ZeroKnowledge to Discontinue Anonymity Service

VulgarBoatman writes: "ZeroKnowledge, providers of Freedom.net and Freedom privacy software, have abruptly decided to stop providing anonymous web browsing and private, encrypted, untraceable email for its customers. They give users 7 days before the system is shut down and all untraceable email addresses are disabled. They also say that your "secret" identity may not remain a secret for long." Well, note that that last link is a warning about using the service during the shutdown period, not a warning that they plan to compromise nyms in general. At least they're offering a refund. Update: 10/04 19:00 GMT by M : ZKS has a statement in the comments below.

Bad business model

[Quasar1999]

My question is, how did billing for the service work in the first place?

Umm, account #12344234 owes us $300... but we don't know who it is, or where he lives...

I think their business model didn't work... the collections department had nothing to do...

Re:This is an opportunity

[malkavian]

Secondly, the closing of another anonymity service will make it harder for terrorists to operate on the internet.

But, as just about all the security agencies with a clue keep admitting, terrorists don't use the internet because it's just too insecure.
So closing down all the privacy sites does nothing to hinder the Bad Guys(TM), it just bugs the ordinary guy.

Malk

whew! when I read that, I thought...

holy smokes, when i read that a zero knowledge system was discontinuing anonymity, I thought
that it meant that slashdot was going to stop
posting by AC's!

Easy, no billing

No collections department, you paid in advance for a year's service. If you wanted to ensure anonymity, you could sign up online, get an account number, and write that on an money order. You could also pay by credit card - they claimed to have an internal system to remove the linkage between the payment and the account.

Re:Alternatives?

[matrix0040]

as ppl have pointed out .. one is safeweb.com another alternative is idzap.com

Surprise to the staff as well?

[Pituritus+Ani]

Yesterday, I received the following message in response to questions about upcoming changes in services and offshore servers (emphasis mine):

Date: Wed, 3 Oct 2001 09:56:46 -0400 (EDT)
From: InfoReplies@zeroknowledge.com
To: @freedom.net
Subject: Ref: "New anonymous browsing service"

Hello,

Thank you for your interest in Freedom. Currently, we are unable to release specific details about our upcoming privacy services; I wish I could provide you with more information. :(

As for the servers, the upgrades should be completed shortly, and more servers should appear on the network. We apologize for the inconvenience.

Regards,

Freedom Support Team

Have a question? Looking for answers? Visit our Knowledge Center for up-to-date solutions to common problems.
http://www.freedom.net/support/knowledge.html

Lets have a US government anonymizing service

[DumbSwede]

I will probably get flamed for this one, and I must admit my views on privacy and security are in flux right now.

It seems to me the government should offer a free anonymizer service, with the proviso that detection of verifiable illegal activities transacted through same would lead to the immediate disclosure of the sender's identity (or at least location) to the appropriate legal agency. Private anonymizer services should not be allowed (at least within US borders).

This would then be a way for whistle blowers and others not engaged in illegal activities to easily, and with better legal shielding, submit their disclosures or air their personal political views. Mailing death threats, circulating child pornography, arranging for killings, or setting up drug drops shouldn't have any kind of guarantee of hiding the sender's identity.

I can already hear the big sucking sound from civil libertarians -- "HOW CAN YOU POSSIBLY TRUST THE GOVERNMENT WITH THIS?"

It would seem trusting private individuals with this isn't much better (and the government gets what they want eventually anyway). Perhaps using a private anonymizing service shouldn't imply that someone has something to hide, but in the minds of many, it does.

Being intractable on this issue will hurt the IT community more in the long run, because it closely associates it with the ability to conduct illicit and untraceable activities. I am more worried about being being prevented from using cryptography, or being forced to register the keys with a government agencies. Here is where the battle should be fought, because it will lead to the real government oversight of the flow of sensitive information.

Yes this probably comes as result of 9-11-2001. Stop burying your heads in the sand and telling yourselves the world isn't any different now.

Re:Lets have a US government anonymizing service

[swordgeek]

"Stop burying your heads in the sand and telling yourselves the world isn't any different now."

I take offense to this remark. The world isn't really any different now than it was a month ago, and my saying that isn't an indication of me "burying my head in the sand." The only real difference is that some of you (mostly in the US) have pulled your heads _out_ of the sand and started to realise what's going on in the world.

As for your idea of a government run anonymizer service, there's just one problem: It won't work! It's exactly like banning secure encryption in the US now--the genie is already out of the bottle, and you can't put it back in. Criminals will always find ways around security, surveillance, and general watchfulness. By forcing bcakdoors on systems, you're only affecting (persecuting, in fact) the law-abiding citizens who will use them.

