[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remailer Abuse

Russ Nelson writes:
>    Heh. An anonymous remailer paid for by credit card... 

> Sure, I'll know who used it, but I'm not going to keep that
> information.  (Yes, yes, FV says that I have to keep records of who
> bought what, but I'll label all my information with a random number,
> that simply says that X bought information worth Y, not *what*
> information.)  And if you don't trust a remailer operator, then you
> won't use it.

I'd be worried about a couple of issues - 
one is just the transaction cost - can you successfully market remailer use
at a buck a shot or whatever you'd be charging beyond FV's 29c stamp,
or would you have some convenient way to aggregate bill?
Beyond that, though, are some traffic analysis problems -
remailers require a fair bit of traffic to be useful, and unless
you receive a reasonable amount of encrypted traffic, 
and support encrypted email for purchasing remailer service
and other merchandise, an eavesdropper would have a fairly good source
of traffic data on your remailer users, especially since buying and using 
remailer service requires two messages within an hour or so.

An alternative billing mechanism, which wouldn't use Chaum-patented cash,
would be to sell a bunch of one-shot random-number tokens.
When you sell the tokens, you add them to the database of valid tokens,
and when one comes in on a message you delete it.
This allows you to sell more than one message or service-period per 
FV transaction, and separates the purchase and use by a longer time,
without adding the need for record-keeping based on the user's ID.
It obviously does require encrypted reply messages.

Another variant is for the user to send you a bunch of tokens
along with the purchase, which you store.  Blind signatures would improve
the security of this process, but require more computation and
may involve Chaum's patents.  In this case, the message from the client
to you would be encrypted, but you wouldn't have to send a reply,
so the request could come in anonymously.