1995-01-06 - Re: Remailer Abuse

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: nelson@crynwr.com
Message Hash: 9aeaeadeaeff65550e6cc3434f867968be5cd1b222d0e7e345cadf8656a5f715
Message ID: <Ij3P7Kn0Eyt5AxI6Zx@nsb.fv.com>
Reply To: <28351.789422888.1@nsb.fv.com>
UTC Datetime: 1995-01-06 21:15:51 UTC
Raw Date: Fri, 6 Jan 95 13:15:51 PST

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Fri, 6 Jan 95 13:15:51 PST
To: nelson@crynwr.com
Subject: Re: Remailer Abuse
In-Reply-To: <28351.789422888.1@nsb.fv.com>
Message-ID: <Ij3P7Kn0Eyt5AxI6Zx@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


Excerpts from mail: 6-Jan-95 Re: Remailer Abuse nelson@crynwr.com (779)

>    From: jrochkin@cs.oberlin.edu (Jonathan Rochkind)

>    In a First Virtual payment-scheme remailernet, no matter how many remailers
>    I send my message through, any _one_ operator, together with First Virtual,
>    can burst my anon bubble.

> Why?  Why wouldn't the FV remailers use settlements?  At the end of
> the month, everyone settles accounts in re who gets what fraction of
> what.  No logs are needed other than counters.

I hate to say it, because I generally tend to take the pro-FV side of
most arguments :-), but I think Jonathan's closer to the mark in this
case.  If mail goes through ten remailers, and they ALL charge via First
Virtual, then the last one in the chain won't have to know who you are,
but it will have to know your FV billing account.  Thus it, together
with FV, have enough information to break anonymity.

This is NOT the same as saying that ANY one operator, together with FV,
can burst anonymity; it means that the last one + FV can do so.  I
think, however, that you'd need to break into the last one to get enough
information to allow the next-to-last one to figure out the right FV-id.
 (This assumes that you're tracing the message from its ultimate
destination, not monitoring traffic as it passes through the remailers
-- in the latter case, Jonathan is probably right on the mark.)

Personally, for my taste this is sufficiently anonymous for any
reasonable purpose.  HOWEVER, I can imagine how to make it even more
anonymous.  Imagine that there are ten for-profit anonymous remailer
operators who form an "anonymous remailers consortium".  Each of them
operates TWO remailers, a for-pay one and a free one, but the free one
will only take things that have come directly via some consortium
member's anonymous remailer, so your message has to be paid for once, at
the entry point to the overall system.    Now you can build up a chain
that STARTS with a payment, but then threads its way through a bunch of
less traceable systems. where the operators can't give tracing
information even under court order.  The consortium members would
probably have to agree to some revenue sharing arrangements, but you
could make this work.  

I think this level of engineering is overkill -- for my personal level
of paranoia, I would settle for a single for-pay anonymous remailer
located in a country with very different laws than those that governed
the payment system.    Such a system would probably be "breakable" for
the legal pursuit of genuine terrorists, but not for government
harassment of political dissidents, closet gays from conservative
countries, pornographers, etc.   I guess my basic assumption is that
while any given government can not be trusted with too much power, if
you can't distribute your trust for such things across several very
different governments, human freedom may be a lost cause in the long run
anyway.  -- Nathaniel





Thread