[ietf-smtp] Preventing information disclosure during mail transport

2015-11-29 10:23:29
Another thought...

Privacy is often about, not just what added protections one gets
but about what one gives up.  Just as one can get complete
network security protection for a computer by isolating it from
the network and depriving it of any source of power, one can get
complete privacy protection for email messages and their
contents by not sending them.

There is a somewhat less drastic solution.  We've known about it
since the 1960s, when it was widely deployed, and have seen new
efforts to shift things back in that direction in recent years.
That method is having those who want to send mail log in and
upload it to the same servers from which their correspondent
will retrieve it.  If any transport across the network is
required, it can be done by private arrangements between mail
providers using single-hop approaches and, preferably,
semi-permanent virtual circuits protected by IPSec or equivalent
(or, in the 60s and early 70s, writing the messages as batches
onto physical media and then moving those media by means that
were presumed to be secure).  With that sort of arrangement and
appropriately-secured connections between the sender and
recipient users and their servers, the only privacy
vulnerability point is whether the mail accounts themselves are
anonymous.  We know how to do that too, but it may not be
compatible with email and related business models that depend on
selling users with known profiles to advertisers.  

There is also the matter that, if the mail provider retains both
(or all) sides of a conversation in the clear, then there are
much greater and easier opportunities for disclosure, not just
of trace/envelope information but of content, as a result of
government action (or attack by (other) malicious parties).

I don't think it would be desirable to return to that model.  I
am, from a personal and practical standpoint, far more concerned
about a court order that says "dear mail provider, give me all
of Klensin's messages, including header and correspondent
information, and don't tell him we asked" than I am about
disclosure of who I'm communicating with and when (and I know
how to hide that information if I really, really, need to).  Of
course, centralizing all email to a small number of very large
providers with private mail exchange agreements increases the
risks of that sort of attack even if it decreases the in-transit
disclosure ones but, again, it depends on what one is worried

I do sincerely hope that the observation that several of the
people who are pushing hardest for mechanisms that decrease
interoperability in the claimed interest of, e.g., more privacy
or less phishing, work for or with organizations whose business
interests are served by concentrating larger and larger
percentages of the world's email traffic on their accounts is
just a coincidence.  Or, if they believe that less use of mail
transport between independent actors would really improve the
world, I wish that they would come out and say so explicitly.


p.s. Alexey and Murray (or anyone else subscribed there),
obviously feel free to copy this to "Shutup" if that seems

ietf-smtp mailing list