Marc.Ringuette@GS80.SP.CS.CMU.EDU says:

I wonder if full crypto anonymity as we envision it will be stable? I'm very concerned about the problem of anonymous users intentionally flooding the network with garbage in order to bring it to its knees. Current practice, in the non-anonymous world, is to trace excess traffic to its source and stop it from being generated. This will no longer be possible when true anonymity is available.

Yes, this is a REAL danger. But if the network providers will charge per-packet fee (what an ugly idea :-), and no packet will be moved without being "taxed" (:-) - i.e. some digital cash removed from it's header (:-) - well, I see no reason, why somebody can't invest his $1,000,000 in shutting y'all up for a day (:-).

This would particularly be a problem if a remailer is willing to forward an incoming message to more than one destination. In that case, by sending a single anonymous message, a saboteur could generate an exponential amount of net traffic. This would be bad.

It only depends on who pays for each packet (:-).

However, I still have some fundamental concerns that an anonymity-based system is vulnerable to flooding and denial of service by the bad guys, including Big Brother, who may wish to prevent effective use of such systems. This may make operating a remailer a difficult proposition.

Yeah, THIS can be a problem: our Big Brother has enough money to do all the smelly things we discussed above... And if not - he'll tax us more...

I'm discouraged. Any thoughts?

There's no way to limit Big Brother's power, except for getting rid of him altogether, I'm afraid... -- Regards, Uri uri@watson.ibm.com scifi!angmar!uri N2RIU ----------- <Disclamer>

Teodore Ts'o writes:

At MIT, we're considering to start up an anonymous remailer, but with the proviso that if we get a complaint about a particular pseudonym is used to send harassing email, or email with threatening violence, and some other well-defined occassions, that we would reveal, to the proper authorities, the email address used for sending replies back.

A warning to that effect would be sent back to an email address the first time the anonymous contact service saw that particular email address, and assigned it a pseudonym address for replies. This way, users would have the proper expectations of privacy.

Hmm... Could you briefly outline those "well-defined" occasions? How about this case: I send you a complaint about somebody who has repeatedly harrassed everybody soc.culture.india/tamil/srilanka with anonymous postings about faked reports about then indian army raping civilians in sri lanka?

Ultimately, I think this is the only way that anonymous remailers will be able to function. Otherwise, the public outcry the first time one of these remailers are abused will cause these full remailers to be shutdown, or otherwise cut off from the net.

Exactly as has happened to anon.penet.fi. ;-) Julf

We haven't completely finished drafting those policies yet, so I can't give you a comprehensive answer. (If you have suggestions about where to draw the line, please send me email!)

If you can come up with hard and fast rules that don't ultimately reflect your own views and biases, I would *love* to see them! What I'm claiming is that there can't ever be a clean-cut line, thus I am going for the policy of *never* releasing someone's true identity. Blocking is another matter...

As far as your example goes: What I do now, when someone sends me a complaint like that, is I go to the Usenet newsgroup myself, and take a look at the flame war in progress. (Usually both sides are behaving like pre-schoolers fighting in a sandbox, but we'll let that pass.) Whether or not we would need to impose sanctions on someone because of their USENET postings is a very hard-to-define area, which ultimately comes down to a judgement call. Usually, we try not to censor people, although we do usually send them a note suggesting that the follow some basic Net Etiquette. So that might not be grounds for digging up the real email address.

Censoring is not pretty, but still a long way off from actually exposing somebody.

On the other hand, if someone posts a message threatening to kill the President, and the Secret Service shows up at your doorstep (and no, this is not a Hypothetical Example), I think we would very clearly have justification for trying to track down the identity of the person posting the message.

I don't think so. This morning there was an article in my local paper about an estonian poet who was convicted to 10 years of prison for having written songs threatening Stalin and the Party apparatchniks with "real revolution". Yes, this was USSR in the 50's, but... According to your example you would gladly have helped KGB to find out the real address of the poet, right? And I hope the response isn't "but the President of the USA is *not* Stalin, and The Secret Service is not the KGB...".

Threats of violence in general would probably be grounds for tracking the person down and issuing sanctions of some kind.

Ok. So how about the complaint I got today from rec.pets.cats where somebody had posted something about how he was poisoning and shooting the cats in the neighbourhood?

The basic idea is that there are certain uses of a psedonym remailer (I'm not using the word anonymous remailer because we wouldn't be offering true anonymity) which are obviously legitimate --- for example, an anonymous suggestion box, alt.personals, etc. On the other hand, there are certain activities which are clearly out of bounds --- threats of violence, harassment, etc. What to do in the middle ground will require some amount of judgement, so perhaps we won't be able to make the list completely well-defined. Although obviously, it would be best if that list were as well-defined as possible.

What is legitimate for you might be (and certainly is, in some part of the world) for somebody else. And vice versa. And my apologies if I sound a bit harsh. I am still only sipping my morning coffee.... Julf