8.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

8.2 - SUMMARY: Anonymity, Digital Mixes, and Remailers
 8.2.1. Main Points
  - Remailers are essential for anonymous and pseudonymous
     systems, because they defeat traffic analysis
  - Cypherpunks remailers have been one of the major successes,
     appearing at about the time of the Kleinpaste/Julf
     remailer(s), but now expanding to many sites
  - To see a list of sites:  finger remailer-
     list@kiwi.cs.berkeley.edu
     ( or http://www.cs.berkeley.edu/~raph/remailer-list.html)
  - Anonymity in general is a core idea
 8.2.2. Connections to Other Sections
  - Remailers make the other technologies possible
 8.2.3. Where to Find Additional Information
  - Very little has been written (formally, in books and
     journals) about remailers
  - David Chaum's papers are a start
 8.2.4. Miscellaneous Comments
  - This remains one of the most jumbled and confusing
     sections, in my opinion. It needs a lot more reworking and
     reorganizing.
  + Partly this is because of several factors
    - a huge number of people have worked on remailers,
       contributing ideas, problems, code, and whatnot
    - there are many versions, many sites, and the sites change
       from day to day
    - lots of ideas for new features
    - in a state of flux
  - This is an area where actual experimentation with remailers
     is both very easy and very instructive...the "theory" of
     remailers is straighforward (compared to, say, digital
     cash) and the learning experience is better than theory
     anyway.
  - There are a truly vast number of features, ideas,
     proposals, discussion points, and other such stuff. No FAQ
     could begin to cover the ground covered in the literally
     thousands of posts on remailers.

8.3 - Anonymity and Digital Pseudonyms
 8.3.1. Why is anonymity so important?
  - It allows escape from past, an often-essential element of
     straighening out (an important function of the Western
     frontier, the French Foreign Legion, etc., and something we
     are losing as the dossiers travel with us wherever we go)
  - It allows new and diverse types of opinions, as noted below
  - More basically, anonymity is important because identity is
     not as important as has been made out in our dossier
     society. To wit, if Alice wishes to remain anonymous or
     pseudonymous to Bob, Bob cannot "demand" that she provide
     here "real" name. It's a matter of negotiation between
     them. (Identity is not free...it is a credential like any
     other and cannot be demanded, only negotiated.)
  - Voting, reading habits, personal behavior...all are
     examples where privacy (= anonymity, effectively) are
     critical. The next section gives a long list of reasons for
     anonymity.
 8.3.2. What's the difference between anonymity and pseudonymity?
  + Not much, at one level...we often use the term "digital
     pseudonym" in a strong sense, in which the actual identity
     cannot be deduced easily
    - this is "anonymity" in a certain sense
  - But at another level, a pseudonym carries reputations,
     credentials, etc., and is _not_ "anonymous"
  - people use pseudonyms sometimes for whimsical reasons
     (e.g., "From spaceman.spiff@calvin.hobbes.org   Sep 6, 94
     06:10:30"), sometimes to keep different mailing lists
     separate (different personnas for different groups), etc.
 8.3.3. Downsides of anonymity
  - libel and other similar dangers to reputations
  + hit-and-runs actions (mostly on the Net)
    + on the other hand, such rantings can be ignored (KILL
       file)
      - positive reputations
  - accountability based on physical threats and tracking is
     lost
  + Practical issue. On the Cypherpunks list, I often take
     "anonymous" messages less seriously.
    - They're often more bizarre and inflammatory than ordinary
       posts, perhaps for good reason, and they're certainly
       harder to take seriously and respond to. This is to be
       expected. (I should note that some pseudonyms, such as
       Black Unicorn and Pr0duct Cypher, have established
       reputable digital personnas and are well worth replying
       to.)
  - repudiation of debts and obligations
  + infantile flames and run-amok postings
    - racism, sexism, etc.
    - like "Rumormonger" at Apple?
  - but these are reasons for pseudonym to be used, where the
     reputation of a pseudonym is important
  + Crimes...murders, bribery, etc.
    - These are dealt with in more detail in the section on
       crypto anarchy, as this is a major concern (anonymous
       markets for such services)
 8.3.4. "How will privacy and anonymity be attacked?"
  - the downsides just listed are often cited as a reason we
     can't have "anonymity"
  - like so many other "computer hacker" items, as a tool for
     the "Four Horsemen": drug-dealers, money-launderers,
     terrorists, and pedophiles.
  - as a haven for illegal practices, e.g., espionage, weapons
     trading, illegal markets, etc.
  + tax evasion ("We can't tax it if we can't see it.")
    - same system that makes the IRS a "silent partner" in
       business transactions and that gives the IRS access to--
       and requires--business records
  + "discrimination"
    - that it enables discrimination (this _used_ to be OK)
    - exclusionary communities, old boy networks
 8.3.5. "How will random accusations and wild rumors be controlled in
   anonymous forums?"
  - First off, random accusations and hearsay statements are
     the norm in modern life; gossip, tabloids, rumors, etc. We
     don't worry obsessively about what to do to stop all such
     hearsay and even false comments. (A disturbing trend has
     been the tendency to sue, or threaten suits. And
     increasingly the attitude is that one can express
     _opinions_, but not make statements "unless they can be
     proved." That's not what free speech is all about!)
  - Second, reputations matter. We base our trust in statements
     on a variety of things, including: past history, what
     others say about veracity, external facts in our
     possession, and motives.
 8.3.6. "What are the legal views on anonymity?"
  + Reports that Supreme Court struck down a Southern law
     requiring pamphlet distributors to identify themselves. 9I
     don't have a cite on this.)
    - However, Greg Broiles provided this quote, from _Talley
       v. State of California_, 362 U.S. 60, 64-65, 80 S.Ct.
       536, 538-539 (1960) : "Anonymous pamphlets, leaflets,
       brochures and even books have played an important role in
       the progress of mankind. Persecuted groups and sects from
       time to time throughout history have been able to
       criticize oppressive practices and laws either
       anonymously or not at all."
       
       Greg adds: "It later says "Even the Federalist Papers,
       written in favor of the adoption of our Constitution,
       were published under fictitious names. It is plain that
       anonymity has sometimes been assumed for the most
       constructive purposes." [Greg Broiles, 1994-04-12]
       
  + And certainly many writers, journalists, and others use
     pseudonyms, and have faced no legal action.
    - Provided they don't use it to evade taxes, evade legal
       judgments, commit fraud, etc.
  - I have heard (no cites) that "going masked for the purpose
     of going masked" is illegal in many jurisdictions. Hard to
     believe, as many other disguises are just as effective and
     are presumably not outlawed (wigs, mustaches, makeup,
     etc.). I assume the law has to do with people wearning ski
     masks and such in "inappropriate" places. Bad law, if real.
 8.3.7. Some Other Uses for Anonymous Systems:
  + Groupware and Anonymous Brainstorming and Voting
    - systems based on Lotus Notes and designed to encourage
       wild ideas, comments from the shy or overly polite, etc.
    - these systems could initially start in meeting and then
       be extended to remote sites, and eventually to nationwide
       and international forums
    - the NSA may have a heart attack over these trends...
  + "Democracy Wall" for encrypted messages
    - possibly using time-delayed keys (where even the public
       key, for reading the plaintext, is not distributed for
       some time)
    - under the cover of an electronic newspaper, with all of
       the constitutional protections that entails: letters to
       the editor can be anonymous, ads need not be screened for
       validity, advertising claims are not the responsibility
       of the paper, etc.
  + Anonymous reviews and hypertext (for new types of journals)
    + the advantages
      - honesty
      -  increased "temperature" of discourse
    + disadvantages
      - increased flames
      - intentional misinformation
  + Store-and-forward nodes
    - used to facillitate the anonymous voting and anonymous
       inquiry (or reading) systems
    - Chaum's "mix"
    + telephone forwarding systems, using digital money to pay
       for the service
      - and TRMs?
  + Fiber optics
    + hard to trace as millions of miles are laid, including
       virtually untraceable lines inside private buildings
      - suppose government suspects encrypted packets are going
         in to the buildings of Apple...absent any direct
         knowledge of crimes being aided and abetted, can the
         government demand a mapping of messages from input to
         output?
      - That is, will the government demand full disclosure of
         all routings?
    - high bandwidth means many degrees of freedom for such
       systems to be deployed
  + Within systems, i.e., user logs on to a secure system and
     is given access to his own processor
    - in a 288-processor system like the NCR/ATT 3600 (or even
       larger)
    - under his cryptonym he can access certain files, generate
       others, and deposit message untraceably in other mail
       locations that other agents or users can later  retrieve
       and forward....
    - in a sense, he can use this access to launch his own
       agent processes (anonymity is essential for many agent-
       based systems, as is digital money)
  + Economic incentives for others to carry mail to other
     sites...
    - further diffusion and hiding of the true functions
  + Binary systems (two or more pieces needed to complete the
     message)
    - possibly using viruses and worms to handle the
       complexities of distributing these messages
    - agents may handle the transfers, with isolation between
       the agents, so routing cannot be traced (think of scene
       in "Double-Crossed" where bales of marijuana are passed
       from plane to boat to chopper to trucks to cars)
    - this protects against conspiracies
  + Satellites
    + physical security, in that the satellites would have to
       be shot down to halt the broadcasting
      + scenario: WARC (or whomever) grants broadcast rights in
         1996 to some country or consortium, which then accepts
         any and all paying customers
        - cold cash
        - the BCCI of satellite operators
    + VSATs, L-Band, Satellites, Low-Earth Orbit
      - Very Small Aperture Terminals
      - L-Band...what frequency?
      + LEO, as with Motorola's Iridium, offers several
         advantages
        - lower-power receivers and smaller antennas
        - low cost to launch, due to small size and lower need
           for 10-year reliability
        - avoidance of the "orbital slot" licensing morass
           (though I presume some licensing is still involved)
      - can combine with impulse or nonsinusoidal transmissions
 8.3.8. "True Names"
 8.3.9. Many ways to get pseudonyms:
  - Telnet to "port 25" or use SLIP connections to alter domain
     name; not very secure
  - Remailers
8.3.10. "How is Pseudonymity Compromised?"
  - slip-ups in style, headers, sig blocks, etc.
  - inadvertent revealing, via the remailers
  - traffic analysis of remailers (not very likely, at least
     not for non-NSA adversaries)
  - correlations, violations of the "indistinguishability
     principle"
8.3.11. Miscellaneous Issues
  - Even digital pseudonyms can get confusing...someone
     recently mistook "Tommy the Tourist" for being such an
     actual digital pseudonym (when of course that is just
     attached to all posts going througha particular remailer).

