Re: [Shutup] [ietf-smtp] real life privacy tradeoffs, was Proposed Charter

Ted Lemon <mellon@fugue.com> Wed, 02 December 2015 16:26 UTC

From: Ted Lemon <mellon@fugue.com>
To: shutup@ietf.org
In-Reply-To: <20151202160626.22889.qmail@ary.lan>
References: <20151202160626.22889.qmail@ary.lan>
Date: Wed, 02 Dec 2015 16:26:49 +0000
Message-Id: <1449073609748-d67ce695-2d04f2ef-aaba9619@fugue.com>
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/qnEuGjAzjBrif09XLTOyP4mnJCg>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] real life privacy tradeoffs, was Proposed Charter
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>

Wednesday, Dec 2, 2015 11:06 AM John Levine wrote:
>>Show your data or please stop making generalizations like this.   This is really not helpful.
> Hmmn.  If people are this unfamiliar with practical user security, and
> are unable to type "trade password for a candy bar" into Google, this
> is going to be a very slow slog.

John, what is deeply frustrating about this conversation is that every time I ask a serious question, I get an answer like this.   Did you look into that study?   Can you describe their methodology?   Did they identify potentially confounding factors that would introduce bias into the results?   Does their methodology account for those factors?   Do they make any sort of case at all for why their sample is a representative sample?   You don't know, do you?   You just read one of the clickbait articles that Google offered you.

The very study you are citing is actually used as an example of bad methodology in a textbook, _Elementary Statistics: Looking at the Big Picture_, by Nancy Pfenning.   Did the researchers check to see if the people they surveyed gave their actual birthday, or their actual password?   Or were they the ones who were scammed?   The survey was also done in 2004.   Do you think nothing has changed since then?

The reason this has become a slog is that nearly every answer I've gotten for a question I've asked, and nearly every criticism I've seen of a statement I've made, is of a similar level of quality to the answer you just gave me.  I don't mean to single you out--your example study is just too good an example not to use.

What this conversation has told me is that nobody on this mailing list actually knows the answer to this question: "what are the costs and benefits of redacting information from the Received header fields in email messages?"   You all think you know the answer, and your intuition is probably not completely invalid, but if we actually care what the answer to this question is, we probably do need to form a working group to study it a bit more seriously than we have done thus far, and we definitely can't rely on the assurances of supposed subject matter experts as to what the actual cost is.


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon@fugue.com