If you hunted or fished in Connecticut in 2023, chances are Inside Investigator has not only your name and email address, but also your residential address, even if you don’t live in the state, and even if you don’t live in the country. We can see whether you hunted with a rifle, shotgun, muzzleloader, or bow, fished in freshwater or saltwater, and if you own a boat. All we had to do was ask to have it delivered to us via email, something anyone could do.

Inside Investigator used the Freedom of Information Act (FOIA) to request email lists associated with various government services, including hunting and fishing licenses, parking permits, and building permits. And we received personally identifiable contact information, including residential addresses, details about what home improvements you did, how much they cost, who did the work, and other details about the lives of hundreds of thousands of individuals who either live in the state or have used state services.

The Data

Working on several tips about the ability to obtain residential addresses by requesting email lists, Inside Investigator submitted a series of FOIA requests to a number of state agencies and municipalities.

One request was directed at the Department of Energy and Environmental Protection (DEEP) and sought copies of email lists the department uses to communicate with hunting and fishing license applicants.

In response, we received data associated with over 360,000 entries, including names and residential addresses, and in some cases email addresses, for individuals who had requested a variety of licenses for hunting, fishing, and also watercraft operation.

Because nonresidents can obtain hunting and fishing licenses, the data included not only personal information on Connecticut residents but also addresses located in states across the country. It also included residential addresses located in over 40 different countries: Turks and Caicos, Switzerland, New Zealand, Great Britain, Australia, Japan, Barbados, Belgium, Brazil, Belize, Canada, Chile, China, Colombia, Czech Republic, Denmark, Ecuador, France, Spain, Hong Kong, Honduras, Kosovo, Hungary, Ireland, India, Italy, Japan, Lithuania, Latvia, Mexico, the Netherlands, Peru, Poland, Puerto Rico, Romania, Croatia, Sweden, Singapore, Taiwan, Ukraine, Uruguay, and South Africa.

Another request was directed at the Hartford Parking Authority and sought the email list used to communicate with parking permit holders. The data that was turned over also included the residential addresses of individuals, both those who live in the state and those who live outside it, who currently hold or have recently held parking permits.

Use and Abuse

Any time personally identifiable information (PII) is leaked, whether through hacks of private companies, public entities with inadequate data security practices, or victims of ransomware attacks, it’s obviously cause for alarm.

The consequences of someone else obtaining your personal data can range from the merely obnoxious to the catastrophic.

With an individual’s name and email address, scammers and other malfeasant actors can:

Spoof password reset messages and use them as a way to trick individuals into giving up personal data, or take over an account

Sign someone up for marketing messages from an organization an individual finds offensive or doesn’t agree with as a form of harassment

Register for accounts and memberships with various organizations

Impersonate someone on social media or in other online forums

With a full address, the degree of harm scammers can cause is far greater. They can:

Submit a change of mail request and have your mail, including sensitive mail, rerouted

Bypass security protocols at certain customer service lines if they use this information to verify your identity

Swat your home

Sell your information to data brokers

Create targeted phishing scams and fake offers sent to your home through the mail that are designed to trick you into giving up more sensitive information

The good news, according to James Lee, chief operating officer of the Identity Theft Resource Center, is that the risk your identity will be directly stolen as a result of PII obtainable through FOIA is low. A name and address alone are not enough to commit identity theft. And, in many cases, most of the information you can obtain through FOIA is already available.

However, that information can be used by malicious actors to obtain more sensitive information that can be used for identity theft.

“The reality is, for any adult residing in the United States, most of that information is already in the water and already available, for free in many cases,” Lee told Inside Investigator. “Both in public forums, in open identity forums, and as well as on the dark web, but increasingly most information bought from identity criminals isn’t done on the dark web. It’s done on the open web. The reality is, people should be aware, should be cautious, but most individuals aren’t the target of identity criminals. They’re most interested in scale and automation. It’s hard to attack individuals one at a time.”

According to Lee, in most states, public agencies don’t have the authority to redact PII.

“It’s sort of an ongoing issue, for a long time, where you draw the line between public right to know and individual right to privacy,” Lee said. And while he says a lot of states are passing more comprehensive privacy laws, most of them exempt public records or don’t address them at all.

“It’s the classic case where government lags behind where individuals are on personal privacy and concerns on it,” Lee added.