Re:Lets have a US government anonymizing service

[DumbSwede]

Well the flow of responses is as predicted, I expected this would be flamebait.

The general consensus seems to be
GOVERNMENT == BAD
Personal rights to do anything electronically and have it hidden and undecipherable == GOOD

Wake up.
You people are not helping. If you want to hold onto reasonable rights, you have to offer reasonable, effective alternatives that still allow us stop and catch the bad guys.

I choose not to believe the US government is essentially evil. I choose to believe the US government has improved its stance on human rights in general, effectively and steadily over the last 200 years. I choose to believe there are truly evil men out there that would do America harm. I believe the majority of you online rights complainers are spoiled pampered brats that have never had to sacrifice the least little thing in your lives, and don't understand that we have to help find solutions to the problems caused by unintended side-effect our electronic age has brought us.

Web surveillance and the new anti-terror law

[Everyman]

The liberals in Congress think they're sounding like civil
libertarians with their new, modified stand on Internet
surveillance. They say that the authorities should be allowed
warrantless taps to find out where you surfed, but not what you did
once you got there. The FBI has a right to know that you went to
Amazon, for example, but without a warrant they don't have a right
to know what books you bought. The legal distinction here is from
the old days: a "pen register" would record the number you dialed,
but not the conversation itself, and therefore qualified for a
looser legal standard.

But pundits don't realize that 99 percent of your Web activity can
be reconstructed from the Web's equivalent of "pen register"
information. The search terms you enter into search engines are
attached to the address itself. Do you believe that the FBI will
want this portion of the URL excluded simply because they don't
have probable cause? If and when the NSA is authorized to monitor
the backbone, do you expect that they will chop off the URL at the
question mark, so that this information is kept out of their
keyword-analysis supercomputers? Not likely.

My reading of the provisions of the new Anti-Terrorism Act of 2001
suggests that a single, one-time certification by a federal
law-enforcement official that such information is needed in a
criminal investigation, without any showing of probable cause, is
enough to require a court to issue an order allowing a pen-register
tap on any Internet service provider presented with the order,
throughout the entire U.S. The definition of this "pen-register or
trap and trace device" information has been expanded for the
Internet. It now includes "other dialing, routing, addressing, and
signaling information reasonably likely to identify the source of a
wire or electronic communication (but not including the contents of
such communication)."

For example, some federal official could conceivably serve Google,
or any other search engine, with a court order demanding log
information for all those who searched for particular persons or
particular combinations of search terms. The "query strings"
consisting of the users' search terms are, in all standard HTTP
server logs, included along with the user's domain or IP number.

One hopes that search engines would be inclined to challenge such
an order. But we may never know, because if they decide to
cooperate with the new law, their public relations office won't be
announcing this. The bottom line is that the phrase, "but not
including the contents of such communication," might be useful for
excluding the body of e-mail messages, but is mostly irrelevant for
Web surfing. This poor wording in the new law may mean that search
engines can no longer claim privacy at any level.

If someone wanted to redesign the entire Web for the express
purpose of surveillance, they couldn't do a better job than what we
already have. The profile that could be compiled if one had a list
of all the Web sites you visited, or all the search terms you've
used on Google, would be very revealing. The latter scenario is
more worrisome, because the former scenario, short of a
comprehensive backbone tap, would imply an order served locally at
your own ISP. You'd almost have to be pre-targeted by the
authorities. But a tap on a general search engine would amount to a
global sweep for information. Google currently gets about 110
million searches every day, most of which are from outside the U.S.
It would be tempting for the feds to monitor this traffic.

SAFEWEB has Javascript, CIA problems. Cool though

[billstewart]

Safeweb is one of several anonymizing services, of which the first well-known one was www.anonymizer.com. There are a couple of serious problems with it, one technical, one trust-related. On the other hand, Triangle Boy is really cool.

The technical problem is that their service uses Javascript, and doesn't work if you're not running Javascript. That means that any time you're using the system, you're vulnerable to any other JS problems on any other web page your browser encounters, until you turn JS back off. IIRC, Safeweb does attempt to clean up JS and other dangerous stuff from pages it displays to you, but it's still a risk. Also, I'm not that impressed with their Javascript, though I'm not an expert on the stuff - my problem was that under Mozilla ~0.91, they pop up windows to do the secure browsing in, and they're not really quite the shape of my screen, though that could have been Mozilla's fault. I sent email to the Safeweb folks about the fundamental "You're using Javascript" problem, and got a really prompt reply from their technical management, which was good, but they fundamentally didn't get it, which bothered me.

