CDR: Re: ZKS -- the path to world domination

[Adam Back]

Greg Broiles wrote:
> I think the traffic analysis stuff is important, but it's lower down
> on my list of threats. My impression is, that for the average Internet
> user, the most likely privacy invasions they face are:
> 
> 1.	Personal information given to ISP is revealed to litigant or
> law enforcement, based on identification of the subscriber's IP address,
> URL, or email address.

Freedom will do that as it'll hide your IP address and ISP email
address.

> 2.	Personal information given to web-based conferencing system
> is revealed to litigant or law enforcement, based on the user's system
> ID; or enough information is released to allow violation (1).

Same.

> 3.	Personal information given to instant messaging system is
> revealed to litigant or law enforcement, based on the user's system ID;
> or enough information is released to allow violation (1).

Potentially freedom can handle this, though it depends on the system.
Freedom works with IRC, but not yet with ICQ.  The issue is that you
need a anonymizing local proxy if the protocol violates layering and
includes IP addresses in it's higher level messages.  Some protocols
require this (eg. ftp due to the announcement of the port and IP to
connect back to in the request), others don't.  As the source code is
out (for linux) people can add handlers for their favourite
applications (Quake, ICQ etc).

> 4.	Personal information given to one entity is shared with another
> entity contrary to statute or contract.

Difficult to protect against this one.  One could think about applying
some of Nick Szabo's ideas to this as it's effectively a private
contract issue -- some of things I talked about in my recent post
about "smart privacy policies"

http://www.inet-one.com/cypherpunks/dir.2000.10.30-2000.11.05/msg00189.html

Your best defense is not to give the info.  Or perhaps to give it
pseudonymously if that is possible.

> 5.	Activity at several different websites is aggregated to form
> profile of interests or purchasing patterns, which is sold or combined
> with information from violation of (4).

Freedom's approach to profiling is to let the cookies accumulate on a
cookie jar associated with each pseudonym.  You can also edit cookies.
In this way you still get advertisements more targetted than "random"
(which might be thought of as positive if the user is comfortable
being pseudonymously profiled).  Also you can use multiple persona's
to segregate your interests (financial interests, porn, etc.) which
reduces your chances of the profiler getting a unified profile -- he
gets separate profiles for each of your activities.

> 6.	Operator of a machine sharing a network with client machine uses
> packet sniffer to trap/analyze/store client's cleartext data.

That's addressed by freedom as packets are all encrypted (modulo the
traffic analysis attacks discussed in the previous post).

> 7.	Operator of machine which handles user's data (like mailserver,
> router, etc) uses system access to trap/analyze/store client's
> cleartext data.

Also protected for traffic.  Mail is protected in the new mail system
as the stored mail is encrypted by the sender, and transfers into and
out of the mail system are anonymous by being routed through the
freedom network, which uses forward secret keying.  The 1.x mail
system also protects against it as the mail is encrypted end to end,
and arrives in the ISP box encrypted.

> 8.	User's system retains state regarding online activities (web
> browsing data stored in cache, 'recent sites' lists; incoming and 
> outgoing emails stored) which is revealed through unanticipated use
> of user's system by another person.

That would be a nice thing to clean up.  The browsers keep a lot of
state, in history, pick-lists, cookies, bookmarks etc.  The whole lot
could do with storing in an encrypted per local user profile, or
having an option to wipe.

Even the machine keeps a lot of stuff -- the windows pick list, stuff
scattered all over the disk in deleted files etc.

> Different end users will give each of those modalities a different
> likelihood of occurrence, and weight them differently by the damage
> potential - but I think they're all much more likely than more 
> esoteric attacks like network-based traffic analysis.

I made a suggestion I think on cypherpunks a few months back that
freedom and anonymous systems meeting the type of requirements you
list could be thought of as legal insurance from bullshit legal
attacks.

> > These two things mean that there are more people using freedom 1.x
> > browsing than freedom 1.x mail.  So you aren't going to see an
> > accurate portrayal of user base from email alone.
> 
> That's a good point. I haven't been able to think of a good way to 
> measure the adoption rate of Freedom 1.x "in the wild" - my next
> best guess was to comb over my own webserver's logfiles, to see if
> the Freedom proxies introduce any evidence of their presence. Is
> that possible? 

