Zero-knowledge service
{{not to be confused|zero-knowledge proof}}
In cloud computing, zero-knowledge (or occasionally no-knowledge or zero access) is a commonly used term for online services that store, transfer or manipulate data with a high level of confidentiality, where the data is accessible only to the data's owner (the client), and not to the service provider. However, unlike "end-to-end encryption", the term "zero-knowledge" does not imply any specific threat model or security notion, and its use is commonly frowned upon by the security community.{{cite web |last1=Soatok |title=What To Use Instead of PGP |url=https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/ |website=Dhole Moments |access-date=7 April 2025}}{{cite journal |last1=Albrecht |first1=Martin R. |last2=Paterson |first2=Kenneth G. |title=Analyzing Cryptography in the Wild: A Retrospective |journal=IEEE Security & Privacy |date=November 2024 |volume=22 |issue=6 |page=3 |doi=10.1109/MSEC.2024.3441764 |url=https://eprint.iacr.org/2024/532.pdf |access-date=7 April 2025}}
The term "zero-knowledge" was popularized by backup service SpiderOak, which later switched to using the term "no knowledge", acknowledging that the previous terminology was not technically accurate.{{cite web |last1=SpiderOak |title=Why We Will No Longer Use the Phrase Zero Knowledge to Describe Our Software |url=https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489 |website=Medium |access-date=7 April 2025}}
Disadvantages
Most{{cn|date=December 2021}} cloud storage services keep a copy of the client's password on their servers, allowing clients who have lost their passwords to retrieve and decrypt their data using alternative means of authentication; but since zero-knowledge services do not store copies of clients' passwords,{{Cite book |last1=Kiefer |first1=Franziskus |last2=Manulis |first2=Mark |title=Computer Security - ESORICS 2014 |chapter=Zero-Knowledge Password Policy Checks and Verifier-Based PAKE |series=Lecture Notes in Computer Science |chapter-url=https://eprint.iacr.org/2014/242.pdf |year=2014 |volume=8713 |pages=295–312|doi=10.1007/978-3-319-11212-1_17 |isbn=978-3-319-11211-4 }} if a client loses their password then their data cannot be decrypted, making it practically unrecoverable.
Most{{cn|date=December 2021}} cloud storage services are also able to comply with access requests from law enforcement agencies for similar reasons; zero-knowledge services, however, are unable to do so, since their systems are designed to make clients' data inaccessible without the client's explicit cooperation.