The other problem is trust - in general, you always need to be concerned about whether a service like this is trustable, both because of the intent of the people running it (are they ratting you out to somebody) and the security of their systems (if their server is 0wned by CrackerZ, you're not secure.) As I mentioned, Triangle Boy is really cool - it's a sort of distributed set of volunteer-run anonymizing servers, which keep moving around to prevent blocking services from blocking them, and Safeweb announced that they were going to be using this to provide censorship-free web access for people in China, the Middle East, and other places with censorship problems. The catch - they've got funding from In-Q-Tel, the CIA venture fund. It's probably entirely legit, and certainly good enough for most purposes - but how paranoid you need to be depends on who's really out to get you. ZeroKnowledge was very upfront about what their trustability levels were (plus I knew the folks there, and they were well-connected to the cypherpunks community.)

Re:Shaver

[Mike+Shaver]

I think I left ZKS several months back (on good terms, etc., etc.).

I think that Hamnett's message says it all (they couldn't afford to keep operating the network, because of that traditional operating-cost-vs.-revenue balance).

I think that gov't pressure -- should any have actually existed; I don't recall much such pressure from when I was there -- had nothing to do the decision.

I think they picked a very hard market nut to crack, and chose a very high bar for the level of security and privacy they were going to provide.

I think the market didn't share their (our) enthusiasm for that level of service, perhaps unfortunately.

I think a lot of people have talked here and elsewhere about how the Freedom network could have been done better, from technology or marketing or whatever perspectives...

...but I think nobody has done a better job so far of that type of network service.

I think they've learned a _lot_ about protecting privacy and helping other people and organizations protect privacy.

I think there's a market for that knowledge, and good applications of it.

I think they're going to be OK.

I think you shouldn't really care what I think.

(I think Craig's still a dork.)

Instant paranoia doesn't solve problems...

[Sonicboom]

Closing an anon remailer or anon web proxy is not going to stop terrorism. Neither is putting backdoors into encryption schemes, or making National ID cards that people will be required to carry. They are great deterrents tho.

Before the internet there was terrorism... and unfortunately terrorism will continue.

A step in the right direction would be tighter immigration laws. Better security on flights, and letting the millitary do their job (no more bullshit police actions).

But closing down a remailer or web proxy won't stop anything. It's paranoia. Why can't the terrorists set up their OWN anon remailers or proxies. Hell they could revert to using RFC1149 technology with a Honeycomb Cereal invisible ink pen....

Paranoia does not solve problems...

No Great Loss (Spam, Piracy, Harassment, etc.)

[Nova+Express]

There was once a time when anonymous remailers served a purpose on the net, and where the people using them were as or more likely to contribute something to the online community as any others.

Sadly, I think that time has now passed.

On most of the Usenet groups I frequent (which, of course, is merely the tiniest fraction of those available), the people using anonymous remailers seem to be overwhelmingly: A.) Spammers, B.) Jerks who contribute nothing to the group and who cower behind anonymity for the sole purpose of flaming others free of consequences, and C.) People who not not only pirate intellectual property, but who spam newsgroups with it to show everyone how big their virtual Warezzz penis is. For example, a couple of months ago, someone spammed rec.arts.sf.written with hundreds of badly OCRed SF novels and stories, including some by people who are by no means rich.

Frankly, the people with the most urgent need for legitimate use of anonymous remailers (i.e., those in communist or otherwise oppressive countries where there is no freedom of the press) are the ones who either can't get to them anyway, or whose governments have so much of the system tapped that it would be easy to track them down.

While there are still some legitimate uses for anonymous remailers (Scientology whistle-blowers, for example), the jerks and spammers seem to outweigh legitimate uses about 100 to 1. Thus I see no real cause to mourn their passing. I wish that it were otherwise, but we must deal with the world as it is, not as we wish it were.

Re:Ian Goldberg, Bruce Schneier & Whitfield Di

[Ian+Goldberg]

Believe me, no one is more disappointed about this than I am, but right now there simply isn't enough market buy-in on the premium services to justify the network's operating costs. :-(

As a business, we are focusing on the product that customers and partners want. Here's an official Zero-Knowledge Systems statement on the matter:

With the release of Freedom 3.0 and the discontinuation of the Freedom Network (our anonymous browsing and encrypted pseudonym service) there have been a number of questions for more details about the decision to stop offering the Freedom Network services. Hopefully this will help clarify things.

When we released Freedom 1.0 close to 2 years ago we saw a significant percentage of our users subscribe to the premium Freedom Network services. This was anticipated as our early adopters were very privacy and technology aware and had expressed strong interest in the Freedom Network offering.

