Remailer logs

Black Unicorn unicorn at schloss.li
Sun Aug 5 18:32:49 PDT 2001


----- Original Message -----
From: "Tim May" <tcmay at got.net>
To: <cypherpunks at lne.com>
Sent: Sunday, August 05, 2001 3:36 PM
Subject: Remailer logs


> On Sunday, August 5, 2001, at 03:01 PM, Aimee Farr wrote:

> > Yes. Unless it is of special relevance. For example:
> >
> > Dear company:
> >
> > I just wanted to write you and tell you that the microwave that I bought
> > from you exploded. Thought you should know. Nobody was hurt, thank
> > goodness!
> > Maybe something is wrong with it?
> >
> > Thanks,
> >
> > Mrs. Smith
> >
> > The above wouldn't just be any old email now would it?

Mr. May replies:

> Which is why important letters and notifications which may be relevant
> in some future case are almost always sent via registered mail, served
> in person, and so on.

...and why some lawsuit-attracting materials are sent via remailers.  And this
I think is the point.

> There is a big difference between a legal notice like "You are hereby
> notified of a possible defect in your Whackomatic product and copies of
> this letter have been sent to your legal offices and with the Better
> Business Bureau." and "Hey, I hope you kept that e-mail I sent you last
> year."

Yes, but in two of the cases I cited no such notice was sent or required.
Moreover, the remailer operator is in a much _worse_ position with respect to
this issue.  How can he or she know which emails are of potential probative
value to a court?  The remailer operator who gets a _single_ complaint
arguably should have to retain _all_ logs and correspondence indefinitely
after that and archive it as he/she is on notice that one or more might be
infringing and he/she has no ability to distinguish which one will be
important- at least under this argument.

> Likewise, communications are frequently channeled to specific addresses
> ("Send product warranty queries to ....") and are even discarded
> ("Unsolicited manuscripts and letters sent to Big Studio, Inc. are
> destroyed").

But now we are talking about communications sent through third parties with
much more established content immunity (postal service, common carriers, etc.)
Remailers don't seem to be at that level yet.  We are also moving the
discussion to the potential liability of a company who receives these things,
a direct party to the suit, rather than where it was originally, on the
potential liability of a third party for "spoliation" of "evidence" they
wittingly or unwittingly handled.

Making comparisons to Big Studio, Inc. and such avoids the basic point I think.
Big Studio, Inc. for one- has a much more legitimate set of reasons to have a
_document_ destruction policy.  Storage costs and etc.  Now, Big Studio, Inc.
has even _less_ reason to destroy email.  It's easy to archive, bits don't
weigh much (anything), it's cheap compared to paper storage and CD-Rs have a
good shelf life (15-50 years I think I once read?  Your mileage may vary).

What compelling reason does Bob's garage housed remailer service have to
destroy information related to the content that passes his wires.  The first
and most obvious answer is the exact and stated purpose of the remailer-
obscuring information about that content's source, destination and etc.  This
is the problem.  Impossible to deal with?  No.  Criminal?  Maybe, but the
circumstances would have to be extreme.  Potentially the subject of a costly
civil suit?  Potentially.  Potentially subjecting the remailer operator to
subpoena or other nonsense?  Definitely.  Already happened.  It's like someone
(Mr. May?) once said about y2k: It's not the odds, it's the stakes.  A little
insurance goes a long way.

With respect to third parties it's clear that liability for spoliation can
exist.  It's also clear that that can be based on mere negligence.  It's also
clear that there need be no proceeding in progress.  The third party can be
entirely ignorant of a potential case.  All of this is worrisome.

> Now, is there some _specific_ legislation requiring either these kinds
> of "records retention" or "manuscript submission" policies? Maybe in
> some cases, by direct legislation. Certainly not for remailer logs,
> which is the point James and others of us have been making.

Specific legislation?  Not needed.  Of course the first thing we look for is
specific legislation- that makes the job easy.  The reality is that there is
rarely a statute that speaks directly to a new issue like the liability of
remailers for "infringing" content or thought crime distribution.  If there
were, lawyers wouldn't be needed.  (That would be a nice change).

