SpiderOak claiming "zero knowledge" doesn't really matter, right?

Discussion in 'privacy technology' started by Rigz, Dec 6, 2015.

  1. Rigz

    Rigz Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    65
    Location:
    Earth
    The company claims "zero knowledge" but is also a US company. If the US government decided that they wanted SpiderOak to install a backdoor into their "zero knowledge" service they would be forced to either comply, and keep quiet about it (meaning they would still have to lie to the rest of us and claim to be zero knowledge), or close shop.

    A friend of mine made the argument that if something like finding a backdoor ever got out then SpiderOak's reputation would be shot, and everyone would leave their service.

    My response to that is that if the US government demanded a backdoor then SpiderOak would either comply, or shut down their business. The end result being that the company could stay open and continue to make money a little longer if they play ball with the government.

    So, this is super paranoid, and assuming that SpiderOak is a typical evil corporation just out to make money, but it makes sense right? Maybe the "zero knowledge" aspect of the service is the zero knowledge that we have as to what the software is doing since it isn't open source... on the other hand maybe they're a great company and really want to look out for the privacy rights of individuals... but on the other hand....
     
    Last edited: Dec 6, 2015
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    There's a similar problem with the UK's draft Investigatory Powers Bill. In the weasel lawyer wording, it does indeed imply that UK software companies could be compelled to do such a thing, with secret orders in perpetuity with no ability to challenge it. They claim they will recompense you for your trouble, but there is no recompense for the fact that the "secret" will eventually out, ruining the company. In any case, people will rightly assume that it could be so, and will make their purchasing decisions accordingly. It doesn't matter how noble the company's intentions are, the only thing they can do in the circumstances is to shut down, which only works if there is an owner-operator (as in the Lavabit instance). In a more corporate set-up with external shareholders, the directors would be compelled to carry on pretending for the reasons you outline.

    The ONLY thing you can do is to adopt multiple defences with elements of open source which you control in the mix. You could not, in any case, completely trust any server-based service because it could be compromised without knowledge of the owner, or have various MitM attacks performed on it, and this applies whatever the jurisdiction.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    One thing that helps, and I am not really familiar with SpiderOak, but with Rackspace and its subsidiary Jungle Disk, the data leaves your machine encrypted by their software, and only you have the key. Sure they could install a backdoor in the software, to get that key, but if you encrypt the data yourself before that, using a good password, you should be reasonably safe.
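    Peter2150's suggestion above, encrypting the data yourself so the provider's sync client only ever handles ciphertext, as an added example that is not part of this thread and is not SpiderOak's or Jungle Disk's own software. It assumes OpenSSL 1.1.1 or later is installed (for the `-pbkdf2` option); the file names, directory and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: encrypt a file locally with a password-derived key before it is
# handed to any backup/sync client. Assumes OpenSSL 1.1.1+ (for -pbkdf2).
# File names and the passphrase below are constructed for the demo.
set -eu

# encrypt_for_upload <plaintext-file> <passphrase> <output-file>
# The passphrase is passed through the environment rather than the command
# line so it does not show up in the process list.
encrypt_for_upload() {
    PW="$2" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -pass env:PW -out "$3"
}

# decrypt_local <ciphertext-file> <passphrase> <output-file>
decrypt_local() {
    PW="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -pass env:PW -out "$3"
}

# roundtrip_ok: builds a constructed sample document, encrypts and decrypts it,
# and returns 0 only if the ciphertext hides the plaintext and the decrypted
# copy matches byte-for-byte.
roundtrip_ok() {
    tmp=$(mktemp -d)
    old_umask=$(umask)
    umask 077                      # keep the working files private to this user
    printf 'tax-return-2015 secret contents\n' > "$tmp/doc.txt"
    pw='correct horse battery staple'   # constructed passphrase for the demo
    encrypt_for_upload "$tmp/doc.txt" "$pw" "$tmp/doc.txt.enc"
    decrypt_local "$tmp/doc.txt.enc" "$pw" "$tmp/doc.out"
    umask "$old_umask"
    # the decrypted copy must equal the original
    if ! cmp -s "$tmp/doc.txt" "$tmp/doc.out"; then rm -rf "$tmp"; return 1; fi
    # the file that would be uploaded must not contain the plaintext marker
    if grep -q 'tax-return' "$tmp/doc.txt.enc"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```

    Only the `.enc` file would be placed in the folder the provider's client watches. Two caveats a practitioner would attach: `openssl enc` gives confidentiality only, with no authentication of the ciphertext, so a tool that does authenticated encryption is preferable for anything beyond a demonstration; and, as the next post in the thread points out, this protects the data from the provider's software but not from a compromised endpoint, since the passphrase is typed on the same machine.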
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Unless the software is open-source, it's not just a backdoor to that software on its own, it can include things like KSL to compromise your whole machine and any encryption you may do independently. And those things could be quite selective and stealthy in their operation.

    Of course, there are controls such as compartmentalisation and operation in VMs that help, but really, how many will actually do that?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Such "zero knowledge" guarantees are meaningless without sovereignty. Just sayin'.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    That type of argument is fairly common. However:
    1. The situation would need to become widely known. To not only current clients, but also potential future clients. Public awareness of security/privacy threats, business and government relationships that affect those, etc. is extremely low. Even more so when publicity is hampered by non-disclosure agreements and/or government mandated secrecy.
    2. There would need to be pretty solid evidence that the backdoor was a purposeful/dedicated/inexcusable backdoor. Rather than an "overlooked design flaw", a coding and/or configuration "mistake", a "feature" that happens to have mixed consequences, or something else that many people tend to (foolishly) shrug off.
    3. A significant portion of the current and future client base would not only have to be aware of and understand the situation, but also feel strongly enough... be motivated enough... and have the time/ability to... take action. As in make whatever arrangements are necessary to dump the service and/or refrain from using the service in the future. It is incredibly hard to get substantial numbers of consumers/citizens to take action. Even in those cases that are very clear cut.
    4. The fallout would have to be severe enough to really harm the company/owners/investors/employees. Not just short term harm that they could weather somehow and bounce back from, but long term harm that simply can't be endured and therefore risked.
    Throughout our history there have been countless examples of companies and their owners/operators doing bad things... sometimes even explicitly breaking the law with no hope of defense or cover and/or physically harming if not killing people... but they managed to survive the ordeal and continue to do business. How many times over the years have you heard of a company doing something obviously bad from a security/privacy POV... and there was no reaction to speak of, or the reaction was but a brief flash in the pan and/or light financial slap on the wrist?

    IOW, and again in general, the argument in question is weak. It is based on overly optimistic, hopeful assumptions about how things would play out. Frankly, I don't think that type of argument has a place in security/privacy discussions. The focus should, must, be on more reliable means of defense.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @TheWindBringeth - I think you're right in terms of companies doing bad things, because, as we see in other domains, the perpetrators are long gone by the time the damage emerges, but with their bonuses and pensions secure in their mitts.

    However, the corrosive effect on all providers headquartered in a foolish jurisdiction is that the market is global, and global customers will make reasonable purchasing decisions based on what might happen. So that leaves software companies with some evil choices about whether to relocate to a more rational jurisdiction. I think there will be a lot of such conversations in many boardrooms because the tiresome rhetoric seems to be increasing rather than going away.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Finding "safe" jurisdictions is getting harder and harder :(