[Mailman-Developers] [GSoC14] Full Anonymization Project Idea

[Stephen J. Turnbull]

Rashi Karanpuria writes:

 > If I am still thinking it all the wrong way. Please guide me as to
 > how do I approach the problem.

The problem with your thinking is that you're thinking that there's a
technical solution to a social problem called "full anonymization".

I'm 99.44% sure that whatever you're thinking of doing will be a good
solution to *somebody's* problem, so I wouldn't worry about that end
of things.

What I *do* worry about is that (1) I don't have a use case in mind
for all the gymnastics you propose to do, because (2) it seems to me
that if the site admin is not trusted she can work around any of the
measures you describe, and otherwise I don't see a need for more than
keeping the list keys secret from everybody else (including list
admins).  (3) Encryption doesn't cover the whole attack surface, which
includes various kinds of traffic analysis (trace headers give a lot
of information about network location, timestamps may help provide
geographical location, and of course message content and writing style
can provide very strong clues).

You can say "I know that".  The problem is that your users frequently
will not, and may read more into "*full* anonymization" than can
possibly be delivered.  If we're going to deliver this feature as part
of Mailman, it's really important that we be able to explain what use
cases it's good for, and what it's not.

None of the use cases you've proposed so far are particularly
appealing to me, but the one that comes closest is the "group therapy"
application.  So let's look at that use case and what its requirements
are.

1. Who can be trusted with the keys?
2. Who needs to be anonymous?
3. What are the social threats if anonymity is breached?
4. What are the technical threats to anonymity (ie, how can it be breached)?

I'm sure there are more questions needing answers, but that's a good
place to start.

Regards,