Anonymity: A Modest Proposal
-----BEGIN PGP SIGNED MESSAGE----- Several weeks back, I posted a message stating the need (in my opinion) for a system of anonymity on the Internet that would be more secure than the anonymous remailers. Despite the valuable service provided by the remailers, I am troubled by their vulnerability. It seems likely that at some point in the near future, a remailer is going to be silenced, and possibly (though not inevitably) the contents of its database made public. This may possibly lead to criminal charges being filed against someone, based on alleged criminal acts in which the remailer plays a part. (I am not going to state what these "criminal acts" may be, because I don't know which ones will be involed. I don't know when this blow to the remailer system will come, or who it will happen to. I simply believe that, given the growing trend towards censorship and anti-privacy in government and business circles, the blow will come sooner or later.) The vulnerability of the remailer system, in my opinion, rests in the fact that a remailer is physically located in a certain place. This makes the remailer a target for attacks, as shown by the futile efforts (so far) of the so-called "church" of Scientology to silence the remailers at anon.penet.fi and xs4all.nl. (The original demand of Scientology in the Penet affair was for the entire contents of Julf's database to be revealed, but fortunately Julf was able to limit the exposure to a single user. When Scientology attempted to raid xs4all, their original seizure order was against the remailer itself - -- but fortunately (again) the remailer itself had been closed two months before. The representative of Scientology had to re-phrase the seizure order on the spot, declaring instead that the reason for the seizure was the existence of the infamous "Fishman Affivavit" on an xs4all Web page.) I believe a system of anonymity is needed that can withstand attacks of this sort. The current remailer system may be able to weather the oncoming storm, but it will suffer damage in the process. A system to reduce the effect of pro-censorship forces on sources of online anonymity is needed. But what shall this system be? Since the prime vulnerability of the remailers rests in their physical locations, we have the possibility of physically hiding their locations. This is impossible in the long run, and it hampers the ability to set up a remailer on a short-term basis. How hard is it to set up a node that is hidden from efforts to discover its location? If setting up a remailer requires you to go into hiding, many would-be privacy activists will be dissuaded from giving it a try. Rather, I wonder if it would be possible to devise a system that introduced a random element into the picture, one that lessens the possibility of blame being placed on any one individual, or any one site. The Netherlands responded to Scientology's attack on xs4all by spreading the Fishman Affivavit far and wide. At the time of this writing, this document now exists on more than eighty Web pages in Holland, and this makes it far more difficult for Scientology to stop the spread of information. (They are still trying, however. The latest word from Europe is that a member of Scientology's "Office of Special Affairs" has flown to Europe, and is now calling service providers and individual users. A lawyer for Scientology is there as well. See alt.religion.scientology for more details of this case.) Using Scientology as an example once again (this will be my last mention of it, I promise), note the failure of the "church" to shut down alt.religion.scientology. They have tried every possible means to prevent the newsgroup from spreading information to the world, and every attempt to stop this "leak" has failed. If it was possible to effectively eradicate a newsgroup, Scientology would certainly have done so by now. Alt.religion.scientology cannot be shut up because it is distributed to thousands of sites around the world, thus making it impossible to shut them all down. That's why I believe a newsgroup for anonymous messages would be able to withstand attacks by would-be censors. Previously, I had suggested the possibility of a "moderated" anonymous newsgroup that would forward all postings to the address of the "moderator," where they might then be randomly distributed to remailers before being posted to the anonymous newsgroup. However, that idea had several inherent weaknesses, including attacks on the "moderation" site and newgroup messages designed to compromise the newsgroup and send postings to other places. The way to prevent a newsgroup from being compromised in this manner, then, would use a different method -- one that is immune to control messages. In the course discussion with a group of cyberpunks on IRC a couple of days ago, another possible system for anonymity was devised. This system can reply on a unmoderated newsgroup as a source for messages. Instead of forwarding messages to an address in order to hide the ID of an anonymous poster, it was suggested that PGP be used to protect the messages themselves. The basic idea for this system goes like this: 1) A person writes a message and encrypts it with PGP. 2) That person then posts his message to the "anonymous messages" newsgroup. 