Data retention question

[Andrew Cormack]

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 31 July 2014 11:27
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Data retention question
> 
> In article <20140730191727.68ab69e9 at peterson.fenrir.org.uk>, Brian
> Morrison <bdm at fenrir.org.uk> writes
> >> But being able to show where emailed death-threats (eg from an
> estranged
> >> ex-partner) were coming from might help.
> >
> >Isn't that what the headers on the received email do (amongst their
> >other uses)?
> 
> Only to a certain extent. And if they do reveal which account it was
> sent from, you need the network's help to identify information which
> might eventually trace it back sufficiently.

A concrete, and not unusually complex, example from a few years ago.

A death threat was sent from a commercial webmail account, so to trace that we would have needed the webmail provider to have details of who their subscriber was (assuming the details provided on registration were accurate, of course). In fact it turned out that we could skip that step because the webmail included the originating IP address in a mail header. That IP address turned out to belong to one of the national Janet web caches (hence my then team's involvement), so we needed to look in those logs to identify the actual IP address from which the message had been posted. That address (belonging to a commercial ISP) was passed to the police who I believe then got in touch with the ISP.

IIRC Richard Clayton's PhD thesis has a lot more examples of how complex it can get, and which sources of tracing information are actually reliable.

Andrew
 
> Of course, the headers can also be forged, which is another common
> technique: Abusers making false reports against their victims, which
> are
> often hard to debunk if all you have are the headers.
> --
> Roland Perry