Why don't other major corporations build Zero Knowledge systems?

Last updated

The short answer: many companies profit from your data.

In the case of Google, their business model is to build free or highly discounted products (to the end user), and then sell the combination of user attention and rich user profile information to advertisers. So building a Zero Knowledge (ZK) system is antithetical to their goals.

In other cases, there are several reasons why a company wouldn't consider it:

It Doesn't Make Sense

In this case, the nature of a system is impractical to implement in Zero Knowledge. There's no obvious way to build a "ZK Netflix," for example. Netflix relies on a large database of content, and there's not an efficient way for subscribers to consume that content without revealing their actions to the server. Google's search product would also be difficult to make ZK.

Generally the products for which a straightforward approach to building them in Zero Knowledge exists are those where the computation could all happen on the end user's device (e.g. all traditional desktop apps, like Quicken, Turbotax, Excel, etc.) and some systems that work with user supplied content (e.g. Google Docs, Google Hangouts, MS Skype, Apple's iMessage, etc.)

It's Too Difficult to Implement

Even for the types of products that are amenable to ZK designs, the biggest limiting factor is the added difficulty to design, build, and maintain over time.

An effective ZK system requires the development team to understand cryptography. The design usually requires choosing specialized data structures that fit the problem domain. Because the server cannot read the data, building new features that require unanticipated schema changes (i.e. changing the database structure, like adding extra columns or tables) are difficult. This means the initial application architecture requires a great deal more planning to anticipate future needs and make data structures extensible after the fact.

A Zero Knowledge application really needs good security review from an independent team to have assurance that there are not accidental flaws that reveal information. Security review is expensive and time consuming. Few conventional apps, even non-zero knowledge apps, bother with this level of security assurance.

Key Management is a Challenge

Lastly there's the challenge of key management. As is frequently discussed in the Apple/FBI case, cryptography is only as strong as the chain of custody for the crypto keys. For most consumer services, there's no ideal key storage solution available. Users don't like the idea that forgetting a password (which is the least common denominator for a cryptography key) may mean they are forever locked out of their account and their content is lost. Enterprise customers may need sophisticated key escrow features for regulatory compliance reasons.

Why ZK Matters to Us

Knowing all the hard work and the extra expense that it adds to our business, you might be wondering: "Why do they even bother?"

At SpiderOak, Zero Knowledge is at the core of what we do and it is precisely the value we know we're adding to our products. This extra effort is the reason why our supporters choose our products over the alternatives. ZK supports our goal to continue to provide peace of mind by creating products that protect people's privacy online.