#!wml -omunged.html #use wml::openldap::openldap area=project subarea=main logo=prj header=off $OpenLDAP$

Email Address Munging Considered Harmful

I'm the guy who says "no" to requests to alter the content in the OpenLDAP public archives of its mailing lists. I'm the OpenLDAP.org postmaster.

The most common request we get, and I reject, is from a person who has posted messages to OpenLDAP mailing lists and wishes their email address to be redacted or obscured in the public archives. This rant focuses on such requests.

We get all sorts of requests to redact or obscure information in our archives. Some of these cases are discussed near the bottom of this page.

Upon receipt of such requests, I do a quick check to confirm that this is the common case and then I, per our established policies and practices, issue a rejection notice. With this notice, I now send a link to this page. It's my hope that by reading this page the requestor will gain an understanding of why their request was denied.

I will ignore attempts by the requestor to engage me in debate of our established policies and practices, and will deny any request for reconsideration based on your opinions (or the opinions of others) regarding our policy or practices.

Why does the OpenLDAP Project maintain public archives of its open subscription mailing lists?

The primary purpose of the archives is to provide a complete and accurate record of mailing list discussions to serve a wide range of uses. The following is a list of just some of the intended uses:

Why are email addresses not redacted or obscured?

The most obvious reason is that redacting or obscuring email addresses would reduce the usefulness of the archives.

Various pages on the Internet discuss the harmful effects of email address munging in detail, so I'll just give a terse list of some of the reasons.

But what about email address harvesting?

Please note that we intend to support harvesting of email for generally accepted and lawful purposes. For instance, one might want to research who, as identified by email address, participated in the development of OpenLDAP Software. Redacting or obscuring email addresses would not only hinder such activities, but generally reduce the usefulness of the archives.

We fully realize that some entities will abuse the public archives. However, there is no feasible solution that would both provide the desired features and preclude abuse. We choose supporting features over precluding abuse.

But I already posted to your mailing lists?

That's too bad. If it was your intention not to expose your email address to the public, you should have never posted it to a public forum. Your error is not our problem.

But what about my right to privacy?

You waived any such right you might have had to privacy of your email address when you posted it to a public forum.

But what about SPAM?

Fight it by means which can reasonably be believed to be effective.

Personally, I think efforts to keep well-used email addresses out of the hands of SPAM'ers are futile.

If a web search can find my email address...

One of my favorite assertions I often get goes like this: "If [insert favorite web search engine] can find my email address, spammers can harvest it." Well, yes. But what about the often implied corollary: "If [insert favorite web search engine] cannot find my email address, therefore spammers cannot harvest it." This is obviously false.

To date, most web search engine providers have had little incentive to implement demunging of email addresses. It is reasonable to assume there is significant incentive for email harvesters to implement demunging algorithms for obscured email addresses. Eventually web search engines will catch up here.

It should be noted that web search engines typically only search the web. Harvesters don't limit themselves to the web. For instance, harvesters have reportedly used email interactions with a mailing list server in their harvesting.

Do you enjoy doing this to me?

I enjoy using our publicly accessible archives, and enjoy seeing others use them, for the purposes they were designed to serve.

You mean to support email harvesting?

To the extent email harvesting is used for generally accepted and lawful purposes, yes.

You mean to support SPAM'ers?

No. I consider SPAM neither generally accepted nor lawful. I do what I can to "deal" with it; I refuse to "throw out the baby with the bath water" as some seem willing to do.

Will you please reconsider the policy?

Nothing new to reconsider here.

But everyone else is doing it?

Not everyone else is redacting and/or obscuring email addresses in public email archives. There are actually a number of 3rd party sites (at the time of this writing) providing publicly accessible archives of OpenLDAP mailing lists which don't redact or obscure email addresses. A number of other 3rd party sites, including major list archiving sites, obscure by algorithms so trivially reversible (such as any algorithm which can be reversed by rendering HTML to plain text using any available web rendering engine) as to be of little to no hindrance to email harvesters. It seems they do it just for the same reasons the TSA makes you take off your shoes, to make you feel "secure".

To date, every email address that has been requested to be removed from the OpenLDAP mailing list archives has been found to be otherwise published in readily available archives with little to no munging.

What the project is doing is illegal?

This has to be my all time favorite assertion I've received in response to a rejection notice. To this, I say "Hogwash!".

But you have a legal obligation to redact or obscure my email address?

Hogwash!

I've read your rant, now what?

I appreciate your time. Have a nice day.

But?

No butts.

But my email address appears in your archives due to no fault of my own?

Unfortunately, this can and does happen. For instance, someone submitting a message to one of our lists might have desired to carbon copy you. We'll end up getting a message with your address listed in the Cc: header and that address will appear in the archives.

In this case, I'm likely to do some research before deciding whether to reject your request or not. While I consider each such case on a case-by-case basis, there are a number of commonly found reasons for which I've rejected such requests. Here are a few.

The address has otherwise been made public, especially by acts of persons or entities associated (presently or in the past) with the email address.

The address was made public by a person previously in control of the email address.

The person making the request could not establish they were the "owner" of the email address they were requesting to be removed. For a "personal" email address (such as from any one of the main personal email account providers), I expect to be able to authenticate that the requestor is in personal control of the account by completing an email exchange. This is to prevent removal of an address counter to the wishes of the entity in control of the account. For "work" accounts, I expect to be able to establish that the requestor is an authorized representative of the "owner" of the account. I consider the owner of such accounts to be the same as the owner of the domain under which the account was issued.

The address was published at openldap.org over a year ago. Those who fail to make requests in a timely manner shall, by their past inaction, be viewed as having granted us license to publish their email address in our archives.

What about other identifying information?

Requests to remove identifying information other than email addresses will be handled similarly to requests to remove email addresses.