A slice of privacy

Loaf is an email filtering verification system from Maciej and a partner, in early days yet. For the record, I love the ‘cantbedone.org’ URL.

I nearly did not blog this until I realized the underlying concept bothered me, and that I could explain why, in non-technical terms. It also fits broadly into my theme for the day: identity is the face we choose to show others, and privacy is the area of concerns that arise when that identity is challenged for one reason or another. Frustratingly, I’m in a hurry, and so I’m going to have to cover this very broadly and I hope I don’t misrepresent anything or mis-state a fact. If I do, I’ll clean it up as soon as I am aware of it.

The way that Loaf is described as working: an encrypted (or disguised, or hashed, at any rate it’s not human readable) copy of your whole email address book is appended to each one of your outbound email messages. When it’s received and parsed by another Loaf-using email system, the sender (you) is rated based, essentially, on your degree of familiarity to the recipient (or really, of course, to Loaf). The more familiar you are, the likelier it is that your message will get through.

It’s a pretty neat idea, and I can’t think of any reason, functionally, why this would be problematic.

However, I think there is a very good reason to mistrust the concept. It’s based on both legal approaches to privacy and ethical concerns underlying them. Forgive me a moment of digression.

Generally speaking, in the US, organizations that gather and manage personally identifiable information (PII) are required by legal guidelines to follow a specific set of practices with regard to how that information is gathered, stored, and made accessible for correction or deletion to the initial source of that data, generally the consumer. An example of that is COPPA, which is a law that effectively requires online data gatherers to either collect no PII from children under 13 or to ensure that parental permission has been granted for that data to be gathered.

It’s my opinion that the PII is the property of the consumer and that there is an ethical obligation to the consumer to permit some level of error-correction feedback mechanism. Additionally, there is an obligation on the part of the data maintainer to follow a ‘best-practices’ level of security with regards to the data, and practices which allow the data to move to a different organization with different privacy practices, while legal, are frowned upon. Of course, such data transfers happen all the time, notably in corporate acquisitions.

In practice, the response of most commercial organizations has been based on a desire to minimize the ancillary data-management costs of PII while making every effort to allow that data to be utilized within the business. It’s effectively a business asset, and as such is perceived as adding value to the organization. Thus your level of access to the data may be limited to writing a letter to the company to request that your record be deleted.

This is unsatisfactory for any number of reasons; adding to the problems with the current approach are the rumblings we hear about the possibility that data collections and methodologies may become available for proprietary protection under U.S. intellectual property law. This may mean, for example, that if in the context of a discussion of privacy management methodology I cited a sample record – or the structure of a specific PII database – I might be in violation of a proprietary concept or data object. But I’ll leave that bone for the EFF to worry at the moment, as vexing as it is.

Returning to Loaf: the concept relies on individual email users exposing their email address books to anyone they send email to. That information may or may not be unpackable to reconstitute the specific PII it contains in a way which is maliciously or unethically useful. From the lack of absolute language on the descriptive page I link to above, I’d be very surprised if it was impossible to do so.
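To make the concern concrete, here is an added example (not Loaf's code or wire format, and not from the original post) of a hashed address book attached to a message. It assumes SHA-256 over normalised addresses and a plain set of digests; the function names and all sample addresses are constructed for illustration. It shows that the comparison a recipient needs in order to score familiarity is the same comparison that confirms whether any address they already hold is in the sender's book.

```python
import hashlib


def digest(addr: str) -> str:
    """Hash one normalised address (SHA-256 is an assumption; the post only says 'hashed')."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def attach_book(address_book):
    """Sender side: the disguised address book appended to an outbound message."""
    return {digest(a) for a in address_book}


def familiarity(received, my_book):
    """Recipient side: fraction of my own contacts that also appear in the sender's book."""
    mine = attach_book(my_book)
    return len(mine & received) / len(mine) if mine else 0.0


def confirm_contacts(received, candidates):
    """Privacy exposure: any address the recipient can name can be tested for membership."""
    return sorted(a for a in candidates if digest(a) in received)


# Constructed sample data (reserved example domains, no real people).
SENDER_BOOK = ["alice@example.com", "bob@example.org",
               "carol@example.com", "dave@example.net"]
RECIPIENT_BOOK = ["bob@example.org", "carol@example.com",
                  "erin@example.com", "frank@example.org"]
STRANGER_BOOK = ["mallory@example.net", "trent@example.net"]
# Addresses the recipient holds from some other source, e.g. a mailing list.
CANDIDATES = ["dave@example.net", "grace@example.com",
              "bob@example.org", "heidi@example.org"]

if __name__ == "__main__":
    attachment = attach_book(SENDER_BOOK)
    print("known sender score:", familiarity(attachment, RECIPIENT_BOOK))
    print("stranger score:", familiarity(attach_book(STRANGER_BOOK), RECIPIENT_BOOK))
    print("confirmed in sender's book:", confirm_contacts(attachment, CANDIDATES))
```

Because email addresses are low-entropy and widely listed, an unkeyed hash hides them only from someone who cannot guess them; the third parties whose addresses are being shared never took part in the exchange.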

Moreover, by deliberately placing the PII into a sharing-oriented environment, the strategy violates the legal and ethical guidelines I just sketched (however fuzzy my sketch might be), primarily by sharing a specific element of that PII (your correspondent’s email address).

Therefore, it will be very difficult to deploy any solution based on this approach into commercial organizations that have been working to ensure compliance with the guidelines and regulations.

I am by no means an expert either in the sort of programming that Maciej (a good guy, by all accounts, and a hell of an online writer to boot) does, or, honestly, in online privacy. I do think that I have raised some valid points for discussion. I hope that Maciej or his partner can take the time to address them.

Danelope Week Part V

On October 3, 2000, Mr. Lope penned a few brief lines that directly contradict the central thesis of Being John Malkovich.

Of course, he’s also 2903.

This has nothing to do with Mr. Lope or anything, but my favorite part of Lawrence of Arabia is after Lawrence and the surviving boy under his, um, care pass through a blasted, abandoned Army base at the side of the Suez Canal, and emerge on the banks of the waterway. A lone motorcyclist on the opposite bank appears, and stops when hailed.

Cupping his hands, the British biker shouts over the unbridged gap of water and sand.

“Who are you?”

After a pause, he repeats the question with greater urgency. Lean cuts to a reverse-angle closeup of Lawrence’s face.

On Identity

The Statesman claims that Don Foster has fingered exposed unmasked uncovered revealed the author of Belle de Jour. Foster used computer-based linguistic analysis to deduce that Joe Klein wrote Primary Colors. [via Boing Boing]

USA Today Says Reporter Faked Stories [NYT]: Five-time Pulitzer nominee fired. Jack Kelley spent 21 years at USA Today, and judging by the fabrications cited in the article, had a knack for the dramatic moment:

For one of the stories that helped make him a Pulitzer Prize finalist in 2001, Kelley wrote that he was an eyewitness to a suicide bombing in Jerusalem and described the carnage in graphic detail. But the investigation showed that the man Kelley described as the bomber could not have been the culprit, and his description of three decapitated victims was contradicted by police.

The newspaper also said “the evidence strongly contradicted” other published accounts by Kelley: that he spent the night with Egyptian terrorists in 1997; met a vigilante Jewish settler named Avi Shapiro in 2001; watched a Pakistani student unfold a picture of the Sears Tower and say, “This one is mine,” in 2001; interviewed the daughter of an Iraqi general in 2003; or went on a high-speed hunt for Osama bin Laden in 2003.

And topping off our little collection, who wouldn’t be interested in reading what happens when a writer for The Stranger connives and cajoles Jayson Blair and Stephen Glass into meeting him for a beer at a Brooklyn watering hole for a joint interview?

I think I have found my theme for the day; Charlie Kaufman sets the tone.