The reality is, FOIA requests aren’t the only way PII is obtainable through public databases. Anyone who’s ever donated money to a political candidate participating in Connecticut’s Citizens Election Program (CEP) has had to fill out a form detailing their name, residential address, and employment information. All that information is publicly available through the State Election Enforcement Commission’s eCRIS online database.

But donating to a political candidate is a choice that individuals are free to make, with knowledge ahead of time that they’re submitting information that will be collected and made publicly available.

Having to get a parking permit in order to safely and conveniently park near your home or place of employment is a different story. And while hunting and fishing licenses are not essentials for a majority of people, most people probably don’t expect information on them to be publicly available in that level of detail.

And it’s that level of detail that’s the problem.

“The point of [FOIA] is you’re supposed to be able to see government activity, see what government is doing in providing services to the public,” Aaron Mackey, the director of free speech and transparency litigation at the Electronic Frontier Foundation, told Inside Investigator.

And while the ability to see who has a parking permit in a particular town, or the number of people who annually apply for certain types of hunting and fishing licenses, does provide useful public information about public services, Mackey suggests releasing PII like email addresses and residential addresses in these instances doesn’t accomplish much.

“What is this disclosure of public information showing about government? It’s not showing much, I don’t think,” Mackey said.

There are certainly instances where publicly disclosing PII, including addresses, does reveal something useful about government function. As an example, Mackey pointed to parking permit records that might show a public official’s residence to be something different than they are claiming, affecting their eligibility for office.

Mackey also pointed to an example from California, where public records revealed that sheriffs were requiring political patronage before issuing gun permits.

“Sometimes just the names of individuals are newsworthy. Addresses, phone numbers, other personal information that’s collected doesn’t necessarily need to be disclosed to address concerns,” he said.

But there are also cases where disclosure of PII, especially addresses, not only doesn’t do anything to promote the public interest but can actively harm people.

“Imagine you’re a victim of domestic violence and you move, can a perpetrator find you easily because they know you have a dog, or check public permit parking? I think there are a variety of ways in which information can be used and put people in danger that doesn’t serve the public interest of knowing what government is up to,” Mackey stated.

There are other scenarios that could create jeopardy for people whose information is exposed through these lists. It stands to reason that individuals who have applied for hunting licenses own guns, and likely keep them in their homes. Having access to gun owners’ addresses could make those individuals the target of swatting, protests, or harassment from individuals who disagree with private gun ownership.

Where to Draw the Line?

A good test of where something falls on the line between public interest in government information and protecting personal privacy, according to both Lee and Mackey, is whether the information being disclosed contributes anything to public knowledge of how government operates.

“A good exercise for any legislative group to look at is, what’s the real purpose of making information available can you protect both people’s privacy and the right to know?” Lee said.

“Why is this information being disclosed? There’s no doubt some of the information needs to be disclosed for it to do business, but I don’t think it necessarily follows that the public needs to know that information just because they used it. There might be public information in knowing someone applied for a permit, but I don’t think the depth of information being disclosed drives at that,” Mackey stated.

“Generally speaking, when it comes to privacy of information there’s supposed to be a balancing test. Does the public interest in disclosure outweigh the privacy interest of individuals? It doesn’t sound like [Connecticut] is doing much of that public balancing,” Mackey continued.

There are some instances where disclosure of email lists, whether intentionally or unintentionally, weighs more favorably for public disclosure.

A FOIA request Inside Investigator submitted for email lists for parking permits from the city of Norwalk contained considerably less PII than the information Hartford turned over. It included only the names, city, state, and postal code belonging to individuals who had submitted a request for parking permits.

We also sought email lists associated with pool permits from a number of municipalities. Pool permitting information, like building records, tends to fall into a category of information that is inherently more public than other types of permitting Inside Investigator sought.

Information on building permits is frequently available upon request, even without FOIA. For the most part, the information Inside Investigator received seemed to reflect this.

Data we received from Rocky Hill included the address for which permits were requested and information about what type of work was done. For the majority of records turned over, the name of the person who had submitted the permit was not provided.

We also requested the same information from Essex. The records they provided for pool permits also include the address the permit was provided to, the owner’s name, and information about the work. Unlike Rocky Hill, the majority of entries include the homeowner’s name.

