
FWIW I think you should not have done that, though I understand the temptation.

At the first indication that the data was not what you requested and contained more than you - or they - bargained for, you should have stopped looking at it and alerted both the sender and the relevant data protection authorities, insofar as those are a functioning entity where you live, to tell them they have an 'accidental disclosure' on their hands. Essentially your blog post documents something that is pretty strong proof you are not able to deal with confidential information properly.




Fair. Though, in my defense, the last time I tried to report a similarly large leak (completely different circumstances), it wasn't until I was very explicit in what I found that the report was taken seriously and sent to the appropriate place. Otherwise, I think reports like this are just added to a pile of other complaints.

In this case, it took about a week for them to take it seriously. Like last time, it wasn't until I was explicit that they took it seriously.


If someone accidentally sends me information I owe them no duty of confidence. I'm under no obligation to notify them. It is entirely their problem.

The idea that the OP is at fault for looking at data which the city had already published has no basis in law.


> If someone accidentally sends me information I owe them no duty of confidence

This simply isn't true. If someone accidentally sends you information that you know you shouldn't be privy to, you should delete it. Unless perhaps you are Nelson Muntz.


Ethics aside, ideally you're right. In reality though you're wrong, because you just described a key function of the CFAA.


The city sent him a link with the intention he would download it, and he did. There's no crime there.

Having legally downloaded the data he looked at it. There's no crime there either.


Just curious, are there established guidelines that are broadly accepted and that lay out how to proceed? Or is it really just down to the "I think you should" on Hacker News? (No snark intended here.)


Accidental disclosure is a gray area, and once you are aware of it being an accidental disclosure you will want to make sure that you do not make things worse through your actions.

There are a number of moving parts here:

- The disclosure was clearly not the intended result

- The recipient could - and in fact did - realize this

- The recipient was in contact with the sender

- The recipient had some easy means to redress the situation

Given all of the above, if you then dig in and start looking at the data I think you are crossing a line. At a minimum a legal professional should have been consulted before further examination of the data, once it became obvious something was wrong.

In the end it would have been down to a judge to decide whether that crosses the line in a criminal sense, but I would be loath to find out the hard way. Pick your battles and all that.


If all that information is available in plaintext to the relevant IT department, does it really matter that one other person is party to it?

I guess if all that is in those records I’m going to commend the Seattle IT department for their ethics at least.

It’s amazing what people think they can put in emails/messages and have stay secure...


There is a huge difference between releasing the information to the public and having IT workers under NDA with the ability to access it. And depending on their set-up that could be a lot harder than it might seem from the outside. Though, in truth I doubt it was set up properly, but absent evidence we can't make assumptions either way.

One citizen's communications with the city should not automatically result in disclosure of the fact that that person communicated with the city to other citizens.

The fact that a communication took place is in itself information, and correlated with things like timestamps and who in the city was contacted, a large amount of sensitive information will leak out.
