On Tuesday, December 1, 2015 11:24 AM, Martijn Grooten wrote:
>
> I agree that if keeping your geolocation is a matter of life and death, you
> shouldn't use email, but for me that is not a reason for the IP address to be
> visible for anyone who can read the email. I think privacy matters, even
> when it's not about life and death.
>
I am also concerned with automated mass surveillance, including traffic analysis. The basic traffic analysis produces "5-tuple" logs. Since a lot of the Internet usage is now mobile, there is no direct mapping between IP addresses and user identities. To move from traffic analysis to surveillance, the analyzers need to restore that mapping. There are multiple ways to do that, as explained in RFC 7624, and email headers are one of them.

Clearly, there are also other sources of correlation between IP address and identity. Various IETF working groups are busy closing these other sources as well: MAC Address randomization to suppress direct mapping of identities to roaming devices; DHCP anonymity profile to remove the leakage of metadata in DNS packets; or, HTTPS to prevent observation of HTTP cookies. To break the correlation between IP address and identity, we need to also close the leakage in the SMTP traces.

Everybody understands that there is a tension there between privacy and fighting spam. I get the use case of the virus-infected home PC that originates spam through the permissive SMTP relay of some local ISP. But then many mail providers feel the need to provide privacy to their users, which drives them to deploy their own formatting of the "received" field. We do have a tension there, and that tension is precisely why we want to study the alternatives and come up with a proposed recommendation. Hence the WG charter.

-- Christian Huitema

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
