
Friday, September 7, 2012

Privacy via non-durable contact information

Here's another solution in search of a problem. Call it another half-baked idea, perhaps. This one focuses on contact information, the matter of keeping it current, and what happens when you'd rather not hear from a given business or individual again.

First, suppose you set up the equivalent of an address book entry for yourself on this vaporware service. You'd put everything you could possibly want to give to someone else in there: name, address, phone numbers, e-mail addresses, web sites, and so on. Even if you wouldn't give any one person all of that data, you'd still put it all in there.

Then, let's say you wanted to share some of that with someone. You'd give them some magic link, and when they loaded it, you'd get a notification on your phone (or e-mail, but that's so 2000s). It would look something like this, only nicer:

CAPTAIN TANDOORI'S TAKEOUT requests your e-mail address.

[ Reject ] [ Allow e-mail address ]

If you tapped "allow", then the service would allow their system access to that component of your profile via a URL which is only for them.

"So what", right? What's so special about this? Ah, just wait.

Let's say you change your e-mail address some day and you still want to get their coupons electronically. You'd just change it in one place, and then anyone who had been authorized to see that part of your profile would be able to get an update.

Notice how I worded that: they would be able to get an update. It would not magically change in their systems. In fact, senders would be told that they should not cache contact information beyond a relatively short amount of time, like a day or two. They should make a call back to the service to look up contact information any time they need it.

So, after you changed your e-mail on file, if one of these places went to contact you in the future, they'd ping the service, get your updated info, and would mail that instead... assuming they're still allowed. Maybe a given source has been sending you garbage. You could just disconnect them from your profile, and then they'd no longer get updates for you.

At this point someone is going to suggest that "they will just cache it anyway", and they're totally right. Lazy and/or evil senders will cache the contact details they get from this system instead of doing a "just in time" lookup. Here's what you do about that.

Your e-mail address could actually be a series of aliases which are created fresh every time they do a lookup. Any given alias would only be valid for as long as the TTL on that particular lookup. After that, it would just reject the mail. Look at how "domain protection" works at certain registrars. You get an e-mail address which is a bunch of garbage at some magic domain, and it forwards to you. The garbage changes regularly to screw up WHOIS scrapers.

Now, if they cache the data beyond its stated lifetime, it's highly likely that mail will bounce. A suitably clever implementation could even do some nasty tricks with DNS records to make it so that attempts to mail dead addresses don't come anywhere near the forwarding service's mail exchangers. (Hint: wildcard MX plus specific overrides.)

Could this work for phone numbers? Sure. The same basic principle applies: many external numbers, all with a limited lifetime, and call routing to the user's actual number behind the scenes. Again, if you no longer have access to a profile, then you can't find out what the "burner number of the month" might be for a given person.

This could even be made to work for postal mail. This one would require actual people handling and routing things, but for someone who really cared about such a thing, it would be possible. The mail handling center could be instructed to discard anything which isn't addressed in whatever manner happens to be appropriate for that recipient at the current time. This might even dovetail nicely with existing services which receive your mail and scan it and just send you the images instead.

Another level of indirection could be added by creating different endpoints (e-mail addresses, postal addresses, phone numbers) depending on who's asking. This way, if one of these places with access to your profile "sells out" or (surprise surprise) has a leak, you'd have some chance of figuring out who did it. Then you could choose to not do business with them any more, and tell your friends to avoid them as well.
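Here is an added sketch of the e-mail side of this, written for this page and not code from the original post: one profile, a secret per-sender URL, a fresh alias minted on every lookup with a TTL, bounces for anything cached past that TTL or sent by a disconnected sender, the per-sender aliases that let a leaked address be traced back to whoever leaked it, and the "wildcard MX plus specific overrides" zone records. The domain `c.example`, the 48-hour TTL, the `mail@<label>.c.example` address shape and all class and function names are assumptions; the wildcard record uses a null MX (`MX 0 .`, RFC 7505) so that mail to a dead label fails at the sender without reaching the forwarder's exchangers.

```python
import secrets
import time

ALIAS_DOMAIN = "c.example"      # assumed forwarding domain (placeholder)
DEFAULT_TTL = 2 * 24 * 3600     # "a day or two": assumed 48-hour lookup TTL


class ContactService:
    """One user's profile: a grant per sender, a fresh alias per lookup."""

    def __init__(self, real_email, ttl=DEFAULT_TTL, clock=time.time):
        self.real_email = real_email     # only ever known to the service
        self.ttl = ttl
        self.clock = clock               # injectable so tests control time
        self.grants = {}                 # secret token -> sender name
        self.revoked = set()             # senders the user disconnected
        self.aliases = {}                # alias address -> (sender, expires_at)

    # --- authorization: the [Allow] / disconnect buttons -----------------
    def grant(self, sender):
        """User tapped [Allow]: mint a URL that only this sender knows."""
        token = secrets.token_urlsafe(16)
        self.grants[token] = sender
        self.revoked.discard(sender)
        return f"https://{ALIAS_DOMAIN}/profile/{token}"

    def revoke(self, sender):
        """User disconnected the sender: lookups and live aliases both die."""
        self.revoked.add(sender)

    # --- the just-in-time lookup senders are told to do ------------------
    def lookup(self, url):
        """Return a fresh alias valid for `ttl` seconds, or None if not allowed."""
        token = url.rsplit("/", 1)[-1]
        sender = self.grants.get(token)
        if sender is None or sender in self.revoked:
            return None
        label = secrets.token_hex(6)            # garbage label, new every lookup
        addr = f"mail@{label}.{ALIAS_DOMAIN}"   # one label per alias so DNS can gate it
        self.aliases[addr] = (sender, self.clock() + self.ttl)
        return {"email": addr, "ttl": self.ttl}

    # --- what the forwarder does when a message arrives ------------------
    def route(self, addr):
        """Decide whether an alias still forwards; cached-too-long aliases bounce."""
        entry = self.aliases.get(addr)
        if entry is None:
            return ("bounce", "unknown alias")
        sender, expires_at = entry
        if sender in self.revoked:
            return ("bounce", "sender disconnected")
        if self.clock() > expires_at:
            return ("bounce", "alias expired")
        return ("forward", self.real_email)

    def attribute(self, addr):
        """Which sender was this alias minted for? Answers even after expiry,
        which is what lets a leaked address point at the leaker."""
        entry = self.aliases.get(addr)
        return entry[0] if entry else None

    def zone_records(self):
        """Wildcard null MX for every dead label, overrides for live ones only."""
        records = [f"*.{ALIAS_DOMAIN}. IN MX 0 ."]
        now = self.clock()
        for addr, (sender, expires_at) in self.aliases.items():
            if sender not in self.revoked and now <= expires_at:
                host = addr.split("@", 1)[1]
                records.append(f"{host}. IN MX 10 mx.{ALIAS_DOMAIN}.")
        return records


if __name__ == "__main__":
    svc = ContactService("alice@real.example", ttl=60)
    url = svc.grant("CAPTAIN TANDOORI'S TAKEOUT")
    alias = svc.lookup(url)["email"]
    print(alias, svc.route(alias))
    print("\n".join(svc.zone_records()))
```

The forwarder keeps expired aliases around on purpose: a bounce is the sender's signal that it cached past the TTL, and the retained mapping is what turns a leaked or sold address into a name. Publishing live labels as specific MX overrides means the zone shrinks back to just the wildcard as aliases expire, so the null MX, not the forwarder, answers for stale addresses.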

For anyone attempting this, good luck getting anyone to bother with it. About the only incentive I can think of for making senders even pay attention would be if all of their customers suddenly refused to give up personal contact info and started only providing profile connections.

Of course, for that to work, there would have to be a concerted effort to get all of those customers online with the thing in the first place. That might be possible if you could sell it as "never have to spell your name out again or read your address off to a clerk ever again". It would probably make more sense to most people as a replacement for having to say all of your contact info over and over again. The non-durable privacy aspects of it would be secondary at best.

I'm not sure exactly what you would call such a thing. It essentially amounts to "distributed unique non-durable points of contact".

Does anyone have a BINGO yet?

Incidentally, if done intelligently, there's no reason why this would need to be centralized. Alice could use her webmail provider while Bob uses his ISP, and as long as they speak the same language to Stu the sender, it doesn't matter who's hosting it or how it's implemented on the backend.

Finally, how do you close the last gap, which is having to convey the access URL to someone who wants to make the connection? Well, that's actually pretty easy. You can just put up a QR code and let them scan it. There are quite a few "loyalty programs" here in the Valley which do exactly this right now.

Failing that, have the app generate a shortened URL and read it to them. Don't forget to avoid ambiguous characters: o O 0, l I 1, 5 S, 2 Z, and so on. Remember that these have to be highly readable and easy to convey to another person.

Go on world, surprise me. Make it happen. If you make a billion dollars, remember me, okay?