ZeroKnowledge The Story

Knowing Glances: Understanding Infrastructures of Surveillance
Chapter 2 From Freedom to the Management of Privacy Policy: A Case Study of Identity and Identification in the Surveillance Process
David J. Phillips Associate Professor of Radio-Television-Film University of Texas at Austin djp@mail.utexas.edu 8 September 2005
DRAFT ONLY! NOT FOR REVIEW OR CITATION!
From 1997 until 2001, Zero-Knowledge Systems (Zero-Knowledge), a company based in Montreal, Canada, developed and marketed identity management program called Freedom. Freedom was, at heart, an online pseudonymity an service. It enabled users to adopt persistant, unlinkable pseudonyms and to choose among them each time they used internet services, including e-mail or web browsing. Each pseudonym, or nym, became a unique entity. Each nym could be identified, and its actions monitored and analyzed. But the identity of the nym could not be linked to the identity of the nyms owner, and the actions of each nyms could not be linked to the actions of the other nyms, nor to the actions of the nyms owner. The market model and the technical design of Freedom were informed by certain ideological understandings of the relation of technology, individuality, governments, and commerce, and Zero-Knowledges founders were able to harness hype, money, and talent to embody that ideology within a complex consumer product, an international data network, and a 250-employee company. However, Zero-Knowledge was unsuccessful in its attempts to actually sell Freedom to users. Surprised, the companys leaders decided that in order to create profits, attract investment, and survive as a company, they would develop a radically different privacy product, intended to help privacy officers within companies track the flow of information held by the company, and so to monitor compliance with local and international privacy regulations. In 2001, the Freedom pseudonymity service was discontinued. The corporate information management product is still offered. This chapter chronicles the strategies and tactics of Zero-Knowledge as they negotiated these changes. In order to emphasize the ideals toward which Zero-Knowledge was striving, it begins with a snapshot of the company at the height of its vision and promise. It then backtracks to give a more chronological narrative of the context and actions that led toward and away from that zenith. During those few years, Zero-Knowledge undertook development of a number of identity or privacy services. The chapter concludes by considering each of those products as a potential resource in the negotiation of social identity. It discusses the way that each was potentially useful in mediating social power. By comparing the development and relative success
Knowing Glances, Ch 2 From Freedom to DRAFT ONLY! NOT FOR CITATION OR REVIEW!
David J. Phillips, 8 Sept 05 p. 2
of each, the paper offers insights into the processes by which power relations are entrenched in technical systems, particularly information and communication systems. 1
Zero-Knowledge in early 2000: a snapshot of promise This section is a snapshot of Zero-Knowledges operations during early 2000, when ZeroKnowledge at its height. It had more employees than at any other time, and its vision was as expansive and hopeful as it ever had been, or ever was to be. In early 2000, Freedom was Zero-Knowledges flagship product. Freedom, from the users perspective, was described briefly above. For about 50 USD a year, the user would subscribe to the Freedom service. That subscription would allow the user to establish and use up to 5 nyms. Before logging on to the internet, or sending e-mail, the user would choose which nym she wanted to appear as. For example, one might have established one nym for ones professional persona, another for ones casual persona, another for engaging in online sex, and yet another for engaging in political activities. So, in logging on, one might choose among the nyms DrPhillips, djp, Corky, or Che. While logged in as DrPhillips, all e-mail would appear to come from DrPhillips@freedom.net. Likewise, when logged in as Corky, mail would appear to come from Corky@freedom.net. Although recipients could respond seamlessly to this e-mail, no one not the recipient, not the senders or the receivers internet service provider (ISP), not the internet backbone providers, not even Zero-Knowledge itself could determine who actually had sent the e-mail. It was impossible even to determine that mail from Corky came from the same person as mail from Che. This strong pseudonymity was implemented by sending every IP packet through a remailer network a sequence of anonymizing servers. The Freedom software residing on the users computer (the client) would encrypt each packet in layers and forward it to the first server. That server would decrypt one layer of the packet, revealing the identity of the next server in the sequence, to which the packet would be forwarded. That server would decrypt the next layer of
1
Notes on method; interviews, access to documents, review by principals. quotes and Canadian dollars
the packet, revealing the next server in the chain. This would continue until the last server in the chain forwarded the packet to its final destination. Only the first server saw the origin of the packet; only the last server saw its destination. Traffic coming in to a server could not be correlated to traffic leaving the server. Thus this networked cloud of servers effectively disguised both the route and the content of messages. The route was chosen not by any central server, but by the client software on the users machine. The network servers were not operated by Zero-Knowledge. Instead, their operation was contracted out to numerous ISPs. This decentralization and distribution of the operation of the servers was essential to the security of the network as a whole. In order to corrupt the system and trace the route of a message, an eavesdropper would need to gain the cooperation of the operators of all the servers in the messages path. Ideally, those operators would be located in different political jurisdictions, and would have different political and economic motives for sustaining the network. The whole, then, and thus each message, would be secure from warrants and other forms of persuasion from any particular jurisdiction. The 50 USD per annum subscription fee was intended not only to support the operation of the network and to generate profits, but also to support research and development of other privacy services. Zero-Knowledges ambitions for these services were vast. They intended not merely to offer a profitable online pseudonymity service, but to control the privacy space. This space, as a construct, was used to attract investors, who were wooed with promises not merely of a new product, but of a new market, a new industry. The privacy space would be huge; it would touch everything. And Zero-Knowledge intended to dominate that space like ATT dominated telephony. Or, more humbly, like Dolby dominated hi-fi noise reduction systems. One Zero-Knowledge founder explained the analogy: in the 1970s, no one really knew what Dolby did, it had no competitors, it operated invisibly, but one would never buy a tape deck without a Dolby sticker on it. Likewise, in the first decade of the millennium, every internetenabled device cell phones, refrigerators, DVRs, TVs would have a Zero-Knowledge privacy label. Zero-Knowledge had conceptually mapped this space along three dimensions of identity, network, and commerce. These axes laid out the essential attributes of privacy. Securing private
identity made it impossible to determine who an actor was. Securing a private network made it impossible to determine where an actor had been or with whom she was interacting. Securing private commerce made it impossible to track the economic activity of any individual, identified or not. These axes helped structure Zero-Knowledges narrative of itself. They guided strategy as Zero-Knowledge developed not only the Freedom service (identity) but also the anonymizing cloud (network) and an anonymous electronic cash product (commerce). They helped Zero-Knowledge form a coherent identity to present to investors, analysts, and the press. At the time, the privacy space was merely an ideal. There were no institutions occupying or articulating it, no flow of money through it. And money was necessary to bootstrap the space to create and dominate it. That money was to come in part from subscriptions to Freedom, but, more importantly, from investors. In early 2000, Zero-Knowledges strategy consisted in large part of wooing those investors. They had significant resources to deploy in that courtship. Those resources included including cutting-edge and fundamental technologies. Freedom was widely recognized as the sine qua non of online anonymity2. The user interface may have been clunky and slow, but the degree of privacy it offered, the inviolability of the underlying cryptography, was generally recognized as state-of-the-art. Zero-Knowledge also controlled a set of basic cryptographic patents potentially applicable to a vast range of online transactions. Zero-Knowledge also enjoyed, and deployed, credibility and recognition, especially among cryptographers and privacy activists. They reveled in hot press. One of the founders, Austin Hill, seemed to be involved in every public discussion of internet privacy. He appeared in a panel before the U.S. Congress, in a CBS 60 Minutes feature, and in countless articles in the specialized and general press. Zero-Knowledge was a highly visible co-sponsor of the 2000 Computers, Freedom, and Privacy Conference, arguably one of the most prominent and important international venues for discussions of the intersection of information technology, policy, and civil rights. Investors were also wooed with the possibility of changing the world while getting rich. Freedom, and Zero-Knowledges hoped-for control of the privacy space, overtly embodied a
cite Rolls Royce reference
techno-libertarian ideology. The techno of techno-libertarian referred to cryptographic technique. Cryptography was fundamentally important to Zero-Knowledges products, to its ideology, and to its corporate identity. The very name of the company was both an homage to cryptography (a zero-knowledge proof is a standard cryptographic protocol3) and a promise of a specific relation between the company and its clients (Zero-Knowledge would know nothing of its clients not even who they were). No one need trust Zero-Knowledge to protect privacy; one need only trust their software. And that software was to be open to inspection. One could look at the code to see what it could or couldnt do, what Zero-Knowledge could or couldnt know. Their commitment to cryptographic technique was an extension of the founders libertarian ideology. Zero-Knowledge perceived that the internet, by facilitating the availability of data about individuals, relocated power to corporate and state collectors of data. It enabled a world where your refrigerator could rat on you to your insurance company, automatically reporting your consumption of beer, or eggs, or heavy cream.4 This threatened not only the autonomy of the individual, but social progress creativity, diversity, mutation, and evolution. But individuals, given the tools of strong pseudomyity and untraceable economic transactions, would challenge the powers both of governments and of entrenched corporate behemoths. Freedom, and other privacy products, would allow individuals to retain control of their personal information, to defend their entitlement to that data, to monetize it, to use their identity as capital. Freed of the organizing oppression of both states and big business, cyberspace would blossom as a capitalist utopia.
A zero-knowledge proof permits someone to prove that they possess certain information without revealing the information itself. Briefly, a challenger poses a series of questions, which the claimant can only answer correctly if she possesses the information she claims to possess. The cryptographic problem is to establish a set of questions which everyone can agree can only be answered with access to the secret information, whose answers can be verified without access to the secret, and whose answers dont reveal the secret itself.
