Email traffic analysis (Was: Who bought off Zimmermann?)

Bill Stewart bill.stewart@pobox.com
Tue Sep 3 17:43:17 PDT 2013


At 08:43 PM 8/30/2013, grarpamp wrote:
> > On 8/30/13, Jon Callas <jon@callas.org> wrote:
> > What we're learning from Snowden is that they're doing traffic analysis --
> > analyzing movements, social graphs, and so on and so forth. The irony here
> > is that this tells us that the crypto works.
>
>Are we sure? This seems to tell us they are doing traffic analysis
>and so forth.
>It doesn't seem to say much about cryptanalytic capabilities. For all we know
>they could have all the crypto in the bag but need analysis to identify
>talkers due to people being exceedingly careful about the message content.
>
>"Blue hen rides over the book on the left side when the sun is low.
>Do you copy?"

If they know that Alice and Bob have been sending mail to each other,
that's often more valuable than the traffic itself.
Certainly for the model that says they're tracking two or three degrees
of separation from Alice the Foreigner, with a court letting them demand
that ISPs hand over any plaintext they have, though you can avoid some of that
by using remailers.

 >>> Received:, Message-ID:, etc.
Those are tricky. They're not really part of SMTP, they're part of
the email message.
A "pen register" style of wiretapping the envelope gets you the
SMTP headers TO and FROM and the IP addresses and email options,
but at least if you're using SMTP encryption you won't get the message headers.
On the other hand, if you're just using PGP or S/MIME on the message body,
you do get them, so that's not going to help alice@gmail.com much.
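
The layering described in the last paragraph, as an added example that is not part of the original post: the Python sketch below classifies the client side of one constructed SMTP session and returns what is readable on the wire with and without STARTTLS. The hosts, addresses, message and function names are assumptions made for illustration.

```python
# Added example; hosts, addresses and the message are constructed sample data.
MESSAGE = [
    "Received: from laptop.example.org by mx.example.org; Tue, 3 Sep 2013 17:00:00 -0700",
    "Message-ID: <20130903.1@example.org>",
    "From: alice@example.org",
    "To: bob@example.net",
    "",
    "-----BEGIN PGP MESSAGE-----",
    "(ciphertext elided in this sample)",
    "-----END PGP MESSAGE-----",
]

def client_lines(starttls):
    """Client side of one SMTP session, optionally upgrading with STARTTLS."""
    pre = ["EHLO mx.example.org"] + (["STARTTLS", "EHLO mx.example.org"] if starttls else [])
    envelope = ["MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.net>", "DATA"]
    return pre + envelope + MESSAGE + [".", "QUIT"]

def classify(lines):
    """Label each client line as smtp command, envelope, message header or body."""
    out, state = [], "cmd"
    for line in lines:
        if state == "cmd":
            verb = line.split(":")[0].upper()
            layer = "envelope" if verb in ("MAIL FROM", "RCPT TO") else "smtp"
            if line.upper() == "DATA":
                state = "header"          # message headers start after DATA
        elif line == ".":
            layer, state = "smtp", "cmd"  # lone dot ends the message
        elif state == "header" and line == "":
            layer, state = "body", "body" # blank line separates headers from body
        else:
            layer = state
        out.append((layer, line))
    return out

def wire_view(lines):
    """Lines readable on the wire: everything sent after STARTTLS is TLS ciphertext."""
    seen = {"smtp": [], "envelope": [], "header": [], "body": []}
    for layer, line in classify(lines):
        seen[layer].append(line)
        if line.upper() == "STARTTLS":
            break
    return seen

if __name__ == "__main__":
    for tls in (False, True):
        view = wire_view(client_lines(tls))
        print("STARTTLS" if tls else "PGP body only", {k: len(v) for k, v in view.items()})
```

STARTTLS covers a single hop only: each relay that terminates TLS still handles the envelope and the message headers in the clear, and the IP addresses of the connection stay visible throughout.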
