Email insecurity (was One of the great benefits of Open Source)

Posted Nov 7, 2025 18:01 UTC (Fri) by anselm (subscriber, #2796)
In reply to: Email insecurity (was One of the great benefits of Open Source) by paulj
Parent article: Debian to require Rust as of May 2026

> vast vast majority of email providers are companies and already taking payment from /someone/ (whether the email sender, or the advertisers who want to place ads before the email senders).

That may be the case, but today I am the email provider for myself and a few friends, and I would like to keep doing this. If, to continue to be my own email provider, I would have to connect to some payment system and deal with all the legal red tape required to be a commercial entity (and at least around here, “doing something on a sustained basis that involves other people and money” is the basic definition of “being a commercial entity”), then this would no longer be a viable proposition, and that would really suck. It may turn out that in the end I might not actually be liable to pay taxes, etc., but the red tape would still be there in order to get to that point.

Anyway, never mind micropayments, which are way too much of a hassle to be worthwhile. If we really want to fix email, the first thing to do is to stop sending email around on the off-chance. Instead, the email is stored at the sender's end and the receiver is notified that there is some email to pick up for them. The receiver can then decide whether they want it (based on whether the sender is on a list of approved senders, or the notification has the correct signature, or the hash for the actual mail doesn't show up in a spam database, or whatever) and pick it up from the sender's server if that is the case. This approach makes it harder for spammers to fake the sender's address (they could still try to send fake notifications but there wouldn't be anything on the sender's server to pick up; also the system would presumably validate that a notification for a message from sender@example.com actually comes from a server which is allowed to send notifications for example.com, à la SPF) and doesn't require receivers to download and store messages they're going to discard later because they're spam. Backscatter-type spam is eliminated completely because there is no need for “bounces” in the first place. Just a thought.
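The pull model sketched above (message stays at the sender, receiver gets a notification, checks it, then fetches) as an added example, not code from the post or from any project. The SPF-like record, the keyed MAC standing in for a domain signature, the host names and the messages are all constructed for the illustration.

```python
"""Pull-based mail sketch: store at the sender, notify the receiver,
let the receiver verify and fetch. Added example; all data constructed."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Stand-in for an SPF-style DNS record: hosts allowed to notify for a domain.
NOTIFIER_RECORDS = {
    "example.com": {"mx1.example.com"},
    "friend.example": {"mail.friend.example"},
}


def body_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def _mac(key: bytes, sender: str, message_id: str, digest: str) -> str:
    # Keyed MAC standing in for a domain signature over the notification.
    return hmac.new(key, f"{sender}|{message_id}|{digest}".encode(), "sha256").hexdigest()


@dataclass(frozen=True)
class Notification:
    sender: str           # e.g. alice@example.com
    notifying_host: str   # host claiming to hold the message
    message_id: str
    digest: str           # hash of the stored body
    mac: str


@dataclass
class SenderServer:
    host: str
    key: bytes
    outbox: dict = field(default_factory=dict)   # message_id -> body

    def store(self, sender: str, message_id: str, body: bytes) -> Notification:
        """Keep the message locally; return the small notification to send."""
        self.outbox[message_id] = body
        digest = body_hash(body)
        return Notification(sender, self.host, message_id, digest,
                            _mac(self.key, sender, message_id, digest))

    def fetch(self, message_id: str):
        return self.outbox.get(message_id)


@dataclass
class Receiver:
    approved_senders: set
    spam_hashes: set
    host_keys: dict    # host -> MAC key (stand-in for a published signing key)
    servers: dict      # host -> SenderServer (stand-in for opening a connection)

    def handle(self, n: Notification):
        """Return (verdict, body); body is None unless the mail was picked up."""
        domain = n.sender.rsplit("@", 1)[-1]
        # 1. May this host notify for the sender's domain? (SPF-like check)
        if n.notifying_host not in NOTIFIER_RECORDS.get(domain, set()):
            return "reject: host not authorized for domain", None
        # 2. Is the notification correctly signed by that host?
        key = self.host_keys.get(n.notifying_host)
        if key is None or not hmac.compare_digest(
                _mac(key, n.sender, n.message_id, n.digest), n.mac):
            return "reject: bad signature", None
        # 3. Known spam: nothing is downloaded or stored, and nothing bounces.
        if n.digest in self.spam_hashes:
            return "reject: known spam", None
        # 4. Unknown sender: hold the notification, fetch nothing yet.
        if n.sender not in self.approved_senders:
            return "hold: sender not approved", None
        # 5. Pick the message up and confirm it is what was announced.
        server = self.servers.get(n.notifying_host)
        body = server.fetch(n.message_id) if server else None
        if body is None:
            return "reject: nothing to pick up", None   # forged notification
        if body_hash(body) != n.digest:
            return "reject: body does not match notification", None
        return "accepted", body


def demo():
    """Constructed scenario: one real mail, one forged, one dangling, one spam."""
    good = SenderServer("mx1.example.com", b"example-key")
    rogue = SenderServer("spam.example.net", b"rogue-key")
    rx = Receiver(approved_senders={"alice@example.com"}, spam_hashes=set(),
                  host_keys={"mx1.example.com": b"example-key"},
                  servers={"mx1.example.com": good})
    legit = good.store("alice@example.com", "m1", b"hello from alice")
    forged = rogue.store("alice@example.com", "m2", b"buy now")   # wrong host
    ghost = body_hash(b"ghost")   # correctly signed, but never stored at mx1
    dangling = Notification("alice@example.com", "mx1.example.com", "m9", ghost,
                            _mac(b"example-key", "alice@example.com", "m9", ghost))
    rx.spam_hashes.add(body_hash(b"cheap pills"))
    spam = good.store("alice@example.com", "m3", b"cheap pills")
    return {name: rx.handle(n)[0] for name, n in
            [("legit", legit), ("forged", forged), ("dangling", dangling), ("spam", spam)]}
```

The receiver only downloads a body after the origin check, the signature check and the spam-hash check have passed, so a spammer pays the storage cost of unwanted mail and a forged address yields a notification with nothing behind it.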

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 11:43 UTC (Mon) by paulj (subscriber, #341) [Link] (27 responses)

> That may be the case, but today I am the email provider for myself and a few friends, and I would like to keep doing this. If, to continue to be my own email provider, I would have to connect to some payment system and deal with all the legal red tape required to be a commercial entity (

Again, all jurisdictions I am familiar with have thresholds and exemptions for non-commercial and/or no-low revenue businesses. E.g., VAT... there are thresholds and you have to have a fairly non-trivial business before you are required to register for VAT. If you are not making money, there are no tax liabilities and unlikely to even be reporting obligations (unless, again, you have some large revenue on which you're making no money). I am unsure what other regulations you think might apply to running a small communication system for friends, for which you might have to have them contribute money in some online-payment system - even reporting obligations for financial transactions have thresholds that are set at at least €1000 across the EU.

Alternatively, just go anonymous. A system secured against spam by money, or other proof of resources, can have anonymous nodes.

So... it's just a strawman. There are no regulations nor taxes that would apply to some trivial-scale "friends and family" next-gen-email-replacement system.

There are open-source projects in this space already, and you can run their servers if you wish. E.g., Session (partly a signal fork, but replacing the messaging fabric). The notion you need to register a company and pay taxes to run a Session server and have it participate in the swarms is just flat out false.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 13:32 UTC (Mon) by pizza (subscriber, #46) [Link] (22 responses)

> So... it's just a strawman. There are no regulations nor taxes that would apply to some trivial-scale "friends and family" next-gen-email-replacement system.

Methinks the "strawman" here is one of your own construction.

Remember, you're not interacting with "friends and family", you're interacting with everyone said friends+family communicates with, and that's going to necessarily include complete strangers and businesses of all sizes. (If it was just a closed friends+family system, you have an alternate trust system and can eschew all of this automagic micropayment system entirely!)

Meanwhile, if you interact with real-world currencies, you will run into voluminous regulations and the 5th circle of hell that are payment processing systems. This goes well beyond the scope of taxation; look up the UCC sometime.

Sending e-mail via a possibly sanctioned entity

Posted Nov 10, 2025 14:11 UTC (Mon) by farnz (subscriber, #17727) [Link] (21 responses)

And note that you can't control who your friends and family choose as mail providers. For example, my home mail server (used by 3 people - me, my spouse, my mother) regularly sends mail to a server belonging to a sanctioned entity. This is fine, legally speaking, because no money is involved; I'm forwarding data from my mother's mail client to her friend's mail server, and the mere act of forwarding data is not sanctioned.

The moment money gets involved, though, I have to ensure that I don't attempt to pay for mail delivery to this person's mail server, because if I do so, I will be in breach of sanctions law. And the easiest way to handle this problem is to pay someone who already handles sanctions law as a matter of course - stop running my own server, and just pay for Google Workspace or similar.

Sending e-mail via a possibly sanctioned entity

Posted Nov 10, 2025 15:02 UTC (Mon) by paulj (subscriber, #341) [Link] (20 responses)

> The moment money gets involved, though, I have to ensure that I don't attempt to pay for mail delivery to this person's mail server, because if I do so, I will be in breach of sanctions law.

As stated before, it is technically possible to have a distributed system that includes or relies on a distributed ledger payment system where no one can determine from the ledger, with any useful certainty, how much was sent by whom to whom. Only the sender knows how much was sent to which sub-address. The recipient knows how much was received to which sub-address, but not the address from which it was sent. I.e., a CryptoNote protocol.

Such non-transparent payment systems will ultimately dominate in the space for online, decentralised, distributed payment systems (and already do!), precisely because the older technology of transparent public ledger systems becomes mired in unworkable regulations. Eventually, the regulatory system will lose here and have to concede - just like in the previous regulatory war on maths in the 90s.
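The property described two paragraphs up (the recipient can tell an output is theirs and spend it, but the ledger shows only a one-time key that nobody else can link to the recipient or the sender) comes from CryptoNote's one-time addresses. An added example of just that derivation, not code from any CryptoNote implementation: it uses a plain Diffie-Hellman group with the 2^255-19 prime as a multiplicative modulus and g = 2, which is a toy parameter choice for illustration and not a vetted group, and it leaves out the ring signatures and amount hiding that a real system adds on top.

```python
"""CryptoNote-style one-time (stealth) addresses in a generic DH group.
Added example with toy parameters; not a secure group choice."""
import hashlib
import secrets

P = 2**255 - 19   # prime used as a plain modulus for illustration only
G = 2


def keygen():
    """Return (private exponent, public element)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def h_scalar(element: int) -> int:
    """Hash a group element to an exponent (H_s in the CryptoNote paper)."""
    return int.from_bytes(hashlib.sha256(element.to_bytes(32, "big")).digest(),
                          "big") % (P - 1)


def make_one_time_address(view_pub: int, spend_pub: int):
    """Sender side. Only the recipient's public (A, B) is needed; the sender
    uses a fresh r and no long-term key, so the output says nothing about
    who sent it. Returns the transaction key R and the one-time key P."""
    r = secrets.randbelow(P - 2) + 1
    tx_pub = pow(G, r, P)                       # R = g^r
    s = h_scalar(pow(view_pub, r, P))           # H_s(A^r)
    one_time_pub = pow(G, s, P) * spend_pub % P # g^s * B
    return tx_pub, one_time_pub


def scan(view_priv: int, spend_pub: int, tx_pub: int, one_time_pub: int) -> bool:
    """Recipient side: is this output mine? Needs only the view key a,
    since R^a = g^{ra} = A^r."""
    s = h_scalar(pow(tx_pub, view_priv, P))
    return pow(G, s, P) * spend_pub % P == one_time_pub


def one_time_secret(view_priv: int, spend_priv: int, tx_pub: int) -> int:
    """Recipient side: the private key for the output, s + b. Needs the
    spend key b, so a view-only wallet can detect but not spend."""
    s = h_scalar(pow(tx_pub, view_priv, P))
    return (s + spend_priv) % (P - 1)


if __name__ == "__main__":
    a, A = keygen()          # view key pair
    b, B = keygen()          # spend key pair
    R, P1 = make_one_time_address(A, B)
    print("recipient recognises output:", scan(a, B, R, P1))
    print("recipient can spend it:", pow(G, one_time_secret(a, b, R), P) == P1)
```

Two outputs to the same (A, B) produce unrelated one-time keys, and an observer holding only the ledger (R and P) cannot run `scan` without a, so neither the recipient nor the sender is identifiable from the ledger entry; this is the "only the sender knows, only the recipient knows" split the comment refers to.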

Sending e-mail via a possibly sanctioned entity

Posted Nov 10, 2025 15:41 UTC (Mon) by paulj (subscriber, #341) [Link] (18 responses)

Oh, and for clarity, as stated before, this means the wider distributed messaging system can be made so that the sending node that sends a payment for a message or set of messages does not know which other set of nodes ultimately are reimbursed for participating in the communication of those messages.

Ergo, users are not sending any money to any specific node. Ergo, users in regime X, where regime X dislikes another regime Y enough that it has punitive sanctions against people within the reach of regime X who might do such terrible things as send messages within a distributed system that happens to have some participant nodes located in or run by people in regime Y, can not be said to have interacted in any way with regime Y.

The shocking rise of illiberalism, even neo-fascism, *across the world* will simply accelerate the adoption of privacy-protecting distributed messaging and payment systems. (Session - getsession.org - possibly being the best of what is workable, at this time, in the messaging system space).

Sending e-mail via a possibly sanctioned entity

Posted Nov 10, 2025 21:07 UTC (Mon) by pizza (subscriber, #46) [Link] (17 responses)

> Ergo, users are not sending any money to any specific node.

LOLwut?

Party A wants to send email to party B. To do so a token of some "value" must be transferred that can be converted to/from "money" at either end.

No matter how much technical handwavery you layer in the middle, there's no escaping that fundamental fact, nor the fact that national governments have _very_ strong opinions (ie "laws" backed up by literal armies) on the subject of "transferring tokens of value".

It doesn't matter what value I transfer to a sanctioned entity, or how I do it. Legally it only matters that I did so (or directed someone else to do so on my behalf).

> The shocking rise of illiberalism, even neo-fascism, *across the world* will simply accelerate the adoption of privacy-protecting distributed messaging and payment systems.

I'd agree with you on the messaging front, but *payment systems* are another matter entirely. The fundamental problem with distributed payment systems is how said system converts into "real" currency on either end.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 10:37 UTC (Tue) by paulj (subscriber, #341) [Link] (16 responses)

We're agreed there is rising illiberalism across the world, notably in previously liberal, western democracies. I would view the ever restrictive laws on anonymity, the ever greater control our states have as a problem - given how this can be abused. The rising illiberality makes it a pressing problem.

To fight illiberalism requires the ability to associate. To fight illiberalism in a state that is willing to use the tools of control against opponents (as has now happened in a number of western "liberal democracies", against dissident motivations across the spectrum - it's not a question of left or right) requires the ability to associate anonymously (at least, anonymous to outsiders). Effective association requires some anonymity in communication, and in acquiring and distributing resources.

To object to such tools because "Lolwut? govs wont like it bruv" is simply not an argument worth considering.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 12:38 UTC (Tue) by malmedal (subscriber, #56172) [Link] (15 responses)

> requires the ability to associate anonymously

No, anonymity is helpful if you want to subvert a democracy. Crypto is helpful for paying agitators in a deniable way (e.g. where does Tommy Robinson get money for his luxury vacations?)

If you want to overthrow a dictatorship (what's the point of using euphemisms like illiberal?) what you need is a mass movement that is too big for the state to handle.

The greater control a state today has because of surveillance is because of the current state of technology, you are not changing that by getting democracies to restrain themselves with laws. A dictator will just ignore these, making them completely pointless.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 14:05 UTC (Tue) by daroc (editor, #160859) [Link]

Okay -- The micropayment stuff was interesting, if not exactly on topic, but this has strayed far from the original topic. Let's stop here, please.

(Remember Debian? This is a song about Debian ...)

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 14:08 UTC (Tue) by paulj (subscriber, #341) [Link] (2 responses)

Not all just movements are popular initially. Some oppression can be restricted to small groups - and hence opposition will not easily or quickly rally mass support. One man's freedom fighter is another man's terrorist. A terrorist today is a brave freedom fighter tomorrow (a wanted terrorist was just in the US white house).

It is interesting to see how my generation of techies - who when they were young would have nearly all been involved in or at least strongly supported the cypherpunk movement and been against the government in the crypto-wars of the 90s - have often become more conservative, at least in terms of supporting state control. People who once would have invoked May's (popularised by Schneier) four horsemen of the Internet as a derisory label now invoke those horsemen in support of the ever broadening tech-panopticon surveillance state.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 15:34 UTC (Tue) by malmedal (subscriber, #56172) [Link] (1 responses)

You don't seem to understand my point: crypto-currencies are only a useful tool against an opponent who is unwilling to use the standard dictatorship playbook, such as torture, arresting family members etc.

It's possible to write a fictional scenario where these really are the bad guys, but currently on planet earth none of the far too few countries that are actually respecting the rule of law deserve to be overthrown.

Your specific example refers to Syria, the old regime would have collapsed years earlier if they hadn't been propped up by the drug trade and associated money laundering so crypto was very much on the wrong side there.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 17:59 UTC (Tue) by paulj (subscriber, #341) [Link]

For clarity, and without intending to further the discussion. My reference to Syria was solely to illustrate the "One man's freedom fighter...." concept. My references to rising illiberalism were meant largely to refer to western democracies, which (to me) are steadily inching down ever more totalitarian paths - on both sides of the political spectrum (as and when they gain power). States already highly illiberal are of course also a concern.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 15:51 UTC (Tue) by NAR (subscriber, #1313) [Link] (10 responses)

> If you want to overthrow a dictatorship (what's the point of using euphemisms like illiberal?) what you need is a mass movement that is too big for the state to handle.

In Hungary (an illiberal democracy) the mass movement (a new opposition party) that grew too big to handle was (partly) sparked by an anonymous report that the president pardoned a pedophile-enabler. As far as I know, the guy who noticed that pardon (buried in official communication) and sent it to the press is still anonymous. So having an anonymous communication format has it merits even if a mass movement is required to replace the government.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 16:48 UTC (Tue) by malmedal (subscriber, #56172) [Link] (9 responses)

apologies if I'm not being clear, I'm only objecting to secret payments, not secret messages.

it is in a democracy's own best interest that its citizens can communicate safely without being overheard.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 18:12 UTC (Tue) by paulj (subscriber, #341) [Link] (8 responses)

As a final response.

We want to communicate anonymously (from the POV of others), without being overheard. We have looked at our threat model and our security requirements, and determined it is best served by obtaining phones running GrapheneOS. You lack the resources to obtain such a phone, and further the regime you are in views the purchase of secure phones as very suspicious - and you are likely to be put (at a minimum) under observation if such a purchase is detected. We have determined that it is best I purchase the phone for you (you haven't the resources), and we do so as anonymously as possible (so we have at least some plausible deniability if detected, e.g. intercepted shipment). I am known, in the wider world, to be associated with you.

One option is for me to use Tor to go to an anonymous online bazaar. Then to use an anonymous distributed payment method to buy a GrapheneOS phone, and have it shipped to you (ideally, some drop-box or shared address that is at least not /uniquely/ associated with you). You and I know, from experience of others, that there is a minimal intercept rate on such shipments.

This is NOT an unrealistic example of how anonymous communication systems AND anonymous payment systems can be used to help protect activism in some places.

Sending e-mail via a possibly sanctioned entity

Posted Nov 11, 2025 20:12 UTC (Tue) by pizza (subscriber, #46) [Link]

> This is NOT an unrealistic example of how anonymous communication systems AND anonymous payment systems can be used to help protect activism in some places.

This is an example of a quasi-anonymous communication system that sorta works (except for the glaring problem that it's a literal *phone* which means you're going to be "anonymously" tracked by $telco and/or anyone running an IMSI catcher)

Take away the "phone" part of that and you can piggyback off of public/"open" wifi, again for varying degrees of anonymity. That said, a not-terribly-repressive regime can easily require folks to present some sort of government ID and/or tie access to your device [1] as a condition to grant access to said wifi. And said regime can easily require all traffic to be routed through "great firewalls" or some other classification/inspection/tracking system [2]

And sure, you can interpose middlemen, but when $oppressive_regime has no qualms about disappearing its own citizens, all you'll accomplish is a slight delay in how long it takes your door to be kicked in.

> One option is for me to use Tor to go to an anonymous online bazaar. Then to use an anonymous distributed payment method

Again, the vulnerability here is the ability to convert this "payment method" into $national_currency on either end. Those exchanges are the choke points that governments can, and do, go after.

...I keep coming back to the "what threat vector are you trying to protect yourself against" question. Because a guido wielding a gympie trounces technical handwavery... every. single. time. (see xkcd #538)

[1] I experienced this a decade ago when traveling in the Middle East.
[2] This capability continues to be demonstrated by China

Sending e-mail via a possibly sanctioned entity

Posted Nov 12, 2025 13:12 UTC (Wed) by malmedal (subscriber, #56172) [Link] (6 responses)

> This is NOT an unrealistic

It's unrealistic to the point where it looks like a parody. Is it intended as one?

Phones are widely available in almost all countries; it is rarely a hard-to-get item. In a country where they are hard to get, North Korea, they have implemented some kind of authorization scheme so only government-provided phones can actually connect to the network; an activist firing up your GrapheneOS phone will be arrested immediately.

(I believe they do have provisions for tourists calling abroad, but an activist trying this will be noticed and arrested)

Sending e-mail via a possibly sanctioned entity

Posted Nov 12, 2025 17:08 UTC (Wed) by paulj (subscriber, #341) [Link] (5 responses)

"It's so unrealistic it's a parody!"...

1. proceeds to give an example of a country where phone purchases generally are restricted as described
2. fails to spot that my comment says "You lack the resources to obtain such a phone", so either I have to send you money somehow (anonymously) or I have to send a phone.
3. I may also be in the same restrictive regime, I just happen to have the resources to buy the item.
4. There may be numerous other types of items useful to activism that one may wish to purchase for oneself or others anonymously.

If your argument really is that activists never need to buy anything that may be sensitive, where anonymity is desirable, then it is your argument that is parody.

Sending e-mail via a possibly sanctioned entity

Posted Nov 12, 2025 17:10 UTC (Wed) by paulj (subscriber, #341) [Link]

Also, even if one lives in a country where phone purchases are not of themselves restricted, it may still be desirable to not leave a record for the tech-surveillance panopticon that you purchased a very particular model of phone capable of running a more secure OS.

Sending e-mail via a possibly sanctioned entity

Posted Nov 12, 2025 19:02 UTC (Wed) by malmedal (subscriber, #56172) [Link] (3 responses)

> "It's so unrealistic it's a parody!"...

> 1. proceeds to give an example of a country where phone purchases generally are restricted as described

No, I'm pointing out that anybody trying to use your OS is likely to be arrested very quickly. The phone will need to authenticate itself to the network in order to prove that it is indeed an approved phone with the correct spyware installed.

> 2. fails to spot that my comment says "You lack the resources to obtain such a phone",

No, I'm saying that phones are ubiquitous, access to one is not a limitation, and I'm saying that getting a GrapheneOS phone is not going to help if you are physically in a dictatorship.

What activists need to do is to make their electronic signature as innocent as possible. One common tactic is to post coded messages to a popular forum that is also used by normal people.

With your solution, as soon as the police find the first activist with a Graphene device, they will know what the traffic looks like and can use that to simplify the search for the rest.

Sending e-mail via a possibly sanctioned entity

Posted Nov 12, 2025 19:28 UTC (Wed) by pizza (subscriber, #46) [Link]

> What activists need to do is to make their electronic signature as innocent as possible. One common tactic is to post coded messages to a popular forum that also used by normal people.

Along those lines, the Iranian revolution in the late 70s was famously seeded via already-ubiquitous cassette tapes of Khomeini's speeches.

Sending e-mail via a possibly sanctioned entity

Posted Nov 13, 2025 10:11 UTC (Thu) by farnz (subscriber, #17727) [Link] (1 responses)

The key to this is that "innocent until proven guilty" is an artefact of liberal societies. If you're in an illiberal society of some form, once you've been identified as a troublemaker, you will be found guilty of something; if necessary, police will plant or forge evidence to show that you've been involved with something society at large considers abhorrent.

Thus, your goal is to not do anything that would give the police a reason to look at you; you're reliant on the fact that there's more citizens than police, and thus they cannot monitor everyone in depth. The moment you do something that marks you out as "odd", you're either fully compliant with the regime (just slightly weird - maybe you like brandy more than vodka), or you're marked out as a troublemaker and they will find a way to get you.

Sending e-mail via a possibly sanctioned entity

Posted Nov 13, 2025 11:54 UTC (Thu) by malmedal (subscriber, #56172) [Link]

Arresting innocents is a common tactic yes. I forget the name, but a Soviet dissident recounted a conversation that went like "how long are you in for?" "Fifteen years" "what for?" "Nothing at all" "you're lying, nothing at all is ten years"

Sending e-mail via a possibly sanctioned entity

Posted Nov 10, 2025 16:13 UTC (Mon) by Wol (subscriber, #4433) [Link]

> As stated before, it is technically possible to have a distributed system that includes or relies on a distributed ledger payment system where no one can determine from the ledger, with any useful certainty, how much was sent by whom to whom.

And as far as I can tell, both you and farnz are in violent agreement on this point!

As farnz keeps on banging on, the problem is SOCIAL, and there is no way from a SOCIAL perspective that anything like this will take off.

Cheers,
Wol

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 17:48 UTC (Mon) by anselm (subscriber, #2796) [Link] (3 responses)

> So... it's just a strawman. There are no regulations nor taxes that would apply to some trivial-scale "friends and family" next-gen-email-replacement system.

Sez you. When the tax man rings my doorbell I'll refer them to you.

Anyway, as I said, the whole payment-for-mail issue is moot as far as I'm concerned because, as I've outlined in my previous message, there are better approaches for “next-gen-email-replacement systems” that don't even involve money (let alone shady cryptocurrencies).

Incidentally, one problem that makes me not like the pay-to-play approach to email is that I run a bunch of mailing lists (some with a few hundred subscribers). If I need to pay a trivial amount for each email message sent across these lists, that trivial amount times the number of subscribers times the number of messages per day at some point becomes not quite so trivial anymore. The obvious solution to this is to charge mailing list subscribers, but then hey, suddenly instead of someone with a fun hobby I'm a news publisher running a paid-for service for the public and again all sorts of regulations start to apply (apart from the hassle connected with having to ensure that every subscriber puts their contribution into the kitty). Why would I ever go for that sort of thing when right now I don't need to pay anything above the cost of the mail server, which is a trivial amount?

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 18:00 UTC (Mon) by paulj (subscriber, #341) [Link] (2 responses)

> (apart from the hassle connected with having to ensure that every subscriber puts their contribution into the kitty)

If your understanding of what I've been sketching is a system where you have to manually charge people each time they send their message to your distribution group, then... let's just leave this. (It's way OT anyway).

Also, again, there's no tax obligations for a group of people running systems for informal associations. There are all kinds of clubs out there, where people pay money to cover the costs the activity of that club (e.g. hosting a website, hosting races for things like running and cycling clubs, buying club kit, etc.), and it's all on an unincorporated basis and there are no tax obligations on the club or the person who handles the money for the specific activity that generated the cost, if there are only costs involved. Both English and Irish law definitely have the concept of unincorporated associations, I know this for a fact, and I'm pretty sure there is an equivalent in germanic jurisdictions - that probably then covers very large swathes of the world, given how many others derive from those in some way.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 18:04 UTC (Mon) by paulj (subscriber, #341) [Link]

If you search for unincorporated association you will find the UK HMRC page that says what I wrote there, as you don't believe me.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 10, 2025 19:02 UTC (Mon) by anselm (subscriber, #2796) [Link]

> If your understanding of what I've been sketching is a system where you have to manually charge people each time they send their message to your distribution group, then... let's just leave this.

Now you're building the strawman. Obviously, the way this would really work is that people subscribe to the mailing list in the way they would subscribe to a magazine, i.e., X amount of money/month gets you everything that goes through the list. You would calibrate X such that your cost to send N messages per month to M subscribers would be less than X*M. Depending on the readership and volume of your mailing list, X*M can be a non-trivial amount of money. You would still have to have some sort of infrastructure to sort out every subscriber's payments (especially since, for d…n sure, you don't want every subscriber to have to deal with the likes of Monero), and depending on how big X*M is, you're absolutely running a commercial enterprise here.

Again, the whole idea of founding an email system on micropayments is something that will never fly, anyway. There are better ways to fix email which also require large numbers of participants to warm to the idea but don't involve money.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds