One of the issues that those of us who log or compile data breaches and privacy breaches have often debated is what to do with breaches that involve “only” names or names and e-mail addresses.
There are those who would argue that such incidents are not really a huge deal as they are unlikely to lead to identity theft.
There are those who would argue that such incidents are not really a huge deal because names and email addresses are often publicly available as “directory” information in different types of directories.
Many would acknowledge, though, that there are times when even “just a name” in a particular context could potentially harm an individual. As one example, having one’s name exposed on a list of HIV clinic patients could be socially devastating or cause other problems for employment. Similarly, having one’s name exposed as a member of a political organization could be embarrassing depending on the organization and the individual’s public position or statements.
Context matters in a discussion of privacy harm. And sometimes, a breach that may not seem particularly harmful at one point in time, may be viewed differently later.
In February 2009, Ryan Singel reported that a leak of 58 WikiLeaks’ donors email addresses had been published to the WikiLeaks site after the organization had sent out a fund-raising appeal that revealed donors’ email addresses to each other. One of the recipients subsequently submitted the email to the site as a leaked file, perhaps to test the organization’s commitment to revealing leaked documents submitted to it.
The links in Ryan’s story to the files no longer appear to be working, but today Cryptome posted evidence of a second email from that same time period, involving 104 donors’ email addresses. John Young, who has been critical of WikiLeaks after initially offering it some support, redacted the email addresses before posting the email, and raises the question as to whether these email gaffes might have been intentional – to show donors that they there were part of a larger group.
But as sensitive as it might have seemed to some in February 2009 to be seen as a supporter of WikiLeaks, the question of whether the February 2009 exposures were truly accidental or an intentional decision on WikiLeaks’ part gains new importance because WikiLeaks became the target of a criminal investigation by the Department of Justice.
Have those whose names were exposed as donors suffered any harm or potential harm as a result of WikiLeaks’ revelation of their email addresses in 2009? Could they?
Could a list of email addresses provide some missing piece of datum that would permit other databases to be more accurately combined to reveal the identities of individuals who may have thought or hoped that they had achieved some degree of online anonymity or pseudoanonymity?
There have been a number of hacks of email lists recently. Many involve customer email lists and many do not involve passwords. But given that people often re-use the same username for various purposes, is it time, perhaps, to view breaches involving “only” names or email addresses a bit more seriously in terms of potential privacy harm?
Did WikiLeaks play fast and loose with their donors’ privacy? Was it really accidental that they sent out at least two emails during the same time period that revealed donors email addresses and/or names? And if it was an intentional decision at the time that they misrepresented as a mistake, do they regret it now?