3) A remailer scanning the newsgroup picks up the message, decrypts it, strips the headers and makes it anonymous, and sends it to its destination. Because the anonymous messages come to the remailer by scanning a newsgroup, tracking a remailer's incoming-mail logs would be useless. To offer further protection for the remailers, a random system could be devised to ensure that no one knows exactly which remailer scans a particular message at a particular time. I am not a programmer, and some of the technical details in this proposal go over my head. Hopefully you can clairfy some of the points presented here and see if this system is possible or not. The actual remailer code, involving scanning the newsgroup for PGP-encrypted messages and stripping headers, could be written with PERL scripts. This would keep it portable, and it would be easy for a person to tell if it has been tampered with. This code would be distributed widely. A series of remailers would be used to decrypt anonymous messages. A "token" (like the token ring of IBM fame) would be passed back and forth between all of the Cryptoclients in the remailer network, so that only one remailer would be "active" at any given time. This token would be passed back and forth at random, so no one would know exactly which remailer is being used to anonymize a message. The "token" is the key to this remailing system. This token would include necessary information such as the last message scanned, and to coordinate timing among the remailers. This will work to avoid duplication of messages. (Of course, the remailers should also hold messages for a random amount of time -- say, up to two hours -- in order to prevent someone from being traced, based on the time he posted his encrypted message to the newsgroup.) The decryption key for the anonymous messages would be created using a 2047-bit PGP key. To prevent this key from falling into the wrong hands, a "web of trust" could be used to pass pieces of the key among each other. If enough sites trust remailers trust a site, that site will receive enough pieces of the group key to be able to respond and "accept" the token. The public key for this PGP key would be sent to the keyservers. People would encrypt their messages using this key. The mental image I have is that of a virtual "anon demon," zipping back and forth among the network of remailer sites, stopping at each site to scan messages from the newsgroup and send them to their destinations. If a large network of remailers is connected in this fashion, it becomes impossible to prevent stop anonymous messages from reaching their destination simply by attacking one site, or even a series of sites. The "anon demon" would simply bypass the compromised sites and use other points in the network. Comments are welcome concerning the vulnerability of this system, its complexity, its ability to withstand attacks, and any other constructive criticism. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMIToGR7ohFhEPknNAQHEtwP9EmdEVtNoEJC6MtokZs66ea27Nx874K+s ueOiX21QL01SGjn7AvHUxTDPSiNXdnqSlDRqsnc2nefNlkhc2bzZklovlnZ15XC/ ZUxRWtCBk0LFoPyxbc/kEOM2cjqJdZ4llxYRHed0RcH0ABvYcGv8ZTjxtKEwN9Sy IDxmiTlqHXU= =yLqV -----END PGP SIGNATURE-----
Modemac writes:
The vulnerability of the remailer system, in my opinion, rests in the fact that a remailer is physically located in a certain place. ... Since the prime vulnerability of the remailers rests in their physical locations, we have the possibility of physically hiding their locations. ... The basic idea for this system goes like this:
1) A person writes a message and encrypts it with PGP. 2) That person then posts his message to the "anonymous messages" newsgroup. 3) A remailer scanning the newsgroup picks up the message, decrypts it, strips the headers and makes it anonymous, and sends it to its destination.
This doesn't really help. The only information that's different in this approach is in fields that are removed by the remailer before it goes to the folks who get upset. I suppose it might improve the traffic analysis situation somewhat, though, by making it harder for the analyst to collect all the data.
To offer further protection for the remailers, a random system could be devised to ensure that no one knows exactly which remailer scans a particular message at a particular time. ... A series of remailers would be used to decrypt anonymous messages. A "token" (like the token ring of IBM fame) would be passed back and forth between all of the Cryptoclients in the remailer network, so that only one remailer would be "active" at any given time. This token would be passed back and forth at random, so no one would know exactly which remailer is being used to anonymize a message.
Why bother? It means all the remailers need to share the same key, making it impossible to add a new remailer without verifying that it isn't a CoS/NSA/FBI/whatever tentacle. A vastly simpler solution would be to have all the remailers scanning all the time, and only forwarding those messages encrypted with its key.
The "token" is the key to this remailing system. This token would include necessary information such as the last message scanned, and to coordinate timing among the remailers. This will work to avoid duplication of messages.
This also significantly overestimates the efficiency of news propagation. Two remailers at distant parts of the net see news messages arrive in different orders --- often a message received at one point won't reach the other for up to a day.
The vulnerability of the remailer system, in my opinion, rests in the fact that a remailer is physically located in a certain place. This makes the remailer a target for attacks, as shown by the futile efforts (so far) of the so-called "church" of Scientology to silence the remailers at anon.penet.fi and xs4all.nl.
