Private Delivery Networks (Nomadic Systems Group)

Nicolas Lee, Alex Berke, Patrick Chwalek, Jake Read

The following is a thought piece modeled after a scientific publication from the year 2030. The technologies described here are extrapolations of existing methods based upon current sociotechnical trends, specifically those that may reshape the balance between rural, urban, and nomadic populations. Both real and fictional sources are cited throughout the piece. This publication is a part of Media Lab X.0: Anthology of Tomorrows.

Authors Alex Berke (City Science), Nicolas Lee (Mediated Matter), Patrick Chwalek (Responsive Environments), and Jake Read (Center for Bits and Atoms)

Emerging Trends and Innovations: Nomadic Systems Group 2030 Report


The past years of climate crises and health epidemics have led to the proliferation of nomadic communities and a near reliance on e-commerce and personal deliveries. This has resulted in growing privacy concerns surrounding the personal data connected to such digital and physical transactions. These changes have also widened equity gaps, in terms of both wealth and privacy equity, as lower-income demographics have faced disproportionate challenges in the rapid economic shifts. These challenges include the low availability of affordable privacy-enhancing services, which makes specific groups of people vulnerable for exploitation.  

Purchase histories are highly personal and can reveal identifying information about individuals and households. Constructing profiles from this data allows for the targeting of  individuals and communities through practices such as individually tailored advertisements or focused information campaigns. When purchase profiles are connected with delivery addresses, these data can measure the demographics of a local community and allow for individualized targeting to reach beyond the digital realm to the physical one. This information has been highly valuable for companies to advance their market dominance and for government agencies to improve their population statistics with a more complete and real-time data source.

This work surveys recent innovations and systems that address the rising privacy and wealth inequality concerns in e-commerce and delivery networks. We describe the privacy threats of e-commerce and deliveries, and analyze how recent innovations have approached these issues by aligning personal incentives with market forces.  This includes hacks on the Amazon Locker system, systems to mask and add noise to personal purchase histories, and the use of Private Mutual Aid Networks, which allow higher-income individuals to buy privacy while contributing to those in need. 


Privacy; distributed networks; inequality; public-key cryptography; autonomous vehicles


In the past decade, global populations have experienced tremendous shifts in how people live, work, and buy goods. The number of US citizens living far from urban centers has grown dramatically, with rural populations outnumbering urban centers for the first time in over a century. Some of this migration can be explained by loss of habitable space due to rising sea levels, increasingly destructive weather events, and extreme heat. Health crises such as the 2020 COVID-19 pandemic and subsequent infectious disease outbreaks disproportionately impacted urban areas as well, causing migratory surges in which residents rapidly relocated to rural settings. While the first half of the past decade saw a modest migration from cities and trending nomadic communities, the health and climate crises in more recent years have impacted new demographics, going beyond those who could afford to migrate, to those forced to migrate.

The rapid nature of this shift towards nomadic living and informal settlements likely contributed to the new reliance on e-commerce and deliveries [1]. These economic and societal shifts have also been coupled with increased mistrust of third-party data collection (Figure 1), and have led to a novel set of strategies to disrupt data collection. These strategies were initially pioneered by certain communities who were able to leverage their nomadic lifestyles and high levels of community trust and cooperation in order to prototype simple systems for community use.  By deliberately obscuring purchase history and geolocation from corporate and federal entities, individuals in these communities could dissociate previously constructed data profiles from their residence and activities. Their early strategies have since evolved into a variety of systems that span communities and geographies, many of which have become commercialized services. This in turn has driven more aggressive methods of data harvesting by vendors.

Online vendors have great insight into people’s demographics and personal identities based on their purchase histories. For example, they can infer the size of a household based on the frequency and size of their orders of simple necessities like toilet paper, or infer whether someone is single, pregnant, or has children of a certain age, based on what they buy. They might infer income level by the quality of items purchased, education level or profession based on books and professional supplies, ethnicity based on food items, race based on hair products, whether someone is male or female based on personal hygiene products, and more, with all of the personal nuances in between.  Purchase histories have become especially informative with their recent links to individuals’ medications data [2] and credit profiles [3]. Furthermore, when purchases are tied to physical delivery addresses, this makes available to companies census geographical information about their customers.

