I nearly did not blog this until I realized the underlying concept bothered me, and that I could explain why, in non-technical terms. It also fits broadly into my theme for the day: identity is the face we choose to show others, and privacy is the area of concerns that arise when that identity is challenged for one reason or another. Frustratingly, I’m in a hurry, and so I’m going to have to cover this very broadly and I hope I don’t misrepresent anything or mis-state a fact. If I do, I’ll clean it up as soon as I am aware of it.
The way that Loaf is described as working: an encrypted (or disguised, or hashed, at any rate it’s not human readable) copy of your whole email address book is appended to each one of your outbound email messages. When it’s received and parsed by another Loaf-using email system, the sender (you) is rated based, essentially, on your degree of familiarity to the recipient (or really, of course, to Loaf). The more familiar you are, the likelier it is that your message will get through.
It’s a pretty neat idea, and I can’t think of any reason, functionally, why this would be problematic.
However, I think there is a very good reason to mistrust the concept. It’s based on both legal approaches to privacy and ethical concerns underlying them. Forgive me a moment of digression.
Generally speaking, in the US, organizations that gather and manage personally identifiable information (PII) are required by legal guidelines to follow a specific set of practices with regard to how that information is gathered, stored, and made accessible for correction or deletion to the initial source of that data, generally the consumer. An example of that is COPPA, which is a law that effectively requires online data gatherers to either collect no PII from children under 13 or to ensure that parental permission has been granted for that data to be gathered.
It’s my opinion that the PII is the property of the consumer and that there is an ethical obligation to the consumer to permit some level of error-correction feedback mechanism. Additionally, there is an obligation on the part of the data maintainer to follow a ‘best-practices’ level of security with regards to the data, and practices which allow the data to move to a different organization with different privacy practices, while legal, are frowned upon. Of course, such data transfers happen all the time, notably in corporate acquisitions.
In practice, the response of most commercial organizations has been based on a desire to minimize the ancillary data-management costs of PII while making every effort to allow that data to be utilized within the business. It’s effectively a business asset, and as such is perceived as adding value to the organization. Thus your level of access to the data may be limited to writing a letter to the company to request that your record be deleted.
This is unsatisfactory for any number of reasons; adding to the problems with the current approach are the rumblings we hear about the possibility that data collections and methodologies may become available for proprietary protection under U.S. intellectual property law. This may mean, for example, that if in the context of a discussion of privacy management methodology I cited a sample record – or the structure of a specific PII database – I might be in violation of a proprietary concept or data object. But I’ll leave that bone for the EFF to worry at the moment, as vexing as it is.
Returning to Loaf: the concept relies on individual email users exposing their email address books to anyone they send email to. That information may or may not be unpackable to reconstitute the specific PII it contains in a way which is maliciously or unethically useful. From the lack of absolute language on the descriptive page I link to above, I’d be very surprised if it was impossible to do so.
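To make the "unpackable" worry concrete, here is a toy model of the scheme as the post describes it (an added example, not Loaf's own code; it assumes the digest is a set of salted hashes shipped with the message, with a per-message salt that the recipient must also receive). The recipient's familiarity check and a guess-list probe are literally the same membership test, so the digest's unreadability does not prevent anyone holding the message from confirming which guessed addresses are in your address book.

```python
"""Toy Loaf-style address-book digest (constructed example, not Loaf's code).

Sender: attach one salted hash per address-book entry to the outgoing message.
Recipient: score the sender by how many of the recipient's own contacts appear
in that digest. Privacy point: the same membership test works for any holder
of the message against any list of guessed addresses.
"""
import hashlib
import os


def normalize(address: str) -> bytes:
    # Both sides must canonicalize identically or nothing ever matches.
    return address.strip().lower().encode()


def hash_entry(salt: bytes, address: str) -> str:
    return hashlib.sha256(salt + normalize(address)).hexdigest()


def build_digest(address_book, salt: bytes) -> set:
    """Sender side: the 'not human readable' copy of the address book."""
    return {hash_entry(salt, a) for a in address_book}


def members_of(digest: set, salt: bytes, candidates) -> list:
    """Membership test shared by the legitimate scorer and by any probe."""
    return sorted(c for c in candidates if hash_entry(salt, c) in digest)


def familiarity_score(digest: set, salt: bytes, recipient_contacts) -> int:
    """Recipient side: how many of my contacts does the sender also know?"""
    return len(members_of(digest, salt, recipient_contacts))


# Constructed sample data; none of these are real addresses.
SENDER_BOOK = ["alice@example.org", "Bob@Example.org", "carol@example.net"]
RECIPIENT_CONTACTS = ["bob@example.org", "dave@example.com"]
GUESS_LIST = ["alice@example.org", "carol@example.net", "erin@example.com"]

SALT = os.urandom(16)  # per-message salt; it has to travel with the digest
DIGEST = build_digest(SENDER_BOOK, SALT)


def demo():
    score = familiarity_score(DIGEST, SALT, RECIPIENT_CONTACTS)  # 1 (bob)
    recovered = members_of(DIGEST, SALT, GUESS_LIST)  # alice, carol confirmed
    return score, recovered  # → (1, ['alice@example.org', 'carol@example.net'])


if __name__ == "__main__":
    print(demo())
```

A Bloom filter in place of the hash set would change nothing here except to add occasional false positives; the per-address salt does not help either, since the recipient needs it to do the legitimate check.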
Moreover, by deliberately placing the PII into a sharing-oriented environment, the strategy violates the legal and ethical guidelines I just sketched (however fuzzy my sketch might be), primarily by sharing a specific element of that PII (your correspondent’s email address).
Therefore, it will be very difficult to deploy any solution based on this approach into commercial organizations that have been working to ensure compliance with the guidelines and regulations.
I am by no means an expert either in the sort of programming that Maciej (a good guy, by all accounts, and a hell of an online writer to boot) does, or, honestly, in online privacy. I do think that I have raised some valid points for discussion. I hope that Maciej or his partner can take the time to address them.