02Feb14c An interesting article (Peter Bk)
Tom Spring, PCWorld.com
Monday, February 11, 2002
Ever wonder how to trace the trail of that spam, track its source, and shut it down once and for all? These days, so does the U.S. government.
E-mail messages yielded a few clues to the location of abducted Wall Street Journal reporter Daniel Pearl. But investigators complain the search for Pearl is hampered by difficulties pinpointing where the e-mail originated. Authorities have released few details, but apparently the e-mail was prepared and sent in a way that made it difficult to track. In at least one case, investigators were able to identify three Pakistanis who allegedly had links to a particular PC used to send photos and messages about Pearl.
The Pearl case is just the latest current event fueling a contentious debate over anonymity on the Internet. Tracking down bad guys is good thing. But without anonymity, can free speech and whistle-blowers exist online?
Sending anonymous e-mail is quite easy. Both fee-based and free services pander to the paranoid and guarantee anonymity. Advicebox.com lets you send e-mail anonymously and free through a Web-based interface. Anonymizer charges $5 monthly for a subscription that supports anonymous e-mail and Web browsing. Both it and QuickSilver also let you post messages anonymously to Usenet groups. Other anonymous e-mail software programs include Private Idaho and Potato, which make tracing an e-mail nearly impossible.
The simplest way to send anonymous e-mail is through one of about 35 remailers. The service strips your e-mail of all electronic ties to you and ships the message to its recipient. However, privacy purists point out that the remailer still knows your real identity. So some remailers encrypt and send e-mail through the Mixmaster network, developed by Anonymizer president Lance Cottrell.
The Mixmaster network involves client software that runs on your PC, and Mixmaster servers that forward your e-mail. The client can be used as a plug-in for the QuickSilver e-mail client or with other remailer software. When you use QuickSilver, e-mail is encrypted (under triple DES technology) and sent to multiple Mixmaster servers, stripping the return address each time and making e-mail impossible to trace. On the last leg of your e-mail's journey, it's decrypted and delivered to an in-box. Cottrell insists the Mixmaster remailer network is hack-and spook-proof.
"If a message is sent and you want to find out who sent it, there is no way you can," Cottrell says.
Most Internet users don't realize how easy it is to trace e-mail. For most normal law-abiding people a Yahoo Mail account under a pseudonym is sufficient.
However, e-mail sent from Web-based e-mail services like Yahoo or Hotmail carry the fixed Internet protocol address of the PC or network used to send the message. A site like Advicebox.com doesn't carry IP information with its Web-based mail.
Advicebox.com keeps tabs of computers that visit its site but doesn't log or record the e-mail sent through its service, according to Tim Cutting, company spokesperson. But last year, Advicebox.com had to hand over the electronic evidence to police when a recipient of a death threat delivered by Advicebox.com e-mail reported it to police.
"AdviceBox keeps zero record of the e-mail contents sent from the site. However, as with any computer server, it does keep a record of what ISPs access the server and at what time," Cutting adds.
Anonymizer intentionally keeps no records of people's comings and goings, making a subpoena useless, says Cottrell. How do the Feds feel about that? Since September 11, law enforcement has not contacted Cottrell except to sign up for his service. Cottrell says his clients include local cops, FBI agents, and U.S. embassies.
Most anonymous e-mail proprietors admit their products can be tools for terrorists, pedophiles, and scammers. But they also point out that anonymous e-mail can protect whistle-blowers or the politically oppressed, and help shield the identity of people who would otherwise be afraid to seek help over the Net.
"Just like any powerful technology, in the wrong hands it can be misused," says Rob Courtney, policy analyst with the Center for Democracy and Technology. "It's quite clear the benefits of anonymous e-mail greatly outweigh the risks," he claimed.
Certainly, anonymous e-mail can be a safe way for an employee to blow the whistle on a questionable business practices, or to tip off police to a crime. On the other hand, it also is easy to imagine anonymous e-mail making it safe for terrorists to communicate, plan murderous attacks, or issue ransom notes.
