On Saturday, December 5, 2015 10:52 PM, Ned Freed wrote:
> SM <[email protected]> writes:
>
> > An attack on an organization is a security issue; it isn't a privacy
> > issue. The privacy issue is about mail-related metadata which can be
> > collected by state surveillance agencies. Will the proposed working
> > group attempt to fix that?
>
> As I pointed out on the perpass list when the Received: field draft was first
> posted, there are definitely privacy issues associated with Received: fields,
> but metadata collection by state actors really isn't one of them. Why bother
> with Received: fields when you can simply collect transaction logs from
> ISPs/MSPs.

Ned, you are basically saying, "why bother plugging one leak when the same data can leak somewhere else." Well, I think it is actually important to plug all the privacy leaks, much like in security it is important to plug all the holes.

You are making the argument that authorities can commandeer data by imposing on mail providers. They can, but in countries with a decent rule of law there are limits, such as requiring probable cause and not going on fishing expeditions. We have seen rogue agencies attempt to bypass these limits by just taking the data whichever way they can, and we want to stop that. We also worry that what these agencies can do today, organized gangs can do tomorrow, and petty criminals after that.

The email traces are particular because they are carried to multiple places, not just the submission site but also every relay and every mail recipient. That multiplies the chances of compromise. My email provider has some reason to try to maintain my trust, but relays and recipients may not. For me, it makes a great deal of difference whether the information can be obtained from just one place or from many.

As I wrote in a previous message, we have a specific problem with the correlation between IP address and user identity. Once that correlation is established, it becomes possible to attribute 5-tuple traces to specific individuals. You may think that the relation between someone's home IP address and their identity is static, but in many cases it is not. Some ISPs can provide you with addresses that deliberately vary over time. You can use a VPN. You can use Wi-Fi hot spots. That's exactly what privacy-conscious users do. And that's why I find the listing of the submission IP in traces problematic.

I understand that there are good uses of the information, and that managing email systems is hard. I also understand that the problem is complex. For example, precise timestamp information can be used for debugging and validation. But it can also be used to retrieve the IP address of a message sender, by looking in the 5-tuple traces at what addresses were sending packets to the email provider at that time. We need to surface these issues, to understand both the cost and the value of the information, and to propose solutions.

-- Christian Huitema

> And unless I'm missing something, the generation and collection of
> transaction logs is far beyond the purview of the IETF.
>
> Ned
>
> _______________________________________________
> Shutup mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/shutup
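The submission-hop leak discussed in this message (the client IP address and a second-precision timestamp carried in the first Received: field to every relay and recipient), as an added example that is not part of the thread: a small Python script that pulls those two values out of a message and shows the defensive rewrite a submission server could apply. The message, host names, addresses and ids are constructed for illustration and are not from the list or the draft.

```python
import email
import re
from email.utils import parsedate_to_datetime, format_datetime

# Constructed sample message (assumed values, not from the thread). Relays
# prepend Received: fields, so the last one is the submission hop and names
# the client that handed the message to the submission server.
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [203.0.113.7])\n"
    "\tby mx.example.net with ESMTPS id a1; Sat, 5 Dec 2015 22:52:17 -0800\n"
    "Received: from [192.0.2.45] (client.example.net [192.0.2.45])\n"
    "\tby submit.example.org with ESMTPSA id b2; Sat, 5 Dec 2015 22:51:58 -0800\n"
    "From: alice@example.org\nTo: bob@example.net\nSubject: test\n\nhello\n"
)

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_CLAUSE = re.compile(r"^from \S+( \([^)]*\))?")


def received_hops(raw):
    """Return the Received: values with folding removed, submission hop last."""
    msg = email.message_from_string(raw)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]


def submission_leak(raw):
    """What the submission hop exposes to every relay and recipient: the
    client's IP address and a timestamp precise enough to be matched against
    per-second connection records (5-tuple traces) for that address."""
    hop = received_hops(raw)[-1]
    ip = IPV4.search(hop)
    when = parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    return (ip.group(1) if ip else None, when)


def redact_hop(hop):
    """Defensive rewrite for a submission server: drop the client address
    (both the bracketed IP and its reverse-DNS name) and round the timestamp
    down to the hour so it no longer pins down a single connection."""
    head, date = hop.rsplit(";", 1)
    head = FROM_CLAUSE.sub("from [redacted]", head.strip())
    when = parsedate_to_datetime(date.strip()).replace(minute=0, second=0)
    return f"{head}; {format_datetime(when)}"


if __name__ == "__main__":
    ip, when = submission_leak(SAMPLE)
    print("submission hop reveals", ip, "at", when.isoformat())
    print("redacted:", redact_hop(received_hops(SAMPLE)[-1]))
```

The relay hop is left as it is; only the hop written by the server the user authenticated to carries the client address, and that is the one the message argues should not be spread to every downstream party.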