Detailed customer data is highly valuable to companies who use it to win more market share, more data collection channels, and then more leverage against rivals. The consolidation of smaller and mid-sized vendors into larger conglomerates has further limited the options that remote and nomadic communities have to order essential products. Individuals with economic means may access the services that handle their purchase and location privacy, but methods that allow for data protection regardless of socio-economic status are scarce. As a result, the individuals most susceptible to the risks of targeted data collection and privacy loss, such as the risks of predatory marketing and targeted disinformation campaigns, are those with the most to lose from such practices. This report highlights the advances in private delivery network systems that have benefited the populations most in need.

Figure 1: (A)Data from the United States census and independent annual reports indicate that the percentage of USA citizens living far from urban centers has risen dramatically in the past decade. 2020 census data is likely inaccurate due to incomplete data collection efforts. (B) The number of breaches in which personal data profiles were exposed, counted in millions, is compiled by Statistita. (C) Consumer trust as related to third-party collection of personal data was measured by the Pew Research Center. Declines in consumer trust indicates that mistrust in third-party data collection is at a historic low, a decline which began with high-profile data-breaches and continued to grow with subsequent failures of third-parties to responsibly protect individual data [4]. The decline in consumer trust precedes mass migration from urban centers.

Steps towards privacy goals

A common goal in logistics and data privacy research is to find ways for people to purchase goods they need through existing vendors while preventing vendors from computing comprehensive views of people’s personal information. Pursuing this goal should not be reserved for only the privileged who may better afford privacy tools, it should also benefit low income and marginalized groups, who may be most vulnerable to predatory targeted marketing. The methods outlined here seek to provide high levels of data privacy for individuals of all socio-economic demographics.

Simple attempts to anonymize customers are not sufficient to make their activity private.  In 2015, De Montjoye et al. showed that purchase histories are so unique to individuals that even when purchase transactions are anonymized, users can be easily re-identified [1]. Their study used metadata from credit card transactions at physical shops and has since been repeated to yield similar and conclusive results for e-commerce and modern payment systems [5]. 

These realities have led to innovative approaches to make customer transaction activity private. Some approaches have added calibrated levels of noise to customers’ activity, while other approaches have allowed cooperative groups of customers to pool or exchange purchases, in order to obscure the purchase profile of any one individual.

There have also been innovative systems introduced to obfuscate delivery locations.  Many of these innovations draw from work that made internet traffic more private, such as Virtual Private Networks (VPNs) and The Onion Router project (TOR).  However, the delivery of physical goods presents new privacy challenges that go beyond the challenges of delivering internet packets. The challenges range from privacy and security to logistical challenges. For example, while internet packets can be encrypted, securing the contents of physical packages is more costly. Physical goods have monetary value and can incite theft, and unlike digital packets, they cannot be as easily redelivered if lost. In addition, the delivery of digital and physical packets have different latency concerns.

The following sections provide a survey of some of the most relevant innovations towards more private delivery networks. Notable innovations include those that break past the capitalist systems of the e-commerce industry and create cooperative means to improve privacy while also creating wealth redistribution.

Privacy Model

We consider knowledge of the following as privacy risks:

  1. Customer profile learned through digital transaction history
  2. Customer physical address

Moreover, links between digital profile (1) and physical location (2) present additional threats. While knowledge of (1) customer profiles enables the advanced targeting of individuals, linking this information to (2) physical location allows targeting to reach beyond the digital realm and into the physical one. Partial privacy may be achieved if purchase history and delivery address are disconnected.

Figure 2: (A)Conventional e-commerce delivery systems without privacy enhancements involve (B) the direct transmission of personal data to a vendor followed by the shipment of a desired product to the recipient’s address. 

