
The City of Seattle Accidentally Gave Me 32M Emails for $40 - bpchaps
https://mchap.io/that-time-the-city-of-seattle-accidentally-gave-me-32m-emails-for-40-dollars4997.html
======
JoeSmithson
I'm very surprised they gave out this information. I'm not talking about the
mistake, I mean the actual request. In the UK I don't think you could even get
a production order for this. Like, it's effectively getting Communications
Data simultaneously against thousands of people not suspected of any crimes??

Like, do people know that by emailing their local government their email
address is now free for scammers to request under FOI? Could I request this
data myself, then start emailing them scam emails "I know you contacted us in
June, could you call me on 555-1223 etc"

This seems totally against the spirit of FOI

~~~
ehsankia
The part I found even more strange is that people are sending their credit
card numbers and other personal information through e-mail...

~~~
jimnotgym
Are you really shocked by this? I guess you have never worked on a corporate
email system! People do this all of the time.

1) They don't realise email is not secure

2) When you explain point 1, all of the other solutions seem like too much
hassle so they email anyway.

3) You can tell your customers not to email you CC numbers, you can even
refuse them, but they will keep sending them

~~~
tzs
...and if you provide online chat with customer support or sales, people will
send credit cards in that too. If you have customer accessible support ticket
submission system, that will end up with credit cards too.

The Payment Card Industry Data Security Standard (PCI DSS) that you have to
agree to follow in order to be allowed to process credit cards requires secure
storage of all the cards you store--not just the cards that you intended to
store or just cards that come in through channels you intended for receiving
cards.

This is a serious issue to take into account when choosing your chat system,
ticketing system, and email system because you can't just ignore those wayward
credit cards. If you choose systems whose developers did not consider this and
failed to provide good tools for finding and redacting unrequested, unwanted
sensitive information _you_ will end up having to hack such tools into the
system yourself.

~~~
jimnotgym
That is a very good point

------
mkoryak
A few years ago I found a random SSD on the ground while on a walk with my
son. The drive contained unencrypted records which squarly fall under HIPPA. I
also did the right thing and returned it to the proper owner and told them
about how their mdb files were readable by anyone.

The same exact thing happened. They thanked me and then their lawyers nicely
asked me to clone my hard drive and sign a bunch of shit.

It was not fun at all. A lot of them thought that I hacked something.

~~~
rocqua
Did you actually give them that clone and sign the documents? Or did you give
push back like in the article?

It feels to me like they shouldn't have much of a leg to stand on.

~~~
mkoryak
I did consider fighting them for about 7 minutes. Then I remembered that they
had a legal team paid for by taxpayers, while I had a toddler and a pretty
decent, mostly stress free life.

The laptop that I connected thier SSD to was my coding box, so I deleted all
the code and secure erased the free space before they cloned it. They gave me
shit about it too, because their forensic people saw days without any file
activity. When I told them that it was because I removed my IP they responded
with "why don't you think you need to do that? We can keep your data from
falling into the wrong hands".

Maybe if I was some kind of an activist I would have tried to fight it.

~~~
natch
“We can keep your data from falling into the wrong hands...” just like they
did for that drive you found.

------
jacquesm
Interesting dataset. Data like this can be used to identify strong links
between contractors and government officials.

One problem is that the metadata should have only contained _anonymized_
entries for the email addresses of the counterparties of the Seattle.gov
addresses, the article leaves this unclear.

Another potential problem is that if a case of corruption or nepotism is
identified that has not been passed to the authorities for review that the
author suddenly finds himself in the possession of data that can be used to
blackmail some fairly powerful people, in fact there might be fish at a higher
than city level government in the trawl because there have to be links between
Seattle officials and state officials.

Yet another problem is that the addresses most likely contain the names of
private individuals (including employees) as well, and I am not quite sure
what to think of that but feel that the city has no business releasing that in
cleartext.

A better way for amateur sleuths and the city government to work together to
battle corruption would be to release only anonymized data to protect the
identities of the people working for the city, for instance by releasing only
hashes of the email addresses, for instance a hash@hash format where the hash
for all Seatle domains is released to the requester. All the relevant analysis
could still be done, and if something interesting was found it could be
released to law enforcement who in turn should have then used a judge to order
de-anonymization of those entries they are interested in.