8.4 - Reasons for Anonymity and Digital Pseudonyms (and Untraceable E-Mail)
 8.4.1. (Thre are so many reasons, and this is asked so often, that
   I've collected these various reasons here. More can be added,
   of course.)
 8.4.2. Privacy in general
 8.4.3. Physical Threats
  + "corporate terrrorism" is not a myth: drug dealers and
     other "marginal" businessmen face this every day
    - extortion, threats, kidnappings
  + and many businesses of the future may well be less
     "gentlemanly" than the conventional view has it
    - witness the bad blood between Intel and AMD, and then
       imagine it getting ten times worse
    - and national rivalries, even in ostensibly legal
       businesses (think of arms dealers), may cause more use of
       violence
    + Mafia and other organized crime groups may try to extort
       payments or concessions from market participants, causing
       them to seek the relative protection of anonymous systems
      - with reputations
    + Note that calls for the threatened to turn to the police
       for protection has several problems
      - the activities may be illegal or marginally illegal
         (this is the reason the Mafia can often get involved
         and why it may even sometimes have a positive effect,
         acting as the cop for illegal activities)
      - the police are often too busy to get involved, what
         with so much physical crime clogging the courts
  - extortion and kidnappings can be done using these very
     techniques of cryptoanarchy, thus causing a kind of arms
     race
  + battered and abused women and families may need the
     equivalent of a "witness protection program"
    + because of the ease of tracing credit card purchases,
       with the right bribes and/or court orders (or even
       hacking), battered wives may seek credit cards under
       pseudonyms
      - and some card companies may oblige, as a kind of
         politically correct social gesture
      + or groups like NOW and Women Against Rape may even
         offer their own cards
        - perhaps backed up by some kind of escrow fund
        - could be debit cards
  + people who participate in cyberspace businesses may fear
     retaliation or extortion in the real world
    - threats by their governments (for all of the usual
       reasons, plus kickbacks, threats to close them down,
       etcl)
    - ripoffs by those who covet their success...
 8.4.4. Voting
  - We take it for granted in Western societies that voting
     should be "anonymous"--untraceable, unlinkable
  - we don't ask people "What have you got to hide?" or tell
     them "If you're doing something anonymously, it must be
     illegal."
  - Same lesson ought to apply to a lot of things for which the
     government is increasingly demanding proof of identity for
  + Anonymous Voting in Clubs, Organizations, Churches, etc.
    + a major avenue for spreading CA methods: "electronic
       blackballing," weighted voting (as with number of shares)
      + e.g., a corporation issues "voting tokens," which can
         be used to vote anonymously
        - or even sold to others (like selling shares, except
           selling only the voting right for a specific election
           is cheaper, and many people don't much care about
           elections)
      + a way to protect against deep pockets lawsuits in, say,
         race discrimination cases
        - wherein a director is sued for some action the
           company takes-anonymity will give him some legal
           protection, some "plausible deniability"
      + is possible to set up systems (cf. Salomaa) in which
         some "supervotes" have blackball power, but the use of
         these vetos is indistinguishable from a standard
         majority rules vote
        - i.e., nobody, except the blackballer(s), will know
           whether the blackball was used!
        + will the government seek to limit this kind of
           protocol?
          - claiming discrimination potential or abuse of
             voting rights?
    + will Justice Department (or SEC) seek to overturn
       anonymous voting?
      - as part of the potential move to a "full disclosure"
         society?
      - related to antidiscrimination laws, accountability,
         etc.
    + Anonymous Voting in Reputation-Based Systems (Journals,
       Markets)
      + customers can vote on products, on quality of service,
         on the various deals they've been involved in
        - not clear how the voting rights would get distributed
        - the idea is to avoid lawsuits, sanctions by vendors,
           etc. (as with the Bose suit)
      + Journals
        - a canonical example, and one which I must include, as
           it combines anonymous refereeing (already standard,
           in primitive forms), hypertext (links to reviews),
           and basic freedom of speech issues
        - this will likely be an early area of use
      - this whole area of consumer reviews may be a way to get
         CA bandwidth up and running (lots of PK-encrypted
         traffic sloshing around the various nets)
 8.4.5. Maintenance of free speech
  - protection of speech
  + avoiding retaliation for controversial speech
    - this speech may be controversial, insulting, horrific,
       politically incorrect, racist, sexist, speciesist, and
       other horrible...but remailers and anonymity make it all
       impossible to stop
  - whistleblowing
  + political speech
    - KKK, Aryan Resistance League, Black National Front,
       whatever
    - cf. the "debate" between "Locke" and "Demosthenes" in
       Orson Scott Card's novel, "Ender's Game."
  - (Many of these reasons are also why 'data havens' will
     eventually be set up...indeed, they already exist...homolka
     trial, etc.)
 8.4.6. Adopt different personnas, pseudonyms
 8.4.7. Choice of reading material, viewing habits, etc.
  - to prevent dossiers on this being formed, anonymous
     purchases are needed (cash works for small items, not for
     video rentals, etc.)
  + video rentals
    - (Note: There are "laws" making such releases illegal,
       but...)
  - cable t.v. viewing habits
  + mail-order purchases
    - yes, they need your address to ship to, but there may be
       cutouts that delink (e.g., FedEx might feature such a
       service, someday
 8.4.8. Anonymity in Requesting Information, Services, Goods
  + a la the controversy over Caller ID and 900 numbers: people
     don't want their telephone numbers (and hence identities)
     fed into huge consumer-preference data banks
    - of the things they buy, the videos they rent, the books
       they read. etc. (various laws protect some of these
       areas, like library books, video rentals)
    - subscription lists are already a booming resale
       market...this will get faster and more finely "tuned"
       with electronic subscriptions: hence the desire to
       subscribe anonymously
  + some examples of "sensitive" services that anonymity may be
     desired in (especially related to computers, modems, BBSes)
    + reading unusual or sensitive groups: alt.sex.bondage,
       etc.
      - or posting to these groups!
      - recent controversy over NAMBLA may make such
         protections more desirable to some (and parallel calls
         for restrictions!)
    - posting to such groups, especially given that records are
       perpetual and that government agencies read and file
       postings (an utterly trivial thing to do)
    - requesting help on personal issues (equivalent to the
       "Name Witheld" seen so often)
    + discussing controversial political issues (and who knows
       what will be controversial 20 years later when the poster
       is seeking a political office, for example?)
      - given that some groups have already (1991) posted the
         past postings of people they are trying to smear!
    + Note: the difference between posting to a BBS group or
       chat line and writing a letter to an editor is
       significant
      - partly technological: it is vastly easier to compile
         records of postings than it is to cut clippings of
         letters to editors (though this will change rapidly as
         scanners make this easy)
      - partly sociological: people who write letters know the
         letters will be with the back issues in perpetuity,
         that bound issues will preserve their words for many
         decades to come (and could conceivably come back to
         haunt them), but people who post to BBSes probably
         think their words are temporary
      + and there are some other factors
        - no editing
        - no time delays (and no chance to call an editor and
           retract a letter written in haste or anger)
        + and letters can, and often are, written with the
           "Name Witheld" signature-this is currently next to
           impossible to do on networks
          - though some "forwarding" services have informally
             sprung up
  + Businesses may wish to protect themselves from lawsuits
     over comments by their employees
    + the usual "The opinions expressed here are not those of
       my employer" may not be enough to protect an employer
       from lawsuits
      - imagine racist or sexist comments leading to lawsuits
         (or at least being brought up as evidence of the type
         of "attitude" fostered by the company, e.g., "I've
         worked for Intel for 12 years and can tell you that
         blacks make very poor engineers.")
    + employees may make comments that damage the reputations
       of their companies
      - Note: this differs from the current situation, where
         free speech takes priority over company concerns,
         because the postings to a BBS are carried widely, may
         be searched electronically (e.g., AMD lawyers search
         the UseNet postings of 1988-91 for any postings by
         Intel employees besmirching the quality or whatever of
         AMD chips),
    - and so employees of corporations may protect themselves,
       and their employers, by adopting pseudonyms
  + Businesses may seek information without wanting to alert
     their competitors
    - this is currently done with agents, "executive search
       firms," and lawyers
    - but how will it evolve to handle electronic searches?
    + there are some analogies with filings of "Freedom of
       Information Act" requests, and of patents, etc.
      + these "fishing expeditions" will increase with time, as
         it becomes profitable for companies to search though
         mountains of electronically-filed materials
        - environmental impact studies, health and safety
           disclosures, etc.
        - could be something that some companies specialize in
  + Anonymous Consultation Services, Anonymous Stringers or
     Reporters
    + imagine an information broker, perhaps on an AMIX-like
       service, with a network of stringers
      + think of the arms deal newsletter writer in Hallahan's
         The Trade, with his network of stringers feeding him
         tips and inside information
        - instead of meeting in secretive locations, a very
           expensive proposition (in time and travel), a secure
           network can be used
        - with reputations, digital pseudonyms, etc.
    + they may not wish their actual identities known
      - threats from employers, former employers, government
         agencies
      + harassment via the various criminal practices that will
         become more common (e.g., the ease with which
         assailants and even assassins can be contracted for)
        - part of the overall move toward anonymity
      - fears of lawsuits, licensing requirements, etc.
    + Candidates for Such Anonymous Consultation Services
      + An arms deals newsletter
        - an excellent reputation for accuracy and timely
           information
        + sort of like an electronic form of Jane's
          - with scandals and government concern
        - but nobody knows where it comes from
        + a site that distributes it to subscribers gets it
           with another larger batch of forwarded material
          - NSA, FBI, Fincen, etc. try to track it down
      + "Technology Insider" reports on all kinds of new
         technologies
        - patterned after Hoffler's Microelectronics News, the
           Valley's leading tip sheet for two decades
        - the editor pays for tips, with payments made in two
           parts: immediate, and time-dependent, so that the
           accuracy of a tip, and its ultimate importance (in
           the judgment of the editor) can be proportionately
           rewarded
        + PK systems, with contributors able to encrypt and
           then publicly post (using their own means of
           diffusion)
          - with their messages containing further material,
             such as authentications, where to send the
             payments, etc.
      + Lundberg's Oil Industry Survey (or similar)
        - i.e., a fairly conventional newsletter with publicly
           known authors
        - in this case, the author is known, but the identities
           of contributors is well-protected
      + A Conspiracy Newsletter
        - reporting on all of the latest theories of
           misbehavior (as in the "Conspiracies" section of this
           outline)
        + a wrinkle: a vast hypertext web, with contributors
           able to add links and nodes
          + naturally, their real name-if they don't care about
             real-world repercussions-or one of their digital
             pseudonyms (may as well use cryptonyms) is attached
            + various algorithms for reputations
              - sum total of everything ever written, somehow
                 measured by other comments made, by "voting,"
                 etc.
              - a kind of moving average, allowing for the fact
                 that learning will occur, just as a researcher
                 probably gets better with time, and that as
                 reputation-based systems become better
                 understood, people come to appreciate the
                 importance of writing carefully
      + and one of the most controversial of all: Yardley's
         Intelligence Daily
        - though it may come out more than daily!
        + an ex-agent set this up in the mid-90s, soliciting
           contributions via an anonymous packet-switching sysem
          - refined over the next couple of years
          - combination of methods
        - government has been trying hard to identify the
           editor, "Yardley"
        - he offers a payback based on value of the
           information, and even has a "Requests" section, and a
           Classifed Ad section
        - a hypertext web, similar to the Conspiracy Newsletter
           above
        + Will Government Try to Discredit the Newsletter With
           False Information?
          - of course, the standard ploy in reputation-based
             systems
          + but Yardley has developed several kinds of filters
             for this
            - digital pseudonyms which gradually build up
               reputations
            - cross-checking of his own sort
            - he even uses language filters to analyze the text
          + and so what?
            - the world is filled with disinformation, rumors,
               lies, half-truths, and somehow things go on....
      + Other AMIX-like Anonymous Services
        + Drug Prices and Tips
          - tips on the quality of various drugs (e.g.,
             "Several reliable sources have told us that the
             latest Maui Wowie is very intense, numbers
             below...")
          + synthesis of drugs (possibly a separate
             subscription)
            - designer drugs
            - home labs
            - avoiding detection
        + The Hackers Daily
          - tips on hacking and cracking
          - anonymous systems themselves (more tips)
        - Product evaluations (anonymity needed to allow honest
           comments with more protection against lawsuits)
    + Newspapers Are Becoming Cocerned with the Trend Toward
       Paying for News Tips
      - by the independent consultation services
      - but what can they do?
      + lawsuits are tried, to prevent anonymous tips when
         payments are involved
        - their lawyers cite the tax evasion and national
           security aspects
  + Private Data Bases
    + any organization offering access to data bases must be
       concerned that somebody-a disgruntled customer, a
       whistleblower, the government, whoever-will call for an
       opening of the files
      - under various "Data Privacy" laws
      - or just in general (tort law, lawsuits, "discovery")
    + thus, steps will be taken to isolate the actual data from
       actual users, perhaps via cutouts
      + e.g., a data service sells access, but subcontracts out
         the searches to other services via paths that are
         untraceable
        + this probably can't be outlawed in general-though any
           specific transaction might later be declared illegal,
           etc., at which time the link is cut and a new one is
           established-as this would outlaw all subcontracting
           arrangements!
          - i.e., if Joe's Data Service charges $1000 for a
             search on widgets and then uses another possibly
             transitory (meaning a cutout) data service, the
             most a lawsuit can do is to force Joe to stop using
             this untraceble service
          - levels of indirection (and firewalls that stop the
             propagation of investigations)
  + Medical Polls (a la AIDS surveys, sexual practices surveys,
     etc.)
    + recall the method in which a participant tosses a coin to
       answer a question...the analyst can still recover the
       important ensemble information, but the "phase" is lost
      - i.e., an individual answering "Yes" to the question
         "Have you ever had xyz sex?" may have really answered
         "No" but had his answer flipped by a coin toss
    + researchers may even adopt sophisticated methods in which
       explicit diaries are kept, but which are then transmitted
       under an anonymous mailing system to the researchers
      - obvious dangers of authentication, validity, etc.
  + Medical testing: many reasons for people to seek anonymity
    - AIDS testing is the preeminent example
    - but also testing for conditions that might affect
       insurablity or employment (e.g.,  people may go to
       medical havens in Mexico or wherever for tests that might
       lead to uninsurability should insurance companies learn
       of the "precondition")
    + except in AIDS and STDs, it is probably both illegal and
       against medical ethics to offer anonymous consultations
      - perhaps people will travel to other countries
 8.4.9. Anonymity in Belonging to Certain Clubs, Churches, or
   Organizations
  + people fear retaliation or embarassment should their
     membership be discovered, now or later
    - e.g., a church member who belongs to controversial groups
       or clubs
  - mainly, or wholly, those in which physical contact or other
     personal contact is not needed (a limited set)
  - similar to the cell-based systems described elsewhere
  + Candidates for anonymous clubs or organizations
    - Earth First!, Act Up, Animal Liberation Front, etc.
    - NAMBLA and similar controversial groups
  - all of these kinds of groups have very vocal, very visible
     members, visible even to the point of seeking out
     television coverage
  - but there are probably many more who would join these
     groups if there identities could be shielded from public
     group, for the sake of their careers, their families, etc.
  + ironically, the corporate crackdown on outside activities
     considered hostile to the corporation (or exposing them to
     secondary lawsuits, claims, etc.) may cause greater use of
     anonymous systems
    - cell-based membership in groups
  - the growth of anonymous membership in groups (using
     pseudonyms) has a benefit in increasing membership by
     people otherwise afraid to join, for example, a radical
     environmental group
8.4.10. Anonymity in Giving Advice or Pointers to Information
  - suppose someone says who is selling some illegal or
     contraband product...is this also illegal?
  - hypertext systems will make this inevitable
8.4.11. Reviews, Criticisms, Feedback
  - "I am teaching sections for a class this term, and tomorrow
     I am going to: 1) tell my students how to use a remailer,
     and 2) solicit anonymous feedback on my teaching.
     
