Datagate redux

If you’ve been following old posts/comments (here and here), you know that I’ve been debating the release of the actual database that Norm Coleman’s Web team apparently left exposed last January. Some people think exposing the private data of others is worth it in order to press the point that Coleman should’ve (a) locked down the data when local Web sleuths found it where it shouldn’t have been and (b) followed state law by notifying people that their data had been exposed.

But did whoever leaked the database when it was discovered also contribute to the dangers that exposed data presents? InfoWorld’s Robert X. Cringely gives the Coleman campaign the “what for,” but reserves a small shot at the decision by Wikileaks to post the data, even if part of it was removed.


Meanwhile, Wikileaks continues to walk a fine line between serving the public good and abetting private disasters. If my information were on either of those databases, I’d be unhappy with both Coleman and the whistle-blowers. They could have easily made their point and still redacted enough information to make it hard for thieves to get anything useful out of it.

Instead, it’s party time for Net scammers, and Hell on earth for 50,000-plus Minnesotans who were just trying to support the candidate of their choice.

Not all are Minnesotans. Political blogger Eric Ostermeier has downloaded the data and is using part of it to analyze Coleman’s donors by occupation and geographic location, and has found most of them are out of state.

I asked Ostermeier on Friday whether he considered there to be any ethical considerations in using the leaked data. He responded that there are parts of the data that would be unethical to use, and parts that wouldn’t.


Regarding the aggregated state-level data I analyzed on Thursday’s blog, as well as the aggregated occupation-level data on today’s blog, all of this information is publicly available through FEC Disclosure Reports (as well as the amount contributed by each individual, and the city, zip code, and date of contribution).

What my blog did was simply report, at the aggregate level, on those 4,700+ compromised donors to Coleman’s ’08 campaign.

There is some data, obviously, that I consider “off-limits” and that is the data that is not publicly available – such as e-mail addresses, credit card information etc.

Your question gets to the ‘fruits of the poison tree’ dilemma, but, in my view, the ethical considerations are fairly black and white as to what can or should be analyzed.

(Update Sunday 10:41 p.m. – Eric provides a full post on the subject.)

Meanwhile, some criticism of Wikileaks may be coming after MinnPost reported that the site sent emails to everyone on the list looking for comment about the situation, and apparently claimed it was doing so on behalf of a pool of news organizations. Some news organizations have responded that they joined no such pool.

Update 9:27 a.m. Sun – Adria Richards, who found the database, was on MSNBC.

In other media interviews, and in her own video explaining how she found the data, she points out she did not download the database. “I won’t download and acquire someone else’s information without their permission even if it is legal to do so,” she told me via Twitter.

  • http://www.minnesotacentral.blogspot.com Minnesota Central

    Let’s ignore the Coleman situation for a second and consider the potentially bigger problem.

    There are some important questions that need to be asked :

    What company did Coleman hire to collect his donations ?

    Did that company perform similar work for others ?

    If so, does(did) that company maintain “illegal” information on their databases ?

    According to WikiLeak, the information that was contained on Coleman’s files included : Unique ID number, first name, last name, city, state, zip, phone, e-mail, employer, title, type of credit card used, name on card, last four of credit card, CVV2 value of the card, donation amount, authorization code from credit card processor, AVS (address verification) match, and a timestamp.

    There is a violation of Minnesota Statute 325E.64 by retaining the card security code data.

    If the company maintained this information for the Coleman campaign, was the same information maintained by other campaigns ?

    The Coleman incident may have exposed a problem that every political campaign needs to address. Proactively, every campaign that collected monies through credit cards needs to perform an internal investigation and issue a press release if illegal information was maintained. This would include not only Minnesota campaigns, but also others that collected monies within the state such as Romney, Giuliani, et al … as well as Democrats.

    There is no reason for waiting for the FEC, FBI, Secret Service or MN Attorney General to investigate … campaigns need to be forthright and transparent.

    Second, the question of should WikiLeak have promoted this story ?

    YES. Although some may say that this is politically motivated or motivated to promote WikiLeak, my view is that this information was out there on the “underground” … it is now exposed – hence my question for the other campaigns.

    IF MPR found this “open door”, how would MPR have handled it ? I would want MPR to expose it … it can be debated if WikiLeak provided too much information or that their method was too direct, but since the story was out there since January, it did not get enough attention.

    I feel sorry for Coleman (and Franken for the innuendo) as I suspect that he is innocent of willful wrongdoing but like a company’s CEO, he is held responsible for the actions of others. That yields the last question : why did anyone maintain this information ?

  • Bob Collins
  • Paul

    It might be interesting at some point to look at how this story has been covered and by whom. I know Pi-Press devoted considerable space to it, but I haven’t been able to keep track of everyone else.

