He can give you your own PO Box on the Net.
Johan Helsingius is the 32-year-old president of Penetic, a Helsinki,Finland, firm that helps businesses connect to the Internet. His hobby is running a controversial anonymous remail server on the Internet, anon@penet.fi. Think of it as your own secret PO Box on the Net. Anyone can send e-mail to the server. Unlike some other such servers, anon@penet.fi also forwards replies to you. (Send e-mail for further instructions.) We caught up with Helsingius recently at the Massachusetts Institute of Technology.
Wired: What's the setup of penet.fi? What kind of computer do you use, where is it, and so forth?
Helsingius:
It's a generic 486; I don't even remember the brand. It's just a typical 486 box. The current machine has been in operation for something like a half a year - an earlier 386 ran out of steam pretty early.
Where physically is it?
That's something I probably wouldn't like to discuss. It's not in my house. It used to be. It's now somewhere that I have access to, but I wouldn't like people to know where it's located. It's in a machine room at a business in Helsinki, a pretty big business with lots of machines. Nobody knows except a couple of guys who are running the computing room. It's not in a university, because at universities you always run into political problems. I'm a bit paranoid about people getting access to the actual server. I think there are lots of people around who'd like to have that database, the database correlating the real people to their anonymous handles. That's kept forever, but I don't keep copies of the messages that actually go through the machine.
How do we know that you don't read any of the mail that flows through penet.fi?
You don't. There's absolutely no way I could guarantee to anyone, I mean really prove I'm not looking at the stuff. There's no way to prove it. People just have to trust me.
Do you use it yourself?
I haven't actually posted anything through the server, except using the administrative account anonymously. I actually don't use it myself, nope. I never had the need. But I can definitely relate to people who have the need. Who has the need? People who want to talk about things having to do with minorities. I actually belong to a Swedish-speaking minority [that makes up 4 percent of Finland's population]. I was born in Finland to Swedish- speaking parents. It's not a problem but it sort of makes you appreciate the problems. There are some situations where I wouldn't want people to know I belong to the Swedish-speaking minority.
So why do you run an anonymous remailer?
It's important to be able to express certain views without everyone knowing who you are. One of the best examples was the great debate about Caller ID on phones. People were really upset that the person at the receiving end would know who was calling. On things like telephones, people take for granted the fact that they can be anonymous if they want to and they get really upset if people take that away. I think the same thing applies for e-mail.... Living in Finland, I got a pretty close view of how things were in the former Soviet Union. If you actually owned a photocopier or even a typewriter there you would have to register it and they would take samples of what your typewriter would put out so they could identify it later. That's something I find so appalling. The fact that you have to register every means of providing information to the public sort of parallels it - like saying you have to sign everything on the Net. We always have to be able to track you down.
Who really needs to use an anonymous remailer?
It's clear that for things like the Usenet groups on sexual abuse, people need to be able to discuss their own experiences without everyone knowing who they are. Where you're dealing with minorities - racial, political, sexual, whatever - you always find cases in which people belonging to a minority would like to discuss things that are important to them without having to identify who they are.
But there are other people who use it, too, right? You mentioned people who posted questions to groups on child rearing and programmers who wanted to ask technical questions anonymously.
That's right. Posting technical questions because they're really afraid they don't know what they're supposed to know. A more important case would be someone who, for example, found out that his or her computer had a bad security problem and the manufacturer wasn't doing anything about it.
How long does it take for a message to go through your machine, have any traces of the user's identity stripped, and move on?
Theoretically, it only takes a couple of minutes. But the machine has been really overloaded lately, and delays can stretch up to a few hours. It's currently handling about 4,000 messages a day. I'm actually about to rewrite the software to be more efficient.
You've been the target of a number of attacks, I understand. Someone said your server was shut down recently when someone from the US government complained to Finnish authorities?
It wasn't actually someone from the government in the US. It was someone who was pretty well known on the Net, a guy who has been on the Net for a really long time. I don't want to say who he is because I feel he didn't know his actions would result in a shutdown. It was a short shutdown and never a complete shutdown - I shut down the posting part for something like two to three weeks, but mail still worked and I re-enabled the full service pretty soon.... I shut down because of the sensitive nature of the connection. The international network connection went through the Finnish University net, FUnet, and this man complained to the domain administrator at FUnet. He said basically that the anon server was generating lots of junk traffic on the Net. He was saying it wasn't a good thing. Most of it was just stuff like silly arguments, personal attacks against people. The domain administrator contacted me and said he had received complaints; because of the delicate situation with the international connection, I thought it was best to restrict the service for some time until we actually got the international thing sorted out.
Some people are very hostile to your setup, aren't they? People have tried everything from "saturation mail bombings" to anon-mail-eating worms, right?
Saturation bombings actually happen every now and then. About once a month someone tries to send 100 Mbytes of something. It's random data mostly. When that happens you either get lots of delays or start losing data. Mostly at that point the traffic goes so high the service provider notices it and contacts me and I ask to have service blocked from that site for a couple of days. I know it's not the same person doing it. It seems to come from random sites.
What about the anon-mail-eating worm?
It was just a really silly scheme, the cancel bomb. Someone wrote a program to automatically cancel anonymous messages. The basic idea was to send out cancel messages for all the anonymous postings. But it actually backfired pretty badly, both politically and technically. Politically, there were lots of people who got really angry about censorship - that their articles were canceled and that someone was actively censoring stuff, trying to play network police. As far as technically, there was some problem with the software, so it actually ended up posting hundreds of messages on usenet. admin.something. There were just lots of garbage messages there suddenly and everyone got really pissed off and a few mail servers crashed from the load.
You could make a lot of money selling some of the secrets of cyberspace, couldn't you?
There was an April Fools' joke last spring, an e-mail message coming from an obscure site in South America, saying that someone had managed to crack my machine and get access to the database. They posted something like, "If you wish to know under which ID someone's posting, just send $10 to us. For well-known net personalities, send $50."
