SecurityFocus 2001-10-04
Sophisticated privacy network enjoyed cypherpunk street cred, but few customers.
The Montreal-based privacy and security company notified its subscribers of the change in a curt support
The sudden suspension may have come as a shock, but not a surprise. Privacy mavens contacted by SecurityFocus said they saw little evidence that Freedom was being used.
"I get only a few hits from ZKS, but I get only a few hits from anonymizers of any kind," said John Young, a New York City architect who operates Cryptome, a site dedicated to airing documents that deal with the world intelligence community. "What most of us were concerned about was how long they could keep it up."
ZKS co-founder Austin Hill conceded that Freedom never really took off.
"This was purely a business decision," Hill said. "Initially we got incredible response for the premium services, but we knew we were dealing with early adopters. But soon we saw the transfer into the mass market just didn't carry over. The subscription rates really plunged."
Hill declined to disclose subscriber numbers.
ZKS made a huge splash in the world of privacy-aware netizens when it announced Freedom in 1998. Back then, the Internet was still riding high. High, too, was anxiety over unscrupulous governments and corporations that might monitor Internet users' every click and keystroke. The looming combination of web cookies, server logs and purchase histories, many feared, would lead to the compilation not just of what people bought, but what they wrote, what they read, and every aspect of their online identity.
To some, ZKS' Freedom seemed to be the answer. To prevent others from tying tell-tale data left by PCs back to individuals, Freedom used powerful data-scrambling technology to make that data unreadable, and users virtually untraceable. Customers paid about $50.00 per year for the service.
Adding to the buzz was ZKS' solid cypherpunk pedigree. Company executives signed up a passel of renowned security experts to design Freedom, including Ian Goldberg, who first won fame by exposing security flaws in the Netscape browser. If people like civil libertarian Goldberg and fellow cryptographer Adam Shostack designed the system, the reasoning went, it had to be good.
Special servers that resided on the Internet functioned as privileged gateways for Freedom users. Instead of broadcasting their data to their ISPs and the rest of the world, PCs with the ZKS software installed talked only to Freedom servers through a series of specially encrypted packets.
Users could pass their web traffic through one, two or three separate Freedom servers before landing at the website they wanted to browse. When their requests touched down at a target site, the server there saw only that it came from a Freedom user. Because Freedom never left any other information that could be traced to the user, the target website had no way of tying, say, a user's numeric IP address to the name he might leave behind on an order form.
And since the service encrypted traffic as it passed from the user to the Freedom server and back again, would-be eavesdroppers never had a chance to figure out what John Q. Netizen saw on the net. The Freedom network would even run traffic through two or three such servers if a user feared that cyber spies could somehow correlate their web requests to activities on a given server.
The technology was almost too good to be true, and, some said, too costly to last.
"The business was awfully expensive," said Lance Cottrell, president of Anonymizer.com, a web-based privacy service that has survived in part because it does not go to the same lengths -- extreme lengths, some say -- to protect its users.
The Freedom network came with performance costs, in part because it generated many packets that served only to make snooping on subscribers more difficult. The proportion of excess traffic declined as more users signed up, but the system would always use much more bandwidth than the unprotected Internet did. Many users noticed a visible slowing in their net connections as a result.
Greg Broiles, a lawyer and cryptographer who advises companies on issues of security and e-commerce, said he didn't think there would ever be enough users to justify the expense of the network. "I just don't see how it could work," said Broiles. "It makes it hard to get out of bootstrap mode."
The system also required users to operate a separate toolbar.
"It was more than what the market wants," Cottrell said. "We're down to the point that you download this teeny little button, and you click it on and you're off. That's it."
Observers said the timing of the announcement -- just weeks after terrorist attacks in New York, Washington and Pennsylvania -- was sure to generate conspiracy theories about law-enforcement pressure to kill anonymity throughout the world.
But even Broiles, a long-time opponent of federal restrictions on privacy technologies, said anyone who needed the extreme privacy protection Freedom offered probably has many more things to worry about.
"I don't imagine there's anyone out there especially interested in knowing which web pages I have read," said Broiles. "But if I did, I would also worry about whether they had broken into my house and installed an (eavesdropping device) on my machine."
"The only people who have to worry about the NSA spending $100,000 to go after them just aren't the people we want as customers," said Anonymizer.com's Cottrell. "That's a pretty scary group."
Cryptome's Young wonders how much of a future anonymizing services have left. Although some privacy-aware people like them, others simply choose large, national ISPs on the theory that only a formal criminal investigation will likely divulge what they have been doing. And even then, he adds, using anonymity services poses risks to people whose best defense may be simply to blend in.
"Using anonymizers at all raises all sorts of red flags," Young said. "Most of us now are using things other than anonymizers. Staying on the move, not using one system for very long, is what I tell people to do."