  • Bob Collins

    MnIndy has probably given it the most ‘ink.’ But it’s not advancing at all, really. There was a lot of online chatter about whether it constituted “hacking” or not, but that’s not much of a 2nd-day lede. Nobody, other than InfoWorld and me, has weighed in on the best way to handle private data that’s found in the public. And, so far, nobody has — as far as I know — directly questioned any of the initial folks who were pushing the story with the question “are you the person who downloaded it and gave it to wikileaks?,” nor whether the original intent was to create enough distrust to cut off a source of funding for Coleman to inhibit his ability to challenge Franken’s victory in the recount, nor whether the company that ran the Web site has other databases exposed for other candidates, nor on the larger question outside of the political realm, which is whether it is worth it to trust ANYBODY online who accepts credit card payments.

    In the coming week, I’ll try to contact the Electronic Frontier Foundation on some of the latest snooping efforts by various software. That’s an entirely separate issue, of course.

  • Ryan Melena

    Boy is this getting tired. The same arguments again and again each time willfully ignoring key points of what the other side is actually saying.

    You fail to mention the new info from the InfoWorld article that the Coleman campaign password protected the database file the same day the Independent reported the leak. That confirms they KNEW about the issue 6 weeks ago and didn’t inform the victims!

    You also fail to mention that Ostermeier’s quote directly contradicts the argument you were making in your last two posts, namely that there are no circumstances under which it would be ethical to release ANY of the information.

    It seems to me you’re amazingly critical of people who disagree with you but don’t exercise that same critical analysis toward people you believe bolster your point of view.

    Instead, it’s party time for Net scammers, and Hell on earth for 50,000-plus Minnesotans who were just trying to support the candidate of their choice.

    What data that Wikileaks released made it “party time” for Net scammers? Do these scammers have some magic ability to pull the first 12 numbers of the victims’ credit cards out of thin air?

    Are we to assume Net Scammers couldn’t get a hold of the data (in fact, the unfiltered data) if not for Wikileaks? If that is your argument I think it shows a bit of naivety about the net.

    “I won’t download and acquire someone else’s information without their permission even if it is legal to do so”

    That is a completely nonsensical statement with respect to the database file. How would you know you were downloading someone else’s info unless you first downloaded the file?

  • http://butyoureagirl.com Adria Richards

    @bcollinsmn

    Thanks for embedding the video! I’m happy that I was able to share, on national television, how easy it was to find the website and database. My goal is to raise awareness that this is a world wide problem.

    Check out how 80,000 current and retired police officers in New York City had their Social Security Numbers and direct deposit information stolen by a civilian employee who worked in the pension department March 4th, 2009

    http://tinyurl.com/databreachlist

    The only reason they caught him was because he disabled the security cameras at the warehouse where he stole the backup tapes from.

    @Ryan Melena

    That was my reply on Twitter so it was hard to answer Bob’s question with just 140 characters; I didn’t know he would quote me.

    ==============

    Twitter Conversation

    ==============

    bcollinsmn: @adriarichards Noticed again you pointed out that you didn’t download the database. Why not?

    adriarichards: @bcollinsmn remember the YouTube video “Produce Paradise” w/ the two brothers at the A&P? http://tinyurl.com/b9kp9x

    bcollinsmn: I watched it. so you’re saying you thought you’d get in trouble if you did?

    adriarichards: @bcollinsmn I won’t download and acquire someone else’s information without their permission even if it is legal to do so. I’m not a lawyer

    bcollinsmn: BTW, you have a great camera presence. You should do more. Maybe become an on-air tech analyst for a net.

    Thanks,

    Adria Richards

    Organic Technology Consultant

    ——————————————

    Visit the website http://adennetworks.com

    Visit the blog: http://butyoureagirl.com

  • Bob Collins

    Yes, Ryan, it’s almost as if I didn’t provide links to any of the articles that I talked about above, any of the comments that I’ve made, and it’s almost as if I care whether Eric Ostermeier has a right to an opinion and the right to have that disseminated in this space even though I disagree with it.

    Just so I’m clear here on your use of the term nonsensical to describe Adria Richards’ statement, you’re saying she’s lying? She certainly seems to have fully explained in her video and blog the process she used to uncover the flaw.

    I’m not much of a techhead, so I do have to consider what people who are techheads say, including those techheads who seem to agree with you almost point for point on the focus on the Coleman campaign, the need to release data etc. One of them, I noticed — Aaron Landry — referred to the InfoWorld column as one of the best synopses of the controversy yet.

    Given that he’s the one who started all of this by exposing a claim that the Coleman Web site crashed, which led Ms. Richards to investigate, which led her to find the database, which led her to report it on Twitter, which started a feeding frenzy of chatter about it, which led the emerging media to report on it, which led Wikileaks to leak it, which led to people like you commenting on it, boy… I’d have to say their assessments carry at least a little bit of weight to be considered, even those with which I may (or may not) disagree on an ethical basis.

    And that’s primarily where you and I disagree, is on ethics and we have two different standards there. Is one better than the other? That’s for people to decide on their own. I don’t believe what one can do and what one should do are necessarily the same thing.

  • Paul

    Bob,

    I don’t know anyone who thinks there is no difference between what one can do and what one ought to do. To the extent that we’ve been able to have a discussion here about ethics, it’s always been about what should be done, not what can be done. I think one thing that’s happened here is the consensus isn’t as clear as you thought it was, you seemed to think you could just point to the SPJ code and that would be that. At times it seems like you’ve been unwilling to defend your propositions beyond pointing to something else, and that’s been a little frustrating.