The internet-enabled refrigerator was an odd trope of this era. Futurists hyped the image of a busy worker, logging into his (or more likely, in this case, her) refrigerator from work, and checking its contents (one would scan the bar codes of each product when loading or unloading the fridge) before placing an order with an online grocery.
The degree to which Ayn Rand-ian crypto-libertarianism imbued Zero-Knowledge can be seen in a series of print ads developed in early 2000. These glossy 2-page ads were placed in business and industry periodicals such as Fortune, Forbes, The Industry Standard, and Wired. They were intended primarily to attract investors, and only secondarily to spur consumer sales. Each of three ads featured a photograph of a single individual against a vast landscape, and each individuals body was stamped with a bar code. To the side, the text read I am not a piece of your inventory. I am an individual and you will respect my privacy. On the Net, I am in control. There were three different ads, three different photos, and three different bar codes. When concatenated and translated from the hexidecimal, the bar codes read Who is John Galt?, a classic phrase from Rands Atlas Shrugged. While the messages were originally intended as an in-joke to other crypto-libertarians, Zero-Knowledge quickly decided to disseminate the image, revealing the message in various mainstream press stories. Libertarian politics valorization of the individual also informed Zero-Knowledges market model. Freedom was designed to be adopted and used by individual consumers. It was these masses of individual Freedom users that would instigate global changes. Yet Zero-Knowledge was aware that they, as a company, had to be vital and savvy in order to support that mass adoption. Zero-Knowledge had to succeed as a business before they could have any political effect. And so they constantly negotiated the tension between their identity as sensible and fiscally conscious business people and their identity as radical political activists. The goal of changing the world was always coupled with the goal of being a successful business. Zero-Knowledge displayed its promise to potential investors not only in the quality of its technology, but in the quality of its work force (who, of course, were producing the technology). In its heyday, Zero-Knowledge was a fabulous place to work, in large part because of the quality of the staff. During interviews, employees over and over again marveled that their co-workers, the people they brushed elbows and chatted with every day, were very, very smart, visionary, and tops in their fields. A significant number had stellar reputations outside of Zero-Knowledge, especially in the cryptographic research and privacy policy communities. Others were simply, down the line, competent, smart, and stimulating to work with.
The founders, Austin and Hamnett Hill and their father, Hammie, themselves were amazing in terms of visionary, smart business. They had their head in the right place, their goals in the right place, and their views on how a company should run and how employees should be treated all in the right place. For many, Zero-Knowledge the best company in Montreal. It had been written up in the local press for its Valley feel5 employees brought their dogs to work, the company provided masseurs, cappuccino machines, and laundry service. From the start, excellent employee relations were essential to the companys identity. They hired one human resources administrator for every 15 employees, when the industry standard was one adminstartor for every 100 employees. Moreover, their articulated vision of how to change the world didnt sound crazy, out there, or impossible. Zero-Knowledge was cool, it was hot, it was thrilling. It was Canadas shot at some actual fame. The opportunities seemed endless. If Zero-Knowledge were to be successful, it would be radically successful, wildly successful. It could change the world, as Apple had, and Netscape. There was an air of daring, irreverence, humor, and fun. Departments were given playful names, often mocking national security or police agencies. Customer Service and Information Support was abbreviated as CSIS, which was also the acronym for the Canadian Security Intelligence Service. Network Support and Administration became NSA, an acronym shared with the U.S. National Security Agency. The R&D group was referred to internally as The Evil Geniuses. In retrospect, this may seem an example of the irrational exuberance characteristic of the dot-com bubble. But at the time the fantasies seemed not out of keeping with the facts. It was the height of the internet boom; fortunes really were being made. Moreover, privacy was a salient media issue, and privacy activists seemed actually to be having an effect on corporate and governmental activities. PGP, a program to protect e-mail with strong encryption, had become available for general use, over strong governmental objections, through the efforts of individual activists backed by academic institutions. In the mid 1990s, activist cryptographers had aligned with telecommunication companies, forcing the federal government to back off of
elucidate re: silicon valley
plans to require the escrow of cryptographic keys used for secure telephony.6 Popular outrage had convinced Lotus to withdraw a product that published peoples social security numbers.7 Likewise, DoubleClick had decided to forestall plans link its databases tracking peoples online behavior with databases tracking their offline purchases.8 Not only was crypto policy was a live public topic, it was sexy. And it seemed to be smack in the middle of revolutions in commerce and governance. So, in this middle, Zero-Knowledge teetered on several pivots. They were playful and professional, radical and safe, a lucrative business and a political movement. The next section chronicles the path Zero-Knowledge took to achieve this position, and the resolution of the tensions it encountered there. Zero-Knowledge 1997-2002 Ideological beginnings In 1997, Austin Hill and Hamnett Hill, Zero-Knowledges founders, were in their mid-20s. They had just sold their interest in TotalNet, an ISP they had founded and transformed into the third largest in Canada, and were planning their next business venture. Internet companies were booming, yet little commerce was actually occurring online. Polls and pundits indicated that one of the things holding back an explosion of e-commerce was consumers fears about online privacy.9 The Hills were not privacy activists at the time, but both were free market libertarians. They were attracted, both ideologically and fiscally, to the idea of satisfying an untapped and potentially huge market demand for services which would protect the online activities of individuals from the prying eyes of governments and other large, entrenched, institutionalized interests. They saw those services especially anonymous payment systems and untraceable communications as essential components of a thriving internet-based commerce. The promise of controlling access to those essential services proved a sweet siren call.
6 7 8 9
Levy, Steven. 2001. Crypto. New York: Viking. , or Phillips secrets and trust cite cite cite
In the course of their market research, the Hills became involved in an active community of cryptographers and privacy activists. It was from these conferences, white papers, and e-mail lists that the Hills first absorbed cypherpunk crypto-libertarian techno-political philosophy. The cypherpunks, as an identifiable group, began in 1992 as a loose affiliation of technically adept computer scientists, some of whom had accrued substantial financial assets in the computing industry. Their common bond was a belief that cryptographic technology had the potential to fundamentally alter structures of power, particularly in the power of the government to monitor and discipline the economic actions in individuals. In general, they were techno-activists. That is, they tried to implement the technological structures that they believed would alter social structures. Most communication within the group was through the cypherpunks mailing list, which became one of the few generally available sources of cryptographic expertise. The list was a vital source not only for cryptographers, but for reporters, academics, and researchers covering cryptography issues.10 An important facet of cypherpunk philosophy was the repudiation of security through obscurity. No system could be trustworthy unless it was open to examination. Security software could not rely on secrecy. Instead, it had to rely on the provable robustness of its cryptographic algorithms. From the first, the Hills felt that it was essential to align with the cypherpunk community to prove themselves to that community and to enlist its support. That proof consisted of a display of knowledge of the techniques and the politics of cryptography and privacy, and especially a commitment to cryptographic software as the bedrock of privacy protection. Developing Freedom The Hills operated with a sense of abundance. In February 1998, they hired their first employee. This was a family friend with little experience in project management, and grave doubts about his suitability for the job. But the founders argued that vision, intelligence, and optimism were more important than experience, gave him dispensation for inevitable errors, and convinced him to join.
10
Levy Wired cypherpunks article; djp diss; Privacy New Landscape
They next assembled two teams of software developers, one working on the client software, the other working on the network software. Initially, the development teams strategy was to rework existing remailer systems developed in prototype by cypherpunk cryptographers. However, that strategy changed abruptly three weeks later, when Zero-Knowledge hired Ian Goldberg as Chief Scientists and Head Cypherpunk. Goldberg was nothing less than an international star of the cryptography community. 25 years old at the time, he had already twice appeared in The New York Times for discovering security flaws, first in the Netscape browser (at the time far and away the markets dominant browser)11 then in mobile phone protocols. 12 These stories were big news, appearing, respectively, on the front pages of the Times main section and its business section. In Goldbergs words, the stories ran everywhere. Goldbergs hiring had three effects. First, it gave Zero-Knowledge instant credibility in the cypherpunk and cryptography communities. Second, it irrevocably established the direction of product development along cypherpunk ideals. That is, Zero-Knowledge committed itself to developing from scratch the mother of all privacy solutions, an NSA-proof system, whose security would rely not on any secrecy in how it operated, but instead on the provable intractability of its algorithms. back months. Product development was guided by faith in the market, though not by faith in market research. There were no formal attempts to find out what consumers would be likely to buy. Instead, product development was mostly techies sitting around asking each other what cool features theyd like to create and use. This process worked very well, for a while. In October of 1998, Zero-Knowledge presented Freedom at Venture Market East, a forum sponsored by Red Herring magazine and intended to allow investors and start-up companies to become familiar with each other. Zero-Knowledge was, in the words of a Red Herring editor, a runaway hit.13 As a third, corollary effect, Goldbergs hire sent the release date
11
The New York Times September 19, 1995, Section A; Page 1; Column 1; Software Security Flaw Puts Shoppers on Internet at Risk The New York Times April 14, 1998Section D; Page 1; Column 5; Researchers Crack Code In Cell Phones JOHN MARKOFF
Lahey, Anita. 1999. What Price Privacy. Canadian Business Magazine (Feb 26)
12
13
Their presentations were standing room only.14 The Hills were triple-booked with venture capitalists. Interest was so great that, perhaps paradoxically, they decided to hold off on accepting venture capital, instead investing more of their own money, and the money of friends and acquaintances. More than merely reinforcing Zero-Knowledges faith in its own work, the interest expressed at Venture Market East changed their understanding of the product they were developing. Zero-Knowledge went into the conference with an e-mail and web anonymizer, and they came out with an identity product, a base for many services and programs. The idea of persistent pseudonymity of nyms was born at Venture Market East. The idea that identity management had potential far beyond mere private e-mail changed the way the company thought of themselves, and the way they presented themselves to investors. Development efforts redoubled. A few months later, Zero-Knowledges faith in itself was again rewarded, when they presented a pre-alpha version of Freedom at Demo 99, another conference intended to present new technologies to investors and the press. Zero-Knowledge presenters felt that Freedom was the most recognized, most well-received, most attentiongrabbing product there. The demonstration, and the welcome attention it received, was pivotal. It gave Zero-Knowledge a sense, not only that they were on the right track, but that they could compete with the best. The development process was tremendously difficult and exciting. There were no similar products for comparison (though prototypes of limited systems did exist), no established users to interview. And the design of a private network was intrinsically more difficult than, say, the design of a word processor. A buggy word processor was still a word processor, but a buggy privacy system was no longer private. It demanded attention to the edge case; weird uses and unlikely attacks were as important to design considerations as everyday use. And ZeroKnowledges growing reputation among crypto hackers, and especially their claims to be military grade, made them a sweet target for attacks. So designers constantly tried to imagine and guard against attacks both from lone geniuses and from the concerted forces of U.S. military
14
Pittsburgh Post-Gazette November 1, 1998, Pg. C-3 HOW TO FIND A VC MICHAEL NEWMAN
and intelligence agencies. Occasionally, significant effort would be spent trying to incorporate defenses against a specific type of attack, only to decide that the attack was so unlikely, and so expensive, as to be absurd. For example, originally there had been plans to account for correlations attacks, where someone observing the entire network could statistically correlate traffic in and out of servers. Such an attack reveals the routes of messages, but not the contents of messages, and requires enormous monitoring and analysis resources. Indeed, it was eventually determined that the required resources were not simply enormous, but fantastic, and the problem was abandoned as moot. The work was constant and physically exhausting. Deadlines loomed, passed unfulfilled, and loomed again, like a carrot held before a donkeys nose. Coders worked through illnesses, though nights and weekends, through threats of divorce and disownment. While software development was proceeding, ISPs had to be recruited to host the Freedom network servers. Initially, these ISPs were recruited through cypherpunk contacts and through the founders contacts from their days as ISP operators. By this time, Zero-Knowledge was receiving significant press in the industry, and many ISPs initiated contact with them. By the time of the beta test, 65 ISPs had volunteered to host servers without remuneration. After the beta, Zero-Knowledge started offering more formal contracts with ISPs. Under these contracts, the host ISPs initially paid $3000 for each Freedom server, but after that were re-imbursed at least $250 per month by Zero-Knowledge for Freedom traffic passing through the ISPs internet gateway. In addition to this monthly fee, Zero-Knowledge also offered ISP hosts a bit of market advantage, since they could advertise that they were privacy-aware, and so differentiate themselves from their competition. Ramping up: growing reputation, growing payroll Public relations was considered an essential part of the pre-release development strategy. The public relations manager was employee # 21, hired in January 1999, eleven months before the product release. Zero-Knowledge began appearing regularly in the local Montreal press, and more and more frequently in the national Canadian and U.S. press. 15 Coverage came from many
15
cites ([from lexis: business week, Internet world, MacLeans, Marketplace, weekend edition. /congressional hearings: Newsweek)
beats, including the lifestyle, policy, and technology desks. The Hills had courted recognition from established civil libertarian groups, including the Electronic Privacy Information Center, the American Civil Liberties Union, and the Electronic Frontier Foundation, and from established cryptographic and privacy policy experts. This paid off as these more established press sources referred reporters to Zero-Knowledge. They reaped great press when Ian Goldberg wrote code that could reveal the supposedly hidden unique serial number of each Intel Pentium 3 chip. This discovery was covered prominently by Newsweek and the New York Times, among other publications16. Zero-Knowledge also published high-level white papers describing the Freedom network. This early hype gave Zero-Knowledge a very strong brand image. It also locked them into that image, and forced them into being good, [being] above reproach. During summer of 1999, Zero-Knowledge closed on its first round of outside financing, when Platinum Venture Partners invested 7.5 million CAD.17 With this infusion, ZeroKnowledge ramped up hiring, and leased three floors of a newly renovated office building in downtown Montreal as well as space in Palo Alto, California. There were no definite plans for a Palo Alto office, but Zero-Knowledge management saw that eventually a presence in Silicon Valley would be essential. Demand for office space in the Valley was skyrocketing, and they figured that they could rent it out at a profit if they didnt occupy it themselves. Through late 1999 and early 2000, Zero-Knowledge actively displayed exuberance and growth. In part, this display was intended to attract investors, but it also was intended to attract visionary thought leaders to the employee rolls, and simply to have fun. Recruitment was very un-Montreal. Zero-Knowledge would poach employees from other local firms by sitting outside in a flatbed truck with a sign proclaiming Were hiring! They were later cited by The Industry Standard for their ability to hire, massively and quickly, high-quality people.18 For Zero-Knowledge was actively expanding their expertise into other areas of the privacy space. They brought aboard internationally recognized experts on privacy policy to establish a consulting practice aimed at corporations who increasingly had to acknowledge and deal with
16 17 18
cites cite prospectus The Industry Standard, May 22, 2000, Recruiting: How The Best Are Won, Deborah Giattina, (page?)
global data privacy regulations. They also radically extended their cryptographic expertise by hiring Stefan Brands and licensing several of his patents for implementing private credentials. Private credentials provide a means of disentangling the verification of the various attributes to which a credential might attest. As a general example, suppose a user, Alice, needs to be able to prove, on various occasions, her name, her age, her citizenship, and her student status. Moreover, she wishes to prove these independently, to prove her age without showing her name, for example. She would go to a commercial credential issuer, and present proof those attributes her birth certificate, say, and a University bursars receipt. The issuer would then provide her with a digital credential attesting to those attributes. When challenged regarding her age or student status, Alice would present the credential. However, she would also present a logical query regarding the embedded attributes. The challenger would receive in return a true or false response to that query. For example, suppose the public transportation system offers a 50% discount to students and to those over 65. Alice could present her credential, along with a query: Am I over 65 OR a student? The response would be yes and Alice would qualify for the discount. But the bus company would not know Alices age or her student status. They would not even know her name. Digital credentials might be implemented in various media, including smart cards, cell phones, or the internet.19 Brands had also developed a means by which credentials could be used privately only once. Presenting the same credential twice would reveal all of the information on the certificate. This could have enormous potential in anonymous electronic voting systems. Alice could use her credential to prove that she was a registered voter without revealing her name. But if she tried to vote twice, her name would be revealed, and appropriate penalties could be levied. Like Ian Goldberg, Stefan Brands was internationally renowned, and his patents were generally recognized as fundamental, basic, and applicable to a wide range of online transactions. Moreover, they seemed likely to withstand legal assault. They were legitimate, easy to defend, big spiky things you cant go near.
19
cite Brands book
While Zero-Knowledge saw in the Brands patents the future e-commerce and identity, Brands saw in Zero-Knowledge a commitment to commercialize state of the art cryptography. He was impressed both by Zero-Knowledges in-house cryptographic expertise (especially the presence of Goldberg) and by the entrepreneurial vision of Zero-Knowledges management. Once having acquired the patent rights, Zero-Knowledges research and development team (the Evil Geniuses or simply the Evils), set about to develop an electronic cash application. As with Freedom, there was no formal market analysis guiding this decision. Instead, strategic decisions were seat-of-the-pants. Other applications (air miles and other reward programs, electronic voting, highway toll systems) were just as feasible, but E-cash was interesting. It was big. It was thought to be de novo not to be built upon existing banking or payment processing infrastructures, but to be a system unto itself. It seemed like a logical extension of the Freedom model, since nyms had to be paid for, and the payment system was one potential source of surveillance within the Freedom infrastructure.20 Perhaps most importantly, though, anonymous payment systems had long been a cypherpunk project, an integral part of the crypto-libertarian ideal of a free market in cyberspace.21 And that ideal found its home within the Evil Geniuses more than anywhere else at Zero-Knowledge. The E-cash project was code-named Zorkmid, after the unit of currency in an early on-line role-playing game.22 Zorkmid got very little corporate support or attention within ZeroKnowledge outside of the Evil Geniuses group, though Zero-Knowledge did bring external collaborators into its development. A major wireless phone company was interested, as well as one of the leading smart-card manufacturers. Zero-Knowledge response was to let them in on the development process, not so much as active collaborators, but to give them access to ZeroKnowledges developments, to allow them to develop their own applications based on patents
20
Zero-Knowledge did have a process in whereby one could pay for nyms anonymously by sending cash through the mail, and a significant number of users, especially from Europe and Russia, in fact did so. But it was an awkward and kludgy process.
21
Phillips, D.J. 1998. The Social Construction of a Secure, Anonymous Electronic Payment System: Frame Alignment and Mobilization around Ecash. Journal of Information Technology 13(4): 273-283.
http://en.wikipedia.org/wiki/Zorkmid; 18 July 2005
22
