Jeb Bush, the former Governor of Florida, is laying the groundwork for a presidential campaign and he’s making personal transparency a central plank of his platform. Bush – the son of one former President and the brother of another – has promised to release 10 years of tax returns to the public.
This week, the former governor went a step further: publishing e-mail messages he received during his time as Governor of Florida – tens of thousands of messages in all.
Bush’s team created a web site, jebemails.com, to host the e-mails, giving visitors the ability to look up e-mail content by date or download full Outlook .PST files for each year.
Image via jebemails.com
The gesture was striking for its openness: setting a new, high bar for presidential candidates. But it has also landed Bush in hot water. Contained in those tens of thousands of e-mail messages is a wealth of sensitive and personal information of constituents and Florida government employees – from e-mail addresses (obviously) to phone numbers, address information and sensitive content related to the status of minors involved with the juvenile justice system or in state care. No effort was made to scrub sensitive information from the e-mail prior to release.
The reaction to the release was swift. “Jeb Bush’s email transparency experiment goes horribly wrong,” read an article on the site engadget, noting the inadvertent disclosure of personal information.
Within hours, the Bush team responded: removing links to the Outlook PST files and starting the job of redacting personal information from the e-mail that was accessible from the web page search function. Bush’s team said, in a statement, that it had “redacted personal information we have been able to locate.”
The release raises some important questions about openness and what does (and doesn’t) constitute a “data leak.” On the one hand, Bush’s web site merely made records that were already in the public domain publicly available. Florida has some of the U.S.’s most liberal “sunshine” laws, requiring almost every aspect of public life to be accessible by the public. And Bush can be seen reminding correspondents that the information they send him via email constitutes a public record.
On the other hand, Florida – like almost every other state – doesn’t simply dump public records online just because they’re technically “public.” Individuals who wish to peruse them need to exert energy (and often money) to do so. Citizens must make a request for specific public records under the state’s sunshine law, and then custodians decide whether the record in question can be released. Typically, the answer is “yes,” but in certain cases public meetings and their minutes can be protected – such as discussions with attorneys regarding pending legal matters or meetings to discuss collective bargaining with public unions. And even when the answer is “yes,” the request must be targeted at specific communications and – in some cases – a fee must be paid to reproduce the document. “Send me all the governor’s e-mail” probably wouldn’t get a quick response.
By simply dumping that e-mail online, however, former Governor Bush has turned “public records” into a “public common”: anyone with Internet access could (at least for a few hours) download and peruse the former Governor’s inbox. That allows individuals without any pointed interest in public records to peruse all the same – including individuals with nefarious plans.
What does this mean, practically? For individuals who wrote to the governor, there are any number of attacks that could follow from information gleaned from the e-mail: from phishing attacks that target their e-mail address, to identity theft scams that use information provided in the messages to try to hijack accounts. In just one recent example of similar attacks, TurboTax was forced to temporarily suspend e-filing of state tax returns using its tax preparation software after detecting a marked increase in fraudulent filings. Hackers figured out that they could use leaked Social Security Numbers and other personal information dredged up online to file bogus claims for tax refunds.
Does Bush’s move constitute a data breach? Almost certainly the answer is “no” – under Florida’s data breach law and many others. Those laws require the leak of data to be “inadvertent” and access to it to be “unauthorized.” But when you make something free to download on the Web, you’re waiving the whole notion of “authorized” versus “unauthorized” access. In short: where there’s no effort to secure data, there can be no data leak.
Still, in an age of rampant data leaks and of online crimes that feed off that leaked data, it is – at the very least – naive to dump such a large volume of data (some of it sensitive and personal) without taking any steps to protect the privacy of individuals. Mr. Bush’s effort at transparency wouldn’t have been at all damaged by taking the time to scrub his e-mail of personally identifiable information prior to its release. His failure to do so, however, could cost him dearly.
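The scrubbing step the article says was skipped is not hard to automate. The example below is added here and is not code from the article or from the Bush team; it assumes the archive has already been exported from Outlook .PST to plain mbox text (that conversion is out of scope), and it runs over a small constructed mailbox, replacing e-mail addresses, phone numbers and Social Security Numbers in message bodies with labelled placeholders and counting what it found, so a release can be held back until the counts are reviewed.

```python
import email
import re

# Patterns for the kinds of personal data the article says were left in the
# released messages: e-mail addresses, US phone numbers and SSNs. Checked in
# this order so an SSN is never half-consumed by the phone pattern.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed two-message mbox standing in for a public-records export.
SAMPLE_MBOX = """From constituent@example.org Mon Jan 05 09:00:00 2004
From: Pat Citizen <constituent@example.org>
To: governor@example.gov
Subject: My son's case

My cell is (305) 555-0142 and his SSN is 123-45-6789.
Write back at constituent@example.org.

From staff@example.gov Tue Jan 06 10:00:00 2004
From: staff@example.gov
To: governor@example.gov
Subject: Agenda

Nothing personal in this one.
"""

def redact_text(text):
    """Replace every PII match with a labelled placeholder; return (text, counts)."""
    counts = {}
    for label, pattern in PII_PATTERNS.items():
        text, counts[label] = pattern.subn(f"[REDACTED {label}]", text)
    return text, counts

def split_mbox(raw):
    """Split raw mbox text into message strings on the 'From ' separator lines."""
    msgs, cur = [], []
    for line in raw.splitlines(keepends=True):
        if line.startswith("From ") and cur:
            msgs.append("".join(cur))
            cur = []
        cur.append(line)
    if cur:
        msgs.append("".join(cur))
    return msgs

def scrub_mbox(raw):
    """Redact each message body; return ([(subject, redacted_body)], totals).
    Headers such as From:/To: carry addresses too and need the same pass."""
    totals = dict.fromkeys(PII_PATTERNS, 0)
    out = []
    for chunk in split_mbox(raw):
        msg = email.message_from_string(chunk)   # handles the unix 'From ' line
        body, counts = redact_text(msg.get_payload())
        for label, n in counts.items():
            totals[label] += n
        out.append((msg["Subject"], body))
    return out, totals
```

A non-zero total on any label is the signal to stop and review before anything is published; the placeholders keep the redacted record readable.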
About Paul Roberts