CDR: Re: Response to false statements about Zero-Knowledge

Declan McCullagh declan at well.com
Sat Nov 11 11:42:33 PST 2000


Austin,

Thanks for your note. I respect what you're trying to do at ZKS. I think 
that if ZKS succeeds, the world will be a better place. Further, I have a 
tremendous deal of respect for some of the very excellent people you have 
hired.

But wishing something to be true does not make it so. My statement about 
ZKS' sluggish Freedom sales is based on extensive conversations over the 
last year with folks in this industry, web searches to see how many ZKS 
nyms appear to be in use, anecdotal information, and conversations with 
other ZKS employees.

As Greg says below, I was writing an article with 
less-than-perfectly-complete information, but information that I have and 
had every reason to believe is accurate. You did nothing to refute that 
belief, and saying "[we are] pleased with our results for Freedom" is an 
analytically and semantically null statement. The Subject: line of your 
message complains about "false statements," but you offer nothing by way of 
identification and refutation.

As you say, you did send a note to my Wired editor demanding a retraction. 
You received a response yesterday saying that Wired identified no errors of 
fact in my article and you were welcome to submit a letter to the editor. I 
hope you will, and I wish you luck at ZKS.

Yours,
Declan


At 15:10 11/10/2000 -0800, Greg Broiles wrote:
>On Fri, Nov 10, 2000 at 02:56:03PM -0500, Austin Hill wrote:
> >
> > First to set the record straight, Declan's claim that our software sales
> > have been poor is completely baseless. He has reported this as fact when
> > during my interview with him I clearly stated that we are pleased with our
> > results for Freedom and are seeing substantial growth, so much that we are
> > still hiring more engineers (adding to the already 100 we have working on
> > it) and adding more features and improvements to our consumer privacy
> > product.
>
>This is a non sequitur - the facts that "ZKS is happy with its sales" and
>"ZKS is hiring more engineers" are unrelated to Declan's evaluation of
>the available evidence regarding ZKS' sales. In the absence of numbers
>from ZKS - which would be the best source of that information, if it
>were available - people wanting to evaluate ZKS and its business must
>look at less helpful information, which will likely include anecdotal
>accounts which you dismiss.
>
>Now, if the question before us were "Are the shareholders and employees
>of ZKS happy with their sales?" or "Are ZKS' sales reasonably within
>the projections in their business plan?" or "Is ZKS close to
>bankruptcy?", then the facts and feelings you mention above would be
>responsive. Those are not, however, the questions raised about ZKS,
>so your remarks don't seem to be responsive.
>
>It doesn't seem reasonable for you to complain about Declan writing
>an article based on incomplete information, but to refuse to provide
>that information so that the article could be based on better data.
>I get the impression that you would prefer the article not appear
>at all - which is a reasonable thing to wish for, but not a reasonable
>thing to expect. If ZKS wants press, it will have to take the bad
>(or the inconvenient) along with the good.
>
> > Because we as a private company refuse to provide Declan with actual sales &
> > revenue numbers he has persisted in reporting that this is because of poor
> > software sales, based on what he described as anecdotal evidence that he has
> > observed in the cypherpunk community.
> >
> > Declan fails to mention that Freedom was never targeted toward Cypherpunks;
> > our goal was to incorporate Cypherpunk-level cryptography and philosophies
> > into a privacy tool that would empower the average Internet user to manage
> > their privacy online. Cypherpunks can build privacy tools for themselves;
> > our target market for Freedom is consumers who are concerned with their
> > privacy.
>
>Sure - cypherpunks are a very small market, so it would be very difficult for
>even a small business to survive on cypherpunk sales alone.
>
>However, that doesn't mean that cypherpunk purchases and evaluations are
>unimportant, or can be dismissed.
>
>High tech marketing people discuss a "technology adoption life cycle" -
>Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but
>I don't know if he was the first person to do so.
>
>Briefly, this model suggests that new products or technology are adopted
>at a rate which describes a bell curve - at the left edge, there's an
>initially small adoption rate which represents the activity of
>"innovators", people who actively seek out new technologies and products,
>and who frequently provide valuable unofficial marketing and support
>for new products. Moving to the right, we find the "early adopters",
>who are not technologists themselves (versus the innovators, who are)
>but are willing to risk adoption of a technology or product not proven
>on a wide scale if they see a strong benefit. Moving further to the
>right, we find the "early majority" and "late majority" who make up
>the bulk of the adopters of the technology, who wait until the
>product/technology has been approved and proven by the innovators and
>early adopters. (Following the late majority are the "laggards",
>who are a small market and unimportant to this message).
>
>When you describe ZKS and Freedom as "consumers who are concerned with
>their privacy", I believe you are speaking of the middle of the
>bell curve - as you say, cypherpunks don't need freedom, but the
>non-technologists do.
>
>What your analysis seems to miss is the role that's played by the
>innovators and the early adopters in bringing a product or a
>technology to a maturity level where it's acceptable to the much
>larger middle market. For your product, cypherpunks, and wannabe-
>cypherpunks are the innovators or the early adopters, in large
>part - the people who will experiment with your product, and tell
>their friends and families and employers and user groups about it.
>If you don't meet the needs of the early people, you won't get
>a chance to meet the needs of the people in the middle.
>
>Comments on the cypherpunks list and at physical meetings seem
>to suggest that Freedom is not enjoying a good adoption rate
>within what's likely a big part of that adoption curve. I've only
>seen a few users of ZKS nyms on public mailing lists, which ought