~~~
kasey_junk
I'm not sure I could disagree with you more. At least in the US there is a
_very strong_ expectation that communications between governmental employees
is non-private except in very special circumstances. You'll note Matt says
that the Police and Human Services departments have not responded, I'd guess
thats not an accident because police records and personnel/medical records are
largely exempt from FOIA requests.

Further, the idea that sleuths (amateur seems pejorative in this case) are
working _with_ city governments to battle corruption does not hold up to
Matt's (or other journalists) experience. By and large the governments only
provide the data because they are _required_ to, and we have made sure they
are required to by representative legislative action.

Had the IT dept. in Seattle not made an obvious mistake this would likely have
not been a story at all and the data would have been an interesting data set
for informed democratic functions.

~~~
jacquesm
> between governmental employees

The request contains the names of private individuals through BCC and CC
headers requested and exactly when they communicated with which government
officials.

~~~
kasey_junk
Yes. When I say “between governmental employees” I mean between them & anyone.

This is a normal expectation to the point where there are lots of rules about
what public servants can even use private email addresses for. This was a big
deal of course in the 2016 campaign.

This is likely a cultural difference, I view the data that Matt requested as
_mine_ because that governmental agent is acting in _my_ name.

------
newsbinator
> After that call, I asked my lawyer to reach out to their lawyer and was
> pretty much told that Seattle was approaching the problem as if they were
> pursuing Computer Fraud And Abuse (CFAA) charges. For information that they
> sent. Jiminey Cricket..

------
daenz
Somewhat related, I'm constantly shocked (maybe I shouldn't be anymore) at the
tech ineptitude of cities that are supposed to be big tech hubs. I live in
Seattle, and my regular tech complaint is we can't get the buses connected to
an app that is accurate within +-10 minutes. I know it doesn't sound like
much, but how much tech brainpower is here, and why isn't that tech shining
more clearly?

~~~
TeMPOraL
Because the problem isn't tech, but business models. No amount of tech
brainpower can help when bus operators think of their schedules as data to be
sold instead of given away for free.

~~~
techsupporter
At least in Puget Sound, every transit operator (except for Community Transit)
makes their real-time bus arrival data publicly available for free via Sound
Transit's Open Transit Data service, OneBusAway:
[https://www.soundtransit.org/Open-Transit-
Data](https://www.soundtransit.org/Open-Transit-Data)

(OneBusAway is the name of the app that shows information to end users and the
name of the API service that developers can query.)

I know that this service is widely available and free because I've had an API
key for years and have (accidentally) pummeled the service with requests and
have heard nary a peep from Sound Transit asking me for money.

~~~
TeMPOraL
Good for you and your city. My hometown apparently made an exclusive deal with
a startup, which I hear is why we still can't see bus schedules on Google
Maps.

------
quickthrower2
The writer has fessed up to reading a lot of the emails. As evidenced by
summarizing the content (e.g. cheating spouses, zabbix etc.). Wouldn't the
responsible thing to do be stop reading the emails once you realise what is
going on?

~~~
0xfffff
I had the same thought - he seems to have indulged in the data quite a bit to
come up with such a thourough analysis.

~~~
danso
What was thorough about his analysis? He mentions a few things that could
easily be detected with grep within a corpus of millions of messages.

------
pnathan
> The passive aggression is thick.

From this I can accurately deduce that you really were talking to a person in
Seattle. /local-in-joke.

Pretty amazing story; Seattle, collectively, always tends to _mean_ well, but
so often they stumble.

------
nickysielicki
> Seattle was approaching the problem as if they were pursuing Computer Fraud
> And Abuse (CFAA) charges. For information that they sent. Jiminey Cricket..

> So, I deleted the files.

Isn't it great to live in a country where we have generic felonies that
governments can apply to just about anything involving a computer and ruin
your life?

Land of the "free" and the home of the 'fraid.