In previous years, private data were also disclosed through payments, such as when credit cards were used. However the adoption of private online payment systems (which was likely accelerated by early investments into domains surrounding cryptocurrencies rather than privacy advocacy [6,7,8]) have largely rendered those privacy threats obsolete. Payment processes continue to rapidly evolve. For these reasons, our descriptions and analyses of private delivery networks leave payments out of scope.

Privacy is leaked when people explicitly tell an entity, such as a seller, the items they are ordering, and the location they should be delivered to. Entities can also learn this information by observing which goods are delivered to whom. With the increase in ubiquitous sensors and surveillance, obscuring the route of a delivery is increasingly a challenge. Any private delivery system must assume that  all deliveries in and  out of physical locations are observed.

However, due to recent advances in anti-surveillance technologies, it is now easy and low-cost to disable GPS trackers and other tracking devices hidden within packages. For this reason, while we must assume that any package can be tracked by an outside observer from one location to another, the full path of packages can be kept private when they are routed through multiple locations. How delivery paths can be kept private can be most simply shown through the earliest Delivery Private Networks (DPNs). In what follows we present a brief overview of approaches towards more private delivery networks, beginning with the earliest innovations.

Private Delivery Networks: A survey of recent approaches

Figure 3: A timeline of developments in digital privacy systems parallels recent developments in physical privacy systems. Certain systems, such as TOR, have yet to see a physical analogue for delivery anonymization that is widely adopted.

Hacking the Amazon locker system to improve privacy and wealth distribution

Early works to confront the growing economic power of large corporations were often directed at Amazon. In 2021, Berke and Calacci et al. [9] introduced a simple system that helped Amazon customers improve their privacy while providing for others in need. Amazon Locker was a self-service package delivery service, with locker sites deployed across the world, and this work leveraged the Amazon Locker infrastructure. The project started as an experiment in alternative delivery and sharing economies that protected users’ privacy from large entities. Researchers used it as a study in how to incentivize cooperative economies and redistribute wealth [10, 11].

Figure 4: This system leveraged the Amazon Locker infrastructure to simultaneously address both wealth and privacy equity, by allowing users to ‘buy privacy’ through purchasing goods for others. A typical system flow was as follows: Person A posts a request to an online forum with their desired goods and locker site, and a public encryption key. Person B fulfills that request  by making the requested purchase, and responding  to the forum request with the order confirmation and locker code. This response is encrypted with the request’s public key. All forum posts are anonymous. The requested goods are delivered to the requested locker site and person A retrieves the goods with their locker code.

System users could anonymously request items and specify a locker location. Any other users with the means to ‘purchase privacy’ could anonymously do so by purchasing requested items to be sent to the requested locker, and thereby adding ‘noise’ to their own purchase profiles.  

This cooperation was coordinated through an open-source online forum where all users maintained anonymity through multiple privacy layers. A browser extension helped handle privacy and encryption and simplify the user experience. Users posted item requests with their desired locker location and a public encryption key. When other users purchased requested items, they generated a response to the request post that contained the purchase confirmation and locker code. Responses were encrypted with their requests’ public encryption keys so that only the original requesters could verify orders and retrieve their locker codes. 

This system leveraged the Amazon Locker infrastructure in multiple ways. For one, it used lockers as a means to obscure personal locations; users picked up goods at a locker location of their choice without revealing their own address. Second, it allowed Amazon to bear the burden of delivery logistics and secure storage of packages. In addition, the system was able to immediately scale to anywhere Amazon Lockers were geographically located.

Privacy gains in personal purchase profiles

Users gained privacy by making additional ‘noisy’ purchases for items they did not need for themselves, but that others needed. This obscured users’ true customer profiles.  

Users who made requests also preserved privacy because their requests were anonymous and they avoided an online purchase transaction.

