Everyone,

The more I think about it, the more important it seems that any anonymous 
email-like communications system *not* include people who don't want to be part of 
it, and have lots of defenses to prevent its anonymous communications from 
becoming a nightmare for its participants.  If the goal is to make PRISM stop 
working and make the email part of the internet go dark for spies (which 
definitely includes a lot more than just US spies!), then this system has to be 
something that lots of people will want to use.  

There should be multiple defenses against spam and phishing and other nasty 
things being sent in this system, with enough designed-in flexibility to deal 
with changes in attacker behavior over time.  If someone can send participants 
in the system endless spam or credible death threats, then few people are going 
to want to participate, and that diminishes the privacy of everyone remaining 
in the system, along with just making the system a blight in general.  If 
nonparticipants start getting spam from the system, it will either be shunned 
or shut down, and at any rate won't have the kind of reputation that will move 
a lot of people onto the system.  An ironclad anonymous email system with 
10,000 users is a whole lot less privacy-preserving than one with 10,000,000 
users.  As revelations of more and more eavesdropping come out, we might 
actually see millions of users want to have something really secure and 
anonymous, but not if it's widely seen as a firehose o' spam.  

A lot of the tools we use on the net every day suffer from having been designed 
without thinking very far ahead into how they might be exploited or 
misused--hence spam, malware in PDF files, browser hijacking sorts of attacks, 
etc.  My thought is that we should be thinking of multiple independent defenses 
against spamming and malware and all the rest, because parasites adapt to their 
environment.  We can't count on "and then you go to jail" as a final step in 
any protocol, and we can't count on having some friendly utility read millions 
of people's mail to filter the spam if we want this to be secure.  So what can 
we count on to stop spam and malware and other nastiness?  

Some thoughts off the top of my head.  Note that while I think all these can be 
done with crypto somehow, I am not thinking of how to do them yet, except in 
very general terms.  

a.  You can't freely send messages to me unless you're on my whitelist.  

b.  This means an additional step of sending me a request to be added to your 
whitelist.  This needs to be costly in something the sender cares about--money, 
processing power, reputation, solving a captcha, rate-limits to these requests, 
whatever.  (What if the system somehow limited you to only, say, five 
outstanding requests at a time?). 

c.  Make account creation costly somehow (processing, money, solving a captcha, 
whatever).  Or maybe make creating a receive-only account cheap but make it 
costly to have an account that can request to communicate with strangers.  

d.  Make sending a message in general cost something.  Let receiver addresses 
indicate what proof of payment of the desired cost they require to accept 
emails.  

e.  Enable some kind of reputation tracking for senders?  I'm not sure if this 
would work or be a good idea, but it's worth thinking about.  

f.  All this needs to be made flexible, so that as attackers evolve, so can 
defenses.  Ideally, my ppe (prism proof email) address would carry an 
indication of what proofs your request to communicate needed to carry in order 
for me to consider it.  

g.  The format of messages needs to be restricted to block malware, both the 
kind that wants to take over your machine and the kind that wants to help the 
attacker track you down.  Plain text email only?  Some richer format to allow 
foreign language support?  

h.  Attachments should become links to files in an anonymizing cloud storage 
system.  Among other things, this will make it easier to limit the size of the 
emails in the system, which is important for ensuring anonymity without 
breaking stuff.  

What else?  I see this as the defining thing that can kill an anonymous 
encrypted communications system--it can become a swamp of spam and malware and 
nutcases stalking people, and then nobody sensible will want to come within a 
hundred meters of it.  Alternatively, if users are *more* in control of who 
contacts them in the prism-proof scheme than with the current kind of email, we 
can get a lot more people joining.  

Comments?

--John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
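
Added example (not part of the original post or of any existing system): one way items a, b and f could fit together, using a hashcash-style SHA-256 proof of work as the "processing power" cost. The address form name;pow=BITS@domain, the Exchange class and all function names are assumptions made for illustration, and this toy sees sender identities, so it does not address anonymity.

```python
import hashlib
from itertools import count

MAX_OUTSTANDING = 5  # the "five outstanding requests" figure from item b

def required_bits(address: str) -> int:
    """Read the cost from a constructed address form: name;pow=BITS@domain."""
    local = address.split("@", 1)[0]
    return int(local.split(";pow=", 1)[1])

def zero_bits(sender: str, recipient: str, nonce: int) -> int:
    """Leading zero bits of SHA-256 over sender, recipient and nonce."""
    digest = hashlib.sha256(f"{sender}|{recipient}|{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def mint(sender: str, recipient: str) -> int:
    """Sender side: brute-force a nonce that meets the recipient's cost."""
    bits = required_bits(recipient)
    return next(n for n in count() if zero_bits(sender, recipient, n) >= bits)

class Exchange:
    """Toy in-memory stand-in for the system (hypothetical, not anonymous)."""

    def __init__(self):
        self.whitelist = {}    # recipient -> senders allowed to write freely
        self.outstanding = {}  # sender -> recipients who have not answered yet

    def request_contact(self, sender: str, recipient: str, nonce: int) -> str:
        pending = self.outstanding.setdefault(sender, set())
        if sender in self.whitelist.get(recipient, set()):
            return "already-whitelisted"
        if recipient in pending:
            return "duplicate"
        if len(pending) >= MAX_OUTSTANDING:
            return "too-many-outstanding"
        # The stamp covers both addresses, so it cannot be reused elsewhere.
        if zero_bits(sender, recipient, nonce) < required_bits(recipient):
            return "insufficient-proof"
        pending.add(recipient)
        return "queued"

    def answer(self, recipient: str, sender: str, accept: bool) -> None:
        """Recipient decides; either way the sender's slot is freed."""
        self.outstanding.get(sender, set()).discard(recipient)
        if accept:
            self.whitelist.setdefault(recipient, set()).add(sender)

    def can_send(self, sender: str, recipient: str) -> bool:
        return sender in self.whitelist.get(recipient, set())
```

Each extra bit in the address doubles the sender's expected work while the recipient's check stays a single hash, so a recipient can raise the cost without changing the protocol.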
