Mitigating Dangers of Compromised Anonymity
Operating an anonymity service or providing privacy enhancing technologies to the public poses potential risks to the provider if sufficiently motivated entities wish to prevent the availability of such technology. In particular danger are individuals whose meatspace identity and nyms are not publicly linked. If the attacker is able to compromise a nym and silence the individual in meatspace, other anonymity providers and the general public will have no way of knowing that this has occurred. This is information that is important to the public (who will want to know if a remailer's operator has disappeared, though his remailer is still operating) and to the other operators (who may be next). Given the practice of remops hiding their identities, it would be somewhat difficult to connect the sudden tragic death of a quiet computer programmer in Arkansas with the abrupt silence of the operator of a remailer in New York, whose ID is unknown to all but a very few.[1] Given the necessity of providing on-going administration for a remailer server, and the lack of a viable IP-level anonymity system, a remop's identity is almost surely known to any attacker who can observe network traffic. Operating a remailer while concealing one's name from the general public makes it easier for this attacker to hide one's disappearance from the public, or to delay their knowledge of it. Still, there are many compelling reasons to operate an anonymity service or provide anonymity software without revealing one's name. It would be desirable for a remop to be able to do so without putting himself at greater than normal risk. Discussions with some members of the remailer operator community [2] have led me to propose the following "I am alive" monitoring system for anonymous members.
Although it was designed with remailer operators in mind, this system could benefit other groups which face problems similar to the ones described above (such as human rights workers and people with Muslim-sounding last names who have recently emigrated to America).

"I'm not Dead Yet"

1. This system assumes that a stable, reliable monitoring server can be operated in a fixed location on the Internet. The server stores a list of email addresses it is monitoring, a public PGP key for each nym, and a datestamp "s" (which is a number in seconds) for each nym. The server is configured with an "allowed silence period" variable "T", which is an integer equal to the number of days a monitored member may be without contact with the server and still be considered safe.

2. Users add themselves to the system by sending a signed administrative request to the server's email address and providing the public key to be used. The personal information for that nym can only be changed by further administrative email requests signed by the same key.

3. The monitoring server publishes a unique random nonce each day on its website and posts it to USENET (in a suitable place such as alt.privacy.anon-server). The server stores a rolling list of nonces and their issuance dates for the duration of T.

4. Members being monitored obtain this nonce, sign it with the key held by the server, and submit an "I am alive" notification.

5. Upon receipt of this notification, the server resets the datestamp s equal to the nonce issuance time.

6. If the age of s (present time in seconds minus s) for any nym entry reaches (T-3)*86400, the nym address is pinged with a message -- "Are you alive?". If the nym's owner were alive and had simply forgotten to check in, he could respond within three days to avoid a false alert.

7. If the age of s reaches T*86400, a "Missing Nym" alert is issued, either to all of the other members of the monitoring service, to a separate alerts list, or to a public forum.

8. The missing nym owner can declare a false alert by checking in in the normal fashion. (There's an application for reputation tracking on nyms who cry wolf.)

Notes:

a) Nym owners will wish to communicate with the monitoring server through anonymous remailers, so as to avoid revealing their identities to the monitoring system.

b) This system makes no distinction between nyms and true names. It can monitor email addresses of either. This could provide a useful system even if one is not using a real nym.

c) The PGP keys supplied to the nym server for the purpose of ID verification should be signing-only keys not used for any other purpose. This will eliminate any justification for a legal or quasi-legal entity to seize the key. If a member is in the position of having his keys demanded from him, it will be obvious that this is only being done for one purpose: so that the public can be tricked into thinking he is alive and free (when presumably he will not be). This should aid him in his decision to comply or not.

-MW-

--
[1] Anonymity software developers who publish their products anonymously are also potentially at risk. RProcess, the author of a popular Windows remailer client and a Mixmaster-compatible Windows remailer server, suddenly "disappeared" from alt.privacy.anon-server a little over two years ago. His absence was noticed almost immediately, because he had been involved in several discussions and a major project at the time of his disappearance -- but had he been a remailer operator or a developer with little direct interaction with the public, he might not have been missed.

[2] Peter Palfrader, Roger Dingledine, Len Sassaman, and Eric Arneson contributed suggestions to this system. Bill Stewart provided the initial suggestions.
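The server-side logic of steps 1 through 8 (daily nonce, signed check-in, datestamp reset to the nonce's issuance time, the (T-3)-day ping and the T-day alert, and clearing a false alert by checking in again) is small enough to model end to end. The following is an added example written for this post, not code from the post or from any remailer project. To stay runnable on the Python standard library alone it stands in for PGP detached signatures with an HMAC over a shared key; that substitution is for illustration only, since with a shared key the monitoring server itself could forge check-ins, which is exactly what the post's signing-only public keys prevent. The member address, key bytes and timeline are constructed values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

DAY = 86400  # the post's conversion: T is in days, s is in seconds


def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for a PGP detached signature (HMAC-SHA256, illustration only)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


@dataclass
class Member:
    address: str
    key: bytes      # the member's signing-only key (step 2 / note c)
    s: int          # datestamp: issuance time of the last nonce the member signed (step 5)
    pinged: bool = False


class MonitorServer:
    """The 'I'm not Dead Yet' server from steps 1-8."""

    def __init__(self, T: int):
        self.T = T                 # allowed silence period in days (step 1)
        self.members: dict[str, Member] = {}
        self.nonces: dict[str, int] = {}   # nonce -> issuance time, rolling list (step 3)

    def issue_nonce(self, now: int) -> str:
        """Publish today's random nonce and drop nonces older than T days."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = now
        self.nonces = {n: t for n, t in self.nonces.items() if now - t < self.T * DAY}
        return nonce

    def register(self, address: str, key: bytes, sig: bytes) -> bool:
        """Step 2: a signed administrative request adds or updates an entry.
        Updates are accepted only when signed by the key already on file."""
        if not verify(key, b"register:" + address.encode(), sig):
            return False
        existing = self.members.get(address)
        if existing is not None and existing.key != key:
            return False
        self.members[address] = Member(address, key, s=0)
        return True

    def check_in(self, address: str, nonce: str, sig: bytes, now: int) -> bool:
        """Steps 4-5 (and 8): accept a signed current nonce; s becomes the
        nonce's issuance time, never the receipt time, so an old nonce cannot
        make a member look fresher than the day that nonce was published."""
        m = self.members.get(address)
        issued = self.nonces.get(nonce)
        if m is None or issued is None or now - issued >= self.T * DAY:
            return False
        if not verify(m.key, nonce.encode(), sig):
            return False
        m.s = issued
        m.pinged = False
        return True

    def sweep(self, now: int) -> dict[str, str]:
        """Steps 6-7: returns the action due for each member, if any."""
        actions = {}
        for m in self.members.values():
            age = now - m.s
            if age >= self.T * DAY:
                actions[m.address] = "alert"          # "Missing Nym"
            elif age >= (self.T - 3) * DAY and not m.pinged:
                m.pinged = True
                actions[m.address] = "ping"           # "Are you alive?"
        return actions


def demo() -> dict:
    """Constructed timeline with T = 14 days; returns what the server did."""
    server = MonitorServer(T=14)
    key = b"constructed-member-signing-key"
    addr = "remop@nym.example"   # constructed address
    out = {}
    n0 = server.issue_nonce(0)
    out["register"] = server.register(addr, key, sign(key, b"register:" + addr.encode()))
    out["checkin d0"] = server.check_in(addr, n0, sign(key, n0.encode()), 0)
    n5 = server.issue_nonce(5 * DAY)
    out["checkin d5"] = server.check_in(addr, n5, sign(key, n5.encode()), 5 * DAY)
    out["sweep d15"] = server.sweep(15 * DAY)    # age 10 days: quiet
    out["sweep d16"] = server.sweep(16 * DAY)    # age 11 days = T-3: ping
    out["sweep d19"] = server.sweep(19 * DAY)    # age 14 days = T: alert
    n19 = server.issue_nonce(19 * DAY)
    out["checkin d19"] = server.check_in(addr, n19, sign(key, n19.encode()), 19 * DAY)
    out["sweep d19 after"] = server.sweep(19 * DAY)   # false alert cleared (step 8)
    out["replay d5 nonce"] = server.check_in(addr, n5, sign(key, n5.encode()), 20 * DAY)
    out["wrong key"] = server.check_in(addr, n19, sign(b"other", n19.encode()), 19 * DAY)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Two properties worth noticing when running it: a replayed day-5 nonce is rejected at day 20 because it has aged out of the rolling list, and even a replay that were still within T days would only set s back to the nonce's own issuance time, so the design gives an attacker holding intercepted check-ins nothing to extend the member's apparent liveness with.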
Meyer Wolfsheim