ZeroKnowledge the Story (2)
Knowing Glances: Understanding Infrastructures of Surveillance
Chapter 2
From Freedom to the Management of Privacy Policy:
A Case Study of Identity and Identification in the Surveillance Process
David J. Phillips Associate Professor of Radio-Television-Film
University of Texas at Austin [email protected]
8 September 2005
DRAFT ONLY! NOT FOR REVIEW OR CITATION!
Knowing Glances, Ch 2 “From Freedom to…” David J. Phillips, 8 Sept 05 DRAFT ONLY! NOT FOR CITATION OR REVIEW! p. 2
From 1997 until 2001, Zero-Knowledge Systems (Zero-Knowledge), a company based in
Montreal, Canada, developed and marketed an identity management program called Freedom.
Freedom was, at heart, an online pseudonymity service. It enabled users to adopt persistent,
unlinkable pseudonyms and to choose among them each time they used internet services,
including e-mail or web browsing. Each pseudonym, or “nym,” became a unique entity. Each
nym could be identified, and its actions monitored and analyzed. But the identity of the nym
could not be linked to the identity of the nym’s owner, and the actions of each nym could not be
linked to the actions of the other nyms, nor to the actions of the nyms’ owner.
The market model and the technical design of Freedom were informed by certain
ideological understandings of the relation of technology, individuality, governments, and
commerce, and Zero-Knowledge’s founders were able to harness hype, money, and talent to
embody that ideology within a complex consumer product, an international data network, and a
250-employee company. However, Zero-Knowledge was unsuccessful in its attempts to actually
sell Freedom to users. Surprised, the company’s leaders decided that in order to create profits,
attract investment, and survive as a company, they would develop a radically different privacy
product, intended to help privacy officers within companies track the flow of information held by
the company, and so to monitor compliance with local and international privacy regulations. In
2001, the Freedom pseudonymity service was discontinued. The corporate information
management product is still offered.
This chapter chronicles the strategies and tactics of Zero-Knowledge as they negotiated
these changes. In order to emphasize the ideals toward which Zero-Knowledge was striving, it
begins with a snapshot of the company at the height of its vision and promise. It then backtracks
to give a more chronological narrative of the context and actions that led toward and away from
that zenith. During those few years, Zero-Knowledge undertook development of a number of
identity or privacy services. The chapter concludes by considering each of those products as a
potential resource in the negotiation of social identity. It discusses the way that each was
potentially useful in mediating social power. By comparing the development and relative success
of each, the paper offers insights into the processes by which power relations are entrenched in
technical systems, particularly information and communication systems. 1
Zero-Knowledge in early 2000: a snapshot of promise
This section is a snapshot of Zero-Knowledge’s operations during early 2000, when Zero-
Knowledge was at its height. It had more employees than at any other time, and its vision was as
expansive and hopeful as it ever had been, or ever was to be.
In early 2000, Freedom was Zero-Knowledge’s flagship product. Freedom, from the user’s
perspective, was described briefly above. For about 50 USD a year, the user would subscribe to
the Freedom service. That subscription would allow the user to establish and use up to 5 nyms.
Before logging on to the internet, or sending e-mail, the user would choose which nym she
wanted to appear as. For example, one might have established one nym for one’s professional
persona, another for one’s casual persona, another for engaging in online sex, and yet another for
engaging in political activities. So, in logging on, one might choose among the nyms DrPhillips,
djp, Corky, or Che. While logged in as DrPhillips, all e-mail would appear to come from
[email protected]. Likewise, when logged in as Corky, mail would appear to come from
[email protected]. Although recipients could respond seamlessly to this e-mail, no one – not
the recipient, not the sender’s or the receiver’s internet service provider (ISP), not the internet
backbone providers, not even Zero-Knowledge itself – could determine who actually had sent the
e-mail. It was impossible even to determine that mail from Corky came from the same person as
mail from Che.
This strong pseudonymity was implemented by sending every IP packet through a remailer
network – a sequence of anonymizing servers. The Freedom software residing on the user’s
computer (the “client”) would encrypt each packet in layers and forward it to the first server.
That server would decrypt one layer of the packet, revealing the identity of the next server in the
sequence, to which the packet would be forwarded. That server would decrypt the next layer of
1 Notes on method; interviews, access to documents, review by principals. quotes and Canadian dollars
the packet, revealing the next server in the chain. This would continue until the last server in the
chain forwarded the packet to its final destination. Only the first server saw the origin of the
packet; only the last server saw its destination. Traffic coming in to a server could not be
correlated to traffic leaving the server. Thus this networked “cloud” of servers effectively
disguised both the route and the content of messages. The route was chosen not by any central
server, but by the client software on the user’s machine.
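The layered forwarding described above, as an added example that is not part of the original chapter and is not Zero-Knowledge's code. It assumes one pre-shared symmetric key per server, uses a toy SHA-256 keystream plus HMAC as a stand-in for a real cipher, and the server and destination names are constructed.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one server key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode). Illustration only.
    blocks = [
        hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one layer for the holder of `key`."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; fails if the layer was sealed for a different server."""
    if len(blob) < 48:
        raise ValueError("layer too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this server")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def build_onion(route, keys, destination: str, payload: bytes) -> bytes:
    """Client side: the client picks the route and wraps the packet innermost-first."""
    next_hop, body = destination, payload
    for server in reversed(route):
        layer = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        body = seal(keys[server], layer)
        next_hop = server
    return body


def peel(key: bytes, blob: bytes):
    """Server side: decrypt one layer, learning only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])


def relay(origin: str, first_server: str, keys, onion: bytes):
    """Walk the packet through the network, recording what each server can see."""
    observations = []
    sender, server, blob = origin, first_server, onion
    while server in keys:  # stop when the next hop is not one of the relay servers
        next_hop, inner = peel(keys[server], blob)
        observations.append(
            {"server": server, "received_from": sender, "forwards_to": next_hop}
        )
        sender, server, blob = server, next_hop, inner
    return observations, server, blob


if __name__ == "__main__":
    # Constructed sample network: three relay servers run by different operators.
    route = ["isp-a.example", "isp-b.example", "isp-c.example"]
    keys = {name: os.urandom(32) for name in route}
    onion = build_onion(route, keys, "www.example.org", b"GET / HTTP/1.0")
    seen, destination, payload = relay("client", route[0], keys, onion)
    for view in seen:
        print(view)
    print("delivered to", destination, "payload", payload)
```

No single entry in the recorded observations contains both the client and the final destination, which is why tracing a message requires every operator on the path.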
The network servers were not operated by Zero-Knowledge. Instead, their operation was
contracted out to numerous ISPs. This decentralization and distribution of the operation of the
servers was essential to the security of the network as a whole. In order to corrupt the system
and trace the route of a message, an eavesdropper would need to gain the cooperation of the
operators of all the servers in the message’s path. Ideally, those operators would be located in
different political jurisdictions, and would have different political and economic motives for
sustaining the network. The whole, then, and thus each message, would be secure from warrants
and other forms of persuasion from any particular jurisdiction.
The 50 USD per annum subscription fee was intended not only to support the operation of
the network and to generate profits, but also to support research and development of other
privacy services. Zero-Knowledge’s ambitions for these services were vast. They intended not
merely to offer a profitable online pseudonymity service, but to control “the privacy space.”
This “space,” as a construct, was used to attract investors, who were wooed with promises not
merely of a new product, but of a new market, a new industry. The privacy space would be huge;
it would touch everything. And Zero-Knowledge intended to dominate that space like ATT
dominated telephony. Or, more humbly, like Dolby dominated hi-fi noise reduction systems.
One Zero-Knowledge founder explained the analogy: in the 1970’s, no one really knew what
Dolby did, it had no competitors, it operated invisibly, but one would never buy a tape deck
without a “Dolby” sticker on it. Likewise, in the first decade of the millennium, every internet-
enabled device – cell phones, refrigerators, DVRs, TVs – would have a “Zero-Knowledge”
privacy label.
Zero-Knowledge had conceptually mapped this space along three dimensions of identity,
network, and commerce. These axes laid out the essential attributes of privacy. Securing private
identity made it impossible to determine “who” an actor was. Securing a private network made
it impossible to determine “where” an actor had been or with whom she was interacting.
Securing private commerce made it impossible to track the economic activity of any individual,
identified or not. These axes helped structure Zero-Knowledge’s narrative of itself. They guided
strategy as Zero-Knowledge developed not only the Freedom service (identity) but also the
anonymizing cloud (network) and an anonymous electronic cash product (commerce). They
helped Zero-Knowledge form a coherent identity to present to investors, analysts, and the press.
At the time, the privacy space was merely an ideal. There were no institutions occupying or
articulating it, no flow of money through it. And money was necessary to bootstrap the space –
to create and dominate it. That money was to come in part from subscriptions to Freedom, but,
more importantly, from investors. In early 2000, Zero-Knowledge’s strategy consisted in large
part of wooing those investors. They had significant resources to deploy in that courtship. Those
resources included cutting-edge and fundamental technologies. Freedom was widely
recognized as the sine qua non of online anonymity2. The user interface may have been clunky
and slow, but the degree of privacy it offered, the inviolability of the underlying cryptography,
was generally recognized as state-of-the-art. Zero-Knowledge also controlled a set of basic
cryptographic patents potentially applicable to a vast range of online transactions.
Zero-Knowledge also enjoyed, and deployed, credibility and recognition, especially among
cryptographers and privacy activists. They reveled in “hot press.” One of the founders, Austin
Hill, seemed to be involved in every public discussion of internet privacy. He appeared in a panel
before the U.S. Congress, in a CBS 60 Minutes feature, and in countless articles in the
specialized and general press. Zero-Knowledge was a highly visible co-sponsor of the 2000
Computers, Freedom, and Privacy Conference, arguably one of the most prominent and
important international venues for discussions of the intersection of information technology,
policy, and civil rights.
Investors were also wooed with the possibility of changing the world while getting rich.
Freedom, and Zero-Knowledge’s hoped-for control of the privacy space, overtly embodied a
2 cite “Rolls Royce” reference
techno-libertarian ideology. The “techno” of “techno-libertarian” referred to cryptographic
technique. Cryptography was fundamentally important to Zero-Knowledge’s products, to its
ideology, and to its corporate identity. The very name of the company was both an homage to
cryptography (a “zero-knowledge proof” is a standard cryptographic protocol3) and a promise of
a specific relation between the company and its clients (Zero-Knowledge would know nothing of
its clients – not even who they were). No one need trust Zero-Knowledge to protect privacy;
one need only trust their software. And that software was to be open to inspection. One could
look at the code to see what it could or couldn’t do, what Zero-Knowledge could or couldn’t
know.
Their commitment to cryptographic technique was an extension of the founders’ libertarian
ideology. Zero-Knowledge perceived that the internet, by facilitating the availability of data
about individuals, relocated power to corporate and state collectors of data. It enabled a world
where your refrigerator could rat on you to your insurance company, automatically reporting
your consumption of beer, or eggs, or heavy cream.4 This threatened not only the autonomy of
the individual, but social progress – creativity, diversity, mutation, and evolution. But
individuals, given the tools of strong pseudonymity and untraceable economic transactions, would
challenge the powers both of governments and of entrenched corporate behemoths. Freedom,
and other privacy products, would allow individuals to retain control of their personal
information, to defend their entitlement to that data, to monetize it, to use their identity as capital.
Freed of the organizing oppression of both states and big business, cyberspace would blossom as
a capitalist utopia.
3 A zero-knowledge proof permits someone to prove that they possess certain information without revealing the information itself. Briefly, a challenger poses a series of questions, which the claimant can only answer correctly if she possesses the information she claims to possess. The cryptographic problem is to establish a set of questions which everyone can agree can only be answered with access to the secret information, whose answers can be verified without access to the secret, and whose answers don’t reveal the secret itself.
4 The “internet-enabled refrigerator” was an odd trope of this era. Futurists hyped the image of a busy worker, logging into his (or more likely, in this case, her) refrigerator from work, and checking its contents (one would scan the bar codes of each product when loading or unloading the fridge) before placing an order with an online grocery.
The degree to which Ayn Rand-ian crypto-libertarianism imbued Zero-Knowledge can be
seen in a series of print ads developed in early 2000. These glossy 2-page ads were placed in
business and industry periodicals such as Fortune, Forbes, The Industry Standard, and Wired.
They were intended primarily to attract investors, and only secondarily to spur consumer sales.
Each of three ads featured a photograph of a single individual against a vast landscape, and each
individual’s body was stamped with a bar code. To the side, the text read “I am not a piece of
your inventory. … I am an individual and you will respect my privacy. … On the Net, I am in
control.” There were three different ads, three different photos, and three different bar codes.
When concatenated and translated from the hexadecimal, the bar codes read “Who is John
Galt?,” a classic phrase from Rand’s Atlas Shrugged. While the messages were originally
intended as an “in-joke” to other crypto-libertarians, Zero-Knowledge quickly decided to
disseminate the image, revealing the message in various mainstream press stories.
Libertarian politics’ valorization of the individual also informed Zero-Knowledge’s market
model. Freedom was designed to be adopted and used by individual consumers. It was these
masses of individual Freedom users that would instigate global changes. Yet Zero-Knowledge
was aware that they, as a company, had to be vital and savvy in order to support that mass
adoption. Zero-Knowledge had to succeed as a business before they could have any political
effect. And so they constantly negotiated the tension between their identity as sensible and
fiscally conscious business people and their identity as radical political activists. The goal of
changing the world was always coupled with the goal of being a successful business.
Zero-Knowledge displayed its promise to potential investors not only in the quality of its
technology, but in the quality of its work force (who, of course, were producing the technology).
In its heyday, Zero-Knowledge was a fabulous place to work, in large part because of the quality
of the staff. During interviews, employees over and over again marveled that their co-workers,
the people they brushed elbows and chatted with every day, were “very, very smart,”
“visionary,” and “tops in their fields.” A significant number had stellar reputations outside of
Zero-Knowledge, especially in the cryptographic research and privacy policy communities.
Others were simply, down the line, competent, smart, and stimulating to work with.
The founders, Austin and Hamnett Hill and their father, Hammie, themselves were
“amazing in terms of visionary, smart business.” They had “their head in the right place, their
goals in the right place, and their views on how a company should run and how employees
should be treated all in the right place.” For many, Zero-Knowledge was the best company in
Montreal. It had been written up in the local press for its “Valley” feel5 – employees brought
their dogs to work, the company provided masseurs, cappuccino machines, and laundry service.
From the start, excellent employee relations were essential to the company’s identity. They hired
one human resources administrator for every 15 employees, when the industry standard was one
administrator for every 100 employees.
Moreover, their “articulated vision of how to change the world … didn’t sound crazy, out
there, or impossible.” Zero-Knowledge was cool, it was hot, it was thrilling. It was “Canada’s
shot at some actual fame.” The opportunities seemed endless. If Zero-Knowledge were to be
successful, it would be “radically successful, wildly successful.” It could change the world, as
Apple had, and Netscape. There was an air of daring, irreverence, humor, and fun. Departments
were given playful names, often mocking national security or police agencies. Customer Service
and Information Support was abbreviated as “CSIS,” which was also the acronym for the
Canadian Security Intelligence Service. Network Support and Administration became “NSA,” an
acronym shared with the U.S. National Security Agency. The R&D group was referred to
internally as “The Evil Geniuses.”
In retrospect, this may seem an example of the “irrational exuberance” characteristic of the
dot-com bubble. But at the time the fantasies seemed not out of keeping with the facts. It was
the height of the internet boom; fortunes really were being made. Moreover, privacy was a
salient media issue, and privacy activists seemed actually to be having an effect on corporate
and governmental activities. PGP, a program to protect e-mail with strong encryption, had
become available for general use, over strong governmental objections, through the efforts of
individual activists backed by academic institutions. In the mid 1990’s, activist cryptographers
had aligned with telecommunication companies, forcing the federal government to back off of
5 elucidate re: silicon valley
plans to require the escrow of cryptographic keys used for secure telephony.6 Popular outrage
had convinced Lotus to withdraw a product that published people’s social security numbers.7
Likewise, DoubleClick had decided to forestall plans to link its databases tracking people’s online
behavior with databases tracking their offline purchases.8 Not only was crypto policy a live
public topic, it was “sexy.” And it seemed to be smack in the middle of revolutions in commerce
and governance.
So, in this middle, Zero-Knowledge teetered on several pivots. They were playful and
professional, radical and safe, a lucrative business and a political movement. The next section
chronicles the path Zero-Knowledge took to achieve this position, and the resolution of the
tensions it encountered there.
Zero-Knowledge 1997-2002
Ideological beginnings
In 1997, Austin Hill and Hamnett Hill, Zero-Knowledge’s founders, were in their mid-20’s.
They had just sold their interest in TotalNet, an ISP they had founded and transformed into the
third largest in Canada, and were planning their next business venture. Internet companies were
booming, yet little commerce was actually occurring online. Polls and pundits indicated that one
of the things holding back an explosion of e-commerce was consumers’ fears about online
privacy.9 The Hills were not privacy activists at the time, but both were free market libertarians.
They were attracted, both ideologically and fiscally, to the idea of satisfying an untapped and
potentially huge market demand for services which would protect the online activities of
individuals from the prying eyes of governments and other large, entrenched, institutionalized
interests. They saw those services – especially anonymous payment systems and untraceable
communications – as essential components of a thriving internet-based commerce. The promise
of controlling access to those essential services proved a sweet siren call.
6 Levy, Steven. 2001. Crypto. New York: Viking. , or Phillips “secrets and trust”
7 cite
8 cite
9 cite
In the course of their market research, the Hills became involved in an active community of
cryptographers and privacy activists. It was from these conferences, white papers, and e-mail
lists that the Hills first absorbed cypherpunk crypto-libertarian techno-political philosophy. The
cypherpunks, as an identifiable group, began in 1992 as a loose affiliation of technically adept
computer scientists, some of whom had accrued substantial financial assets in the computing
industry. Their common bond was a belief that cryptographic technology had the potential to
fundamentally alter structures of power, particularly in the power of the government to monitor
and discipline the economic actions of individuals. In general, they were techno-activists. That
is, they tried to implement the technological structures that they believed would alter social
structures. Most communication within the group was through the cypherpunks mailing list,
which became one of the few generally available sources of cryptographic expertise. The list
was a vital source not only for cryptographers, but for reporters, academics, and researchers
covering cryptography issues.10 An important facet of cypherpunk philosophy was the
repudiation of “security through obscurity.” No system could be trustworthy unless it was open
to examination. Security software could not rely on secrecy. Instead, it had to rely on the
provable robustness of its cryptographic algorithms.
From the first, the Hills felt that it was essential to align with the cypherpunk community –
to prove themselves to that community and to enlist its support. That proof consisted of a
display of knowledge of the techniques and the politics of cryptography and privacy, and
especially a commitment to cryptographic software as the bedrock of privacy protection.
Developing Freedom
The Hills operated with a sense of abundance. In February 1998, they hired their first
employee. This was a family friend with little experience in project management, and grave
doubts about his suitability for the job. But the founders argued that vision, intelligence, and
optimism were more important than experience, gave him “dispensation” for inevitable errors,
and convinced him to join.
10 Levy Wired cypherpunks article; djp diss; Privacy New Landscape
They next assembled two teams of software developers, one working on the client software,
the other working on the network software. Initially, the development teams’ strategy was to
rework existing remailer systems developed in prototype by cypherpunk cryptographers.
However, that strategy changed abruptly three weeks later, when Zero-Knowledge hired Ian
Goldberg as “Chief Scientist and Head Cypherpunk.” Goldberg was nothing less than an
international star of the cryptography community. 25 years old at the time, he had already twice
appeared in The New York Times for discovering security flaws, first in the Netscape browser (at
the time far and away the market’s dominant browser)11 then in mobile phone protocols. 12
These stories were big news, appearing, respectively, on the front pages of the Times’ main
section and its business section. In Goldberg’s words, the stories ran “everywhere.”
Goldberg’s hiring had three effects. First, it gave Zero-Knowledge “instant credibility” in
the cypherpunk and cryptography communities. Second, it irrevocably established the direction
of product development along cypherpunk ideals. That is, Zero-Knowledge committed itself to
developing from scratch “the mother of all privacy solutions,” an “NSA-proof” system, whose
security would rely not on any secrecy in how it operated, but instead on the provable
intractability of its algorithms. As a third, corollary effect, Goldberg’s hire sent the release date
back months.
Product development was guided by faith in the market, though not by faith in market
research. There were no formal attempts to find out what consumers would be likely to buy.
Instead, product development was mostly techies sitting around asking each other what cool
features they’d like to create and use. This process worked very well, for a while. In October of
1998, Zero-Knowledge presented Freedom at Venture Market East, a forum sponsored by Red
Herring magazine and intended to allow investors and start-up companies to become familiar
with each other. Zero-Knowledge was, in the words of a Red Herring editor, “a runaway hit.”13
11 The New York Times, September 19, 1995, Section A; Page 1; Column 1; Software Security Flaw Puts Shoppers on Internet at Risk
12 The New York Times, April 14, 1998, Section D; Page 1; Column 5; Researchers Crack Code In Cell Phones, JOHN MARKOFF
13 Lahey, Anita. 1999. “What Price Privacy.” Canadian Business Magazine (Feb 26)
Their presentations were standing room only.14 The Hills were “triple-booked” with venture
capitalists. Interest was so great that, perhaps paradoxically, they decided to hold off on
accepting venture capital, instead investing more of their own money, and the money of friends
and acquaintances.
More than merely reinforcing Zero-Knowledge’s faith in its own work, the interest
expressed at Venture Market East changed their understanding of the product they were
developing. Zero-Knowledge went into the conference with an e-mail and web anonymizer, and
they came out with an identity product, a base for many services and programs. The idea of
persistent pseudonymity – of nyms – was born at Venture Market East. The idea that identity
management had potential far beyond mere private e-mail changed the way the company thought
of themselves, and the way they presented themselves to investors.
Development efforts redoubled. A few months later, Zero-Knowledge’s faith in itself was
again rewarded, when they presented a pre-alpha version of Freedom at Demo 99, another
conference intended to present new technologies to investors and the press. Zero-Knowledge
presenters felt that Freedom was “the most recognized, most well-received, most attention-
grabbing” product there. The demonstration, and the welcome attention it received, was pivotal.
It gave Zero-Knowledge a sense, not only that they were on the right track, but that they could
compete with the best.
The development process was tremendously difficult and exciting. There were no similar
products for comparison (though prototypes of limited systems did exist), no established users to
interview. And the design of a private network was intrinsically more difficult than, say, the
design of a word processor. A buggy word processor was still a word processor, but a buggy
privacy system was no longer private. It demanded attention to the edge case; weird uses and
unlikely attacks were as important to design considerations as everyday use. And Zero-
Knowledge’s growing reputation among crypto hackers, and especially their claims to be
“military grade,” made them a sweet target for attacks. So designers constantly tried to imagine
and guard against attacks both from lone geniuses and from the concerted forces of U.S. military
14 Pittsburgh Post-Gazette November 1, 1998, Pg. C-3 HOW TO FIND A VC MICHAEL NEWMAN
and intelligence agencies. Occasionally, significant effort would be spent trying to incorporate
defenses against a specific type of attack, only to decide that the attack was so unlikely, and so
expensive, as to be absurd. For example, originally there had been plans to account for
correlation attacks, where someone observing the entire network could statistically correlate
traffic in and out of servers. Such an attack reveals the routes of messages, but not the contents
of messages, and requires enormous monitoring and analysis resources. Indeed, it was
eventually determined that the required resources were not simply enormous, but fantastic, and
the problem was abandoned as moot.
The work was constant and physically exhausting. Deadlines loomed, passed unfulfilled,
and loomed again, like a carrot held before a donkey’s nose. Coders worked through illnesses,
through nights and weekends, through threats of divorce and disownment.
While software development was proceeding, ISPs had to be recruited to host the Freedom
network servers. Initially, these ISPs were recruited through cypherpunk contacts and through
the founders’ contacts from their days as ISP operators. By this time, Zero-Knowledge was
receiving significant press in the industry, and many ISPs initiated contact with them. By the
time of the beta test, 65 ISPs had volunteered to host servers without remuneration. After the
beta, Zero-Knowledge started offering more formal contracts with ISPs. Under these contracts,
the host ISPs initially paid $3000 for each Freedom server, but after that were reimbursed at
least $250 per month by Zero-Knowledge for Freedom traffic passing through the ISP’s internet
gateway. In addition to this monthly fee, Zero-Knowledge also offered ISP hosts a bit of market
advantage, since they could advertise that they were privacy-aware, and so differentiate
themselves from their competition.
Ramping up: growing reputation, growing payroll
Public relations was considered an essential part of the pre-release development strategy.
The public relations manager was employee # 21, hired in January 1999, eleven months before
the product release. Zero-Knowledge began appearing regularly in the local Montreal press, and
more and more frequently in the national Canadian and U.S. press. 15 Coverage came from many
15 cites ([from lexis: business week, Internet world, MacLeans, Marketplace, weekend edition. /congressional hearings: Newsweek)
beats, including the lifestyle, policy, and technology desks. The Hills had courted recognition
from established civil libertarian groups, including the Electronic Privacy Information Center,
the American Civil Liberties Union, and the Electronic Frontier Foundation, and from
established cryptographic and privacy policy experts. This paid off as these more established
press sources referred reporters to Zero-Knowledge. They reaped great press when Ian Goldberg
wrote code that could reveal the supposedly hidden unique serial number of each Intel Pentium 3
chip. This discovery was covered prominently by Newsweek and the New York Times, among
other publications16. Zero-Knowledge also published high-level white papers describing the
Freedom network. This early hype gave Zero-Knowledge a very strong brand image. It also
“locked them into” that image, and forced them into “being good, [being] above reproach.”
During summer of 1999, Zero-Knowledge closed on its first round of outside financing,
when Platinum Venture Partners invested 7.5 million CAD.17 With this infusion, Zero-
Knowledge ramped up hiring, and leased three floors of a newly renovated office building in
downtown Montreal as well as space in Palo Alto, California. There were no definite plans for a
Palo Alto office, but Zero-Knowledge management saw that eventually a presence in Silicon
Valley would be essential. Demand for office space in the Valley was skyrocketing, and they
figured that they could rent it out at a profit if they didn’t occupy it themselves.
Through late 1999 and early 2000, Zero-Knowledge actively displayed exuberance and
growth. In part, this display was intended to attract investors, but it also was intended to attract
“visionary thought leaders” to the employee rolls, and simply to have fun. Recruitment was very
“un-Montreal.” Zero-Knowledge would poach employees from other local firms by sitting
outside in a flatbed truck with a sign proclaiming “We’re hiring!” They were later cited by The
Industry Standard for their ability to hire, massively and quickly, high-quality people.18
For Zero-Knowledge was actively expanding their expertise into other areas of the “privacy
space.” They brought aboard internationally recognized experts on privacy policy to establish a
consulting practice aimed at corporations who increasingly had to acknowledge and deal with
16 cites
17 cite prospectus
18 The Industry Standard, May 22, 2000, Recruiting: How The Best Are Won, Deborah Giattina, (page?)
global data privacy regulations. They also radically extended their cryptographic expertise by
hiring Stefan Brands and licensing several of his patents for implementing “private credentials.”
Private credentials provide a means of disentangling the verification of the various attributes
to which a credential might attest. As a general example, suppose a user, Alice, needs to be able
to prove, on various occasions, her name, her age, her citizenship, and her student status.
Moreover, she wishes to prove these independently, to prove her age without showing her name,
for example. She would go to a commercial credential issuer, and present proof of those attributes
– her birth certificate, say, and a University bursar’s receipt. The issuer would then provide her
with a digital credential attesting to those attributes. When challenged regarding her age or
student status, Alice would present the credential. However, she would also present a logical
query regarding the embedded attributes. The challenger would receive in return a true or false
response to that query. For example, suppose the public transportation system offers a 50%
discount to students and to those over 65. Alice could present her credential, along with a query:
“Am I over 65 OR a student?” The response would be “yes” and Alice would qualify for the
discount. But the bus company would not know Alice’s age or her student status. They would
not even know her name. Digital credentials might be implemented in various media, including
smart cards, cell phones, or the internet.19
Brands had also developed a means by which credentials could be used privately only once.
Presenting the same credential twice would reveal all of the information on the certificate. This
could have enormous potential in anonymous electronic voting systems. Alice could use her
credential to prove that she was a registered voter without revealing her name. But if she tried to
vote twice, her name would be revealed, and appropriate penalties could be levied.
Like Ian Goldberg, Stefan Brands was internationally renowned, and his patents were
generally recognized as fundamental, basic, and applicable to a wide range of online
transactions. Moreover, they seemed likely to withstand legal assault. They were “legitimate, …
easy to defend, big spiky things you can’t go near.”
19 cite Brands’ book
While Zero-Knowledge saw in the Brands patents “the future e-commerce and identity,”
Brands saw in Zero-Knowledge a commitment to commercialize state of the art cryptography.
He was impressed both by Zero-Knowledge’s in-house cryptographic expertise (especially the
presence of Goldberg) and by the entrepreneurial vision of Zero-Knowledge’s management.
Once having acquired the patent rights, Zero-Knowledge’s research and development team
(the “Evil Geniuses” or simply the “Evils”), set about to develop an electronic cash application.
As with Freedom, there was no formal market analysis guiding this decision. Instead, strategic
decisions were seat-of-the-pants. Other applications (air miles and other reward programs,
electronic voting, highway toll systems) were just as feasible, but E-cash was interesting. It was
big. It was thought to be de novo – not to be built upon existing banking or payment processing
infrastructures, but to be a system unto itself. It seemed like a logical extension of the Freedom
model, since nyms had to be paid for, and the payment system was one potential source of
surveillance within the Freedom infrastructure.20 Perhaps most importantly, though, anonymous
payment systems had long been a cypherpunk project, an integral part of the crypto-libertarian
ideal of a free market in cyberspace.21 And that ideal found its home within the Evil Geniuses
more than anywhere else at Zero-Knowledge.
The E-cash project was code-named Zorkmid, after the unit of currency in an early on-line
role-playing game.22 Zorkmid got very little corporate support or attention within Zero-
Knowledge outside of the Evil Geniuses group, though Zero-Knowledge did bring external
collaborators into its development. A major wireless phone company was interested, as well as
one of the leading smart-card manufacturers. Zero-Knowledge’s response was to let them in on
the development process, not so much as active collaborators, but to give them access to Zero-
Knowledge’s developments, to allow them to develop their own applications based on patents
20 Zero-Knowledge did have a process whereby one could pay for nyms anonymously by sending cash through the mail, and a significant number of users, especially from Europe and Russia, in fact did so. But it was an awkward and kludgy process.
21 Phillips, D.J. 1998. “The Social Construction of a Secure, Anonymous Electronic Payment System: Frame Alignment and Mobilization around Ecash.” Journal of Information Technology 13(4): 273-283.
22 http://en.wikipedia.org/wiki/Zorkmid; 18 July 2005
which Zero-Knowledge controlled, thereby facilitating a future source of revenue. Zero-
Knowledge pursued a similar strategy as it released some of Freedom’s source code.
Hopefully, access to the source would encourage third-party developers to produce applications
that would rely on, and pay fees for, access to the Freedom network. [DJP: promote this as a
significant corporate strategy]
These were heady times at Zero-Knowledge. Words like “awesome”, “overwhelming”,
“charismatic”, “risky”, and “exciting” were frequently used to describe this period. The
possibility for global change seemed palpable, and some employees could hardly sleep with
excitement. Zero-Knowledge took themselves seriously, and management took seriously the
importance of a fun, vital, and creative workplace, aware of long term goals yet focused on
action here and now. Happy and committed employees were considered an essential resource.
As the company grew from 45 employees in July 2000 to over 250 employees a year later, the
founders wanted to ensure that the company would always have the vitality of a start-up. They
instituted a “Newbie University” for all new employees – a three day intensive workshop
inculcating newbies into Zero-Knowledge’s philosophies, strategies, culture, and products. They
commissioned a “cultural snapshot” from a consulting company, who conducted focus groups
and interviews to identify the workplace’s “key enablers” as well as “potential barriers” to
meeting Zero-Knowledge’s goals.
This exuberance, expansion, and growth was gratified and renewed in December 1999 when
Zero-Knowledge closed another round of institutional investment, this time for 37 million
CAD.23 This expansion of vision, of hiring, of patent acquisition, of financing began before and
continued past the Freedom release. It was not based on Freedom’s relation to the market, which,
as we shall see, was never really robust.
The Launch of Freedom
In December 1999, after several months of beta-testing, Zero-Knowledge launched
Freedom 1.0. The developers and the management thought they had changed the internet forever.
23 prospectus
They celebrated with high-fives and beer (though “no actual tears”), and sat around exhausted,
creating nyms to populate the network.
Concurrently with the product launch, Zero-Knowledge assembled a marketing department.
Marketing immediately set out to brand both Zero-Knowledge as a company and Freedom as a
product, and to develop marketing strategies for each, selling the company to investors and
Freedom to consumers. They immediately chose a strategy of “cause related marketing.” This
is a strategy whereby the company is associated not with a product, but with an ethos or a cause.
As examples of successful cause related marketing, the Marketing department pointed to The
Body Shop, which sold not cosmetics but female empowerment, and Benetton, which sold not
khakis but universal justice, love, and harmony. Zero-Knowledge could similarly identify
themselves with individual political rights. Indeed, Zero-Knowledge could do this more
naturally and easily than, say, Benetton, since Zero-Knowledge’s products were, in fact, directly
intended to facilitate those rights.
So as a conscious corporate strategy, Zero-Knowledge strongly and publicly endorsed
privacy advocacy and the political rights of the individual, hoping this would give them “the
credibility to garner [the] evangelical devotion” of employees, investors, and customers. The
moral high road would also inoculate Zero-Knowledge against backlash when, as was inevitable,
someone used Freedom in the course of a crime. When such an event drove critical media to the
Zero-Knowledge site, they would find there “an unambiguous and principled defense of privacy
rights.” In a sense, this branding strategy simply re-affirmed and built upon the public relations
strategy that Zero-Knowledge had been pursuing since its inception.
Branding Freedom as a product was more difficult than branding Zero-Knowledge as a
company. First, the name “Freedom” was chosen long before the marketing department was part
of the Zero-Knowledge organization, and, from a marketing perspective, the choice had been
unfortunate. The name did not indicate what the product did. As an evocative signifier,
“Freedom” might be attached to any product “from a brassiere to a missile guidance system.” So
marketing developed images to suggest what it was that Freedom would allow users to enjoy.
While Zero-Knowledge’s image was to be of sober, principled advocacy, Freedom was to be
presented as footloose, childish, and empowering. Suggestive visuals might include pictures of
girls laughing as they whispered secrets.
The Freedom home page in January 2000 reflected these branding decisions. The dominant
image was of a person of indeterminate gender, looking through a telescope, wearing a strange
expression of surprise, shock, or repellent fascination. Freedom was touted as offering “absolute
privacy protection,” and the reader was exhorted to “Get the headlines,” “Explore the issues,”
“Understand the technology,” and “Learn what’s at stake.” Clicking any of these would lead the
reader to a news service, where current off-site articles were indexed under five categories:
“General,” “Families,” “Human rights,” “Technology,” and “Law enforcement.” The site also
included an employee recruitment notice, asking “Have you got what it takes to be a Zero-
Knowledge Internet Freedom fighter?”
The initial marketing strategy was to “viralize” the product – to spread the good word that
Freedom had arrived. If people knew about it, they would buy it. The marketing team referred
to themselves as “evangelists,” zealously spreading a revolutionary message. The team targeted
several “vertical markets” whose participants would be most likely to adopt Freedom. These
markets were understood as organized around interests, since the team inferred that those
interested in certain topics or activities would have a “natural” interest in privacy as well. The
initial interest-oriented markets to be targeted were “gay and lesbian,” “health,” “financial,”
“political,” and “family.”
To reach the members of these markets, Zero-Knowledge marketers hoped to co-brand
offerings with interest-based internet portals. For example, gay portals such as gay.com and
PlanetOut were approached with the opportunity of sponsoring co-branded e-mail, so that every
message sent by the portal’s subscribers would be pseudonymized, and carry not only a
“Freedom” tag but also a “gay.com” or “PlanetOut” tag. Some of the Zero-Knowledge
evangelists had enough experience to have developed relationships and contacts within the
targeted markets, but usually they approached potential partners through cold calls, sending
informational packets and “Zero-Knowledge” branded trinkets (key-rings, retractable phone
cords, t-shirts, mouse pads, baseball hats, …), and following up with a phoned pitch.
Sales were disappointing, at best. In February 2000, product management was planning for
a network accommodating 2.5 million users by end of 2000.24 Yet by July 2000, there were only
12 thousand active nyms.25 To make matters much, much worse, the “dot com bust” occurred
within a few months after Freedom’s release. Investment dried up, and companies involved in e-
commerce, who may have had an institutional interest in online privacy, folded. [Need a few
more sentences describing the bust]
So through most of 2000, Zero-Knowledge was constantly re-evaluating their environment,
strategies and tactics. Their initial corporate strategy had been to attain first-mover control of an
emerging space. This control was to be financed by investments and by revenue from Freedom.
But Freedom sales were little better than dreadful, and investors could no longer be enticed by
promise. They had to see revenue. In response to these conditions, Zero-Knowledge developed a
two pronged strategy of revenue generation. The first prong was to re-evaluate the design and
marketing of Freedom. The second was to develop products and services to appeal to corporate
clients.
Reconsidering, revamping
The design of version 2.0, which began almost immediately after the release of 1.0, was
increasingly influenced by the knowledge of 1.0’s poor sales record. The development of
Freedom 1.0 had been guided only by the developers’ imaginary user, who looked a lot like the
developers themselves. In developing Freedom 2.0, Zero-Knowledge attempted to satisfy not
only its techie constituency, but to discover and satisfy the desires of potential non-techie users.
Version 2.0 incorporated two major technological changes to the Freedom service. First, the
method of encrypting and delivering e-mail was completely revised. 1.0 had delivered encrypted
e-mail to the user’s ISP, along with a “reply block” that would contain the return address,
encrypted in layers. The user’s client would use the reply block to set up the return path for
responses. This was a “cool trick,” cryptographically, but awkward to implement, slow, and
likely to fail. Instead, 2.0 sent all mail to a POP server hosted by Zero-Knowledge. Login to
24 “roadmap”
25 “nymsats.htm”
that server was anonymous, and all mail to and from it was sent through the same anonymizing
server network as in previous versions. It had the same level of security as the previous version,
but was much simpler to operate.
Also, to improve latency, the network was reconfigured to have fewer servers, and to have
those servers “closer” to the internet backbone. The security of distributed operations could be
maintained by scattering the servers among different backbone network providers – MCI or
Qwest, for example – rather than at the level of ISPs. Like the abandonment of the reply blocks,
this change reduced latency and increased robustness. It also alleviated the expense of Zero-
Knowledge’s deals with ISP hosts.
Zero-Knowledge’s attempts to find the user for Freedom included the marketing and the
development teams. However, coordination between these teams was ad hoc, at best. The client
development team began work on version 2.0 almost immediately after the release of 1.0. In
order to define the functionality of the 2.0 client, in order to think about what it should do, the
software team developed a “book” of user stories. Each story was a short profile of how an
archetypal user would interact with the client. “Alice”, for example, wanted an anonymous e-
mail service for which registration would be simple and wouldn’t require her to divulge personal
information. Each developer would invent a “pet” user, and submit the user’s profile to the team
for review. A profile went into the book if a majority of the developers liked it.
Coders were at this for a month, not coding, getting antsy, feeling uncertain of their
competence, and trying to get other departments involved. The team leader especially needed
the buy-in of the top management and the sales team, warning them not to complain later if the
team developed a product that couldn’t be sold, pleading with the marketing and sales
departments to be told what sort of features would be sellable.
The marketing team was, of course, trying to find answers to those questions. But this was
extremely difficult. It was a new market; no one had ever tried to sell such a service before. And
it was a market where the buyers were, by definition, concerned with privacy and not
forthcoming with information about themselves. Moreover, Zero-Knowledge’s whole persona
was based on the premise that users needn’t and shouldn’t trust anyone, including Zero-
Knowledge.
However, Freedom users were regularly in contact with Zero-Knowledge through the
department of Customer Service and Information Support (CSIS), which operated the help desk.
The marketing team requested customer service records from CSIS. They also requested the
nyms of users who had had contact with CSIS, so that marketing could send them questionnaires.
CSIS resisted both of those requests on privacy grounds. However, CSIS did provide marketing
with aggregate records from their database, describing, for example, the types of features callers
had requested. This aggregate, de-personalized knowledge became a “treasure of information” in
the development of 2.0. The marketing department also conducted a user survey, distributing it
through the Zero-Knowledge web site, advertising it through the sales team’s personal contacts,
and offering t-shirts and video store gift certificates as incentives for participation.
In these efforts, marketing was focused not only on 2.0 development. They were also
looking at Zero-Knowledge’s overall sales strategies, at the true viability of the privacy space,
and at Zero-Knowledge’s brand perception.
The initial sales strategy had been to approach customers in interest-based markets (like
health care, women, gay and lesbian interest, financial) by developing partnerships with big
properties in each segment – portals like gay.com or i-village. In its research, marketing
discovered several reasons for the failure of this strategy. Unsophisticated users had difficulty
installing and using Freedom. Many potential users got their internet access through America
Online (AOL), and Freedom was incompatible with AOL software.26 Freedom slowed
communications considerably, and more sophisticated users, habituated to high-quality service,
were unwilling to put up with this latency. And while Freedom’s flaws were readily apparent in
use, its virtues were invisible. When it worked well, nothing happened. The typical user that
Zero-Knowledge was able to attract was a 25-34 year old male, working in the tech industry, and
already interested in internet privacy. There was no correlation between the interest-based
market segment and the likelihood of uptake. That is, it didn’t matter whether the user was
interested in health care or financial issues; what mattered was whether he was technically adept
and interested in privacy. This was a niche market, not a mass market. In response to this new
26 note re: cultural gap between techies and the masses; contempt for AOL.
knowledge, the marketing team changed its strategy to target early adopters rather than market
segments.
The “early adopter” strategy was based on a well-established model of technological
diffusion. According to this model27, new technologies are taken up by various groups in turn.
“Innovators” are the first to take it up, followed by “early adopters,” “early majority,” “late
majority,” and “non-adopters.” Members of these categories share certain characteristics. Early
adopters, for example, tend to have high socio-economic status, and to be young, mobile,
creative, and open to contact by sales people. Zero-Knowledge’s marketing department now
sought to narrow their consumer outreach by targeting only those groups with privacy interests
that also shared the demographics of “early adopters.” They identified and ranked eight such
interest groups: “techies,” “gay and lesbian,” “activists,” “students,” “internet relay chat users,”
“broadband users,” “adult entertainment enthusiasts,” and “discussion group users.”
Zero-Knowledge’s new marketing strategy focused on the first four of these groups. The
strategy was three-fold – first to drive awareness within those groups that Freedom was
“privacy-enabling,” then to drive traffic from those groups to Freedom’s web site, and from there
to drive downloads and sales. Awareness was to be driven by attending events for each interest
group (like the Geek Pride Festival or gay pride parades), by getting the endorsement of opinion
leaders in each community, by increased visibility of “freedom.net” email addresses in
discussion lists, and by banner ads on portals and web sites. This marketing strategy was not so
different from the initial “viral” strategy, but it recognized that, at least until version 2.0
improved Freedom’s usability, the target of the viral campaign had to be more precisely
circumscribed.
The marketing department set out also to try to address growing concerns within the
company that they had entirely misjudged public attitudes toward privacy. As Austin Hill put it,
“everyone says they care about privacy, but people would give a DNA sample for a ‘free’ Big
Mac.” Privacy seemed to be an issue rather than a problem, or a problem from which no one
“suffered.” People within the company echoed others in the privacy activist community and
27 cite
wondered how the privacy movement could attain the same cultural salience that the
environmental movement had reached in the 1960’s. What sort of “privacy Chernobyl” would be
necessary to wake people up? If the FBI decided to require every ISP to record every packet
flowing through their servers, would that stimulate resistance? Would that demonstrate a real
need for Zero-Knowledge’s product?
In the months after the Freedom launch, the marketing department tried to generate
empirical knowledge about the “privacy space” and Zero-Knowledge’s perceived position within
it. They conducted focus groups in Boston and Toronto. What they found struck at the heart of
the company’s belief that individual consumers would understand privacy as a political problem,
and would see the purchase and use of Freedom as a viable response to that problem. They found
that potential Freedom users had vague but fatalistic attitudes toward internet privacy. Most
internet users were ignorant of the ways in which their activities were monitored, yet had
resigned themselves to that monitoring. Encryption was an unfamiliar and intimidating concept.
Moreover, they were put off by Zero-Knowledge’s seemingly grandiose claims – both the claim
to provide “total internet privacy” and the claim that such “total privacy” would cure social ills.
With this growing awareness of difficult, and perhaps intractable, problems with a reliance
on a consumer market base, Zero-Knowledge put more effort into attracting corporate “deep
pockets” clients. On one hand, they began looking to channel marketing as a distribution
technique. That is, they sought to recruit original equipment manufacturers (OEMs) to distribute
Freedom with the equipment. New computers would be configured to install Freedom on the
first boot; routers would come with a CD including the Freedom software. To appeal to OEMs,
Zero-Knowledge incorporated “Freedom For Free” into version 2.0. “Freedom For Free” was a
suite of security tools including an ad-blocker, a cookie manager, a firewall and a form filler. It
also allowed users to register nyms and send and receive pseudonymous e-mail. These would be
available at no charge to anyone installing the software that came with the newly purchased
computers. Anonymous web browsing via the full Freedom pseudonymity service would still be
available for subscription. In splitting up the product this way, Zero-Knowledge rejected other
options, like charging for the security tools, or stepping up development of private certificate and
e-cash products. Instead, Zero-Knowledge management hoped that by making the Freedom
client readily available as the front end for popular (and cheap) security tools, it would channel
users toward adoption of more specialized, and eventually more profitable, privacy services,
such as private e-mail and web browsing, private or anonymous authorization, payment, and
verification services, or challenge-response spam management. But to convince OEMs to bundle
Freedom, Zero-Knowledge had to show both that there was consumer demand for their privacy
products, and that their security products offered improvements over similar products then on the
market, like those offered by Symantec and McAfee. So the development of 2.0 was coupled
with a renewed effort to drive up sales of 1.0.
Zero-Knowledge also attempted, with little success, to attract corporate clients, both through
a corporate version of Freedom, and through privacy consulting services. The business need for
anonymous browsing was not difficult to argue. More and more corporate research – market
research, investment research, patent research, surveillance of the affairs of competitors –
occurred via the web. While the web gave cheap access to lots of information, it also made the
search activities themselves more visible. So the direction and strategies of a corporation’s research
interests became more visible to their competitors. Anonymous web browsing through Freedom
would give businesses all of the benefits and none of the drawbacks of the web’s visibility.
Unfortunately, though, a business couldn’t adopt Freedom simply by buying nyms for all their
employees. In its standard implementation, Freedom did not work from behind a firewall, and
virtually all corporate networks had installed such firewalls. Instead, access to the anonymizing
network had to go through a gateway which had to be custom designed and installed for each
corporate client. So the costs and risks of marketing, adopting, and installing Freedom’s
corporate version were substantial.
The privacy consulting services which Zero-Knowledge offered to these “deep-pockets”
clients included analyses of regulation compliance and information management with a specific
focus on issues for multi-nationals. Zero-Knowledge did have some success marketing these
services. Indeed, from July 2000 through March 2001, “services and consulting” accounted for
over 60% of Zero-Knowledge’s revenue. 28 However, management still complained that they
were not getting the really big clients, because they themselves were not a really big operator.
They were not Andersen Consulting, for example, or IBM.
28 cite prospectus
Enterprise solutions
Zero-Knowledge’s move to attract corporate clients resulted in another stream of product
development. Shortly after the release of Freedom 1.0, Zero-Knowledge management was
approached by the management of Excite, an online profiling and advertising company.
Through the use of third party cookies, Excite collected anonymous data on individuals’ web
surfing habits. They then used that data to create profiles of users and to serve banner ads to
users based on those profiles. In their PR, they were adamant that they did not collect any
personally identifiable information (PII). However, they now were looking for a way to collect
and use PII and to amend their privacy policy without violating its spirit. This was by no means
an idle or altruistic concern. One of their competitors, DoubleClick, had recently planned to merge
identified with anonymous data, and the uproar included an FTC investigation, numerous
lawsuits, and a steep, though brief, drop in their market capitalization.29
Because Zero-Knowledge had very high visibility in the nascent privacy field, Excite sought
them out for advice and possible technological solutions. The courtship between Zero-
Knowledge and Excite was brief, and nothing concrete came of it. Nevertheless, it awakened
Zero-Knowledge to a possible corporate demand for their technology. They began to see a
“common thread” of “core needs” for data blinding, for a “privacy layer” in the data
infrastructure. Data holders were very good at putting data in and taking data out, but there
were no mechanisms for fine-grained control, for using data for one thing but not another. This
was so even when companies were well-intentioned and sought to use data responsibly. A
corollary of this coarse control of consumer data was a “trust problem” between consumers and
businesses.
There were some moral qualms within Zero-Knowledge about going into corporate database
management. There were questions of whether data collection companies were intrinsically
enemies of privacy. However, consensus was quickly reached that the “privacy problem” was
not the tailoring of ads to suit each particular viewer’s interests. It was knowing what a particular
user was doing – knowing, for example, which search terms someone was using on the New
29 http://www.aef.com/06/news/data/2000/1154; 22 June 05
York Times web site. The goal then, was privacy enabled profiling – detailed, dynamic profiles
that were not linked to any PII.
Once the decision was made, Zero-Knowledge moved quickly to develop a new service, a
database blinding engine code-named “Blind Elephant”. Database holders would agree to
encrypt, or “blind,” the PII fields of each data record. The blinding algorithm would be such that the
same original value would always produce the same blinded value, but it would be
mathematically impossible to compute the original value from the blinded value without access
to a cryptographic key. This key could be held by a third party, mutually trusted by database
operator and data subject.
Blind Elephant would allow database operators to profile their users more effectively, and to
engage in one-on-one communication with their users, all without direct access to any personally
identifiable information. For example, suppose BigPharmaceuticalCo wanted to know the
demographics of FabNewDrug buyers. Using Blind Elephant, they could buy that data from
pharmacies, but with the identifying field (say, the social security number) blinded.
BigPharmaceuticalCo could also buy consumer reports from credit agencies, again with the
social security numbers blinded. Since each unique social security number would blind to the
same unique value, the pharmacy records could be matched with the credit records. Thus
individuality could be established without identity, and statistics could be generated without
violating privacy. Moreover, some at Zero-Knowledge asserted that the quality and usefulness
of individual records would likely improve, since users would be more trusting, and less likely to
falsify data.
Blind Elephant would also mediate “privacy-enabled” customer relations management. As
in the above example, PII fields would be cryptographically blinded, and could only be
decrypted with a key held by a third party, say Zero-Knowledge itself. Records could then be
merged, and patterns discovered. BigPharmaceuticalCo might find a particular cluster of de-
identified user records particularly interesting, and particularly attractive for a marketing
campaign. They would like to send e-mail to each of those individuals to whom the records
refer, but they don’t know who those individuals are. Instead, they would send to Zero-
Knowledge two pieces of information – the encrypted e-mail address gleaned from the subject’s
data record, and a message to send to that individual. Zero-Knowledge would check that the
subject of the record had agreed to receive e-mail. Only then would Zero-Knowledge decrypt
the e-mail address and send the message. At no point would the merged data and the PII be
available together.30
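The blinding, matching and consent-gated relay described above, as an added Python sketch that is not Zero-Knowledge's code: the synthetic-IV construction built from HMAC-SHA256 is a stand-in chosen to stay within the standard library, and `BlindingAuthority`, `link`, the sample records and the choice to have the key holder perform the blinding are all assumptions of the example.

```python
import hashlib
import hmac


def normalize_ssn(ssn: str) -> str:
    """Canonical form, so '000-12-3456' and '000123456' blind to the same token."""
    return "".join(ch for ch in ssn if ch.isdigit())


class BlindingAuthority:
    """Hypothetical third party that holds the blinding key (an assumption of this sketch)."""

    def __init__(self, key: bytes):
        # Two independent subkeys: one derives the synthetic IV, one the keystream.
        self._k_iv = hmac.new(key, b"synthetic-iv", hashlib.sha256).digest()
        self._k_enc = hmac.new(key, b"keystream", hashlib.sha256).digest()
        self._opted_in = set()  # blinded e-mail tokens whose subject agreed to mail

    def _keystream(self, iv: bytes, n: int) -> bytes:
        blocks = (hmac.new(self._k_enc, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def blind(self, value: str) -> str:
        """Deterministic: equal inputs give equal tokens, so tokens can be joined on."""
        pt = value.encode()
        iv = hmac.new(self._k_iv, pt, hashlib.sha256).digest()[:16]
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(iv, len(pt))))
        return (iv + ct).hex()  # note: token length still reveals the value's length

    def _unblind(self, token: str) -> str:
        raw = bytes.fromhex(token)
        iv, ct = raw[:16], raw[16:]
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(iv, len(ct))))
        # Recompute the IV: rejects tokens that were altered or made under another key.
        if not hmac.compare_digest(iv, hmac.new(self._k_iv, pt, hashlib.sha256).digest()[:16]):
            raise ValueError("token does not verify under this key")
        return pt.decode()

    def record_consent(self, email: str) -> None:
        self._opted_in.add(self.blind(email.strip().lower()))

    def relay(self, blinded_email: str, message: str):
        """Return (address, message) for delivery, or None when the subject has not opted in."""
        if blinded_email not in self._opted_in:
            return None
        return self._unblind(blinded_email), message


def link(left, right, field="ssn"):
    """Join two blinded data sets on a blinded field; no raw identifier is involved."""
    index = {row[field]: row for row in right}
    return [{**row, **index[row[field]]} for row in left if row[field] in index]


def demo():
    authority = BlindingAuthority(key=b"constructed demo key, not a real secret")
    b = authority.blind
    # Constructed sample records; the SSNs use the never-issued 000 area number.
    pharmacy = [{"ssn": b(normalize_ssn("000-12-3456")), "drug": "FabNewDrug",
                 "email": b("alice@example.com")},
                {"ssn": b(normalize_ssn("000-98-7654")), "drug": "FabNewDrug",
                 "email": b("bob@example.com")}]
    credit = [{"ssn": b(normalize_ssn("000123456")), "income_band": "C"},
              {"ssn": b(normalize_ssn("000-55-5555")), "income_band": "A"}]
    authority.record_consent("Alice@example.com")  # only Alice agreed to e-mail

    merged = link(pharmacy, credit)
    sent = [authority.relay(row["email"], "offer") for row in pharmacy]
    return merged, sent
```

Because equal values blind to equal tokens, anyone able to request blinding could tabulate a small value space such as nine-digit social security numbers, so access to `blind` needs the same protection as the key. A deployed system would use a vetted deterministic scheme such as AES-SIV (RFC 5297) rather than this construction.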
Zero-Knowledge identified in Blind Elephant (later renamed the Privacy Rights Manager
(PRM)) three value propositions for deep-pocket clients. It would give database holders a
competitive advantage in that they would be able to advertise themselves as privacy-aware. It
would promote trust between data subjects and database holders, encouraging subjects to be
more honest and forthcoming in the provision of personal information, and allowing database
holders to create more accurate profiles. It would also facilitate compliance with a growing body
of privacy law, all of which regulated the collection and exchange of personally identifiable
information. Zero-Knowledge had little empirical data to support the first two propositions, so
they focused instead on the third. Thus the health care and financial industries, as the sectors
most subject to privacy regulation, were identified as the “low hanging fruit.”
In its targeting of institutional actors, rather than individuals, PRM was a step away from the
libertarian ideology of Freedom. That ideology did not die, however. The attention to
institutions was seen in some quarters as instrumental, as a way to get privacy to consumers yet
have someone else pay for it, because consumers were still not buying.
The move toward developing business-friendly products and services was accompanied by a
shift in PR. Almost immediately after the release of Freedom 1.0, Zero-Knowledge had realized
that they had to get away from the “cypherpunk, libertarian, nutsy thing,” away from being
perceived as a bunch of hackers. They had to package and communicate the privacy problem in
a way that wasn’t “scary” or “threatening.” They had to show that privacy was good for business.
They toned down their “flacktivism” and became much less “in-your-face.” For example, in June
2000, Zero-Knowledge became aware that Freedom users were unable to access some FBI web
sites. Had this happened six months earlier, Zero-Knowledge’s PR would have been
confrontational. Now, however, the PR director made efforts to downplay the entire situation, to
publicize the cooperation between Zero-Knowledge and the FBI as they together tried to solve
the problem.
30 This image was the inspiration for the “Blind Elephant” name: like the proverbial elephant “seen” by a group of blind men, different parts were visible to each viewer, and no one was able to understand the whole.
Zero-Knowledge needed a new kind of credibility. They no longer sought the imprimatur of
cryptographers and activists. They needed “established players” – banks and telecom
companies – to say “we are partnering with Zero Knowledge because Zero Knowledge is the
leader in the privacy space.”
Regrouping
Throughout 2000, Zero-Knowledge was trying to recruit a new CEO and management team.
In early 2001, they were successful. At the same time, Reuters invested 32 million CAD in the
company. The new team further articulated and rationalized Zero-Knowledge’s corporate goals
and strategies. The goal became simple – to turn a profit and survive. The strategies to meet that
goal were similar to those that had been developed over the previous year. They were, first, to
sell more consumer product and second, to establish a high-margin product aimed at corporate
clients. In pursuit of these strategies, the new team instituted core changes to Zero-Knowledge’s
culture and sense of itself.
Massive layoffs began in March 2001. These struck at the core of Zero-Knowledge’s self-
image and their sense that a fun, caring, and creative workplace was an essential engine of
success. Zero-Knowledge handled the layoffs with a sense of responsibility, conducting them
internally, rather than bringing in outside consultants, as was common in other corporations. The
People Department first laid off half their own, using that experience as a way to learn how to
manage it for the rest of the company. As one of the People Department managers put it, “We
hired them and made promises, we’re breaking the promise and we’ll do it ourselves.”
By January 2002, Zero-Knowledge’s employee roll had shrunk to about 110 from the peak of
about 255, which it had reached 18 months earlier. No longer were programs like Evil Geniuses
kept because they were “fun.” Everything was evaluated by a “must have” criterion, and
immediate revenue was the goal against which necessity was justified. With the shift to channel
marketing and distribution via OEMs, there was less need for advertisements, so the marketing
department was hit hard. After the layoffs, “performance management” was instituted in order to
get newly re-organized departments to focus on corporate goals. At this point, many, but not all,
of the departments changed their names. People Department became Human Resources, for
example, and Evil Geniuses became Zero-Knowledge Labs, though the support group remained
CSIS.
Throughout the summer of 2001, in the face of 56,000,000 CAD in losses over 3 years,
Zero-Knowledge management decided to radically cut back and reconfigure its product lines.
First, they released the rights to the Brands patents. Maintenance of these licenses and patents
had cost Zero-Knowledge nearly a million dollars a year, yet Zorkmid at its zenith was merely an
unstable Java prototype demoed at a small conference on Financial Cryptography. Not only had
the patents returned nothing in revenue, no one could see any longer who would possibly, within
the next fifteen years, license and develop them on the scale necessary to justify their
maintenance.
PRM, the corporate software product, underwent radical revision. Internal prototype
development had continued since mid-2000, and by the time the new management team was
installed in 2001, a “version 0.9” prototype was ready for demonstration to potential clients.
This prototype was “slide-ware.” It involved no code, simply a high level description of the
system’s architecture. Like Freedom before it, the prototype was developed based on a
marketing requirements document (MRD) that was developed with little formal market research
or needs analysis. It offered to clients an “end to end privacy policy and information
management solution” which would reduce risk by managing “complex linkages among
heterogeneous applications and components.”
PRM’s architecture consisted of five components:31
• PRML, a “privacy rights markup language.” This was an XML based language to
codify and rationalize privacy policies and privacy practices. It allowed for
definition of privacy objects and for declarations specifying the relations among
those objects. A set of declarations represented a company’s policy. Specifically,
“[d]eclarations specify that a role can do an operation on a data element for a
purpose if certain constraints are satisfied, and can specify that an action should be
taken when this occurs and/or that the data element should be subject to
transformation before an operation can occur”32
31 Hill and Levitan “Privacy Rights Management” ppt; June 5, 2001:
• a privacy console, which was to act as an interface between the data and the system
operators. This console could discover and inventory personally identifiable
information, model policy in PRML, and manage and report on database events.
• a central privacy server, which would execute and monitor all required PRML
actions, and report to the privacy console.
• privacy-aware enforcement agents – software agents mediating between the privacy
server and specific privacy applications, and
• the privacy applications themselves. These were to be the actual data management
activities, permitting or denying access based on policy, anonymizing, de-identifying
and re-identifying data, or pseudonymizing transactions.
In summer of 2001, shortly after the arrival of the new management team, the PRM Center
was first demoed for a potential client, an event described as “a two-day train wreck” which left
the client “stupefied.” In reaction, the new senior management took active control of the project,
scrapping the MRD inherited from Blind Elephant and starting anew. The new MRD was
written only after extensive market research, including meetings with potential clients, and an
independently conducted market survey of fifty Chief Privacy Officers (CPOs) working in the
target segments. These target segments remained the same – the heavily regulated health and
financial industries.
What emerged from these deliberations was the Enterprise Privacy Manager (EPM), a
product of much smaller scope. Unlike the PRM Center, EPM would not interact directly with
data flow. Instead, EPM was to sit atop, or alongside, site-specific data systems, because these
mission-critical database systems were too large, too specialized, and too entrenched to interfere
with. EPM would simply be a software tool to internally audit and track information flow, to
verify compliance with privacy policies. As Chief Financial Officers had spreadsheets, so CPOs
would have EPM. The sole survivor of PRM Center development was the markup language,
PRML, which became the starting point for the development of a new language specification,
EPML.
32 ZKS Enterprise Product Unit Business Plan Overview (ppt dated 2001, after Hevizi, Weidick, Beans hires
Zero-Knowledge pursued the development of EPML in “coopetition” with IBM. IBM had
been aware of Zero-Knowledge’s work on the PRM Center, and became interested because they
and their subsidiary, Tivoli, had been engaged in a similar project. [djp: verify] According to the
Zero-Knowledge project manager, IBM was impressed with the PRM work, and asked to
continue collaborative development. Alliance with a powerful partner had, by this time, long
been keenly desired by Zero-Knowledge, so they were eager to agree. On the other hand, they
were very wary of engaging with such a powerful partner. An integral part of the development
strategy then became to establish and defend intellectual property rights in EPML so that IBM
could use it, but not own it. To that end, ZKS carefully maintained their legitimacy as a co-
developer with equal IP rights, through legal agreements and carefully scheduled joint public
releases.
The enterprise product now contained no cryptography at all. In a further and even more
radical retreat from its founding vision, Zero-Knowledge decided in August 2001 to pull the plug
on the Freedom network. No sales campaigns had been effective – neither the attempts to
viralize the product within certain consumer market segments, nor the attempts to target early
adopters across segments, nor channel marketing, nor corporate sales. The 2002 prospectus
suggests that between July 1, 1999 and July 1, 2001, Zero-Knowledge spent nearly 1.5 million
CAD on network operations alone, against nearly half a million in licensing fees from Freedom
users. Zero-Knowledge simply could no longer afford to operate the network.
On October 4, users logging in to Freedom were greeted with a message “strongly
recommending” that they visit a hot-linked URL for “a very important announcement regarding
the current status and the future of the Freedom network.” That announcement read, in part:
“I regret to inform you that Freedom Premium Services - Anonymous Web Browsing
and Private Encrypted Email - will be discontinued as of October 22nd, 2001…
“This decision was not taken lightly. It reflects the ongoing high cost and limited
returns of operating the Freedom Network - the engine that drives the encryption and
anonymity process. This is especially true since our customers and partners increasingly
choose to purchase ready-to-use solutions that provide security and safety online - such as
personal firewall, password manager and keyword alert - rather than nym-based services.
“For the past two years we have worked very hard to develop and maintain a
sustainable private network and we thank you for all your support of our endeavor. We
share your disappointment and we apologize for the impact this decision will have on your
online activities….”
The timing of the announcement, occurring as it did less than a month after the terrorist
attacks on New York and Washington DC, and around the time of the passage of the USA
PATRIOT Act, was horrendous. Still, Zero-Knowledge insisted that the attacks, and
governments’ response to them, had nothing to do with the decision to shut the network. That
decision had been made in August, before the attacks, and development of Freedom 3.0 had
proceeded since then on the assumption of the network’s closure.
Users, those who had sympathized with Hill’s original vision, were terribly upset at
Freedom’s demise. It seemed another nail in the coffin of political, social, and economic
promise. Gone was the dream of running an international network of encryption machines
impervious to the FBI. Zero-Knowledge received poems, condolences, and diatribes mourning
the passage of Zero-Knowledge into just another Symantec or McAfee. Some customers offered
to pay up to three times the regular fees for the Freedom service, but even that came nowhere
near making up Zero-Knowledge’s shortfall.
This radical change of direction made sense from an economic perspective. However, it
produced crises in relations both within and outside of the company. Zero-Knowledge had to
engage in vital attempts to salvage their credibility, which had counted as a powerful asset in
Zero-Knowledge’s first years. The idea of Zero-Knowledge had been built on cryptography,
privacy, and really smart people, especially Stefan Brands and Ian Goldberg. Now cryptography
was gone, as were Brands and many other great employees. Zero-Knowledge faced an identity
crisis as well as a PR challenge.
The PR challenge was met by re-defining the notion of credibility. From its inception, Zero-
Knowledge had attempted to encompass contradictory publics. They had sought to attract and
resonate with the interests of communities of hackers, crypto-anarchists, venture capitalists,
police agencies, policy makers, and financial institutions. But they had also gradually been
coming to realize that their most vital alignments were with large, entrenched governmental and
corporate institutions, rather than with grass-roots activist movements. They now embraced this
realization fully and engaged in strategic rebranding to change their image in the eyes of those
who mattered, and those who mattered were entities like IBM and American Express. Zero-
Knowledge no longer attempted to embarrass “big boys” to get publicity, as they had when Ian
Goldberg developed a hack to access the Intel chip’s serial numbers. “Issue” PR ceased entirely,
replaced by announcements of successful business alliances. Not only did the Zero-
Knowledge home page no longer support a privacy news archive, PR assiduously avoided any
suggestion that Zero-Knowledge products had political implications. For example, the enterprise
database management product had originally been “Privacy Rights Manager,” because Zero-
Knowledge had then seen privacy rights as a “category” that they could dominate. Now it was
clear that that category didn’t exist, nor could Zero-Knowledge create it. Further, the mention of
“rights” was just too “activist and advocate-like” for their intended clients. So the product
became an “Enterprise Privacy Manager.”
At the same time, Zero-Knowledge changed its understanding of itself. Employees who had
joined for ideological reasons left for the same reasons. Those who stayed enjoyed a new sense
of normalcy and placid humility. Workdays were shorter, more focused and more productive.
Daily and weekly cycles recurred. No longer were they trying to “create a space.” Instead, they
were integrating themselves within existing industries. Gradually, a new identity emerged – that
of a dotcom which had survived.
The standards for success were completely revamped. In 1999, the goal was a billion dollar
capitalization. By 2002, it had become a positive cash flow. In 1999, the company was to be a
visionary thought leader empowering individuals and redistributing social power by providing
cryptographic techniques. By 2002, their highest hopes were that the consumer product would
run a distant third to Symantec and McAfee, and that IBM would somehow agree to pay
licensing fees for Zero-Knowledge’s enterprise product. Management were pleased and proud at
their ability to ride out those tumultuous years. They had met challenges as they arose. In 1999,
potential investors had demanded to see the ability to ramp up quickly, to staff the help desk in
10 languages, and Zero-Knowledge had done that. In 2002, investors needed to see austerity and
positive cash flow, and Zero-Knowledge had done that. They had been flexible enough to
change their ideas, the focus, direction, and style of their company. And it had paid off.
Eventually, the divorce from all of the political dreams with which Zero-Knowledge was
initially invested became public and final. In June 2004, Zero-Knowledge spun off the enterprise
division into a wholly owned subsidiary called Synomos. The following year, Zero-
Knowledge’s senior management changed the company’s name to Radialpoint, specifically to
distance themselves from public memories of Zero-Knowledge. This was just the recognition of
truly changed circumstances, since the new Radialpoint, whose business offering is to manage
subscriber services (such as firewalls, virus blockers and parental controls) for large and mid-size
broadband providers, no longer has any products, markets, or goals in keeping with Zero-
Knowledge’s original incarnation.
Summing up
And so Zero-Knowledge Systems did not survive as a corporate entity committed to social
change through the marketing of software-based pseudonymity services. The Freedom network
was to have been the revenue engine for Zero-Knowledge’s control of the privacy space. But in
making design decisions, Zero-Knowledge always chose cryptographic sophistication over
empirical economics or ease of use. The network was wildly expensive to operate, and the
service was initially slow and buggy. Moreover, it was unclear to the casual user, and even
to sophisticated users, what one should do with a nym.33 The usefulness of strongly segregated
identities was not self-evident, nor was the interface facile enough to support experiment and
play.
The social problem that Freedom set out to solve was invisible; Freedom was “like a seat
belt for cars that don't ever crash, [or a] medicine for a disease that no one ever gets.” This is because
privacy abuses happen behind the scenes: not only is one targeted based on personal profiles, one
is removed from target audiences based on those profiles. How does one know when one has
been denied an opportunity?
33 Phillips ICS
These factors hindered adoption by individuals, and Zero-Knowledge could find no third
parties to subsidize or support consumer use. They miscalculated the interests and the power of
ISPs, who were not self-consciously political actors. Users didn’t choose ISPs according to
their politics, nor did ISPs promote themselves as political choices. Interest portals could not be
recruited, either; privacy was for their users a peripheral and vague concern.
Zero-Knowledge’s strategy had been to “change human behavior on so many levels”, to
“convince people that there was a problem that they didn’t perceive; that that problem could be
solved … by purchasing in a different way than they were used to …and using … a computer in a
different way than they’re used to.” They had expected their own fervor to be hailed and shared.
Instead, it was greeted with silence.
Private credentials and certificates, too, were developed in the context of a market model
that proved fantastic. They would have been crucial, and wildly profitable, in a world organized
to privilege and value non-identified transactions. They were a faithful child of a grandiose
vision – the development team could have tackled movie tickets or telephone service payment
processing systems as the first application. Instead, they went for e-cash, envisioning a long road
to a huge payback, betting that revenue from the Freedom network would support them. Instead,
the Freedom network and client faltered, and Zero-Knowledge chose to fall back and protect
them, believing that they were necessary vehicles for any future certificate based applications.
As the financial situation became more desperate, Zero-Knowledge simply could not spend any
money, time, or energy on hopes for the future, and dropped all interest in private credentials.
PRM was initiated in response to market forces, as potential adopters approached Zero-
Knowledge with their problems. Nevertheless Zero-Knowledge was not able to align its
products with the interests of those adopters. First, many potential clients, especially online data
collecting and ad serving companies, were in the same market bubble with Zero-Knowledge, and
had to drop their pursuit of the problem just as Zero-Knowledge needed their revenue most.
Apart from this historical happenstance, though, there were deeper conflicts. Data holders
simply had no interest in giving up control of their data. It was their data; they did not recognize
that data subjects had any property or moral right in it. Nor were they being forced into
recognizing that right by the data subjects. There was no effective consumer demand for
privacy, no apparent competitive advantage to offering it. Data collectors were under some
pressure from regulations and laws, but those regulations, where they held at all, permitted data
holders either to de-identify information or to obtain consent from the data subject. Collectors
were much more interested in pursuing the option of obtaining and managing consent, an
application for which PRM was overbuilt.
The Enterprise Privacy Manager has proved successful within the terms in which it was
developed. Zero-Knowledge, after assiduously aiming for integration with the practices of those
industries subject to privacy regulation, achieved that integration. They did this, in part, by
linking themselves with the power and position of IBM. Recently, as they expected, they entered
into an intellectual property suit with IBM.34 This suit represents success – a real, resistant
relationship with a stable and enduring entity.
Despite the market research, selling EPM has been difficult. Zero-Knowledge (now
Synomos) have had to convince companies that they needed more than a policy and a lawyer.
They needed a tool to let that lawyer (or the CPO) discover if practice complied with policy, and
EPM was the tool they needed. Nevertheless, they have eventually been able to obtain consensus
that, unlike Freedom, EPM addressed a “problem for people who will spend money.” The
problems were real, the target customers were aware of them, and were used to spending money
to protect their interests.
34 cite suit docs