[Mailman-Developers] [GSoC14] Full Anonymization Project Idea

Stephen J. Turnbull stephen at xemacs.org
Wed Feb 18 18:48:50 CET 2015


Rashi Karanpuria writes:

 > A possible use case might be:

 > 1. A suggestion and discussion list of an organisation where
 > subscribers could post all problems and issues and slackenings in
 > the organisation's structure and authorities without worrying about
 > their names being involved. They could even use the list in
 > decision making process, internal polling or maybe even reviewing
 > the system.

If the president of the company doesn't have root, he can fire whoever
does and replace them with somebody who will do what he says.  Not
going to work unless you trust the site admin *and* her boss.  Note
that they also have access to MTA and firewall logs, and so probably
know who made connections when.

 > 2. Similarly a psychiatrist's list where patients can discuss their
 > issues and arrive at mutual solutions with help from the doctor,
 > while bonding with people of their kind. Some syndromes are not
 > cured because of social stigmas that could find a possible solution
 > in such lists.

If you don't trust your psychiatrist and her office staff, you are in
very big trouble.  No need to protect the list from the list admin,
but you might want to protect it from the site admin if the list is
hosted by a third party.

Security (including privacy) of electronic communication is
brain-breaking hard stuff.  Note: I am *not* saying "don't do this
project" -- past experience shows that the level of coding needed for
proof of concept is about right for GSoC -- but you need to be very
careful not to make overly optimistic claims that you're actually
protecting anyone's privacy.

When I was mentoring Abhilash's project in 2013, I thought quite
carefully about possible applications and came to the conclusion that
the crypto was useless.  One use-case you might find interesting was
student evaluations of classes they took.  Either the students trust
the faculty not to peek, or they don't, and in the latter case there
just isn't any sure way to protect the students' privacy *and* at the
same time prevent ballot-box stuffing (i.e., the students need to
authenticate).  The traditional method (check ids at the door and give
one marksheet to each student to fill in, then have a student collect
the marksheets and deliver them to the Faculty Development Office) is
much closer to airtight.

OTOH, if you *do* have that level of trust in the list and site
admins, encrypting traffic does make sense (otherwise mail is an open
book to relaying hosts), and encrypting with your key is as good a
signature as encrypting a hash of the message (the usual "digital
signature").


