Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

"Christian Huitema" <> Tue, 01 December 2015 19:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4B90D1B2B04 for <>; Tue, 1 Dec 2015 11:50:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id g-T7_xt9Icc0 for <>; Tue, 1 Dec 2015 11:50:54 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C938B1B2AF6 for <>; Tue, 1 Dec 2015 11:50:54 -0800 (PST)
Received: from ([] by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <>) id 1a3qwv-0005Zs-JJ for; Tue, 01 Dec 2015 14:50:54 -0500
Received: (qmail 22531 invoked from network); 1 Dec 2015 19:50:52 -0000
Received: from unknown (HELO huitema2) ([]) (envelope-sender <>) by (qmail-ldap-1.03) with ESMTPA for <>; 1 Dec 2015 19:50:51 -0000
From: "Christian Huitema" <>
To: "'Martijn Grooten'" <>, <>
References: <20151130042819.10658.qmail@ary.lan> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Date: Tue, 1 Dec 2015 11:50:59 -0800
Message-ID: <07bf01d12c71$9b88b790$d29a26b0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHQTY9q0QzQziT/XW3kp2qSufFoDwEVmeDFAlgyR/kCe0wEMwI7WjM7Af3kr9QCeIAPFgGJdFE5Ax3NhecBybfgpwGC/pY+nhPMF+A=
Content-Language: en-us
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Dec 2015 19:50:56 -0000

On Tuesday, December 1, 2015 11:24 AM, Martijn Grooten wrote:
> I agree that if keeping your geolocation is a matter of life and death,
> shouldn't use email, but for me that is not a reason for the IP address to
> visible for anyone who can read the email. I think privacy matters, even
> when it's not about life and death.

I am also concerned with automated mass surveillance, including traffic
analysis. The basic traffic analysis produces "5-tupple" logs. Since a lot
of the Internet usage is now mobile, there is no direct mapping between IP
addresses and user identities. To move from traffic analysis to
surveillance, the analyzers need to restore that mapping. There are multiple
ways to do that, as explained in RFC 7624, and email headers are one of

Clearly, there are also other sources of correlation between IP address and
identity. Various IETF working groups are busy closing these other sources
as well: MAC Address randomization to suppress direct mapping of identities
to roaming devices; DHCP anonymity profile to remove the leakage of metadata
in DNS packets; or, HTTPS to prevent observation of HTTP cookies. To break
the correlation between IP address and identity, we need to also close the
leakage in the SMTP traces.

Everybody understands that there is a tension there between privacy and
fighting spam. I get the use case of the virus-infected home PC that
originates spam through the permissive SMTP relay of some local ISP. But
then many mail providers feel the need to provide privacy to their users,
which drives them to deploy their own formatting of the "received" field. We
do have a tension there, and that tension is precisely why we want to study
the alternatives and come up with a proposed recommendation. Hence the WG

-- Christian Huitema