ZKS mail system questions (RE: anonymity)

[Adam Back]

I think the 2.0 mail system has a number of advantages over the
reply-blocks based 1.0 pseudonymous mail system, though a couple of
disadvantages.  These trade offs are documented in the mail system
white paper.

	http://www.freedom.net/info/whitepapers/

In summary for people who don't want to wade through a wide paper, ZKS
version 2 mail system is a POP and SMTP server you connect to
pseudonymously via the freedom network and therefore tunnel your SMTP
and POP sessions through the freedom cloud.

The system is put together with Dan Bernstein's popular qmail high
performance mail system to build ZKS' mail hub and pop account system.

The differences are that ZKS has a number of qmail modifications to
deal with pseudonym to internet and internet to pseudonym mail.  (To
encrypt incoming mail for the pseudonym and a few other things to do
with authentication).  The details are in the white paper.

> Does zk traffic traverse public networks (via VPN or otherwise)?

In the case of the connections between the user, the nodes in the
freedom network, and the ZKS mail system the traffic is all routed
over the internet.  The nodes in the freedom network are operated by a
mixture of owners.  Some ISPs, some individuals interested in privacy
and some ZKS operated.  The user can choose which nodes he trusts.

There is a diagram in the mail system white paper showing the internal
communications inside the mail system.  However these are just
messages passing information between the mail system cluster of
machines and are inside a firewall.  Conceptually you can consider
this cluster as a single machine owned by ZKS.  The point is if you
are connecting pseudonymously you have limited need to trust ZKS mail
system because it doesn't know who you are, and further, nym to nym
mail is end to end encrypted.  

The mail server sees nym to internet user and internet user to nym
mail bodies, but so does any passive eavesdropper sniffing packets
entering and leaving the mail system as the internet user has no
compatible client software, unless the nym and internet user use end
to end encryption software such as openPGP or S/MIME.  The mail system
does encrypt internet to nym mail for the nym's key so it doesn't have
data it can read after the fact, although clearly it could record it,
at least it protects against after the fact requests to decrypt mail
-- ZKS can't decrypt it because only the nym has the keys.

> Do these networks collect packet data (to, say, analyse attacks)?

The freedom network is operated by third parties.  ZKS to my knowledge
makes all attempts to not log things and to set up the software so
that it does not.  Third party operators may or may not record data.
Whether you trust third party operators or ZKS to not log is a matter
of personal taste, and why you want distributed trust -- so you can
choose who to trust based on your opinions of who is trustworthy (or
more correctly which set of nodes can be trusted not to collude -- a
mutually distrusting pair of nodes operated by NSA and KGB might
provide pretty good security even if you didn't trust either of them,
if you trust their paranoia prevents them from colluding or
collaborating).

The software is not setup or written to log anything which could lead
to privacy leaks we audit what it does log for error tracking for
privacy and correlation implications.  So no.  It would probably be
difficult to log enough to analyse attacks without logging enough to
erode privacy.  But then as the system attempts to offer distributed
trust, you should not have to trust that a given node does not log all
that it could log and this is the case with limitations as discussed
below.

> Do they stagger packet transmissions to confuse origin and
> destination?

The freedom network supports only interactive pseudonymous tunnels.

You might think that this would allow a timing correlation attack on
the mail system by getting ISP usage logs and comparing freedom users
online time with outgoing mails as there are no (significant) delays
in the freedom mail system.  However one of the advantages of the
freedom 2.0 mail system over the 1.0 reply block based one is that web
and mail traffic act as cover for each other.  An ISP log just shows
when you logged on, not when you uploaded mail.  The window of time in
which you send mail may allow some users to be excluded from being
potential originators of a message, and this effect can be
cummulative.  The same argument would apply to necessarily interactive
internet activity -- ISP logs together with logs of pseudonymous
behavior can lead to correlations.  This latter effect is a general
attack on any pseudonymity system even with a perfect idealised mix
net.  You can observe and correlate input and output activity based on
time if the inputs are not continously connected, continuously sending
traffic and 100% failure free.  (A tall order).  Mail traffic does not
need to be completely interactive.  15 mins or even an hours delay may
be quite acceptable and allows more cover in terms of potential
originators.  We are looking at this for mail 2.1.

