Justification for sharing email lists

Jon Roland

Several questions have been raised concerning the production and distribution of email lists of militia contacts and allies and directories of militia contacts. This is to explain and justify this effort, and to enable persons to make better use of such lists.

Each person who is active on the Internet and wants to copy messages to groups of recipients inevitably gets into the business of maintaining email lists. It can be quite a chore, requiring a great deal of valuable time to keep the lists complete and accurate.

This process is facilitated by two kinds of distribution methods: usenet newsgroups and email listservices (sometimes called reflectors). In the first, a subscriber to the newsgroup reads postings to that newsgroup, posts his own articles to it, and they may or may not be read by others. In the second, persons subscribe to the service, and persons sending an email message to the list will have their message copied to all subscribers.

The advantage of a listservice is that if you know who is subscribed and online, you can have some confidence that they will receive your messages, whereas you can never know who may or may not read a newsgroup during the short period that your postings are made available.

A person who frequently reads and posts to certain newsgroups, and who subscribes to certain listservices, will inevitably develop lists of newsgroups for cross-posting the same message to multiple newsgroups, and lists of listservices for cross-posting messages to multiple email lists. But neither provides assurances that a message is received by a particular party.

If email cannot be delivered to a recipient, it will normally be bounced, or returned to the sender, with a message explaining why the message could not be delivered, such as "bad address", or "mailbox full", or "delivery deferred". However, although some bounces will be reflected to all the subscribers to a listservice, normally a well-running listservice will filter such bounces out, and only the administrator of the listservice will receive them. Moreover, some popular Internet providers do not return bounced email to the sender. All the sender knows is that he didn't get a reply from the recipient, and it may take a phone call or two to find out whether he got it.

So what does one do if one wants some assurance that his messages will reach all of the members of some group who are online to read their mail? One has to maintain one's own email list. This may be done in several ways: One can manually type in a long list of recipients in the Cc: list of each message sent. One can define an "alias" name to which a message can be sent, consisting of a list of email addresses, and the mailing program (MUA or Mail User Agent) will expand the alias into the list before the message goes out. Or, one can maintain a database table of email addresses, perhaps with other identifying information, and use a program to send a given message to each address in the table, perhaps selecting on some combination of field values.

If a group of persons united in a common cause want to keep each other, and perhaps a larger surrounding group, mutually informed via email, then the only practical alternative is for them to maintain and share a common directory or database of addresses. One way to do that would be for one of them to undertake to set up a listservice for the group. But that makes the group dependent on the administrator to maintain the subscriber lists, and to notify each of the subscribers of changes in the composition of the membership. If something happens to that administrator or his computer, everybody is out of contact.

The only secure thing anyone can do is to maintain their own local email list, but how does one acquire and maintain its member addresses? One can begin by including everyone one has corresponded with as a primary addressee. Next, one can add the entries on the Cc: lists of one's correspondents for messages on the subject of interest, on the assumption that they are persons with a continuing interest in the subject. This is most easily done by simply including all the recipients of a received message in a reply, perhaps after adding a few recipients of one's own.

There are several problems with this. First, you don't always know who the addresses belong to, and therefore whether they are really a suitable recipient for a given message. If enough people add an inappropriate recipient to their lists, the result may be many, many copies of that address in many, many correspondent's email lists, and an irate recipient who doesn't want email on that subject. Second, you may get bad addresses from messages of a sender whose Internet provider doesn't return misaddressed email. Third, you may not get changes to email addresses, and may even continue to send to bad addresses after you get the changes, especially if you just "include all recipients" in making replies.

The obvious solution is for several of the members of the group to get together, consolidate correspondent addresses, figure out who they are, divide them into subsets based on the kinds of messages appropriate to each, share the lists among the group, and ask for people to submit additions and corrections.

The questions that have been raised mainly concern the disclosure of such lists. While admitting that such disclosure aids the members of the group in communicating with one another, some may feel that it also aids potential adversaries, and that the damage such potential adversaries can be expected to do with the information outweighs the expectable benefits to the group.

A determination of the risks and benefits of such disclosure must begin with a threat assessment. Who are the potential adversaries, what are the chances that such disclosure will provide them any information they don't already have, what damage might they do with any additional information it would provide them, and how would the disclosure affect the chances that they would undertake to do any such damage, or that they would be successful?

First, who are the potential adversaries? We can group them into several categories: federal agencies and their puppetmasters, state and local agencies, the media, commercial organizations, and rival advocacy groups.

Let us begin with federal agencies. To understand whether such disclosure aids them, one must first have an understanding of their capabilities, and for that one must begin with an understanding of how the Internet works.