    I’m not complaining, I’m just saying. Frustration sometimes provokes great things.

  • Bob Collins

    Adria, I’m not following your response to Ryan or your response that I quoted you out of context or that you didn’t know I would quote you at all.

    As you know, Twitter is an open form of communication, I don’t hide who I am there and the messages between you and me were not DMs (private messages), but conversations out in the open that anybody could — and did — see.

    I noticed on your video explaining how all of this was uncovered that you relayed a conversation you had right away with @chuckumentary on Twitter, and I note also that you’ve pointed out you uploaded screenshots and publicized them via Twitter to get the word out, so I don’t think the suggestion of impropriety in these communications as if they were private e-mails. They were not.

    As far as the question, you mentioned at 1:57 of the video (which you promoted via Twitter and on your blog) that you could not confirm that the private data that Coleman is “apologizing for” (to quote Maddow) is the same data that was in the database file because you didn’t “download the file.” It seems clear to me that you recognized it as private data based on the numbers of folders on the server.

    And I don’t think this is a question of what constitutes “downloading” because her original question only asked — basically — about your knowledge of what was in the database file and you appeared to say you didn’t know.

    When I asked why you didn’t download the database (via Twitter), your response was “I won’t download and acquire someone else’s information without their permission even if it is legal to do so.”

    When Ryan appeared to suggest that you’re not being truthful, you said that your response was taken out of context, but you didn’t provide any further explanation about your answer.

    I realize that some people on Twitter have suggested I’m trying to “trap” you or to get you to agree with me, but I truthfully don’t care whether you agree with me on this issue or not. Nor have I raised any issue regarding questions about your role in the discovery. I have reserved that for the question of whether disseminating private information (even pieces of it) is faithful to the concepts so many tech pros practice. Frankly, I’d love it if someone would engage in that question, but nobody else has, and nobody — other than the InfoWorld columnist — is bringing it up.

    You’ve done — as I said — a great job skillfully explaining the step-by-step process of how you uncovered the sloppy handling of private information by Coleman, you’ve willingly and patiently allowed yourself to be interviewed by a number of people as you mentioned on your blog, and you appeared on MSNBC the other night to do the same thing.

    They asked a lot of questions; I’ve asked only one.

  • Bob Collins

    Thanks, Paul. I pointed to the SPJ code as an example of why *I* have questions about the ethics of the journalism involved.

    And I still have those questions, obviously. There’s no “that would be that” about it.

    I am not aware of a single journalist in the Twin Cities who has waded into an examination of the ethics involved here.

    So you’re most certainly right that we may well have different standards or ethics that were applied in the decision and that those decisions were vetted through some sort of editorial process and questions were raised about the decision to provide access to the data.

    We haven’t yet heard what standards they used in making those individual determinations. I suspect we will when they’re ready to talk about that aspect of the story.

    In the meantime, you’ve done a great job of pressing the discussion on their behalf.

  • http://butyoureagirl.com Adria Richards

    Bob,

    The problem I had is that because you “quoted” something I said on Twitter, I feel Ryan didn’t have the full picture.

    All he saw was what I could squeeze into 140 characters.

    I’m not concerned or worried that anyone thinks I’m lying. I’ve been transparent since the beginning. All my clients know what’s going on as well.

    What I don’t like is that you act as if I provided the Twitter comment in some sort of interview format AND didn’t tell me you were putting it on News Cut.

    Write your own history and version of events as you like.

    Adria Richards

    Organic Technology Consultant

    ——————————————

    Visit the website http://adennetworks.com

    Visit the blog: http://butyoureagirl.com

  • Bob Collins

    I’m sorry you feel that way, Adria.

    I can’t find any indication that I presented my question to you in an interview format (I linked to the actual thread above for anyone who wants to see). As far as I know, the only question I asked — and the only one I indicated I asked — is why you didn’t download the data. I didn’t ask any other questions because after watching the video, that’s the only one I had.

    Your answer seemed pretty straightforward and honest to me, but if you feel you were somehow shortchanged in the opportunity to respond, or if you feel Ryan got an incomplete picture, here is certainly a space to do that.

    I don’t really see the controversy in that question. And I don’t see why it makes a difference whether your comments are on an open forum on Twitter or on an open forum on News Cut. Blogs are full of references to what people have said on Twitter and other social networking sites.

    I’m not interested in writing a history that is anything other than how it happened. That’s why I’ve posted on this blog, both videos you provided; the one on your blog, and the one on MSNBC. I’m not aware of relaying the order of events in any way other than the way you described them.

    If you feel I have, I’d appreciate your informing me about it specifically rather than using innuendo to suggest I have. Similarly, I’d be interested in hearing the full picture in your answer to my one and only question that you feel Ryan didn’t get rather than just hearing I didn’t allow you to provide the full picture. If it’s out of context, please provide the context you believe was missing.

  • BJ

    @everyone – I had a big post to everyone because this was getting heated, but it boils down to – Chill, attacking bad, questioning good.

    @Bob – keep on, keeping on….