> Do they only broadcast real data and no masking data?

In freedom 2.0 the freedom network used fixed sized data packets at
the transport layer with end to end crypto between the user and the
exit node.  There are however other things which limit the amount of
privacy and anonymity you can get from an interactive communications
tunnel implemented on top of best effort routing, and selectively and
plausbily deniably DoSable IP.  There was discussion of this on this
list a few months back with comments from Lucky Green and Wei Dai.
These issues are discussed somewhat in "Freedom 2.0 security issues
and analysis" at the same URL as above.  

Anton Stiglic, Ulf Moeller and I have a paper submitted to the
Information Hiding Workshop which discusses these issues a little more
formally which hopefully should stimulate discussion from Lucky and
others, and hopefully encourage the crypto community to explore the
open questions we pose in the area of interactive anonymous
communications.

> And if they properly conceal data how well do they scale?  With all
> the encryption of traffic, etc. ZK's adoption by isps, etc. etc. is
> a scalability question.

The encryption is a constant factor.  Each user uses 1, 2 or 3 hops
and therefore incurs the bandwidth between those hops, and the CPU
load on those nodes to do the keyexchanges to set the link up and the
bulk encrypt and decrypt to do the end-to-end crypto, but once the key
exchange is done an entry level PC can do blowfish at 16MB/sec (there
are other overheads in the freedom nodes, but it's quite fast).  So if
you imagine going from 10 nodes to 20 nodes it can support almost
linearly more users based purely on crypto overhead.  The trickier
thing to get right is scalable topology management and scalable PKI
for the authentication of node and nym keys.

> 2. is their e-mail system really anonymous? if i were a known bad
> actor, le might be capturing data from my pc or my isp or my phone
> company directly.  why bother worming through zk networks?  

Because your data is end-to-end encrypted through the freedom cloud
tunneled through a pseudonymous tunnel?

> oh, and if someone could respond to you via your anonymous zk e-mail
> address, isn't that an instantaneous-tag-the-sender tool for le?
> Gee, let's see the recipe for this...serve zk a search warrant, map
> zk address 'A' to e-mail address 'B' and there you have it: easier
> than instant jello pudding.  Nice system for anonymizing traffic to
> companies, bad system if you're trying to get away with something
> you shouldn't.

The mail system doesn't work like penet.fi -- there is no map of nyms
to users.  Users pick up their mail pseudonymously from a mailbox in
the pseudonym name.  It's a third type of pseudonymous mail system.
In the taxonomy of cryptographically secured replyable email systems

- alpha nymserver with reply blocks (or manually maintained and
  managed reply blocks).  freedom 1.0 mail system worked like this
  also.

- freedom 2.0 mail system (pop mail account accessed via pseudonymous
  IP tunnel over anonymous IP network)

The have different properties.

- reply blocks are subpoena-able, because they are not forward secret.

- reply blocks get good cover because they rely on mixing.  But you
  can flood them and watch the flow of traffic because there is no
  replay protection as it does not make sense if people are allowed to
  send arbitrary amounts of mail.  (Mixmaster has replay protection
  but that is for sending not receiving).

- pseudonymous pop boxes have forward secrecy because all
  communications with them are forward secret and they have no
  remaining information which could identify users encrypted or
  unencrypted.

- pseudonymous pop boxes don't have distributed trust mixing, or
  delays.  usability advantage, but potential security disadvantage.
  One could envisage adding trust-the-pop-server delays, or perhaps
  alternate routing rules inside the anonymity network to have
  distributed trust mixing and delays for delivery to the mail system.
  This would a bit like using mixmaster to deliver mail.

