And there was everything: investigations by the FBI and the police, credit cards and passwords, correspondence of lovers and personal documents.
Matt Chapman is a researcher and internet activist who, since 2014, has been trying in one way or another to use the American Freedom of Information Act (FOIA) to obtain data for his research. Under this law, US government agencies are required to provide certain data to citizens who request it; the idea is that such a law makes the work of government agencies as transparent as possible. But, like all laws, FOIA does not always work as expected, and often does not.
Working with data
Chapman had already worked with large data sets obtained from the government. In 2016, he requested information from the Chicago City Hall on all parking tickets issued since 2009 in order to identify the most problematic places in the city. The data was given to him, but it turned out to be stored in a terrible format, and no one had corrected the typos the inspectors made when entering data into the PDA.
In 2014, the researcher requested from the Chicago City Hall the metadata of voice calls made to or from government phone numbers, to determine whether there had been collusion during the mayoral election. To get the data, he had to spend a year and a half on various requests, communication with lawyers and, mostly, waiting.
After that incident with the call metadata, Chapman decided to check how well FOIA works in the USA when it comes to releasing this kind of data. He sent two requests to each of the 50 states of the United States, but received information from only two: Houston and Seattle.
The request to the Houston City Hall was processed quickly, and Chapman received metadata for 6 million emails, that is, the senders and recipients (including all copies, hidden ones too) and the time each message was sent. With Seattle, things were not so easy.
From $33 million to $40
Chapman requested the data on April 2, 2017, in a short letter addressed to the IT department of the Seattle City Hall.
For all mail sent to or from an address belonging to Seattle in 2017, please provide the following information:
field 2. To field
addresses 4. BCC copy
The city hall first answered that over the past 90 days, 5.5 million emails had been sent to the seattle.gov addresses and more than 26 million had been received for them, and that checking them before release would take a very long time. Chapman realized that he had been misunderstood, and in his reply he pointed out once again that he was asking only for metadata, not for the correspondence itself.
In response to Chapman's second letter, the city hall calculated the cost of the service. It again ignored the fact that the request covered only metadata, and estimated the review of 32 million emails at 33 million dollars. According to the IT department, checking each email for secret information would take from 30 seconds to two minutes, which would add up to 320 years of work, and that was the basis for the amount.
However, the letter did not refuse the request: it said that the first data could be issued starting May 29, 2017. So Chapman pressed on.
On June 5, the researcher's bill was recalculated: the mayor's office finally realized that the request was for metadata, and asked only $1.25 for every two days of data to be provided. Chapman immediately sent 14 separate checks to the mayor's office, 13 of which were for $1.25; in total, the request cost him about $40. But then he heard nothing for a long time, and the researcher thought that his request could not be fulfilled.
Investigations, correspondence and credit card numbers in 32 million emails
On August 22, Chapman happened to add his email address to a new smartphone and, on checking it, found a reply from the city hall. It turned out that they had generated a report for him, uploaded it to a special website and sent him login details for the server.
When Chapman began to download the archive, which was split into 400 separate files, he saw that in addition to the email metadata, the mayor's office had provided the first 256 characters of each of the 32 million emails. These short lines were enough for Chapman to see:
- Usernames and passwords;
- Credit card numbers;
- Social Security and Driver License Numbers;
- Ongoing police investigations and detention reports;
- Messages from cheating spouses to their lovers and mistresses;
- FBI investigations;
- Notifications from the Zabbix remote administration service.
In other words, they have just leaked me a huge database with intimate-level private information. In addition, they are likely to have violated many laws, including the 1974 Privacy Act and many public data laws. Honestly, I still have no words.
Chapman tactfully hinted to the mayor's office that they had sent the wrong data, but they grasped the seriousness of the situation only after his second message. After exchanging a few emails with the open data department staff, Chapman ended up on a conference call with the technical director of the Seattle City Hall and the head of data security.
During the conversation, City Hall employees thanked Chapman for informing them about the problem. Toward the end of the conversation, the researcher asked if he could keep the data for himself: “Why not at least ask, yes?”
At that moment, the Internet connection at his home dropped (for the first time in six months). Ten minutes later, when the connection was restored, he returned to the conversation, but the tone of the mayor's office staff had changed: they demanded that all files be deleted and that the hard drives on which they were stored be handed over to Kroll for examination. Chapman was guaranteed legal immunity only if both conditions were met.
“It was not even close to what I could agree with, so we ended the call in a couple of minutes, agreeing that our lawyers would continue to communicate,” added Chapman. After a month of negotiations, the researcher agreed to delete the files.
The story became public only in early October 2018, when the local TV channel KIRO7 asked the mayor's office to comment on the situation. During the investigation, it turned out that the municipality had not even notified its employees about the leak, and did so only after the journalists' inquiry.