     "I figure it will make them less apprehensive about making
     honest suggestions and comments (assuming any of them
     bother, of course)." [Patrick J. LoPresti
     patl@lcs.mit.edu, alt.privacy.anon-server, 1994-09-08]
8.4.12. Protection against lawsuits, "deep pockets" laws
  + by not allowing the wealth of an entity to be associated
     with actions
    - this also works by hiding assets, but the IRS frowns on
       that, so unlinking the posting or mailing name with
       actual entity is usually easier
  + "deep pockets"
    - it will be in the interest of some to hide their
       identities so as to head off these kinds of lawsuits
       (filed for whatever reasons, rightly or wrongly)
    - postings and comments may expose the authors to lawsuits
       for libel, misrepresentation, unfair competition, and so
       on (so much for free speech in these beknighted states)
    + employers may also be exposed to the same suits,
       regardless of where their employees posted from
      - on the tenuous grounds that an employee was acting on
         his employer's behalf, e.g., in defending an Intel
         product on Usenet
    - this, BTW, is another reason for people to seek ways to
       hide some of their assets-to prevent confiscation in deep
       pockets lawsuits (or family illnesses, in which  various
       agencies try to seize assets of anybody they can)
    - and the same computers that allow these transactions will
       also allow more rapid determination of who has the
       deepest pockets!
  + by insulating the entity from repercussions of "sexist" or
     "racist" comments that might provoke lawsuits, etc.
    - (Don't laugh--many companies are getting worried that
       what their employees write on Usenet may trigger lawsuits
       against the companies.)
  + many transactions may be deemed illegal in some
     jursidictions
    + even in some that the service or goods provider has no
       control over
      - example: gun makers being held liable for firearms
         deaths in the District of Columbia (though this was
         recently cancelled)
    - the maze of laws may cause some to seek anonymity to
       protect themselves against this maze
  + Scenario: Anonymous organ donor banks
    + e.g., a way to "market" rare blood types, or whatever,
       without exposing one's self to forced donation or other
       sanctions
      - "forced donation" involves the lawsuits filed by the
         potential recipient
      - at the time of offer, at least...what happens when the
         deal is consummated is another domain
    - and a way to avoid the growing number of government
       stings
8.4.13. Journalism and Writing
  + writers have had a long tradtion of adopting pseudonyms,
     for a variety of reasons
    - because they couldn't get published under their True
       Names, because they didn't _want_ their true names
       published, for the fun of it, etc.
    - George Elliot, Lewis Carroll, Saki, Mark Twain, etc.
  - reporters
  + radio disc jockeys
    - a Cypherpunk who works for a technology company uses the
       "on air personna" of "Arthur Dent" ("Hitchhiker's Guide")
       for his part-time radio broadcasting job...a common
       situation, he tells me
  + whistleblowers
    - this was an early use
  + politically sensitive persons
    - "
    + I subsequently got myself an account on anon.penet.fi as
       the "Lt.
      - Starbuck" entity, and all later FAQ updates were from
         that account.
      - For reasons that seemed important at the time, I took
         it upon myself to
      - become the moderator/editor of the FAQ."
      - 
  + Example: Remailers were used to skirt the publishing ban on
     the Karla Homolka case
    - various pseudonymous authors issued regular updates
    - much consternation in Canada!
  + avoidance of prosecution or damage claims for writing,
     editing, distributing, or selling "damaging" materials is
     yet another reason for anonymous systems to emerge: those
     involved in the process will seek to immunize themselves
     from the various tort claims that are clogging the courts
    - producers, distributors, directors, writers, and even
       actors of x-rated or otherwise "unacceptable" material
       may have to have the protection of anonymous systems
    - imagine fiber optics and the proliferation of videos and
       talk shows....bluenoses and prosecutors will use "forum
       shopping" to block access, to prosecute the producers,
       etc.
8.4.14. Academic, Scientific, or Professional
  - protect other reputations (professional, authorial,
     personal, etc.)
  - wider range of actions and behaviors (authors can take
     chances)
  - floating ideas out under pseudonyms
  - later linking of these pseudonyms to one's own identity, if
     needed (a case of credential transfer)
  -  floating unusual points of view
  - Peter Wayner writes: "I would think that many people who
     hang out on technical newsgroups would be very familiar
     with the anonymous review procedures practiced by academic
     journals. There is some value when a reviewer can speak
     their mind about a paper without worry of revenge. Of
     course everyone assures me that the system is never really
     anonymous because there are alwys only three or four people
     qualified to review each paper. :-) ....Perhaps we should
     go out of our way to make anonymous, technical comments
     about papers and ideas in the newsgroups to fascilitate the
     development of an anonymous commenting culture in
     cypberspace." [Peter Wayner, 1993-02-09]
8.4.15. Medical Testing and Treatment
  - anonymous medical tests, a la AIDS testing
8.4.16. Abuse, Recovery
  + personal problem discussions
    - incest, rape, emotional, Dear Abby, etc.
8.4.17. Bypassing of export laws
  - Anonymous remailers have been useful for bypassing the
     ITARs...this is how PGP 2.6 spread rapidly, and (we hope!)
     untraceably from MIT and U.S. sites to offshore locations.
8.4.18. Sex groups, discussions of controversial topics
  - the various alt.sex groups
  - People may feel embarrassed, may fear repercussions from
     their employers, may not wish their family and friends to
     see their posts, or may simply be aware that Usenet is
     archived in many, many places, and is even available on CD-
     ROM and will be trivially searchable in the coming decades
  + the 100% traceability of public postings to UseNet and
     other bulletin boards is very stifling to free expression
     and becomes one of the main justifications for the use of
     anonymous (or pseudononymous) boards and nets
    - there may be calls for laws against such compilation, as
       with the British data laws, but basically there is little
       that can be done when postings go to tens of thousands of
       machines and are archived in perpetuity by many of these
       nodes and by thousands of readers
    - readers who may incorporate the material into their own
       postings, etc. (hence the absurdity of the British law)
8.4.19. Avoiding political espionage
  + TLAs in many countries monitor nearly all international
     communications (and a lot of domestic communications, too)
    - companies and individuals may wish to avoid reprisals,
       sanctions, etc.
    - PGP is reported to be in use by several dissident groups,
       and several Cypherpunks are involved in assisting them.
    - "...one legitimate application is to allow international
       political groups or companies to exchange authenticated
       messages without being subjected to the risk of
       espionage/compromise by a three letter US agency, foreign
       intelligence agency, or third party." [Sean M. Dougherty,
       alt.privacy.anon-server, 1994-09-07]
8.4.20. Controversial political discussion, or membership in
   political groups, mailing lists, etc.
  + Recall House UnAmerican Activities Committee
    - and it's modern variant: "Are you now, or have you ever
       been, a Cypherpunk?"
8.4.21. Preventing Stalking and Harassment
  - avoid physical tracing (harassment, "wannafucks," stalkers,
     etc.)
  - women and others are often sent "wannafuck?" messages from
     the males that outnumber them 20-to-1 in many newsgroups--
     pseudonyms help.
  - given the ease with which net I.D.s can be converted to
     physical location information, many women may be worried.
  + males can be concerned as well, given the death threats
     issued by, for example, S. Boxx/Detweiler.
    - as it happens, S. Boxx threatened me, and I make my home
       phone number and location readily known...but then I'm
       armed and ready.
8.4.22. pressure relief valve: knowing one can flee or head for the
   frontier and not be burdened with a past
  - perhaps high rate of recidivism is correlated with this
     inability to escape...once a con, marked for life
     (certainly denied access to high-paying jobs)
8.4.23. preclude lawsuits, subpoenas, entanglement in the legal
   machinery
8.4.24. Business Reasons
  + Corporations can order supplies, information, without
     tipping their hand
    - the Disney purchase of land, via anonymous cutouts (to
       avoid driving the price way up)
    - secret ingredients (apocryphally, Coca Cola)
  - avoiding the "deep pockets" syndrome mentioned above
  - to beat zoning and licensing requirements (e.g., a certain
     type of business may not be "permitted" in a home office,
     so the homeowner will have to use cutouts to hide from
     enforcers)
  - protection from (and to) employers
  + employees of corporations may have to do more than just
     claim their view are not those of their employer
    - e.g., a racist post could expose IBM to sanctions,
       charges
    + thus, many employees may have to further insulate their
       identities
      - blanc@microsoft.com is now
         blanc@pylon.com...coincidence?
  + moonlighting employees (the original concern over Black Net
     and AMIX)
    - employers may have all kinds of concerns, hence the need
       for employees to hide their identities
    - note that this interects with the licensing and zoning
       aspects
  - publishers, service-prividers
  + Needed for Certain Kinds of Reputation-Based Systems
    + a respected scientist may wish to float a speculative
       idea
      - and be able to later prove it was in fact his idea
8.4.25. Protection against retaliation
  - whistleblowing
  + organizing boycotts
    - (in an era of laws regulating free speech, and "SLAPP"
       lawsuits)
  + the visa folks (Cantwell and Siegel) threatening those who
     comment with suits
    - the law firm that posted to 5,000 groups....also raises
       the issue again of why the Net should be subsidized
  - participating in public forums
  + as one person threatened with a lawsuit over his Usenet
     comments put it:
    - "And now they are threatening me. Merely because I openly
       expressed my views on their extremely irresponsible
       behaviour. Anyways, I have already cancelled the article
       from my site and I publicly appologize for posting it in
       the first place. I am scared :) I take all my words back.
       Will use the anonymous service next time :)"
8.4.26. Preventing Tracking, Surveillance, Dossier Society
  + avoiding dossiers in general
    - too many dossiers being kept; anonymity allows people to
       at least hold back the tide a bit
  + headhunting, job searching, where revealing one's identity
     is not always a good idea
    - some headhunters are working for one's current employer!
    - dossiers
8.4.27. Some Examples from the Cypherpunks List
  + S, Boxx, aka Sue D. Nym, Pablo Escobar, The Executioner,
     and an12070
    - but Lawrence Detweiler by any other name
    + he let slip his pseudonym-true name links in several ways
      - stylistic cues
      - mention of things only the "other" was likely to have
         heard
      + sysops acknowledged certain linkings
        - *not* Julf, though Julf presumably knew the identity
           of "an12070"
  + Pr0duct Cypher
    - Jason Burrell points out: "Take Pr0duct Cypher, for
       example. Many believe that what (s)he's doing(*) is a
       Good Thing, and I've seen him/her using the Cypherpunk
       remailers to conceal his/her identity....* If you don't
       know, (s)he's the person who wrote PGPTOOLS, and a hack
       for PGP 2.3a to decrypt messages written with 2.6. I
       assume (s)he's doing it anonymously due to ITAR
       regulations." [J.B., 1994-09-05]
  + Black Unicorn
    - Is the pseudonym of a Washington, D.C. lawyer (I think),
       who has business ties to conservative bankers and
       businessmen in Europe, especially Liechtenstein and
       Switzerland. His involvement with the Cypherpunks group
       caused him to adopt this pseudonym.
    - Ironically, he got into a battle with S. Boxx/Detweiler
       and threated legal action. This cause a rather
       instructive debate to occur.

