Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Chris Lewis <> Thu, 03 December 2015 20:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 70CD51A90EE; Thu, 3 Dec 2015 12:13:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 4.064
X-Spam-Level: ****
X-Spam-Status: No, score=4.064 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_RELAY_NODNS=1.451, MISSING_HEADERS=1.021, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eai07cyN4-Wd; Thu, 3 Dec 2015 12:13:31 -0800 (PST)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 25CDA1A9105; Thu, 3 Dec 2015 12:13:31 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB3KDTt3000788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 3 Dec 2015 15:13:29 -0500
References: <20151130042819.10658.qmail@ary.lan> <> <> <> <> <> <> <> <> <> <>
From: Chris Lewis <>
X-Enigmail-Draft-Status: N1110
Message-ID: <>
Date: Thu, 3 Dec 2015 15:13:29 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20090812 Thunderbird/ Mnenhy/
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Dec 2015 20:13:32 -0000

On 12/03/2015 09:44 AM, Dave Crocker wrote:
> On 12/2/2015 7:58 PM, Chris Lewis wrote:
>> You will find no person more in agreement that we cannot train 100% of
>> people with PSAs and similar (the fact that 419s still flow is certainly
>> proof of that), but the reality is that most people do learn such things
>> one way or another.

> "Most people" do not.  Not even close to most people and very nearly
> never any people consistently, since the ability of humans to perform
> real-time and nuanced monitoring reliably like this, reliably and over
> time, borders on no ability at all.

> Feel free to provide documentation to the contrary.

I'm going to appear flippant, but I think it's appropriate.

Neither you nor I have been killed by a bus.  Every time we meet I 
"document" that fact by saying "hi Dave" and chatting a bit (or do you 
want to see my passport next time?).

In fact, very few people have been killed by buses.

That success is not part of our genetic makeup, it's not wired in.  It 
required training to achieve that, it's very real-time, and requires 
nuanced monitoring ("is that thing possibly going to hit me?" to a 
degree that technology cannot make us immune).  Nor does the fact that a 
few people have been killed by a bus mean that the training didn't work.

We can build the signs, the fences, the traffic signals and so on, but 
none of that's going to save me if I walk around the center of the city 
with my eyes closed.

The reality is that trying to retain the privacy level that some people 
think they need to have cannot be done "reliably" and still permit the 
use of the Internet in the way that most people want.  If we want to 
"nanny" privacy to this level, we really should be talking about filters 
that prevent people from giving out their phone numbers, addresses, 
pictures of pets (with geolocation in the jpgs), and vacation schedules 
in email or anywhere else.

People have to partition what they do between "what must be kept 
private" and what doesn't need to, and use measures appropriate to their 
actions at the time.

> The issue isn't whether people generally understand the general issue.
> It's whether they can develop very specific understandings and apply
> them in real time, to useful effect over extended time.

I contend that people can acquire general understandings (at least in 
this area) that require no deep-dive into understanding the underlying 
technology to achieve the level of privacy they want, and in fact it's 
quite easy to a level far exceeding just removing "from" clauses. To 
wit: "If you want email privacy, use an anon remailer, there's lots 
listed on <search engine of choice>, and check out the reviews".

[My advice would also be "don't subscribe to IETF lists".  I've gotten 
11 spams in the few days since I created this email address to 
participate in this discussion.]

>> Trying to "measure" the result of training is usually futile, because
>> correctly posing the questions, and getting useful answers is equally
>> complicated and fraught with definitional/terminology problems.

> Right.  That should alert us all to the challenges of the training itself.

Or, alert us that our measurement methods are completely bogus, and we 
really should be measuring it some other way.

While I have no way to prove this, I should think that the success rates 
of 419s are lower than they would have been in the society of 20 years ago. 
If not, the human race is far stupider than anyone thought and we're 
all doomed.

[I should be careful in saying that, after having one experience 
intervening with one allegedly hi-tech astute husband and wife who were 
about to fall for the exact same phish for the second time.]