SALT LAKE CITY, UT – Fulfilling the predictions of some critics of the state’s Child Protective Registry, the Utah Division of Consumer Protection accidentally disclosed the email addresses of four children from the registry.According to a report in The Salt Lake Tribune, details of the security lapse were revealed in court documents filed by the Free Speech Coalition (FSC), which is challenging the constitutionality (among other things) of the registry. The Tribune also reports that Francine Giani, Director of the Utah Department of Commerce later confirmed the accidental disclosure.
The email addresses at issue were originally listed on citations issued to alleged violators of the state’s Child Protection Registry law and were subsequently obtained through a standard open records request.
“It appears a very new member of our staff may not have followed” open records laws, Giani told the Tribune. “We are investigating what happened, why it happened and how we can make sure it never happens again.”
“A fair amount of trust has been placed with us and this is not a good thing,” Giani added. “I’m sick about it.”
Critics of the Utah registry, and a similar registry in use in Michigan, have long maintained that such registries, well-intended though they may be, actually increase the risk of children’s email addresses being distributed and children being exposed to harmful material.
Jerome Mooney, the attorney handling the FSC’s lawsuit challenging the Utah registry law, told the Tribune the incident represented a “substantial failure” of the system.
“It’s not like anyone was probing the system to look for weaknesses,” Mooney noted. “This just underscores one of the issues the Federal Trade Commission was worried about that the benefits [of the registry] are outweighed by the risks of compromise.”
In September, after Utah officials cited four companies with violating the Child Protection Registry statute, Justin Weiss, director of legislative affairs for the E-mail Service Provider Coalition, requested copies of the citations. According to the Tribune, the state quickly complied, but failed to redact the email address of the minors whose addresses had been mailed to in alleged violation of the law.
Weiss informed Utah officials about the security lapse on October 3rd, and urged them to contact the people whose personal information had been disclosed, according to court documents obtained by the Tribune.
Two weeks prior to the breach, Matthew Prince, the president and CEO of UnSpam, the company that provides the registry service, stated that such a breach was impossible – a statement that UnSpam’s attorney says the company still stands behind.
“Even if ordered by a court or held at gunpoint, there is no feasible way that I, any Unspam employee, or any state official could provide you even a single address that has been submitted for compliance by any sender,” Prince stated in an affidavit, according to the Tribune.
Brent Hatch, an attorney representing UnSpam, told the Tribune that Prince was speaking only of email lists submitted to his company and that the state got the emails it accidentally divulged from the parents of children who complained about their children receiving allegedly illegal email solicitations.
“This has nothing to do with the registry,” Hatch claimed, adding that the registry is “completely secure.”
“The Free Speech Coalition got it flat wrong,” Hatch added. “We stand behind Mr. Prince’s statement.”