As we began to increase the distribution of Freedom into the mass market with the release of Freedom 2.0 & 2.2, we saw a disproportionately high percentage of users who subscribed to the standard features (and not Freedom Network services). The initial interest in the premium (FN) services amongst our early adopters simply didn't carry over to the mainstream and as our user numbers grew, we began to realize that the market was looking for the kind of features we are now offering in Freedom 3.0.

As we began our feature triage for Freedom 3.0 (almost 9 months ago) we heard from customers and focus groups of users, as well as channel partners, and reflected on the statistics from our existing user base, and decided that there was not enough mass market demand for the premium services to justify continuing the service.

This was entirely a market related decision. The market demand for consumer Internet security and safety tools has grown considerably in the 4 years our company has been in business. Freedom 3.0 is a strong competitor to security offerings from companies such as Symantec and McAfee and we have gotten very positive market support and a warm reception from channel partners to this new version of our suite of privacy and security tools.

There has been speculation that this decision was somehow related to government pressure or was made in the wake of the tragedies of September 11. This is simply untrue. For the past 3 months we have been beta-testing this version with partners, getting certification from Microsoft for our drivers and completing our Alpha and Beta cycles with our beta users. Support for the Freedom network offering was removed from the client code base well before the recent tragedies of September 11.

Our research team is continuing work in the area of privacy enhanced network protocols, and we are open to any suggestions the research community offers on how we can leverage the work that went into the Freedom Network design and operation to advance this area of computer science. If you have suggestions or interest in this, please contact us at corporate@zeroknowledge.com.

Zero-Knowledge continues to offer our consumer protection utility Freedom 3.0 and we are very excited by the prospects for this product. We also have a division that is addressing the market need of enterprise privacy technologies that stem from managing consumer data that require strong security and policy frameworks to adhere to privacy regulations and customer preference management (Healthcare; Financial and other consumer data that is subject to new security, privacy restrictions relating to legislation like HIPAA, GLB, PIPEDA, EU privacy directive).

Our company continues to evolve and focus our efforts on market needs and customer demands and we remain very confident of our prospects in these markets.

Re:Sealand will be next

[rdl]

ZKS ended Freedom because it doesn't make money for them; they rightly have shifted their focus to a somewhat better business model. I think ZKS was from the beginning a bit overly cypherpunk and not enough pragmatic business; it's widely known end-users DO NOT pay for privacy or anonymity and usually not for security. They are rightly focusing on what their major clients want. If the markets were doing better, ZKS could have continued subsidizing the Freedom network, and maybe more applications could have been built on top of it, but this is commercial reality -- they need to turn a profit ASAP.

HavenCo (the datacenter on Sealand) has *always* been focused on business clients, and selling services to people who receive bottom line benefits from HavenCo hosting -- a lot of our clients are chosing us at USD 1500/month where the only alternative is traditional central american offshore at USD 15k/month. That's why we have been profitable since 4 months after we started general sales. We're on-track with expansion plans, both in terms of physical sites, and related business offerings.We don't even offer a consumer web hosting or mail option because it just doesn't make money. You can feel free to criticize us for being mercenary, but that's why we'll be in business in 10 years, and companies which in effect subsidize consumer security offerings will probably not. In a recessionary market, products which can provide 1 for 1 substitution at a dramatic and immediate cost savings do well; we've had if anything an uptick since the summer.

(interestingly, at least one member of the press also claimed HavenCo would be out of business; this was in December 2000 if I recall correctly.)

Regardless of people of questionable impartiality or competence from cyberia-l, the fact is Sealand's legal claims have withstood more than 30 years of challenge by other governments; every lawyer who has written an opinion, including numerous professors of law, has recognized this, and there is substantial documentation from various government agencies, in the UK and other nations, to support.
It has always been clear that the true threat to security and privacy companies is market demand; followed perhaps by internal execution. Any threat of government action is so remote that if a company gets to the point where the government DOES shut them down, they've already won. The majority of the p2p systems in the US were forced to shut for commercial reasons (scour, aimster, etc.). Only a few of the most successful were challenged in court, and their failings were after the initial challenge primarily due to execution and lack of a real way to extract revenue, not action by the MPAA or RIAA.

That being said, I'm more than happy to run a Freedom server; I already run a mixmaster remailer (which is fairly similar technology), and there have been absolutely no serious complaints or difficulties. I know several of the executives at ZKS, and I'm sure they'll do the right thing. ZKS has always had a lot of support within the security and privacy community; they were started by and hired some of the best people, and developed technology which made no compromises on security. I'm sure their business and consulting offerings, as well as their remaining optimized client software, will do well.