On the flip side it means that prosecutors, in the absence of a specific
statute, are going to stretch what they have and that legislators (trying to
keep up with the lack of specific statutes for technical issues) will write
nice broad laws to keep the prosecutors (which they once probably were
themselves) happy.

Also remember, that criminal liability (which would be covered by statute)
isn't necessarily all we are worried about.  For the graduate
student/salaryman remailer operator civil liability would be much the same
problem, if not worse since if it got to that point the powers driving civil
litigation would probably be better funded and incented than would the feds
_and_ in some cases (copyright, DMCA, Antitrust etc.) will _also_ have the
feds to play with.  Combine copyright with DMCA, Adobe and a remailer and you
have something potentially really ugly for a remailer operator.  He/she might
not even be the focus of the suit, but get steamrolled in the process-
typical.

> Is there a _custom_ for some of these policies? Sure. Lawyers probably
> keep most letters which come to them...but probably don't worry about
> e-mail too much. (I used to correspond with several lawyers. Should I
> expect that they kept my e-mails? Of course not.)

Well, given that there are at least 3 examples I know of where e-mail
destruction (even in Microsoft's case where it was made to look "routine" and
linked with a newly developed policy) was used successfully to impose
sanctions or modify jury instructions I think there is ample precedent for
concern.  Also, as I've pointed out, destruction policies do help some, but
not all _that_ much and the only reason they help is because the large company
has a legitimate reason for the policies (storage costs, maintenance costs,
sorting costs- mostly costs).  Again, Bob's remailing service isn't going to
have that argument (of course the battle of the experts might ensue where Bob,
at his own expense and with the $67.50 legal defense fund raised by the
cypherpunks hires Mr. Trei or someone similar to testify about how these are
normal and best practices- but I'd be surprised if that made a whole lot of
difference).

Let's just try to step out of techno-think here for a second.  If you tell joe
sixpack that Bob is running a service that strips off the headers of email for
the purposes of rendering the sender anonymous (not to mention all the other
things mixmaster does far beyond this simple measure) and that Bob not only
full well knew this but fully intended to provide this service- add to that
the fact that it would be pretty easy to show that remailer operators knew (or
should have known) that their service was highly likely to attract illicit or
otherwise litigation attracting content (this is the point right?)- I think
it's a pretty safe bet joe sixpack is going to nod his head a lot at the
prosecutor despite the objections of all these young whipper-snapper
techno-weenies making clever "but it's not REALLY destroying the data, it's
just making it totally inaccessible for 900 years without the right key"
arguments.  Now that's just joe sixpack.  I haven't even gotten to thinking
much about what a judge will think of what the prosecution will inevitably
call an "evidence destruction engine."

Here's how I might play this out as a prosecutor:

Mr. Smith, you run a service called the "nobody" mixmaster remailer?
And this service destroys identifying information from incoming electronic
mail before passing it on to the next destination?
So the purpose of this service is to mask the identity of the sender?
If say, I wanted to send a death threat, this would mask my identity fairly
well?
I could probably get away with that then, couldn't I?
The police would be powerless?
The FBI?
Indeed, your service has been carefully designed with that kind of threat model
in mind?
And are you aware of any legal proceedings involving other remailers?
Are you aware of a similar service offered called the "Free Zone" at
blah at blah.net?
So you aren't aware of the legal complications involving that remailer and the
Church of Scientology?
Your honor, I'd like to introduce Exhibit D, conversations on a mailing list
discussing the design of the mixmaster remailer in which the designers and
other participants discuss mixmaster remailer use in deterring legitimate law
enforcement and civil investigations and the Scientology incident
specifically.
I'd also like to introduce Exhibit E, a list of the email addresses of
recipients on that list during these discussions.
If the witness could please read line 453, highlighted on the sheet there.
Is that your email address?
Does that refresh your memory, you _were_ on this mailing list during these
discussions weren't you?
So you were aware of these design criteria, to deny identifying evidence to
lawful authorities or civil litigants?
Excuse me, to provide the users with.... total anonymity.  I'm sorry.
Mr. Smith, do you charge for users of the remailer?
So is it safe to say that you don't intend to profit from this service?
Then your motivation for running the service is... to help people destroy
evidence then?
Ok, sorry your honor, withdrawn.
Then your motivation for running this service is definitely not for profit?
You're a good citizen, as it were?
Yes, of course you are.
You destroy all logs about users of the service, isn't that correct?
Excuse me, you "fail to record" any information about users of the service?
I'm confused.  Someone sends an electronic mail to your service, it has a
"reply to" or a "from" header on it when it arrives, correct?
But before sending it on to its destination, you destroy this information,
correct?
Excuse me.  Delete it.  Whatever.  I see.
So people would use this service to mask their identity, if they didn't want
to be responsible for the content they are sending perhaps?
And someone committing a crime, something untraceable, they would be able to
hide behind your service wouldn't they?
But that is a risk of running the service yes?
What about, say a drug deal?
A death threat?
Something libelous?
So wouldn't it be safe to say that a reasonable person might expect some abuse
of such a service by criminals?
Isn't it true that you have an abuse at blah.net address to deal with this
precise eventuality?
So you expected there might be legal problems?
blah blah blah

Now, I've omitted the witness's responses, the myriad of objections and such
that such an exchange would certainly create, but I think it makes a point.
Whatever the outcome of this exchange in terms of the record, the 50+ year old
gray haired Reagan appointee behind the bench and the idiots who couldn't
figure out how to dodge jury duty are going to get a pretty distinct
impression of this service.  It just plain looks bad.  This is what I have to
keep pointing out.  It doesn't _matter_ if it's technically kosher.  It just
plain looks bad.  I'd be surprised if some of the jury members didn't write
their congressmen insisting a law be passed to rid us of this scourge of
remailers after a clever prosecutor got to them.

We need to work hard on making remailers look better in this kind of a
scenario.  Granted it's extreme, but that's how cypherpunks define their
threat models- no?  Overkill is our friend in security design, plus, it's
usually pretty cheap to add 64 bits to a key.

I've only thrown this example together using typical prosecutorial tricks (use
of the word "mask" instead of hide, use of the word "destroy" instead of
strip, work in a parade of horribles, etc. etc.) that came to me off the top
of my head.  Yes yes, armchair lawyers, I've led the witness a few times and
such to keep the space down, but I could get it all in with twice the space if
I really wanted to.  So could any good courtroom lawyer.  I'm sure someone who
had prepared carefully would be plenty more sophisticated about it, and run
the witness into plenty more traps than I bothered to get into.

> What about the role of _technology_? With the technology of formal
> letters, printed on formal legal department letterheads, and with filing
> cabinets in offices across the land, the _technology_ fits with the
> _custom_ of filing every letter received. With e-mail, which is
> ephemeral, subject to inadvertent erasure (hit the wrong key and it's
> gone), subject to erasure or misfiling during housecleaning, hard disk
> crashes, reformattings, or just plain switching mailers, there is much
> less expectation of permanence.

But that's going away slowly.  The EPM, digital signatures, archival services,
all of these things are moving towards permanence, not away from it.  I can
find ancient posts I forgot I even wrote from years back on google or anywhere
else.  I can't find any of the paper copies of papers I wrote from back then
anymore in anything less than 2 hours of looking.  I'd say digital technology
is doing just fine in this regard.  Sure, there's bit rot, but it's closely
coming to be not much more significant than microfiche run, or paper mold,
perhaps even less so with the introduction of cheap CD-R technologies and
coming cheap DVD-R technologies.  If anything the persistence of archives and
search engines is having the reverse effect, one of the reasons I started
using a nym in the first place, one of the reasons I continue to.