which Zero-Knowledge controlled, thereby facilitating a future source of revenue. ZeroKnowledge pursued a similar strategy as it released the some of Freedoms source code. Hopefully, access to the source would encourage third-party developers to produce applications that would rely on, and pay fees for, access to the Freedom network. [DJP: promote this as a significant corporate strategy] These were heady times at Zero-Knowledge. Words like awesome, overwhelming, charismatic, risky, and exciting were frequently used to describe this period. The possibility for global change seemed palpable, and some employees could hardly sleep with excitement. Zero-Knowledge took themselves seriously, and management took seriously the importance of a fun, vital, and creative workplace, aware of long term goals yet focused on action here and now. Happy and committed employees were considered an essential resource. As the company grew from 45 employees in July 2000 to over 250 employees a year later, the founders wanted to ensure that the company would always have the vitality of a start-up. They instituted a Newbie University for all new employees a three day intensive workshop inculcating newbies into Zero-Knowledges philosophies, strategies, culture, and products. They commissioned a cultural snapshot from a consulting company, who conducted focus groups and interviews to identify the workplaces key enablers as well as potential barriers to meeting Zero-Knowledges goals. This exuberance, expansion, and growth was gratified and renewed in December 1999 when Zero-Knowledge closed another round of institutional investment, this time for 37 million CAD.23 This expansion of vision, of hiring, of patent acquisition, of financing began before and continued past the Freedom release. It was not based on Freedoms relation to the market, which, as we shall see, was never really robust. The Launch of Freedom In December 1999, after several months of beta-testing, Zero-Knowledge launched Freedom 1.0. The developers and the management thought they had changed the internet forever.
23
prospectus
They celebrated with high-fives and beer (though no actual tears), and sat around exhausted, creating nyms to populate the network. Concurrently with the product launch, Zero-Knowledge assembled a marketing department. Marketing immediately set out to brand both Zero-Knowledge as a company and Freedom as a product, and to develop marketing strategies for each, selling the company to investors and Freedom to consumers. They immediately chose a strategy of cause related marketing. This is a strategy whereby the company is associated not with a product, but with an ethos or a cause. As an examples of successful cause related marketing, the Marketing department pointed to The Body Shop, which sold not cosmetics but female empowerment, and Benetton, which sold not khakis but universal justice, love, and harmony. Zero-Knowledge could similarly identify themselves with individual political rights. Indeed, Zero-Knowledge could do this more naturally and easily than, say, Benetton, since Zero-Knowledges products were, in fact, directly intended to facilitate those rights. So as a conscious corporate strategy, Zero-Knowledge strongly and publicly endorsed privacy advocacy and the political rights of the individual, hoping this would give them the credibility to garner [the] evangelical devotion of employees, investors, and customers. The moral high road would also inoculate Zero-Knowledge against backlash when, as was inevitable, someone used Freedom in the course of a crime. When such an event drove critical media to the Zero-Knowledge site, they would find there an unambiguous and principled defense of privacy rights. In a sense, this branding strategy simply re-affirmed and built upon the public relations strategy that Zero-Knowledge had been pursuing since its inception. Branding Freedom as a product was more difficult than branding Zero-Knowledge as a company. First, the name Freedom was chosen long before the marketing department was part of the Zero-Knowledge organization, and, from a marketing perspective, the choice had been unfortunate. The name did not indicate what the product did. As an evocative signifier, Freedom might be attached to any product from a brassiere to a missile guidance system. So marketing developed images to suggest what it was that Freedom would allow users to enjoy. While Zero-Knowledges image was to be of sober, principled advocacy, Freedom was to be
presented as footloose, childish, and empowering. Suggestive visuals might include pictures of girls laughing as they whispered secrets. The Freedom home page in January 2000 reflected these branding decisions. The dominant image was of a person of indeterminate gender, looking through a telescope, wearing a strange expression of surprise, shock, or repellent fascination. Freedom was touted as offering absolute privacy protection, and the reader was exhorted to Get the headlines, Explore the issues, Understand the technology and Learn whats at stake. Clicking any of these would lead the reader to a news service, where current off-site articles were indexed under five categories: General, Families, Human rights, Technology, and Law enforcement. The sight also included an employee recruitment notice, asking Have you got what it takes to be a ZeroKnowledge Internet Freedom fighter? The initial marketing strategy was to viralize the product to spread the good word that Freedom had arrived. If people knew about it, they would buy it. The marketing team referred to themselves as evangelists, zealously spreading a revolutionary message. The team targeted several vertical markets whose participants would be most likely to adopt Freedom. These markets were understood as organized around interests, since the team inferred that those interested in certain topics or activities would have a natural interest in privacy as well. The initial interest-oriented markets to be targeted were gay and lesbian, health, financial, political, and family. To reach the members of these markets, Zero-Knowledge marketers hoped to co-brand offerings with interest-based internet portals. For example, gay portals such as gay.com and PlanetOut were approached with the opportunity of sponsoring co-branded e-mail, so that every message sent by the portals subscribers would be pseudonymized, and carry not only a Freedom tag but also a gay.com or PlanetOut tag. Some of the Zero-Knowledge evangelists had enough experience to have developed relationships and contacts within the targeted markets, but usually the approached potential partners through cold calls, sending informational packets and Zero-Knowledge branded trinkets (key-rings, retractable phone cords, t-shirts, mouse pads, baseball hats, ), and following up with a phoned pitch.
Sales were disappointing, at best. In February 2000, product management was planning for a network accommodating 2.5 million users by end of 2000.24 Yet by July 2000, there were only 12 thousand active nyms.25 To make matters much, much worse, the dot com bust occurred within a few months after Freedoms release. Investment dried up, and companies involved in ecommerce, who may have had an institutional interest in online privacy, folded. [Need a few more sentences describing the bust] So through most of 2000, Zero-Knowledge was constantly re-evaluating their environment, strategies and tactics. Their initial corporate strategy had been to attain first-mover control of an emerging space. This control was to be financed by investments and by revenue from Freedom. But Freedom sales were little better than dreadful, and investors could no longer be enticed by promise. They had to see revenue. In response to these conditions, Zero-Knowledge developed a two pronged strategy of revenue generation. The first prong was to re-evaluate the design and marketing of Freedom. The second was to develop products and services to appeal to corporate clients. Reconsidering, revamping The design of version 2.0, which began almost immediately after the release of 1.0, was increasingly influenced by the knowledge of 1.0s poor sales record. The development of Freedom 1.0 had been guided only by the developers imaginary user, who looked a lot like the developers themselves. In developing Freedom 2.0, Zero-Knowledge attempted to satisfy not only its techie constituency, but to discover and satisfy the desires of potential non-techie users. Version 2.0 incorporated two major technological changes to the Freedom service. First, the method of encrypting and delivering e-mail was completely revised. 1.0 had delivered encrypted e-mail to the users ISP, along with a reply bock that would contain the return address, encrypted in layers. The users client would use the reply block to set up the return path for responses. This was a cool trick, cryptographically, but awkward to implement, slow, and likely to fail. Instead, 2.0 sent all mail to a POP server hosted by Zero-Knowledge. Login to
24 25
roadmap nymsats.htm
that server was anonymous, and all mail to and from it was sent through the same anonymizing server network as in previous versions. It had the same level of security as the previous version, but was much simpler to operate. Also, to improve latency, the network was reconfigured to have fewer servers, and to have those servers closer to the internet backbone. The security of distributed operations could be maintained by scattering the servers among different backbone network providers MCI or Qwest, for example rather than at the level of ISPs. Like the abandonment of the reply blocks, this change reduced latency and increased robustness. It also alleviated the expense of ZeroKnowledges deals with ISP hosts. Zero-Knowledges attempts to find the user for Freedom included the marketing and the development teams. However, coordination between these teams was ad hoc, at best. The client development team began work on version 2.0 almost immediately after the release of 1.0. In order to define the functionality of the 2.0 client, in order to think about what it should do, the software team developed a book of user stories. Each story was a short profile of how an archetypal user would interact with the client. Alice, for example, wanted an anonymous email service for which registration would be simple and wouldnt require her to divulge personal information. Each developer would invent a pet user, and submit the users profile to the team for review. A profile went into the book if a majority of the developers liked it. Coders were at this for a month, not coding, getting antsy, feeling uncertain of their competence, and trying to get other departments involved. The team leader especially needed the buy-in of the top management and the sales team, warning them not to complain later if the team developed a product that couldnt be sold, pleading with the marketing and sales departments to be told what sort of features would be sellable. The marketing team was, of course, trying to find answers to those questions. But this was extremely difficult. It was a new market; no one had ever tried to sell such a service before. And it was a market where the buyers were, by definition, concerned with privacy and not forthcoming with information about themselves. Moreover, Zero-Knowledges whole persona was based on the premise that users neednt and shouldnt trust anyone, including ZeroKnowledge.