~~~
giancarlostoro
Where police treat you as fully guilty if you're a suspect despite you having
to be thought of as innocent until proven guilty. A number of people have gone
to jail because they knew not to keep their mouths shut and told cops too much
that made them sound like criminals and guilty. Most people don't know where
they were 2 hours ago, let alone the night of December 5th, 1957 at 2:05 AM,
like SERIOUSLY?

------
OrwellianChild
I can't tell whether this is a testament to the incompetence of public IT
operations or an indictment of public records keeping practice. Maybe both?

~~~
btrettel
Also has a good example of hostile FOIA officers. I have filed about two dozen
FOIA requests, and the vast majority were fine, though usually slow. Earlier
this year one longstanding request of mine was rejected because they claimed
the document I wanted was export controlled. Two months later I sent in an
appeal where I showed that the document in question was not export controlled
(I filed another FOIA with a separate agency to check), and I suggested that
they lied to me. Never got an apology, though they seem to be processing the
request for real now.

~~~
c3534l
Never attribute to malice that which is adequately explained by stupidity.

~~~
anigbrowl
I used to abide by this until it dawned on me that malicious people often use
stupid people as a cat's paw to conceal liability. A careless disregard for
the truth is itself a form of dishonesty. This argument is laid out very
effectively in philosopher Harry Frankfurt's delightful short book _On
Bullshit_.

------
mr_vile
This whole exercise seems more damaging than constructive, and I don't really
like the author's smug tone, as if he deserves praise.

~~~
warent
Disagree. Obviously there was a bug in the system, the author simply uncovered
it. I'd rather have a smug white/grey hat than a malicious black hat. Now the
system is all the more secure thanks to his actions.

------
lsiebert
So they accidentally included the first 256 characters for all the emails?
yikes.

------
pontifier
I was quoted almost $200k for a similar request for emails. I was trying to
investigate a shady real estate deal, and they made it as difficult as
possible. I was never actually able to get the information I requested.

I'm completely disgusted and fed up with corruption.

~~~
rocqua
Perhaps try and sell the story with some of the investigative podcasts /
blogs? An apparent cover-up gets as much attraction as uncovered corruption.
(As well it should).

~~~
pontifier
I'm now convinced that there is no amount of evidence of wrongdoing that will
actually harm crooked politicians. They control the narrative, and the courts.

I don't want to end up bone saw murdered, and it feels more likely every day.

------
notafraudster
In case Matt Chapman is reading this -- the contact email at the bottom of the
page (matt@mchap.com) is probably not correct, given that the domain mchap.com
redirects to an australian photographer.

The alternative is that the email address is correct and Matt is redirecting
his domain to another Matt Chapman, which would be totally hilarious.

~~~
bpchaps
Ah! Thanks!

------
doctorless
To me, the most interesting thing in this entire post is the following:

> Funny enough, in the middle of that question, my internet died and
> interrupted the call for the first time in the six months I lived in that
> house. Odd. It came back ten minutes later, and I dialed back into the
> conference line, but the mood of the call pretty much 180’d.

I find that when strange things happen like this, they’re hardly coincidence.
Did you run a traceroute after the disconnect anywhere? Did you see an IP
address change? If so, was it a significant change in the CIDR block it was
within?

~~~
jacquesm
That's speculative without any proof and I personally think it is a weak point
in the article. I do conference calls several times per week and the number of
times I've been accidentally booted out of the room are numerous.

Also, once they realized they had left the room _of course_ they would
continue to discuss the case and it is obvious they had to consider all
possibilities, including the recipient releasing the information to others,
hence the 180.

~~~
bpchaps
Er, why the doubt? My internet completely died. My room mates were also
affected.. Not sure how I can give proof.

