CDR: ZKS goes GAK

Tim May tcmay at got.net
Tue Oct 31 09:40:43 PST 2000 

At 11:06 AM -0500 10/31/00, Trei, Peter wrote:
>
>I don't want to be 'assured that a company is doing what it
>claims' (with my personal information). Companies change
>policies at whim. What a firm's founder may fervently
>believe could become a curio of corporate history after the
>next board meeting. Look at Amazon's recent policy
>change, for example. Also, data in the possession of a
>corporation and me is always less secure than information
>possessed only by me.

And sensitive data held by "trusted third parties" is always subject 
to subpoena by authorities, litigants (in some cases), and by 
national security access. (Not surprisingly, this is precisely why 
the U.K. was pushing "trusted third parties" so strongly.)

In the United States, for example, the holder of information 
generally has less power to assert Fourth Amendment protections than 
the actual owner of that information has. (That is, if Alice the 
Storage Company is holding stuff for Bob, Alice cannot assert Fourth 
Amendment rights on behalf of Bob. Greg Broiles, IIRC, wrote up some 
nice stuff on this a few years ago.) A bank may disclose financial 
records of a customer subject to the banking laws, not subject to the 
Fourth and other such amendments.

Wanna bet that the "trusted third parties" being talked about in 
Britain, Europe, and other countries will be treated in this light? 
In France and Iran for sure, and probably in the U.S.

Will a company like Intel feel secure knowing that "trusted third 
parties" have the ability to access its most important secrets? Gimme 
a fucking break.

Any such key sharing, key splitting, key escrow, GAK, trusted third 
parties, or "legitmate needs of law enforcement" completely guts the 
underlying crypto. Why bother trying to break a 128-bit key when 
court orders--often delivered secretly, as with banks, naational 
security concerns, etc.--will do the trick?

GAK beats crack.

(Carl Ellison's term for "government access to keys")

>
>Instead of being assured that the company is acting in
>accordance with their stated policy du jour (or at least,
>their lawyers' spin on it), I want to know that they CAN'T
>abuse my personal data, because the don't have any.
>That is the confidence which ZK's original scheme was
>intended to produce, and which the introduction of this
>plan seems to seems to suggest is no longer considered
>a high priority at ZKS.

If the original Freedom product is:

a. as unbreakable/untraceable as was originally planned (verdict is out, IMO)

and

b. is continued to be supported and distributed

then why would the new "trusted third parties" system be needed?

Unless mandated by law, why would any company or organization place 
its secrets in the hands of others?

Which may explain the language in the ZKS release about "in accord 
with relevant legislation."

Of course, if local relevant legislation requires third party key 
escrow, what happens to the legality of the Freedom product? Hmmmhhh.



>
>It may be that the ZK's product 'Freedom' is proving a
>financial bust (I won't use it until I can buy nyms
>for cash at CompUSA). I understand the drive to meet
>payroll and pay off VCs, but I can't help but be
>saddened.

I'm saddened as well. Many fine folks work for ZKS, including some 
folks I count as friends. And Austin Hill is a fine person, from what 
I have seen (one face-to-face meeting a couple of years ago, one long 
phone conversation, a few e-mails).

Freedom was a sort of interesting product, though the "terms and 
conditions" for cancelling the prepaid nyms were unacceptable to me. 
I'm not shelling out $50 for a nym only to find it cancelled because 
I said something banned by Canada's laws about hate speech, as just 
one example. The requirement to buy with a credit card or other 
noncash instrument bothered me, as it bothers Peter. Lastly, the Mac 
issue.



It may be that this new product is just being floated as a trial 
balloon, that Freedom and other "unbreakable" (so to speak) products 
will be their main focus.

History shows that such trial balloons in the direction of key 
escrow, GAK, and key-splitting will be devastating. Recall how PGP 
got sidetracked into discussions of its limited key escrow feature 
set, with many people speaking out against the GAKware aspects; 
whether this contributed to what happened to the commercial prospects 
for PGP is unclear. I know that most of the Cypherpunks folks drifted 
away from Network Associates.

If ZKS is seen as "building in Big Brother," then the PR consequences 
for them will be devastating.


--Tim May
-- 
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.

More information about the cypherpunks-legacy mailing list