Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Chris Lewis <ietf@mustelids.ca> Thu, 03 December 2015 03:58 UTC

Return-Path: <ietf@mustelids.ca>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32FB71A0126; Wed, 2 Dec 2015 19:58:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.043
X-Spam-Level: ***
X-Spam-Status: No, score=3.043 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_RELAY_NODNS=1.451, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M-eDj4wU67s9; Wed, 2 Dec 2015 19:58:34 -0800 (PST)
Received: from stoat.mustelids.ca (unknown [174.35.246.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402441B2EF7; Wed, 2 Dec 2015 19:58:33 -0800 (PST)
Received: from [192.168.0.6] (badger.mustelids.ca [192.168.0.6]) (authenticated bits=0) by stoat.mustelids.ca (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB33wUMo029190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 2 Dec 2015 22:58:30 -0500
To: shutup@ietf.org
References: <20151130042819.10658.qmail@ary.lan> <1448858775386-ceecd236-8b11ac04-a03b4438@fugue.com> <01PTPUIP3IUK01729W@mauve.mrochek.com> <11d014e5-9a6a-4b78-92a1-8e0a1e0a905d@gulbrandsen.priv.no> <lGTaHvC8ygXWFAuu@highwayman.com> <57B818513A0069189BA3CF41@JcK-HP8200.jck.com> <1449014394167-7d2dec58-2c6a9ae8-33fc8e7a@fugue.com> <565E4CCF.3080901@mustelids.ca> <565E4FEC.2000607@cs.tcd.ie>
From: Chris Lewis <ietf@mustelids.ca>
X-Enigmail-Draft-Status: N1110
Message-ID: <565FBDE6.8020001@mustelids.ca>
Date: Wed, 2 Dec 2015 22:58:30 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
In-Reply-To: <565E4FEC.2000607@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/M7cKPVce7MLWKpld9VcFH5i-ZxM>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 03:58:35 -0000

On 12/01/2015 08:57 PM, Stephen Farrell wrote:
>
>
> On 02/12/15 01:43, Chris Lewis wrote:
>>
>> It's far better to train them in the reality of what they need to do to
>> preserve their own privacy, than the impossibility of trying to
>> privacy-protect everything (and still have something anybody wants to use).
>
> Do you have any evidence for the above?

> But in any case, I think your argument is clearly wrong because we
> know that it is not possible to "train them" in security or privacy.
> (That leaves open the possibility that your conclusion is correct
> based on some other argument, but very much weakens confidence in
> your conclusion for me.)

You will find no person more in agreement that we cannot train 100% of 
people with PSAs and similar (the fact that 419s still flow is certainly 
proof of that), but the reality is that most people do learn such things 
one way or another.  You have and I have, otherwise, we'd not be having 
this discussion.  Did you get your knowledge from a PSA?  Your parents? 
  School?  The media?  Nope.  But you still got it.

Trying to "measure" the result of training is usually futile, because 
correctly posing the questions, and getting useful answers is equally 
complicated and fraught with definitional/terminology problems.  I groan 
whenever these surveys are published, because the questions are badly 
crafted, the answers irrelevant, the interpretation is completely out to 
lunch, and the media scrambles it unrecognizeably.

And indeed, does the fact that 1% of people are still liable to fall for 
a 419 mean that the training, education, PSAs, news media coverage of 
such things etc was all in vain?  No.  is it effective?  Somewhat. 
Perfect?  No.

The subject is mushy.  People are mushy.  Measuring things that are 
mushy in 2+ dimensions is worse. But most of us have managed to survive 
vastly more dangerous circumstances by learning how to avoid them along 
the way.  It's slow, but it happens.  Just type in "how to use email 
anonymously" into your search engine, and voila!

> IMO the onus is on us as technology developers to ensure that what
> we make allows those who deploy that to do a good enough job.

Is hiding from clauses sufficient to do that?  No, not when the people 
who use email don't understand that what they put in the bodies of the 
emails is usually FAR more revealing than a temporary IP address in an 
Internet cafe does, or the fact that my MTA's IP address indicates, at 
best, I'm "somewhere in south, maybe eastern ontario".

Nothing you can do with from clauses will affect the bad guys looking at 
you.

Only the people already conscious/understanding of personal 
safety/privacy are going understand and make the choices that they need 
to make to preserve their privacy.  A mere from clause is not going to 
it, and claiming that eliding from clauses does anything significant to 
preserve privacy is in the end a dangerous lie even just in an email 
context.

> In
> this case there is room for debate about the cumulative privacy
> exposure from many messages including MUA IP addresses (or of
> popular implementations defaulting to do so) vs. the benefits
> accruing to anti-spam techniques.

Please don't minimize it as just being "anti-spam".  I say I'm 
"anti-spam", but what that really means is anti-spam, anti-fraud, 
anti-malware.  The latter two have serious real-world consequences.  LE 
uses this to try to find people contemplating suicide, or equally, 
people making death/bomb threats or engaging in harassment.  ISPs use 
this to identify and inform customers that are infected with malware.

I (and several others here) could "document" some of what I've seen/been 
involved with where this matters, but that would in many cases (a) 
violate NDAs, (b) give the bad guys intel on how to avoid us, (c) 
probably violate privacy, and (d) since it's just me and not a vetted 
journal or something equally "reputable", some here will ignore it 
anyway as hearsay or self-serving BS.

[Which is ironic, because my work almost never involves MSA submission 
addresses, and it's not parsed let alone recorded.  I don't really have 
a horse in this race.]

This is real life too: user's savings and lives depend on some of this, 
not just a few annoying spam messages.

Yes, it would be nice for LE to say something, but the approvals 
required to say _anything_ whatsoever in public take a very long time, 
it'd probably get dismissed as self-serving hearsay, and as I've seen 
often, some people get all wobbly when LE is around.

It would also be nice for providers to say something, but the legal 
constraints of "speaking on behalf of/in public" are even worse.  When I 
did that once for a topic near to this, it took four months to get 
approvals and I had to go through a media relations course (until I 
pointed out that they didn't have to worry about be bleating out company 
future plans/finances because, unlike the senior executives normally 
taking the course, I couldn't possibly know any of that to leak).