theinfopunk.com-hugo/content/posts/email2.0.md
2024-10-11 19:45:30 +00:00

3.4 KiB
Raw Permalink Blame History

+++ title = "Email2.0" date = "2023-12-17T12:41:15+01:00" author = "infopunk" authorTwitter = "" #do not include @ cover = "" tags = ["tech", "email"] keywords = ["", ""] description = "" showFullContent = false readingTime = false hideComments = false color = "" #color from the theme settings +++

For those who may not know, email is not owned by any one company. There are no copyrights or patents associated with email itself. It's an open standard that evolves over time through RFCs. While individuals and companies are free to develop software—whether open or closed source—using this standard, the core of email remains unchanged.

My Suggestion: Make Metadata-Minimized Email the New Standard Currently, email consists of headers and a body. Even if the body is encrypted, the headers are not. These headers contain a significant amount of data that can be harvested, even if the message content remains unknown. This makes email inherently less private than other forms of electronic communication, and its one of its greatest vulnerabilities.

What is Metadata-Minimized (M&M) Email?

M&M email would have just one piece of unencrypted metadata: the recipient's email address. Thats it. The recipient's information consists of two parts: the user and their domain. For example, in jsmith@example.com, "jsmith" is the user, and "example.com" is the domain. When an email reaches the example.com server, it simply routes the message to jsmith. Theres no need to include the senders information, timestamp, server type, IP address, or any other details typically found in unencrypted headers. Only the recipient's address is necessary.

What About Spam?

This brings us to the second part of the standard. All elements of the email, apart from the recipient's address, would be encrypted using the recipient's public key. Users could choose whether or not to advertise their public key. If you dont have the recipient's public key, you cant send them an email—the message would be automatically deleted. For business users, this would drastically reduce the amount of malware received via email. Additionally, if a spammer doesnt have your public key, they can't spam you. If they do have it, standard heuristic spam checks would still apply.

Handling Other Metadata and Backwards Compatibility

What if the receiving server adds metadata like “date received” or “IP address received from,” even though its not part of the M&M standard? Unfortunately, theres little that can be done to prevent this. However, the amount of data exposed would still be significantly less than what is typically available.

M&M email may not be backwards compatible with traditional email servers, as they might not know how to handle a message without all the usual headers. Conversely, an M&M-compliant server could theoretically ignore extra headers but would inform the user that the email is insecure.

And What About Services Like Signal?

Theres nothing inherently wrong with Signal, but its not an open standard, and users dont know what kind of metadata is collected or used. Additionally, Signal is designed for short-form messaging on mobile devices. Email, on the other hand, can handle megabytes of data, including text and attachments. The use cases for email and Signal are fundamentally different.

Let me know what you think! What would you add, change, or remove from this idea?