The Internet is a cooperative network of computers, linked together with communications lines, which store and forward messages from the sender to each computer along a path to the recipient. Each of the computers or organizations in the network has a facility called the Domain Name Service (DNS) which resolves the address of the recipient and determines the next computer in the path. This is done by maintaining a common database of computers linked to the network, called hosts, organized into named hierarchies called domains. One includes one's computer in the system by registering a name and IP number for it with a central service called the NIC. Some computers mainly act as forwarders to other computers along the main channels, or trunks, which others, the branches or leaves, are only concerned with forwarding messages to other computers in the organization, or to users, and with managing outgoing message traffic.

The important thing to know about all this is that each of the main computers in the system has its own copy of the addresses of all known "leaves" or hosts, that messages are stored on disk for a short period of time while the DNS facility figures out where to send them next, and that most of the computers in the system are not secure against intrusion by the government, or even by private parties, with physical access to the computers. While they are on disk, or, for that matter, even while they are in memory, messages can be read, copied, scanned, selected, and copies of selected messages diverted. Most of the main computers in the Internet system are owned by organizations that receive public funds, either by government agencies themselves, universities, or corporations that do a substantial amount of business with the government.

It is not a secret that all email traffic is monitored by the National Security Agency, not only the traffic in the United States, but throughout the world. Other agencies are known to do their own monitoring.

Some think that to receive such messages, "infiltrators" must pose as recipients. This is not the case. That would be inefficient. They have much easier ways.

One of the things they are known to do is to maintain a database of all sender-recipient pairs, with the dates and subjects of their messages. That includes the usenet newsgroups. This can enable them to get a report of all of the combinations of corresponding addressees on any given topic. This is not difficult to do. Any competent programmer could easily whip out a program to do that, and keep it running in background on a link in the network, scanning and organizing the sender, recipient, and copy lists within the messages, and showing how each is linked to all the others.

It is possible to encrypt the contents of messages in ways that are effectively unbreakable, using RSA/PGP encryption, which also provides for authentication of the sender. But the address information cannot be encrypted in the present Internet system. (The author is involved in studies of ways to encrypt addressing as well, making the kind of penetration described above much more difficult.)

It is also not a secret that the NSA monitors all other forms of communication as well: voice and fax telephone, radio and television broadcasting, two-way radio communications. Most such monitoring is done by computers, which record everything while listening for certain keywords or other "signatures" (such as individual voices), and flag the tape for suspected sessions, so that later, personnel time permitting, the flagged tapes can be audited by human beings. If a tape is not flagged, or if no one gets around to auditing it, then after a certain period of time the tape gets reused. Tapes of special interest are saved for future use.

The reader may recall that the FBI and other government agencies have been active lately trying to do things like get their own encryption technology used in all telephones, and getting it made legal to obtain reports of who called or was called by any given person in a given period. They are only asking for it to be made legal to do what they are already doing illegally, from a single central office, with a few keystrokes. They want to use in court what they are now using in investigations.

So, we can conclude that federal agencies know who is communicating with whom. But, some might object, "they don't necessarily know the identities of the individuals behind the addresses, and that is what we object to the disclosure of".

It is a simple matter to write a program that extracts the addresses of everyone who posts to a given newsgroup, everyone who sends email to a listservice, and everyone on the sender and Cc: lists of received email, and which even extracts identifying information and saves it. This doesn't have to be done at a link in the network. Any user can do it. Sooner or later most people will provide some identifying information, to someone, somewhere, and it will get picked up.

So, one might be careful and not provide identifying information. But what about the account information kept by the Internet provider? Small, local or regional providers may be somewhat secure against outsiders obtaining copies of account information, but the larger, nationwide providers are not. Some even sell the information to the open market. If you provided any identifying information in obtaining the account, such as a credit card, and the provider is one of the larger ones, then you can assume that the federal agencies have the information.

So, you say you work for a company, and your name is not identified as part of the address of your workstation or your user account on it. Really? The company files personnel information with the government on its employees, and federal agencies have their own "crackers" who can probably penetrate your system and find out who belongs to each user account and who has superuser privileges. If you are a contractor or system administrator, perhaps you can conceal your identity, but not if you are a wage employee.

So what about state and local agencies? Any threat they might provide would be in conjunction with federal agencies. Generally, the prospect of attacking persons who are linked into a nationwide network of people who can bring a lot of unwanted attention and pressure down on them from all across the country is more likely to discourage them than to assist them.

