July 22, 2024

Abandoning the Envelope Analogy (What Your Mailman Knows Part 2)

Last time, I commented on NPR’s story about a mail carrier named Andrea in Seattle who can tell us something about the economic downturn by revealing private facts about the people she serves on her mail route. By critiquing the decision to run the story, I drew a few lessons about the way people value and weigh privacy. In Part 2 of this series, I want to tie this to NebuAd and Phorm.

It’s probably a sign of the deep level of monomania to which I’ve descended that as I listened to the story, I immediately started drawing connections between Andrea and NebuAd/Phorm. Technology policy almost always boils down to a battle over analogies, and many in the ISP surveillance/deep packet inspection debate embrace the so-called envelope analogy. (See, e.g., the comments of David Reed to Congress about DPI, and see the FCC’s Comcast/BitTorrent order.) Just as mail carriers are prohibited from opening closed envelopes, so a typical argument goes, so too should packet carriers be prohibited from looking “inside” the packets they deliver.

As I explain in my article, I’m not a fan of the envelope analogy. The NPR story gives me one more reason to dislike it: envelopes–the physical kind–don’t mark as clear a line of privacy as we may have thought. Although Andrea is restricted by law from peeking inside envelopes, every day her mail route is awash in “metadata” that reveal much more than the mere words scribbled on the envelopes themselves. By analyzing all of this metadata, Andrea has many ways of inferring what is inside the envelopes she delivers, and she feels pretty confident about her guesses.

There are metadata gleaned from the envelopes themselves: certified letters usually mean bad economic news; utility bills turn from white to yellow to red as a person slides toward insolvency. She also engages in traffic analysis–fewer credit card offers might herald the credit crunch. She picks up cues from the surroundings, too: more names on a mailbox might mean that a young man who can no longer make rent has moved in with grandma. Perhaps most importantly, she interacts with the human recipients of these envelopes, reporting in the story about a guy who runs a cafe who jokes about needing credit card offers in order to pay the bill, or describing the people who watch her approach with “a real desperation in their eyes; when they see me their face falls; what am I going to bring today?”

So let’s stop using the envelope analogy, because it makes a comparison that doesn’t really fit well. But I have a deeper objection to the use of the envelope analogy in the DPI/ISP surveillance debate: It states a problem rather than proposes a solution, and it assumes away all of the hard questions. Saying that there is an “inside” and an “outside” to a packet is the same thing as saying that we need to draw a line between permissible and impermissible scrutiny, but it offers no guidance about how or where to draw that line. The promise of the envelope analogy is that it is clear and easy to apply, but the solutions proposed to implement the analogy are rarely so clear.


  1. Interesting points being made – but it’s not accurate.

    The author suggests the postman can infer lots of data without opening any envelopes. That’s fine in my opinion – this is how behavioural targeting works.

    Phorm is different, because it DOES open the envelope (or some envelopes) – so the analogy still stands firm. If my postman guesses I’m financially screwed because I get lots of red letters, then credit to him. If he knows I’m screwed because he’s opening my mail, I’m not going to be very happy.

    Everyone has a basic right to privacy of communication. End of story. If people are stupid enough to sell that right for a few quid then fine – but everyone should be given the choice. As long as Phorm is TRULY opt in, then I have no further objections!

  2. Paul,

    I agree that the analogy of DPI to the postman reading your mail is inaccurate. I posted thoughts on the topic last week, you can read them here:


    • Paul,

      In my argument (link posted above), I make the point that it is paramount to separate the roles that people and computers play in our lives. For example, erasing Andrea’s memory or removing certain apparatus are probably not a viable options.

  3. Curt Sampson says

    The envelope analogy is also being misused in the sense that the ISPs *are* opening the envelopes, at least some of them.