The early system made basic recommendations for users fulfilling requests. For example, for someone without black hair to buy black hair products; for a post-menopausal woman to buy tampons; for a single man to buy diapers. In each case, the purchased products were directed to those who requested and needed them. 

This basic system worked for the time when retailers could only assert partial knowledge about customers’ purchase behaviors because people still bought from multiple online vendors and brick-and-mortar stores. This created an opportunity to generate plausible noise in purchase behaviors with little extra cost. Even when a one-time purchase was made for items that someone would presumably buy regularly (e.g. diapers or hygiene products) then a retailer assumed those products fit the customer’s profile. 

Wealth and privacy distribution 

This early experiment was meant to address both wealth and privacy equity. The system distributed both goods and privacy for the people who bought extra items as well as people who requested them. 


Ultimately the project had an early end, due to Amazon’s increased locker surveillance. While this basic system and its privacy assumptions could not meet the needs of the present day, it precipitated methods used in later private delivery networks (see DPN+PMAN).

The Delivery Private Network (DPN)

Location privacy from outside observers

The simplest DPNs operate as intermediaries between vendor and recipient and work as follows:

  • Customers specify a DPN as their delivery location when making their purchase
  • Sellers deliver many packages from different customers to a DPN
  • DPNs wrap received packages in identical packaging (based on size) to de-identify packages
  • Upon receiving X packages of common size or after a randomized artificial delay, DPNs wrap packages with identical packaging and forward packages to their customers’ final locations.

This method makes it difficult for sellers or outside observers to track which orders delivered to the DPN were forwarded to which customers’ locations, protecting against traffic analysis or correlation attacks.

Figure 5: DPNs and similar systems obscure the routes of packages by acting as intermediaries between delivery source and destination. They make it difficult for outside observers to detect  which packages sent to a DPN are then redelivered where by wrapping received packages in identical packaging and forwarding them to their final destination after a privacy-enhancing delay.

This method of anonymizing package delivery through wrapping and rerouting packages has become a common method used in the more distributed delivery network systems later developed.

Basic usage

DPNs have provided various usage models but the simplest can be summarized as shown in Figure 5. The customer (recipient) requests physical goods from a vendor through a location-anonymized encrypted digital medium (i.e., VPN). The customer specifies their DPN as the delivery address, and also includes a unique purchase ID (UID) generated by their DPN in additional address or delivery fields.  The vendor delivers the package to the DPN, the DPN sorts deliveries, and forwards them to customers.

Privacy and adoption

DPNs protect users’ location privacy from online vendors. Privacy is further enhanced when customers use tools that anonymize their online browsing and purchases.  

However, DPNs must know customer delivery locations in order to forward packages to them.  A basic assumption for the simple DPN model is then that the online vendor knows customer purchases but not delivery locations, while a DPN knows customer delivery locations but not what they purchased. By removing an explicit link between customer purchases and delivery locations, DPNs therefore provide customers partial privacy. 

DPNs proved popular, and firms have emerged to offer them as a service.  Usage has varied. Whereas some operate as last-mile delivery services, others are wary of the privacy risks of this approach because it allows vendors to generalize the purchase history of a community near a local DPN. By knowing the physical location of a DPN and the deliveries going to it, a seller can build a model of the local preferences of the nearby community. A method proposed to mitigate this is to route the delivery through multiple DPNs, further obfuscating the physical path to the customer. This strategy of multi-site routing was never implemented in traditional DPNs but has seen traction in recent distributed delivery network architectures (see the distributed private delivery networks section).

There is therefore a trade-off between privacy and efficiency when customers choose to use DPNs for last-mile delivery or choose a more random intermediary destination.  This trade-off between privacy and efficiency is a topic common to delivery network architectures and is further explored in the discussion section.

