There is an anomaly in law: privacy regulations say data should not be disclosed; freedom of information regulations say it should. The result is usually the heavily redacted release of documents (‘redacted’ in this sense simply means censored by obscuring personal information) in order to comply with both regulations.
But mistakes can and do happen. Three days ago Infosecurity reported that 171,000 different social security numbers were found on publicly available IRS Form 990s. Today the Sophos blog Naked Security notes that the Boston police released Facebook data including ‘friends’ of the ‘Craigslist killer’.
“When the Boston Phoenix was researching an article about the manhunt for the notorious ‘Craigslist killer’, they were granted access to all the case files released by Boston Police Department,” writes Sophos. This included “the entire Facebook account of the suspect, Philip Markoff.” The data was provided to the police by Facebook ‘in response to an officially sanctioned subpoena, court order, search warrant or other legal information request.’
The problem is that while some of the information provided by the Boston police to the Boston Phoenix was redacted, a hard copy printout of the entire Markoff Facebook account was not. In a separate Boston Phoenix blog, Carly Carioli noted, “And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook ID's were part of the document.”
The incident raises some troubling and difficult questions. What use are European data protection regulations if US law enforcement agencies can subpoena personal data (in this case from Facebook, but the PATRIOT Act means it could be from Google, or Hotmail or Twitter or any other US-based organization), and then publicly release that data? Do any innocent ‘friends’ of Markoff (and remember that many Facebook users will simply friend anyone who asks) who may never have met Markoff or have ever known anything about him have any recourse against the Boston police? Probably not.
But as Sophos says, it “illustrates just how much information Facebook holds about you... [and] it shows just how much the bad guys would be able to access should they - eek - hack into Facebook's servers.”