>to be a popular use for them; a web search with Google and
>HotBot doesn't reveal any use of @freedom.net email addresses
>showing up in mailing list archives.
>
>If you can point to concrete numbers showing adoption rates, I'm
>sure that many people would be interested - but telling us
>that you (as a founder of the company) are happy with your sales
>doesn't do much to tell the rest of us about what's happening
>inside ZKS. My impression - from my own experience, from the
>lack of apparent adoption by others, and from ZKS' reframing of
>its business from stronger protection to weaker protection to
>the new "privacy consulting" stuff is that ZKS is searching
>for its niche in the marketplace, and hasn't found it yet.
>
>There's nothing wrong with that - look at AT&T, or the other
>long distance carriers moving away from consumer services, or
>the AOL/Time merger - but denying things which are readily
>apparent doesn't inspire confidence.
>
> > To further improve our security and privacy commitment and to ensure users
> > do not have to rely on or trust Zero-Knowledge's claims, we have also
> > published the source code for the system, which is available at,
> >
> > http://opensource.zeroknowledge.com
>
>As far as I can tell, only the Linux client software and the Linux
>kernel modules are available - but you said yourself that the
>real target market is Windows. When will the Windows client be made
>available for inspection? When will the other server-side software
>be made available?
>
>(Please don't get confused between licensing terms and source code
>inspection - it's very nice to make software available under GPL
>or other terms; and it might well be economically or strategically
>stupid to make your Windows client available under a free license -
>but that doesn't mean you can't allow open audits of it for
>security issues, or get an outside organization to publish the
>results of a code review.)
>
> > We are the only privacy company that has published whitepapers on the full
> > protocol, security attacks against the system, and the source code. We
> > believe that this is responsible privacy, and that it is the only way to
> > verify and support our claims to our users.
> >
> > If there is _ANY_ attack, weaknesses, flaw or security bug we have invited
> > people to review our work and inform us, and we then update our documents to
> > reflect our continued understanding of how to design and implement the best
> > privacy infrastructure available.
> >
> > Based on this, we believe we are the strongest privacy solution on the
> > market. (In fact most other privacy companies claim that we are 'killing a
> > fly with a bazooka' by going overboard with strong crypto and multi-hop
> > routing).
>
>I think everyone agrees that ZKS has built the strongest commercially
>available client-side privacy system.
>
>Again, that's not the interesting question. The interesting question is
>"Is it strong enough?"
>
>Everyone who's looked at the question - from your accounts, inside ZKS,
>and outside people - seems to agree that nobody knows, or if they know
>they're not telling.
>
> > We have 250+ people working very hard on privacy systems, and have taken
> > huge steps in making sure we are accurate in our claims, transparent in our
> > systems and are delivering privacy services that we can be very proud of.
>
>I don't think there's any question that you folks are working hard, that
>you are doing a good job of only saying true things, that you are moving
>towards releasing pieces of your infrastructure for review, or that you're
>providing a service equal to or better than what's currently on the market.
>
>It would be unfortunate if you lost sight of that.
>
>It would also be unfortunate if you confuse questions or concerns about
>ZKS with hostility towards ZKS. If I have a weird spot on my skin and I
>ask a doctor friend about it, I don't want them to tell me it's nothing
>to worry about, even if it's really malignant but they don't want me
>to feel bad. Similarly, if people in the cypherpunk community raise
>questions about ZKS, I think it's sensible to assume that they're doing
>it because they want to help ZKS, or because they want to help privacy
>generally and think you may be inadvertently harming it.
>
> > Lucky, by claiming that we are misleading our users or not protecting their
> > privacy because of the lack of resistance to traffic analysis is
> > irresponsible and is allowing the best to be the enemy of the good.*
>
>This may be true - but your message was the first one that I've seen which
>describes clearly the changes made in Freedom's design and implementation
>between v1 and v2, and I'm a customer. (Not an active one, due to
>configuration issues, but you've got some of my $, and didn't bother
>to tell me that the traffic-analysis resistance I thought I paid for
>has been eliminated because it turned out to be difficult.)
>
>While I greatly appreciate your candor - and am confident that your
>analysis of the economics of the bandwidth required to foil traffic
>analysis was correct - I do think there's perhaps some room for
>improvement re keeping people up-to-date on what sort of protection
>they can expect from Freedom and ZKS.
>
>If you are ever in the mood to update the Freedom FAQ, I suggest that
>the following questions would be helpful ones to answer -
>
>Q:      If I post a message critical of a big company using a Yahoo
>forum, and the Yahoo registration data points back to my Freedom
>account (email and source IP), will the big company be able to get
>my personal information from you with a subpoena?
>
>Q:      If I post a message to a mailing list which has some
>source code that a big company thinks violates the DMCA, and the
>big company calls the FBI, will the FBI be able to get my
>personal information from you with a subpoena?
>
>Q:      What happens if I make someone really, really angry and
>they come to your offices and point guns at your employees ..
>will they be able to get my personal information from you? Assume
>they shoot a few people to show they're serious. Then will
>you find a way to give them my personal information? What if they
>take your computer equipment away from you (or one of your
>participating ISP's) at gunpoint, and take it back to their
>hideout for analysis. How difficult will it be for them to
>get my personal information?
>
>--
>Greg Broiles gbroiles at netbox.com
>PO Box 897
>Oakland CA 94604