You could probably collect a list of freedom exit node IP addresses
and look for web hits from them?  The hit rate will depend on the site
topic and the user group, so it'll still be pretty hit and miss.

> > Some negative experience with it's workings?  Could you elaborate?
> 
> I experienced (twice) a failure in my Windows 98 network stack after
> installing the Freedom client - it apparently replaced/modified/removed
> some DLL component which was important to 32-bit Winsock connections,
> which meant that Eudora and web browsers stopped working. 

Freedom's trying to do some pretty ambitious things in interfacing
with the windows stack from within the tcp stack and transparently
re-writing and redirecting packets at that level.  That area of
windows isn't the best documented.  If you were using an early version
things may have improved a lot since then.  Also I think win2000 stuff
is more amenable to the things freedom is trying to do.

> > My gut feel is that email would be a popular app for pseudonymity.
> > Opinions solicited of course, but I personally was usually more
> > interested in pseudonymous or anonymous mail.  It does actually matter
> > if you use the web to look up things you're writing about and you're
> > trying to be strongly anonymous, but typically I haven't been that
> > paranoid.
> 
> Same here - it's actually not so hard to get some measure of web 
> anonymity, if you're willing to the free ones like LPWA. Still,
> web anonymizers are going to be more interesting as more people get
> fixed IP addresses for their DSL or cable modems. I didn't give
> web tracking a lot of thought before, because my dialup IP's were
> at least weakly nondeterministic and not very correlated; but
> people with fixed IP's have more to worry about.

Well I would avoid using the web at all if I were doing something
sensitive.  That could be inconvenient.  I guess there are web2mail
gateways one could use with an alpha nymserver, but that's pretty
inconvenient.  So freedom is good for that (now that there's a linux
version).

> > This isn't a re-framing, it's phase II, and it's been planned since
> > day one.  Austin has been talking about being a privacy broker between
> > users and companies for years, it was part of the grand plan for
> > "total world domination" since the early days.  Probably some have
> > heard him speak about it at conferences over the last couple of years.
> 
> I've heard him say some about this, but didn't link it to the privacy
> consulting, exactly

The managed privacy services are technology related and pushing the
"zero-knowledge" stance.  ZKS technologies include the freedom
network, and the freedom client.

> > The section of the FAQ that covers the questions you're asking is:
> > 
> > http://www.freedom.net/faq/index.html?r=6#11
> > 
> > The short answer is no, no, and very.
> 
> Well, that sounds good - and I appreciate the pointer to the FAQ -
> but I am not sure the answer is so easy. Let's say that I believe
> that a Freedom user has defamed me, and I sue them, and my attorney
> issues a subpoena to Freedom to get their reply block(s); and then
> my attorney subpoenas the operators of the machines which hold the
> keys which decrypt the reply blocks .. don't they get my email 
> address? 

Yes they would.  Sorry to be ambiguous.  You asked the question with
"you" which sounded like ZKS, and ZKS couldn't in general decrypt the
whole reply block (it would depend how many of the hops where ZKS
nodes).  Note there are multiple reply blocks -- default 3 -- to
combat reliability and bit rot, so given the mix of ZKS nodes someone
could end up with an all ZKS reply block.

> The "Freedom 1.0 Security Issues and Analysis" whitepaper
> at http://www.freedom.net/info/freedompapers/Freedom-Security.pdf
> seems to agree that this attack works, in sections 2 and 4.5. Are
> there plans to fix this? I gather that 2.x will eliminate reply
> blocks - will it also eliminate this vulnerability? 

Yes.  I mentioned this in the previous mail as a highlight of the new
mail system in my view.  That plus recording any traffic coming frmo
the users machine is all protected by forward secret encryption with
freedom 2.x.  No keys protecting the outside layer are kept for more
than 1/2 hour, and then only in RAM.

> The legal analysis behind that security analysis deserves some 
> updating - in particular, a warrant isn't necessary to get at
> information held by others, just a subpoena, and all it takes to
> get a subpoena is filing a lawsuit, as has been demonstrated by
> any number of aggrieved companies ridiculed on the Yahoo message
> boards.

It wasn't written by legal types -- Adam Shostack & Ian wrote it.  I
take it there are some legal inaccuracies in the description of legal
process?  Perhaps one of the lawyers should review those parts.

Adam

Disclaimer: as always these are my personal comments.