"The abuse bothers me," acknowledges Richard Christman, the developer of QuickSilver. But he says free speech is more important. Anonymizer's Cottrell says his services have helped many, such as Yugoslavian human-rights activists during the Milosovec regime. Also, an airline mechanic once inquired about Anonymizer so he could anonymously tip off airline executives to shoddy maintenance practices.
Anonymity is an important aspect of free speech, say government legal agencies. But if it's used for a crime, law enforcement will try to strip away the cloak.
The FBI likens anonymous e-mail to guns. Like firearms, services and software are legal, but if they're used in a crime, the FBI will take action. "If we need to, we will investigate," says Steven Berry, an FBI spokesperson. Tracing e-mail has helped catch bad guys, such as the Philippino creator of the I Love You virus. It also identified a University of California at Irvine student whose e-mail message threatened to "hunt down and kill" Asian students.
Late last year, the U.S. government got some serious investigative help when Congress passed the Patriot Act in response to the terrorist attacks. The measure gives government the authority to monitor e-mail and other electronic communication and share that information among agencies. "E-mail is just one clue to the larger crime," says a representative of the Department of Justice, of the new tools provided by the Patriot Act.
Last November, the FBI acknowledged the existence of Magic Lantern, a Trojan horse program under development. It is intended to render encryption useless by logging the keystrokes on a suspect's PC. That will only help in some cases, however; if FBI officials can't figure out who is sending e-mail, how can they plant a bug on the computer?
The threat to online privacy is real, say privacy activists. They argue that anonymous e-mail, in an age of cookies, Web bugs, and government surveillance, may be even more important today than before September 11.
Since the terrorist attacks, public and political sensibility has shifted regarding privacy, says Beth Givens, director of the Privacy Rights Clearinghouse. Americans are now more willing to accept facial recognition technology at the Olympics, show a personal ID to virtually anyone who asks, and surrender their anonymity online.
That sensibility has reached the Internet. Anonymous Internet usage is getting harder to achieve. Just days after the terrorist strike, the government required ISPs to open their records in hope of finding electronic leads.
Zero Knowledge, which ensured anonymous Internet access, shut down its Freedom Network, which provided anonymous e-mail and Web surfing. SafeWeb closed its free anonymous Web browsing service, too. Both say they halted anonymous Net access not because of government pressure, but because they were not commercially viable.
Privacy advocates say this weakens consumers' protection from government and big business. Givens says anonymous remailers are not a rogue tool, but one of the Net's last free speech vehicles. She argues the Internet has also become less anonymous as companies use libel suits to find and unmask their online critics.
In fact, civil and criminal investigations have pried at anonymous communication. Anonymity could have helped 21 Raytheon employees who riled Raytheon executives on a Yahoo bulletin board. Raytheon was so upset by the postings, which it alleges disclosed confidential information, that it forced Yahoo by court order to reveal the users' identities. Charges were eventually dropped.
Remailers, though legal, are not immune from such investigations. At the request of California police and the Church of Scientology, Finnish police ordered Johan Helsingius to identify an Internet user who allegedly stole files from the church and was using Helsingius' remailer technology to post them on Usenet groups.
In 1999, Canadian Carl Edward Johnson used a remailer network called Cypherpunks to send rambling but threatening messages to Bill Gates, the IRS, and government officials. Investigators pieced together rants posted on Web sites, in e-mail messages, and writing found at his home to confirm his identity.
The issue raises concern throughout the political spectrum. Anonymous communications has a long, proud history in the United States, says Adam Thierer, of the Cato Institute, a right-wing Libertarian think tank. In 1776, Thomas Paine's Common Sense, a pamphlet urging separation from Britain, was released under the pseudonym "An Englishman."
"Paine didn't hide his identity to be cute or clever. He did it so he wouldn't be thrown in jail or put to death," Thierer says. "Anonymity is a key component to free speech and political discord."
The most cautious even worry that some remailers are operated by hackers or government agents.
"There is no evidence that any of these tools of anonymity have ever been used by a terrorist," says Anonymizer's Cottrell. But then again, if terrorist did use Cottrell's Anonymizer service, how would anyone know?