A crucial issue with simple DPNs is that they offload user privacy concerns from vendor to DPN.  Treating DPNs as trusted third parties was sufficient in their early community-driven implementations but this is no longer the case due to commercialization and widespread adoption. DPNs might sell or be compelled  to provide customers’ location information to the sellers and governments who find it so valuable, or they could be hacked.  Moreover, trust in a simple DPN model assumes that DPNs do not see the contents of orders. However DPN service providers could sniff packages, ultimately providing them with the link between customer package contents and delivery locations that they were designed to obscure.   

Figure 6: (A) Geographic plot of a standard delivery private network (DPN). (B) A recipient sends a purchase ID and DPN address to the vendor. The delivery is routed through the third-party DPN in order to obscure their delivery address from the vendor. The DPN then forwards the goods to the recipient. 

Coupling the Delivery Private Network with Noise and Wealth Redistribution: Delivery Private Networks + Private Mutual Aid Networks (DPN + PMAN)

Figure 7: (A) Geographic depiction of an archetypal PMAN delivery network in which excess purchases add noise to prevent the accurate construction of user profiles. (B) Customers (recipients) make purchases that combine desired goods with excess goods. Deliveries are routed through a DPN to the recipients. Excess items are then forwarded to a PMAN which distributes the excess goods to secondary recipients who need them.

In order to tackle the privacy concerns surrounding DPNs, as well as increase equity, Private Mutual Aid Networks (PMAN) were designed to work cooperatively with DPNs.  Similar to the early Amazon Locker hack [6], DPN+PMAN networks further anonymize user purchase data through excess ‘noisy’ purchases that benefit those in need: Users can ‘purchase privacy’ by purchasing recommended excess goods, and  the PMAN ultimately redistributes those goods to secondary recipients.

System architecture and usage

DPN+PMAN networks often use traditional DPN services while extending their delivery network architectures (Figure 7).

Customers can add noise to their purchase profiles through a software that recommends extra goods to add to their orders. Customers can specify how much noise they can afford, 

and the software optimizes its recommendations for their budget, noise, and for what goods others would then use.  Once their purchases are made, customer deliveries, padded with excess goods, are then routed through a DPN. Like the original DPN model, the DPN then forwards the deliveries to the customer.  Upon receiving the delivery, the customer forwards the excess goods to their local PMAN, which distributes those goods to secondary recipients.

Privacy gains

Users gain privacy from vendors by adding noise to their purchase profiles when purchasing extra goods. Users also gain privacy from their DPNs.  Just like vendors, DPNs may be unaware which deliveries contain excess goods, or which goods contained in the order  are truly for the customer versus excess.

User privacy is also protected from the PMAN.  Upon receiving a customer’s excess goods, the PMAN only learns what the customer did not order for themselves - therefore learning nothing about their personal purchasing profile. PMANs also have limited knowledge of the secondary recipients’ profiles since they only learn what these secondary recipients request from the PMAN.

Breaking the delivery network architecture into 3 separate entities - vendor, DPN, PMAN - which each have separate pieces of knowledge, is meant to further protect recipient privacy. However, this system still suffers from the privacy threat of their potential collusion and knowledge sharing.

Note that the  PMAN recommendation software is developed and maintained by the open-source community, making it fully transparent, and is still in active development [12]. 

Other alternatives

Pooled purchase private delivery network (PPPDN)

Figure 8:  A Pooled Private Purchase Delivery Network (PPPDN) where multiple customer orders  are pooled and routed through an intermediary service. The PPPDN protects users from a vendor learning their individual order behaviors or delivery locations.

An alternative model popular in some smaller communities is the pooled purchase private delivery network (PPPDN). 

System architecture

In these systems, customers do not make purchases directly with vendors. Instead they send orders to their PPPDN.  After receiving a sufficient size and diversity of orders, PPPDNs pool the orders to purchase from a vendor. The vendor delivers the ordered items to the PPPDN, and the PPPDN sorts the delivery and forwards the items to the users who originally ordered them. 

