This week, when I got the latest emails from former School-Board candidate Ulrich Hoffmann in which he once again expresses his reservations about paying taxes to support the local public school, I happened to look back over the history of emails from him. And I noticed something peculiar: He's using the email list compiled by the Future for Westport organization for his political mailings. He even sent out his literature campaigning for School Board to the list.
Yesterday I emailed him to ask about this and he confirmed that yes, he was using that list. His position seems to be that any email address that has ever arrived in his inbox, even as a cc on an email sent by a third party, is fair game for his bulk sendings.
The email list of the Future for Westport was compiled in a spirit of openness and forward-looking collaboration. The Future for Westport is almost not an organization at all, but more a social network initiated for the betterment of the community.
So it is understandable that emails sent out to those of us who had volunteered to serve on its many committees were sent out as cc's rather than concealed by the sender. But there are some basic principles of privacy practice that, in hindsight, probably should have been observed. They are called "Fair Information Practice Principles." The US Federal Trade Commission summarizes the matter thusly:
Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information -- their "information practices" -- and the safeguards required to assure those practices are fair and provide adequate privacy protection.(27) The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.(28) Common to all of these documents [hereinafter referred to as "fair information practice codes"] are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
Regarding the first point, Notice/Awareness, the FTC remarks:
The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information.(29)
Never mind that "Notice" was not given that our email addresses might be provided to the entire group (which in effect means the entire town and then some), I don't think that in those enthusiastic moments when we were all rushing to write our names on the big yellow sheets of paper to sign up for committees anyone had given much thought to exactly how the personal information collected was going to be used. And since it hadn't been thought through, no notice was possible.
The FTC's second item is "Choice":
The second widely-accepted core principle of fair information practice is consumer choice or consent.(42) At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
(43) Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put.(44) Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.
Mr. Hoffmann takes the position that because he will remove people from his email list if they ask him to, he is ethically in the clear. I don't think so. Since those on this email list were given neither Notice nor Choice regarding possible uses of their information by the collecting organization, his argument that he has the right to use these email addresses unless asked to stop by the recipients is dubious.
Regarding item 4, Integrity/Security, the FTC explains:
Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes.
In the current case, insuring that information collected is used only for its intended purpose involves not just sending it out to two hundred people.
In any event, I hope that this is for us collectively a teachable moment in which we can improve the way we deal with electronic communications. I would suggest that all of the local organizations consider drafting and publishing privacy policies that are in the spirit of these FTC guidelines.
See also my post on Hoffman's candidacy for school board which was written when he first brought himself to my attention. I didn't notice at the time what email list he was using.