CDR: Re: Zero Knowledge changes business model (press release)

Adam Shostack adam at homeport.org
Tue Oct 31 09:19:56 PST 2000


On Tue, Oct 31, 2000 at 11:06:32AM -0500, Trei, Peter wrote:
| 
| I can't help but feel that this is a weakening of ZK's position
| regarding privacy. The critical paragraph is:
| 
| > >Zero-Knowledge is committed to deploying systems that are
| > >transparent and accountable. In keeping with this policy,
| > >MPS will incorporate third party verification and split
| > >encryption key structures, as well as provide consumers
| > >with access to white papers, independent auditors' reports
| > >or other materials that assure a company is doing what it
| > >claims. With MPS Zero-Knowledge strengthens its commitment
| > >to building responsible systems that empower consumers to
| > >control the disclosure and use of their personal
| > >information, while still enabling businesses to thrive in a
| > >data and relationship-driven marketplace.
| > 
| I don't want to be 'assured that a company is doing what it
| claims' (with my personal information). Companies change
| policies at whim. What a firm's founder may fervently 
| believe could become a curio of corporate history after the
| next board meeting. Look at Amazon's recent policy
| change, for example. Also, data in the possession of a
| corporation and me is always less secure than information
| possessed only by me.
|  
| Instead of being assured that the company is acting in
| accordance with their stated policy du jour (or at least, 
| their lawyers' spin on it), I want to know that they CAN'T 
| abuse my personal data, because they don't have any. 
| That is the confidence which ZK's original scheme was 
| intended to produce, and which the introduction of this 
| plan seems to suggest is no longer considered 
| a high priority at ZKS.

Peter,

	You're reading too much in here.  We're still working hard on
Freedom v2, having released the Linux source and install RPMs, new
Windows versions are coming, etc.  This is an additional business
line, not a change in our commitment to produce the coolest, strongest
privacy systems available.

| I hope that ZKS's new service doesn't simply 
| "culminate in the deployment of a tailored privacy layer that
|  integrates seamlessly with the client's existing enterprise
|  applications"....
| 
| but rather looks at their business and informs them of the
| absolute minimum of data they need to acquire, and how
| long to keep that data, if they need to keep it at all. I don't
| want to rely on a 'privacy layer' under the control of an
| entity which will profit from silently circumventing it, or
| be subject to leaks and third party seizures of data. 

	We really hope to be able to do both seamless integration and
help the business figure out what personal information it actually
needs to collect, how long they need to keep it, etc.  We also work
hard to ensure that the company doesn't have the information to leak,
for example by storing encrypted versions for which we, they, and
other parties, like auditors, need to be involved in decrypting.  This 
doesn't change the reality that we're focused on protecting the
privacy of individuals through the strongest mechanisms, it adds
additional ways that we can do that.

	If a business isn't willing to meet certain standards, then
we're not going to be able to work with them.  It would be too
damaging to us, and the trust that people place in us.  Those
standards include disclosing what the privacy systems in place are,
and what the limits of their protection are.  We don't feel that you
can put trust in a company that isn't willing to disclose those
things.

	The systems that we're going to put in place are going to be
technically solid and trustworthy.  We have a fair number of smart
people here who are dedicated to proving that you can move information
around with privacy built in, in ways that range from the Brands
credentials systems to encrypted database entries, etc.  It's hard to
talk in the abstract about this, but until we announce deals, that's
all I can do.  I can say that we will be having some of our best
security people, including Ian, Adam Back, Ulf Muller, Stefan Brands,
and myself look at the systems before they leave the design phase.
Who looks at which system depends on the design and the particular
expertise needed.  It won't be silently circumventable.

Adam

PS: Clearly, adding a new product line requires more outstanding
security folks.  We'll be happy to whisk you away from wherever you
are, and you can help ensure that we do this right. :)

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume







