[ISN] What price privacy?

From: mea culpa (jerichoat_private)
Date: Fri Feb 19 1999 - 19:41:03 PST

  • Next message: mea culpa: "[ISN] Hacker bit by Capitalism?"

    Forwarded From: David Yee <david_yeeat_private>
    
    http://www.canadianbusiness.com/02269904.htm
    What price privacy?
    BY Anita Lahey
    February 26, 1999, Canadian Business (magazine)
    
    But extending the right to privacy to racists, pedophiles and crooks could
    be more than the market will bear
    
    In the charcoal-gray boardroom at Zero-Knowledge Systems Inc. in Montreal,
    the air is a stew, hot and brimming. President Austin Hill and his
    business partners--executive vice-president (and brother) Hamnett, and CEO
    (and father) Hammie--are feverishly describing the online revolution they
    think their Internet start-up will incite. 
    
    The gist: had their PC software "Freedom" been available sooner, the
    market-battered Philip Services Inc. might never have learned the real
    identities of the disgruntled investors who lambasted the company in a
    Yahoo chat group last year. Similarly, the United States Naval
    Investigative Services might not have learned that sailor Timothy R. 
    McVeigh was using a gay, online pseudonym called "boysrch," a discovery
    that cost McVeigh his job. 
    
    Had those surfers' pseudonyms been registered through Freedom, say the
    Hills, neither the ISP operators who complied with a court order to meet
    Philip's demands, nor the America Online worker who revealed McVeigh's
    name, could have matched pseudonyms with the people behind them. It would
    have been impossible. Because not even they would know the answer. 
    
    Sound enticing? Consider this. While the Philip and McVeigh scandals aptly
    illustrated one disturbing truth--that the popular notion of Internet
    anonymity is a myth--Zero-Knowledge's Freedom software raises another:
    that offering easy access to absolute, locksafe online privacy means
    offering access for all. In other words, if you get to be invisible, so
    does the mobster, the pedophile, the racist and the child pornographer. 
    
    Still want to buy in? The Hills have invested $1.5 million of their own
    money into Zero-Knowledge in hopes that you might. Along with the
    software, they're selling an impressive track record--brothers Austin, 25,
    and Hamnett, 27, have already co-founded and helped to build TotalNet
    Inc., Canada's third-largest Internet service provider (ISP), while
    Hammie, a CA, spent 10 years as CFO and executive vice-president at
    Forzani Group in Calgary before leaving after a heart attack in early
    1997. They've been able to raise another $1.5 million from friends and
    acquaintances, and say they have more to spend as needed. Because it's
    creating a new category in a highly contentious area, Freedom's market
    potential is hard to estimate. But some analysts say it could explode like
    Hotmail, which took the untried notion of free e-mail a few years back and
    created a wildly popular service that now boasts more than 30 million
    users. "I just see a vast, vast market for a product like this,"  says
    Rick Broadhead, co-author of the Canadian Internet Handbook and a skeptic
    by nature. "The uses are limitless. It's huge." 
    
    Here's how Freedom works. Buy it as shrink-wrap software in a store or
    download it off the Zero-Knowledge Web site (it will cost US$49.95 for the
    software and five pseudonyms ("nyms") for one year; US$9.95 per pseudonym
    each subsequent year). Once installed, use the simple, Windows-based
    program to register your nyms, choosing different identities for different
    areas of activity. Freedom then slinks into the background. To login, send
    e-mail, or surf the Web, you use your own browser or e-mail program, but
    your connection is automatically made through the Freedom network--a
    collection (or "cloud") of anonymous servers provided by partnering ISPs,
    which route all online communication through an untraceable path. At the
    same time, Freedom wraps messages to and from your nyms in layers of code.
    Upon arriving at your machine, the messages automatically decode. While
    other anonymity services exist, they are either complicated, incomplete or
    rely on their operators to keep users' data secret. Freedom is the first
    attempt to go all the way, making both who you are and what you do online
    invisible to all--even the people who sell the service. 
    
    Easy access to absolute online privacy means access for all. If you get to
    be invisible, so does the mobster, the pedophile, the racist and the child
    pornographer
    
    For the average Web surfer, that means being certain that no nosy hack at
    your ISP is reading your e-mails. It means you can join an online
    addiction support group without fear your boss will find out. It also
    means no "cookies" on your browser so that, yes, you can shop at
    Amazon.com without having the eerie feeling that you're the open book. 
    
    Are these real concerns for most people? A recent Lou Harris & Associates
    study found 81% of Internet users are concerned about privacy violations,
    while a BusinessWeek poll last spring found privacy to be the No. 1 issue
    keeping others off-line. Toss in everything from the Philip controversy to
    China's prosecution of pro-democracy dissidents who put their views on the
    Web, and it's no wonder Freedom is garnering plenty of attention. 
    
    A pre-commercial unveiling of Freedom was scheduled for Feb. 8 at Demo 99
    in Indian Wells, Calif., an exclusive, invitation-only show run by IDG,
    where Zero-Knowledge planned to give away 1,000 copies of a preview
    version of the software. A 7,000-user beta test is scheduled for the
    beginning of March, and sometime this spring anyone will be able to
    download a final version of Freedom for a free 45-day trial or buy it
    outright. All of this should add to the buzz that began last fall when
    Freedom was covered in Wired, Red Herring and ZD Net. It was also talked
    up at another exclusive event, Red Herring Communications' Venture Market
    East venture capital show in Cambridge, Mass., where, says managing editor
    of events John Mecklenburg, "They were a runaway hit."  The concept has
    also drawn some of the most-respected brains in the business. Ian
    Goldberg, a Montreal-born Berkeley PhD student who made headlines breaking
    the codes of high-profile products such as Netscape's browser and GSM
    digital phones, is the chief scientist behind Freedom's design. And crypto
    guru Bruce Schneier, author of industry bible Applied Cryptography, will
    audit the final product. The team, the product and the Hills themselves
    have convinced Warren Packard, a venture capitalist with Draper Fisher
    Jurvetson of Redwood City, Calif., that Zero-Knowledge has the ability to
    dominate privacy on the Internet. "My hunch right now is yes, they can." 
    
    Still, that sinister dark side could be an incredible hurdle. What
    happens, for example, the day it's learned that a nym is maliciously
    slandering a company and they can offer no recourse? What happens if
    terrorists use pseudonyms to plan an attack and authorities have no way to
    find and stop them? The prospect has some ISPs already saying they won't
    touch it. Rob Hall, president of Echelon Internet in Ottawa, and
    vice-chairman of the Canadian Association of Internet Providers, finds
    even the idea of Freedom offensive. "I wouldn't do it. Absolutely not. I
    respect the privacy of my clients, but I don't respect anonymity at all
    costs." 
    
    What sets the Hills apart on this issue is also what steels their resolve.
    They do respect anonymity at all costs. To them, Freedom is as much a
    crusade as it is a business opportunity. And their office is stocked with
    26 equally committed, full-time staff who all took pay cuts to work there.
    But don't be fooled. The Hills' entrepreneurial instincts also tell them
    "the bad"--and its role in the increasingly explosive nature of the
    Internet privacy debate--is likely to serve them well as they face the
    many obstacles before them. And they aren't afraid to use it. 
    
    Austin Hill, a broad imposing figure with a surprisingly babyish face, was
    11 years old and running his own bulletin board on an original Mac when he
    first began to grasp the awesome power and potential of digital
    communication. The year was 1984. "I was the 'sys op,' " he says. 
    "Everyone took me seriously." By 15 he harbored grand plans to create a
    master bulletin board for all of Canada. 
    
    He came by this urge for large-scale ventures honestly. Austin and
    Hamnett, the eldest of seven children growing up in Calgary, were raised
    on entrepreneurial risk. Hammie would talk business with his sons at the
    dinner table, and helped them invest in penny mining stocks as tykes. "I
    was the only 10-year-old I knew tracking his portfolio," says Austin. At
    21, he entered the wildly competitive Internet market in Montreal with an
    ISP called Infobahn. He enlisted Hammie as a chief investor (along with
    his former boss at a computer shop) and Hamnett as CFO. Within six months,
    they merged Infobahn with Accent Internet to create TotalNet, which was
    sold in March 1997 to MPACT Immedia Inc. for about $6.4 million (the Hills
    had a 12% share). 
    
    By then, Austin and Hamnett were already planning a bigger, better venture
    in the privacy area. TotalNet's sale set them on a six-month frenzy of
    research. At the end of it, Austin--a consummate self-directed learner who
    dropped out of high school at 15 and later crammed all but one credit into
    a single, 14-month studying binge--could talk code and human rights with
    the best of them. He and Hamnett had a clear picture of how Freedom would
    work, a company name (zero-knowledge, a mathematical term referring to the
    ability to prove something without showing the actual proof, made for a
    savvy pun), and a solid handle on their advantages in the category and
    their chief strategy for taking it over. 
    
    On a practical level, they knew they'd be well-positioned. Being based in
    Canada means Zero-Knowledge isn't subject to stringent US encryption laws,
    which restrict the export of any encryption code to weak, 56-bit
    algorithms. (The more bits, the tougher a code is to crack. Freedom uses a
    minimum of 128 bits, which is currently considered unbreakable.)  However,
    the value of the firm's Canadian status is not written in stone,
    either--mainly due to a struggle between Industry Canada and Foreign
    Affairs over what constitutes good encryption policy. While Industry
    Canada sees free encryption as good for the country's technology industry,
    Foreign Affairs, in the camp of law enforcement and international
    security, favors a more restricted approach, like that of the US. Their
    reasoning is straightforward. "People can do all kinds of things with
    this," says Brian Ford, police chief in Ottawa-Carleton.  "Drug deals,
    bank frauds, telemarketing schemes. They could plan a murder over the
    Internet, and do it with impunity." Adds a senior CSIS official: "We call
    this the file from hell." 
    
    "People can do all kinds of things with this," says Brian Ford, police
    chief in Ottawa-Carleton. "Drug deals, bank frauds, telemarketing schemes.
    They could plan a murder over the Internet,and do it with impunity" 
    
    Foreign Affairs weighed in last December when Canada signed the Wassenaar
    Arrangement, an agreement with 33 countries to curb the export of high
    technology, including encryption. Lucky for Zero-Knowledge, each country
    is free to implement the agreement as it sees fit. That means the Industry
    Canada view might still hold some sway. For example, Canada might restrict
    just the mass market distribution of encryption software, leaving products
    in the digital domain to roam free. While such a move would affect
    Zero-Knowledge's plans to sell shrink-wrap versions of Freedom, it could
    play right into the larger part of the company's strategy: a wholesale
    Internet onslaught. 
    
    As former ISP operators, the Hills have intimate understanding of both the
    commercial climate and the culture of the space they're entering.  And
    that has left them uniquely positioned to launch a "viral" marketing
    campaign for Freedom, an aggressive tactic that builds a product's profile
    through online word-of-mouth in a manner that can spiral exponentially. 
    
    Viral marketing, which was used successfully by Netscape and Eudora, is
    based on building a chain of demand and greater visibility for a product,
    starting with "early adopters" who don't need to be sold on the stuff. In
    Freedom's case these will include "cypherpunks"  (cryptographers who
    fervently support privacy rights), "coderpunks,"  privacy advocates, human
    rights workers, and yes, Hamnett admits, "hackers and perverts." With
    chief scientist Goldberg's help (a cypherpunk among cypherpunks), the
    Hills have aggressively spread word about Freedom among the core privacy
    and tech groups. Last year Austin made a presentation to 1,000 hackers at
    a conference in Las Vegas. He has sent notices to cypherpunk and anonymity
    newsgroups offering Freedom's white paper up to their scrutiny, a
    preemptive strike to help ensure such people work to improve the product
    rather than crack it. The beta test should weed out glitches, see testers
    grow attached to their pseudonyms and hopefully spread Freedom like
    gossip. Each beta user, each time he posts a message, is, in a very direct
    way, advertising Freedom; it's part of his address. 
    
    The next link in the Freedom chain will be those with specific privacy
    concerns, such as political organizations and support groups whose members
    want privacy. Among this crowd--as evidenced by the number of politically
    charged groups already promoting Freedom on their Web sites (a partnership
    deal offers a 10% cut of sales they originate)--Zero-Knowledge sees
    potential support from white supremacy groups, the IRA and the NRA. "They
    believe in good guns and good encryption," says Hamnett, showing no shame
    in wondering how many such online groups exist. 
    
    The next step, the final frontier, is the average Joe. At this level,
    because non-core users aren't going to hunt too far for a new product,
    distribution is crucial. People must not only have heard of Freedom, they
    must encounter opportunities to acquire it everywhere. Indeed,
    Zero-Knowledge's preliminary distribution plan covers every nook and
    cranny of the Internet and beyond: beta users; the banner ads
    Zero-Knowledge will run; the 218 Web site operators who've so far signed
    up to promote Freedom on their sites; retail outlets (they're approaching
    distributors such as Ingram Micro Inc. and stores like Office Depot); new
    computers (through bundling deals) and--this is key--ISPs. 
    
    Zero-Knowledge has enlisted 11 ISPs, including Mlink Internet Inc. and
    Generation.Net, both of Montreal, and XS4ALL of Amsterdam, to donate
    bandwidth to the Freedom server. While ISP support is required to create
    the "cloud" of servers that make up the Freedom network, their
    participation has a more strategic role. Banking on ISP operators'
    grassroots Internet sensibilities, Zero-Knowledge is pushing Freedom on
    them as a potential value-added service to their own customers, and
    presumably a foolproof way to differentiate by letting their clients know
    they are, without compromise, on the side of privacy. 
    
    Underlying all this practical effort to move the product is a cunning
    psychology. Zero-Knowledge--particularly Austin, the public face of the
    company--is vigorously building a reputation as a key player on the
    privacy and human rights circuit. In the past year, Austin has befriended
    people such as Dr. Patrick Ball, deputy director of science and human
    rights programs at the American Association for the Advancement of
    Science, and Dr. David Jones, president of Electronic Frontier Canada
    (EFC)--a group advocating cryptography for privacy. He increasingly
    appears in online and mainstream media as a privacy "expert," given to
    calling for strong cryptography to protect such people as Chinese
    dissidents. He's behind CIPHR '99, an international human rights and
    cryptography conference to be held in Hungary this August. The timing of
    Austin's activist "outing" may appear suspect, but human rights
    frontliners don't mind. That's because strong encryption to ease
    communication with cohorts in repressive regimes is something they've
    coveted for years. "We love it," says Ball. "He's coming out really strong
    and we appreciate it." 
    
    A number of politically charged groups are already promoting Freedom on
    their Web sites. Future candidates include white supremacy groups and the
    NRA. "They believe in good guns and good encryption," says Hamnett
    
    It's a no-holds-barred, exploit-every-opportunity approach, and it just
    might work. Critics may point to the perils of absolute privacy, but the
    Hills believe the bad press--which they expect in droves--will be their
    trump card. "The first time some bad guy does a bad thing with this
    software," says Hamnett with a guilty grin, "and we're unable to say who
    it is, that immediately will increase the faith that all of the people who
    aren't doing bad things have in how secure this privacy is." 
    
    There is a second brand of Zero-Knowledge naysayer. One whose skepticism
    has nothing to do with privacy as an issue and everything to with its
    mass-market viability. Venture capitalist Charles Lax, with Softbank
    Technology Ventures of Boston, thinks the Hills are too much part of the
    Internet culture to see the real reason no one has yet offered this level
    of privacy to average consumers: they don't want it. "Only a small segment
    of the market, the digerati, is interested in this level of privacy." 
    
    Indeed, Jones of EFC acknowledges a glaring discrepancy between what
    people say and what they do regarding privacy. "In poll after poll, if you
    ask people what they're concerned about, privacy is way up there. At the
    same time, in practice, they're not willing to do much to protect it." 
    
    His prognosis? "They'll have to make it really, really easy for people. 
    Almost free." 
    
    Freedom, though, will not be free. On this point, Austin holds firm. The
    initial US$50 fee and the subsequent annual charge has a purpose beyond
    basic cash flow. "It's important to show a value judgment with an
    identity. Even if you've paid a little money you'll think, do I want this
    pseudonym to be associated with this?" 
    
