Over on Massachusetts Data Privacy Law Blog, John H. Lacey writes:
The pinheads over at LulzSec have crossed a major line. They hacked into the Arizona Department of Public Safety and published the names, addresses and other personal information of police officers (including their wives’ names and email addresses). They also published a lot of privileged material regarding ongoing operations, training and intelligence.
As a prosecutor, your home address is sacrosanct. You are sometimes viewed as the “reason” some defendant is going to jail. It gets personal, sometimes real personal. On September 25, 1995, Paul McLaughlin, a prosecutor in Boston, was murdered by a gang member he was prosecuting. He was killed in the parking lot of a commuter rail station. He was on his way home and the murderer knew which train he took. The murderer probably didn’t know where he lived.
It’s one thing to shut down a website, annoying, yes, can be costly, yes, but does anyone get physically hurt? No.
I actually went and looked at the information that LulzSec stole and posted. They posted the actual names and home addresses of Arizona law enforcement officers and their wives and all their contact information. That is incredibly dangerous. I don’t mean a little scary, I mean it’s downright dangerous. There’s a major incident occurring in that part of the country. The Mexican Cartels are killing 30,000+ people to preserve their drug trade. They kill indiscriminately and prefer to kill law enforcement whenever possible. These animals are insane, do you think they would even hesitate going to a residential neighborhood and killing all the inhabitants of a house? And right now members of the Arizona Law Enforcement community are probably organizing round the clock security for their officers (or at least they should be seriously considering it).
[…]
Clearly, Mr. Lacey is angry and concerned. And I share his hope that those whose details were published publicly do not come to harm because of the data breach. But what about others’ safety? I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose lives are endangered from fringe elements, women who have tried to escape abusive spouses, porn actors whose families may be harassed by the publication of their names and addresses, confidential informants and law enforcement officers, and immigrants whose personal information was illegally revealed to law enforcement and to media by the actions of Utah state employees. All of those people have been put at risk of physical harm as a result of data breaches.
What message did Utah send when it let people who revealed immigrants’ information off so lightly? Are there two sets of data protection and privacy laws, where if you’re among the protected group, your privacy and physical safety are taken seriously, but if you’re not, too bad and hope you don’t get killed or attacked by anti-immigrant wingnuts?
Yes, I’m angry, too. We’ve known the risks of data breaches leading to harm for years and yet neither the federal government nor states have imposed stringent data protection/security requirements or serious penalties for violators. Will this breach be a wake-up call? I doubt it. If the hackers are ever caught, they will be prosecuted under existing statutes but we still will not deal with the risk of non-financial harm. Until our government truly recognizes that it needs to deal with more than just financial harm, victims of such crimes will continue to have inadequate protection and redress.
That said, it strikes me as hypocritical for people to express shock and rage over a hack that may endanger one group of people while remaining silent when other groups of people are put at risk of harm by hacking. I hope Mr. Lacey and all others who are concerned about law enforcement officers in Arizona will not remain silent in the future when other groups or individuals are put at risk of physical or psychological harm because of data breaches.
I think the question becomes an issue if they are a higher risk of being hurt or not. I would say that both groups of people are at equal risk seeing the same information is being exposed. Granted one group is law enforcement and the other is not, but anyone can follow a person to there home, that is not illegal. Many places like the white pages show addresses of normal people and law enforcement. And there are perfectly legal companies that collect information on you for social advertising, just look at the little bar code key fob on your supermarket discounts.
I would have to agree that it is hypocritical. The laws are not set up where technology is concerned.
In today’s world there is no privacy. it is a fog that can be seen through.
I agree with much of what you wrote here. It is a far superior post to the simplistic (but pages long!) Boing-Boing post on the same topic, @Lulzsec and AZDPS.
Only issue I had was with your ending comment:
I agree with you regarding the behavior being hypocritical. However, I would consider the AZDPS as a target to be particularly wrong for the reason that these people choose jobs that protect people and public safety (often for less money than they could earn otherwise).
Yes, yes, there are bad policemen, and Arizona gets a lot of negative publicity for many reasons. But here’s something sort of analogous. In New York City, the ONLY murder charges designated as first-degree apply exclusively to employees of the City of New York. I’m uncertain if it applies only to Firemen, Police, District Attorney’s Office employees, or all. Other murder charges are second-degree by definition in the five boroughs of NYC. I won’t blather on about the social welfare nature of the distinction. (I don’t think the sentencing lengths are different for 1st versus 2nd degree charges, so it is not valuing the life of some people higher than others).
I felt similarly disproportionate anger over the @LulzSec incident regarding NPR. NPR does much good for so many people. They are non-profit, no “evil corporation” (that’s how they were referred to in some of the comments on Sophos Security blog, not by Sophos though). NPR programming was largely responsible for my little brother learning to read, as no one wanted to bother to help him. Those NPR shows help many people who aren’t very visible or empowered. By @LulzSec targeting them, and their affiliate stations, it will make those stations less likely to work with NPR, and that hurts everyone.
I live in Arizona. The AZDPS protected me from harm when I worked late nights downtown as an employee of the Office for Children with Special Health Care Needs, directly supporting clinicians. If fewer people become policemen because of this incident, or the calibre of police decline, I would likely be negatively impacted, as would those children whose interests I served. More reasons why this data breach, and the NPR data breach, are so wrong, because of the wider negative impact on public welfare at large. (Welfare as in well-being, not the program, so I don’t get flamed by the neo-cons ;@) )