    Internet protocols are layered, with protocols encapsulated within further protocols within further protocols yet. For example; TCP is encapsulated within IP; you need to open the “IP envelope” to see the “TCP envelope” inside, in order to get the port number. So doing something as simple as distinguishing between TCP requests to port 80 (the standard port for HTTP) and TCP requests to port 25 (the standard port for SMTP–mail) you are already opening envelopes. Given that the port information is not necessary for routing the packet, but used only by the end hosts, even with the “envelope argument” one could argue that ISPs should not be allowed to look at that information, which would put quite a crimp in their ability to distinguish between web and torrent downloads.

    The other mistake made in this analogy is ignoring who gets to see the information. While we don’t consider the writing on envelopes to be “private” the way we consider the contents of the envelop to be private; we do have certain expectations of privacy. If the post office started offering a service that would allow me to pay them for photocopies of the front and back of every envelope delivered to a given address, I’m pretty sure people would be up in arms. And that’s an example where I do like the analogy; I think that that may help make it clear to the non-technical user what this packet sniffing really means, especially when shown examples along the lines of the mailman story.

  4. I think Adam has an important point (if not necessarily useful in this context). The people at the post office who can track which envelopes go to which people on a massive scale don’t know who those people are and don’t really care. It’s also their job not to care. They don’t see different-colored envelopes, and they don’t see people’s faces. The mail carriers at the individual routes do know and care (everyone at the local PO congratulated us on our first kid, for example), but they make a point of not transmitting or aggregating that information. If they did, we’d all freak out.

    But the people doing deep — or even shallow — packet inspection operate much higher up in the distribution network, so they can know millions of people on an individual basis. And they intend to make money by caring about that information and sharing it as widely as they profitably can.

    In some ways it comes back to the european-style privacy principles: the kind of extra data collected by local mail carriers is arguably in service of delivering your mail as effectively as possible, but we can’t say the same thing about packet inspection somewhere up the backbone.

  5. I saw my mailman put about 20 envelopes from DUI lawyers in my neighbor’s mail slot and 2 mistakenly made it into mine. Okay, my neighbor got a DUI. I didn’t open any envelopes to know that.

    You can apply this logic to ISP mail traffic too. I suppose we can all assume that crimes are public information, and we all know that lots of lawyers send out spam to people accused of recent crimes, and that everyone should know when any lawyer sends out mail to potential clients.

    I don’t know. I’m starting to think that privacy advocates are the most incompetent professionals. In the case of EFF, they advocate and sue for the exact opposite of “privacy”. Everyone needs to know what Palin’s private email says. If you don’t want to be a privacy lawyer, don’t be a privacy lawyer. This stuff isn’t that hard. The issue is competence.

  6. You can only encrypt if both sides want to, but most servers won’t because they don’t want to pay the cost.

    Some people have been proposing solutions (e.g. fair queueing for the P2P problem), but it doesn’t get as much attention as saying “help, I’m being oppressed!” over and over.

    (BTW, did someone change the fonts on this site? I’m seeing some ridiculously small text in the comments section.)

  7. Seal your Internet envelopes! Enforce the end-to-end argument by end-to-end encryption! Stop complaining! Start doing!

  8. Your mail carrier is only one person. That is the key issue and also the solution.

    The amount of data she can amass is tiny and most definately not economically valueable. She is also a person we have the option to have a real relationship with. She might know the coffee shop owners credit situation, but talking to him every day and befriending him means she is far less likely to use that information in a possibly malicious way. This makes the mail system and andrea safe from a privacy standpoint.

    As we move to more efficiant systems like email where servers process mail in volumes many orders of magnitude higher then andrea we start to get the problem that the server can amass enough infomration to make it economically valuable. To most people the line separating what andrea does and what the server can do is so thin it is almost invisible. The opportunity in terms of dollars however is very clear in their mind.

    To solve this we need to make sure policy makers are well aware of the difference between andea and the server. We also need to make sure these poeple see privacy as the right it is and not a comodity that can be traded away for short tern financial gain.