[Noisebridge-discuss] Fwd: Private Address Forwarding proposal to USPS

Sai noisebridge at saizai.com
Thu Oct 17 22:13:38 UTC 2013


/On Thu, Oct 17, 2013 at 7:27 AM, spinach williams
<spinach.williams at gmail.com> wrote:
> how much benefit is there for this abstraction?

That depends entirely on how much you value people not knowing where you live.

> first case, an arbitrary number wouldn't protect an abused spouse any more
> than a mailing address would as, in either situation, an abuser is trying to
> send themself to a place rather than some mail and the primary mechanic for
> that is social engineering, which cannot be coded away.

Sorry, but I don't think that's the primary mechanic.

This would prevent things like having your real address looked up
through data brokers. And at least as far as social engineering, it
would be a criminal offense to obtain the information outside of the
narrow cases I specified. The USPS is relatively good at protecting
information that they know they have a legal duty to protect, and most
employees should not even have lookup privileges in the first place.
(They only have a need to know if they're involved in mail processing
or legal compliance.)

I have never said that it is perfect, and I don't believe that's a
reasonable standard. Please don't ask whether it is perfect or has
flaws — it isn't, and it does, and I welcome constructive ideas to
improve those flaws.

Rather, ask whether it would be an incremental improvement (or
oppositely, whether it'd be *worse* than what you currently have
available).

> second case, p,o. boxes exist.

http://s.ai/paf/#faq addresses that. PO Boxes are simply not
equivalent in utility.

> fourth case, similar to one and
> three in that most datamining is still done on foot by canvassers (r.i.p.
> murdered census workers).

Yes, and census information is governed by serious non-disclosure
laws. Again, I have never said that there aren't other ways
information can leak, and saying that there are is not an argument
against *improving* privacy in one area. This is quite specific: it
lets you get mail without disclosing your location, and thereby lets
you not disclose your location to anyone who only would need it to
mail you stuff.

(And even aside from privacy, it has significant convenience etc
benefits — e.g. if you move, you only have to update the USPS [and
maybe DMV], not every single business who mails you stuff.)

> publicly disclosing is ridiculous no matter what and there is already a defense
> against it in p.o. boxes and other proxy addresses, some of which don't
> require a residential address to obtain

Getting a PO box requires license and sworn affidavit of your
residence. And it partially discloses your location. Again, please see
the FAQ; I already addressed that.

> bulk mailers hit every house no matter what, they're not really tied to
> residence. the only difference mail forwarding makes as regards junk mail is
> it'll have "[your name] or current resident" instead of "[prior tenant's
> name] or current resident" or "our neighbors at". anything targeted comes
> from a list you've put yourself on, so direct mail campaigns similarly won't
> be  affected because all that matters is that your identifier, whatever it
> is, is tied to your interest -- meaning any mailing list you've signed up
> for, any package you've ordered from a given company, any catalogs you've
> had sent to you and so on.

This is partially true, though see http://s.ai/paf/#changes for
something that addresses that.

> and what happens if someone knows you, knows your address, has lived near
> you, wishes to reconnect but doesn't have your unique arbitrary alphanumeric
> identifier? a human interaction is lost for no reason.

Your friends probably know you by more than your address. Besides, you
could forward a former address to a PAF ID.


On Thu, Oct 17, 2013 at 10:58 AM, spinach williams
<spinach.williams at gmail.com> wrote:
> also! such an abstraction requires a lookup table of addresses which
> currently does not exist -- mail is forwarded only for six months, and only
> if one chooses to have mail forwarded directly through the post. after that
> six months, your previous address is no longer a suitable identifier for
> your present address, meaning you aren't tracked and the only information on
> your whereabouts is specifically information you push. so, a naming scheme
> as proposed would introduce a vulnerability which currently does not exist
> and for minimal real benefit.

That lookup table *does* exist, through mail forwarding and PO box records.

