowledge's claims, we have also
> published the source code for the system, which is available at,
> 
> http://opensource.zeroknowledge.com

As far as I can tell, only the Linux client software and the Linux
kernel modules are available - but you said yourself that the
real target market is Windows. When will the Windows client be made
available for inspection? When will the other server-side software
be made available?

(Please don't get confused between licensing terms and source code
inspection - it's very nice to make software available under GPL
or other terms; and it might well be economically or strategically
stupid to make your Windows client available under a free license -
but that doesn't mean you can't allow open audits of it for
security issues, or get an outside organization to publish the
results of a code review.)

> We are the only privacy company that has published whitepapers on the full
> protocol, security attacks against the system, and the source code. We
> believe that this is responsible privacy, and that it is the only way to
> verify and support our claims to our users.
> 
> If there is _ANY_ attack, weaknesses, flaw or security bug we have invited
> people to review our work and inform us, and we then update our documents to
> reflect our continued understanding of how to design and implement the best
> privacy infrastructure available.
> 
> Based on this, we believe we are the strongest privacy solution on the
> market. (In fact most other privacy companies claim that we are 'killing a
> fly with a bazooka' by going overboard with strong crypto and multi-hop
> routing).

I think everyone agrees that ZKS has built the strongest commercially
available client-side privacy system.

Again, that's not the interesting question. The interesting question is
"Is it strong enough?" 

Everyone who's looked at the question - from your accounts, inside ZKS,
and outside people - seems to agree that nobody knows, or if they know
they're not telling. 

> We have 250+ people working very hard on privacy systems, and have taken
> huge steps in making sure we are accurate in our claims, transparent in our
> systems and are delivering privacy services that we can be very proud of.

I don't think there's any question that you folks are working hard, that
you are doing a good job of only saying true things, that you are moving
towards releasing pieces of your infrastructure for review, or that you're
providing a service equal to or better than what's currently on the market.

It would be unfortunate if you lost sight of that.

It would also be unfortunate if you confuse questions or concerns about
ZKS with hostility towards ZKS. If I have a weird spot on my skin and I
ask a doctor friend about it, I don't want them to tell me it's nothing
to worry about, even if it's really malignant but they don't want me
to feel bad. Similarly, if people in the cypherpunk community raise
questions about ZKS, I think it's sensible to assume that they're doing
it because they want to help ZKS, or because they want to help privacy
generally and think you may be inadvertently harming it. 

> Lucky, by claiming that we are misleading our users or not protecting their
> privacy because of the lack of resistance to traffic analysis is
> irresponsible and is allowing the best to be the enemy of the good.*

This may be true - but your message was the first one that I've seen which
describes clearly the changes made in Freedom's design and implementation
between v1 and v2, and I'm a customer. (Not an active one, due to
configuration issues, but you've got some of my $, and didn't bother
to tell me that the traffic-analysis resistance I thought I paid for
has been eliminated because it turned out to be difficult.) 

While I greatly appreciate your candor - and am confident that your
analysis of the economics of the bandwidth required to foil traffic
analysis was correct - I do think there's perhaps some room for 
improvement re keeping people up-to-date on what sort of protection
they can expect from Freedom and ZKS.

If you are ever in the mood to update the Freedom FAQ, I suggest that
the following questions would be helpful ones to answer -

Q:	If I post a message critical of a big company using a Yahoo
forum, and the Yahoo registration data points back to my Freedom
account (email and source IP), will the big company be able to get
my personal information from you with a subpoena?

Q:	If I post a message to a mailing list which has some 
source code that a big company thinks violates the DMCA, and the
big company calls the FBI, will the FBI be able to get my
personal information from you with a subpoena? 

Q:	What happens if I make someone really, really angry and
they come to your offices and point guns at your employees ..
will they be able to get my personal information from you? Assume
they shoot a few people to show they're serious. Then will
you find a way to give them my personal information? What if they
take your computer equipment away from you (or one of your
participating ISPs) at gunpoint, and take it back to their
hideout for analysis. How difficult will it be for them to
get my personal information? 

--
Greg Broiles gbroiles at netbox.com
PO Box 897
Oakland CA 94604