However, Freedom users were regularly in contact with Zero-Knowledge through the department of Customer Service and Information Support (CSIS), which operated the help desk. The marketing team requested customer service records from CSIS. They also requested the nyms of users who had had contact with CSIS, so that marketing could send them questionnaires. CSIS resisted both of those requests on privacy grounds. However, CSIS did provide marketing with aggregate records from their database, describing, for example, the types of features callers had requested. This aggregate, de-personalized knowledge became a treasure of information in the development of 2.0. The marketing department also conducted a user survey, distributing it through the Zero-Knowledge web site, advertising it through the sales teams personal contacts, and offering t-shirts and video store gift certificates as incentives for participation. In these efforts, marketing was focused not only on 2.0 development. They were also looking at Zero-Knowledges overall sales strategies, at the true viability of the privacy space, and at Zero-Knowledges brand perception. The initial sales strategy had been to approach customers in interest-based markets (like health care, women, gay and lesbian interest, financial) by developing partnerships with big properties in each segment portals like gay.com or i-village. In its research, marketing discovered several reasons for the failure of this strategy. Unsophisticated users had difficulty installing and using Freedom. Many potential users got their internet access through America Online (AOL), and Freedom was incompatible with AOL software.26 Freedom slowed communications considerably, and more sophisticated users, habituated to high-quality service, were unwilling to put up with this latency. And while Freedoms flaws were readily apparent in use, its virtues were invisible. When it worked well, nothing happened. The typical user that Zero-Knowledge was able to attract was a 25-34 year old male, working in the tech industry, and already interested in internet privacy. There was no correlation between the interest-based market segment and the likelihood of uptake. That is, it didnt matter whether the user was interested in health care or financial issues; what mattered was whether he was technically adept and interested in privacy. This was a niche market, not a mass market. In response to this new
26
note re: cultural gap between techies and the masses; contempt for AOL.
knowledge, the marketing team changed its strategy to target early adopters rather than market segments. The early adopter strategy was based on a well-established model of technological diffusion. According to this model27, new technologies are taken up by various groups in turn. Innovators are the first to take it up, followed by early adopters, early majority, late majority, and non-adopters. Members of these categories share certain characteristics. Early adopters, for example, tend to have high socio-economic status, and to be young, mobile, creative, and open to contact by sales people. Zero-Knowledges marketing department now sought to narrow their consumer outreach by targeting only those groups with privacy interests that also shared the demographics of early adopters. They identified and ranked eight such interest groups: techies, gay and lesbian, activists, students, internet relay chat users, broadband users, adult entertainment enthusiasts, and discussion group users. Zero-Knowledges new marketing strategy focused on the first four of these groups. The strategy was three-fold first to drive awareness within those groups that Freedom was privacy-enabling, then to drive traffic from those groups to Freedoms web site, and from there to drive downloads and sales. Awareness was to be driven by attending events for each interest group (like the Geek Pride Festival or gay pride parades), by getting the endorsement of opinion leaders in each community, by increased visibility of freedom.net email addresses in discussion lists, and by banner ads on portals and web sites. This marketing strategy was not so different from the initial viral strategy, but it recognized that, at least until version 2.0 improved Freedoms usability, the target of the viral campaign had to be more precisely circumscribed. The marketing department set out also to try to address growing concerns within the company that they had entirely misjudged public attitudes toward privacy. As Austin Hill put it, everyone says they care about privacy, but people would give a DNA sample for a free Big Mac. Privacy seemed to be an issue rather than a problem, or a problem from which no one suffered. People within the company echoed others in the privacy activist community and
27
cite
wondered how the privacy movement could attain the same cultural salience that the environmental movement had reached in the 1960s. What sort of privacy Chernobyl would be necessary to wake people up? If the FBI decided require every ISP to record every packet flowing through their servers, would that stimulate resistance? Would that demonstrate a real need for Zero-Knowledges product? In the months after the Freedom launch, the marketing department tried to generate empirical knowledge about the privacy space and Zero-Knowledges perceived position within it. They conducted focus groups in Boston and Toronto. What they found struck at the heart of the companys belief that individual consumers would understand privacy as a political problem, and would see the purchase and use of Freedom as a viable response to that problem. They found that potential Freedom users had vague but fatalistic attitudes toward internet privacy. Most internet users were ignorant of the ways in which their activities were monitored, yet had resigned themselves to that monitoring. Encryption was an unfamiliar and intimidating concept. Moreover, they were put off by Zero-Knowledges seemingly grandiose claims both the claim to provide total internet privacy and the claim that such total privacy would cure social ills. With this growing awareness of difficult, and perhaps intractable, problems with a reliance on a consumer market base, Zero-Knowledge put more effort into attracting corporate deep pockets clients. On one hand, they began looking to channel marketing as a distribution technique. That is, they sought to recruit original equipment manufacturers (OEMs) to distribute Freedom with the equipment. New computers would be configured to install Freedom on the foirst boot; routers would come with a CD including the Freedom software. To appeal to OEMs, Zero-Knowledge incorporated Freedom For Free into version 2.0. Freedom For Free was a suite of security tools including an ad-blocker, a cookie manager, a firewall and a form filler. It also allowed users to register nyms and send and receive pseudonymous e-mail. These would be available at no charge to anyone installing the software that came with the newly purchased computers. Anonymous web browsing via the full Freedom pseudonymity service would still be available for subscription. In splitting up the product this way, Zero-Knowledge rejected other options, like charging for the security tools, or stepping up development of private certificate and e-cash products. Instead, Zero-Knowledge management hoped that by making the Freedom client readily available as the front end for popular (and cheap) security tools, it would channel
users toward adoption of more specialized, and eventually more profitable, privacy services, such as private e-mail and web browsing, private or anonymous authorization, payment, and verification services, or challenge-response spam management. But to convince OEMs to bundle Freedom, Zero-Knowledge had to show both that there was consumer demand for their privacy products, and that their security products offered improvements over similar products then on the market, like those offered by Symantec and McAfee. So the development of 2.0 was coupled with a renewed effort to drive up sales of 1.0. Zero-Knowledge also attempted, with little success, to attract corporate clients, both through a corporate version of Freedom, and through privacy consulting services. The business need for anonymous browsing was not difficult to argue. More and more corporate research market research, investment research, patent research, surveillance of the affairs of competitors occurred via the web. While the web gave cheap access to lots of information, it also made the search activities themselves more visible. So the direction and strategies of a corporate research interests became more visible to their competitors. Anonymous web browsing through Freedom would give businesses all of the benefits and none of the drawbacks of the webs visibility. Unfortunately, though, a business couldnt adopt Freedom simply by buying nyms for all their employees. In its standard implementation, Freedom did not work from behind a firewall, and virtually all corporate networks had installed such firewalls. Instead, access to the anonymizing network had to go through a gateway which had to be custom designed and installed for each corporate client. So the costs and risks of marketing, adopting, and installing Freedoms corporate version were substantial. The privacy consulting services which Zero-Knowledge offered to these deep-pockets clients included analyses of regulation compliance and information management with a specific focus on issues for multi-nationals. Zero-Knowledge did have some success marketing these services. Indeed, from July 2000 through March 2001, services and consulting accounted for over 60% of Zero-Knowledges revenue. 28 However, management still complained that they were not getting the really big clients, because they themselves were not a really big operator. They were not Anderson Consulting, for example, or IBM.
28
cite prospectus
Enterprise solutions Zero-Knowledges move to attract corporate clients resulted in another stream of product development. Shortly after the release of Freedom 1.0, Zero-Knowledge management was approached by the management of Excite, an online profiling and advertising company. Through the use of third party cookies, Excite collected anonymous data on individuals web surfing habits. They then used that data to create profiles of users and to serve banner ads to users based on those profiles. In their PR, they were adamant that they did not collect any personally identifiable information (PII). However, they now were looking for a way to collect and use PII and to amend their privacy policy without violating its spirit. This was by no means an idle or altruist concern. One of their competitors, DoubleClick, had recently planned to merge identified with anonymous data, and the uproar included an FTC investigation, numerous lawsuits, and a steep, though brief, drop in their market capitalization.29 Because Zero-Knowledge had very high visibility in the nascent privacy field, Excite sought them out for advise and possible technological solutions. The courtship between ZeroKnowledge and Excite was brief, and nothing concrete came of it. Nevertheless, it awakened Zero-Knowledge to a possible corporate demand for their technology. They began to see a common thread of core needs for data blinding, for a privacy layer in the data infrastructure. Data holders were very good at putting data in and taking data out, but there were no mechanisms for fine-grained control, for using data for one thing but not another. This was so even when companies were well-intentioned and sought to use data responsibly. A corollary of this coarse control of consumer data was a trust problem between consumers and businesses. There were some moral qualms within Zero-Knowledge about going into corporate database management. There were questions of whether data collection companies were intrinsically enemies of privacy. However, consensus was quickly reached that the privacy problem was not the tailoring of ads to suit each particular viewers interests. It was knowing what a particular user was doing knowing, for example, which search terms someone was using on the New
29
http://www.aef.com/06/news/data/2000/1154; 22 June 05