Also, courts are constantly whining about the potential destruction of
evidence in such a way that it's caused major erosions of the 4th.  No-knock
searches are primarily justified at the threat of lost evidence to the court.
E-mail and electronic data is the ultimate threat for lost evidence.  It takes
just a power interruption to destroy all the information (read: evidence) on a
poorly (properly?) designed system.  Doesn't that make you wonder if
eventually, over the next several years these sorts of things are going to be
taken much more seriously?

When there is no more "smoking memo" because the office is mostly paperless,
the smoking e-mail is going to be the king of the Hollywood courtroom drama
scene.  Expect e-mail to get more, not less onerous for people handling it.

[Good stuff about Lessig removed]

> Getting back to remailer logs for a moment, why is a remailer any more
> responsible for keeping detailed logs than a person like me is for
> keeping logs of what mail I received, whom I bounced it over to, and so
> on?

Because the case is much easier to make that a remailer operator knew or
should have known that there was the potential for content coming across his
service to be the subject of a dispute.  That's the whole point of the
remailer.  It shifts the risk and costs of investigation to the remailer
operators, from the sender.  It follows that in the efficient market the
remailer operators are the best able to deal with that risk and those costs,
hence their willingness to shoulder that burden.  I think today that's not
necessarily so and given that the risk of handling illicit information has
geometrically increased over the last few years (DMCA etc. etc. ad nauseam)
it only follows that remailer operators should follow suit and augment their
risk management efforts.

The inescapable reality- despite all the window dressing we might put on them-
is that remailers perform a single function- making email untraceable- from
which a few purposes legitimate- free speech, recovery groups, human rights,
whistleblowers- and illegitimate- libel, copyright violation, etc.- may stem.
I'm going to take the liberty of pointing out (without taking a position one
way or the other) that even the _legitimate_ purposes are somewhat at odds
with the interests of courts and the judicial system.  Specifically, someone
admitting they have just bought and currently possess 2 grams of cocaine on
narcotics anonymous and god if they aren't trying to resist using it if only
their NA buddy would answer the phone- is a contemporaneous admission of a
felony (to wit: possession of narcotics) in which a court has a legitimate
interest in preserving the evidence for (whatever you think of drug laws or
the jurisdictions of courts and etc.)  Whistleblowers are probably in
violation of an NDA somewhere.  They are circumventing law for the "higher
good."  That "higher good" is generally going to be a matter of perspective
and it will vary in its weighted importance depending on the individual.  (One
man's freedom fighter, another man's terrorist, etc.).

Remailers are a "short circuit" of some of the really poor and unfortunate
outcomes of all information being traceable and available to courts.  (Insert
discussion of importance of anonymity and its critical role in everything from
political speech to the founding fathers, the federalist papers etc.)  But
let's be frank and recognize that not everyone, particularly non-cypherpunkish
types, will appreciate that or consider that a "good thing"(tm).  To these
people a prosecutor's description of an "evidence destroying engine" is going
to probably stick- even if it was objected right out of the record (which it
may or may not have been) and the jury instructed to disregard it (which they
may or may not have been).  Some of the high end plaintiff's lawyers I've
encountered and worked with will actually test their catch phrases ("evidence
destroying engine") on focus groups to see what sticks- what they can slip in
that will stay with jurors even if they can't read it in the record later.
Sometimes they will do these things by adding in what they know about the
jurors.  GM and Hogan & Hartson were very good at this- using demographic
information about the jury to tailor "objected away" comments to stick in the
minds of mothers, single working professionals, etc. right to the end.

> The fact that Robb London might be "very interested" in where I
> bounced Jim Bell's mail to does NOT mean I had any obligation to keep
> detailed records, presumably in a form not subject to erasure or loss
> through routine misadventures of the computer kind.

