Forwarded From: David Yee <david_yeeat_private> http://www.canadianbusiness.com/02269904.htm What price privacy? BY Anita Lahey February 26, 1999, Canadian Business (magazine) But extending the right to privacy to racists, pedophiles and crooks could be more than the market will bear In the charcoal-gray boardroom at Zero-Knowledge Systems Inc. in Montreal, the air is a stew, hot and brimming. President Austin Hill and his business partners--executive vice-president (and brother) Hamnett, and CEO (and father) Hammie--are feverishly describing the online revolution they think their Internet start-up will incite. The gist: had their PC software "Freedom" been available sooner, the market-battered Philip Services Inc. might never have learned the real identities of the disgruntled investors who lambasted the company in a Yahoo chat group last year. Similarly, the United States Naval Investigative Services might not have learned that sailor Timothy R. McVeigh was using a gay, online pseudonym called "boysrch," a discovery that cost McVeigh his job. Had those surfers' pseudonyms been registered through Freedom, say the Hills, neither the ISP operators who complied with a court order to meet Philip's demands, nor the America Online worker who revealed McVeigh's name, could have matched pseudonyms with the people behind them. It would have been impossible. Because not even they would know the answer. Sound enticing? Consider this. While the Philip and McVeigh scandals aptly illustrated one disturbing truth--that the popular notion of Internet anonymity is a myth--Zero-Knowledge's Freedom software raises another: that offering easy access to absolute, locksafe online privacy means offering access for all. In other words, if you get to be invisible, so does the mobster, the pedophile, the racist and the child pornographer. Still want to buy in? The Hills have invested $1.5 million of their own money into Zero-Knowledge in hopes that you might. Along with the software, they're selling an impressive track record--brothers Austin, 25, and Hamnett, 27, have already co-founded and helped to build TotalNet Inc., Canada's third-largest Internet service provider (ISP), while Hammie, a CA, spent 10 years as CFO and executive vice-president at Forzani Group in Calgary before leaving after a heart attack in early 1997. They've been able to raise another $1.5 million from friends and acquaintances, and say they have more to spend as needed. Because it's creating a new category in a highly contentious area, Freedom's market potential is hard to estimate. But some analysts say it could explode like Hotmail, which took the untried notion of free e-mail a few years back and created a wildly popular service that now boasts more than 30 million users. "I just see a vast, vast market for a product like this," says Rick Broadhead, co-author of the Canadian Internet Handbook and a skeptic by nature. "The uses are limitless. It's huge." Here's how Freedom works. Buy it as shrink-wrap software in a store or download it off the Zero-Knowledge Web site (it will cost US$49.95 for the software and five pseudonyms ("nyms") for one year; US$9.95 per pseudonym each subsequent year). Once installed, use the simple, Windows-based program to register your nyms, choosing different identities for different areas of activity. Freedom then slinks into the background. To login, send e-mail, or surf the Web, you use your own browser or e-mail program, but your connection is automatically made through the Freedom network--a collection (or "cloud") of anonymous servers provided by partnering ISPs, which route all online communication through an untraceable path. At the same time, Freedom wraps messages to and from your nyms in layers of code. Upon arriving at your machine, the messages automatically decode. While other anonymity services exist, they are either complicated, incomplete or rely on their operators to keep users' data secret. Freedom is the first attempt to go all the way, making both who you are and what you do online invisible to all--even the people who sell the service. Easy access to absolute online privacy means access for all. If you get to be invisible, so does the mobster, the pedophile, the racist and the child pornographer For the average Web surfer, that means being certain that no nosy hack at your ISP is reading your e-mails. It means you can join an online addiction support group without fear your boss will find out. It also means no "cookies" on your browser so that, yes, you can shop at Amazon.com without having the eerie feeling that you're the open book. Are these real concerns for most people? A recent Lou Harris & Associates study found 81% of Internet users are concerned about privacy violations, while a BusinessWeek poll last spring found privacy to be the No. 1 issue keeping others off-line. Toss in everything from the Philip controversy to China's prosecution of pro-democracy dissidents who put their views on the Web, and it's no wonder Freedom is garnering plenty of attention. A pre-commercial unveiling of Freedom was scheduled for Feb. 8 at Demo 99 in Indian Wells, Calif., an exclusive, invitation-only show run by IDG, where Zero-Knowledge planned to give away 1,000 copies of a preview version of the software. A 7,000-user beta test is scheduled for the beginning of March, and sometime this spring anyone will be able to download a final version of Freedom for a free 45-day trial or buy it outright. All of this should add to the buzz that began last fall when Freedom was covered in Wired, Red Herring and ZD Net. It