Commit 95d97150 authored by Kurt Zeilenga

Add initial draft of munging rant

parent 31177c0e
#!wml -omunged.html
#use wml::openldap::openldap area=project subarea=main logo=prj header=off
<page_title name="Kurt D. Zeilenga"
keywords="Kurt Zeilenga"
description="Email Addressing Munging considered Harmful">
<page_id>
$OpenLDAP$
</page_id>
<h2>Email Address Munging Considered Harmful</h2>
<p>
I'm the guy who says "no" to requests to alter the content in the
OpenLDAP public archives of its mailing lists. I'm the OpenLDAP.org
postmaster.
<p>
The most common request we get, and I reject, is from a person who
has posted to messages to OpenLDAP mailing lists and wishes their
email address be redacted or obscured from the public archives. This
rant focuses on such requests.
<p>
We get all sorts of requests to redact or obscure information in
our archives. A some of these cases are discussed <a href="#near">near
the bottom</a> of this page.
<p>
Upon receipt of such requests, I do a quick check to confirm that
this is the common case and then I, per our established policies
and practicies, issue a rejection notice. With this notice, I now
send a link to this page. It's my hope that by reading this page
the requestor will gain an understanding of why their request was
denied.
<p>
I will ignore attempts by the requestor to engage me in debate of
our established policies and practices, and will deny any request for
reconsideration based your opinions (or the opinions of others) regarding
our policy or practices.
<h3>Why does the OpenLDAP Project maintain public archives of its open
subscription mailing list</h3>
<p>
The primary purpose of the archives is to provide a complete and accurate
record of mailing list discussions to serve a wide range of uses. The
following is a list of just some of the intended uses:
<ul>
<li>Research prior discussions by topic,
<li>Research prior discussions by partcipant,
<li>Audit participant activity,
<li>Research who participated in a particular discussion, or discussions at
a particular time, or any discussion,
<li>Browse the archives to determine if a recently submitted message has
been distributed to the list.
</ul>
<h3>Why are email addresses not redacted or obscured?</h3>
<p>
The most obvious reason is that by redaction or obscuring email addresses
would reduce the usefulness of the archives.
<p>
Various pages on the Internet discuss the <a
href="http://www.interhack.net/pubs/munging-harmful/">harmful</a>
effects of <a href="http://en.wikipedia.org/wiki/Address_munging">email
address munging</a> in detail, so I'll just give a terse list of
some of the reasons.
<ul>
<li>Redacting and/or obscuring email addresses hinders general
use of the archives (including uses the Project desire to support),
<li>Redacting and/or obscuring email addresses hinders use by persons
with disibilities.
<li>Redacting and/or obscuring email addresses hinders interoperability.
<li>Redacting and/or obscuring all email addresses is not feasible (e.g., leaks
will occurs).
</ul>
<h3>But what about email address harvesting?</h3>
<p>
Please note that we intend to support harvesting of email for
generally accepted and lawful purposes. For instance, one might
want to research who, as identified by email address, particated
in the development of OpenLDAP Software. Redacting or obscuring
email addresses would not only hinder such activities, but generally
reduce the usefulness of the archives.
<p>
We fully realize that some entities will abuse the public archives.
However, there is no feasible solution that would both provide the
desired features and preclude abuse. We choose supporting features
over precluding abuse.
<h3>But I already posted to the your mailing lists?</h3>
That's too bad. If it was your intention to not to expose your email
address to the public you should have never posted it to a public
forum. Your error is not our problem.
<h3>But what about my right to privacy?</h3>
You waived any such right you might have had to privacy of your email
address when you posted it a public forum.
<h3>But what about SPAM?</h3>
<p>
Fight it by means which can reasonable believed to be effective.
<p>
Personally, I think efforts to keep well used email addresses of the
hands of SPAM'ers is futile.
<h3>If a web search can find my email address...</h3>
<p>
One of my favorite assertions I often get goes like this "If [insert
favorite web search engine] can find my email address, spammers can
harvest it." Well, yes. But what about often implied collary: "If
[insert favorite web search engine] cannot find my email address
therefore spammers cannot harvest it." This is obviously false.
<p>
To date, most web search engines providers have had little incentive
to implement demunging of email addresses. If is reasonable to assume
there is significant incentive for email harvesters to implement
demunging algoirthms to obscure email addresses. Eventually web search
engines will catch up here.
<p>
It should be noted that web search engines typically only search the web.
Harvesters don't limit themselves to the web. For instance, harvesters
have reportedly used email interactions with a mailing list server in
their harvesting.
<h3>Do you enjoy doing this to me?</h3>
I enjoying using our public accessible archives, and enjoy seeing
others use them, for the purposes they were designed to serve.
<h3>You mean to support email harvesting?</h3>
To the extend it email harvesting is used for generally accepted and lawful purposes, yes.
<h3>You mean to support SPAM'ers?</h3>
No. I don't consider SPAM neither generally accepted nor lawful.
I do what I "deal" with it, I refuse to "throw out the baby with
the bath water" as some seem willing to do.
<h3>Will you please reconsider the policy?</h3>
Nothing new to reconsider here.
<h3>But everyone else is doing it?</h3>
Not everyone else is redacting and/or obscuring email addresses in
public email archives. There are actually a number of 3rd party
sites (at the time of this writing) providing public accessible
archives of OpenLDAP mailing mails which don't redact or obsure
email addresses. A number of other 3rd party sites, including major
list archiving sites, obscure by trivally reversable algorithms
(such as any algorithm which can be reversed by rendering HTML to
plain text using any available web rendering engines) to be
of little to no hinderance to email harvesters. It seems they do
it just for same reasons the TSA makes take off your shoes, to make
you feel "secure".
<p>
To date, every email address that has been requested to be removed from
the OpenLDAP mailing list archives has been found to be otherwise
published in readily available archives with little to no munging.
<h3>What the project is doing is illegal?</h3>
<p>
This has to be my all time favorite assertion I've received in response
to a rejection notice. To this, I say "Hogwash!".
<h3>But you have a legal obligation to redact or obscure my email address?</h3>
Hogwash!
<h3>I've read your rant, now what?</h3>
<p>
I appreciate your time. Have a nice day.
<h3>But?</h3>
No butts.
<h3><a name="near">But my email address appears in your archives due to no fault of my own?</a></h3>
Unforunately, this can and does happen. For instance, someone
submitting a message to one of our lists might have desired to
carbon copy you. We'll end up getting a message with your address
listed in the Cc: header and that address will appear in the archives.
<p>
In this case, I'm likely do some research before deciding whether
to reject your request or not. While I consider each such case on
a case by case, there are number of commonly found reasons for which
I've rejected such requests. Here's a few.
<p>
The address has otherwise been made public, especially by acts of
persons or entities associated (presently or in the past) with
the email address.
<p>
The address was made public by a person previously in control of the
email address.
<p>
The person making the request could not establish they were the
"owner" of the email address they where requesting to be removed.
For a "personal" email address (such as from any one of the main
personal email account providers, I expect to be able to authenticate
the requestor is in personal control of the account by completing
an email exchange. This is prevent removal of an address counter
to the wishes of the entity in control of the account. For "work"
accounts, I expect to be able to establish the requestor is an
authorized representative of the "owner" of the account. I
consider the owner of such accounts to same as the owner of the
domain for which the account was issued under.
<p>
The address was published at openldap.org over a year ago. Those
who are fail to make requests in a timely manner shall, by their
past in action, be viewed as granted us license to publish their
email address in our archives.
<h3>What about other identifying information?</h3>
Requests to remove identifying information other than email
addresses will be handled similarly to request to remove
email addresses.
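Review bot: The sentence in the web-search section, "significant incentive for email harvesters to implement demunging algoirthms to obscure email addresses", reads backwards: demunging undoes obscuring, so the algorithms would be recovering obscured addresses, and "If is reasonable" just before it should be "It is reasonable". Since the text says a link to this page is sent with each rejection notice, the draft also needs a spelling pass before it is published: "practicies", "partcipant", "disibilities", "particated", "collary", "Unforunately", "trivally reversable", and "Email Addressing Munging" in the page_title description. Several answers (for example under "But what about my right to privacy?") follow their h3 heading directly without the p tag used in other sections, so one form should be used throughout. In the ownership paragraph, "by completing an email exchange" is the only verification step given, and the parenthesis opened at "(such as from any one of the main personal email account providers," is never closed; stating what the exchange consists of would let the check be applied the same way to every request.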