PGP: sequencing messages

[John Drabik]

On Sat, 08 Apr 2000 21:14:31 -0300 (ADT), Trevor Smith wrote:

This is rather long, but very important to more than just mail -
please bear with me, this is a serious First Amendment rights issue,
and any input would be appreciated.

>>I don't see how.  The issue involves both electronic and paper e-mail
>
>Oh, I didn't know you had to visually inspect paper copies of the
>....
>Case 1:
>You send your messages with your own scheme of IDs, say something
>like "Bob109r22" appears in the email somewhere to tell you you sent
>it to Bob.
>Case 2:
>Or suppose you send your message with the line "Dear Bob," in it and
>you PGP sign it. The unique identifier in this case will be the PGP
>signature which will be similar to something like this:

OK, I've been doing some experimenting, and was able to punch holes
in both of these almost immediately.

I've kept people in the dark long enough.  Here is the reason for
this line of inquiry: I am a member of a volunteer group in our city,
and we send e-mails among the group members to discuss various issues
of interest to citizens (all perfectly legal under First Amendment,
and according to our city-charter). We hold meetings, make
presentations to the city, etc., and our e-mail is informational
only.   Later, I found that one of the members was forwarding the
messages to a blind copy list and a land developer, and included on
that list are several other land developers.  One of the developers
has now brought suit against me, in an effort to shutdown my First
Amendment rights, as well as those of the citizens in general.  Other
developers have already jumped into the fray, and have taken or
threatened legal action against other citizens and the city itself,
including elected officials.  In other words, a full-court press to
destroy citizen input and rights.

Don't bother telling me that can't do that - they already have, the
lawsuit is active (kind of: the judge isn't doing anything with it
yet), and the amount of money they have hinted at for "punitive
damages" - several million dollars - would put me and the city I live
in right into the poor house.  That, of course, is the point of the
suit : silence people through legal intimdation.  It is called a
SLAPP (Strategic Lawsuit Against Public Participation).  Enough said,
for now.

The issue is, who was leaking the material?  (actually, I've now
determined, through other means, the exact publisher of the material,
the date, and the various e-mail and other accounts involved.  It
wasn't fun.).  By the way, the leaks don't bother me - this is public
information, after all.  However, the sneaky, under-handed, and
downright devious mechanisms used, along with later support by the
very same developer for that person when that person ran for public
office, I find to be repulsive or worse.  That person won a seat -
anybody want to guess if they'll actually represent the wishes of the
people who elected them, none of whom seem to be aware of the link?

In any event, when the suit arrived, it was accompanied by a copy of
one of the e-mails.  I was already pretty sure who had sent it, but
the question was How To PROVE It, in court?

Simple sequencing won't do - somebody can just remove the line
(although it could be argued that if EVERY message is sequenced, and
you can prove that, then you might argue to the court that the
document has been tampered with, and that perhaps other tampering was
performed too).

The PGP approach is tough, because looking at a printout, you can't
tell the difference between tabs and spaces, or even the number of
spaces in some cases, so you can't reconstruct a key easily (and
perhaps, not at all).  I tried a few messages to myself, and was
unable, without "cheating" to accurately reconstruct every space and
tab.

I've been considering another approach - encapsulating an encrypted
message within the first message, and placing a disclaimer on all
outgoing messages to the effect that "This e-mail has been tampered
with if this line and the encrypted message above it have been
removed", but again, the issue is : How do you get such a "message"
(the sequence number), into EVERY outbound message, so that later,
you could decrypt that much smaller message, and determine to which
document it was attached?  BTW, this approach also removes the
possibility that someone could copy the encrypted (say, hexadecimal)
"text" from somebody else's message, in an effort to frame them -
then, the PGP key on the encapsulating message would be wrong.  And,
the message must identify the receiver in some way - either through
the sequence list, or in the message itself.  This is tough if you
put several people on the "To:" or "CC:" lists, since each message
MUST be individually signed in that case; this implies some
client-side rework and transmission of individual messages.

But for that approach to work, you must be able to prove to the court
that every outbound message is tagged, is unique, and is encrypted in
such a way that the true recipient can be identified.

As you can tell, this is of more than theoretical interest: the
developer that is suing me has stated punitive damage amounts of $4.5
million dollars or more - millions more than I would ever make in a
lifetime.  He has also stated, in documents submitted to the court,
that he intends that I should forfeit my First Amendment rights for
at least five years, and I would then have to meet some capricious
"approval" condition (i.e., HE gives ME "permission" to speak)
thereafter.

If it sounds like he's trying to take that old piece of paper called
the US Constitiution, and rip, shred, and burn it, I wouldn't argue
with you.  To date, the court has done ABSOLUTELY nothing about it
either.  This is common - most judges don't ever see a real, live,
First Amendment case, and don't know how to react to one.  BTW, if
you look on google.com for SLAPP you will find a wealth of
information about the real danger and damage that such suits do to
the community, and about 15 states already have active anti-SLAPP
laws.

As a side note, the Legislature here (several months ago),
unanimously passed, in the House, an anti-SLAPP bill.  However, the
Senate, many of whom (including the former leader) are themselves
developers, didn't even bring it to the floor.  Further, the
developer in my case went out and hired a former law professor and
paid him to lobby on their behalf - despite the fact that he's
retired, apparently no longer licensed to practice law, and was
DEFINITELY not a registered lobbyist as the law requires!  
Outrageous?  You bet!   But happening, right now, to hundreds of
other people in our state too.

In other words: ELECTRONIC PRIVACY, AND MESSAGE SEQUENCING AND
TRACKING TO PROTECT INNOCENT PEOPLE AGAINST FRIVOLOUS AND FALSE SLAPP
SUITS, IS A SERIOUS PROBLEM!  (Sorry, didn't mean to shout, but this
@#$@ has been ruining my life for months, and the court system is
totally powerless to stop the @#$@).

Anybody have any more thoughts on a simple, effective way to
absolutely sequence and identify messages, via print and
electronically too (both are mandatory), even through blind-copy
lists and other mechanisms, to protect the rights of people?

>>rapid lookup - you have to get the message, strip comments or >
>>markers, and then recompute the PGP signature, *without* sending the
>>message, and then compare the results to some archive.  The last
>I'm not sure what you're talking about here. Probably since I don't
>understand the full intended purpose it's just not clear to me.

Perhaps now you see the issue.  The mail message sent with the suit
was printed, not electronic, and had been forwarded to the developer
in question, and broadcast to a list, surreptitiously, by somebody
else (and my reading of the law leads me to think that if somebody
else broadcasts a message that somebody deems "defamatory", it is
THAT broadcaster who is legally responsible - of course, that
wouldn't matter here, since the person was openly (and now, by
admission) working with that developer.  If I could have absolutely
determined the broadcaster/sender quickly, I could have alerted the
community before they voted that person into office.  But then, I
think that was one of the reasons the suit was filed when it was - in
September - in order to keep me out of the political process, so that
I wouldn't be able to identify and hurt "their" candidate.

There's a lot more to this story.  Stay tuned for a web page with all
the info.  In the meantime, sorry for the long message.  Hints or
advice on a solid solution to this problem, for future use at least,
would be GREATLY appreciated.  Obviously, I NEED it to work with
PMMail, but the technique could be usable for other e-mail clients
too, and if a good approach is found, I'll put the technique on the
coming web page, and give FULL credit to the person who devises a
workable scheme.

John