> ----------
> From: Black Unicorn[SMTP:[EMAIL PROTECTED]]
>
> > At some point I will probably begin keeping logs that expire after a
> > period of several hours, so that I can identify and block spammers. I'm
> > interested in your thoughts on this, Uni. Is the defense "I never retain
> > logs longer than 2 hours; they are automatically deleted out of disk
> space
> > considerations" as string as the first one? (This is how many remailers
> > are configured. But even if the remailers all kept logs, if users are
> > chaining their messages through multiple remailers, anonymity should
> still
> > be preserved.)
>
> See my (huge) posting on this, but I would suspect that this isn't great.
> Were I operating one, which I am admittedly not, I'd want there to be no
> data
> of evidentiary value ever hitting my memory or media. To some degree
> that's
> not possible. In the alternative, actually _disabling_ logging is the
> best
> policy, in my view. The evidence never existed in the first place then.
> It
> suddenly becomes a challenge to show some kind of conspiracy on your part
> since the actual spoliation claim is harder to make. Showing conspiracy
> for
> anything with respect to either probably starts hard and gets marginally
> less
> hard in this order:
>
> a) A middle remailer in a multiple chain that knows nothing (little)
> about
> original sender, content or recipient. [...]
> b) A back end remailer in a multiple chain that knows nothing (little)
> about
> content or original sender. [...]
> c) A front end remailer in a multiple chain that knows nothing (little)
> about content or recipient. [...]
> d) A "one hop" remailer.
[...]
You're forgetting
e) A remailer which silently ignores (and deletes) all mail which is
not still encrypted after the remailer's decryption key is applied.
(Complaints from Choate that I don't show how to distinguish
encrypted vs cleartext mail with 100% accuracy will be silently
ignored (and deleted).)
This protects the remailer operator from:
(1) having any knowledge of the ultimate destination of the mail,
since there is a good possibility that the next email address
is just another remailer.
(2) having any knowledge of the content of the email, since it is
still encrypted. Thus, a remailer operator in Afghanistan doesn't
knowingly pass on copies of 'The Satanic Verses'.
(3) passing on 99.9999% of spam. Spammers do not use encrypted
mail - it requires far too much per-message processing, in terms of
obtaining public keys, constructing nested encrypted messages, etc.
And yes, BU's point about not generating logs at all is well taken -
I've not looked at remailer software, but commenting out a few lines
should take care of this. If I ran one, I might consider keeping
aggregate data (# of messages/week, MB/week), but I can't see anything
useful I'd do with individual message data.
This ties into the discussion about headless, disposable remailers - many
of the discussed designs have no mass storage to speak of, so of course
they would not keep logs.
Peter Trei