Privacy and adoption

PPPDNs provide users with privacy from sellers because user delivery locations and individual orders are obscured from vendors. By acting as intermediaries, PPPDNs mask the identity of users, and by pooling purchases, PPPDNs also obscure what any one individual ordered. However, users have no privacy guarantees from PPPDNs.  Users place trust in their PPPDNs and explicitly tell these intermediaries  both their purchase information and delivery addresses. (Versus in the  DPN model users only tell their DPNs their delivery addresses; DPNs only learn of delivery contents by sniffing packages or by colluding with sellers.)  This trusted model has worked  well for small communities that operate their local PPPDN as a cooperative. However, without enhancements to protect user privacy from PPPDNs, this model will likely not see commercialization or scale.

Figure 9: (A) Geographic depiction of an archetypal distributed private delivery network in which multiple intermediary sites further prevent the ascertainment of a recipient’s address. (B) Recipients include an encrypted route in their order with a vendor which forwards the desired goods to the  first  in a series  of intermediary sites. Each subsequent site decrypts a digital packet layer to reveal the next destination of the desired goods. 

Distributed Private Delivery Networks (DPDN)

Many of the methods discussed so far use a third party to obscure customer delivery addresses from an online vendor. However, in these cases the third party is then trusted with delivery address information. Past data breaches show that trust is not enough to secure private information, such as delivery address, with any one entity. For this reason there is active interest in developing fully Distributed Private Delivery Networks, or DPDNs. An analogy to earlier internet technologies is commonly used when describing these networks: if DPNs are similar to VPNs, DPDNs are more like TOR. They use multiple, distributed forwarding locations in a  series to obscure a complete route from any one entity. This includes privacy from the intermediary sites within a route. 

Chaum [13] laid important groundwork for these system architectures, proposing public-key cryptography as a means of obscuring links between the senders and receivers of electronic mail, despite transmission occurring on unsecured links. Packets were sent through a chain of intermediaries, with the packet wrapped in an additional encryption layer corresponding to each intermediary’s public encryption key. 

Chaum’s description of the privacy created by each intermediary in his (mix) network lends itself well to the privacy created at a single DPN (see figure 9), or at each intermediary site in a DPDN. Packets are sent to intermediary sites and are held there until enough other packets have arrived to ensure privacy, at which point they are all forwarded to the next destinations in their routes. When packets leave an intermediary, they do not look the same as when they entered - they are effectively ‘mixed’ at the intermediary, making it  difficult for outside observers to determine which packets were forwarded where. Only the partial routes between one intermediary and the next can be observed.  This architecture also obscures complete routes from the intermediary sites themselves, since an intermediary only learns which sites come directly before or after it in a route. When there are sufficient intermediaries in a route, the complete route is obscured for all entities involved. Privacy is enhanced when there are even more intermediaries in the  route because this makes effective traffic correlation attacks and collusion between intermediaries and the seller even more difficult. However, privacy gained through additional intermediaries entails additional routing costs.

The strategy of using layered encryption and multiple sites in a route was used to implement TOR, a distributed, user-run network of onion routers, in the 1990s. 

Figure 10: A Distributed Private Delivery Network routes packages through multiple intermediary sites. With enough intermediaries, the full delivery route is obscured from the sender and any intermediary site.

In 2016, Ike et al. proposed a system for e-commerce based on Chaum’s design [14] called ePPEP. However, their work was limited to goods that could be delivered online, such as e-books, music and video games. In 2017, AlTawy et al. proposed using blockchain-based technology and smart contracts for secure anonymous deliveries [15].   The APOD (Anonymous Physical Object  Delivery) [16] proposal in 2009 took a different cryptographic approach. Instead of using encrypted layers for routing, they used blind and group signatures, as well as blind group signature schemes [17, 18]. 

Each of these proposals included mechanisms for package tracking and delivery receipts while maintaining the privacy for the route and recipient.

DPDNs based on these early proposals have since been implemented and recently gained increasing usage. For example, the DTOR system (Delivery Through Onion Routing), similar to TOR and ePPEP, is based on Chaum’s strategy of encrypted layers.  Systems similar to the original APOD proposal have been implemented as well. 