And the media? The hazard here is that they will be able to find you to ask you questions about topics of the day related to your political activities. If you are not ready for that, you can discredit yourself and the movement. The solution is to be ready for it, either to answer the questions yourself or to be able to put the media organization into contact with someone who is better prepared than you are.

If you are going to work for a cause, then you had better use the media for that when you get the chance. Don't expect them to be your lapdogs, as they too often are for the government and the Establishment. They can be tough, but if you hold your own, you can advance your cause better than through almost any other means. Stick to the facts, and keep your arguments brief and tightly reasoned. Maintain professional composure and project a positive attitude.

And commercial organizations? The main concern here is that disclosure may adversely affect business or employment. This is a legitimate concern. People have lost jobs over their political involvement, and had customers shun them. However, things are not as bad as they were in the McCarthy Era and the days of the House Un-American Activities Committee. Blacklisting requires a considerable expenditure of scarce assets, and as long as there are as many people involved in the patriot/militia movement as there are, it is unlikely that very many persons could be effectively targeted, or targeted in a way that would not be found out, resulting in bad publicity and expensive litigation for the government and businesses participating in such discrimination, which is a violation of criminal law. All a targeted person would have to do is spread the facts about the blacklisting across the Internet and enough people would come to the victim's aid to make him a hero and take care of many of his needs.

An informal survey of patriot/militia activists finds little evidence of systematic discrimination of this kind. Such as there is seems to be local in origin, and would not be significantly affected by something like disclosure of an email list or directory.

Finally, there are opposing advocacy groups. Obviously, some of them might try to make trouble for movement leaders. But they can also get into trouble that way, and discredit themselves and their causes. Most of them are going to know who the leaders are through their direct encounters with them. The most likely response will be for them to develop and disclose their own lists and directories, to demonstrate their relative strength, if they have any.

If the patriot/militia movement involved only a few tens of thousands of persons, then such disclosure might indeed be a problem. But it involves millions, and polls indicate that an increasing percentage of the general population share their concerns. The movement has numbers, and is gaining more support. What it lacks is organization and communications.

Some try to treat the situation as though we were the Resistance in Occupied France during WWII. Things might come to that some day, and we should prepare for the contingency that they might, but that is not the situation we are in today, and we need to take advantage of the present circumstances while we can.

Now consider the advantages of disclosure. The first is for improved effectiveness and speed of internal communications. Remember we are mainly disclosing the information to each other. This is especially important for alerts and rallying grassroots pressure. For this purpose, time is of the essence. React a day late and we miss our window of opportunity. And if we are not coordinated and united, our separate efforts will be far less effective and may even cancel each other out. We have also seen the importance of rumor control, of not having some people going off half-cocked, while disinformation prevents the rescue of someone who really needs it.

The second is to lower the cost of communications. The alternative to being able to contact many people rapidly and at low cost while one has the time to do it right is to have to do it under crisis conditions later, when there simply may not be the time to do it at all. This is especially the case with Internet email. It is far less costly than long-distance voice and fax calls, copying, and postage. And the patriot/militia movement is not exactly overflowing with funds. We are already spending far too much of our limited resources on conventional communications, that could be put to better use. That includes the personal time of patriots, as much as their money. Anything we can do to save our time will go a long way to keeping people active longer and the movement stronger.

The third is as a demonstration of strength. During the recent crisis period, the previous release of directory information was used effectively to demonstrate that the movement was indeed a movement of hundreds of thousands or millions, and not just of a few thousands, and that it was nationwide and spontaneous, arising everywhere at almost the same time. The fact that the media could call leaders in almost every state, and get similar information, impressed them, and through them, both policymakers and the public. It also went a long way, by being so open and forthright, in dispelling much of the disinformation that was directed against it.

The fourth is for recruitment. Such lists and directories make it possible for people to get involved, to find out how to organize in their own areas, to share materials and ideas, and to reassure one another that they have plenty of good company and that they are not just some fringe activity with no hope of success.

Now is the time to take advantage of the explosive growth of the Internet to develop email contacts in every county of every state, and in every precinct of metropolitan counties. They need to all share the same information in an inexpensive and timely manner. We need to help all activists who don't already have computers to get at least one, get online, and get involved at the federal state, and local level, each a part of a coordinated whole.

The next step will be to go wireless. We must take advantage of the wired Internet, but not become excessively dependent on it. Using packet radio, and perhaps techniques like spread-spectrum and frequency shifting, we can extend the Internet to a wireless network that will enable any militia unit to send an authenticated message to any other, anywhere in the country, in less than 4 seconds, and make sure the recipient reads it in less than a minute. Such a system could continue despite disasters or disorders of almost any kind, and allow the continuance of constitutional governance under the most trying circumstances.