York Times web site. The goal then, was privacy enabled profiling detailed, dynamic profiles that were not linked to any PII. Once the decision was made, Zero-Knowledge moved quickly to develop a new service, a database blinding engine code-named Blind Elephant. Database holders would agree to encrypt, or blind PII fields of each data record. The blinding algorithm would be such that the same original value would always produce the same blinded value, but it would be mathematically impossible to compute the original value from the blinded value without access to a cryptographic key. This key could be held by a third party, mutually trusted by database operator and data subject. Blind Elephant would allow database operators to profile their users more effectively, and to engage in one-on-one communication with their users, all without direct access to any personally identifiable information. For example, suppose BigPharmaceuticalCo wanted to know the demographics of FabNewDrug buyers. Using Blind Elephant, they could buy that data from pharmacies, but with the identifying field (say, the social security number) blinded. BigPharmaceuticalCo could also buy consumer reports from credit agencies, again with the social security numbers blinded. Since each unique social security number would blind to the same unique value, the pharmacy records could be matched with the credit records. Thus individuality could be established without identity, and statistics could be generated without violating privacy. Moreover, some at Zero-Knowledge asserted that the quality and usefulness of individual records would likely improve, since users would be more trusting, and less likely to falsify data. Blind Elephant would also mediate privacy-enabled customer relations management. As in the above example, PII fields would be cryptographically blinded, and could only be decrypted with a key held by a third party, say Zero-Knowledge itself. Records could then be merged, and patterns discovered. BigPharmaceticalCo might find a particular cluster of deidentified user records particularly interesting, and particularly attractive for a marketing campaign. They would like to send e-mail to each of those individuals to whom the records refer, but they dont know who those individuals are. Instead, they would send to ZeroKnowledge two pieces of information the encrypted e-mail address gleaned from the subjects
data record, and a message to send to that individual. Zero-Knowledge would check that the subject of the record had agreed to receive e-mail. Only then would Zero-Knowledge decrypt the e-mail address and send the message. At no point would the merged data and the PII be available together.30 Zero-Knowledge identified in Blind Elephant (later renamed the Privacy Rights Manager (PRM)), three value propositions for deep-pocket clients. It would give database holders a competitive advantage in that they would be able to advertise themselves as privacy-aware. It would promote trust between data subjects and database holders, encouraging subjects to be more honest and forthcoming in the provision of personal information, and allowing database holders to create more accurate profiles. It would also facilitate compliance with a growing body of privacy law, all of which regulated the collection and exchange of personally identifiable information. Zero-Knowledge had little empirical data to support the first two propositions, so they focused instead on the third. Thus the health care and financial industries, as the sectors most subject to privacy regulation, were identified as the low hanging fruit. In its targeting of institutional actors, rather than individuals, PRM was a step away from the libertarian ideology of Freedom. That ideology did not die, however. The attention to institutions was seen in some quarters as instrumental, as a way to get privacy to consumers yet have someone else pay for it. Because consumers were still not buying. The move toward developing business friendly products and services was accompanied by a shift in PR. Almost immediately after the release of Freedom 1.0, Zero-Knowledge had realized that they had to get away from the cypherpunk, libertarian, nutsy thing, away from being perceived as a bunch of hackers. They had to package and communicate the privacy problem in a way that wasnt scary or threatening. They had to show that privacy was good for business. They toned down their flacktivism and became much less in-your-face. For example, in June 2000, Zero-Knowledge became aware that Freedom users were unable to access some FBI web sites. Had this happened six months earlier, Zero-Knowledges PR would have been confrontational. Now, however, the PR director made efforts to downplay the entire situation, to
30
This image was the inspiration for the Blind Elephant name: like the proverbial elephant seen by a group of blind men, different parts were visible to each viewer, and no one was able to understand the whole.
publicize the cooperation between Zero-Knowledge and the FBI as they together tried to solve the problem. Zero-Knowledge needed a new kind of credibility. They no longer sought the imprimatur of cryptographers and activists. They needed established players banks and telecomm companies to say we are partnering with Zero Knowledge because Zero Knowledge is the leader in the privacy space. Regrouping Throughout 2000, Zero-Knowledge was trying to recruit a new CEO and management team. In early 2001, they were successful. At the same time, Reuters invested 32 million CAD in the company. The new team further articulated and rationalized Zero-Knowledges corporate goals and strategies. The goal became simple to turn a profit and survive. The strategies to meet that goal were similar to those that had been developed over the previous year. They were, first, to sell more consumer product and second, to establish a high-margin product aimed at corporate clients. In pursuit of these strategies, the new team instituted core changes to Zero-Knowledges culture and sense of itself. Massive layoffs began in March 2001. These struck at the core of Zero-Knowledges selfimage and their sense that a fun, caring, and creative workplace was an essential engine of success. Zero-Knowledge handled the layoffs with a sense of responsibility, conducting them internally, rather than bringing in outside consultants, as was common in other corporations. The People Department first laid off half their own, using that experience as a way to learn how to manage it for the rest of the company. As one of the People Department managers put it, We hired them and made promises, were breaking the promise and well do it ourselves. By Jan 2002, Zero-Knowledges employee roll had shrunk to about 110 from the peak of about 255, which it had reached 18 months earlier. No longer were programs like Evil Geniuses kept because they were fun. Everything was evaluated by a must have criteria, and immediate revenue was the goal against which necessity was justified. With the shift to channel marketing and distribution via OEMs, there was less need for advertisements, so the marketing department was hit hard. After the layoffs, performance management was instituted in order to get newly re-organized departments to focus on corporate goals. At this point, many, but not all
of the departments changed their names. People Department became Human Resources, for example, and Evil Geniuses became Zero-Knowledge Labs, though the support group remained CSIS. Throughout the summer of 2001, in the face of 56,000,000 CAD in losses over 3 years, Zero-Knowledge management decided to radically cut back and reconfigure its product lines. First, they released the rights to the Brands patents. Maintenance of these licenses and patents had cost Zero-Knowledge nearly a million dollars a year, yet Zorkmid at its zenith was merely an unstable Java prototype demoed at a small conference on Financial Cryptography. Not only had the patents returned nothing in revenue, no one could see any longer who would possibly, within the next fifteen years, license and develop them on the scale necessary to justify their maintenance. PRM, the corporate software product, underwent radical revision. Internal prototype development had continued since mid-2000, and by the time the new management team was installed in 2001, a version 0.9 prototype was ready for demonstration to potential clients. This prototype was slide-ware. It involved no code, simply a high level description of the systems architecture. Like Freedom before it, the prototype was developed based on a marketing requirements document (MRD) that was developed with little formal market research or needs analysis. It offered to clients an end to end privacy policy and information management solution which would reduce risk by managing complex linkages among heterogeneous applications and components. PRMs architecture consisted of five components:31 PRML, a privacy rights markup language. This was an XML based language to codify and rationalize privacy policies and privacy practices. It allowed for definition of privacy objects and for declarations specifying the relations among those objects. A set of declarations represented a companys policy. Specifically, [d]eclarations specify that a role can do an operation on a data element for a purpose if certain constraints are satisfied, and can specify that an action should be
31
Hill and Levitan Privacy Rights Management ppt; June 5, 2001:
taken when this occurs and/or that the data element should be subject to transformation before an operation can occur32 a privacy console, which was to act as an interface between the data and the system operators. This console could discover and inventory personally identifiable information, model policy in PRML, and manage and report on database events. a central privacy server, which would execute and monitor all required PRML actions, and report to the privacy console. privacy-aware enforcement agents software agents mediating between the privacy server and specific privacy applications, and the privacy applications themselves. These were to be the actual data management activities, permitting or denying access based on policy, anonymizing, de-identifying and re-identifying data, or pseudonymizing transactions. In summer of 2001, shortly after the arrival of the new management team, the PRM Center was first demoed for a potential client, an event described as a two-day train wreck which left the client stupefied. In reaction, the new senior management took active control of the project, scrapping the MRD inherited from Blind Elephant and starting anew. The new MRD was written only after extensive market research, including meetings with potential clients, and an independently conducted market survey of fifty Chief Privacy Officers (CPOs) working in the target segments. These target segments remained the same the heavily regulated health and financial industries. What emerged from these deliberations was the Enterprise Privacy Manager (EPM), a product of much smaller scope. Unlike the PRM Center, EPM would not interact directly with data flow. Instead, EPM was to sit atop, or along side, site-specific data systems. because these mission-critical database systems were too large, too specialized, and too entrenched to interfere with. EPM would simply be a software tool to internally audit and track information flow, to verify compliance with privacy policies. As Chief Financial Officers had spreadsheets, so CPOs would have EPM. The sole survivor of PRM Center development was the markup language,
32
ZKS Enterprise Product Unit Business Plan Overview (ppt dated 2001, after Hevizi, Weidick, Beans hires
PRML, which became the starting point for the development of a new language specification, EPML. Zero-Knowledge pursued the development of EPML in coopetition with IBM. IBM had been aware of Zero-Knowledges work on the PRM Center, and became interested because they and their subsidiary, Tivoli, had been engaged in a similar project. [djp: verify] According to the Zero-Knowledge project manager, IBM was impressed with the PRM work, and asked to continue collaborative development. Alliance with a powerful partner had, by this time, long been keenly desired by Zero-Knowledge, so they were eager to agree. On the other hand, they were very wary of engaging with such a powerful partner. An integral part of the development strategy then became to establish and defend intellectual property rights in EPML so that IBM could use it, but not own it. To that end, ZKS carefully maintained their legitimacy as a codeveloper with equal IP rights, through legal agreements and carefully scheduled joint public releases. The enterprise product now contained no cryptography at all. In a further and even more radical retreat from its founding vision, Zero-Knowledge decided in August 2001 to pull the plug on the Freedom network. No sales campaigns had been effective neither the attempts to viralize the product within certain consumer market segments, nor the attempts to target early adopters across segments, nor channel marketing, nor corporate sales. The 2002 prospectus suggests that between July 1, 1999 and July 1, 2001, Zero-Knowledge spent nearly 1.5 million CAD on network operations alone, against nearly half a million in licensing fees from Freedom users. Zero-Knowledge simply could no longer afford to operate the network. On October 4, users logging in to Freedom were greeted with a message strongly recommending that they visit a hot-linked URL for a very important announcement regarding the current status and the future of the Freedom network. That announcement read, in part: I regret to inform you that Freedom Premium Services - Anonymous Web Browsing and Private Encrypted Email - will be discontinued as of October 22nd, 2001 This decision was not taken lightly. It reflects the ongoing high cost and limited returns of operating the Freedom Network - the engine that drives the encryption and anonymity process. This is especially true since our customers and partners increasingly
