February 2025

What "zero knowledge" actually means (and why you should care)

Every other week, some tech company announces it is "zero knowledge." It has become a marketing buzzword, right up there with "military-grade encryption" (a phrase with no technical definition, which in practice just means AES-256, the same cipher your iPhone already uses).

But the concept behind zero knowledge is genuinely important. When a service is truly zero knowledge, it changes the trust equation completely. The problem is that most services claiming to be zero knowledge... aren't.

The simple explanation

Zero knowledge means the service provider has zero knowledge of your data. Not "we choose not to look." Not "we have a policy against reading your stuff." It means they cannot read your data, even if they wanted to, even if forced to by a court order, even if hackers break into every server they own. (In academic cryptography "zero-knowledge" names a kind of proof; the marketing term borrows the phrase to mean client-side, end-to-end encryption with keys the provider never holds. That second sense is the one this post is about.)

Think of it like a lockbox analogy:

How to spot the fakes

Here are telltale signs that a service claiming "zero knowledge" probably isn't:

They can reset your password and you keep your data.

This is the #1 giveaway. If a service can reset your password and you still have access to all your files, the key that protects your files was never locked to your password. The service holds that key, or holds enough to rebuild it, so the service can read your files. A truly zero-knowledge service warns you that a lost password means lost data, because it cannot help you. The one legitimate exception is a recovery key or recovery phrase generated on your device at signup and shown to you once: it can unlock the data key without the server ever holding it, and losing both the password and that key still means the data is gone.

They generate previews or thumbnails on the server.

If you upload a photo and the web interface shows a thumbnail that your browser did not produce by decrypting the file, the server decoded your photo to make it. Zero knowledge? No. (A client that builds the thumbnail locally and uploads it encrypted alongside the photo is fine; what matters is where the pixels were decoded.)

They offer server-side search across your files.

If you can search the contents of your encrypted documents and the search runs on the server rather than in your browser, the server can read your documents. There are cryptographic techniques that allow some server-side search without handing the server the plaintext (searchable encryption over a client-built encrypted index, and in principle homomorphic encryption), but they are rare in practice, cost performance, and still leak which documents match which queries. Most services that offer content search are simply reading your files.

They scan for illegal content.

This is a touchy subject, but it's technically telling. If a service scans uploaded files for CSAM or copyrighted material (something some laws and platform obligations require or push towards), it can read your files. You can't scan, hash-match or classify what you can't see. A true zero-knowledge service is in the unusual position of being unable to scan content on its servers; it can only act on user reports and on the metadata it does hold, which is legally complex but cryptographically honest.

Services that actually are zero knowledge

There are legitimate zero-knowledge services out there. They share some common traits:

Some examples in different categories:

Why does this matter?

You might think this is academic. It's not. Here's why zero knowledge matters in practice:

Data breaches. In 2024 there were more than three thousand publicly reported data breaches in the US alone. When a zero-knowledge service gets breached, attackers get ciphertext, useless without keys they don't have, plus whatever metadata the service kept (account emails, file sizes, timestamps). If the keys are derived from passwords, attackers can also try guessing passwords offline against the stolen records, so the strength of your password and of the service's key-derivation function still matters. When a regular service gets breached, everything is exposed.

Insider threats. A meaningful share of data leaks involve people who already have access. A disgruntled employee at a cloud storage company with database access could browse through your files, unless the service is zero knowledge, in which case they would see ciphertext.

Legal demands. Governments can compel companies to hand over data. A zero-knowledge service can comply with the request and hand over encrypted data, which is useless to the requesting party (the metadata it does hold, such as account details and file sizes, is still disclosed). This isn't about evading law enforcement; it's about ensuring that your private data stays private even when companies are forced to hand it over.

Future-proofing. A company's privacy policy can change. Ownership can change. Laws can change. But math doesn't change. If your files were encrypted on your device with a key the server never had, they stay safe regardless of what happens to the company, for as long as the cipher holds and the client you ran was honest.

Don't trust promises. Trust math. A company that says "we won't look" is making a promise. A company that says "we can't look" is describing a property of its architecture, and that is something you can check.

How to verify zero-knowledge claims

If you want to verify whether a service is actually zero knowledge:

  1. Check if it's open source. If you can read the code, you can see where encryption happens. If the key is generated in client-side code and never sent to the server, that's real. Keep in mind that a web app's JavaScript is delivered by the server on every visit, so open source only helps if you can confirm the code you are running is the code you read (pinned releases, reproducible builds, or a desktop client or browser extension rather than a page).
  2. Open the browser's network tab (F12 → Network) and watch what gets sent during upload. Look at the request body, not just the URL: is the raw file (or a base64 copy of it) sent, or ciphertext that bears no resemblance to the file? Check the download side too: does decryption happen after the response arrives?
  3. Check the URL structure. Browsers never send the fragment (the part after #) to the server, neither in the request nor in the Referer header, so a decryption key placed there stays client-side. That's a good design. The fragment does land in browser history and in whatever channel you use to share the link, so treat the link itself as the secret.
  4. Try the password reset test. If losing your password means losing your data (recovery only via a key you were given at signup), that's a strong indicator of true zero knowledge.
  5. Read their security whitepaper. Real zero-knowledge services publish detailed technical documentation about their encryption model, including how keys are derived and what the server stores.

Don't take anyone's word for it — including ours. That's kind of the whole point.

See zero knowledge in action

SecureTransfer is open source. Read the code, check the network tab, verify for yourself. Or just try sending a file →


© 2025 CleveroAB