8.5 - Untraceable E-Mail
 8.5.1. The Basic Idea of Remailers
  - Messages are encrypted, envelopes within envelopes, thus
     making tracing based on external appearance impossible. If
     the remailer nodes keep the mapping between inputs and
     outputs secret, the "trail" is lost.
 8.5.2. Why is untraceable mail so important?
  + Bear in mind that "untraceable mail" is the default
     situation for ordinary mail, where one seals an envelope,
     applies a stamp, and drops it anonymously in a letterbox.
     No records are kept, no return address is required (or
     confirmed), etc.
    - regional postmark shows general area, but not source
       mailbox
    + Many of us believe that the current system of anonymous
       mail would not be "allowed" if introduced today for the
       first time
      - Postal Service would demand personalized stamps,
         verifiable return addresses, etc. (not foolproof, or
         secure, but...)
  + Reasons:
    - to prevent dossiers of who is contacting whom from being
       compiled
    - to make contacts a personal matter
    - many actual uses: maintaining pseudonyms, anonymous
       contracts, protecting business dealings, etc.
 8.5.3. How do Cypherpunks remailers work?
 8.5.4. How, in simple terms, can I send anonymous mail?
 8.5.5. Chaum's Digital Mixes
  - How do digital mixes work?
 8.5.6. "Are today's remailers secure against traffic analysis?"
  - Mostly not. Many key digital mix features are missing, and
     the gaps can be exploited.
  + Depends on features used:
    - Reordering (e.g., 10 messages in, 10 messages out)
    - Quantization to fixed sizes (else different sizes give
       clues)
    - Encryption at all stages (up to the customer, of course)
  - But probably not, given that current remailers often lack
     necessary features to deter traffic analysis. Padding is
     iffy, batching is often not done at all (people cherish
     speed, and often downcheck remailers that are "too slow")
  - Best to view today's remailers as experiments, as
     prototypes.

8.6 - Remailers and Digital Mixes (A Large Section!)
 8.6.1.  What are remailers?
 8.6.2. Cypherpunks remailers compared to Julf's
  + Apparently long delays are mounting at the penet remailer.
     Complaints about week-long delays, answered by:
    - "Well, nobody is stopping you from using the excellent
       series of cypherpunk remailers, starting with one at
       remail@vox.hacktic.nl. These remailers beat the hell out
       of anon.penet.fi. Either same day or at worst next day
       service, PGP encryption allowed, chaining, and gateways
       to USENET." [Mark Terka, The normal delay for
       anon.penet.fi?, alt.privacy.anon-server, 1994-08-19]
  + "How large is the load on Julf's remailer?"
    - "I spoke to Julf recently and what he really needs is
       $750/month and one off $5000 to upgrade his feed/machine.
       I em looking at the possibility of sponsorship (but don't
       let that stop other people trying).....Julf has buuilt up
       a loyal, trusting following of over 100,000 people and
       6000 messages/day. Upgrading him seems a good
       idea.....Yes, there are other remailers. Let's use them
       if we can and lessen the load on Julf." [Steve Harris,
       alt.privacy.anon-server, 1994-08-22]
    - (Now if the deman on Julf's remailer is this high, seems
       like a great chance to deploy some sort of fee-based
       system, to pay for further expansion. No doubt many of
       the users would drop off, but such is the nature of
       business.)
 8.6.3. "How do remailers work?"
  - (The MFAQ also has some answers.)
  - Simply, they work by taking an incoming text block and
     looking for instructions on where to send the remaining
     text block, and what to do with it (decryption, delays,
     postage, etc.)
  + Some remailers can process the Unix mail program(s) outputs
     directly, operating on the mail headers
    - names of programs...
  + I think the "::" format Eric Hughes came up with in his
     first few days of looking at this turned out to be a real
     win (perhaps comparable to John McCarthy's decision to use
     parenthesized s-expressions in Lisp?).
    - it allows arbitary chaining, and all mail messages that
       have text in standard ASCII--which is all mailers, I
       believe--can then use the Cypherpunks remailers
 8.6.4. "What are some uses of remailers?"
  - Thi is mostly answered in other sections, outlining the
     uses of anonymity and digital pseudonyms:  remailers are of
     course the enabling technology for anonymity.
  + using remailers to foil traffic analysis
    - An interesting comment from someone not part of our
       group, in a discussion of proposal to disconnect U.K.
       computers from Usenet (because of British laws about
       libel, about pornography, and such): "PGP hides the
       target. The remailers discard the source info. THe more
       paranoid remailers introduce a random delay on resending
       to foil traffic analysis. You'd be suprised what can be
       done :-).....If you use a chain then the first remailer
       knows who you are but the destination is encrypted. The
       last remailer knows the destination but cannot know the
       source. Intermediate ones know neither."  [Malcolm
       McMahon, JANET (UK) to ban USENET?, comp.org.eff.talk,
       1994-08-30]
    - So, word is spreading. Note the emphasis on Cyphepunks-
       type remailers, as opposed to Julf-style anonymous
       services.
  + options for distributing anonymous messages
    + via remailers
      - the conventional approach
      - upsides: recipient need not do anything special
      - downsides: that's it--recipient may not welcome the
         message
    + to a newsgroup
      - a kind of message pool
      - upsides: worldwide dist
    - to an ftp site, or Web-reachable site
    - a mailing list
 8.6.5. "Why are remailers needed?"
  + Hal Finney summarized the reasons nicely in an answer back
     in early 1993.
    - "There are several different advantages provided by
       anonymous remailers. One of the simplest and least
       controversial would be to defeat traffic analysis on
       ordinary email.....Two people who wish to communicate
       privately can use PGP or some other encryption system to
       hide the content of their messages.  But the fact that
       they are communicating with each other is still visible
       to many people: sysops at their sites and possibly at
       intervening sites, as well as various net snoopers.  It
       would be natural for them to desire an additional amount
       of privacy which would disguise who they were
       communicating with as well as what they were saying.
       
       "Anonymous remailers make this possible.  By forwarding
       mail between themselves through remailers, while still
       identifying themselves in the (encrypted) message
       contents, they have even more communications privacy than
       with simple encryption.
       
       "(The Cypherpunk vision includes a world in which
       literally hundreds or thousands of such remailers
       operate.  Mail could be bounced through dozens of these
       services, mixing in with tens of thousands of other
       messages, re-encrypted at each step of the way.  This
       should make traffic analysis virtually impossible.  By
       sending periodic dummy messages which just get swallowed
       up at some step, people can even disguise _when_ they are
       communicating.)" [Hal Finney, 1993-02-23]
       
