Re: [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG

Chris Lewis <ietf@mustelids.ca> Sun, 06 December 2015 06:34 UTC

Return-Path: <ietf@mustelids.ca>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6105B1B3265 for <shutup@ietfa.amsl.com>; Sat, 5 Dec 2015 22:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.043
X-Spam-Level: ***
X-Spam-Status: No, score=3.043 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_RELAY_NODNS=1.451, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKzFhIMPvIMY for <shutup@ietfa.amsl.com>; Sat, 5 Dec 2015 22:34:56 -0800 (PST)
Received: from stoat.mustelids.ca (unknown [174.35.246.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD331B3263 for <shutup@ietf.org>; Sat, 5 Dec 2015 22:34:56 -0800 (PST)
Received: from [192.168.0.6] (badger.mustelids.ca [192.168.0.6]) (authenticated bits=0) by stoat.mustelids.ca (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB66YrGD005602 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <shutup@ietf.org>; Sun, 6 Dec 2015 01:34:54 -0500
To: shutup@ietf.org
References: <6.2.5.6.2.20151205205343.0c75fed0@elandnews.com>
From: Chris Lewis <ietf@mustelids.ca>
X-Enigmail-Draft-Status: N1110
Message-ID: <5663D70D.30707@mustelids.ca>
Date: Sun, 6 Dec 2015 01:34:53 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
In-Reply-To: <6.2.5.6.2.20151205205343.0c75fed0@elandnews.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/YnZYmc9ZB9XP-sL0nqXXfOf254o>
Subject: Re: [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 06:34:57 -0000

On 12/06/2015 12:24 AM, SM wrote:

> An attack on organization is a security issue; it isn't a privacy
> issue.  The privacy issue is about mail-related metadata which can be
> collected by state surveillance agencies.  Will the proposed working
> group attempt to fix that?

Privacy is only about state surveillance?  That seems to be a, um, 
remarkably narrow definition, and completely ignores the privacy issues 
that people usually get harmed by.  Furthermore, state surveillance 
doesn't need to scrape headers, they just get the providers to reveal 
the contents of their logs, which no amount of header obfuscation can hide.

The NSA didn't get their 5 years worth of universal phone penlogs from 
tapping wires, they did it with taps right into the provider's 
equipment.  No amount of on-the-wire fussing would have done a thing.

This harks back to a big investigation I was involved with in the late 
1970's/early 80's[*], prompted by a huge public uproar over (supposed) 
LE access to medical information from Canada's (Ontario's) health 
insurance programme (and later spread to Workman's Compensation).

Our investigation showed that there were indeed a few (on the order of 
a dozen or two) LE-related incidents, and as far as I remember, not one 
of them involved medical information (they were current address searches 
in order to serve warrants).  The real problem was 3rd party private 
insurers accessing full medical information of thousands of people (we 
proved out more than 5000 incidents with one insurer alone) that could 
result in severe financial or in some cases medical harm.  At least one 
suicide resulted, probably more.  Oh, and yes, some of the access claims 
were entirely bogus (eg: claims of accessing information that didn't and 
couldn't exist) - made up by people who were happy to lie to the 
journalists and get their own tiny bits of fame and a few beers.

The biggest fault with the charter that there is no mandate whatsoever 
to explore/mention/define the risks (of either revealing the information 
or omitting it).

I can see a BCP on privacy protection arising out of this effort, but 
without any serious attempt to give the reader guidance on pro/con, 
it'll do more harm than good.

[*] The Royal Commission of Enquiry into the Confidentiality of Health 
Records in Ontario.  I was the computer security consultant/advisor ro 
the commission.  The first "Krevor Commission".  Most Canadians will 
associate Justice Krevor (Ontario Supreme Court Judge) with the tainted 
blood Commission years later.

We plugged quite a few policy/procedural holes, the Ministry of Health 
got bruised and battered by it, but survived.  A lot of really good 
things happened from that Commission and carried over to other 
jurisdictions and even other countries, I'm quite proud of my minor 
contributions.