was also talked up at another exclusive event, Red Herring Communications' Venture Market East venture capital show in Cambridge, Mass., where, says managing editor of events John Mecklenburg, "They were a runaway hit." The concept has also drawn some of the most-respected brains in the business. Ian Goldberg, a Montreal-born Berkeley PhD student who made headlines breaking the codes of high-profile products such as Netscape's browser and GSM digital phones, is the chief scientist behind Freedom's design. And crypto guru Bruce Schneier, author of industry bible Applied Cryptography, will audit the final product. The team, the product and the Hills themselves have convinced Warren Packard, a venture capitalist with Draper Fisher Jurvetson of Redwood City, Calif., that Zero-Knowledge has the ability to dominate privacy on the Internet. "My hunch right now is yes, they can." Still, that sinister dark side could be an incredible hurdle. What happens, for example, the day it's learned that a nym is maliciously slandering a company and they can offer no recourse? What happens if terrorists use pseudonyms to plan an attack and authorities have no way to find and stop them? The prospect has some ISPs already saying they won't touch it. Rob Hall, president of Echelon Internet in Ottawa, and vice-chairman of the Canadian Association of Internet Providers, finds even the idea of Freedom offensive. "I wouldn't do it. Absolutely not. I respect the privacy of my clients, but I don't respect anonymity at all costs." What sets the Hills apart on this issue is also what steels their resolve. They do respect anonymity at all costs. To them, Freedom is as much a crusade as it is a business opportunity. And their office is stocked with 26 equally committed, full-time staff who all took pay cuts to work there. But don't be fooled. The Hills' entrepreneurial instincts also tell them "the bad"--and its role in the increasingly explosive nature of the Internet privacy debate--is likely to serve them well as they face the many obstacles before them. And they aren't afraid to use it. Austin Hill, a broad imposing figure with a surprisingly babyish face, was 11 years old and running his own bulletin board on an original Mac when he first began to grasp the awesome power and potential of digital communication. The year was 1984. "I was the 'sys op,' " he says. "Everyone took me seriously." By 15 he harbored grand plans to create a master bulletin board for all of Canada. He came by this urge for large-scale ventures honestly. Austin and Hamnett, the eldest of seven children growing up in Calgary, were raised on entrepreneurial risk. Hammie would talk business with his sons at the dinner table, and helped them invest in penny mining stocks as tykes. "I was the only 10-year-old I knew tracking his portfolio," says Austin. At 21, he entered the wildly competitive Internet market in Montreal with an ISP called Infobahn. He enlisted Hammie as a chief investor (along with his former boss at a computer shop) and Hamnett as CFO. Within six months, they merged Infobahn with Accent Internet to create TotalNet, which was sold in March 1997 to MPACT Immedia Inc. for about $6.4 million (the Hills had a 12% share). By then, Austin and Hamnett were already planning a bigger, better venture in the privacy area. TotalNet's sale set them on a six-month frenzy of research. At the end of it, Austin--a consummate self-directed learner who dropped out of high school at 15 and later crammed all but one credit into a single, 14-month studying binge--could talk code and human rights with the best of them. He and Hamnett had a clear picture of how Freedom would work, a company name (zero-knowledge, a mathematical term referring to the ability to prove something without showing the actual proof, made for a savvy pun), and a solid handle on their advantages in the category and their chief strategy for taking it over. On a practical level, they knew they'd be well-positioned. Being based in Canada means Zero-Knowledge isn't subject to stringent US encryption laws, which restrict the export of any encryption code to weak, 56-bit algorithms. (The more bits, the tougher a code is to crack. Freedom uses a minimum of 128 bits, which is currently considered unbreakable.) However, the value of the firm's Canadian status is not written in stone, either--mainly due to a struggle between Industry Canada and Foreign Affairs over what constitutes good encryption policy. While Industry Canada sees free encryption as good for the country's technology industry, Foreign Affairs, in the camp of law enforcement and international security, favors a more restricted approach, like that of the US. Their reasoning is straightforward. "People can do all kinds of things with this," says Brian Ford, police chief in Ottawa-Carleton. "Drug deals, bank frauds, telemarketing schemes. They could plan a murder over the Internet, and do it with impunity." Adds a senior CSIS official: "We call this the file from hell." "People can do all kinds of things with this," says Brian Ford, police chief in Ottawa-Carleton. "Drug deals, bank frauds, telemarketing schemes. They could plan a murder over the Internet,and do it with impunity" Foreign Affairs weighed in last December when Canada signed the Wassenaar Arrangement, an agreement with 33 countries to curb the export of high technology, including encryption. Lucky for Zero-Knowledge, each country is free to implement the agreement as it sees fit. That means the Industry Canada view might still hold some sway. For example, Canada might restrict just