anonymity

Phillip H. Zakas pzakas at toucancapital.com
Tue Feb 6 09:09:08 PST 2001



hmmm.  Three comments about zeroknowledge's anonymous e-mail (the conclusion
is 'so what'?):

1. do they understand networks? ZK seems to implement the right kind of
encryption (ian goldberg is good at that, we assume this from his history,
[btw has he actually performed cryptanalysis in live environments?]); I
don't know who's designing the network, do you?  Does zk traffic traverse
public networks (via VPN or otherwise)?  Do these networks collect packet
data (to, say, analyse attacks)?  Do they stagger packet transmissions to
confuse origin and destination?  Do they only broadcast real data and no
masking data?  And if they properly conceal data how well do they scale?
With all the encryption of traffic, etc. ZK's adoption by isps, etc. etc. is
a scalability question.

2. is their e-mail system really anonymous? if i were a known bad actor, le
might be capturing data from my pc or my isp or my phone company directly.
why bother worming through zk networks?  oh, and if someone could respond to
you via your anonymous zk e-mail address, isn't that an
instantaneous-tag-the-sender tool for le?  Gee, let's see the recipe for
this...serve zk a search warrant, map zk address 'A' to e-mail address 'B'
and there you have it: easier than instant jello pudding.  Nice system for
anonymizing traffic to companies, bad system if you're trying to get away
with something you shouldn't.

3. questionable adoption of anonymous e-mail.  zk is in what's known in the
finance world as a 'land grab'...move as many people as possible into your
turf, shutting down the competition, then upsell your customers later.  but
zk doesn't have the cash to market anonymous e-mail to consumers directly
(most of whom don't care about this feature anyway)...and i can't think of a
reasonable business justification for a company to use such a service.  so
i'll go out on a limb and predict now that anonymous email is going to be
nearly impossible for them to sell to more than 1/2 of 1% of the world.
plus would you want to receive anonymous e-mail?  i prefer filtering my
e-mail based on sender.  though i suppose one could send a pgp key along
with the message, but that's as good as an id as you can get (better than
actual e-mail address i'd say).

4. ZK is a commercial entity, ergo cooperation with everyone.  I'm sure they
have IPO plans.  They claim IBM as a partner (actually IBM is selling them
stuff, but these days anyone who sells you equipment is a 'partner'...I see
this every day).  If a grandma in illinois is going to invest in their
company when it goes public, is she going to be happy that drug dealers,
stalkers and pedophiles use this network?  I don't think so.  I'm sure there
are contingency plans for 'revealing' activity when served with a subpoena
and/or a search warrant.  Otherwise grandma won't invest and won't allow her
pension fund to invest in the company. (see point 2 above).

5. Is ZK a spammer's tool?  If truly secure and anonymous, etc. etc. etc. why
couldn't the spam king use it? If it is a spammer's tool will ZK be
blackholed?  I can already imagine aol and others blocking ZK traffic to
minors, and perhaps adding it to its 'dangerous data origins' list, meaning
it will appear on an anti-spam list.

6. If I was really concerned by received threats via zk, I would
simply reject all in-bound traffic from ZK.  anyway, see point 2 above
again.

I don't believe a commercial entity, especially a US-based one with IPO
plans, can market themselves as a full anonymizing service for e-mail.
Their real value, it seems to me, is enforcing privacy rights with respect
to cookies. but anonymous proxies do the job just fine for this.  They can't
anonymize e-commerce transactions (how would you buy a book?, etc.).  I don't
see the business value in encrypting and anonymizing e-mail in a general
sense (where's the business model?)

I think anonymous e-mail is best achieved through a cooperative,
non-commercial program of unaffiliated individuals (with no commercial
worries, and lots of jurisdictions around the world), or by simply
purchasing pre-paid internet access, or if i were a wealthy bad actor find a
more expensive solution.

phillip


-----Original Message-----
From: owner-cypherpunks at Algebra.COM
[mailto:owner-cypherpunks at Algebra.COM]On Behalf Of
keyser-soze at hushmail.com
Sent: Tuesday, February 06, 2001 2:33 AM
To: Mac Norton; Blank Frank; dmolnar
Cc: Cypherpunks
Subject: Re: anonymity


doubtful.  they probably receive the email at the destination then alert the
chain-of-jurisdiction for investigation. count me as a technical skeptic of
an 'untargeted' echelon program.
phillip


-----Original Message-----
From: owner-cypherpunks at Algebra.COM
[mailto:owner-cypherpunks at Algebra.COM]On Behalf Of Mac Norton
Sent: Monday, February 05, 2001 5:12 PM
To: Blank Frank
Cc: cypherpunks at toad.com
Subject: Re: anonymity

Intercepted by the CIA?  Do they regularly pre-screen POTUS's
incoming international e-mail, or what?
MacN

>>This approach might make a good test for ZeroKnowledge resistance to traffic
analysis.  Since chain of evidence is useless for ZKS messages (if you believe
ZKS) only TA could finger the sender.  Any takers?

ks