Thus the need to locate them in countries where such supression is not supported. The vexing part is -- those places seem to have poor connectivity. We need to provide a feed to Freedonia. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
From my experience operating two remailers, ALL complaints are the result of SENDING messages, not RECEIVING them. This is how I can tell: my two remailers, hal@alumni.caltech.edu and hfinney@shell.portal.com, are different. The first one is run on a "free" account whereas the second I
Modemac proposes sending messages to remailers via newsgroup postings. This is not a bad idea, although I would not use a shared secret key for all remailers, but rather use a stealth system and encrypt for a specific remailer. However, it doesn't go to the crux of the problem. pay $20 to $50 a month for. Also, the management at Portal has demonstrated commitment to cypherpunk type goals. So I view that remailer as much stronger, politically. As a result I have my alumni.caltech.edu remailer configured to forward all messages via the portal remailer. That means that no one will EVER see an anonymous message from hal@alumni.caltech.edu. People can send messages to that remailer, but they come out via the portal one. Now, since I have set it up this way, which was about two years ago, I have not received a single complaint about operating the remailer at alumni.caltech.edu. Nobody sends me mail saying "your system is accepting objectionable messages." Instead, all the complaints I get are about the Portal remailer (averaging one per week, probably). People complain when they receive a message or newsgroup posting that they find objectionable. They don't care if some system is accepting messages. They care about the system which is sending them. This has always been the weak link in the remailer system: the last remailer in the chain takes the political and legal heat. If there is ever a libel or copyright infringement suit, or criminal prosecution, against a remailer it will almost certainly be against the last remailer in the chain. Those are the source of the complaints and those are the ones which people try to shut down. So I don't think schemes to produce "virtual remailers" and such are going to work unless you have a very secure remailer as the last in the chain. And once you have that there is not much need to change the system for accepting messages into the remailer net. Hal
Hal said:
This has always been the weak link in the remailer system: the last remailer in the chain takes the political and legal heat.
A cause of this is that the last remailer is the only agent in a position to see the message before delivery, so it can be argued that it should take responsibility for the decision to deliver. If you split the message into shadows, you avoid having anyone in this position. It can then be argued that nobody should pass along random noise from unknown parties... you can't solve political problems with technology, but you can make the politics increasingly absurd. Well, maybe it wouldn't be considered too absurd. "Remailing unknown data is like letting scruffy-looking people put things in your carry-on luggage."? Pretty close, if you think speech is a bomb. -- Eli Brandt eli+@cs.cmu.edu
Eli Brandt writes:
A cause of this is that the last remailer is the only agent in a position to see the message before delivery, so it can be argued that it should take responsibility for the decision to deliver. If you split the message into shadows, you avoid having anyone in this position. It can then be argued that nobody should pass along random noise from unknown parties... you can't solve political problems with technology, but you can make the politics increasingly absurd.
As I mentioned in a reply to Modemac I just sent, the recipient's MDA in this scheme reassembles the shadows/fragments into the intended message. So it would only be possible to send anonymous mail to recipients who have Message Gluing Agents on their accounts. I posit that such people are likely to be anonymity-friendly, and thus unlikely to complain vociferously about any anonymous mail they receive. This protocol generally could not be used to send anonymous mail to public fora -- mailing lists, newsgroups, etc. -- except some freewheeling places like cypherpunks which don't object to conventional anonymized mail anyway. However, I foresee a slight possibility that a split delivery scheme like this could fall into favor in some circles as a compromise <ahem> "solution". The requirement that the recipient take an active role in accepting anonymous mail could reduce the traditional spam/harassment complaints to a minimal level. -Futplex <futplex@pseudonym.com>
Eli Brandt <eli@UX3.SP.CS.CMU.EDU> writes:
If you split the message into shadows, you avoid having anyone in this position.
I think splitting the message would be OK, but then the question is who is responsible for reassembling it? If there were a "reassembly server" which took such messages, assembled them, and forwarded them, then we would be right back where we started from. If the end user is responsible for reassembly, then that is tantamount to voluntarily agreeing to receive anonymous messages, and that is no problem. The complaints we get are virtually 100% from people who didn't want to receive such messages, or see them posted. And of course anonymous news postings via shadows would also have the reassembly problem. Hal
Hal said:
I think splitting the message would be OK, but then the question is who is responsible for reassembling it? If there were a "reassembly server" which took such messages, assembled them, and forwarded them, then we would be right back where we started from. If the end user is responsible for reassembly, then that is tantamount to voluntarily agreeing to receive anonymous messages, and that is no problem.
I was thinking that the recipient would be responsible -- otherwise, there's not much point. Yes, this is particularly awkward for news. Also, the sender would probably have to do the splitting, to avoid presenting any remailer with the whole message. Is there really "no problem" if the recipient does the merging? If Child Terrorist A is communicating with Child Terrorist B, law enforcement is going to be unhappy. I imagine you don't get too many complaints about that, but it's part of the political argument against remailers. -- Eli Brandt eli+@cs.cmu.edu
-----BEGIN PGP SIGNED MESSAGE----- Hello, Hal <hfinney@shell.portal.com> wrote: (replying to Eli Brandt <eli@UX3.SP.CS.CMU.EDU>)
I think splitting the message would be OK, but then the question is who is responsible for reassembling it? If there were a "reassembly server" which took such messages, assembled them, and forwarded them, then we would be right back where we started from. If the end user is ...
