On 8 June 2013 22:04, Nadim Kobeissi <na...@nadim.cc> wrote:
> I want to encourage all the open source, communication and security software
> developers on this list to start talking about metadata.
>
> 1. Start raising awareness on what metadata is given to your software and how
> it's handled.
> 2. Don't limit your privacy policy to content but also clarify what's done
> with metadata.
>
> [Shameless plug] We've already done this at Cryptocat. Our table can serve as
> a template:
> https://blog.crypto.cat/2013/06/cryptocat-who-has-your-metadata/
Something I would add (there are no comments enabled, or I missed them) is that most online messaging protocols (XMPP, Email, OTR, IRC, Cryptocat I think, etc.) enable attackers to de-anonymize recipients if they have a publicly accessible point of contact that accepts data from unknown senders, and the attacker can watch the network.

Stated more simply, if the Syrian government sends 5MB emails to syriandissidentx...@yahoo.com, they just have to look for who receives that much data from the appropriate server at appropriate intervals.[0] This can work over Tor too, although it's a tad more difficult.

This may be obvious to us... but then again, that table is obvious to us also; we're aiming this at everyone else ;)

The solution is something as complex as Pond (which requires users to be authorized) or possibly XMPP contact list requests (I'm not actually sure if those prevent you from sending lots of data to a user before they accept you.)

-tom

[0] I mention this briefly in https://crypto.is/blog/tagging_attacks, but owe a better blog post to it.
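As an added illustration of the point above (this is example code written for this page, not code from the thread, from Cryptocat or from Pond): a small simulation in which a server delivers mail to a set of clients while an observer sees only the byte count each client receives per interval. In the naive scheme the recipient of a few large, periodically repeated messages is the one client whose volume sits far above the others; in a padded scheme where every client receives a fixed-size bucket per interval (real data if queued, cover traffic otherwise), every client's observed volume is identical and there is nothing to correlate. All client names, traffic sizes and the 3-sigma threshold are constructed for the example.

```python
"""
Constructed simulation: why per-recipient traffic volume is a metadata leak,
and why fixed-size, fixed-rate (padded) delivery removes the signal.
Not part of the original mailing-list thread; all figures are made up.
"""
import random
from collections import defaultdict

BUCKET = 4096   # fixed delivery unit (bytes) in the padded scheme (assumed)
SLOTS = 20      # number of delivery intervals the observer watches


def simulate_naive(clients, target, injected_bytes, seed=0):
    """Server delivers each client's real inbox bytes as-is each interval.
    `target` additionally receives `injected_bytes` every fourth interval,
    standing in for the large messages sent to a public address."""
    rng = random.Random(seed)
    observed = defaultdict(list)
    for slot in range(SLOTS):
        for c in clients:
            normal = rng.randint(0, 2000)        # constructed ordinary chatter
            extra = injected_bytes if (c == target and slot % 4 == 0) else 0
            observed[c].append(normal + extra)   # what the network observer sees
    return observed


def simulate_padded(clients, target, injected_bytes, seed=0):
    """Every client receives exactly BUCKET bytes per interval, whether or not
    real data is queued for them; surplus stays queued for later intervals.
    The observer therefore sees the same volume for every client."""
    rng = random.Random(seed)
    queued = defaultdict(int)
    observed = defaultdict(list)
    for slot in range(SLOTS):
        for c in clients:
            queued[c] += rng.randint(0, 2000)
            if c == target and slot % 4 == 0:
                queued[c] += injected_bytes
            delivered = min(queued[c], BUCKET)   # real bytes in this bucket
            queued[c] -= delivered
            observed[c].append(BUCKET)           # padded to a full bucket
    return observed


def standout_clients(observed, z=3.0):
    """Defender-side check on what an observer could learn: clients whose
    total received volume is more than `z` standard deviations above the
    mean. An empty list means volume alone singles nobody out."""
    totals = {c: sum(v) for c, v in observed.items()}
    n = len(totals)
    mean = sum(totals.values()) / n
    var = sum((t - mean) ** 2 for t in totals.values()) / n
    sd = var ** 0.5
    if sd == 0:
        return []
    return [c for c, t in totals.items() if (t - mean) / sd > z]


if __name__ == "__main__":
    users = [f"user{i}" for i in range(50)]          # constructed client set
    print("naive  :", standout_clients(simulate_naive(users, "user7", 5_000_000)))
    print("padded :", standout_clients(simulate_padded(users, "user7", 5_000_000)))
```

The padded scheme trades latency for indistinguishability: a 5MB delivery now takes many intervals, which is also why the queue is the natural place to apply the authorization rule Tom mentions for Pond, so that data from unknown senders never enters it in the first place.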