Depends on how you want to define obligation.  Do you think a manufacturer of
a product has an obligation to keep old design notes around for over a decade
even when their attorney tells them they can toss 'em?  Do you think a car
dealer has an obligation to keep around every used car they ever get their
hands on, instead of selling them, on the off chance they might be evidence in
a suit?  Do you think Microsoft has an obligation to keep every single email
they ever sent just in case they one day get sued for Antitrust?  I don't.
Courts have all found some level of obligation (of varying severity/intensity)
in these examples.  I think they are all patently silly.  I think they are bad
law.  Doesn't change the fact that they are precedent.

The key factor in all these is that information a court wanted seemed to be in
the possession or control of these parties at one time or another.  A remailer
operator, in my view, is much likelier to be in a position to handle such
information, or be seen as a potential source of the information, than the
same individual not running a remailer.

> And as James keeps ragging about, if they haven't gone after Microsoft
> for "spoliating" as MS got rid of old e-mail and limited employee
> planners and notes, they surely can't go after the operator of the
> noisebox remailer, for example, for failing to keep logs of all traffic
> from May 19, 1999 to May 24, 1999.

But they DID go after MS.  And MS was almost sanctioned for it and it _was_ in
the jury instructions.  Remember also that Microsoft lost at trial.

Moreover MS knew this was a potential problem and therefore specifically did
_not_ have an email destruction policy in place before the suit- at odds with
some of the fervent (and totally unsupported) claims by persons here that they
did.  They had a very aggressive e-mail _retention_ policy.  As early as 1992
they asserted that all U.S. emails were preserved for fifteen (15) years.  (!)
See, e.g., Los Angeles Times, November 5, 1998.  See also generally: Wendy
Goldman Rohm's outstanding book "Microsoft File: The Secret Case Against Bill
Gates."  Microsoft then instituted a far less inclusive "retention policy"
(See Caldera v. Microsoft) and also an "upgrade policy."  As it happened the
"upgrades" didn't convert over the old mail.  This was the subject of the
potential sanctions and quite a to-do at the time.  Mind you, these were all
in the context of "routine" destruction.  Since then I understand from third
parties that they have changed their policy and now archived email is pretty
much allowed to slowly rot and general disinterest paid to archives, no policy
is actually implemented- much better looking really.  Just careless, not
malicious.

> (And, by the way, conventional
> remailer logs, it would seem, would be of incoming traffic and outgoing
> traffic. The guts of the "request-remailing-to" operation, in either
> Cypherpunks Type I or 1 or Mixmaster remailers happens inside another
> program. It would take extra twiddling of the logging software to
> actually add a report saying "Incoming message #71734 was pooled and was
> sent out 23 minutes and 18 seconds later as outgoing message #70219."

A compelling technical argument.  Not so compelling without lots of expert
testimony in court.  _I_ agree with you, Mr. May.  I'm pointing out that we
need to find ways to give remailer operators more shielding than these kind of
technical arguments- which courts do not traditionally have an easy time
understanding.  (Napster, MPAA, RIAA, Microsoft, etc.).

> Standard Unix or Linux logs should not be very helpful, and keeping them
> is not required by any current statute. (CALEA may have stuff in it
> about logs, but the LEAs have yet to push in this direction. Certainly
> an ex post facto law penalizing someone for violating CALEA when no
> CALEA standards/precedents are established would be a reach.)

Again, the fact that no statute exists hardly gets you out of the woods- none
of the cases I cited rely on a statute to impose sanctions, except for the
relevant rules of civil procedure and potentially obstruction of justice,
which is such a catch-all that it can be applied here.  (CALEA is dead at sea-
and I hope it stays that way).

Mr. May later comments:

> By the way, my insurance companies, financial advisors, and real estate
> agents will NOT take e-mail orders or instructions. Morgan Stanley Dean
> Witter, for example, will NOT take orders or instructions in e-mail.

My broker, banker, and financial advisors all will accept signed email
instructions from me.  I rarely give instructions this way, however- that's
personal preference.  They are not the only ones either.  I know of three
large trading operations that use email now to deal with large contract
trades.  (They used to use fax).  Moreover they keep archives for 10 years of
all their customer e-mails.