Envelopes and GDPR
Privacy is a funny concept, isn't it? Very few people want the whole world to know what medical complaints they have. But most hospitals are open-access buildings, where the waiting rooms have large monitors to tell patients that their doctor is running late.
A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for a bum doctor. They may not have known my specific complaint, but the display board announced that my appointment was with Doctor X. Anyone can look up Doctor X online and see that they specialise in removing foreign objects which have mysteriously found their way inside a person. Whither privacy?
But that's the kind of trade-off we make. It would be expensive to have individual waiting cubicles. Most people aren't famous enough to be recognised in public. The chances of your neighbour also being in hospital are slim. And you might just be waiting for a friend. So we sort of hand-wave it away, because it is a small but difficult problem to solve.
Anyway, a few months later, I received a letter from the hospital. It was delivered in a plain envelope with no hospital markings. The return address was a suitably anonymous bulk mailing service. There were no warning markings to say this was a medical letter. There is no way that my postman, my housemate, or my cleaner would have known what the letter was about.
But see if you can spot the incredibly subtle mistake that was made:

Printing a letter on paper and then folding it so that the address shows through the envelope's window, and the paper cannot slip in transit to reveal anything else, is a surprisingly hard problem. I get letters from lots of organisations where this has happened.
But, before lighting up the pitchforks, what's the real harm that has occurred here and how could it be prevented?
My postie now knows some of my medical info. That's assuming they bothered reading past the address, and that they remember anything specific from the 500 letters they had that day. My postie seems nice enough - but I don't doubt that a postal worker somewhere could use this to blackmail or intimidate a vulnerable person.
Anyone with access to my letterbox, and who gets there before me, also has sight of my information. Again, I tend to trust the people I let in. But not everyone is so lucky. A sufficiently abusive person would have opened the letter regardless of what they saw.
A fully paper envelope with no plastic window removes one specific class of error - but may be too expensive to implement at scale. And, of course, if there's no window then the address has to be printed or written on the envelope separately, so there is the chance that the wrong letter goes into an envelope addressed to someone else.
Would going digital solve this? Email between the big providers is mostly encrypted in transit, so it is unlikely that anyone would see it as it was being delivered. But that is transport encryption, not end-to-end: the sending and receiving providers can still read the message, and a copy sits in plain text in your mailbox.
Most email clients show the first few lines of a message - and some of them will show that preview as a notification on a locked phone. So anyone with access to your device could see something untoward. A sender name and subject have to be useful to the receiver - but is "FROM: Proctology. RE: The object we pulled out of you" too revealing?
An email could be fairly anonymous and link to a download portal of the real message. But that's quite a lot of work for a user to do. And an abuser could still have access to your device.
An email encrypted with your public key and sent with a cryptic subject line is the sort of theoretical magic that geeks love, while forgetting that most people reuse their passwords and leave their laptops unlocked in the coffee shop.
What I'm getting at is that there's no perfect solution. Only incremental changes which may introduce a new class of problem.