I previously wrote about Clipperz because I really think Marco and team at Clipperz have a great idea.  To summarize, Clipperz has technology for “zero-knowledge web applications” which they have applied to an online password manager as a proof of concept.  Marco writes:

“We simply meant that Clipperz knows nothing about its users and their data!

As a consequence of the “learn nothing” mantra, every zero-knowledge application should be completely anonymous, or at least it should make it impossible to relate the real name or email of a user to his data”

It seems that Richard Stallman agrees that Clipperz technology could be very useful in the cloud-based computing world that awaits us.

The guys at Clipperz and RMS have been talking about how Clipperz’s technology could provide freedom and privacy in the cloud.  To that end, they suggest (summarized from here):

  1. Choose AGPL: If your services are based on software with an AGPL license, you have to make the source code available to anyone that uses the service
  2. Add zero-knowledge sauce: The server hosting the web app could know nothing of its users, not even their usernames
  3. Build a smarter brower: We still need to provide users of web apps with an even more flexible and secure environment.

To expand on #3, Marco writes:

“Stallman suggests adding a feature to the browser allowing a user to say: “When you get URL X, use the Javascript from URL Y as if it came from URL X.” If the user does invoke this feature, he can run his copy of the Javascript and still being able to exchange data with the server hosting the web application.

A browser with such capabilities could also easily verify if the Javascript from URL X is different from the alternative Javascript stored at URL Y. If the user trusts the present release of the Javascript code from URL X, he could make a copy of it at URL Y and be alerted if any change occurs.

This solution protects the user from malicious code that could be unknowingly executed by his browser, stealing his data and destroying the whole zero-knowledge architecture. “

Personally, I think #2 and #3 are great ideas.  I’m having trouble with #1, the AGPL requirement.  From an academic standpoint, I can agree with it.  But if we’re asking Google, Amazon, Microsoft, IBM, Sun, HP, etc. to use AGPL’d code, it could become an uphill battle.

Using the AGPL’d widget (from Clipperz in this case) that enables a “zero knowledge web application” is not the problem.  However, the viral nature of the AGPL would be a concern for any vendor who intends to drive revenue from their proprietary code/application delivered via a SaaS from a Cloud.  I guess that these vendors could always license the Clipperz technology…