Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Ted Lemon <mellon@fugue.com> Wed, 02 December 2015 15:20 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F26A91A013F; Wed, 2 Dec 2015 07:20:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nxBVGZ7fNZLO; Wed, 2 Dec 2015 07:20:19 -0800 (PST)
Received: from fugue.com (mail-2.fugue.com [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD741A0125; Wed, 2 Dec 2015 07:20:18 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14490696098940.9147816265467554"
From: Ted Lemon <mellon@fugue.com>
To: dcrocker@bbiw.net
In-Reply-To: <565F0A42.2070402@dcrocker.net>
References: <20151130042819.10658.qmail@ary.lan> <1448858775386-ceecd236-8b11ac04-a03b4438@fugue.com> <01PTPUIP3IUK01729W@mauve.mrochek.com> <11d014e5-9a6a-4b78-92a1-8e0a1e0a905d@gulbrandsen.priv.no> <lGTaHvC8ygXWFAuu@highwayman.com> <57B818513A0069189BA3CF41@JcK-HP8200.jck.com> <1449014394167-7d2dec58-2c6a9ae8-33fc8e7a@fugue.com> <565E4CCF.3080901@mustelids.ca> <1449024914920-c367c12b-5b2db232-b118a379@fugue.com> <565EB238.6060207@pscs.co.uk> <1449064251263-c451a28b-ba1e4af8-62e69b69@fugue.com> <565F0A42.2070402@dcrocker.net>
Date: Wed, 02 Dec 2015 15:20:09 +0000
Message-Id: <1449069610234-da77a7a5-9aad0b81-0070a67b@fugue.com>
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/bbpWKoxGt0O28gmCselNVQd9IVA>
Cc: shutup@ietf.org, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 15:20:21 -0000

Wednesday, Dec 2, 2015 10:12 AM Dave Crocker wrote:
> Absent hard data that shows efficacy, both of you are wrong.

Not leaking data is 100% effective at not leaking data.

> At base, we don't know how to prevent folks from getting scammed, while
> still allowing them to interact with the outside world.

We know that revealing their personal information is harmful. We know that this information is used, in real world situations, to cause harm to real people. We do not know which specific sources are used, so it may well be that nobody is currently using the Received header field to do it. It may be that the Received header field is not currently the weakest link. However, it is clearly a weak link: as soon as I wanted to see what information my email was revealing, all I had to do was go to the ietf-smtp archive and look at my recent messages to the archive, and there the Received headers were, available for the world to see.

> Lots of people are sure they know the right answer here, but none of
> them can document efficacy.  Worse, most of the ways people cite have
> already been demonstrated to be inadequate or unachievable.

Redacting IP address information from SMTP submission servers is very achievable, as witness the fact that the major email providers are doing it. Whether it actually prevents people's demonstrably violated privacy from being used against them is indeed unknown.


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon@fugue.com
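
As an added illustration (not part of the thread and not any participant's or provider's code), the following Python example audits which address literals the `from` clauses of a message's Received headers disclose, then redacts the submission hop. The sample message, the `client.invalid (redacted)` placeholder, and the assumption that the oldest Received header is the submission hop are constructed for this example.

```python
import email
import ipaddress
import re

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.25])\n"
    "\tby list.example.net (Postfix) with ESMTP id AAAA1;\n"
    "\tWed, 2 Dec 2015 07:20:18 -0800\n"
    "Received: from laptop.home (dsl-77.isp.example [203.0.113.77])\n"
    "\tby mx.example.org (Postfix) with ESMTPSA id BBBB2;\n"
    "\tWed, 2 Dec 2015 15:20:09 +0000\n"
    "From: Alice <alice@example.org>\n"
    "\n"
    "body\n"
)

FROM_CLAUSE = re.compile(r"^\s*from\s+(.*?)\s+(?=by\s)", re.S | re.I)
ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_headers(raw):
    """Received values, newest hop first, in the order the message lists them."""
    return email.message_from_string(raw).get_all("Received", [])


def disclosed_ips(raw):
    """(hop, ip) pairs from each from-clause; by-clause addresses are ignored."""
    found = []
    for hop, value in enumerate(received_headers(raw)):
        clause = FROM_CLAUSE.match(value)
        for literal in ADDR_LITERAL.findall(clause.group(1) if clause else ""):
            try:
                found.append((hop, str(ipaddress.ip_address(literal))))
            except ValueError:
                pass  # bracketed text that is not an IP address
    return found


def redact_submission_hop(raw):
    """Replace the from-clause of the oldest Received header; keep the rest."""
    values = received_headers(raw)
    if values:
        # Placeholder text is an assumption made for this example only.
        values[-1] = FROM_CLAUSE.sub(
            "from client.invalid (redacted)\n\t", values[-1], count=1
        )
    return values
```
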