CDR: Re: Zero Knowledge changes business model (press release)

Greg Broiles gbroiles at netbox.com
Tue Oct 31 16:06:12 PST 2000


On Tue, Oct 31, 2000 at 05:14:49PM -0500, Declan McCullagh wrote:

> * I suggested that Freedom had been somewhat less than successful in the 
> marketplace. (Out of 3,500 cypherpunks messages I have stored here, only 
> one nym appears, and this is presumably one of the target audiences.) I 
> suggested that this is a change of strategy for ZKS in an era where 
> investors want profitability. Austin denied it, and said that over 100 
> engineers "right now" were still working on Freedom.

Sounds like he's denying the notion of a change in strategy, not your
underlying premise - that the market for Freedom isn't what they'd hoped
for. That seems difficult to deny, though I'd love to see sales figures
to the contrary. I'm one of the people who has paid for Freedom, but gave
up on it after it trashed a Win 98 installation twice, and I was unable
to get a response from ZKS tech support. 

Austin is very good at answering the questions he thinks someone should
ask, not the questions actually asked. 

> * I suggested the model they were moving toward was Andersen Consulting. 
> Austin said no, "Verisign is the better analogy." He said one difference 
> was that he anticipated ongoing licensing/fee arrangements between ZKS and 
> clients after original work is complete.

I don't know what Andersen is doing re privacy, but I know that D&T, E&Y,
and PWC are all operating privacy-consulting arms which do more or less
what ZKS seems to be describing, except that they don't get so deep into
the technical operations, as far as I know - they don't operate key shares,
etc. While I think it's really sensible for ZKS to think about this
approach - they've assembled a bunch of smart people who are apparently
working on something nobody's buying. They've got to be burning cash
pretty quickly, and it only makes sense to repurpose those people into
providing their analysis and information to other people who need it.

(And, for what it's worth, Adam, it's HIPAA, not HIPPA. :) 

> * ZKS appears to be targeting heavily-regulated areas like medical and 
> financial sectors. They will come in, set up a privacy-protective system, 
> perhaps provide some ongoing service, and (if so) collect ongoing fees. In 
> those cases, "a consumer solution like Freedom allowing anonymity doesn't 
> fit that market."

That seems like a sensible idea, but I'm a little skeptical that they'll
pull it off when competing with big well-known accounting firms - the
accounting firms have built reputations around maintaining client
confidentiality, while ZKS has been pretty aggressively and conspicuously
hiring wild-eyed cypherpunk types, who won't necessarily inspire a lot of
confidence or trust in accountant and risk-manager types.

Me, I'd trust the cypherpunk over the Big 5 guy, but I'm not the
customer.

Cf. the moderate and slow success enjoyed by the hackers-cum-security
consulting firms - they seem to make enough to pay themselves, which is
more than can be said for a lot of businesses, but they haven't been
as successful as firms with law enforcement and private security 
backgrounds - not because of lack of knowledge, but because the ex-cops
know how to create and maintain an image of reliability and
predictability and trustworthiness, which is harder for people who aren't
even accustomed to using an apparently "real" name.

> But Austin seems to be envisioning 
> a market in which *some* third party in the transaction, be it a business, 
> intermediary, or ZKS, possesses personal info about customers and only 
> receives what is necessary.

This does seem to be the direction they've always been going - at the cpunks
meeting prior to RSA in Jan of 2000, Austin was talking about something
I'd call "mediated pseudonymity" or "managed pseudonymity", where ZKS 
ends up as a trusted privacy intermediary. This seems to dovetail well
with Stefan Brands' ideas about privacy and anonymity.

I'm pretty skeptical that there's a real market for that - cypherpunks
won't trust it, because it's effectively a contract or reputation-based
privacy guarantee, instead of a mathematical or information-theory based
privacy guarantee. To the consumer market, it's going to look like a
prickly complicated version of those "magic wallet" things which promise
to fill out web forms for you, but only with your permission .. which 
don't really solve a compelling problem for anyone even though they're
a nice hack. To law enforcement, they'll get what they want via 
subpoenas or search warrants - I wonder how careful ZKS is about making
sure that their US operations aren't subjecting them to extra liability
or search/discovery exposure, cf. this week's news re Amex and Mastercard
forced to reveal purchase data for offshore cardholders to the IRS.
To private litigants seeking discovery, ditto. And to private or public
actors uninterested in legal rules, there's old fashioned burglary,
a la Watergate hotel and thousands of smaller less well-known examples.

This all comes back to the old Benjamin Franklin saw - "Three men can 
keep a secret, if two of them are dead." Building the kind of trust
that's needed to do the sorts of things ZKS proposes to do takes years
or decades; and maintaining good security and a good reputation across
that long period of time is very difficult, as Sun recently demonstrated
in the key compromise mentioned by Lucky. 

--
Greg Broiles gbroiles at netbox.com
PO Box 897
Oakland CA 94604




