Re: [Shutup] [ietf-smtp] real life privacy tradeoffs, was Proposed Charter

"John Levine" <> Wed, 02 December 2015 14:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 516E11A9119 for <>; Wed, 2 Dec 2015 06:50:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.663
X-Spam-Level: *
X-Spam-Status: No, score=1.663 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oTSL5I5VFy7z for <>; Wed, 2 Dec 2015 06:50:20 -0800 (PST)
Received: from ( [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 70F261A00B6 for <>; Wed, 2 Dec 2015 06:50:16 -0800 (PST)
Received: (qmail 99112 invoked from network); 2 Dec 2015 14:50:15 -0000
Received: from unknown ( by with QMQP; 2 Dec 2015 14:50:15 -0000
Date: 2 Dec 2015 14:49:53 -0000
Message-ID: <20151202144953.22592.qmail@ary.lan>
From: "John Levine" <>
In-Reply-To: <>
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] real life privacy tradeoffs, was Proposed Charter
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2015 14:50:21 -0000

>> So, training HAS to be done, otherwise people will lose privacy.
>Look, I'm really sorry to keep harping on this, because I know it's a bit off topic and probably
>annoying, but your model of how to do security for end users is simply wrong. ...

Different people are different and it is not helpful to pretend that
all end users are the same.  Most people say they care about privacy,
but their actions show that they actually don't, e.g., they'll trade
their password and SSN for a candy bar.

Some people really do care about privacy.  I don't know if you've ever
talked to someone who runs a battered women's shelter, but I have.
For them, their privacy is really a matter of life and death, and they
have to deal with impressively complex threats.  I've heard direct
reports of malware that installs keyloggers that report back to the
hostile spouse.  These people boot their computers from a CD to use
webmail through Tor, and buy burner phones in bulk.  The kind of stuff
we're talking about redacting here is completely irrelevant to them,
since as I said, they are not so dim as to depend on their mail
provider's logging practices for their safety.

Christian's point about bulk collection is a reasonable one, but just
as the collection affects a lot of people, the security benefits from
good header logging affect a lot of people, too.  We need to start by
understanding how they're really used and what the benefits are.

>From what we've heard here from people who run significant mail
systems for real users, the benefits are substantial.