~~~
jacquesm
Because it is just the timing that makes you say this, and I highly doubt the
city of Seattle can - on a moments notice, no less - pull the plug on any
residential internet connection.

 _If_ true, that would be a far bigger news item than the rest of your story.

~~~
bpchaps
Who knows. It was strange for me, too.

~~~
jacquesm
Think about it: you see your internet connection dying as proof when they
could have just as easily booted you from the conference call raising much
less suspicion. I see it as proof of the opposite, they had a far easier and
more direct means at their disposal to achieve the effect you say they
desired. So I really do not believe that it was anything other than bad
timing, all that it would take for this to happen is for your provider to
reset a router somewhere.

My residential connection here is pretty good, even so it goes up and down at
least once every week or so whenever some firmware update is pushed to the
router.

~~~
bpchaps
My phone was dead at the time, so I was using my desktop with google hangouts
for the call. I was not booted from the call. My internet died. End of story.

I work from home, so my internet going down is a big deal for my livelihood
and all that. I'm not saying that something suspicious happened, but I figured
it was an interesting thing to happen. You're frankly thinking into it too
much.

~~~
jacquesm
> You're frankly thinking into it too much.

I think that was my line.

~~~
bpchaps
Pot kettle black, I guess.

------
amingilani
I'm simultaneously impressed and saddened by how fast the responses for these
FOIA requests were proceeded by the government.

And here in my country, I needed a court order to get _at least_ an
acknowledgement of my FOI request.

And now I'm petition court intervention to get the FOI processed in accordance
with the law.

------
marklyon
This could have been an extremely valuable dataset for the legal community.
The Enron data is currently guiding much of our machine learning validation,
simply because it's available.

~~~
HeadInTheClouds
As a general point, I totally agree with this. The Enron dataset released over
~15 years ago is still used by EDiscovery and other legal vendors along with
other researchers.

There have been a huge number of papers using this dataset and there are not
many other datasets of its type or size available and despite its age is one
of the best we have. If people are aware of legally released datasets with a
similar size and content I would be interested to hear about them.

------
catchmeifyoucan
I'm confused, why was he looking for this information?

~~~
Pfhreak
My guess? To look for government employees whose networks are tightly coupled
to a special interest or significant person/party.

------
petecooper
FTA:

>Seattle's first response included a bit of gobsmackery that I’ve almost
become used to

Brit here. I'm always amused that 'gobsmack' and its derived words are still
used these days, more so across the Atlantic.

Roughly translated: lost for words, typically for a short time.

------
atomical
> Especially with the use of Excel, which would be useful for removing
> duplicates, etc.

Excel can only handle about 1 million rows, right?

~~~
philipodonnell
Nah its not limited except by memory anymore AFAIK.

~~~
atomical
Ah, spinning beachball time then.

------
nickthemagicman
Mental note to self.

Instead of reporting data breaches turn it into a torrent and make it public.

------
nzealand
The dump includes email addresses, both government and private. That does not
seem good.

There is a surprisingly little spam. Either that is about to change, or spam
didn't get included in the FOIA.

------
kerng
Interesting read to learn of challenges cities have and what mistakes they
make along the way, but the author comes across as defensive and quite
arrogant.

------
kristofferR
Awesome work! I'm glad we have people willing to go through all the hassle, so
we can keep our governments responsible.

------
united893
I find the writer to be a bit of a dick in his responses. Yes, the city IT may
not be at the same level as Google engineers, but there’s no need to mock
their ballpark estimates, and after the mistake there’s no need to be a jerk
about it. Be forthright about the error.

Consider being on the other side of this, due to a careless mistake the data
for many people is exposed on a random strangers hard drive. Asking for an
independent third party verification is reasonable.

Bringing lawyers in the mix was also unnecessary. And if more people follow in
the authors actions then the state level FOIA laws may be put at risk over the
long term.

