Your Email Address Isn’t as Private as You Think

It’s almost football season again. Crisp fall air, bright blue skies, half-grilled/half-frozen brats, cold beer and the slow march of despair from week one to week seventeen that every Cleveland Browns fan experiences—at least this year with the training camp injuries and suspensions, we’ll get a head start on that journey. It also means a plethora of unsolicited emails from companies who scraped my email address off the Cleveland Browns’ website to offer me a myriad of NFL branded products – ranging from the useful (inflatable tailgate chairs with TWO cup holders) to the obnoxious (officially licensed vuvuzela/cowbell combo instruments for the football fan you already hate). We understand that email marketing is an effective tool to reach potential targeted customers. But we also know that a Wild West mentality toward email addresses doesn’t benefit anyone who wants to sell their product, services or even candidate when there’s a high level of competition for audience’s eyeballs.

With that thought in mind, I was extremely disappointed to come across a Minnesota Public Radio article about our state’s Data Practices Act and the lack of privacy for email addresses. The Minnesota Data Practices Act (DPA) deals specifically with access to government data and the presumption that government data is accessible to the people, much like a state level Freedom of Information Act. While I highly recommend everyone read and think about the article, the short summary is that an individual recently requested the email addresses of people from a number of cities who signed up to receive alerts about local government happenings. It revealed that based on the DPA, the information is considered public and cities are legally required to disclose the email addresses to the requestor. There’s only speculation as to why these email addresses have been requested. However, since the person asking for them is married to someone running for political office, campaigning is probably a safe assumption. But what if he wants to sell them? Or operate a very focused local phishing scam? Or in requesting all of those email addresses he is able to find the one he wants for other nefarious purposes? In this instance, I highly doubt that is the case. However, as Mat Honan discussed in Wired, it doesn’t take a whole lot of data for a pretty vicious hack to occur. If a previously undisclosed email address can be coupled with just a few other pieces of an individual’s data, a whole Pandora’s Box of private information can be opened up.

Now that I’ve gotten my scare tactics out of the way, this is really a question of state policy and its relationship to openness. One would hope our legislators would err on the side of caution when it comes to divulging people’s electronic information. That said, the reason we have the DPA is to prevent the government from hiding its doings from the public. Specifically then, legislators have chosen to exclude specific types of information as protected and then assume anything not explicitly protected is open for disclosure. That’s the rationale in this scenario, since personal email addresses aren’t excluded, they aren’t protected from DPA requests. Cities then have no choice but to comply with the DPA. So while I might wish the state would be judicious with access to personal data, there’s a very real reason the DPA supports the ability to disclose/supply more information rather than less. On one hand, it’s a question of privacy, on the other it really gets to the modern technology question of time, money, effort and accountability related to using government collected data. Let’s frame the problem this way. If I want to reach out to an entire community of people (say 5,000), there’s a cost associated with each attempt to contact every person. Be it making phone calls or the printing and postage expense to send a mail piece, there’s time, effort and money baked into each contact attempt. Email is a little different. If you are doing the deployment yourself, you have time and money spent on the software, designing the email and setting up the email list, but after that, costs drop significantly with each deployment. It’s a lot cheaper to send an email a day to a list for ninety days than it is to send a postcard daily over the same time period. It’s problematic. However, just because I want to get snow emergency notifications via email so my car isn’t towed, I don’t want to then expose my email address to any myriad of people with unknown other intentions.

While I certainly come down on the side of minimal disclosure when it comes to personal email addresses, there is some space for debate where it might be acceptable. I just can’t predict what that need might be–which is the crux of the problem where laws and policy lag behind technology.

If the courts haven’t decided if a Facebook “like” constitutes protected First Amendment speech, it’s easy to understand how complex it is to decide if signing up for snow emergency notifications or city council meeting agendas makes your email address public information. The solution isn’t simple and debate on the issue is essential to getting it right. However, in the meantime we shouldn’t just hand them out willy-nilly to anyone that asks. Unexpected benefits would be fantastic, but it hardly outweighs the inadvertent consequences that could come from disclosure.

Now if you’ll excuse me, I have to email a guy about the officially licensed Cleveland Browns mood rings (they are just a solid brown color designating sad resignation).

Share

Leave a Reply