the mass market distribution of encryption software, leaving products in the digital domain to roam free. While such a move would affect Zero-Knowledge's plans to sell shrink-wrap versions of Freedom, it could play right into the larger part of the company's strategy: a wholesale Internet onslaught. As former ISP operators, the Hills have intimate understanding of both the commercial climate and the culture of the space they're entering. And that has left them uniquely positioned to launch a "viral" marketing campaign for Freedom, an aggressive tactic that builds a product's profile through online word-of-mouth in a manner that can spiral exponentially. Viral marketing, which was used successfully by Netscape and Eudora, is based on building a chain of demand and greater visibility for a product, starting with "early adopters" who don't need to be sold on the stuff. In Freedom's case these will include "cypherpunks" (cryptographers who fervently support privacy rights), "coderpunks," privacy advocates, human rights workers, and yes, Hamnett admits, "hackers and perverts." With chief scientist Goldberg's help (a cypherpunk among cypherpunks), the Hills have aggressively spread word about Freedom among the core privacy and tech groups. Last year Austin made a presentation to 1,000 hackers at a conference in Las Vegas. He has sent notices to cypherpunk and anonymity newsgroups offering Freedom's white paper up to their scrutiny, a preemptive strike to help ensure such people work to improve the product rather than crack it. The beta test should weed out glitches, see testers grow attached to their pseudonyms and hopefully spread Freedom like gossip. Each beta user, each time he posts a message, is, in a very direct way, advertising Freedom; it's part of his address. The next link in the Freedom chain will be those with specific privacy concerns, such as political organizations and support groups whose members want privacy. Among this crowd--as evidenced by the number of politically charged groups already promoting Freedom on their Web sites (a partnership deal offers a 10% cut of sales they originate)--Zero-Knowledge sees potential support from white supremacy groups, the IRA and the NRA. "They believe in good guns and good encryption," says Hamnett, showing no shame in wondering how many such online groups exist. The next step, the final frontier, is the average Joe. At this level, because non-core users aren't going to hunt too far for a new product, distribution is crucial. People must not only have heard of Freedom, they must encounter opportunities to acquire it everywhere. Indeed, Zero-Knowledge's preliminary distribution plan covers every nook and cranny of the Internet and beyond: beta users; the banner ads Zero-Knowledge will run; the 218 Web site operators who've so far signed up to promote Freedom on their sites; retail outlets (they're approaching distributors such as Ingram Micro Inc. and stores like Office Depot); new computers (through bundling deals) and--this is key--ISPs. Zero-Knowledge has enlisted 11 ISPs, including Mlink Internet Inc. and Generation.Net, both of Montreal, and XS4ALL of Amsterdam, to donate bandwidth to the Freedom server. While ISP support is required to create the "cloud" of servers that make up the Freedom network, their participation has a more strategic role. Banking on ISP operators' grassroots Internet sensibilities, Zero-Knowledge is pushing Freedom on them as a potential value-added service to their own customers, and presumably a foolproof way to differentiate by letting their clients know they are, without compromise, on the side of privacy. Underlying all this practical effort to move the product is a cunning psychology. Zero-Knowledge--particularly Austin, the public face of the company--is vigorously building a reputation as a key player on the privacy and human rights circuit. In the past year, Austin has befriended people such as Dr. Patrick Ball, deputy director of science and human rights programs at the American Association for the Advancement of Science, and Dr. David Jones, president of Electronic Frontier Canada (EFC)--a group advocating cryptography for privacy. He increasingly appears in online and mainstream media as a privacy "expert," given to calling for strong cryptography to protect such people as Chinese dissidents. He's behind CIPHR '99, an international human rights and cryptography conference to be held in Hungary this August. The timing of Austin's activist "outing" may appear suspect, but human rights frontliners don't mind. That's because strong encryption to ease communication with cohorts in repressive regimes is something they've coveted for years. "We love it," says Ball. "He's coming out really strong and we appreciate it." A number of politically charged groups are already promoting Freedom on their Web sites. Future candidates include white supremacy groups and the NRA. "They believe in good guns and good encryption," says Hamnett It's a no-holds-barred, exploit-every-opportunity approach, and it just might work. Critics may point to the perils of absolute privacy, but the Hills believe the bad press--which they expect in droves--will be their trump card. "The first time some bad guy does a bad thing with this software," says Hamnett with a guilty grin, "and we're unable to say who it is, that immediately will increase the faith that all of the people who aren't doing bad things have in how secure this privacy is." There is a second brand of Zero-Knowledge naysayer. One whose skepticism has nothing to do with privacy as an issue