Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

"Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> Mon, 30 November 2015 09:35 UTC


On 30-11-15 02:02, Christian Huitema wrote:
> On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
>> There are users for whom their privacy is critically important, such
>> as press informants in totalitarian societies. There are many other
>> ways to determine their location (network monitoring coupled with
>> a STARTTLS downgrade attack, for one), and it would be harmful
>> (potentially life-threatening) if anyone thought that this would truly
>> protect them. They should be using something like SecureDrop and
>> not using email at all.
> Uh, No. This is the classic "the other side of the boat is leaking too"
> argument, coupled with a dollop of "no security is better than imperfect
> security." Yes, there are many ways for metadata to leak. But that does not
> mean that we should not plug the leaks that we do know about.
>
> The discussion so far shows that on one hand many people believe that we are
> disclosing too much metadata in mail headers, while many more believe that
> the metadata disclosure is actually useful to fight various forms of abuse,
> some of which may well compromise users' privacy.
>
> We also heard that some of the big providers have already unilaterally
> decided to suppress some of the metadata, like the first hop address.

Can anyone share some information about which providers made which decision?

> So we
> have at least one data point showing that not all metadata needs to be
> preserved.

I fail to see the causality with the first sentence here: do you mean: 
the world's e-mail ecosystem did not collapse, so this proves that not 
all metadata needs to be preserved?

>
> The "submission" hop may be a special case, but as Jim points out, mailing
> lists may well be another special case, for which some guidance would be
> useful.
>
> The concern about topology disclosure may or may not justify pruning some of
> the metadata.
>
> In short, it appears that there is enough concern and enough uncertainty to
> justify working at least on an analysis document, and depending on the
> outcome on a best practice document. Let's have this debate, and let's make
> some progress on email privacy.

Some work has been done on this, which might be useful input to 
the discussion: see the report "Investigating the leakage of sensitive 
personal and organisational information in email headers" [1].

/rolf

[1] https://www.cs.ox.ac.uk/publications/publication9347-abstract.html
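
Added example, not part of the original message: a small header audit that reports what a message's Received chain and client-identifying fields disclose, the kind of metadata this thread debates (first-hop address, internal topology). The sample message, its hosts and addresses, and the function name `audit_headers` are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (example.* hosts, RFC 5737 / RFC 1918 addresses).
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby list.example.org (Postfix) with ESMTP id AAAA1;\n"
    "\tMon, 30 Nov 2015 01:35:03 -0800\n"
    "Received: from [192.168.3.49] (unknown [203.0.113.25])\n"
    "\tby mail.example.net (Postfix) with ESMTPSA id BBBB2;\n"
    "\tMon, 30 Nov 2015 10:34:52 +0100\n"
    "User-Agent: ExampleMail/1.0 (X11; Linux x86_64)\n"
    "From: alice@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\swith\s+(\w+)", re.I)

def audit_headers(raw):
    """Return (hop, value, reason) tuples; hop 0 is nearest the sender."""
    msg = message_from_string(raw)
    findings = []
    # Each relay prepends its Received field, so reverse to start at the sender.
    for hop, field in enumerate(reversed(msg.get_all("Received", []))):
        flat = " ".join(field.split())          # unfold continuation lines
        from_part = re.split(r"\sby\s", flat, maxsplit=1)[0]
        m = WITH_RE.search(flat)
        # RFC 3848: ESMTPA / ESMTPSA mean the client authenticated (submission).
        submission = bool(m) and m.group(1).upper() in ("ESMTPA", "ESMTPSA")
        for text in IP_RE.findall(from_part):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue                        # bracketed but not an address
            if any(addr in net for net in RFC1918):
                findings.append((hop, text, "internal address"))
            elif submission:
                findings.append((hop, text, "client address at submission"))
    for name in ("User-Agent", "X-Mailer"):
        if msg[name]:
            findings.append((None, msg[name], "client software"))
    return findings
```

Relay hops that carry only a public MTA address are not reported; only the submission hop, RFC 1918 addresses and client-software fields are.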