~~~
newman8r
I'm curious what his actual legal exposure would have been if he hadn't
folded.

I feel like they should have offered to compensate the author for his time in
their initial request - if someone wanted to perform forensic scans on my hard
drives it would be a huge inconvenience.

~~~
jacquesm
Pretty massive. An accidental release where the party released to is known and
unwilling to perform a remedial action can go anywhere from a slap on the
wrist to a criminal investigation. That doesn't mean there will be a
conviction, but de-escalation would seem to be a wise course of action in such
cases.

~~~
sokoloff
De-escalation? Sure.

Allow a third-party forensics company hired and beholden to a presumed-hostile
counterparty unfettered access to your hard drives because of their own lack
of care or incompetence? Hell no!

------
nzjrs
TIL there is a genre of people who call themselves FOIA nerds and who appear
to be unpleasant, doing this sort of fishing for fun.

------
Markoff
more than dollar per email address doesn't sound like very good deal to me

------
daodedickinson
It's clear they didn't have expertise to do it, and I'm tired of reading
people that know way more looking down at others over it and assuming they
don't want to comply. If they hiding something and malicious, the end result
wouldn't have been to send way too much, but I don't see the author realizing
this fast enough.

~~~
sanotehu
Agreed. You're putting an overworked, underpaid public servant in a "damned if
you do, damned if you don't" scenario. They complied with a far reaching
request and got told their response was too far reaching? I'd quit my job if
faced with a legal minefield like that, especially one not actually related to
the job itself

~~~
Aeolun
Why do you think complying with these requests is not part of the job for
Seattle IT?

I would think it’s pretty cool to retrieve this massive amount of data that I
wouldn’t otherwise get to play with.

------
edoceo
Author of article has no background/understanding of the "sunshine" laws in
effect in WA. Those laws may (do) explain a lot of why things go this way with
any/all FOIA in WA.

Source: 100s of FOIA requests to various WA government agencies.

~~~
Johnny555
Can you provide more details? What is it about WA sunshine laws that make the
government misunderstand a request, overestimate the cost of providing the
requested data, and then provide data that was not requested resulting in a
breach of disclosure laws?

~~~
edoceo
Remember when Shoreline had to pay out ~$500k because of mistakes they made on
a FOIA request?

[https://www.rcfp.org/browse-media-law-resources/news/city-
mu...](https://www.rcfp.org/browse-media-law-resources/news/city-must-
pay-538555-public-records-suit-over-e-mail-metadata)

It's because Washington agencies are required to cover reasonable attorneys
fees for their opponents after losing open records lawsuits (one of the
factors in our FOIA laws)

So when Author sent the request to Seattle, they have this above cited example
(and 100s of others across the the State) where a mistake could create a
lawsuit the costs this loads of money.

Did you know that the burden is on the agency to establish that its denial of
inspection is proper?

Did you know that the court could award you an amount between $5 and $100 a
day for each day that access to the records was denied.

So, if they don't give you everything you ask for you can sue. And it's easy
(relatively) to win in WA for that because of our FOIA laws, then the agency
has to pay for the lawyers and a penalty for delay of the records. For emails
that means $5 * (Days of Delay) * (Number of Records).

In short, if Seattle fucked up this FOIA request, denied or delayed -- that
could have cost them millions of dollars.

