On Oct 17, 2013, at 10:51 AM, [email protected] wrote:

>
>> Hiya,
>
>> Many snippets below...
>
>> On 10/15/2013 07:13 PM, [email protected] wrote:
>>>> Following up on my own point - not stylish but I think
>>>> in this case justified:-)
>>>
>>>> On 10/15/2013 12:41 AM, Stephen Farrell wrote:
>>>>> I don't
>>>>> see why we shouldn't be equally comfortable in saying "don't
>>>>> send cleartext" - *if* that's an IETF consensus position - as
>>>>> we have seen sending cleartext is also just broken when one
>>>>> considers pervasive monitoring.
>>>
>>>> I guess this Washington Post story [1] that I saw this
>>>> morning would appear to provide a relevant example.
>>>> In that case, I would argue that the fact that cleartext
>>>> IMAP provides interop and is successful does imply that
>>>> some services somewhere will use that for large populations
>>>> that will inevitably (as we now know) be subject to
>>>> pervasive monitoring.
>>>
>>> What is this "cleartext IMAP" of which you speak?
>
>> I guess that's a fair comment - we don't know that they're
>> able to gather inbox data via IMAP due to it being sent in
>> clear, however that seems like a reasonable guess based
>> on the newspaper story which says that collection is done
>> by telcos that are "overseas" and assuming that TLS is not
>> busted for these services.
>
> Actually, it's exactly the opposite: Details from the article make it very
> unlikely that tapping into IMAP sessions is a significant source of data here.
> In particular, both the article and the source material make it very clear that
> this is primarily about address book information and only secondarily about
> actual message content. As I noted previously IMAP does not carry address book
> information.
>
> Additionally, there's the peculiar use of the term "inbox" rather than to email
> messages in general. IMAP provides access to all folders, whereas protocols
> like ActiveSync are used specifically to notify users of the presence of new
> messages in their inbox.

Disclosures about inboxes and individual messages were part of earlier revelations/declassification:

https://www.eff.org/document/october-3-2011-fisc-opinion-holding-nsa-surveillance-unconstitutional
https://www.eff.org/deeplinks/2013/08/intelligence-agency-attorney-explains-how-multi-communication-transactions-allowed
https://www.cdt.org/blogs/alissa-cooper/1109nsa%E2%80%99s-laziness-masquerading-reasonableness

Alissa
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
