1995-10-18 - Re: Anonymity: A Modest Proposal

Header Data

From: Scott Brickner <sjb@universe.digex.net>
To: Modemac <modemac@netcom.com>
Message Hash: 6ad07cc2f66cc51e1c75f7f00de1f08f58719b3ff44d5dd1fd6ab3d358da6acb
Message ID: <199510181652.MAA02409@universe.digex.net>
Reply To: <Pine.3.89.9510180431.A22347-0100000@netcom4>
UTC Datetime: 1995-10-18 16:52:37 UTC
Raw Date: Wed, 18 Oct 95 09:52:37 PDT

Raw message

From: Scott Brickner <sjb@universe.digex.net>
Date: Wed, 18 Oct 95 09:52:37 PDT
To: Modemac <modemac@netcom.com>
Subject: Re: Anonymity: A Modest Proposal
In-Reply-To: <Pine.3.89.9510180431.A22347-0100000@netcom4>
Message-ID: <199510181652.MAA02409@universe.digex.net>
MIME-Version: 1.0
Content-Type: text/plain

Modemac writes:
>The vulnerability of the remailer system, in my opinion, rests in the
>fact that a remailer is physically located in a certain place.
>Since the prime vulnerability of the remailers rests in their physical
>locations, we have the possibility of physically hiding their
>The basic idea for this system goes like this:
>     1) A person writes a message and encrypts it with PGP.
>     2) That person then posts his message to the "anonymous messages"
>        newsgroup.
>     3) A remailer scanning the newsgroup picks up the message,
>        decrypts it, strips the headers and makes it anonymous, and
>        sends it to its destination.

This doesn't really help.  The only information that's different in
this approach is in fields that are removed by the remailer before it
goes to the folks who get upset.  I suppose it might improve the
traffic analysis situation somewhat, though, by making it harder
for the analyst to collect all the data.

>To offer further protection for the remailers, a random system could
>be devised to ensure that no one knows exactly which remailer scans a
>particular message at a particular time.
>A series of remailers would be used to decrypt anonymous messages.
>A "token" (like the token ring of IBM fame) would be passed back and
>forth between all of the Cryptoclients in the remailer network, so
>that only one remailer would be "active" at any given time.  This
>token would be passed back and forth at random, so no one would know
>exactly which remailer is being used to anonymize a message.

Why bother?  It means all the remailers need to share the same key,
making it impossible to add a new remailer without verifying that it
isn't a CoS/NSA/FBI/whatever tentacle.

A vastly simpler solution would be to have all the remailers scanning
all the time, and only forwarding those messages encrypted with its

>The "token" is the key to this remailing system.  This token would
>include necessary information such as the last message scanned, and
>to coordinate timing among the remailers.  This will work to avoid
>duplication of messages.

This also significantly overestimates the efficiency of news propagation.
Two remailers at distant parts of the net see news messages arrive
in different orders --- often a message received at one point won't
reach the other for up to a day.