choose to purchase ready-to-use solutions that provide security and safety online - such as personal firewall, password manager and keyword alert - rather than nym-based services. For the past two years we have worked very hard to develop and maintain a sustainable private network and we thank you for all your support of our endeavor.. We share your disappointment and we apologize for the impact this decision will have on your online activities. The timing of the announcement, occurring as it did less than a month after the terrorist attacks on New York and Washington DC, and around the time of the passage of the USA PATRIOT Act, was horrendous. Still, Zero-Knowledge insisted that the attacks, and governments response to them, had nothing to do with the decision to shut the network. That decision had been made in August, before the attacks, and development of Freedom 3.0 had proceeded since then on the assumption of the networks closure. Users, those who had sympathized with the Hills original vision, were terribly upset at Freedoms demise. It seemed another nail in the coffin of political, social, and economic promise. Gone was the dream of running an international network of encryption machines impervious to the FBI. Zero-Knowledge received poems, condolences, and diatribes mourning the passage of Zero-Knowledge into just another Symantec or McAfee. Some customers offered to pay up to three times the regular fees for the Freedom service, but even that came nowhere near making up Zero-Knowledges shortfall. This radical change of direction made sense from an economic perspective. However, it produced crises in relations both within and outside of the company. Zero-Knowledge had to engage in vital attempts to salvage their credibility, which had counted as a powerful asset in Zero-Knowledges first years. The idea of Zero-Knowledge had been built on cryptography, privacy, and really smart people, especially Stefan Brands and Ian Goldberg. Now cryptography was gone, as were Brands and many other great employees. Zero-Knowledge faced an identity crisis as well as a PR challenge. The PR challenge was met by re-defining the notion of credibility. From its inception, ZeroKnowledge had attempted to encompass contradictory publics. They had sought to attract and resonate with the interests of communities of hackers, crypto-anarchists, venture capitalists,
police agencies, policy makers, and financial institutions. But they had also gradually been coming to realize that their most vital alignments were with large, entrenched governmental and corporate institutions, rather than with grass-roots activist movements. They now embraced this realization fully and engaged in strategic rebranding to change their image in the eyes of those who matter, and those who mattered were entities like IBM and American Express. ZeroKnowledge no longer attempted to embarrass big boys to get publicity, as they had when Ian Goldberg developed a hack to access the Intel chips serial numbers. Issue PR ceased entirely, replace entirely by announcements of successful business alliances. Not only did the ZeroKnowledge home page no longer support a privacy news archive, PR assiduously avoided any suggestion that Zero-Knowledge products had political implications. For example, the enterprise database management product had originally been Privacy Rights Manager, because ZeroKnowledge shad then seen privacy rights as a category that they could dominate. Now it was clear that that category didnt exist, nor could Zero-Knowledge create it. Further, the mention of rights was just too activist and advocate-like for their intended clients. So the product became an Enterprise Privacy Manager. At the same time, Zero-Knowledge changed its understanding of itself. Employees who had joined for ideological reasons left for the same reasons. Those who stayed enjoyed a new sense of normalcy and placid humility. Workdays were shorter, more focused and more productive. Daily and weekly cycles recurred. No longer were they trying to create a space. Instead, they were integrating themselves within existing industries. Gradually, a new identity emerged that of a dotcom which had survived. The standards for success were completely revamped. In 1999, the goal was a billion dollar capitalization. By 2002, it had become a positive cash flow. In 1999, the company was to be a visionary thought leader empowering individuals and redistributing social power by providing cryptographic techniques. By 2002, their highest hopes were that the consumer product would run a distant third to Symantec and McAfee, and that IBM would somehow agree to pay licensing fees for Zero-Knowledges enterprise product. Management were pleased and proud at their ability to ride out those tumultuous years. They had met challenges as they arose. In 1999, potential investors had demanded to see the ability to ramp up quickly, to staff the help desk in 10 languages, and Zero-Knowledge had done that. In 2002, investors needed to see austerity and
positive cash flow, and Zero-Knowledge had done that. They had been flexible enough to change their ideas, the focus, direction, and style of their company. And it had paid off. Eventually, the divorce from all of the political dreams with which Zero-Knowledge was initially invested became public and final. In June 2004, Zero-Knowledge spun off the enterprise division into a wholly owned subsidiary called Synomos. The following year, ZeroKnowledges senior management changed the companys name to Radialpoint, specifically to distance themselves from public memories of Zero-Knowledge. This was just the recognition of truly changed circumstances, since the new RadialPoint, whose business offering is to manage subscriber services (such as firewalls, virus blockers and parental controls) for large and mid-size broadband providers, no longer has any products, markets, or goals in keeping with its ZeroKnowledges original incarnation. Summing up And so Zero-Knowledge Systems did not survive as a corporate entity committed to social change through the marketing of software-based pseudonymity services. The Freedom network was to have been the revenue engine for Zero-Knowledges control of the privacy space. But in making design decisions, Zero-Knowledge always chose cryptographic sophistication over empirical economics or ease of use. The network was wildly expensive to operate, and the service was initially slow and buggy. Moreover, it was unclear to the casual user, and even sophisticated users, what one should do with a nym.33 The usefulness of strongly segregated identities was not self-evident, nor was the interface facile enough to support experiment and play. The social problem that Freedom set out to solve was invisible; Freedom was like a seat belt for cars that don't ever crash, [or a] medicine for a disease that no one ever gets. Because privacy abuses happen behind the scenes: not only is one targeted based on personal profiles, one is removed from target audiences based on those profiles. How does one know when one has been denied an opportunity?
33
Phillips ICS
These factors hindered adoption by individuals, and Zero-Knowledge could find no third parties to subsidize or support consumer use. They miscalculated the interests and the power of ISPs, who were not self-consciously political actors. Users didnt choose ISPs according to their politics, nor did ISPs promote themselves as political choices. Interest portals could not be recruited, either; privacy was for their users a peripheral and vague concern. Zero-Knowledges strategy had been to change human behavior on so many levels, to convince people that there was a problem that they didnt perceive; that that problem could be solved by purchasing in a different way that they were used to and using a computer in a different way than theyre used to. They had expected their own fervor to be hailed and shared. Instead, it was greeted with silence. Private credentials and certificates, too, were developed in the context of a market model that proved fantastic. They would have been crucial, and wildly profitable, in a world organized to privilege and value non-identified transactions. They were a faithful child of a grandiose vision the development team could have tackled movie tickets or telephone service payment processing systems as the first application. Instead, they went for e-cash, envisioning a long road to a huge payback, betting that revenue from the Freedom network would support them. Instead, the Freedom network and client faltered, and Zero-Knowledge chose to fall back and protect them, believing that they were necessary vehicles for any future certificate based applications. As the financial situation became more desperate, Zero-Knowledge simply could not spend any money, time, or energy on hopes for the future, and dropped all interest in private credentials. PRM was initiated in response to market forces, as potential adopters approached ZeroKnowledge with their problems. Nevertheless Zero-Knowledge was not able to align its products with the interests of those adopters. First, many potential clients, especially online data collecting and ad serving companies, were in the same market bubble with Zero-Knowledge, and had to drop their pursuit of the problem just as Zero-Knowledge needed their revenue most. Apart from this historical happenstance, though, there were deeper conflicts. Data holders simply had no interest in giving up control of their data. It was their data; they did not recognize that data subjects had any property or moral right in it. Nor were they being forced into recognizing that right by the data subjects. There was no effective consumer demand for
privacy, no apparent competitive advantage to offering it. Data collectors were under some pressure from regulations and laws, but those regulations, where they held at all, permitted data holders either to de-identify information or to obtain consent from the data subject. Collectors were much more interested in pursuing the option of obtaining and managing consent, an application for which for which PRM was overbuilt. The Enterprise Privacy Manager has proved successful within the terms in which it was developed. Zero-Knowledge, after assiduously aiming for integration with the practices of those industries subject to privacy regulation, achieved that integration. They did this, in part, by linking themselves with the power and position of IBM. Recently, as they expected, they entered into an intellectual property suit with IBM.34 This suit represents success a real, resistant relationship with a stable and enduring entity. Despite the market research, and the selling EPM has been difficult. Zero-Knowledge (now Synomos) have had to convince companies that they needed more than a policy and a lawyer. They needed a tool to let that lawyer (or the CPO) discover if practice complied with policy, and EPM was the tool they needed. Nevertheless, they have eventually been able to obtain consensus that, unlike Freedom, EPM addressed a problem for people who will spend money. The problems were real, the target customers were aware of them, and were used to spending money to protect their interests.
34
cite suit docs