and everything to with its mass-market viability. Venture capitalist Charles Lax, with Softbank Technology Ventures of Boston, thinks the Hills are too much part of the Internet culture to see the real reason no one has yet offered this level of privacy to average consumers: they don't want it. "Only a small segment of the market, the digerati, is interested in this level of privacy." Indeed, Jones of EFC acknowledges a glaring discrepancy between what people say and what they do regarding privacy. "In poll after poll, if you ask people what they're concerned about, privacy is way up there. At the same time, in practice, they're not willing to do much to protect it." His prognosis? "They'll have to make it really, really easy for people. Almost free." Freedom, though, will not be free. On this point, Austin holds firm. The initial US$50 fee and the subsequent annual charge has a purpose beyond basic cash flow. "It's important to show a value judgment with an identity. Even if you've paid a little money you'll think, do I want this pseudonym to be associated with this?" Austin is sincere. The theory that a pseudonym's intrinsic value could encourage responsible behavior stems from his research into the psychology of anonymity. It's an idea that fits neatly into the pseudonym-friendly society he imagines, a society that, remarkably, does not just live inside his own head, but inside the heads of all his staff. It's their zeal, flowing like a pulse through Zero-Knowledge's loft-like offices, which may be Freedom's greatest asset. If faith can move mountains, surely it can penetrate the mass market too. "It's an idea whose time has come," says Dov Smith, director of public relations who left a promising job at New York's Ruder Finn Inc. to return to Montreal, join Zero-Knowledge, and, he hopes, help people reclaim their privacy. George Favvas, director of Internet propaganda--i.e. Web developer--worked at Infobahn, then established his own successful business, but it didn't take much convincing to rejoin the Hills, whom he calls Internet "pioneers" with an incredible gift for evangelizing staff. There's no better example of this than the Goldberg coup, a tale that, in a nutshell, illustrates Austin's single-minded determination--and his ability to garner wholesale support for his vision from even the savviest minds. Last February, Austin was determined to secure one of the best cryptographers in North America. He called Goldberg at his parents' place in Thornhill, Ont., and commenced an impassioned pitch. Goldberg interrupted him: "My rate's $10,000 a week and there's a two-year waiting list." Austin pressed. "You don't seem to understand. We're onto something really big here." "I'm sure you are," said Goldberg. "The first time some bad guy does a bad thing with this software," "and we're unable to say who it is, that immediately will increase the faith that all our law-abiding users have in how secure this privacy is" Alex Eberts, Zero-Knowledge vice-president of development, was sitting next to Austin when he hung up the phone. "Complete rejection," he says. But darned if Austin wasn't calling back 10 minutes later to suggest that he and Eberts fly to Toronto and take Goldberg to dinner. The next afternoon, Austin and Eberts sat with Goldberg in the North York Pickle Barrel, a noisy family restaurant where he subjected them to an intense, four-hour grilling. What did Goldberg want to know? Oh, the usual. Would they write new algorithms or use old standbys? How could they improve reply-block technology? What about authenticated headers? message bodies? key sizes? Were they aware that the moment they turned this on they'd be sued by 10 different people? "Austin really shone," says Eberts. "He had an answer for all of Ian's questions." Goldberg agreed to spend a long weekend with the Zero-Knowledge team. After sizing up the crew, he was sold. He signed on for a fraction of what he'd first demanded, plus stock options. "They were going to make this happen," he says. "I wanted to be part of it." His presence, as much as the privacy issue itself, galvanizes staff. More than this, his complicity takes some edge off the shadowy side of Freedom. Goldberg, who is 25 years old and still has a youthful, goofy laugh, is brilliant enough to hold fast to his ideals. He carries a Zero-Knowledge business card because Austin has sold him on something pure. Tell Goldberg these zealots at his adopted company think they're going to reinvent identity, that they think they're going to change the world, and this genius, this guy who's seen dozens of start-ups vanish within their own hollow prophecies, replies, without missing a beat, "Yeah. It's gonna be so cool." Austin couldn't have said it better himself. For More Information: * Zero-Knowledge Systems Inc. [http://www.zks.net] for details on their Freedom software. * The Canadian Internet Law Resource Page [http://aix1.uottawa.ca/~geist/cilrp.html] for links to privacy agency sites; articles on Internet law; conferences and speeches; legislation; model privacy codes; policy papers; and organizations. * Electronic Frontier Canada [http://www.efc.ca], an advocacy group. * Industry Canada's "The Privacy Pages" [http://e-com.ic.gc.ca/english/privacy/632d1.htm] * The Wassenaar Arrangement [http://www.wassenaar.org] on Export Controls for Conventional Arms and Dual-Use Goods and Technologies Roger Clarke's introduction to information privacy issues and technology [http://www.anu.edu.au/people/Roger.Clarke/DV/intro.html] -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:32 PDT