On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
>
> There are users for whom their privacy is critically important, such
> as press informants in totalitarian societies. There are many other
> ways to determine their location (network monitoring coupled with
> a STARTTLS downgrade attack, for one), and it would be harmful
> (potentially life-threatening) if anyone thought that this would truly
> protect them. They should be using something like SecureDrop and
> not using email at all.

Uh, No. This is the classic "the other side of the boat is leaking too" argument, coupled with a dollop of "no security is better than imperfect security." Yes, there are many ways for metadata to leak. But that does not mean that we should not plug the leaks that we do know about.

The discussion so far shows that on one hand many people believe that we are disclosing too much metadata in mail headers, while many more believe that the metadata disclosure is actually useful to fight various forms of abuse, some of which may well compromise users' privacy. We also heard that some of the big providers have already unilaterally decided to suppress some of the metadata, like the first hop address. So we have at least one data point showing that not all metadata needs to be preserved. The "submission" hop may be a special case, but as Jim points out, mailing lists may well be another special case, for which some guidance would be useful. The concern about topology disclosure may or may not justify pruning some of the metadata.

In short, it appears that there is enough concern and enough uncertainty to justify working at least on an analysis document, and depending on the outcome on a best practice document. Let's have this debate, and let's make some progress on email privacy.

-- Christian Huitema

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