ZeroKnowledge The Story

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ZeroKnowledge The Story

Загружено:

Авторское право:

Доступные форматы

Knowing Glances: Understanding Infrastructures of Surveillance

DRAFT ONLY! NOT FOR REVIEW OR CITATION!

David J. Phillips, 8 Sept 05 p. 2

David J. Phillips, 8 Sept 05 p. 3

David J. Phillips, 8 Sept 05 p. 4

cite Rolls Royce reference

David J. Phillips, 8 Sept 05 p. 5

David J. Phillips, 8 Sept 05 p. 6

David J. Phillips, 8 Sept 05 p. 7

elucidate re: silicon valley

David J. Phillips, 8 Sept 05 p. 8

David J. Phillips, 8 Sept 05 p. 9

Levy Wired cypherpunks article; djp diss; Privacy New Landscape

David J. Phillips, 8 Sept 05 p. 10

David J. Phillips, 8 Sept 05 p. 11

David J. Phillips, 8 Sept 05 p. 12

David J. Phillips, 8 Sept 05 p. 13

David J. Phillips, 8 Sept 05 p. 14

cite Brands book

David J. Phillips, 8 Sept 05 p. 15

David J. Phillips, 8 Sept 05 p. 16

David J. Phillips, 8 Sept 05 p. 17

David J. Phillips, 8 Sept 05 p. 18

David J. Phillips, 8 Sept 05 p. 19

David J. Phillips, 8 Sept 05 p. 20

David J. Phillips, 8 Sept 05 p. 21

David J. Phillips, 8 Sept 05 p. 22

David J. Phillips, 8 Sept 05 p. 23

David J. Phillips, 8 Sept 05 p. 24

David J. Phillips, 8 Sept 05 p. 25

David J. Phillips, 8 Sept 05 p. 26

David J. Phillips, 8 Sept 05 p. 27

David J. Phillips, 8 Sept 05 p. 28

David J. Phillips, 8 Sept 05 p. 29

Hill and Levitan Privacy Rights Management ppt; June 5, 2001:

David J. Phillips, 8 Sept 05 p. 30

David J. Phillips, 8 Sept 05 p. 31

David J. Phillips, 8 Sept 05 p. 32

David J. Phillips, 8 Sept 05 p. 33

David J. Phillips, 8 Sept 05 p. 34

David J. Phillips, 8 Sept 05 p. 35

David J. Phillips, 8 Sept 05 p. 36

cite suit docs

David J. Phillips, 8 Sept 05 p. 37

Вам также может понравиться