Friday, March 20, 2015

Why I think most 'email metadata privacy' issues are Sales FUD.

I run an email service. In fact, I've run VFEmail.net since 2001, which is before Gmail existed. There's been a lot of talk about privacy and about rewriting SMTP to provide more encryption and to 'mask' metadata: long articles about email headers and how correlating To/From/Subject can lead to a 'highly accurate guess' without any actual content. This is definitely a concern, especially because correlation only provides a guess. Let's take a look at what's really happening, from the ESP (Email Service Provider) side to the LEO (Law Enforcement Organization) side, to better understand the problem.

So let's start with an email's structure. Emails are designed to be like letters: there is an envelope, and there is content. Take a closer look at this LaTeX template for the content part:

As you can see, it has what's referred to as 'metadata'. There is
To: "Prof. Jones".
From: "John Smith"
and various other address info.

Remember though, this is a letter. It's enclosed inside an envelope. This is the content of an email, the part you would see. The only way to retrieve the content, or the metadata contained in this letter, is to open the email itself.

The envelope, on the other hand, carries similar data. It has a 'To', a 'From', and a 'Date' in the form of a postmark. This is also metadata.

So what is the difference? It's all the same, you say?

IMHO, LEGALLY, there is a world of difference.
In addition, you can leave the From address off the envelope, so keep that in mind. Also keep in mind that LEOs are building a case.
An ESP isn't required by law to provide inbox content because the target looked at a cop funny. To get that, an investigator must investigate. There must be evidence first, and a judge must sign off on the warrant. That's the point of the checks and balances in our system (of course, with the NSA vacuuming up data, we're no longer talking about legal activity).

Here's the confusion: as an email provider, I receive legal requests for metadata. That metadata is gathered from the SMTP logs, not from the email contents. Those logs, in my opinion, likely also exist at the Post Office; I find it highly unlikely that all the automation in the USPS (including automated scanning of hand-written envelopes) doesn't get logged somewhere. In any case, if the investigator wants INBOX CONTENT, they MUST request INBOX content. Therefore, if the warrant does not include mailbox contents, I can only provide log data.

This is a VFEmail log line:
2015-03-24 07:58:43.155818500 CHKUSER accepted rcpt: from [win-lotto@dabspalsy.com::] remote [kit.dabspalsy.com:unknown:antispamip] rcpt [rick@havokmon.com] : found existing recipient

That log data comes from two places: knowledge of the connection (remote IP address, local time) and two SMTP commands, MAIL FROM and RCPT TO. Those are pretty obvious. Technically there is also HELO, a text identifier the remote server announces for itself (and which it can set to anything, so on its own it proves nothing).

As you can see, the recipient is there (me), and the sender is win-lotto@dabspalsy.com. Obviously spam. That's the envelope data.

Another point of confusion: unlike USPS mail, emails are processed in their entirety as they pass through the system. That is, all the 'header' info (on the left, everything above 'deekayen,') is visible to the SMTP server during transmission. This is true everywhere, no matter what Lavabit claims.

What does that mean? It means that we can help stop spam by checking the IPs of all the previous servers in the header (the Received: lines) to look for points of abuse. It means we can find delivery delays by checking the timestamps each server stamped into the header. It also means that sometimes the Subject, or any other header, may be written to a log file. BUT doing so is ENTIRELY up to the ESP.
Technically, during this processing, an ESP could easily write out an entire copy of the email for nefarious or legal purposes. This is also true everywhere, no matter what Lavabit claims, but in this post we're concentrating on the metadata scare.
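The envelope/content split described above, as an added example that is not VFEmail's code: a constructed message and envelope, a log line written the privacy-conscious way (envelope fields only), a parser for that CHKUSER-style line, and a check that nothing from the content headers ended up in the log. The addresses, header values, IP and the log format are constructed for this example and only mirror the shape of the line quoted above.

```python
"""Added example (not VFEmail's code): what an SMTP server sees in the envelope
versus the message content, and what a privacy-conscious log actually records.

Assumptions: every address, header value and IP below is constructed for
illustration; the log format mirrors the CHKUSER line quoted in the post."""
import re
from email import message_from_bytes
from email.policy import default

# The "letter": everything the remote server sends after DATA.  Constructed sample.
RAW_MESSAGE = (
    b'From: "John Smith" <john.smith@example.org>\r\n'
    b'To: "Prof. Jones" <prof.jones@example.edu>\r\n'
    b'Subject: Quarterly results\r\n'
    b'Date: Fri, 20 Mar 2015 07:58:43 -0500\r\n'
    b'\r\n'
    b'Hello Professor, please find the figures attached.\r\n'
)

# The "envelope": what the SMTP session itself told us.  Constructed sample.
# Note that the envelope sender (a bounce address) differs from the header From:.
ENVELOPE = {
    "remote_ip": "203.0.113.7",          # documentation range, not a real host
    "helo": "mail.example.org",          # whatever the client claimed in HELO
    "mail_from": "bounces+abc123@example.org",
    "rcpt_to": "prof.jones@example.edu",
}


def envelope_log_line(envelope: dict, timestamp: str) -> str:
    """What a privacy-conscious ESP writes: connection data plus MAIL FROM / RCPT TO."""
    return (f"{timestamp} CHKUSER accepted rcpt: from [{envelope['mail_from']}::] "
            f"remote [{envelope['helo']}:unknown:{envelope['remote_ip']}] "
            f"rcpt [{envelope['rcpt_to']}] : found existing recipient")


def header_metadata(raw: bytes) -> dict:
    """What the server *could* read during transmission but should not be logging."""
    msg = message_from_bytes(raw, policy=default)
    return {name: msg[name] for name in ("From", "To", "Subject", "Date")}


_LOG_RE = re.compile(
    r"CHKUSER accepted rcpt: from \[(?P<mail_from>[^\]]*?):*\] "
    r"remote \[(?P<helo>[^:\]]*):(?P<rdns>[^:\]]*):(?P<ip>[^\]]*)\] "
    r"rcpt \[(?P<rcpt_to>[^\]]*)\]"
)


def parse_envelope_log(line: str):
    """Recover the envelope fields from a CHKUSER-style log line; None if it does not match."""
    m = _LOG_RE.search(line)
    return m.groupdict() if m else None


def log_leaks_content(line: str, raw: bytes) -> bool:
    """True if any content-side header value (From:, Subject:, ...) appears in the log line."""
    return any(str(v) in line for v in header_metadata(raw).values() if v)


if __name__ == "__main__":
    line = envelope_log_line(ENVELOPE, "2015-03-20 07:58:43.155818500")
    print(line)
    print(parse_envelope_log(line))
    print(header_metadata(RAW_MESSAGE))
    print("log contains header data:", log_leaks_content(line, RAW_MESSAGE))
```

Run it and compare the two dictionaries: the log line yields only the envelope sender, the recipient, the claimed HELO and the connecting IP, while the From:, To:, Subject: and Date: values live only in the message body the server relayed and never reached the log.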

Any provider, unless requested to examine full email contents, should only be providing the ENVELOPE data. That's it.

"I just read half this post, I don't want my emails correlated and a profile built of me, and you haven't told me anything yet!", you say. Not true: we've whittled perception down to reality. Unless the government is requesting a wiretap, they'll simply get MAIL FROM, RCPT TO, and the REMOTE IP (at least from an ESP that is privacy conscious).

So let's look at the envelope again. Just like USPS mail, the MAIL FROM can be forged. But if you forge the From on an envelope, returned mail won't be able to reach you. At least not directly.

VFEmail provides what we call the 'Metadata Mitigator'. It rewrites the MAIL FROM so that both the local logs and the recipient server's logs show a unique MAIL FROM address. This address is parsed at VFEmail if the email is returned, so a bounce doesn't get lost. Most importantly, the log data on the recipient's server only shows that an email was delivered to 'Prof. Jones' from 'random account at VFEmail'. This method has existed for decades and is known as VERP (Variable Envelope Return Path). Historically it's been used for managing mailing-list member bounces, not for privacy.

Wait, what? Yes: simply mask the MAIL FROM and there will be nothing to correlate. The recipient's log metadata, even if they only receive email from YOU, will simply show a single email from 'anyone and everyone', with no duplicates. The recipient would need to be specifically monitored via a wiretap order to see that you had sent them more than one email.
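The rewrite described in the two paragraphs above, as an added example that is not VFEmail's 'Metadata Mitigator' implementation (the post does not show its internals): a VERP-style MAIL FROM rewrite that uses an opaque per-message token rather than the classic scheme that encodes addresses in the clear, plus the reverse lookup that keeps bounces from getting lost. The domain, the 'mm-' prefix and the in-memory token table are assumptions made for this example.

```python
"""Added example, not VFEmail's 'Metadata Mitigator' code: VERP-style MAIL FROM
rewriting with an opaque per-message token, so a recipient's envelope logs cannot
be linked across messages, while bounces still find their way back to the sender.

Assumptions: the domain, the 'mm-' prefix and the in-memory token table are
illustrative choices made for this example."""
import re
import secrets

REWRITE_DOMAIN = "vfemail.example"   # assumed stand-in for the sending ESP's domain
PREFIX = "mm-"                       # assumed marker for rewritten envelope senders


class Mitigator:
    """Rewrites MAIL FROM on the way out and resolves it again on the way back."""

    def __init__(self, domain: str = REWRITE_DOMAIN):
        self.domain = domain
        self.table = {}   # token -> original envelope sender; must outlive the bounce window

    def rewrite(self, mail_from: str) -> str:
        """Return a fresh, unguessable MAIL FROM for this one message.

        The token carries no information about the original sender, unlike classic
        mailing-list VERP, which encodes addresses in the clear (see classic_verp)."""
        token = secrets.token_urlsafe(12)
        self.table[token] = mail_from
        return f"{PREFIX}{token}@{self.domain}"

    def resolve(self, rcpt_to: str):
        """On a returned message, map the bounce recipient back to the real sender.

        Returns None if the address is not one of ours or the token is unknown."""
        m = re.fullmatch(
            rf"{re.escape(PREFIX)}([A-Za-z0-9_-]+)@{re.escape(self.domain)}", rcpt_to)
        return self.table.get(m.group(1)) if m else None


def classic_verp(list_owner: str, rcpt_to: str) -> str:
    """Traditional VERP as list managers use it: the return path encodes the
    *recipient* so a bounce identifies who failed.  Fine for bounce handling,
    useless for privacy: both addresses are readable in every log that sees it."""
    owner_local, _, owner_domain = list_owner.partition("@")
    rcpt_local, _, rcpt_domain = rcpt_to.partition("@")
    return f"{owner_local}+{rcpt_local}={rcpt_domain}@{owner_domain}"


def correlatable(envelope_senders) -> bool:
    """What a recipient server's log allows: linking messages by an identical MAIL FROM."""
    return len(set(envelope_senders)) < len(envelope_senders)


if __name__ == "__main__":
    mm = Mitigator()
    sender = "john.smith@example.org"
    outgoing = [mm.rewrite(sender) for _ in range(3)]   # three messages, one real sender
    print("recipient log would see:", outgoing)
    print("correlatable:", correlatable(outgoing))
    print("bounce to", outgoing[0], "resolves to", mm.resolve(outgoing[0]))
    print("classic VERP leaks:",
          classic_verp("list-bounces@lists.example", "prof.jones@example.edu"))
```

Two practical points follow from the design. The token table is itself a sender-to-token record at the sending ESP, which is exactly the log data the post says a provider must hand over on request; the rewrite protects against correlation in the recipient's logs, not the sender's. And because SPF is evaluated on the MAIL FROM domain, the rewrite domain has to publish an SPF record covering the ESP's outbound IPs, otherwise every rewritten message fails SPF at the recipient.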

So why would we want to rewrite the entire email ecosystem?
We don't. It's a pointless exercise. It would remove many features we take for granted (spam blocking, forwarding, queuing) and make things more difficult for users (no debugging info available ANYWHERE).

"But a rewrite fixes other issues too!" So do the hundreds of alternative ways to handle email in its current form:
- By using PGP (see the full email example above), the 'user viewable' content of an email, everything under 'Date', is encrypted at rest and in transit.
- Using TLS will encrypt everything, including the MAIL FROM and RCPT TO, during transit to prevent snooping, assuming you're not rewriting your MAIL FROM. (Keep in mind that SMTP TLS is hop-by-hop: each server that handles the message still sees the envelope in the clear, and opportunistic STARTTLS can be stripped by an active attacker on the path.) Sure, the headers are available at rest while the email is sitting in your INBOX. But no respectable mail system uses headers for log data. And again, in order to read those headers, the ESP should have a subpoena for full mailbox content.
- Worried about the ESP reading the mail headers in your INBOX? Fetch your mail with POP and delete it from the server.
- Don't trust that a provider follows their policies? They claim they can't read your INBOX, but copy its contents to the FBI anyway? Run your own server: SMTP is an open standard, you can choose from any number of packages, and you personally remove the last link in the metadata debate.

Done. You've just created 'DarkMail'.

Sunday, March 15, 2015

Why I will no longer use Chase bank

Once upon a time I had awesome credit - not anymore. Mostly due to Chase.
Sometime in 2006 Chase sent me a credit card offer - $20,000 credit, 0% until paid off. I should have saved the document. There was no '0% for 24 months' or 18 months or whatever. It was just straight up '0% until paid off'. I even called them to confirm. I should have recorded the call. I already had 3 other credit cards with them - totaling at least $15,000.
Looking back, I believe they intended it to be used for debt consolidation - I bought a motorcycle on it. A 'cash' purchase made negotiation easy, and with it being a credit card, if something were to occur I wouldn't need to meet potentially high monthly payments. I paid off about $10,000 before Chase revoked their offer and started charging me 12% interest.
That was problem #1 - and while it's MOST DEFINITELY their fault for straight up lying about their offer, I should have kept the offer and recorded the verification call.
Problem #2 came when they called me about fraud on a credit card. At this point I was no longer using Chase credit cards, and what I did have was kept in my safe. There was about $50 in iTunes charges. I asked the rep for all the info she could give me in regards to the charges (basically nothing, just 'iTunes' and the dates, no IP address), but I scoured my devices and accounts for an indication that possibly I had left a credit card active on an account and one of my kids used it. Nothing. I found no receipts, no purchases, no additional software or music anywhere.
This rep practically accused me of committing fraud. She didn't believe I didn't spend $50 on iTunes. I don't buy music online. I don't buy anything through iTunes because of previous DRM issues. Fortunately it didn't matter - Visa regulations say the customer is always right if there is no receipt.
That's when Chase exacted their revenge. They took all 4 of my Credit Card accounts and 'reviewed' them. They decided my $20,000 credit limit was a 'threat' to them, and dropped it down to $6000. They made similar claims and changes on each of my credit cards. They knocked at least $30,000 from my available credit.
Not a big deal, as I don't use it, right? Wrong. Your debt/credit ratio has a huge impact on your credit rating. These changes knocked 25 points off my credit rating. They got their revenge.
In addition, this 'review' is now a yearly occurrence. Every year, as I pay off credit cards that I used to be 'responsible for myself' (rather than file for bankruptcy), they drop my available credit to just above the current balance. Lesson learned.

Don't use Chase bank. Go with a local bank/lender that doesn't have a record of lying and crashing the economy.