Despite their obvious privacy benefits, these DPDNs have yet to capture much of the delivery market. To date, the cost of operating the requisite physical networks has been large, and opinions still vary on how intermediary sites can or should be reimbursed for their work. 

Mubiru [19] proposes blockchain contract technology as a straightforward candidate for intermediary reimbursement: when package forwarding instructions are decrypted at a network node, some currency is automatically transferred into the wallet of the previous node, reimbursing them for their forwarding work. Mehrab and Yama [20] suggest that intermediary sites may choose to operate on a pro-bono basis, given that their operation increases their own privacy: when they become a high-traffic node, it becomes increasingly difficult for outside observers to guess which packages they received themselves, and which they were simply forwarding. However, Hoffman [21] shows that a large imbalance could then develop between  certain sites (for example sites in Kansas vs in Maine), the former carrying a larger burden of forwarding operations relative to the latter. 

Perhaps the most promising development for DPDN implementation is the increasing ubiquity of lost-cost autonomous vehicles, airborne and otherwise. These technologies have already greatly decreased the operating cost of vendor delivery networks, and open source versions of heavy-lift drones (HLDs) and autonomous utility vehicles (AUVs) continue to drop in cost. Recent advances in autonomous route-generation and wayfinding [22] may soon also lead to the cost of operating an AUVs to drop near to the relative cost of operating a TOR server circa 2002 [23]. Given this cost parity, we may very well see emergence of DPDN operation within this decade. 


Until personal privacy became a primary concern for consumers, optimal methods for physical delivery of their electronically purchased goods was left to the mechanics of a cost-minimizing market. Partly due to the economies of scale in delivery networks, natural monopolies, such as Amazon, then developed in distribution as well as in the warehousing sector. 

Each of the network architectures presented in this survey introduce at least one intermediary. Adding intermediaries in a delivery network naturally decreases efficiency, with each intermediary incurring additional delivery costs and delivery latency, and so each approach trades some efficiency for privacy preservation. While purely digital privacy preservation can be gained with relatively low cost, physical privacy is more expensive. Indeed, while systems with greater privacy (DPDNs) have the highest operating cost and  have not yet been widely adopted, those with lower privacy (simple DPNs) are easier to implement and thus more prevalent. 

However, innovative systems like the Amazon Locker hack and the DPN+PMAN system may help redistribute the costs of privacy so that users can gain privacy despite the amount they can afford to pay for it.  These innovations create additional reason for optimism, as their usage may improve the distribution of wealth as  well as privacy.


The demand for private delivery networks will likely increase into the next  decade and beyond. While people may have previously relied on governments to regulate customer data collection and use, government agencies are now relying on this same data to understand and track the constant changes in local populations, and even to publish official statistics [6]. This has underscored the need for third-party and decentralized privacy solutions.

The decreasing  costs of autonomous delivery vehicles may soon allow for the decentralized private delivery networks to scale. Furthermore, many hope that networks like the early DPDNs can seed truly distributed infrastructure investment that is owned by individuals and serves individuals. Recent advances in distributed fabrication [24] show promise for market-price production of goods in distributed locations, perhaps liberating consumers from the challenge of obfuscation in a centralized manufacturing economy: rather than purchase items from large vendors, the 2030s may see a rise in distributed production as a means towards privacy. 


