Re: [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG

["Christian Huitema" <huitema@huitema.net>]

On Saturday, December 5, 2015 10:52 PM, Ned Freed wrote:
> SM <sm@resistor.net> writes:
> 
> > An attack on organization is a security issue; it isn't a privacy
> > issue.  The privacy issue is about mail-related metadata which can be
> > collected by state surveillance agencies.  Will the proposed working
> > group attempt to fix that?
> 
> As I pointed out on the perpass list when the Received: field draft was
first
> posted, there are definitely privacy issues associated with Received:
fields,
> but metadata collection by state actors really isn't one of them. Why
bother
> with Received: fields when you can simply collect transaction logs from
> ISPs/MSPs.

Ned, you are basically saying, "why bother plugging one leak when the same
data can leak somewhere else." Well, I think it is actually important to
plug all the privacy leaks, much like in security it is important to plug
all the holes.

You are making the argument that authorities can commandeer data by imposing
on mail providers. They can, but in countries with decent rule of laws there
are limits, such as requesting probable cause and not going through fishing
expeditions. We have seen rogue agencies attempt to bypass these limits by
just taking the data whichever way they can, and we want to stop that. We
also worry that what these agencies can do today, organized gangs can do
tomorrow, and petty criminals after that.

The email traces are particular because they are carried to multiple places,
not just the submission site but also every relay and every mail recipient.
That multiplies the chances of compromise. My email provider has some reason
to try maintain my trust, but relays and recipients may not. For me, it
makes a great deal of difference whether the information can be obtained
from just one place or from many.

As I wrote in a previous message, we have a specific problem with the
correlation between IP address and user identity. Once that correlation is
established, it becomes possible to attribute 5-tuple traces to specific
individuals. You may think that the relation between someone's home IP
address and their identity is static, but in many case it is not. Some ISP
can provide you with addresses that deliberately vary over time. You can use
VPN. You can use Wi-Fi hot spots. That's exactly what privacy conscious
users do. And that's why I find the listing of submission IP in traces
problematic.

I understand that there are good use of the information, and that managing
email systems is hard. I also understand that the problem is complex. For
example, precise timestamp information can be used for debugging and
validation. But it can also be used to retrieve the IP address of a message
sender, by looking in the 5 tuple traces what addresses were sending packets
to the email provider at that time. We need to surface these issues, to
understand both the cost of the value of the information, and to propose
solutions.

-- Christian Huitema







> And unless I'm missing something, the generation and collection of
> transaction logs is far beyond the purview of the IETF.
> 
> 				Ned
> 
> _______________________________________________
> Shutup mailing list
> Shutup@ietf.org
> https://www.ietf.org/mailman/listinfo/shutup