Not really. Wouldn't there be a different politic to reassembling messages as opposed to anonymous remailing? Such a reassembly server could cooperate with the authorities, nay, even precede each message with a PGP-signed list of where the various pieces came from. On second thoughts that last is a bad idea (because you might want the first line to be eg a reply block), but such a list could be published on WWW by Message-ID (or Subject, or ...). The remailers thus implicated have the defence that they could not possibly have known the contents of the message, because it was split. Actually, the same end can be achieved by having a non-anonymous remailer, which simply decrypts and mails - and cooperates with the authorities. It doesn't even need to strip the headers. However, such a thing would probably have no other function than this so it might be harder to run. (A reassembly server would have the stated function of implementing k-of-n splits, eg for key/document escrow etc. Pieces coming in anonymously would be merely permitted, not expected.) BTW: s1018954@aix2.uottawa.ca wrote:
On Wed, 18 Oct 1995, t byfield wrote: ...
header-forging: it's a practical fact of the net, and one that maybe shouldn't be overlooked on (basically vague) 'moral' grounds, any more than
The courts can't overlook it either. There goes liability. If I posted pirated software from this account, according to what you're saying, I could claim a forgery and show reasonable doubt.
I understand that a post of mine on Cypherpunks had certain piece of CoS scripture added to it. The original post was signed, and the person or persons responsible did not attempt to include the addition within the signed part (merely attached it to the end) so the signature still checked out. Even on cypherpunks somebody replied to that addition with the attribution "Jiri Baum wrote" without noting it wasn't signed by me. (Called it "drivil", too, but I guess that's between him, his English teacher and the CoS.) "Richard Martin" <rmartin@aw.sgi.com> replied to s.: ...
*If* we were all wonderful little cypher-junkies and signed everything, then we might plausibly be able to deny forged mail: "I ...
Well, I sign everything, don't I? (Somebody please tell me if I don't.) No I don't have it hard-coded into my mailer. However it's easy enough to do as it is: ":w qqq", switch windows or ^Z, "pgp -sat qqq", go back, "dG:r qqq.asc". ...
I'm looking forward to the point where my mail reader will sort things according to reputations I give correspondents, and perhaps flag mail ...
Yup. Why don't you write one? ("cypherpunks write code") Hope that makes sense... Jiri - -- If you want an answer, please mail to <jirib@cs.monash.edu.au>. On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMIWnqCxV6mvvBgf5AQH5rgQAuQb2Q86dlORTGyByuZA9Uw1P+66gqune FWWc6uNFYysP6pjX0kl+Z3BVlYLJieRrY5wO/J1pJDOXcJC4NqAShfW8gXpA0F27 kkNc9yE+418ppdF5tyInjOGAHdeQyLQ0Klqthb2lBXo7pjAagEc9wXnlCRT8sj1i 9FXXZ4yDgjs= =Bnu1 -----END PGP SIGNATURE-----
Modemac writes:
The basic idea for this system goes like this:
1) A person writes a message and encrypts it with PGP. 2) That person then posts his message to the "anonymous messages" newsgroup. 3) A remailer scanning the newsgroup picks up the message, decrypts it, strips the headers and makes it anonymous, and sends it to its destination.
Just for the record, I'll note this is a fairly old idea (cf. the Cyphernomicon, news:alt.anonymous, news:alt.anonymous.messages, etc.) [...]
A "token" (like the token ring of IBM fame) would be passed back and forth between all of the Cryptoclients in the remailer network, so that only one remailer would be "active" at any given time. This token would be passed back and forth at random, so no one would know exactly which remailer is being used to anonymize a message.
I don't see how this is possible given widespread RFC 822 compliance. Any given message must be sent from some particular address. I see two main options: (1) The remailed-message is sent as a single message from a single remailer. That remailer is subject to various sorts of pressure if the remailed- message offends its recipient. (2) The remailed-message is sent as several messages from several remailers. The recipient's MDA reassembles the fragments into the remailed-message. Any or all of those remailers are subject to pressure if the remailed- message offends the recipient. Either way, at least one remailer is subject to pressure for sending a specific piece of email. (If the token is passed around randomly, then it might be more difficult for an adversary to predict which remailer will send the _next_ message. However, adversaries such as Cof$ are interested in assailing remailers that have _already_ sent messages, due to the content of those messages. They can tell which remailer sent _past_ messages, which is what they need.) -Futplex <futplex@pseudonym.com>
participants (7)
-
David Lesher -
Eli Brandt -
futplex@pseudonym.com -
Hal -
Jiri Baum -
Modemac -
Scott Brickner