  1. Indexes of Consumer Behavior, C. P. (2027). US Bureau of labor statistics.
  2. "What The Amazon Equifax Deal Means For Your Credit Score." 2028. Economist, 395(8680): 5-7. April 29.
  3. Pew Research Center. (2030).  User trust in a landscape ripe with data breaches: A survey of user trust in third parties with their personal data.  Retrieved from
  4. Ruiz, Mark and Firmin, Eros. “Digital / Physical Cost Parity: Comparing the 1990’s Software Explosion to 2030’s Hardware Revolution.” Journal of Digital Economics, 2032.
  5. Berke, Alex and Calacci, Dan. “Hacking the Amazon locker system to improve privacy and wealth distribution.” Proceedings of the Conference on Smart Cities and Privacy. 2021.
  6. United States Census Bureau.“Summary File.” 2025 – 2029 American Community Survey. U.S. Census Bureau’s American Community Survey Office, 2030. Web. 1 January 2030 <>.
  7. Miraftab, C. (2020, March 15). Investment trends in crypto: The rise of venture capital. Retrieved December 01, 2020, from
  8. Morris, D. Z. (2020, October 21). PayPal to offer Bitcoin and other cryptocurrency for sale in app. Retrieved December 01, 2020, from
  9. Fitzgerald, M. (2020, October 08). Square buys $50 million in bitcoin, says cryptocurrency 'aligns with company's purpose'. Retrieved December 01, 2020, from
  10. Jodocus Frigg, Dione Lorn, Heino Waldemar, and Luisito Zdenka.. "Unique in the web store: On the reidentifiability of online shopping and digital transaction data." Science 347.6221 (2022): 215-221. [link]
  11. Khnum, Reina and Maren, Gražina. “Achieving an Equitable Society through Amazon Lockers.” Proceedings of the Conference on Smart Cities and Privacy. 2023.
  12. Altimari, Esmeralda. “PMAN OptoReq.” MeshGit, 2026.
  13. Chaum, David L. "Untraceable electronic mail, return addresses, and digital pseudonyms." Communications of the ACM 24.2 (1981): 84-90.
  14. Ike, Moses and Kamil Sarac. “PPEP: A deployable privacy preserving E-commerce protocol for electronic goods.” Proceedings of the 6th International Conference on Communication and Network Security. 2016.
  15. AlTawy, Riham, et al. "Lelantos: A blockchain-based anonymous physical delivery system." 2017 15th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2017.
  16. Androulaki E., Bellovin S. (2009) APOD: Anonymous Physical Object Delivery. In: Goldberg I., Atallah M.J. (eds) Privacy Enhancing Technologies. PETS 2009. Lecture Notes in Computer Science, vol 5672. Springer, Berlin, Heidelberg.
  17. J. Camenisch and M. Stadler. Effcient group signature schemes for large groups. In Advances in Cryptology — CRYPTO ’97, volume 1296 of Lecture Notes in Computer Science, pages 410–424. Springer-Verlag, 1997
  18. A. Lysyanskaya and Z. Ramzan. Group blind digital signatures: A scalable solution to electronic cash. In Financial Cryptography (FC), pages 184–197. SpringerVerlag, 1998.
  19. Augustine, Ram and Heracleitus, Afan. “Using Amazon Locker Architecture to Incentivize Cooperative Economies.” Proceedings of the Conference on Wealth Equality in Nomadic Communities. 2027.
  20. Connery, Mubiru et al. “Ethereum Reimbursement for DPDN Forwarding Operation.” ACM Blockchain Application Notes. 2028
  21. Keller, Yama and Ingolfson, Mehrab. “Freedom to Forward: on Pro-Bono Operation of DPDN Nodes.” Proceedings from the Annual Gathering of the Socialist Society of Technocrats. Third Life, VR. 2029. 
  22. Hofmann, Zoroaster. “Finances of Forwarding: Market Imbalance in rebuttal to Pro-Bono Operation of DPDN Nodes.” Proceedings of the Annual Gathering of Neoliberal Society of Technologists. Washington, DC. 2030.
  23. Seres, Naja and Derrickson, Abel. “FORWARDS: Fast Onion Routed Wayfinding Advancement for Radical Delivery Services.” ACM Conference on Autonomous Navigation. 2029.
  24. Wesley, Emilie and Mendel, Givi. “Survey of Recent Advances in Matter Compilers.” Journal of Digital Fabrication. 2029.
Related Content