I have the same doubt. You need to define "anonymous list". In particular, specify who is, and who is not, supposed to be able to
- See email addresses of subscribers.
- Figure out whether two posts are from the same person,
as well as whether you need to
- Ensure that subscribers' posts can't be spoofed.
These sites already are using anonymous lists http://www.na.org.za/mailing-lists, http://www.12stepforums.net/mailinglist.html, http://www.e-aa.org/maillist.html.
From the above I deduced that there can be three different use cases.
The list manager is a doctor, treating their patients. In this case they'll be able to view patients' e-mail ids. The e-mail ids will be mapped to something like "anonymous_timestamp@domain". The list manager in this case will have an interface where the anonymous ids will be listed along with the real e-mail ids. This shall help them know whether two posts are from the same patient or not, and also be able to communicate with patients if the need arises. This list can be like an online support group where the list manager is the doctor and the members are his patients. Lists like http://www.12stepforums.net/mailinglist.html will come under that category.
The second use case can be when the list manager himself cannot be trusted with the details. Suppose there is an online mailing list for drug addicts to overcome their addiction, created by an ex-drug addict, but we cannot trust our mail ids with this person, as we don't know his intentions clearly. In these cases the list manager cannot be trusted fully, or the list manager has no use for knowing my email id. Here the list manager won't have any interface mapping anonymous ids to the original ids, but can identify whether two mails are by the same user or not by looking at the header (From: anonymous id) on the two mails. In lists like http://ottawana.org/, members help each other; in such a case the list manager has no business knowing the e-mail ids of members, as he is not offering any help like the doctor in the previous case, so they would remain hidden from him. But if someone tries to spam the mailing list, that person can be caught by noting his anonymous id.
I didn't come across a single mailing list for whistleblowers, activists, or people trading very sensitive information. Suppose there is a group of whistleblowers and journalists who are connected through this mailing list. Obviously in this case the list manager won't be able to note my real e-mail id, but can verify me using my public key (X.509 certificate); the mails in such cases would concern national interests. Hence, there can be hacking attempts on the database or mail spoofing attempts.
Hacking attempts can be made futile, as the people registering for this mailing list are definitely not going to register with their actual mail ids; hence even if those stored mail ids are exposed, there is very little chance of them getting caught. Sites like http://www.sendanonymousemail.net/, http://www.33mail.com/ and https://www.hushmail.com/ provide anonymous mail id creation.
Mail spoofing attempts can be stopped by encrypting mails using PGP, but there is one problem. The person encrypting the mail would have to share their public key with everyone on the mailing list, which can be a tedious task as mailing lists keep on changing in size, and mails can also be leaked if the public key falls into the wrong hands.
I've come up with a solution for this: these mailing lists will be kept in a very different category from the others. Here, whenever a user registers, they'll also have to provide their public key. So now it will work in this way:
- User A will encrypt a message using his private key (PGP) and send it to the mailing list.
- On receiving a message, it will be decrypted with the public key provided from the database.
- Now a session key will be generated, and it will be encrypted for the different users using their public keys. So suppose ABC is a session key and user B, user C and user D are there. The session key will be encrypted differently for each user using their public key. (Another way would be to encrypt the contents of the message using the public keys of the users, so every message would be encrypted differently depending on the user's public key. But in this situation there can be a lot of time lost, as the time taken would increase with the size of the mailing list; it can still be implemented in cases where security is more important than time, so it'll depend on further details like the size of the list.)
- The message contents will be encrypted using the session key to overcome the time overhead mentioned above.
- The users will first decrypt the session key using their private keys and then use it (the session key) for decrypting the original message.
This can be thought of as a safe method, as people trying to spoof the messages won't be able to do anything, which is what I suppose.
Maintaining a mail archive or not will be the decision of the mailing list managers.
This case doesn't necessarily apply to whistleblowers only, another use case can be between police and secret informants. Informants can pass messages through the mailing list.
Problem: the list manager has to be authentic; using their public key, list subscribers can verify their authenticity (or I propose a public key for the list itself, which people can then use to verify the list's authenticity). Authentication can be done using a public key and an X.509 certificate; more info here: http://en.wikipedia.org/wiki/X.509.
How a PGP key works: http://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/
Idea for session key usage, and how to prevent identity spoofing: http://en.wikipedia.org/wiki/GNU_Privacy_Guard#Process
The encrypting and decrypting can be implemented by putting appropriate code in the pipeline process of the respective queues.
Sorry for such a long message; suggestions and criticism are welcome. I want to know the areas where this mailing list would fail in its work of keeping its members anonymous. Should I go forward with creating a project proposal with this idea for GSoC?
Pavan Shankar Koli
GitHub: www.github.com/pkoli
Website: www.techjugaadcenter.me/pkoli
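The flow proposed in the message above (poster signs, the list verifies against the key registered at sign-up, generates a fresh session key, wraps it for every member, and members unwrap it to read the body), as an added example in Go that is not part of the original post or of any list software. It assumes RSA-2048 keys in place of PGP keys, RSA-PSS for the "encrypt with his private key" step (which is really a signature), RSA-OAEP for wrapping the session key and AES-GCM for the message body; the Envelope, NewKey, Sign, Relay and Open names are my own.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

type Envelope struct { // what the list relays: one AES-GCM ciphertext plus the session key wrapped per member
	Nonce, Body []byte
	WrappedKeys map[string][]byte // member name -> session key encrypted to that member's public key
}

func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // stands in for the PGP key pair each subscriber registers (RSA-2048, assumed)

// Sign is the poster's step: the post's "encrypt with his private key" is really a signature.
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}

// Relay is the list's pipeline step: verify the post against the poster's registered key, then encrypt it once under a fresh session key wrapped separately for every member.
func Relay(poster *rsa.PublicKey, msg, sig []byte, members map[string]*rsa.PublicKey) (*Envelope, error) {
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(poster, crypto.SHA256, h[:], sig, nil); err != nil { return nil, err } // spoofed or altered post stops here
	sessionKey := make([]byte, 32) // AES-256 key, new for every message
	rand.Read(sessionKey)
	block, _ := aes.NewCipher(sessionKey) // cannot fail: the key length is fixed above
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	env := &Envelope{nonce, gcm.Seal(nil, nonce, msg, nil), map[string][]byte{}}
	for name, pub := range members { // only this loop grows with list size; the body is encrypted once
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil { return nil, err }
		env.WrappedKeys[name] = w
	}
	return env, nil
}

// Open is the member's step: unwrap the session key with the private key, then decrypt the body.
func Open(name string, key *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, env.WrappedKeys[name], nil)
	if err != nil { return nil, err } // also the non-member case: no key was wrapped for this name
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Body, nil) // fails if the body was altered in transit
}
```

Relay does the RSA work once per member but the AES work once per message, which is the trade-off the post describes; the verification step is what stops a post that does not match the registered key.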