CDR: Re: ZKS -- the path to world domination

Wed Nov 22 23:23:36 PST 2000

On Wed, Nov 22, 2000 at 01:00:47AM -0500, Adam Back wrote:
> 
> There hasn't been as much comment (apart from Wei's comments, and some
> offlist comments from Lucky) as one might expect about technology
> choices and protocol design despite the open white papers.  I'm hoping
> the new clearer, more detailed white papers coming with 2.0 will help
> stimulate such discussion.

I think the traffic analysis stuff is important, but it's lower down
on my list of threats. My impression is, that for the average Internet
user, the most likely privacy invasions they face are:

1.	Personal information given to ISP is revealed to litigant or
law enforcement, based on identification of the subscriber's IP address,
URL, or email address.

2.	Personal information given to web-based conferencing system
is revealed to litigant or law enforcement, based on the user's system
ID; or enough information is released to allow violation (1).

3.	Personal information given to instant messaging system is
revealed to litigant or law enforcement, based on the user's system ID;
or enough information is released to allow violation (1).

4.	Personal information given to one entity is shared with another
entity contrary to statute or contract.

5.	Activity at several different websites is aggregated to form
profile of interests or purchasing patterns, which is sold or combined
with information from violation of (4).

6.	Operator of a machine sharing a network with client machine uses
packet sniffer to trap/analyze/store client's cleartext data.

7.	Operator of machine which handles user's data (like mailserver,
router, etc) uses system access to trap/analyze/store client's
cleartext data.

8.	User's system retains state regarding online activities (web
browsing data stored in cache, 'recent sites' lists; incoming and 
outgoing emails stored) which is revealed through unanticipated use
of user's system by another person.

Different end users will give each of those modalities a different
likelihood of occurrence, and weight them differently by the damage
potential - but I think they're all much more likely than more 
esoteric attacks like network-based traffic analysis.

I would be pretty excited about a system which fixed all or many of
the above exposures, even if it were vulnerable to more sophisticated
attacks - there are apparently a few people on the cpunks list who
merit full-time surveillance, but I think most of us (and most of the
people we're likely to recommend privacy systems to) need better
protection and support for security against basic attacks before we
need even meager protection against sophisticated attacks. 

> These two things mean that there are more people using freedom 1.x
> browsing than freedom 1.x mail.  So you aren't going to see an
> accurate portrayal of user base from email alone.

That's a good point. I haven't been able to think of a good way to 
measure the adoption rate of Freedom 1.x "in the wild" - my next
best guess was to comb over my own webserver's logfiles, to see if
the Freedom proxies introduce any evidence of their presence. Is
that possible? 

> Some negative experience with it's workings?  Could you elaborate?

I experienced (twice) a failure in my Windows 98 network stack after
installing the Freedom client - it apparently replaced/modified/removed
some DLL component which was important to 32-bit Winsock connections,
which meant that Eudora and web browsers stopped working. I wasn't
able to get a good answer from tech support, apparently because of
the problems with the 1.x reply blocks. Last time I mentioned this I
got a nice note from someone in the Freedom support department who
promised to help me if I end up running Windows again; after the
second installation got trashed, I gave up on Windows, and am in
no hurry to go back. In both cases, I was unable after considerable
effort to recreate a working network stack, and ended up reinstalling
Windows and all of my apps.

I don't know if it was my peculiar configuration (which wasn't wildly
peculiar, but I did run a lot of software, including the Norton
Win32 firewall thing) or Windows lameness or [..], so I'm not ready
to say that Freedom is broken - but I know that it exceeded my
personal time alloted to monkeying with it, and I didn't do well
enough with it to feel good about recommending it to people who are
less technically inclined than I am. 

> My gut feel is that email would be a popular app for pseudonymity.
> Opinions solicited of course, but I personally was usually more
> interested in pseudonymous or anonymous mail.  It does actually matter
> if you use the web to look up things you're writing about and you're
> trying to be strongly anonymous, but typically I haven't been that
> paranoid.

Same here - it's actually not so hard to get some measure of web 
anonymity, if you're willing to the free ones like LPWA. Still,
web anonymizers are going to be more interesting as more people get
fixed IP addresses for their DSL or cable modems. I didn't give
web tracking a lot of thought before, because my dialup IP's were
at least weakly nondeterministic and not very correlated; but
people with fixed IP's have more to worry about.

> This isn't a re-framing, it's phase II, and it's been planned since
> day one.  Austin has been talking about being a privacy broker between
> users and companies for years, it was part of the grand plan for
> "total world domination" since the early days.  Probably some have
> heard him speak about it at conferences over the last couple of years.

I've heard him say some about this, but didn't link it to the privacy
consulting, exactly - what I wonder about with this is where ZKS'
loyalties will appear to be. Consumers probably want to see their
privacy software vendor as "on their side"; but commercial interests
working on data collection are probably going to want to work with
people who will help them advance their own goals, sometimes at the
price of others' privacy. The closest parallel I can see is to
environmental groups, who have in some cases endorsed certain 
corporations or certain practices as "green" or "environmentally
friendly", and who have subsequently lost stature among some of
their members and peers as having "sold out". I don't know if it
will work well to be perceived as serving two masters - even if
the corporate interests pay lip service to "protecting our 
customers' privacy". 

> The section of the FAQ that covers the questions you're asking is:
> 
> http://www.freedom.net/faq/index.html?r=6#11
> 
> The short answer is no, no, and very.

Well, that sounds good - and I appreciate the pointer to the FAQ -
but I am not sure the answer is so easy. Let's say that I believe
that a Freedom user has defamed me, and I sue them, and my attorney
issues a subpoena to Freedom to get their reply block(s); and then
my attorney subpoenas the operators of the machines which hold the
keys which decrypt the reply blocks .. don't they get my email 
address? The "Freedom 1.0 Security Issues and Analysis" whitepaper
at http://www.freedom.net/info/freedompapers/Freedom-Security.pdf
seems to agree that this attack works, in sections 2 and 4.5. Are
there plans to fix this? I gather that 2.x will eliminate reply
blocks - will it also eliminate this vulnerability? 

The legal analysis behind that security analysis deserves some 
updating - in particular, a warrant isn't necessary to get at
information held by others, just a subpoena, and all it takes to
get a subpoena is filing a lawsuit, as has been demonstrated by
any number of aggrieved companies ridiculed on the Yahoo message
boards.

> I'd just like to make these two comment commitments which I'll reveal
> later when certain projects are announced to demonstrate that they
> were planned for some time.
> 
> b26ecfce97bc6c090585a254a297ba5143280cce commit
> a47d3b46da014002b34d02c3a0524a3209c3c6ae commit2

Well, that's something to look forward to. 

--
Greg Broiles gbroiles at netbox.com
PO Box 897
Oakland CA 94604