Re: [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG

"Christian Huitema" <> Sun, 06 December 2015 17:36 UTC

On Saturday, December 5, 2015 10:52 PM, Ned Freed wrote:
> SM <> writes:
> > An attack on organization is a security issue; it isn't a privacy
> > issue.  The privacy issue is about mail-related metadata which can be
> > collected by state surveillance agencies.  Will the proposed working
> > group attempt to fix that?
> As I pointed out on the perpass list when the Received: field draft was
> posted, there are definitely privacy issues associated with Received:
> but metadata collection by state actors really isn't one of them. Why
> with Received: fields when you can simply collect transaction logs from
> ISPs/MSPs.

Ned, you are basically saying, "why bother plugging one leak when the same
data can leak somewhere else." Well, I think it is actually important to
plug all the privacy leaks, much like in security it is important to plug
all the holes.

You are making the argument that authorities can commandeer data by imposing
on mail providers. They can, but in countries with decent rule of law there
are limits, such as requesting probable cause and not going through fishing
expeditions. We have seen rogue agencies attempt to bypass these limits by
just taking the data whichever way they can, and we want to stop that. We
also worry that what these agencies can do today, organized gangs can do
tomorrow, and petty criminals after that.

The email traces are particular because they are carried to multiple places,
not just the submission site but also every relay and every mail recipient.
That multiplies the chances of compromise. My email provider has some reason
to try to maintain my trust, but relays and recipients may not. For me, it
makes a great deal of difference whether the information can be obtained
from just one place or from many.

As I wrote in a previous message, we have a specific problem with the
correlation between IP address and user identity. Once that correlation is
established, it becomes possible to attribute 5-tuple traces to specific
individuals. You may think that the relation between someone's home IP
address and their identity is static, but in many cases it is not. Some ISPs
can provide you with addresses that deliberately vary over time. You can use
a VPN. You can use Wi-Fi hot spots. That's exactly what privacy conscious
users do. And that's why I find the listing of submission IP in traces

I understand that there are good uses of the information, and that managing
email systems is hard. I also understand that the problem is complex. For
example, precise timestamp information can be used for debugging and
validation. But it can also be used to retrieve the IP address of a message
sender, by looking in the 5-tuple traces what addresses were sending packets
to the email provider at that time. We need to surface these issues, to
understand both the cost of the value of the information, and to propose

-- Christian Huitema

> And unless I'm missing something, the generation and collection of
> transaction logs is far beyond the purview of the IETF.
> 				Ned
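As an added illustration, not part of this thread or of any IETF draft, the following Python script works through the leak Christian describes: it finds the authenticated-submission hop in a message's Received: chain, reports the client IP and precise timestamp that hop exposes and how many MTAs have since carried a copy of it, and shows one way a provider could redact that clause before relaying. The sample message, hostnames and RFC 5737 addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample (RFC 5737 documentation addresses, made-up hostnames).
# The lowest Received: clause is the submission hop: "with ESMTPA" means the
# client authenticated to its provider, and the bracketed address is the user's own.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby lists.example.org (Postfix) with ESMTPS id A6E8D1A854D
\tfor <shutup@example.org>; Sun, 6 Dec 2015 09:36:35 -0800 (PST)
Received: from unknown (HELO huitema1) ([192.0.2.45])
\t(envelope-sender <sender@example.com>)
\tby mail.example.com (qmail-ldap-1.03) with ESMTPA for <shutup@example.org>;
\t6 Dec 2015 17:36:29 -0000
From: sender@example.com

constructed body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# ESMTPA / ESMTPSA are the RFC 3848 "with" keywords for authenticated submission.
AUTH = re.compile(r"\bwith\s+E?SMTPS?A\b", re.I)


def received_hops(raw):
    """Received: clauses in header order (newest first), each unfolded onto one line."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]


def submission_leaks(raw):
    """For each authenticated-submission hop return (client_ip, timestamp, copies): the
    IP tying the message to a user, the time matchable against 5-tuple traces, and
    how many MTAs (this one included) have handled the message carrying that clause."""
    leaks = []
    for idx, hop in enumerate(received_hops(raw)):
        if not AUTH.search(hop):
            continue
        ip = IPV4.search(hop)
        stamp = parsedate_to_datetime(hop.rsplit(";", 1)[-1].strip())
        leaks.append((ip.group(1) if ip else None, stamp, idx + 1))
    return leaks


def redact_submission_hop(hop):
    """Illustrative privacy rewrite (an assumption, not any standard): drop everything
    between 'from' and 'by' (client host, HELO name, address, envelope-sender comment)
    and truncate the timestamp to the hour so it no longer pins down a packet flow."""
    head, stamp = hop.rsplit(";", 1)
    head = re.sub(r"^from\s.*?(?=\bby\s)", "from [redacted] ", head, flags=re.I)
    hour = parsedate_to_datetime(stamp.strip()).replace(minute=0, second=0, microsecond=0)
    return f"{head}; {format_datetime(hour)}"
```

Run `submission_leaks(SAMPLE)` to see the exposed address and time, and `redact_submission_hop(received_hops(SAMPLE)[-1])` for the rewritten clause.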