    Austin is sincere. The theory that a pseudonym's intrinsic value could
    encourage responsible behavior stems from his research into the psychology
    of anonymity. It's an idea that fits neatly into the pseudonym-friendly
    society he imagines, a society that, remarkably, does not just live inside
    his own head, but inside the heads of all his staff. It's their zeal,
    flowing like a pulse through Zero-Knowledge's loft-like offices, which may
    be Freedom's greatest asset. If faith can move mountains, surely it can
    penetrate the mass market too. 
    
    "It's an idea whose time has come," says Dov Smith, director of public
    relations who left a promising job at New York's Ruder Finn Inc. to return
    to Montreal, join Zero-Knowledge, and, he hopes, help people reclaim their
    privacy. George Favvas, director of Internet propaganda--i.e. Web
    developer--worked at Infobahn, then established his own successful
    business, but it didn't take much convincing to rejoin the Hills, whom he
    calls Internet "pioneers" with an incredible gift for evangelizing staff. 
    
    There's no better example of this than the Goldberg coup, a tale that, in
    a nutshell, illustrates Austin's single-minded determination--and his
    ability to garner wholesale support for his vision from even the savviest
    minds. 
    
    Last February, Austin was determined to secure one of the best
    cryptographers in North America. He called Goldberg at his parents' place
    in Thornhill, Ont., and commenced an impassioned pitch. Goldberg
    interrupted him: "My rate's $10,000 a week and there's a two-year waiting
    list." 
    
    Austin pressed. "You don't seem to understand. We're onto something really
    big here." 
    
    "I'm sure you are," said Goldberg. 
    
    "The first time some bad guy does a bad thing with this software," "and
    we're unable to say who it is, that immediately will increase the faith
    that all our law-abiding users have in how secure this privacy is" 
    
    Alex Eberts, Zero-Knowledge vice-president of development, was sitting
    next to Austin when he hung up the phone. "Complete rejection," he says. 
    
    But darned if Austin wasn't calling back 10 minutes later to suggest that
    he and Eberts fly to Toronto and take Goldberg to dinner. The next
    afternoon, Austin and Eberts sat with Goldberg in the North York Pickle
    Barrel, a noisy family restaurant where he subjected them to an intense,
    four-hour grilling. 
    
    What did Goldberg want to know? Oh, the usual. Would they write new
    algorithms or use old standbys? How could they improve reply-block
    technology? What about authenticated headers? message bodies? key sizes? 
    Were they aware that the moment they turned this on they'd be sued by 10
    different people? 
    
    "Austin really shone," says Eberts. "He had an answer for all of Ian's
    questions." 
    
    Goldberg agreed to spend a long weekend with the Zero-Knowledge team. 
    After sizing up the crew, he was sold. He signed on for a fraction of what
    he'd first demanded, plus stock options. "They were going to make this
    happen," he says. "I wanted to be part of it." 
    
    His presence, as much as the privacy issue itself, galvanizes staff.  More
    than this, his complicity takes some edge off the shadowy side of Freedom.
    Goldberg, who is 25 years old and still has a youthful, goofy laugh, is
    brilliant enough to hold fast to his ideals. He carries a Zero-Knowledge
    business card because Austin has sold him on something pure. 
    
    Tell Goldberg these zealots at his adopted company think they're going to
    reinvent identity, that they think they're going to change the world, and
    this genius, this guy who's seen dozens of start-ups vanish within their
    own hollow prophecies, replies, without missing a beat, "Yeah.  It's gonna
    be so cool." 
    
    Austin couldn't have said it better himself. 
    
    For More Information:
    
       * Zero-Knowledge Systems Inc. [http://www.zks.net] for details on
         their Freedom software.
       * The Canadian Internet Law Resource Page
         [http://aix1.uottawa.ca/~geist/cilrp.html] for links to privacy
         agency sites; articles on Internet law; conferences and speeches;
         legislation; model privacy codes; policy papers; and organizations.
       * Electronic Frontier Canada [http://www.efc.ca], an advocacy group.
       * Industry Canada's "The Privacy Pages"
         [http://e-com.ic.gc.ca/english/privacy/632d1.htm]
       * The Wassenaar Arrangement [http://www.wassenaar.org] on Export
         Controls for Conventional Arms and Dual-Use Goods and Technologies
         Roger Clarke's introduction to information privacy issues and
         technology
         [http://www.anu.edu.au/people/Roger.Clarke/DV/intro.html]
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:32 PDT