Zero-Knowledge bags anonymity service

So long and thanks for all the quips

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

Zero-Knowledge Systems' Freedom Network, an Internet privacy service that many believed would make on-line eavesdropping all but impossible, will cease to exist 22 October, the company announced Thursday.

The Montreal-based privacy and security company notified its subscribers of the change in a curt support notice on the Freedom Web site. The company will continue to supply other privacy tools to corporations and consumers, however, including personal firewall and e-wallet software.

The sudden suspension may have come as a shock, but not a surprise. Privacy mavens contacted by SecurityFocus said they saw little evidence that Freedom was being used.

"I get only a few hits from ZKS, but I get only a few hits from anonymizers of any kind," said John Young, a New York City architect who operates Cryptome, a site dedicated to airing documents that deal with the world intelligence community. "What most of us were concerned about was how long they could keep it up."

ZKS co-founder Austin Hill conceded that Freedom never really took off.

"This was purely a business decision," Hill said. "Initially we got incredible response for the premium services, but we knew we were dealing with early adopters. But soon we saw the transfer into the mass market just didn't carry over. The subscription rates really plunged."

Hill declined to disclose subscriber numbers.

ZKS made a huge splash in the world of privacy-aware Netizens when it announced Freedom in 1998. Back then, the Internet was still riding high. High, too, was anxiety over unscrupulous governments and corporations that might monitor Internet users' every click and keystroke. The looming combination of Web cookies, server logs and purchase histories, many feared, would lead to the compilation not just of what people bought, but what they wrote, what they read, and every aspect of their on-line identity.

Product had cypherpunk credibility

To some, ZKS' Freedom seemed to be the answer. To prevent others from tying tell-tale data left by PCs back to individuals, Freedom used powerful data-scrambling technology to make that data unreadable, and users virtually untraceable. Customers paid about $50.00 per year for the service.

Adding to the buzz was ZKS' solid cypherpunk pedigree. Company executives signed up a passel of renowned security experts to design Freedom, including Ian Goldberg, who first won fame by exposing security flaws in the Netscape browser. If people like civil libertarian Goldberg and fellow cryptographer Adam Shostack designed the system, the reasoning went, it had to be good.

Special servers that resided on the Internet functioned as privileged gateways for Freedom users. Instead of broadcasting their data to their ISPs and the rest of the world, PCs with the ZKS software installed talked only to Freedom servers through a series of specially encrypted packets.

Users could pass their Web traffic through one, two or three separate Freedom servers before landing at the Web site they wanted to browse. When their requests touched down at a target site, the server there saw only that it came from a Freedom user. Because Freedom never left any other information that could be traced to the user, the target Web site had no way of tying, say, a user's numeric IP address to the name he might leave behind on an order form.

And since the service encrypted traffic as it passed from the user to Freedom server and back again, would-be eavesdroppers never had a chance to figure out what John Q. Netizen saw on the Web. The Freedom network would even run traffic through two or three such servers if a user feared that cyber spies could somehow correlate their Web requests to activities on a given server.

The technology was almost too good to be true, and, some said, too costly to last.

"The business was awfully expensive," said Lance Cottrell, president of Anonymizer.com, a Web-based privacy service that has survived in part because it does not go to the same lengths -- extreme lengths, some say -- to protect its users.

The Freedom network came with performance costs, in part because it generated many packets that served only to make snooping on subscribers more difficult. The proportion of excess traffic declined as more users signed up, but the system would always use much more bandwidth than the unprotected Internet did. Many users noticed a visible slowing in their Net connections as a result.

Too much privacy?
Greg Broiles, a lawyer and cryptographer who advises companies on issues of security and e-commerce, said he didn't think there would ever be enough users to justify the expense of the network. "I just don't see how it could work," said Broiles. "It makes it hard to get out of bootstrap mode."

The system also required users to operate a separate toolbar.

"It was more than what the market wants," Cottrell said. "We're down to the point that you download this teeny little button, and you click it on and you're off. That's it."

Observers said the timing of the announcement -- just weeks after terrorist attacks in New York, Washington and Pennsylvania -- was sure to generate conspiracy theories about law-enforcement pressure to kill anonymity throughout the world.

But even Broiles, a long-time opponent of federal restrictions on privacy technologies, said anyone who needed the extreme privacy protection Freedom offered, probably has many more things to worry about.

"I don't imagine there's anyone out there especially interested in knowing which Web pages I have read," said Broiles. "But if I did, I would also worry about whether they had broken into my house and installed an (eavesdropping device) on my machine."

"The only people who have to worry about the NSA spending $100,000 to go after them just aren't the people we want as customers," said Anonymizer.com's Cottrell. "That's a pretty scary group."

Cryptome's Young wonders how much of a future anonymzing services have left. Although some privacy-aware people like them, others simply choose large, national ISPs on the theory that only a formal criminal investigation will likely divulge what they have been doing. And even then, he adds, using anonymity services poses risks to people whose best defense may be simply to blend in.

"Using anonymizers at all raises all sorts of red flags," Young said. "Most of us now are using things other than anonymizers. Staying on the move, not using one system for very long, is what I tell people to do."

© 2001 SecurityFocus.com, all rights reserved.

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Microsoft's Nadella: SQL Server 2014 means we're all about data
Adds new big data tools in quest for 'ambient intelligence'
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
prev story


Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.