
I'm very surprised they gave out this information. I'm not talking about the mistake, I mean the actual request. In the UK I don't think you could even get a production order for this. Like, it's effectively getting Communications Data simultaneously against thousands of people not suspected of any crimes??

Like, do people know that by emailing their local government their email address is now free for scammers to request under FOI? Could I request this data myself, then start emailing them scam emails "I know you contacted us in June, could you call me on 555-1223 etc"

This seems totally against the spirit of FOI.


The Washington State Public Records Act, which this request was made under, states its spirit very unambiguously:

  The people of this state do not yield their sovereignty to the agencies that
  serve them. The people, in delegating authority, do not give their public
  servants the right to decide what is good for the people to know and what is
  not good for them to know. The people insist on remaining informed so that
  they may maintain control over the instruments that they have created. This
  chapter shall be liberally construed and its exemptions narrowly construed
  to promote this public policy and to assure that the public interest will be
  fully protected. In the event of conflict between the provisions of this
  chapter and any other act, the provisions of this chapter shall govern.
http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.030


Beautifully put. This information is _there_ whether we like it or not. I’d rather have as much access to it as a government employee than none at all.


I have never assumed that an email address I gave the government would be protected. I would also not assume that the contents of any email I sent would be in any way protected either. The government is collectively owned. Your police record, where you live, who you're married to, and whether or not you voted last election are publicly available. I would rather all of that be protected in some way, but I think it's common knowledge that a lot about you is made public to anyone who wants to walk down to the courthouse. In fact, if you want to take a trip to Hawaii, you can drop in and see a copy of Obama's famously "missing" birth certificate. I am rather shocked that credit card numbers are being emailed about.


> Your police record, where you live, who you're married to, and whether or not you voted last election are publicly available.

This is highly country specific. For the marriage record, I checked the laws in Germany, and (except for your own records) you have to present a "legal interest", which seems to be stricter than a "legitimate interest" (i.e. probably you need the information to enforce your rights, not just because you want to do genealogy). I'm pretty sure the others would count as particularly sensitive personal data too.


In the UK, as far as I know, of those only marriage records are open. Police records can be obtained by your employer, but even then most minor (sentence less than 4 years) offenses are eventually considered spent and not disclosed to most roles. The electoral roll (addresses) is open by default, but you can opt out (though it can still be used for certain narrow purposes), and as far as I know there is no way to check if someone voted (I've never heard of it happening, and searching doesn't give any information about it).


You can opt out of allowing use of the electoral roll for marketing - you can't opt out of political use.

You can also not be on the roll, but you can't vote in that case.


Maybe you need the GDPR.

When governments in the EU started digitizing their data like 20 years ago, it used to be that lots of personal data would end up published on official websites, either in the form of scanned PDFs that Google would gladly OCR and index, or in directly readable formats. Since then, the EU has cracked down on all of that, and you can no longer search for someone's phone number in order to get their full name, address, date of birth and ID. Even data that was available just 10 years ago has now been removed.


GDPR largely does not regulate what governments do with data.


Except the GP is talking about explicitly public records, not private records that were inadvertently published.

(Ignoring that the GDPR doesn't even apply to governments)


> I have never assumed that an email address I gave the government would be protected. I would also not assume that the contents of any email I sent would be in any way protected either.

I have similar assumptions, but what about the less technically inclined citizens?

Moreover, I wouldn't be surprised if the ploy described by the OP:

> Could I request this data myself, then start emailing them scam emails "I know you contacted us in June, could you call me on 555-1223 etc"

would work on me. Really, it would take me checking DKIM and/or SPF to notice such an email. And from this story it seems likely the city of Seattle doesn't actually implement DKIM or SPF.


DKIM and/or SPF can be a liability if you want to accept everyone's email. Only use if filtering is more important.


> I have never assumed that an email address I gave the government would be protected. I would also not assume that the contents of any email I sent would be in any way protected either.

That's because you're not corresponding with case officers and police officers.


Note that human services & the police dept. did not respond. Likely because they are exempt from foia requests.


Similar story.

I worked at a polling company out of college owned by a Standford professor. My first task: After a poll is finished online, match that with voter records (using emails and addresses).

My first question was: "Well, that is a cool idea, but there is no way the government would release a huge database of every California voter and their party affiliation. Let alone that the users entering online poll information would extend that database to include their actual vote. There is no way this is possible... right?"

Standford professor's response: "Do you want it in CSV?"


Voter registration is considered public information in many states. Some states even provide the entire database on their website to download. However, voter registration does not include who a person voted for in an election. You are free to augment the database with your own data, of course.


I don't even understand why party affiliation is tracked by the state. What's that good for other than entrenching the two party state? Parties should have their own member lists.


There are states with ‘closed primaries’, where certain elections are only open to registered party voters - ie a Democrat would not be allowed to vote in the Republican primary and vice-versa.

This, and ‘because that’s how we’ve always done it’ are probably the main reasons party affiliation is part of voter registration.


If a party wants to hold a closed primary, can't they do that themselves without help from the government? Why would the government be involved in a party-internal election?


It always interests me how much of the US electoral system is just obviously completely broken from the perspective of outsiders, and it seems strange that people within the US see procedures like this and view them as normal and legitimate.


I'm curious what you see as "obviously completely broken" about the current primary process. Previously, party candidates were chosen via convention, which effectively left the selection process to party elites.


Deleted my previous comment as it didn't directly address your question. I don't know all the history behind it, but in terms of "can", I'm assuming that no, parties were unable to effectively hold a closed primary in a way that was well-run and accessible. And a poorly run primary vote defeats the purpose of having any primary in the first place. Using the state infrastructure and schedule makes the voting process much easier for the average voter, without being a burden to the state political parties.

As to "why" the government should feel obligated to subsidize the process -- because the government has the ostensible goal of facilitating fair and proper elections, and presumably the primary process -- which is not Constitutionally-enshrined -- is a net benefit to the general election, at least compared to selection-by-party-convention. In the future, political parties may decide that it's better to have open primaries, but that's orthogonal to the government providing the voting infrastructure and logistics.


Mostly for primary eligibility. It also allows for things like ensuring that poll watchers etc. are available in an equitable way.


Why is the state getting involved in primaries? That should be the parties' business. I think there should be no public record of party affiliation.


Primaries aren't enshrined in the Constitution, but they became state business in the 1970s because there was a desire to let the average voter have more say in the selection process, which had previously been done via party conventions.

https://www.washingtonpost.com/news/monkey-cage/wp/2015/05/1...


I would prefer going back to party conventions instead of the endless campaigning :-)


Either way it boils down to $ spent to “win” the nomination. Whether it’s spent on advertising or back room wheeling n’ dealing it’s just money spent.


My (very uninformed) guess is that this is cultural. When democracy spread, Europe already had a good system of tracking people. The church was keeping records of every family for hundreds of years already. In contrast, the USA is a country of immigrants where new people without a history came in all the time. Tracking who votes where could not rely on an established system.


Voter registration is fine but why track party affiliation?


>However, voter registration does not include who a person voted for in an election.

Many include

1) Last time you voted

And

2) what your party affliction is


I'm personally afflicted by both parties.


Yes, though neither of those include who you actually voted for.


Reflect on the fact that 'didn't vote recently' is being used as we speak to suppress voting in the upcoming election. For non-US readers, every state has a Secretary of State who, rather than doing any kind of foreign affairs work like the federal office of that name, primarily oversees paperwork and particularly elections. These Secretaries of State are elected offices and highly politicized, since officeholders can heavily impact the conduct of elections. In Georgia, for example, one of the candidates for Governor is currently Secretary of State, and has put the eligibility of tens of thousands of voters into question in a way that just happens to massively impact likely voters for his opponent.


I agree, and in that context, having name, party affiliation, and last_voted_at be public record would be the only way for an independent organization to gauge the impact per party of the disenfranchisement.


Standford?


Great name for a scam for-profit, online institution, don't you think?


Yes, you are as far as I can see correct. The request should have been rejected as overbroad and against data privacy laws (in so far as they exist), or the purpose of the request could have been verified and then they might have seen whether or not there was another way to let the requester do their work without giving them the data they requested (see another comment of mine for one suggestion).


That's not how FOIA works. It's a good thing too. Government employees almost always fight FOIA requests. There aren't many subjective tools (e.g. overbroad) and you're certainly not required to say why you're making the request.

Data privacy laws in the US are unfortunately minimal. The bigger problem comes from imbalance -- if the government and corporations have lists of names, people need them to in order to be able to work together and organize.

If you don't think this information should go out in FOIA requests, the tool to accomplish that is data destruction. Government could wipe old emails once no longer relevant.


Email is really difficult because retention law and regulation is based on a topic.

To meet federal requirements, information about procuring equipment with certain grants must be maintained for 10 years. Caseworker notes for a minor who is a ward of the state may be required to be kept for 20 years after the 18th birthday.

If a record is deemed in scope and topical, an employee could be committing a crime by deleting that email. As a result, the easy answer is retain.


Commercial organizations at least are known to implement maximum allowed retention strategies, such as having their staff not keep archived email beyond three months, presumably so it doesn't embarrassingly show up when it's legally unfavorable. Not quite the same, but along the same lines.


No, the Washington State law does not allow for agencies to reject requests on the basis of being overly broad or against data privacy laws. There are specific exemptions (e.g. library records), and for records that may contain personal info (like someone emailing the mayor and including their own credit card number), it is up to the agency to redact such info. However, the agency can charge the requester for that work.

Moreover, the requester is not required to give a reason for the request.

https://www.muckrock.com/place/united-states-of-america/wash...

https://www.rcfp.org/washington-open-government-guide/ii-exe...


Ok, so in that case redaction would have been the way to go here. But the request as it is actually harms the privacy of large numbers of individuals which is not what the FOI laws are supposed to be used for.

Also, of course Seattle could reject the request, they could simply say: "Without an explicit court order to release this information we will not do so", and that would be that. It would then be upon the petitioner to ask the courts to force the release of the information requested, if the petitioner felt his rights had been violated. In the present situation the city is opening itself up to liability because of the privacy of all the people they have exposed (and more so because of the mistake). FOI does not mean 'every piece of data the government has should be released to the requester', the goal is increased transparency of government, not privacy violation of citizens using the FOI requests as an end-run around any kind of privacy law.

There is a tension between those two and typically the legal branch will determine where exactly the line is, when in doubt: go to court.


But Seattle cannot summarily reject the request -- they have to follow the law, and the law does not require FOI requesters to get an explicit court order, e.g. a subpoena, for this information or for any other valid request. I mean, yes, the city of Seattle could try to reject the request, and the requester could sue and win in court after the judge finds that the city acted illegally. But that's like saying Seattle police "can" just arbitrarily arrest and imprison people, and fight the subsequent lawsuits.

Because the FOI law exists, the city does not open itself to liability in releasing records, except when it accidentally releases records that are mandated to be private, which I'm not even sure is the situation here.

Increased transparency is almost always a tradeoff with privacy. I don't disagree with you that the law may be abused for commercial or malicious intent, but it is up to the legislature to propose a bill that curbs FOI. Until then, the government cannot just deny valid requests because they don't approve of the requester or the requester's purported motives.


> which I'm not even sure is the situation here

That's the key bit right there. So, if you are not sure - and they are also not sure - then they could ask for a ruling before releasing. Err on the side of caution is good practice when it comes to releasing data.

I just looked at the dataset and it is full of information that I would normally consider to be private; which private citizens contact which government officials, and when, is in principle not something that should be disclosed to all callers in a format of their choosing.

What's to stop you from asking for stuff that infringes other people's privacy? I'm all for a more open government but 'anything goes' FOI requests are only a little bit less dangerous than non-transparency.

There is some middle ground to be found here.


Sorry, what I'm not sure about is whether an agency is liable if it releases exempt information. Exemptions allow an agency to deny a request, but the agency still has discretion whether or not to follow the exemption.

> So, if you are not sure - and they are also not sure - then they could ask for a ruling before releasing. Err on the side of caution is good practice when it comes to releasing data.

Again, that is simply not how the law works. Some years ago, elected Washington state legislators and the governor decided the law should make these tradeoffs between transparency and privacy. And until subsequent legislators get together and decide otherwise, that is the law of the land. Washington government agencies do not have discretion to reject requests based on requester identity or motivation, period, nor can they make up their own reasons for exemptions.

The "middle ground" has already been decided -- that's ostensibly how the law got written and signed in the first place. Your line of argument would allow literally any government employee to make arbitrary rejections -- the law was codified to prevent exactly that situation.

Your concerns are no different than concerns raised about freedom of speech and the press (and of course, the right to bear arms, but let's not follow that tangent for now) -- e.g. "I'm all for people being able to express themselves, but what if those people say incredibly hurtful and damaging things?". The legislature can pass laws that limit those rights (e.g. defamation laws), and courts interpret whether those laws follow the Constitution, but it is not up to the executive branch (i.e. government agencies) to ignore the law because they disagree with it.


> based on requester identity or motivation

No, but they should decide based on the data requested. And in this case the data requested is none of the requester's business since it involves the privacy of other citizens.

Which definitely could be in contravention of other laws and in cases like that judges usually get to decide which weighs heavier. If I were a civil servant faced with a request that releases information that I felt would infringe on some other law I would definitely not decide to be the one to make the call and release it without a sign-off.

There isn't just one law at work here.


> they should decide based on the data requested

I agree with this -- of course a request can be rejected if it requests something that is explicitly exempted in the law. The metadata of emails to public agencies is currently not exempt from Washington state law.

> And in this case the data requested is none of the requester's business since it involves the privacy of other citizens.

OK, but that is not your or the state government's decision to make. The law does not allow for the government to make a unilateral judgment on whether something is "none of the requester's business" -- isn't it patently obvious how this could be abused?

> If I were a civil servant faced with a request that releases information that I felt would infringe on some other law I would definitely not decide to be the one to make the call and release it without a sign-off.

Sure, if you don't know the law exactly (most employees don't), then you consult your agency's FOI officer, who would then tell you whether the request is valid. If it is valid, and you decide to reject it anyway, you'd probably be fired (I don't think most state FOI laws provide criminal penalties for violating FOI).

I'm not a Washington historian, but I'm assuming the FOI law was passed because legislators had actual scenarios and use-cases in mind. For example, being able to request the emails sent and received by a government employee is useful if you want to know who contacted that employee about an issue, such as a regulatory enforcement action. Maybe there are clear-cut cases where a received email is obviously not work or issue-related, such as emails from that employee's mom. But what if the mom is herself a lobbyist or other influential official? Or how about an email from a guy talking about going golfing and getting a few beers? Is that just personal? What if the guy emails every week about going golfing on his dime, and the guy happens to be a businessperson waiting for regulatory approval on some project?

Apparently, the myriad of ways for unwanted behavior to be expressed via email are so plentiful that legislators decided to err on the side of transparency, because it would be too easy for officials to shut down requests and deny transparency all but to those with the means to sue (usually, corporations and journalists). It is not up to a civil servant to decide otherwise; likewise, the law protects the civil servant from liability for following a lawful request.


Say an ex finds the new address of a former partner then goes around and shoots them dead.

BTW I am not being hyperbolic here there was a case where this happened when I worked for BT - someone as a favor looked someone's new address up for a friend which resulted in a murder.


The scenario you propose is possible through using Google, and/or many other services that collate public records of people's names and addresses. Try Googling your name and one of your cities of residence some time.

> someone as a favor looked someone's new address up for a friend which resulted in a murder.

A government employee who looks up someone's address for a friend is not covered by FOI laws. Just as FOI doesn't protect cops who use the DMV database to look up other cops they like/hate:

- https://www.wired.com/2012/11/payout-for-cop-database-abuse/

- https://www.sun-sentinel.com/local/broward/fl-pines-police-o...


And if the state government employee freely just hands out massive amounts of personally identifiable information due to a FOI request, this is somehow better?


FOI is a law mandating these public records be provided on request -- with various exemptions and allowances for redacting information that could be reasonably seen as a violation of privacy. It's not about being "somehow better", because legislators have deemed that bureaucrats cannot be trusted to decide whether transparency is a good thing.

Consider the example you brought up -- it is against the law for a state employee to send a friend that kind of information, and I imagine that that law exists because politicians feared that kind of murderer scenario. How exactly does that murderer use a cache of email metadata and redacted messages to go after his victim?


I mean, real estate records are public information and real estate transactions are even republished in the newspaper on a weekly basis...


I have filed both US and UK FOI requests. (But I am not a lawyer.)

I think you are right in the UK. The US law is different and seems to allow this sort of broad request. I have been told before when filing in the US that others may request my contact information, and I have seen lists of FOIA requests received via the FOIA including contact information for requesters.

In the UK, requests need to be fairly narrow as I recall. And the time frames in which the request will be processed are also narrow: 20 business days as I recall. If it would take longer than that you probably would be asked to narrow the request. This is good for me as I typically request individual documents, not huge swaths of data. I requested a classified UK technical report and received a redacted copy within a month as I recall. Much faster than in the US.


> do people know that by emailing their local government their email address is now free for scammers to request under FOI?

Florida, which has fairly broad open records laws, at least makes this extremely clear:

http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Displ...

> Any agency, as defined in s. 119.011, or legislative entity that operates a website and uses electronic mail shall post the following statement in a conspicuous location on its website:

> Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.


Why is it like that? Do they give out your phone number or postal address if you contact them via those channels?


I suppose they treat e-mail addresses as street addresses. Public and not tied to anything else by default (you know it exists but not who it is assigned to).


The answer is that no, that request should not be filled, and certainly not in that way.

From a FOI POV, email is tough because it straddles a line between “record”, deliberative material and conversation. Everyone hates sharing email because it is always trouble.

In this case, they didn’t have a good process in place and nobody did a privilege or other review. The hint there is the police material — most police records are trivially made exempt from foi in most places.

But to your point, there are many categories of communication with government where there is literally no expectation of privacy. If you email the zoning board something, you should fully expect to see the entire email in a public record somewhere.


The part I found even more strange is that people are sending their credit card numbers and other personal information through e-mail...


In practice, the bad guys are not getting credit card numbers by monitoring unencrypted plain text email connections. They're doing it by getting the information in bulk straight out of databases at the destination (either by hacking or by getting unscrupulous employees to sell them data dumps). My opinion is that the risk factor in sending a CC number over email is much smaller than the risk of giving it to the destination organisation in the first place. And even if you do get unlucky, as a consumer you don't usually end up out of pocket for fraudulent transactions on your card.


I think it's very hard to anticipate how every given person in a large population uses communication tools. When former Florida governor Jeb Bush began his campaign for presidency, he released all the emails he sent/received as governor. This is something mandated by Florida's very open public records laws:

https://www.theverge.com/2015/2/10/8013531/jeb-bush-florida-...

As it turned out, the cache of thousands of emails contained things that are hard to anticipate. Including people emailing their SSN, or talking about their employment/medical issues; the former is possible to filter out computationally, the latter would require manual review and judgment. Bush was criticized, and in response, he took down the emails temporarily until employees could clean them up. But AFAIK, he didn't do anything illegal, because he mirrored exactly what was available from the state official archive which, again AFAIK, did not alter its copy.

This is similar to AOL's release of its search logs. It thought anonymizing user identities would provide anonymity, but they did not realize that some users write very personal things into the search box: https://en.wikipedia.org/wiki/AOL_search_data_leak


Are you really shocked by this? I guess you have never worked on a corporate email system! People do this all of the time.

1) They don't realise email is not secure

2) When you explain point 1, all of the other solutions seem like too much hassle so they email anyway.

3) You can tell your customers not to email you CC numbers, you can even refuse them, but they will keep sending them


...and if you provide online chat with customer support or sales, people will send credit cards in that too. If you have customer accessible support ticket submission system, that will end up with credit cards too.

The Payment Card Industry Data Security Standard (PCI DSS) that you have to agree to follow in order to be allowed to process credit cards requires secure storage of all the cards you store--not just the cards that you intended to store or just cards that come in through channels you intended for receiving cards.

This is a serious issue to take into account when choosing your chat system, ticketing system, and email system because you can't just ignore those wayward credit cards. If you choose systems whose developers did not consider this and failed to provide good tools for finding and redacting unrequested, unwanted sensitive information you will end up having to hack such tools into the system yourself.


That is a very good point


Or they think it's an acceptable risk... $50 liability limit.


That's the thing with credit cards. The merchant always ends up paying.


People laugh at most DLP solutions. I know I used to. But then, I used to think the target was smart people trying to exfiltrate data.

But then I implemented one on a busy mail system, and I started seeing credit card numbers very regularly. I mean, consistently. Even after people have been told why their emails are being bounced and no, I give an "ETA on when it will be fixed".
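Both the PCI DSS comment above (card numbers arriving through channels never meant for them) and the DLP bounce described here come down to one check: spotting a card number in free text without flagging every long number. The following is an added example, not code from any commenter; it pairs a digit-run pattern with the Luhn checksum so order references and phone numbers fall through, and returns a bounce/deliver verdict plus a redacted copy. The sample message is constructed; 4111 1111 1111 1111 is a widely published test number, not a real card.

```python
import re
from typing import Dict, List

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run. This is the broad candidate net.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(raw: str) -> str:
    """Strip the separators a sender may have typed between digit groups."""
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> List[str]:
    """Return candidate digit strings that also pass Luhn. Long order numbers
    and similar digit runs that merely look like a PAN fail the checksum."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid candidate, keeping only the last four digits so
    staff can still reconcile the message with a payment record."""
    def mask(m) -> str:
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return m.group(0)        # not a card number: leave the text alone
    return PAN_CANDIDATE.sub(mask, text)


def scan_message(body: str) -> Dict[str, object]:
    """Decide what a mail or ticket gateway should do with one message: bounce
    it if it carries a PAN, and produce a redacted copy safe to archive."""
    pans = find_pans(body)
    return {
        "pan_count": len(pans),
        "action": "bounce" if pans else "deliver",
        "redacted": redact_pans(body),
    }


# Constructed sample message (not real mail). The Visa test number passes
# Luhn; the 16-digit order reference on the next line does not.
SAMPLE_EMAIL = """From: resident@example.org
Subject: parking permit renewal

Hi, please charge my Visa 4111 1111 1111 1111, exp 03/27.
Order reference 1234567890123456, call me on 555-1223 if needed.
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL)
    print(result["action"], result["pan_count"])
    print(result["redacted"])
```

The Luhn filter is what keeps a gateway like this usable: on the sample above only the Visa number is bounced and masked, while the order reference and phone number pass untouched.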


It's not strange. I too send my CC number and personal information through email because I consider the risk sufficiently small. Likewise, I told people who want to send me this information to just use email.


Imagine you are a secretary working at a company where HR is physically located across the country. HR needs you to fill out "Government Form 27" which requires personal information.

You fill out the form, how do you transmit it back to HR? You're probably going to email it. Very few companies have a "secure document transfer system" and very few people understand the risks of emailing personal information.


> Could I request this data myself, then start emailing them scam emails

Yes, bad actors can find malicious uses for a dataset. Not sure what that has to do with FOI. Are you suggesting that people who email the government expect their email to remain private, even as that email may be forwarded to a number of agencies and employees?


Using FOIA data for marketing is not legal in the USA.

It is done but not legal and hard to prove.


Some state laws do not restrict commercial usage [0] and AFAIK, there is nothing in the federal FOIA law that prevents using information for marketing or other commercial purposes. That wasn't my point, though. The parent commenter talks about the potential danger of phishers using public data as being "against the spirit of FOI". Yes, I agree that using FOI to find info that facilitates a crime is not FOI's intended use case. But the potential drawback has not been determined by legislators to outweigh all the potential benefits of transparency.

[0] https://www.mcall.com/news/watchdog/mc-nws-open-records-busi...
