Cyphernomicon Top
Cyphernomicon 8.9

Anonymity, Digital Mixes, and Remailers:
Legal Issues with Remailers


    8.9.1. What's the legal status of remailers?
           - There are no laws against it at this time.
           - No laws saying people have to put return addresses on
              messages, on phone calls (pay phones are still legal), etc.
           - And the laws pertaining to not having to produce identity
              (the "flier" case, where leaflet distributors did not have
              to produce ID) would seem to apply to this form of
              communication.
           + However, remailers may come under fire:
             + Sysops, MIT case
               - potentially serious for remailers if the case is
                  decided such that the sysop's creation of group that
                  was conducive to criminal pirating was itself a
                  crime...that could make all  involved in remailers
                  culpable
    8.9.2. "Can remailer logs be subpoenaed?"
           - Count on it happening, perhaps very soon. The FBI has been
              subpoenaing e-mail archives for a Netcom customer (Lewis De
              Payne), probably because they think the e-mail will lead
              them to the location of uber-hacker Kevin Mitnick. Had the
              parties used remailers, I'm fairly sure we'd be seeing
              similar subpoenas for the remailer logs.
           - There's no exemption for remailers that I know of!
           + The solutions are obvious, though:
             - use many remailers, to make subpoenaing back through the
                chain very laborious, very expensive, and likely to fail
                (if even one party won't cooperate, or is outside the
                court's jurisdiction, etc.)
             - offshore, multi-jurisdictional remailers (seleted by the
                user)
             - no remailer logs kept...destroy them (no law currently
                says anybody has to keep e-mail records! This may
                change....)
             - "forward secrecy," a la Diffie-Hellman forward secrecy
    8.9.3. How will remailers be harassed, attacked, and challenged?
    8.9.4. "Can pressure be put on remailer operators to reveal traffic
            logs and thereby allow tracing of messages?"
           + For human-operated systems which have logs, sure. This is
              why we want several things in remailers:
             - no logs of messages
             - many remailers
             - multiple legal jurisdictions, e.g., offshore remailers
                (the more the better)
             - hardware implementations which execute instructions
                flawlessly (Chaum's digital mix)
    8.9.5. Calls for limits on anonymity
           + Kids and the net will cause many to call for limits on
              nets, on anonymity, etc.
             - "But there's a dark side to this exciting phenomenon, one
                that's too rarely understood by computer novices.
                Because they
                offer instant access to others, and considerable
                anonymity to
                participants, the services make it possible for people -
                especially computer-literate kids - to find themselves in
                unpleasant, sexually explicit social situations....  And
                I've gradually
                come to adopt the view, which will be controversial among
                many online
                users, that the use of nicknames and other forms of
                anonymity
                must be eliminated or severly curbed to force people
                online into
                at least as much accountability for their words and
                actions as
                exists in real social encounters." [Walter S. Mossberg,
                Wall Street Journal, 6/30/94, provided by Brad Dolan]
             - Eli Brandt came up with a good response to this: "The
                sound-bite response to this: do you want your child's
                name, home address, and phone number available to all
                those lurking pedophiles worldwide?  Responsible parents
                encourage their children to use remailers."
           - Supreme Court said that identity of handbill distributors
              need not be disclosed, and pseudonyms in general has a long
              and noble tradition
           - BBS operators have First Amendment protections (e.g..
              registration requirements would be tossed out, exactly as
              if registration of newspapers were to be attempted)
    8.9.6. Remailers and Choice of Jurisdictions
           - The intended target of a remailed message, and the subject
              material, may well influence the set of remailers used,
              especially for the very important "last remailer' (Note: it
              should never be necessary to tell remailers if they are
              first, last, or others, but the last remailer may in fact
              be able to tell he's the last...if the message is in
              plaintext to the recipient, with no additional remailer
              commands embedded, for example.)
           - A message involving child pornography might have a remailer
              site located in a state like Denmark, where child porn laws
              are less restrictive. And a message critical of Islam might
              not be best sent through a final remailer in Teheran. Eric
              Hughes has dubbed this "regulatory arbitrage," and to
              various extents it is already common practice.
           - Of course, the sender picks the remailer chain, so these
              common sense notions may not be followed. Nothing is
              perfect, and customs will evolve. I can imagine schemes
              developing for choosing customers--a remailer might not
              accept as a customer certain abusers, based on digital
              pseudonyms < hairy).
    8.9.7. Possible legal steps to limit the use of remailers and
            anonymous systems
           - hold the remailer liable for content, i.e., no common
              carrier status
           - insert provisions into the various "anti-hacking" laws to
              criminalize anonymous posts
    8.9.8. Crypto and remailers can be used to protect groups from "deep
            pockets" lawsuits
           - products (esp. software) can be sold "as is," or with
              contracts backed up by escrow services (code kept in an
              escrow repository, or money kept there to back up
              committments)
           + jurisdictions, legal and tax, cannot do "reach backs" which
              expose the groups to more than they agreed to
             - as is so often the case with corporations in the real
                world, which are taxed and fined for various purposes
                (asbestos, etc.)
           - (For those who panic at the thought of this, the remedy for
              the cautious will be to arrange contracts with the right
              entities...probably paying more for less product.)
    8.9.9. Could anonymous remailers be used to entrap people, or to
            gather information for investigations?
           - First, there are so few current remailers that this is
              unlikely. Julf seems a non-narc type, and he is located in
              Finland. The Cypherpunks remailers are mostly run by folks
              like us, for now.
           - However, such stings and set-ups have been used in the past
              by narcs and "red squads." Expect the worse from Mr.
              Policeman. Now that evil hackers are identified as hazards,
              expect moves in this direction. "Cryps" are obviously
              "crack" dealers.
           - But use of encryption, which CP remailers support (Julf's
              does not), makes this essentially moot.
 

Next Page: 8.10 Cryptanalysis of Remailer Networks
Previous Page: 8.8 Anonymous Message Pools, Newsgroups, etc.

By Tim May, see README

HTML by Jonathan Rochkind