> [...].  so i'll go out on a limb and predict now that anonymous
> email is going to be nearly impossible for them to sell to more than
> 1/2 of 1% of the world.  

Predicting privacy and anonymity system uptake is an interesting
discussion.  Do users care?  It seems that many users probably think
they are fairly anonymous and untouchable just using the internet with
no privacy tools.  Until they get snarled up in some chat room law
suit for some dubm-ass defamation suit, or whatever.  Perhaps this
will change, perhaps not.  Also general public perception of
"anonymity" and "privacy" are quite different though one is necessary
to obtain the other.  We see LEs trying to do news management and
color people's opinion of privacy.

> plus would you want to receive anonymous e-mail?

Who is "Phillip Zakas" is that a nym?  Does it matter?  What about
hotmail accounts?  Who is dave123 at hotmail.com, superman at hotmail.com,
etc.  Most email accounts for normal purposes are nyms.  So I'd
suspect in most cases the recipient simply wouldn't care or even
notice.

> 4. ZK is a commercial entity, ergo cooperation with everyone.  I'm
> sure they have IPO plans.  They claim IBM as a partner (actually IBM
> is selling them stuff, but these days anyone who sells you equipment
> is a 'partner'...I see this every day).  If a grandma in illinois is
> going to invest in their company when it goes public, is she going to
> be happy that drug dealers, stalkers and pedophiles use this network?
> I don't think so.  I'm sure there are contingency plans for
> 'revealing' activity when served with a subpeona and/or a search
> warrant.  

ZKS is about cryptographically assured privacy with "zero knowledge",
This means the systems are designed with distributed trust, which
means the threat model is that users don't have to trust ZKS.  So
clearly if they don't trust ZKS it doesn't matter what info ZKS does
or does not give to LE because ZKS does not know anything to give
them.

> 5. Is ZK a spammers tool?  If truly secure and anonymous,
> etc. etc. etc. why couldn't the spam king use it? If it is a spammers
> tool will ZK be blackholed?  

There are mail sending limits.  Currently around 250 mails per day per
nym.  Junk mailers want to send 100s of thousands per hour.  Not much
of a haven for that activity.

> I don't believe a commercial entity, especially a US-based one with
> IPO plans, can market themselves as a full anonymizing service for
> e-mail.  

ZKS is development is done in Canada.  ZKS has servers in a number of
US and European and other locations.

> I think anonymous e-mail is best achieved through a cooperative,
> non-commercial program of unaffiliated individuals (with no
> commercial worries, and lots of jurisdictions around the world), or
> by simply purchasing pre-paid internet access, or if i were a
> wealthy bad actor find a more expensive solution.

There are a number of anonymous mail systems, and combinations of
things that can be used to achieve anonymity even though they weren't
designed for it competing (commercial and non-commercial).  I'm sure
the market will decide which is used, or if the market even cares
about the whole issue.  The deciding factors will be the usual things:
tradeoffs of convenience, usability, reliability, compatibility, cost
etc.

- mixmaster (anonymous send only, no receive)
- freedom mail (pseudonymous send and receive)
- alpha nym server systems (pseudonymous send and receive -- based on
  cypherpunk remailer reply blocks)
- a bunch of penet.fi like systems (trust me send and receive
  pseudonymity) I think proxymate works like this, plus it has target
  revokable mail, which is handy.
- a bunch of "trust me" pop/smtp proxies -- seem to be just ISP like
  setups with the addition that they say "trust us not to record your
  IP address"
- privada (trust me pseudonymous send and receive with a twist -- it
  has a publicly declared spook backdoor -- carnivore enabled -- see
  their press release
  http://www.privada.com/news/releases/20000717.html)
- open access web proxies and hot mail accounts
- anonymizer.com and hot mail accounts
- anonymizer.com shell accounts which have mail I presume
- anonymizer.com shell accounts accessed via freedom network (freedom
  supports SSH) -- anonymous SSH account -- how cool is that..

All interesting stuff.

Adam

Personal opinions only, of course.