From: Ben Holiday <ncognito@gate.net>
Date: Wed, 22 May 1996 14:13:48 +0800
To: "Daniel R. Oelke" <droelke@rdxsunhost.aud.alcatel.com>
Subject: Re: An alternative to remailer shutdowns
In-Reply-To: <9605212219.AA05501@spirit.aud.alcatel.com>
Message-ID: <Pine.A32.3.93.960521183731.12238A-100000@seminole.gate.net>
MIME-Version: 1.0
Content-Type: text/plain




On Tue, 21 May 1996, Daniel R. Oelke wrote:

> 
> Ben Holiday <ncognito@gate.net> wrote:
> > At this point there are 2 options, which I havnt examined closely: The
> > first is that you require them to send a request for their "consent-code"
> > which can be used to decrypt the mail. Under this arrangment you could
> 
> This could be done with no "storage" as well, by a slightly
> different method and still require end reciepient acknowledgement. 
> The end reciepient could be required to reply and include the encrypted
> message. The remailer would then decrypt the message and send back the 
> plaintext.  Only storage would be the key vs. a message id database.

Well, if we've gone that far, why not attach an encrypted copy of the key
to the peice of mail, and eliminate all storage from the r-ops machine? 


> > The second is to simply include the
> > consent-code along with the encrypted peice of mail and a legal notice
> > stating that decryption of the mail constitutes your consent to receive
> > the mail, as well as your agreement to hold the remailer-operator harmless
> 
> By reduction - you could just do a rot13 on the message and 
> append the "legal notice".   If all the information for decoding
> a message is present in that message, is a different encoding
> mechanism really any different from straight ASCII text?  
> (i.e. Netscape 9.13 might have auto decoding built it....)
> Then, the user doesn't do anything "extra" - does this invalidate 
> the notice?

Donno. IANAL. :)

> I might be wrong, but I don't think that this second method would
> gain you anything in the 2 situations where operators will get 
> hassled.  1) Posting of copyrighted material - the lawyers will
> at least harass you no matter what kind of legal notice is up front.
> 2) Mailing of "harassing" information - the person still gets
> unwanted email, and has no way to stop it.

[RANT MODE ON- skip to the next paragraph if you dont like politiks]

Here we are back at step one again. In the end, it would seem that there
isn't much that can be done about the worst forms of abuse, without
filtering mail for content. However, someone pointed out that other
package delivery services have acheived freedom from responsibilty for the
content of the packages they deliver - and I beleive that a part of the
explanation for this lies in the fact that they /do/ make attempts to
limit abuse in-so-far as they are able. Part of limiting the remailers
liability is tied up with legitimizing them as a useful service, and
establishing to the public that we are concerned with abuse. Too many
people beleive that the whole point of a remailer is to facilitate illegal
and abusive communication, and unless that changes we can expect to be
dealt with as criminals at worst, or at best as purposfully negligent.

I'm not certain what the solution is, but I am certain that doing nothing
isnt it...

[RANT MODE OFF--]

One idea that came up a while back was a sort of limited tracking of mail
-- an example would be keeping a hash of the email address where mail was
received from for 48 hours, with the hash value being attached to the
peice of mail as a header.

This would accomplish two things: We could source block an address without
knowing the source; and if push came to shove an address could be
backtracked to its original source, provided a complaint was made in time,
and that the Bad Guy sent another mail from the same address. I think
that legally there would be a good argument that the remailer ops had made
a reasonable attempt and holding lawbreakers accountable, while still
preserving the anonymity of non-abusers.



Just a thought.. 

Ben.