How security could benefit from high volume spam

The parliament of the European Union has today passed a law under which electronic call detail records, such as phone numbers, e-mail addresses, and web accesses, of all 450 million EU citizens are to be recorded and stored for 6 to 24 months. So everyone will be subject to complete surveillance of telecommunication. No place to hide.

The given reasons are the need to investigate and prosecute terrorism and severe crime. But there is no evidence that this law actually has this effect, and that it is worth sacrificing democracy and civil rights. Our constitution protects the right to communicate confidentially, for all citizens, and especially for lawyers, journalists, priests, etc.

So terrorists finally begin to succeed in destroying our European, modern, democratic, and free way of life and civil rights. It is ridiculous that the modern world has not been attacked by a large army, but by just about 30-40 people with knives and a few bombs. The attack is not the primary attack itself. The main attack is to provoke overextended countermeasures. Technically speaking, a denial-of-civil-rights attack. And the EU proved to be vulnerable to this kind of attack. A patch is not available yet.

Another threat to privacy and civil rights is the intellectual property industry. We have seen Sony attacking and sabotaging private computers, revealing private data, secretly taking control over people's communication and working equipment. We have seen a mother of five being sued into bankruptcy in the USA just for listening to music. This is perverse. We currently see governments considering outlawing open source software or any kind of data processing or communication device without digital rights management. There are good reasons to assume that the European Union's collection of all telecommunication details will be abused to allow the intellectual property industry to completely track every communication.
Just having received any e-mail from someone who had illegally downloaded music could be enough to have your home searched, your computer confiscated, and find yourself sued or prosecuted.

The art and science of communication security will have to realign and focus on new goals. When designing telecommunication protocols we have to take much more care about what communication could reveal about the communication parties and the contents. It is not enough to just put some kind of simple encryption on a message body. We need to protect against traffic analysis, in particular the one without democratic legitimation.

What does that mean? When designing a protocol we should take more care than we did to describe its vulnerability to and resistance against traffic analysis. Not just whether the contents are encrypted, but what an eavesdropper can tell about the communicating parties. We need to incorporate techniques like oblivious transfer and traffic hiding.

An important component of such protection methods is noise. Plenty of noise. Something to hide in, to cover, to overload recording of call details. We should think about and research how to produce noise.

We already have some noise. It's called spam. Some of you might know that I am one of the early-days fighters against spam. I tried to eliminate as much spam as possible. But now, there could be a positive aspect about spam, virus mails, and other mass mails. Maybe it could become an advantage to receive a million mails per day from any senders. Maybe that is what is needed to hide my personal e-mails. Maybe that's the answer I have to give when someone blames me for having received e-mail from the wrong person: "I have no idea what you are talking about. I received about 150,000 virus and spam e-mails that day from arbitrary addresses, and didn't read a single one of them. I have just deleted them."

When designing measures against spam, we should take this into consideration.
Maybe in the near future the advantages of that noise produced by millions of bots will outweigh the disadvantages?

Comments are welcome.

Hadmut Danisch