If you want to destroy a PAF ID after 6 months, you can. You can also
preserve it indefinitely. And unlike mail forwarding — which tells
anyone who has your old address your new one (unless you a get
protective court order or the like, which you probably won't unless
there's been criminal activity, i.e. not for just your privacy, and is
a huge pain to get) — someone having your PAF ID doesn't have your
real address.

My proposal gives you that choice. I don't see how that's an
*introduced* vulnerability greater than current practice.


On Thu, Oct 17, 2013 at 9:15 AM, Adrian Chadd <adrian.chadd at gmail.com> wrote:
> ... I get a lot of "We don't deliver to PO boxes" when I ship packages.

Yes, 3rd party shippers can't deliver to PO boxes. My proposal
includes a third party authorization component to address that.

> (Besides, this could be something interesting to do as a private service;
> except that I wonder what the legality is of being a
> middleman-that-isnt-a-registered-post-company.

See again http://s.ai/paf/#faq about PO boxes on this one. Private
services cannot offer you the same legal protection.

On Thu, Oct 17, 2013 at 9:34 AM, Nicholas LoCicero
<nick.locicero at gmail.com> wrote:
> I like the idea, just think you could develop it a little more. Like add
> some backend features, an API to allow developers the ability to seamlessly
> integrate one's unique address as easily as an email address.

It has a portion for third-party disclosure authorization. I don't
know what other API you have in mind; please elaborate.

Please keep in mind that such disclosures have to be done in a
privacy-protecting manner. An API that says simply "yes that ID is a
deliverable address" to anyone who asks would probably be good, but I
don't see what else would be.

> This seems
> like a move Facebook could make. It allows for more user privacy (something
> their brand lacks) and allows them to bolster the profiles of it's users by
> making those profiles even more marketable for business.

… I don't understand this. Please explain / rephrase.


On Thu, Oct 17, 2013 at 12:05 PM, Lee Sonko <lee at lee.org> wrote:
> With current addresses, there is some built-in redundancy.

PAF IDs have a CRC-5 checksum. See http://goo.gl/wRNOaS, page 2, 4(b).

Plus the keyspace is large enough that a mis-hit is unlikely even
without the checksum.

>  If the letter is accidentally sent to, for instance,
> Guam, the post office will incur extra unneeded expense. How can such
> problems be avoided?
> Maybe limiting the geographic delivery area. Internal checking of names
> against addresses

Why shouldn't Guam residents get the same service?

And don't assume that someone mailing you via your PAF ID would have
your name on it. They might not; that's kinda the point.

> Junk mailers will want to be able to send mail to every home in a defined
> area. They do this now. It is a great source of revenue for the post office
> and some people actually like it.

They can still do that. PAF IDs are simply redirects. USPS' "every
door direct mail" means literally that; it would be unaffected. They
just wouldn't know who you are.

> I looked on your website. Your info is very complete and intensive. I got
> lost after 10 minutes of looking at it. Can you tell us laypersons about
> sending positive or negative feedback to USPS about your proposal?

I strongly encourage you to do so — whether you agree, disagree, have
improvements to suggest, or would simply want to use it. See
http://s.ai/paf/#formal for instructions.

Only one caveat I ask: if you have improvements to suggest, please
give me an opportunity to integrate them into my own follow-up 'I
would like to amend these things'. That doesn't mean "don't also send
them in formally", just please don't blindside me; I want to make it
better and have already gotten feedback I intend to use for that. See
http://s.ai/paf/#changes

On Thu, Oct 17, 2013 at 12:16 PM, Adrian Chadd <adrian.chadd at gmail.com> wrote:
> Take a page or two from information theory - use a forward error correction
> code as part of the unique identifier, as well as a checksum. That way you
> can identify whether the address is corrupt.

CRC-5 does this, AFAICT.

> Choose symbols that aren't going to clash - eg, all uppercase or numeric, no
> letter O (ie, number 0), no letter I (ie, number 1), etc, etc.

Already thought of that too. That's what Base32-Crockford encoding does. :-)


- Sai


More information about the Noisebridge-discuss mailing list