       "The more controversial vision associated with anonymous
       remailers is expressed in such science fiction stories as
       "True Names", by Vernor
       Vinge, or "Ender's Game", by Orson Scott Card.  These
       depict worlds in which computer networks are in
       widespread use, but in which many people choose to
       participate through pseudonyms.  In this way they can
       make unpopular arguments or participate in frowned-upon
       transactions without their activities being linked to
       their true identities.  It also allows people to develop
       reputations based on the quality of their ideas, rather
       than their job, wealth, age, or status." [Hal Finney,
       1993-02-23]
  - "Other advantages of this approach include its extension to
     electronic on-line transactions.  Already today many
     records are kept of our financial dealings - each time we
     purchase an item over the phone using a credit card, this
     is recorded by the credit card company.  In time, even more
     of this kind of information may be collected and possibly
     sold. One Cypherpunk vision includes the ability to engage
     in transactions anonymously, using "digital cash", which
     would not be traceable to the participants.  Particularly
     for buying "soft" products, like music, video, and software
     (which all may be deliverable over the net eventually), it
     should be possible to engage in such transactions
     anonymously.  So this is another area where anonymous mail
     is important."  [Hal Finney, 1993-02-23]
 8.6.6. "How do I actually use a remailer?"
  + (Note: Remailer instructions are posted _frequently_. There
     is no way I can keep up to date with them here. Consult the
     various mailing lists and finger sites, or use the Web
     docs, to find the most current instructions, keys, uptimes,
     etc._
    + Raph Levien's finger site is very impressive:
      + Raph Levien has an impressive utility which pings the
         remailers and reports uptime:
        - finger remailer-list@kiwi.cs.berkeley.edu
        - or use the Web at
           http://www.cs.berkeley.edu/~raph/remailer-list.html
        - Raph Levien also has a remailer chaining script at
           ftp://kiwi.cs.berkeley.edu/pub/raph/premail-
           0.20.tar.gz
  + Keys for remailers
    - remailer-list@chaos.bsu.edu (Matthew Ghio maintains)
  + "Why do remailers only operate on headers and not the body
     of a message? Why aren't signatures stripped off by
     remailers?"
    - "The reason to build mailers that faithfully pass on the
       entire body of
       the message, without any kind of alteration, is that it
       permits you to
       send ANY body through that mailer and rely on its
       faithful arrival at the
       destination." [John Gilmore, 93-01-01]
    - The "::" special form is an exception
    - Signature blocks at the end of message bodies
       specifically should _not_ be stripped, even though this
       can cause security breaches if they are accidentally left
       in when not intended. Attempting to strip sigs, which
       come in many flavors, would be a nightmare and could
       strip other stuff, too. Besides, some people may want a
       sig attached, even to an encrypted message.
    - As usual, anyone is of course free to have a remailer
       which munges message bodies as it sees fit, but  I expect
       such remailers will lose customers.
    - Another possibility is another special form, such as
       "::End", that could be used to delimit the block to be
       remailed. But it'll be hard getting such a "frill"
       accepted.
  + "How do remailers handle subject lines?"
    - In various ways. Some ignore it, some preserve it, some
       even can accept instructions to create a new subject line
       (perhaps in the last remailer).
    - There are reasons not to have a subject line propagated
       through a chain of remailers: it tags the message and
       hence makes traffic analysis trivial. But there are also
       reasons to have a subject line--makes it easier on the
       recipient--and so these schemes to add a subject line
       exist.
  + "Can nicknames or aliases be used with the Cypherpunks
     remailers?"
    - Certainly digitally signed IDs are used (Pr0duct Cypher,
       for example), but not nicknames preserved in fields in
       the remailing and mail-to-Usenet gateways.
    - This could perhaps be added to the remailers, as an extra
       field. (I've heard the mail fields are more tolerant of
       added stuff than the Netnews fields are, making mail-to-
       News gateways lose the extra fields.)
    + Some remailer sites support them
      - "If you want an alias assigned at vox.hacktic.nl, one -
         only- needs to send some empty mail to
          and the adress the mail was send
         from will be inculded in the data-base.....Since
         vox.hacktic.nl is on a UUCP node the reply can take
         some time, usually something like 8 to 12 hours."[Alex
         de Joode, , 1994-08-29]
  + "What do remailers do with the various portions of
     messages? Do they send stuff included after an encrypted
     block? Should they? What about headers?"
    + There are clearly lots of approaches that may be taken:
      - Send everything as is, leaving it up to the sender to
         ensure that nothing incriminating is left
      - Make certain choices
    - I favor sending everything, unless specifically told not
       to, as this makes fewer assumptions about the intended
       form of the message and thus allows more flexibility in
       designing new functions.
    + For example, this is what Matthew Ghio had to to say
       about his remailer:
      - "Everything after the encrypted message gets passed
         along in the clear. If you don't want this, you can
         remove it using the cutmarks feature with my remailer.
         (Also, remail@extropia.wimsey.com doesn't append the
         text after the encrypted message.)  The reason for this
         is that it allows anonymous replies.  I can create a
         pgp message for a remailer which will be delivered to
         myself.  I send you the PGP message, you append some
         text to it, and send it to the remailer.  The remailer
         decrypts it and remails it to me, and I get your
         message. [M.G., alt.privacy.anon-server, 1994-07-03]
 8.6.7. Remailer Sites
  - There is no central administrator of sites, of course, so a
     variety of tools are the best ways to develop one's own
     list of sites. (Many of us, I suspect, simply settle on a
     dozen or so of our favorites. This will change as hundreds
     of remailers appear; of course, various scripting programs
     will be used to generate the trajectories, handled the
     nested encryption, etc.)
  - The newsgroups alt.privacy.anon-server, alt.security.pgp,
     etc. often report on the latest sites, tools, etc.
  + Software for Remailers
    + Software to run a remailer site can be found at:
      - soda.csua.berkeley.edu in /pub/cypherpunks/remailer/
      -  chaos.bsu.edu in  /pub/cypherpunks/remailer/
  + Instructions for Using Remailers and Keyservers
    + on how to use keyservers
      - "If you have access to the World Wide Web, see this
         URL: http://draco.centerline.com:8080/~franl/pgp/pgp-
         keyservers.html" [Fran Litterio, alt.security.pgp, 1994-
         09-02]
  + Identifying Remailer Sites
    + finger  remailer-list@chaos.bsu.edu
      - returns a list of active remailers
      - for more complete information, keys, and instructions,
         finger remailer.help.all@chaos.bsu.edu
      - gopher://chaos.bsu.edu/
    + Raph Levien has an impressive utility which pings the
       remailers and reports uptime:
      - finger remailer-list@kiwi.cs.berkeley.edu
      - or use the Web at
         http://www.cs.berkeley.edu/~raph/remailer-list.html
      - Raph Levien also has a remailer chaining script at
         ftp://kiwi.cs.berkeley.edu/pub/raph/premail-0.20.tar.gz
  + Remailer pinging
    - "I have written and installed a remailer pinging script
       which
       collects detailed information about remailer features and
       reliability.
       
          To use it, just finger remailer-
       list@kiwi.cs.berkeley.edu
       
       There is also a Web version of the same information, at:
       http://www.cs.berkeley.edu/~raph/remailer-list.html"
       [Raph Levien, 1994-08-29]
  + Sites which are down??
    - tamsun.tamu.edu and tamaix.tamu.edu
 8.6.8. "How do I set up a remailer at my site?"
  - This is not something for the casual user, but is certainly
     possible.
  - "Would someone be able to help me install the remailer
     scripts from the archives?  I have no Unix experience and
     have *no* idea where to begin.  I don't even know if root
     access is needed for these.  Any help would be
     appreciated." [Robert Luscombe, 93-04-28]
  - Sameer Parekh, Matthew Ghio, Raph Levien have all written
     instructions....
 8.6.9. "How are most Cypherpunks remailers written, and with what
   tools?"
  - as scripts which manipulate the mail files, replacing
     headers, etc.
  - Perl, C, TCL
  - "The cypherpunks remailers have been written in Perl, which
     facilitates experimenting and testing of new interfaces.
     The idea might be to migrate them to C eventually for
     efficiency, but during this experimental phase we may want
     to try out new ideas, and it's easier to modify a Perl
     script than a C program." [Hal Finney, 93-01-09]
  - "I do appreciate the cypherpunks stuff, but perl is still
     not a very
     widely used standard tool, and not everyone of us want to
     learn the
     ins and outs of yet another language...  So I do applaud
     the C
     version..." [Johan Helsingius, "Julf," 93-01-09]
8.6.10. Dealing with Remailer Abuse
  + The Hot Potato
    - a remailer who is being used very heavily, or suspects
       abuse, may choose to distribute his load to other
       remailers. Generally, he can instead of remailing to the
       next site, add sites of his own choosing. Thus, he can
       both reduce the spotlight on him and also increase cover
       traffic by scattering some percentage of his traffic to
       other sites (it never reduces his traffic, just lessens
       the focus on him).
  + Flooding attacks
    - denial of service attacks
    - like blowing whistles at sports events, to confuse the
       action
    - DC-Nets, disruption (disruptionf of DC-Nets by flooding
       is a very similar problem to disruption of remailers by
       mail bombs)
  + "How can remailers deal with abuse?"
    - Several remailer operators have shut down their
       remailers, either because they got tired of dealing with
       the problems, or because others ordered them to.
    - Source level blocking
    - Paid messages: at least this makes the abusers _pay_  and
       stops certain kinds of spamming/bombing attacks.
    - Disrupters are dealt with in anonymous ways in Chaum's DC-
       Net schemes; there may be a way to use this here.
  + Karl Kleinpaste was a pioneer (circa 1991-2) of remailers.
     He has become disenchanted:
    - "There are 3 sites out there which have my software:
       anon.penet.fi, tygra, and uiuc.edu.  I have philosophical
       disagreement with the "universal reach" policy of
       anon.penet.fi (whose code is now a long-detached strain
       from the original software I gave Julf -- indeed, by now
       it may be a complete rewrite, I simply don't know);
       ....Very bluntly, having tried to run anon servers twice,
       and having had both go down due to actual legal
       difficulties, I don't trust people with them any more."
       [Karl_Kleinpaste@cs.cmu.edu, alt.privacy.anon-server,
       1994-08-29]
    - see discussions in alt.privacy.anon-server for more on
       his legal problems with remailers, and why he shut his
       down
8.6.11. Generations of Remailers
  + First Generation Remailer Characteristics--Now (since 1992)
    - Perl scripts, simple processing of headers, crypto
  + Second Generation Remailer Characteristics--Maybe 1994
    - digital postage of some form (perhaps simple coupons or
       "stamps")
    - more flexible handling of exceptions
    - mail objects can tell remailer what settings to use
       (delays, latency, etc.(
  + Third Generation Remailer Characteristics--1995-7?
    - protocol negotiation
    + Chaum-like "mix" characteristics
      - tamper-resistant modules (remailer software runs in a
         sealed environment, not visible to operator)
  + Fourth Generation Remailer Characteristics--1996-9?
    - Who knows?
    - Agent-based (Telescript?)
    - DC-Net-based
8.6.12. Remailer identity escrow
  + could have some uses...
    - what incentives would anyone have?
    - recipients could source-block any remailer that did not
       have some means of coping with serious abuse...a perfect
       free market solution
  - could also be mandated
8.6.13. Remailer Features
  + There are dozens of proposed variations, tricks, and
     methods which may or may not add to overall remailer
     security (entropy, confusion). These are often discussed on
     the list, one at a time. Some of them are:
    + Using one's self as a remailer node. Route traffic back
       through one's own system.
      - even if all other systems are compromised...
    - Random delays, over and above what is needed to meet
       reordering requirements
    - MIRVing, sending a packet out in multiple pieces
    - Encryption is of course a primary feature.
    + Digital postage.
      - Not so much a feature as an incentive/inducement to get
         more remailers and support them better.
  + "What are features of a remailer network?"
    - A vast number of features have been considered; some are
       derivative of other, more basic features (e.g., "random
       delays" is not a basic feature, but is one proposed way
       of achieving "reordering," which is what is really
       needed. And "reordering" is just the way to achieve
       "decorrelation" of incoming and outgoing messages).
    + The "Ideal Mix" is worth considering, just as the "ideal
       op amp" is studied by engineers, regardless of whether
       one can ever be built.
      - a black box that decorrelates incoming and outgoing
         packets to some level of diffusion
      - tamper-proof, in that outside world cannot see the
         internal process of decorrelation (Chaum envisioned
         tamper-resistant or tamper-responding circuits doing
         the decorrelation)
    + Features of Real-World Mixes:
      + Decorrelation of incoming and outgoing messages. This
         is the most basic feature of any mix or remailer:
         obscuring the relationship between any message entering
         the mix and any message leaving the mix. How this is
         achieve is what most of the features here are all
         about.
        - "Diffusion" is achieved by batching or delaying
           (danger: low-volume traffic defeats simple, fixed
           delays)
        - For example, in some time period, 20 messages enter a
           node. Then 20 or so (could be less, could be
           more...there is no reason not to add messages, or
           throw away some) messages leave.
      + Encryption should be supported, else the decorrelation
         is easily defeated by simple inspection of packets.
        - public key encryption, clearly, is preferred (else
           the keys are available outside)
        - forward encryption, using D-H approaches, is a useful
           idea to explore, with keys discarded after
           transmission....thus making subpoenas problematic
           (this has been used with secure phones, for example).
      + Quanitzed packet sizes. Obviously the size of a packet
         (e.g., 3137 bytes) is a strong cue as to message
         identity. Quantizing to a fixed size destroys this cue.
        + But since some messages may be small, and some large,
           a practical compromise is perhaps to quantize to one
           of several standards:
          - small messages, e.g., 5K
          - medium messages, e.g., 20K
          - large messages....handled somehow (perhaps split
             up, etc.)
        - More analysis is needed.
      + Reputation and Service
        - How long in business?
        - Logging policy? Are messages logged?
        - the expectation of operating as stated
  + The Basic Goals of Remailer Use
    + decorrelation of ingoing and outgoing messages
      - indistinguishability
      + "remailed messages have no hair" (apologies to the
         black hole fans out there)
        - no distinguishing charateristics that can be used to
           make correlations
        - no "memory" of previous appearance
    + this means message size padding to quantized sizes,
       typically
      - how many distinct sizes depends on a lot fo things,
         like traffic, the sizes of other messages, etc.
  + Encryption, of course
    - PGP
    - otherwise, messages are trivially distinguishable
  + Quantization or Padding: Messages
    - padded  to standard sizes, or dithered in size to obscure
       oringinal size. For example, 2K for typical short
       messages, 5K for typical Usenet articles, and 20K for
       long articles. (Messages much longer are hard to hide in
       a sea of much shorter messages, but other possibilities
       exist: delaying the long messages until N other long
       messages have been accumulated, splitting the messages
       into smaller chunks, etc.)
    + "What are the quanta for remailers? That is, what are the
       preferred packet sizes for remailed messages?"
      - In the short term, now, the remailed packet sizes are
         pretty much what they started out to be, e.g, 3-6KB or
         so. Some remailers can pad to quantized levels, e.g.,
         to 5K or 10K or more. The levels have not been settled
         on.
      - In the long term, I suspect much smaller packets will
         be selected. Perhaps at the granularity of ATM packets.
         "ATM Remailers" are likely to be coming. (This changes
         the nature of traffic analyis a bit, as the _number_ of
         remailed packets increases.
      - A dissenting argument: ATM networks don't give sender
         the control over packets...
      - Whatever, I think packets will get smaller, not larger.
         Interesting issues.
    - "Based on Hal's numbers, I would suggest a reasonable
       quantization for message sizes be a short set of
       geometrically increasing values, namely, 1K, 4K, 16K,
       64K.  In retrospect, this seems like the obvious
       quantization, and not arithmetic progressions." [Eric
       Hughes, 1994-08-29]
    - (Eudora chokes at 32K, and so splits messages at about
       25K, to leave room for comments without further
       splitting. Such practical considerations may be important
       to consider.)
  + Return Mail
    - A complicated issue. May have no simple solution.
    + Approaches:
      - Post encrypted message to a pool. Sender (who provided
         the key to use) is able to retrieve anonymously by the
         nature of pools and/or public posting.
      + Return envelopes, using some kind of procedure to
         ensure anonymity. Since software is by nature never
         secure (can always be taken apart), the issues are
         complicated. The security may be gotten by arranging
         with the remailers in the return path to do certain
         things to certain messages.
        - sender sends instructions to remailers on how to
           treat messages of certain types
        - the recipient who is replying cannot deduce the
           identity, because he has no access to the
           instructions the remailers have.
        - Think of this as Alice sending to Bob sending to
           Charles....sending to Zeke. Zeke sends a reply back
           to Yancy, who has instructions to send this back to
           Xavier, and so on back up the chain. Only if Bob,
           Charles, ..., Yancy collude, can the mapping in the
           reverse direction be deduced.
        - Are these schemes complicated? Yes. But so are lot of
           other protocols, such as getting fonts from a screen
           to a laser printer
  + Reordering of Messages is Crucial
    + latency or fanout in remailers
      + much more important than "delay"
        - do some calculations!
        + the canard about "latency" or delay keeps coming up
          - a "delay" of X is neither necessary nor sufficient
             to achieve reordering (think about it)
      - essential for removing time correlation information,
         for removing a "distinguishing mark" ("ideal remailed
         messages have no hair")
  + The importance of pay as you go, digital postage
    + standard market issues
      - markets are how scarece resources are allocated
    - reduces spamming, overloading, bombing
    - congestion pricing
    - incentives for improvement
    + feedback mechanisms
      - in the same way the restaurants see impacts quickly
    - applies to other crypto uses besides remailers
  + Miscellaneous
    - by having one's own nodes, further ensures security
       (true, the conspiring of all other nodes can cause
       traceability, but such a conspiracy is costly and would
       be revealed)
    + the "public posting" idea is very attractive: at no point
       does the last node know who the next node will be...all
       he knows is a public key for that node
      + so how does the next node in line get the message,
         short of reading all messages?
        - first, security is not much compromised by sorting
           the public postings by some kind of order set by the
           header (e.g., "Fred" is shorthand for some long P-K,
           and hence the recipient knows to look in the
           Fs...obviously he reads more than just the Fs)
    + outgoing messages can be "broadcast" (sent to many nodes,
       either by a literal broadcast or public posting, or by
       randomly picking many nodes)
      - this "blackboard" system means no point to point
         communication is needed
    + Timed-release strategies
      + encrypt and then release the key later
        - "innocuously" (how?)
        - through a remailing service
        - DC-Net
        - via an escrow service or a lawyer (but can the lawyer
           get into hot water for releasing the key to
           controversial data?)
        - with a series of such releases, the key can be
           "diffused"
        - some companies may specialize in timed-release, such
           as by offering a P-K with the private key to be
           released some time later
      - in an ecology of cryptoid entities, this will increase
         the degrees of freedom
      + this reduces the legal liability of
         retransmitters...they can accurately claim that they
         were only passing data, that there was no way they
         could know the content of the packets
        - of course they can already claim this, due to the
           encrypted nature
    + One-Shot Remailers
      - "You can get an anonymous address from
         mg5n+getid@andrew.cmu.edu. Each time you request an
         anon address, you get a different one.  You can get as
         many as you like.  The addresses don't expire, however,
         so maybe it's not the ideal 'one-shot' system, but it
         allows replies without connecting you to your 'real
         name/address' or to any of your other posts/nyms." [
         Matthew Ghio, 1994-04-07]
8.6.14. Things Needed in Remailers
  + return receipts
    - Rick Busdiecker notes that "The idea of a Return-Receipt-
       To: field has been around for a while, but the semantics
       have never been pinned down.  Some mailer daemons
       generate replies meaning that the bits were delivered."
       [R.B., 1994-08-08]
  + special handling instructions
    - agents, daemons
    - negotiated procedures
  + digital postage
    - of paramount importance!
    - solves many problems, and incentivizes remailers
  + padding
    + padding to fixed sizes
      - padding to fixed powers of 2 would increase the average
         message size by about a third
  - lots of remailers
  - multiple jursidictions
  - robustness and consistency
  + running in secure hardware
    - no logs
    - no monitoring by operator
    - wipe of all temp files
  - instantiated quickly, fluidly
  - better randomization of remailers
8.6.15. Miscellaneous Aspects of Remailers
  + "How many remailer nodes are actually needed?"
    - We strive to get as many as possible, to distribute the
       process to many jurisdictions and with many opeators.
    - Curiously, as much theoretical diffusivity can occur with
       a single remailer (taking in a hundred messages and
       sending out a hundred, for example) as with many
       remailers. Our intuition is, I think, that many remailers
       offer better diffusivity and better hiding. Why this is
       so (if it is) needs more careful thinking than I've seen
       done so far.
    - At a meta-level, we think multiple remailers lessens the
       chance of them being compromised (this, however, is not
       directly related to the diffusivity of a remailer network-
       -important, but not directly related).
    - (By the way, a kind of sneaky idea is to try to always
       declare one's self to be a remailer. If messages were
       somehow traced back to one's own machine, one could
       claim: 'Yes, I'm a remailer." In principle, one could be
       the only remailer in the universe and still have high
       enough diffusion and confusion. In practice, being the
       only remailer would be pretty dangerous.)
    + Diffusion and confusion in remailer networks
      + Consider a single node, with a message entering, and
         two messages leaving; this is essentially the smallest
         "remailer op"
        - From a proof point of view, either outgoing message
           could be the one
        - and yet neither one can be proved to be
      - Now imagine those two messages being sent through 10
         remailers...no additional confusion is added...why?
      - So, with 10 messages gong into a chain of 10 remailers,
         if 10 leave...
      - The practical effect of N remailers is to ensure that
         compromise of some fraction of them doesn't destroy
         overall security
  + "What do remailers do with misaddressed mail?"
    - Depends on the site. Some operators send notes back
       (which itself causes concern), some just discard
       defective mail. This is a fluid area. At least one
       remailer (wimsey) can post error messages to a message
       pool--this idea can be generalized to provide "delivery
       receipts" and other feedback.
    - Ideal mixes, a la Chaum, would presumably discard
       improperly-formed mail, although agents might exist to
       prescreen mail (not mandatory agents, of course, but
       voluntarily-selected agents)
    - As in so many areas, legislation is not needed, just
       announcement of policies, choice by customers, and the
       reputation of the remailer.
    - A good reason to have robust generation of mail on one's
       own machine, so as to minimize such problems.
  + "Can the NSA monitor remailers? Have they?"
    + Certainly they _can_ in various ways, either by directly
       monitoring Net traffic or indirectly. Whether they _do_
       is unknown.
      - There have been several rumors or forgeries claiming
         that NSA is routinely linking anonymous IDs to real IDs
         at the penet remailer.
      + Cypherpunks remailers are, if used properly, more
         secure in key ways:
        - many of them
        - not used for persistent, assigned IDs
        - support for encryption: incoming and outgoing
           messages look completely unlike
        - batching, padding, etc. supported
    - And properly run remailers will obscure/diffuse the
       connection between incoming and outgoing messages--the
       main point of a remailer!
  + The use of message pools to report remailer errors
    - A good example of how message pools can be used to
       anonymously report things.
    - "The wimsey remailer has an ingenious method of returning
       error messages anonymously.  Specify a subject in the
       message sent to wimsey that will be meaningful to you,
       but won't identify you (like a set of random letters).
       This subject does not appear in the remailed message.
       Then subscribe to the mailing list
       
       errors-request@extropia.wimsey.com
       
       by sending a message with Subject: subscribe.  You will
       receive a msg
       for ALL errors detected in incoming messages and ALL
       bounced messages." [anonymous, 93-08-23]
    - This is of course like reading a classified ad with some
       cryptic message meaningful to you alone. And more
       importantly, untraceable to you.
  + there may be role for different types of remailers
    - those that support encryption, those that don't
    + as many in non-U.S. countries as possible
      - especially for the *last* hop, to avoid subpoena issues
    - first-class remailers which remail to *any* address
    + remailers which only remail to *other remailers*
      - useful for the timid, for those with limited support,
         etc.
    -
  + "Should mail faking be used as part of the remailer
     strategy?"
    - "1. If you fake mail by talking SMTP directly, the IP
       address or domain name of the site making the outgoing
       connection will appear in a Received field in the header
       somewhere."
       
       "2. Fake mail by devious means is generally frowned upon.
       There's no need to take a back-door approach here--it's
       bad politically, as in Internet politics." [Eric Hughes,
       94-01-31]
    - And if mail can really be consistently and robustly
       faked, there would be less need for remailers, right?
       (Actually, still a need, as traffic analysis would likely
       break any "Port 25" faking scheme.)
    - Furthermore, such a strategy would not likely to be
       robust over time, as it relies on exploiting transitory
       flaws and vendor specifics. A bad idea all around.
  + Difficulties in getting anonymous remailer networks widely
     deployed
    - "The tricky part is finding a way to preserve anonymity
       where the majority of sites on the Internet continue to
       log traffic carefully, refuse to install new software
       (especially anon-positive software), and are
       administrated by people with simplistic and outdated
       ideas about identity and punishment. " [Greg Broiles,
       1994-08-08]
  + Remailer challenge: insulating the last leg on a chain from
     prosecution
    + Strategy 1: Get them declared to be common carriers, like
       the phone company or a mail delivery service
      + e.g., we don't prosecute an actual package
         deliveryperson, or even the company they work for, for
         delivery of an illegal package
        - contents assumed to be unknown to the carrier
        - (I've heard claims that only carriers who make other
           agreements to cooperate with law enforcement can be
           treated as common carriers.)
    + Strategy 2: Message pools
      + ftp sites
        - with plans for users to "subscribe to" all new
           messages (thus, monitoring agencies cannot know
           which, if any, messages are being sought)
        - this gets around the complaint about too much volume
           on the Usenet (text messages are a tiny fraction of
           other traffic, especially images, so the complaint is
           only one of potentiality)
    + Strategy 3: Offshore remailers as last leg
      - probably set by sender, who presumably knows the
         destination
    - A large number of "secondary remailers" who agree to
       remail a limited number...
  + "Are we just playing around with remailers and such?"
    - It pains me to say this, but, yes, we are just basically
       playing around here!
    - Remailer traffic is so low, padding is so haphazard, that
       making correlations between inputs and outputs is not
       cryptographically hard to do. (It might _seem_ hard, with
       paper and pencil sorts of calculations, but it'll be
       child's play for the Crays at the Fort.)
    - Even if this is not so for any particular message,
       maintaining a persistent ID--such as Pr0duct Cypher does,
       with digital sigs--without eventually providing enough
       clues will be almost impossible. At this time.
    - Things will get better. Better and more detailed
       "cryptanalysis of remailer chains" is sorely needed.
       Until then, we are indeed just playing. (Play can be
       useful, though.)
  + The "don't give em any hints" principle (for remailers)
    - avoid giving any information
    - dont't say which nodes are sources and which are sinks;
       let attackers assume everyone is a remailer, a source
    - don't say how long a password is
    - don't say how many rounds are in a tit-for-tat tournament

8.7 - Anonymous Posting to Usenet
 8.7.1. Julf's penet system has historically been the main way to
   post anonymously to Usenet (used by no less a luminary than
   L. Detweiler, in his "an12070/S. Boxx" personna). This has
   particulary been the case with postings to "support" groups,
   or emotional distress groups. For example,
   alt.sexual.abuse.recovery.
 8.7.2. Cryptographically secure remailes are now being used
   increasingly (and scaling laws and multiple jurisdictions
   suggest even more will be used in the future).
 8.7.3. finger remailer.help.all@chaos.bsu.edu gives these results
   [as of 1994-09-07--get a current result before using!]
  - "Anonymous postings to usenet can be made by sending
     anonymous mail to one of the following mail-to-usenet
     gateways:
     
     group.name@demon.co.uk
     group.name@news.demon.co.uk
     group.name@bull.com
     group.name@cass.ma02.bull.com
     group.name@undergrad.math.uwaterloo.ca
     group.name@charm.magnus.acs.ohio-state.edu
     group.name@comlab.ox.ac.uk
     group.name@nic.funet.fi
     group.name@cs.dal.ca
     group.name@ug.cs.dal.ca
     group.name@paris.ics.uci.edu (removes headers)
     group.name.usenet@decwrl.dec.com (Preserves all headers)"
     

8.8 - Anonymous Message Pools, Newsgroups, etc.
 8.8.1. "Why do some people use message pools?"
  - Provides untracable communication
  - messages
  - secrets
  - transactions
  + Pr0duct Cypher is a good example of someone who
     communicates primarily via anonymous pools (for messages to
     him). Someone recently asked about this, with this comment:
    - "Pr0duct Cypher chooses to not link his or her "real
       life" identity with the 'nym used to sign the software he
       or she wrote (PGP Tools, Magic Money, ?).  This is quite
       an understandable sentiment, given that bad apples in the
       NSA are willing to go far beyond legal hassling, and make
       death threats against folks with high public visibility
       (see the threads about an NSA agent threatening to run
       Jim Bidzos of RSA over in his parking lot)." [Richard
       Johnson,  alt.security.pgp, 1994-07-02]
 8.8.2. alt.anonymous.messages is one such pool group
  - though it's mainly used for test messages, discussions of
     anonymity (though there are better groups), etc.
 8.8.3. "Could there be truly anonymous newsgroups?"
  - One idea: newgroup a moderated group in which only messages
     sans headers and other identifiers would be accepted. The
     "moderator"--which could be a program--would only post
     messages after this was ensured. (Might be an interesting
     experiment.)
  + alt.anonymous.messages was newgrouped by Rick Busdiecker,
     1994-08.
    - Early uses were, predictably, by people who stumbled
       across the group and imputed to it whatever they wished.

8.9 - Legal Issues with Remailers
 8.9.1. What's the legal status of remailers?
  - There are no laws against it at this time.
  - No laws saying people have to put return addresses on
     messages, on phone calls (pay phones are still legal), etc.
  - And the laws pertaining to not having to produce identity
     (the "flier" case, where leaflet distributors did not have
     to produce ID) would seem to apply to this form of
     communication.
  + However, remailers may come under fire:
    + Sysops, MIT case
      - potentially serious for remailers if the case is
         decided such that the sysop's creation of group that
         was conducive to criminal pirating was itself a
         crime...that could make all  involved in remailers
         culpable
 8.9.2. "Can remailer logs be subpoenaed?"
  - Count on it happening, perhaps very soon. The FBI has been
     subpoenaing e-mail archives for a Netcom customer (Lewis De
     Payne), probably because they think the e-mail will lead
     them to the location of uber-hacker Kevin Mitnick. Had the
     parties used remailers, I'm fairly sure we'd be seeing
     similar subpoenas for the remailer logs.
  - There's no exemption for remailers that I know of!
  + The solutions are obvious, though:
    - use many remailers, to make subpoenaing back through the
       chain very laborious, very expensive, and likely to fail
       (if even one party won't cooperate, or is outside the
       court's jurisdiction, etc.)
    - offshore, multi-jurisdictional remailers (seleted by the
       user)
    - no remailer logs kept...destroy them (no law currently
       says anybody has to keep e-mail records! This may
       change....)
    - "forward secrecy," a la Diffie-Hellman forward secrecy
 8.9.3. How will remailers be harassed, attacked, and challenged?
 8.9.4. "Can pressure be put on remailer operators to reveal traffic
   logs and thereby allow tracing of messages?"
  + For human-operated systems which have logs, sure. This is
     why we want several things in remailers:
    * no logs of messages
    * many remailers
    * multiple legal jurisdictions, e.g., offshore remailers
       (the more the better)
    * hardware implementations which execute instructions
       flawlessly (Chaum's digital mix)
 8.9.5. Calls for limits on anonymity
  + Kids and the net will cause many to call for limits on
     nets, on anonymity, etc.
    - "But there's a dark side to this exciting phenomenon, one
       that's too rarely understood by computer novices.
       Because they
       offer instant access to others, and considerable
       anonymity to
       participants, the services make it possible for people -
       especially computer-literate kids - to find themselves in
       unpleasant, sexually explicit social situations....  And
       I've gradually
       come to adopt the view, which will be controversial among
       many online
       users, that the use of nicknames and other forms of
       anonymity
       must be eliminated or severly curbed to force people
       online into
       at least as much accountability for their words and
       actions as
       exists in real social encounters." [Walter S. Mossberg,
       Wall Street Journal, 6/30/94, provided by Brad Dolan]
    - Eli Brandt came up with a good response to this: "The
       sound-bite response to this: do you want your child's
       name, home address, and phone number available to all
       those lurking pedophiles worldwide?  Responsible parents
       encourage their children to use remailers."
  - Supreme Court said that identity of handbill distributors
     need not be disclosed, and pseudonyms in general has a long
     and noble tradition
  - BBS operators have First Amendment protections (e.g..
     registration requirements would be tossed out, exactly as
     if registration of newspapers were to be attempted)
 8.9.6. Remailers and Choice of Jurisdictions
  - The intended target of a remailed message, and the subject
     material, may well influence the set of remailers used,
     especially for the very important "last remailer' (Note: it
     should never be necessary to tell remailers if they are
     first, last, or others, but the last remailer may in fact
     be able to tell he's the last...if the message is in
     plaintext to the recipient, with no additional remailer
     commands embedded, for example.)
  - A message involving child pornography might have a remailer
     site located in a state like Denmark, where child porn laws
     are less restrictive. And a message critical of Islam might
     not be best sent through a final remailer in Teheran. Eric
     Hughes has dubbed this "regulatory arbitrage," and to
     various extents it is already common practice.
  - Of course, the sender picks the remailer chain, so these
     common sense notions may not be followed. Nothing is
     perfect, and customs will evolve. I can imagine schemes
     developing for choosing customers--a remailer might not
     accept as a customer certain abusers, based on digital
     pseudonyms < hairy).
 8.9.7. Possible legal steps to limit the use of remailers and
   anonymous systems
  - hold the remailer liable for content, i.e., no common
     carrier status
  - insert provisions into the various "anti-hacking" laws to
     criminalize anonymous posts
 8.9.8. Crypto and remailers can be used to protect groups from "deep
   pockets" lawsuits
  - products (esp. software) can be sold "as is," or with
     contracts backed up by escrow services (code kept in an
     escrow repository, or money kept there to back up
     committments)
  + jurisdictions, legal and tax, cannot do "reach backs" which
     expose the groups to more than they agreed to
    - as is so often the case with corporations in the real
       world, which are taxed and fined for various purposes
       (asbestos, etc.)
  - (For those who panic at the thought of this, the remedy for
     the cautious will be to arrange contracts with the right
     entities...probably paying more for less product.)
 8.9.9. Could anonymous remailers be used to entrap people, or to
   gather information for investigations?
  - First, there are so few current remailers that this is
     unlikely. Julf seems a non-narc type, and he is located in
     Finland. The Cypherpunks remailers are mostly run by folks
     like us, for now.
  - However, such stings and set-ups have been used in the past
     by narcs and "red squads." Expect the worse from Mr.
     Policeman. Now that evil hackers are identified as hazards,
     expect moves in this direction. "Cryps" are obviously
     "crack" dealers.
  - But use of encryption, which CP remailers support (Julf's
     does not), makes this essentially moot.

