From: Kevin L Prigge <Kevin.L.Prigge-2@tc.umn.edu>
Date: Wed, 9 Oct 1996 15:26:49 -0700 (PDT)
To: tcmay@got.net (Timothy C. May)
Subject: Re: "Forward Privacy" for ISPs and Customers
In-Reply-To: <v03007802ae819385a300@[207.167.93.63]>
Message-ID: <325c26935621002@noc.tc.umn.edu>
MIME-Version: 1.0
Content-Type: text/plain


Timothy C. May said:
> However, there are certain things my phone company does *not* do. They
> don't keep _copies_ (recordings) of my phone conversations. This means a
> court order can't yield copies of past conversations. They also don't track
> incoming phone calls to me. (I don't believe such records of incoming phone
> calls are kept; maybe I'm wrong. Certainly with Caller ID, storing incoming
> phone numbers is possible....I just don't think local or regional phone
> companies care about such records, and hence don't bother to accumulate
> them.)

I had heard through the grapevine about a year ago that US West (the
local Phone Monopoly) was required to turn over a list of all phones
that called a certain local number. I don't recall what the details,
but it implies that records of calls (from, to, possibly duration) are
kept at least for a time.

> Something ISPs could do--and may do if there is sufficient customer
> pressure--is to adopt a policy of "forward secrecy" (to slightly abuse this
> technical term). That is, to have an explicit policy--implemented in the
> software--of _really_ deleting the back messages once a customer downloads
> them to his site. This means that _backups_ must be done in a careful
> manner, such that even the backup tapes or disks are affected by a removal.

Interesting thought, but it fails when it gets to my scale. It would
be trivial to exclude a file or set of files from normal backup, but
it would be problematic to exclude files from filesystem dumps, etc.
The scale I deal with (40,000 users, 12gb of /home directory files and
about the same in the mail spool) would make it almost impossible to
provide this service with accuracy to my users.

> But if no logs and backup tapes of mail are kept, at least the job of
> gaining access to communications is made more difficult.

I've been concerned about system logging on remailers, and what kind of
traffic details they could leave. If a remailer operator doesn't control
the machine that the remailer runs on, there can be no guarantee that 
traffic information is unavailable to someone with a warrant or a gun.
It wouldn't be to much of a stretch to imagine a coordinated raid of
all remailers, to "capture a terrorist ring" or some other likely
excuse.

-- 
Kevin L. Prigge                     | Some mornings, it's just not worth
Systems Software Programmer         | chewing through the leather straps.
Internet Enterprise - OIT           | - Emo Phillips
University of Minnesota             |