Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Ted Lemon <mellon@fugue.com> Wed, 02 December 2015 02:55 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF0071B31AD; Tue, 1 Dec 2015 18:55:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3EAxuVYeLo4F; Tue, 1 Dec 2015 18:55:22 -0800 (PST)
Received: from fugue.com (mail-2.fugue.com [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1461B31A8; Tue, 1 Dec 2015 18:55:21 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14490249146060.39559955755248666"
From: Ted Lemon <mellon@fugue.com>
To: ietf@mustelids.ca
In-Reply-To: <565E4CCF.3080901@mustelids.ca>
References: <20151130042819.10658.qmail@ary.lan> <1448858775386-ceecd236-8b11ac04-a03b4438@fugue.com> <01PTPUIP3IUK01729W@mauve.mrochek.com> <11d014e5-9a6a-4b78-92a1-8e0a1e0a905d@gulbrandsen.priv.no> <lGTaHvC8ygXWFAuu@highwayman.com> <57B818513A0069189BA3CF41@JcK-HP8200.jck.com> <1449014394167-7d2dec58-2c6a9ae8-33fc8e7a@fugue.com> <565E4CCF.3080901@mustelids.ca>
Date: Wed, 02 Dec 2015 02:55:14 +0000
Message-Id: <1449024914920-c367c12b-5b2db232-b118a379@fugue.com>
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/36J4rSDJpPO-7eKpjdYKs5kXcxM>
Cc: shutup@ietf.org, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 02:55:24 -0000

Tuesday, Dec 1, 2015 8:43 PM Chris Lewis wrote:
> The reality is that if the user wasn't already conscious of their privacy and striving to preserve it through continuous vigilance, they've already completely outed themselves.
> 
> For example, if you're expecting to use a nicknamed gmail account, that email conversation with Amazon with your credit card info or Facebook with your real name last year, has outed that gmail account forever - gmail hides received lines remember?

I think you are misunderstanding the reasoning behind hiding the IP address in the received header.   It is not because the IP address associates the email address with your identity.   In all likelihood, the email address is very strongly associated with your identity, as you say.   One of the primary uses of email addresses _is_ to establish an identity, after all.

The purpose of obscuring the IP address is to avoid an association between the _IP address_ and your identity.   This accomplishes several useful privacy benefits:

- If you regularly post to a public mailing list, as we both do, nobody can scrape the mailing list for Received headers and figure out whether or not I am at home, in order to find an opportune time to break into my home.
- If you post to a public mailing list, that doesn't reveal information about where you live to people who might want to harass you.
- An MiTM attack on your email service provider that prevents TLS encryption of your mail will not give the attacker information linking your identity to specific IP addresses.

Whether these are issues that we need to be concerned about is certainly something we can debate.   I definitely agree that _just_ obscuring the IP address in the Received header isn't enough to protect you.   But if it's not obscured, that's definitely enough to out you.

> It's far better to train them in the reality of what they need to do to preserve their own privacy, than the impossibility of trying to privacy-protect everything (and still have something anybody wants to use).

This is literally impossible.   We don't demand that airline passengers take part in making sure that the airplane is safe to fly.   Why do we expect people with similar levels of knowledge about the operation of email to understand how to preserve their privacy?


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon@fugue.com
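
The association discussed in this message, between a sender's identity and the IP address recorded in a Received header, can be checked on one's own outgoing mail. The following is an added example, not part of the original post: it parses a message's Received headers and reports whether the first (submission) hop records a publicly routable client address. The sample messages, host names and the `audit_received` / `exposes_client` helpers are constructed for illustration, with documentation address ranges standing in for real addresses.

```python
import email
import ipaddress
import re

# Ranges that do not point at a subscriber line on the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]
# Address literal in a Received "from" clause: [192.0.2.1] or [IPv6:2001:db8::1]
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def audit_received(raw_message):
    """Return one finding per address literal, oldest hop first."""
    msg = email.message_from_string(raw_message)
    # Unfold each header; the last Received header is the first hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    findings = []
    for n, hop in enumerate(reversed(hops)):
        if not hop.lower().startswith("from "):
            continue  # no "from" clause, so no peer address recorded
        from_clause = re.split(r"\sby\s", hop, maxsplit=1)[0]
        for literal in IP_LITERAL.findall(from_clause):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an address
            routable = not any(addr in net for net in NON_ROUTABLE)
            findings.append({"hop": n, "address": str(addr), "routable": routable,
                             "exposes_client": n == 0 and routable})
    return findings

def exposes_client(raw_message):
    """True if the submission hop records a publicly routable address."""
    return any(f["exposes_client"] for f in audit_received(raw_message))

def sample(first_hop):
    # Constructed message; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    return (
        "Received: from mx.list.example (mx.list.example [198.51.100.20])\n"
        " by archive.list.example with ESMTP; Tue, 1 Dec 2015 18:55:23 -0800\n"
        f"Received: from {first_hop}\n"
        " by submit.provider.example with ESMTPSA; Tue, 1 Dec 2015 18:55:20 -0800\n"
        "From: user@provider.example\n\nbody\n")

LEAKY = sample("laptop.home.example (cpe.isp.example [203.0.113.7])")
SCRUBBED = sample("localhost (localhost [127.0.0.1])")

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("scrubbed", SCRUBBED)):
        print(name, exposes_client(raw), audit_received(raw))
```

Only the oldest hop is flagged, because later hops record server-to-server relays rather than the sender's own connection.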