8.10 - Cryptanalysis of Remailer Networks
8.10.1. The Need for More Detailed Analysis of Mixes and Remailers
  + "Have remailer systems been adequately cryptanalyzed?"
    - Not in my opinion, no. Few calculations have been done,
       just mostly some estimates about how much "confusion" has
       been created by the remailer nodes.
    - But thinking that a lot of complication and messiness
       makes a strong crypto system is a basic mistake...sort of
       like thinking an Enigma rotor machine makes a good cipher
       system, by today's standards, just because millions of
       combinations of pathways through the rotor system are
       possible. Not so.
  + Deducing Patterns in Traffic and Deducing Nyms
    - The main lesson of mathematical cryptology has been that
       seemingly random things can actually be shown to have
       structure. This is what cryptanalysis is all about.
    - The same situation applies to "seemingly random" message
       traffic, in digital mixes, telephone networks, etc.
       "Cryptanalysis of remailers" is of course possible,
       depending on the underlying model. (Actually, it's always
       possible, it just may not yield anything, as with
       cryptanalysis of ciphers.)
    + on the time correlation in remailer cryptanalysis
      - imagine Alice and Bob communicating through
         remailers...an observer, unable to follow specific
         messages through the remailers, could still notice
         pairwise correlations between messages sent and
         received by these two
      + like time correlations between events, even if the
         intervening path or events are jumbled
        - e.g., if within a few hours of every submarine's
           departure from Holy Loch a call is placed to Moscow,
           one may make draw certain conclusions about who is a
           Russian spy, regardless of not knowing the
           intermediate paths
        - or, closer to home, correlating withdrawals from one
           bank to deposits in another, even if the intervening
           transfers are jumbled
      + just because it seems "random" does not mean it is
        - Scott Collins speculates that a "dynamic Markov
           compressor" could discern or uncover the non-
           randomness in remailer uses
  - Cryptanalysis of remailers has been woefully lacking. A
     huge fraction of posts about remailer improvements make
     hand-waving arguments about the need for more traffic,
     longer delays, etc. (I'm not pointing fingers, as I make
     the same informal, qualitative comments, too. What is
     needed is a rigorous analysis of remailer security.)
  - We really don't have any good estimates of overall security
     as a function of number of messages circulating, the
     latency ( number of stored messages before resending), the
     number of remailer hops, etc. This is not cryptographically
     "exciting" work, but it's still needed. There has not been
     much focus in the academic community on digital mixes or
     remailers, probably because David Chaum's 1981 paper on
     "Untraceable E-Mail" covered most of the theoretically
     interesting material. That, and the lack of commercial
     products or wide usage.
  + Time correlations may reveal patterns that individual
     messages lack. That is, repeated communicatin between Alice
     and Bob, even if done through remailers and even if time
     delays/dwell times are built-in, may reveal nonrandom
     correlations in sent/received messages.
    - Scott Collins speculates that a dynamic Markov compressor
       applied to the traffic would have reveal such
       correlations. (The application of such tests to digital
       cash and other such systems would be useful to look at.)
    - Another often overlooked weakness is that many people
       send test messages to themselves, a point noted by Phil
       Karn: "Another way that people often let themselves be
       caught is that they inevitably send a test message to
       themselves right before the forged message in question.
       This shows up clearly in the sending system's sendmail
       logs. It's a point to consider with remailer chains too,
       if you don't trust the last machine on the chain." [P.K.,
       1994-09-06]
  + What's needed:
    - aggreement on some terminology (this doesn't require
       consensus, just a clearly written paper to de facto
       establish the terminology)
    - a formula relating degree of untraceability to the major
       factors that go into remailers: packet size and
       quantization, latency (# of messages), remailer policies,
       timing, etc.
    - Also, analysis of how deliberate probes or attacks might
       be mounted to deduce remailer patterns (e.g., Fred always
       remails to Josh and Suzy and rarely to Zeke).
  - I think this combinatorial analysis would be a nice little
     monograph for someone to write.
8.10.2. A much-needed thing. Hal Finney has posted some calculations
   (circa 1994-08-08), but more work is sorely needed.
8.10.3. In particular, we should be skeptical of hand-waving analyses
   of the "it sure looks complicated to follow the traffic"
   sort. People think that by adding "messy" tricks, such as
   MIRVing messages, that security is increased. Maybe it is,
   maybe it isn't. But it needs formal analysis before claims
   can be confidantly believed.
8.10.4. Remailers and entropy
  - What's the measure of "mixing" that goes on in a mix, or
     remailer?
  - Hand=waving about entropy and reordering may not be too
     useful.
  + Going back to Shannon's concept of entropy as measuring the
     degree of uncertainty...
    + trying to "guess" or "predict' where a message leaving
       one node will exit the system
      - not having clear entrance and exit points adds to the
         difficulty, somewhat analogously to having a password
         of unknown length (an attacker can't just try all 10-
         character passwords, as he has no idea of the length)
      - the advantages of every node being a remailer, of
         having no clearly identified sources and sinks
  + This predictability may depend on a _series_ of messages
     sent between Alice and Bob...how?
    - it seems there may be links to Persi Diaconis' work on
       "perfect shuffles" (a problem which seemed easy, but
       which eluded solving until recently...should give us
       comfort that our inability to tackle the real meat of
       this issue is not too surprising
8.10.5. Scott Collins believes that remailer networks can be
   cryptanalyzed roughly the same way as pseudorandom number
   generators are analyzed, e.g., with dynamic Markov
   compressors (DNCs). (I'm more skeptical: if each remailer is
   using an information-theoretically secure RNG to reorder the
   messages, and if all messages are the same size and (of
   course) are encypted with information-theoretically secure
   (OTP) ciphers, then it seems to me that the remailing would
   itself be information-theoretically secure.)

8.11 - Dining Cryptographers
8.11.1. This is effectively the "ideal digital mix," updated from
   Chaum's original hardware mix form to a purely software-based
   form.
8.11.2. David Chaum's 1988 paper in Journal of Crypology (Vol 1, No
   1) outlines a way for completely untraceable communication
   using only software (no tamper-resistant modules needed)
  - participants in a ring (hence "dining cryptographers")
  - Chaum imagines that 3 cryptographers are having dinner and
     are informed by their waiter that their dinner has already
     been paid for, perhaps by the NSA, or perhaps by one of
     themselves...they wish to determine which of these is true,
     without revealing which of them paid!
  - everyone flips a coin (H or T) and shows it to his neighbor
     on the left
  + everyone reports whether he sees "same" or "different"
    -  note that with 2 participants, they both already know
       the other's coin (both are to the left!)
  - however, someone wishing to send a message, such as Chaum's
     example of  "I paid for dinner," instead says the opposite
     of what he sees
  + some analysis of this (analyze it from the point of view of
     one of the cryptographers) shows that the 3 cryptographers
     will know that one of them paid (if this protocol is
     executed faithfully), but that the identity can't be
     "localized"
    - a diagram is needed...
  + this can be generalized...
    + longer messages
      - use multiple rounds of the protocol
    + faster than coin-flipping
      - each participant and his left partner share a list of
         "pre-flipped" coins, such as truly random bits
         (radioactive decay, noise, etc.) stored on a CD-ROM or
         whatever
      - they can thus "flip coins" as fast as they can read the
         disk
    + simultaneous messages (collision)
      - use back-off and retry protocols (like Ethernet uses)
    + collusion of participants
      - an interesting issue...remember that participants are
         not restricted to the simple ring topology
      - various subgraphs can be formed
      - a participant who fears collusion can pick a subgraph
         that includes those he doubts will collude (a tricky
         issue)
    + anonymity of receiver
      - can use P-K to encrypt message to some P-K and then
         "broadcast" it and force every participant to try to
         decrypt it (only the anonymous recipient will actually
         succeed)
  - Chaum's complete 1988 "Journal of Cryptology" article is
     available at the Cypherpunks archive site,
     ftp.soda.csua.edu, in /pub/cypherpunks
8.11.3. What "DC-Net" Means
  - a system (graph, subgraphs, etc.) of communicating
     participants, who need not be known to each other, can
     communicate information such that neither the sender nor
     the recipient is known
  + unconditional sender untraceability
    - the anonymity of the broadcaster can be information-
       theoretically secure, i.e., truly impossible to break and
       requiring no assumptions about public key systems, the
       difficulty of factoring, etc.
  + receiver untraceability depends on public-key protocols, so
     traceability is computationally-dependent
    - but this is believed to be secure, of course
  + bandwidth can be increased by several means
    - shared keys
    - block transmission by accumulating messages
    - hiearchies of messages, subgraphs, etc.

8.12 - Future Remailers
8.12.1.  "What are the needed features for the Next Generation
   Remailer?"
  + Some goals
    - generally, closer to the goals outlined in Chaum's 1981
       paper on "Untraceable E-Mail"
    - Anonymity
    - Digital Postage, pay as you go, ,market pricing
    - Traffic Analysis foiled
  +  Bulletproof Sites:
    - Having offshore (out of the U.S.) sites is nice, but
       having sites resistant to pressures from universities and
       corporate site administrators is of even greater
       practical consequence. The commercial providers, like
       Netcom, Portal, and Panix, cannot be counted on to stand
       and fight should pressures mount (this is just my guess,
       not an aspersion against their backbones, whether organic
       or Internet).
    - Locating remailers in many non-U.S. countries is a Good
       Idea. As with money-laundering, lots of countries means
       lots of jurisdictions, and the near impossibility of
       control by one country.
  + Digital Postage, or Pay-as-you-Go Services:
    - Some fee for the service. Just like phone service, modem
       time, real postage, etc. (But unlike highway driving,
       whose usage is largely subsidized.)
    - This will reduce spamming, will incentivize remailer
       services to better maintain their systems, and will
    - Rates would be set by market process, in the usual way.
       "What the traffic will bear." Discounts, favored
       customers, rebates, coupons, etc. Those that don't wish
       to charge, don't have to (they'll have to deal with the
       problems).
  + Generations
    - 1st Gen--Today's Remailer:
    - 2nd Gen--Near Future (c. 1995)
    - 3rd Gen-
    - 4th Gen--
8.12.2. Remailing as a side effect of mail filtering
  - Dean Tribble has proposed...
  - "It sounds like the plan is to provide a convenient mail
     filtering tool which provides remailer capability as a SIDE
     EFFECT! What a great way to spread remailers!" [Hal Finney,
     93-01-03]
8.12.3. "Are there any remailers which provide you with an anonymous
   account to which other people may send messages, which are
   then forwarded to you in a PGP-encrypted form?" [Mikolaj
   Habryn, 94-04]
  - "Yes, but it's not running for real yet. Give me a few
     months until I get the computer + netlink for it. (It's
     running for testing though, so if you want to test it, mail
     me, but it's not running for real, so don't *use* it.)"
     [Sameer Parekh, 94-04-03]
8.12.4. "Remailer Alliances"
  + "Remailer's Guild"
    - to make there be a cost to flakiness (expulsion) and a
       benefit to robustness, quality, reliability, etc.
       (increased business)
    - pings, tests, cooperative remailing
    - spreading the traffic to reduce effectiveness of attacks
  - which execute protocols
  - e.g., to share the traffic at the last hop, to reduce
     attacks on any single remailer

8.13 - Loose Ends
8.13.1. Digital espionage
  + spy networks can be run safely, untraceably, undetectably
    - anonymous contacts, pseudonyms
    - digital dead drops, all done electronically...no chance
       of being picked up, revealed as an "illegal" (a spy with
       no diplomatic cover to save him) and shot
  + so many degrees of freedom in communications that
     controlling all of them is essentially impossible
    - Teledesic/Iridium/etc. satellites will increase this
       capability further
  + unless crypto is blocked--and relatively quickly and
     ruthlessly--the situation described here is unstoppable
    - what some call "espionage" others would just call free
       communication
    - (Some important lessons for keeping corporate or business
       secrets...basically, you can't.)
8.13.2. Remailers needs some "fuzziness," probably
  + for example, if a remailer has a strict policy of
     accumulating N messages, then reordering and remailing
     them, an attacker can send N - 1 messages in and know which
     of the N messages leaving is the message they want to
     follow; some uncertainly helps here
    - the mathematics of how this small amount of uncertainty,
       or scatter, could help is something that needs a detailed
       analysis
  - it may be that leaving some uncertainty, as with the
     keylength issue, can help
8.13.3. Trying to confuse the eavesdroppers, by adding keywords they
   will probably pick up on
  + the "remailer@csua.berkeley.edu" remailer now adds actual
     paragraphs, such as this recent example:
    - "I fixed the SKS.  It came with a scope and a Russian
       night scope.  It's killer.  My friend knows about a
       really good gunsmith who has a machineshop and knows how
       to convert stuff to automatic."
       
  - How effective this ploy is is debatable
8.13.4. Restrictions on anonymous systems
  - Anonymous AIDS testing. Kits for self-testing have been
     under FDA review for 5 years, but counseling advocates have
     delayed release on the grounds that some people will react
     badly and perhaps kill themselves upon getting a positive
     test result...they want the existing system to prevail. (I
     mention this to show that anonymous systems are somtimes
     opposed for ideological reasons.)