DearAOL and GoodMail

Things have really been heating up recently around the AOL/Goodmail “pay to send” CertifiedMail scheme — the EFF and a host of other groups have launched dearaol.com, stating:

This system would create a two-tiered Internet in which affluent mass emailers could pay AOL a fee that amounts to an “email tax” for every email sent, in return for a guarantee that such messages would bypass spam filters and go directly to AOL members’ inboxes. Those who did not pay the “email tax” would increasingly be left behind with unreliable service. Your customers expect that your first obligation is to deliver all of their wanted mail, and this plan is a step away from that obligation.

While I dislike this proposal, too, as far as I can tell, AOL actually have pretty reasonable intentions with this program — nowhere near as bad as the DearAOL.com site makes out.

However, they’re doing a really really crappy job of getting this information out there, or committing to reasonable limits on the program, such as announcing that they will use it only for transactional emails, as Yahoo! have done.

I’d strongly recommend reading Carl Hutzler’s posting on the subject. Carl was AOL’s head of anti-spam operations until last year, so he really knows what he’s talking about, and he lays it out clearly — a lot more clearly than any corporate statements from AOL do. His blog contains a fair bit more on the subject, too.

But seriously — why isn’t there a press release on the AOL site about this scheme? Some front-channel communication about now might be useful, I’d suggest, before things really get hairy — this crapstorm is coming about partly because AOL’s comments are all filtering out in dribs and drabs via third parties, and (AOLers say) are being misconstrued and misrepresented in the process. It’s a classic case of missing the cluetrain.

I’d also really encourage the EFF people to tone down the rhetoric; statements like “senders will have no guarantee that their emails will be delivered” are scare-mongering, given that SMTP email already provides no such guarantee.

Update: wow, MoveOn went really overboard — “threatening the Internet as we know it … The very existence of online civic participation and the free Internet as we know it are under attack.” OMG the sky is falling!

Side Issue: The Spam Definition

Also, another note to EFF: defining spam as “whatever you don’t want to read” is a terrible mistake to make. That confuses a good, clear, enforceable and automatable definition of spam – unsolicited bulk email – and makes it effectively unenforceable by law, unpoliceable by ISPs, impossible to detect automatically, and incompatible with existing, effective EU and Australian legislation.

Listen to your own Chairman of the Board; he’s right on this count.

PS: any luck fixing up the non-confirmed signups issue? Last time I checked I could still subscribe any address to the EFF Action Alerts without a cross-check, which is not a good thing.


‘Irish EFF’

Ireland: There’s been some discussion about ‘an Irish EFF’ recently, reminding me of the old days of Electronic Frontier Ireland in the 1990s.

I was reminded of this by Danny O’Brien’s article in The Guardian, where he notes an interesting point — half of the effectiveness of the EFF in the US is because they have a few full-time people sitting in an office, answering phone calls. Essentially they act as a human PBX, being the go-to guy connecting journalists to activists and experts.

Now that is something that could really work, and is needed in Ireland, which is in the same boat as the UK in this respect; the journalists don’t know who to ask for a reliable opposing opinion when the BSA, ICT Ireland, or the IRMA put out incorrect statements. It has to be someone who’s always available for a quote at the drop of a hat, over the phone. From experience, this takes dedication — and without getting paid for it, it’s hard to keep the motivation going.

IrelandOffline have done it pretty well for the telecoms issue; ICTE have done a brilliant job, the best I’ve seen in Europe IMO, of grabbing hold of the e-voting issue to the stage where they own it; but for online privacy, software patenting, and other high-tech-meets-society issues, there’s nobody doing it that successfully.

(Update: added ICTE, slipped my mind! Sorry Colm!)


Anonymous blogging made simple

Privacy: after reading Adam Shostack’s weblog posting about private/anonymous blogging, I’ve been driven to think about that, and wound up writing up a case study of Cogair, which was an influential anonymously-published proto-weblog in Ireland in the ’90s.

Now, quinn at ambiguous.org quotes a review of EFF’s recent ‘anonymous blogging’ guidelines, which largely comes up with one conclusion: it’s a usability nightmare. The problem is, the EFF report recommends using invisiblog.com, which in turn uses the Mixmaster remailers. Those things are awful, and I doubt anyone but their authors could possibly know how to use them ;)

Here’s an easier way to blog anonymously. I haven’t tried it (honest ;) but from keeping up on this stuff, it should work…

Firefox

  • First off, install Firefox. No point giving your identity away through an MSIE security hole. Clear out all cookies in Preferences:Privacy:Cookies (or better still — start a new Firefox profile from scratch).
  • Visit IPID and note down the IP address noted (this is your own, traceable, IP address).

Tor

  • Next, install Tor, EFF’s ‘Onion routing’ anonymizer system. This also means installing privoxy as directed in the Tor install guide.
  • Set up Tor on your machine, so that Firefox will browse via that software.
  • Using Tor, visit IPID and make sure it doesn’t give you the same traceable IP address. This is to make sure you’re browsing securely.

Hushmail

  • Visit Hushmail and create a new free email account. Obviously, don’t use usernames and passwords that map in any way to your existing ones, and avoid words that may show up under your interests (especially if they’re googleable)…

Blogger

  • Using that Hushmail account as the email address, go to Blogger.com and create yourself a blog, then get publishing.
  • Hey presto — anonymous blogging the easy way!
  • For safety, don’t use the Firefox anonymous-blogging profile for any sites other than Hushmail and Blogger.com’s publishing end. (A future Firefox vulnerability could expose personal info directly from Firefox itself.)

This is essentially the ‘TOR to blog server’ method described at the privateblogging wiki.

Now, note that along that chain we have 3 levels of identity — the IP address (hidden by Tor), the email address (traceable to Hushmail, who could conceivably give up the Tor router’s IP), and the Blogger.com weblog site (traceable to Blogger, who could give up the Hushmail address and the Tor router’s IP).

As long as you don’t give it away in your writings on that weblog — and as long as Tor remains safe — your own identity in turn is safe, too; and Tor has proved safe, so far.
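The three levels of identity above can be written down as a small disclosure model. This is an added example, not part of the original post; the party names and identifier labels are constructed, and the `tor_always_on` flag models the case the IPID check in the Tor step guards against, where the profile is used once without Tor.

```python
def records(tor_always_on):
    """What each party holds, keyed by the identifier needed to look it up.

    Constructed model of the chain in the post: Blogger knows the sign-up
    e-mail address and the connecting IP; Hushmail knows the connecting IP.
    """
    ip = "tor exit IP" if tor_always_on else "home IP"
    return {
        "Blogger": {"blog URL": {"Hushmail address", ip}},
        "Hushmail": {"Hushmail address": {ip}},
        # Only matters if Tor itself fails; the post assumes it stays safe.
        "Tor": {"tor exit IP": {"home IP"}},
    }


def learnable(recs, compelled, start="blog URL"):
    """Identifiers an observer can reach from the public blog URL when the
    parties in `compelled` hand over their records (fixed-point iteration)."""
    known = {start}
    changed = True
    while changed:
        changed = False
        for party in compelled:
            for key, reveals in recs[party].items():
                if key in known and not reveals <= known:
                    known |= reveals
                    changed = True
    return known


if __name__ == "__main__":
    for tor_on in (True, False):
        got = learnable(records(tor_on), {"Blogger", "Hushmail"})
        print("Tor always on:", tor_on, "->", sorted(got))
```

With Tor used every time, both service providers together can give up only the Tor exit address; a single direct connection puts the home address in their logs.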

There are still problems:

  • The weblog site itself could still get taken down, e.g. via a DMCA takedown notice. This could be an issue, depending on what’s being published.
  • Tor traffic is identifiable as such as it traverses the internet. For bloggers in countries with a pervasive internet surveillance regime at the local ISP end, the watchers will be able to tell that Tor is in use, and tell who is the person using Tor. (They won’t be able to tell what it’s being used for, just that it’s being used.)

PS, for the future: the guys behind Tor are working on a replacement for Mixmaster anonymous remailer software, called Mixminion. There’s also a wiki for discussion of ‘private blogging’ here.


EFF’s clueless spam filtering white paper

Spam: The EFF are a great organisation — damn, I even helped set up an organisation based on its goals in Ireland, back in the day! But this white paper is shockingly clueless.

(Note: this posting has been updated. Original left intact, but there’s an update below worth noting.)

For example:

Spam Assassin, a popular program that does ad hoc pattern matching, assigns ‘points’ to various features of an email to determine whether it is spam. … One of the major problems with this system is that messages from certain countries — like China, for example — can be blocked purely on the basis of where they come from and what language they’re in. The implications for free speech here are very troubling indeed: … thus anti-spam technology unintentionally works as a political censorship mechanism.

SpamAssassin does not give points for country of origin, or language the message arrives in, unless the user explicitly either (a) adds rules from an external source, or (b) modifies the ‘ok_languages’ setting in their configuration, from the default, to specify that they do not want to receive messages in particular languages. No country- or language-blocking happens by default. This is by design.

It’s a shame that the authors felt the need to outright fabricate a danger, here.

The white paper features more broad generalisations about ‘spam filters’, mostly using unsubstantiated friend-of-a-friend stories, without detailed data. And I do know that there have been cases of MoveOn.org, at least, being a source of UBE, in the past — so it’s not valid to claim that this is all a ‘free speech’ issue; political UBE is still spam.

They need to realise there are a lot of very smart, very reasonable anti-spammers out there, and most of us agree with the rest of their goals, except for their spam position. This is hurting them.

Still, it appears they’re finally getting a clue about requiring subscription requests be confirmed using closed-loop opt-in, so that’s good. More political newsletters, and political campaigns, need to get this clue — just because it’s political speech does not mean it’s not spam. (I have several thousand political spams in my spam folder — most from that German anti-immigration virus from earlier this year.)
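A sketch of the closed-loop (confirmed) opt-in mentioned above, added here as an example and not the EFF's or any list software's code. The secret, the expiry period and the `MailingList` class are assumptions; the outbox list stands in for sending mail.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a per-list server-side secret
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmation links expire after 3 days


def make_token(address, issued_at):
    """Return 'issued_at.hexmac', binding the token to one address and time."""
    msg = f"{address.lower()}|{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def token_valid(address, token, now):
    """True only if the token was issued for this address and has not expired."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False
    expected = make_token(address, issued_at).split(".", 1)[1]
    return hmac.compare_digest(mac.encode(), expected.encode())


class MailingList:
    def __init__(self):
        self.subscribers = set()
        self.outbox = []   # (recipient, token) pairs standing in for sent mail

    def request_subscription(self, address, now):
        """Anyone may submit any address; the only effect is one confirmation mail."""
        self.outbox.append((address, make_token(address, now)))

    def confirm(self, address, token, now):
        """Only someone who can read that mailbox holds the token that closes the loop."""
        if token_valid(address, token, now):
            self.subscribers.add(address.lower())
            return True
        return False
```

A sign-up form submitted with someone else's address leaves `subscribers` unchanged; the address is added only when the token mailed to it comes back.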

Note that Rod is unsure if they’re practicing what they preach…

Update: Annalee Newitz has been in touch, and pointed out that the white paper in fact says ‘mails … can be blocked’, rather than ‘are blocked’ based on country of origin. In other words, it’s purely a matter of this being possible, rather than the default, and that administrators apply these customisations.

In addition, she notes that the conclusions recommend that ISPs and administrators of spam blocking systems allow end users to control their own filtering settings, saying ‘If a user wants to block all mail from China, great. If a sysadmin does it for a bunch of users without permission, then that is a problem in our opinion.’
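The distinction drawn here, a user narrowing ‘ok_languages’ for themselves versus an administrator doing it for everyone, can be checked mechanically. The following is an added example, not SpamAssassin's own code: it scans configuration text for `ok_languages` and `ok_locales` (both real settings that default to `all`) and reports where the default has been narrowed. The sample files are constructed, and treating a later line as overriding an earlier one is an assumption of this sketch.

```python
LANGUAGE_DIRECTIVES = ("ok_languages", "ok_locales")  # both default to "all"


def language_restrictions(cf_text):
    """Return {directive: [allowed codes]} for settings that narrow the default."""
    found = {}
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] in LANGUAGE_DIRECTIVES:
            # Assumption of this sketch: the last occurrence wins.
            found[parts[0]] = parts[1:]
    return {k: v for k, v in found.items() if v and "all" not in v}


def audit(site_cf, user_cf):
    """List (scope, directive, codes) for every narrowed setting.

    'site-wide' entries affect every user of the filter; 'per-user' entries
    are a choice made by the mailbox owner.
    """
    report = []
    for scope, text in (("site-wide", site_cf), ("per-user", user_cf)):
        for directive, codes in sorted(language_restrictions(text).items()):
            report.append((scope, directive, codes))
    return report


# Constructed sample configuration text (not taken from any real site).
SITE_CF = """
# constructed sample local.cf
required_score 5.0
ok_locales en
"""
USER_CF = """
# constructed sample user_prefs
ok_languages all
"""

if __name__ == "__main__":
    for scope, directive, codes in audit(SITE_CF, USER_CF):
        print(f"{scope}: {directive} limited to {' '.join(codes)}")
```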

So I agree with that. Misdirected outrage hereby turned off ;)

(Mind you, I still think they need to work more with the reasonable anti-spammers… and fix that unconfirmed sign-up that Rod mentioned, if it’s really still unconfirmed!)


Indymedia cross-border takedown reaches Slashdot

Web: The slashdot story. The comments contain a massive amount of noise, but there are some highlights…

Some details of the backend; it appears Indymedia need more mirrors, and the imc-tech list and #tech channel are the best contact locations to get in touch. The comment also notes that the Mir CMS used by most IMCs generates static HTML — which is a good thing! I hereby withdraw my kvetching about server-side dynamic scripting in that case ;)

The techie who ‘had the contract with Rackspace’ comments, and provides a link to his weblog, which contains copies of the trouble tickets.

He also notes that the possible illegal posting was a newswire submission — therefore not ‘published’ per se, just uploaded in the same way an unmoderated-up slashdot comment is.

And finally — he notes that the EFF are offering to represent himself and Indymedia pro bono. Yay EFF!

The Electronic Frontier Foundation (EFF) is currently assisting Indymedia investigate possible responses to the seizure of its information. More than 20 Indymedia-related websites, along with Indymedia’s online radio, were hosted on the servers, which were dedicated machines provided by Rackspace.

‘This seizure has grave implications for free speech and privacy. The Constitution does not permit the government unilaterally to cut off the speech of an independent media outlet, especially without providing a reason or even allowing Indymedia the information necessary to contest the seizure,’ said EFF Staff Attorney Kurt Opsahl.

This is great news. Top-secret takedowns are not a good thing, especially when they span three national borders…
