enable "User-Agent" header only with consent
Currently, all outgoing messages include a "User-Agent:" header by default.
This was implemented in an age when the internet was a different place. RFC 7258 states that "Pervasive Monitoring Is an Attack":
"Pervasive Monitoring is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers."
This is not only theoretical: People are in jail because multiple personas have been linked with the help of version headers in emails - specifically OpenPGP version headers.
The OpenPGP community has responded by disabling version headers by default across the ecosystem: GnuPG, GPGTools, SKS keyserver, LibTMCG.
Many MUAs have also disabled the "User-Agent" header by default: notmuch, Enigmail, GPGTools.
I propose to change the default value of user_agent to no. Of course it can still be enabled for debugging, vanity or fun - but with explicit user consent.
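An added example, not part of the original proposal or the project's code: a Python check that reports which fields of an outgoing message disclose the sending software, covering both the "User-Agent" header and the OpenPGP armor "Version:" header mentioned above. The X-Mailer header, the sample message and the function names are assumptions of this example.

```python
import email
import re
from email import policy

# "User-Agent" is the header discussed above; "X-Mailer" is assumed here as
# the common equivalent set by other mail clients.
CLIENT_HEADERS = ("User-Agent", "X-Mailer")
# Armor header lines that directly follow an OpenPGP "-----BEGIN PGP ...-----" line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP [A-Z ]+-----\r?\n((?:[A-Za-z-]+: .*\r?\n)*)")

def audit(raw: bytes) -> list[tuple[str, str]]:
    """Return (field, value) pairs in a message that reveal client software."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = [(h, str(v)) for h in CLIENT_HEADERS for v in msg.get_all(h, [])]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for block in ARMOR_RE.finditer(text):
            for line in block.group(1).splitlines():
                key, value = line.split(": ", 1)
                if key == "Version":
                    found.append(("armor:Version", value))
    return found

def scrub(raw: bytes) -> bytes:
    """Drop client-identifying headers; armor headers must be disabled in
    the OpenPGP tool itself, so they are reported by audit() but left as is."""
    msg = email.message_from_bytes(raw)  # compat32 keeps other headers verbatim
    for name in CLIENT_HEADERS:
        del msg[name]
    return msg.as_bytes(policy=policy.compat32.clone(linesep="\r\n"))

# Constructed sample message (not real traffic, not a real signature).
SAMPLE = (
    b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: test\r\n"
    b"User-Agent: ExampleMUA/1.2.3 (2020-01-01)\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nhello\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\nVersion: ExamplePGP v0.0\r\n\r\n"
    b"(constructed placeholder)\r\n-----END PGP SIGNATURE-----\r\n"
)

if __name__ == "__main__":
    for field, value in audit(SAMPLE):
        print(f"{field}: {value}")
```

Running `audit()` over a sent-mail folder before and after changing the setting shows whether the header is really gone from what leaves the machine.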