ZeroKnowledge to Discontinue Anonymity Service
VulgarBoatman writes: "ZeroKnowledge, providers of Freedom.net and Freedom privacy software, have abruptly decided to stop providing anonymous web browsing and private, encrypted, untraceable email for its customers. They give users 7 days before the system is shut down and all untraceable email addresses are disabled. They also say that your "secret" identity may not remain a secret for long." Well, note that that last link is a warning about using the service during the shutdown period, not a warning that they plan to compromise nyms in general. At least they're offering a refund. Update: 10/04 19:00 GMT by M : ZKS has a statement in the comments below.
Yesterday, I received the following message in response to questions about upcoming changes in services and offshore servers (emphasis mine):
:(
Date: Wed, 3 Oct 2001 09:56:46 -0400 (EDT)
From: InfoReplies@zeroknowledge.com
To: @freedom.net
Subject: Ref: "New anonymous browsing service"
Hello,
Thank you for your interest in Freedom. Currently, we are unable to release specific details about our upcoming privacy services; I wish I could provide you with more information.
As for the servers, the upgrades should be completed shortly, and more servers should appear on the network. We apologize for the inconvenience.
Regards,
Freedom Support Team
Have a question? Looking for answers? Visit our Knowledge Center for up-to-date solutions to common problems.
http://www.freedom.net/support/knowledge.html
Another proud carrier of the $rtbl flag
It seems to me the government should offer a free anonymizer service, with the proviso that detection of verifiable illegal activities transacted through same would lead to the immediate disclosure of the sender's identity (or at least location) to the appropriate legal agency. Private anonymizer services should not be allowed (at least within US borders).
This would then be a way for whistle blowers and others not engaged in illegal activities to easily, and with better legal shielding, submit their disclosures or air their personal political views. Mailing death threats, circulating child pornography, arranging for killings, or setting up drug drops shouldn't have any kind of guarantee of hiding the sender's identity.
I can already hear the big sucking sound from civil libertarians -- "HOW CAN YOU POSSIBLY TRUST THE GOVERNMENT WITH THIS?"
It would seem trusting private individuals with this isn't much better (and the government gets what they want eventually anyway). Perhaps using a private anonymizing service shouldn't imply that someone has something to hide, but in the minds of many, it does.
Being intractable on this issue will hurt the IT community more in the long run, because it closely associates it with the ability to conduct illicit and untraceable activities. I am more worried about being being prevented from using cryptography, or being forced to register the keys with a government agencies. Here is where the battle should be fought, because it will lead to the real government oversight of the flow of sensitive information.
Yes this probably comes as result of 9-11-2001. Stop burying your heads in the sand and telling yourselves the world isn't any different now.
Letter To Iran
The technical problem is that their service uses Javascript, and doesn't work if you're not running Javascript. That means that any time you're using the system, you're vulnerable to any other JS problems on any other web page your browser encounters, until you turn JS back off. IIRC, Safeweb does attempt to clean up JS and other dangerous stuff from pages it displays to you, but it's still a risk. Also, I'm not that impressed with their Javascript, though I'm not an expert on the stuff - my problem was that under Mozilla ~0.91, they pop up windows to do the secure browsing in, and they're not really quite the shape of my screen, though that could have been Mozilla's fault. I sent email to the Safeweb folks about the fundamental "You're using Javascript" problem, and got a really prompt reply from their technical management, which was good, but they fundamentally didn't get it, which bothered me.
The other problem is trust - in general, you always need to be concerned about whether a service like this is trustable, both because of the intent of the people running it (are they ratting you out to somebody) and the security of their systems (if their server is 0wned by CrackerZ, you're not secure.) As I mentioned, Triangle Boy is really cool - it's a sort of distributed set of volunteer-run anonymizing servers, which keep moving around to prevent blocking services from blocking them, and Safeweb announced that they were going to be using this to provide censorship-free web access for people in China, the Middle East, and other places with censorship problems. The catch - they've got funding from In-Q-Tel, the CIA venture fund. It's probably entirely legit, and certainly good enough for most purposes - but how paranoid you need to be depends on who's really out to get you. ZeroKnowledge was very upfront about what their trustability levels were (plus I knew the folks there, and they were well-connected to the cypherpunks community.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I think I left ZKS several months back (on good terms, etc., etc.).
I think that Hamnett's message says it all (they couldn't afford to keep operating the network, because of that traditional operating-cost-vs.-revenue balance).
I think that gov't pressure -- should any have actually existed; I don't recall much such pressure from when I was there -- had nothing to do the decision.
I think they picked a very hard market nut to crack, and chose a very high bar for the level of security and privacy they were going to provide.
I think the market didn't share their (our) enthusiasm for that level of service, perhaps unfortunately.
I think a lot of people have talked here and elsewhere about how the Freedom network could have been done better, from technology or marketing or whatever perspectives...
...but I think nobody has done a better job so far of that type of network service.
I think they've learned a _lot_ about protecting privacy and helping other people and organizations protect privacy.
I think there's a market for that knowledge, and good applications of it.
I think they're going to be OK.
I think you shouldn't really care what I think.
(I think Craig's still a dork.)