The author didn't understand that and (like a fool) blames the city and city-
workers.

~~~
danso
> _In short, if Seattle fucked up this FOIA request, denied or delayed -- that
> could have cost them millions of dollars._

Sorry, but that sounds like bullshit. The Washington law provides for agencies
to take reasonable time on a request, especially one a request that is
complicated and broad. In fact, unlike the FOI law for federal and other
states, the Washington law does not proscribe the number of days that an
agency must respond by, only that they be made "promptly":

[http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520](http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520)

The city of Shoreline did not have to pay out $500K "because of mistakes they
made on a FOIA request", not according to what you posted:

> _The City of Shoreline will have to reimburse $438,555 to cover the
> plaintiffs ' costs as Washington agencies are required to cover reasonable
> attorneys fees for their opponents after losing open records lawsuits.
> Shoreline also agreed last year to pay a $100,000 statutory penalty after
> the court found that the city violated the state public records act._

They paid $438K for fighting the request _for seven years_. They paid an
additional $100K penalty because they were have found to _violated the law_.
They did not pay for "mistakes", at least not mistakes in good faith.

~~~
edoceo
SEATTLE – The Washington Supreme Court has upheld a $502,000 penalty for
Public Records Act violations by the state Department of Labor and Industries,
in a ruling which affirms that judges can calculate such fines based on each
page of a withheld record.

Another example in WA, the kind of thing that scares public sector employees.

I have direct personal experience with this, and direct knowledge of others
receiving payout from government (in WA) for similar violations (almost had to
start another suit this month).

Your narrow interpretation is splitting hairs. The danger is real to the
government workers executing these requests

Edit: two more easy to find examples

[https://www.aclu.org/news/judge-fines-tacoma-police-
departme...](https://www.aclu.org/news/judge-fines-tacoma-police-department-
withholding-public-records-about-invasive-surveillance)

www.spokesman.com/stories/2016/mar/24/justices-uphold-502000-public-records-
fine-against/?amp-content=amp

~~~
danso
Sorry, I don't understand what your argument is. Both articles you link to
refer to large penalties imposed against government agencies for withholding
the requested records, over a long period of time.

In your original comment [0], you suggested that employees feared of making
innocent mistakes that would lead to open records lawsuits. None of the
examples you've provided describe that situation. Instead, they involve
agencies (and their lawyers) who have decided to refuse a request and fight it
out in the courts. What does that have to do with being a danger to employees
who handle these requests?

[0]
[https://news.ycombinator.com/item?id=18267039](https://news.ycombinator.com/item?id=18267039)

~~~
edoceo
Well, spend some time with those employees, they know about these cases.

This means that these employees frequently send more, faster to avoid a big
public issue.

The point is that individual people feel pressure and make decisions based on
these articles (and many not so public cases) that in retrospect are not that
great.

And then some blogger makes foolish claims, as if it was incompetence rather
than fear.

I'll not comment further

~~~
danso
I've sent quite a few FOI requests myself when I was a reporter, and my
experience biases me against thinking there's a significant problem of state
employees sending out FOIAs quickly/prematurely out of fear. In fact, I've
never dealt with an employee who broke protocol -- for non-routine requests,
the vast majority of them consult with their FOI officer/legal counsel. And
they have no incentive to rush things because most FOI laws allow for a delay
in response time -- Washington's law doesn't even have a set time limit in
which the government has to respond.

> _The point is that individual people feel pressure and make decisions based
> on these articles_

That is literally the situation of every public servant -- as just about any
police officer will tell you. The difference with FOI is that the law provides
ample protection for government employees to take their time to get it right,
and every investigative journalist I've ever worked with puts up with those
delays -- it's only when the delay goes into months/years such that it's
tantamount to a rejection that legal action is threatened, because the lawsuit
itself takes months to resolve.

The only example lawsuits you've found were ones in which the agencies refused
to fulfill the request. Until you can show a single instance in which a state
employee, or even an agency, was punished because they were late while trying
to respond in good faith, I don't think we should assume you know what you're
talking about when you claim the author has "no background/understanding" of
WA's public records laws.

It's especially absurd that you're trying to argue that the mistake the city
of Seattle made in his case was done out of hurried fear, when the author
provides correspondence that shows he and the city emailed back-and-forth from
April to August before they sent him the data. A technical screwup (via
internal miscommunication) is the most plausible explanation by far, as no one
in the IT or FOI office had any reason to rush this request.