However, the data they turned over for a FOIA request Inside Investigator submitted related to burn permits also includes email addresses.

We also requested information on pool permits from Waterbury. While the data they provided includes standard information, including names and addresses, they provided records for all building permits issued in the town going back the past decade.

Since building permit information is generally available, this is hardly egregious. But in cases where potentially sensitive PII is involved, oversharing of information not specifically requested may potentially raise issues.

These were not the only requests Inside Investigator submitted. We also sought email lists relating to pet licenses from the towns listed above, as well as additional requests for pool and burn permits from other municipalities. Those requests were still pending at the time of publication, as was a request seeking email lists used to communicate with licensed caregivers in the state’s medical marijuana program.

The responses Inside Investigator received show uneven application of concern for privacy, which may be the result of different municipalities following different, local standards in the absence of state guidance.

But even without any state guidance on how privacy should be protected through records requests, if you’re a private citizen, FOIA offers your PII less protection than it does that of public officials.

While there are exemptions to FOIA that prevent private citizens’ PII from being requested, they are limited and usually situation-dependent, for example, if you’re the victim of a crime or involved in a certain police investigation that is unsubstantiated. A proposed bill from the recent legislative session would have expanded these for certain vulnerable classes of individuals.

Student and minor records are generally protected, as are many inmate records. Connecticut’s FOIA also does have a specific carveout prohibiting the disclosure of addresses and names of individuals enrolled in senior center programs administered by public agencies.

Inside Investigator submitted FOIA requests to both the Connecticut State Library and the Department of Motor Vehicles seeking email lists, and both agencies upheld the law by denying the requests on the grounds that the information is protected.

But that ban exists for everyone, not just private residents. In short, there’s a discrepancy between how FOIA protects private residents’ information and public officials’ information. In cases where private citizens’ information is protected, it’s by default, and exemptions, such as for driver’s license information, apply equally to everyone. In cases where public officials’ information is protected, it’s the result of a special provision within law, which exists by nature of someone’s position.

In short, there’s a blanket ban on the addresses of certain government employees being disclosed through FOIA but no such ban exists for private residents’ addresses.

Inside Investigator ran into this exemption in data we received from our request to the Hartford Parking Authority.

“Please note that certain information contained within the responsive records was redacted according to Connecticut FOI Law. More specifically, addresses of City of Hartford emergency services personnel and students currently enrolled in either public school or college were redacted,” Jill Turlo, chief executive officer of the Hartford Parking Authority, wrote in an email providing responsive records.

The residential addresses of firefighters are exempt from disclosure under FOIA, as are the names and addresses of students enrolled in public schools without written consent.

Nor are they the only public employees to whom privacy is extended. The residential addresses of a number of other categories of public employees are exempt from disclosure under FOIA:

Federal court judges and magistrates; state supreme court, superior court, and appellate court judges; family support magistrates

Sworn law enforcement officers in municipal police departments, in the Division of State Police, and in the Department of Energy and Environmental Protection

Department of Correction employees

Attorneys who represent the state in a criminal prosecution

Attorneys and social workers employed by the Division of Public Defender Services

Division of Criminal Justice inspectors

Employees of the Department of Children and Families, Board of Pardons and Paroles, Commission on Human Rights and Opportunities, and the judicial branch

Department of Mental Health and Addiction Services employees who provide direct patient care

State marshals appointed by the State Marshal Commission

Attempts to reform FOIA in recent years have also largely focused on giving more privacy to public employees.

A bill from the most recent legislative session would have added employees in the attorney general’s office to this list, but it did not make it through final passage before the General Assembly adjourned sine die.

Another bill, SB 436, which was voted approvingly out of the Government Administration and Elections Committee but never received a floor vote, would have struck language limiting the agency employees whose addresses are exempt from disclosure and added language making the residential addresses of all public employees, except where residency was a condition of employment, exempt from FOIA. It also would have deleted a reference in statute that limits the exemption on disclosing covered employees’ addresses to their employing agency.

The bill received support from a number of unions representing classes of state workers, including Connecticut branches of SEIU, AFL-CIO, and the AFT. Supporters of the bill argued that allowing public employees’ residential addresses to be accessible through FOIA subjects them to abuse of the act and allows them to potentially be targeted by disgruntled residents.

“Knowing the location of a public employee’s residence does not improve government transparency. Redacting a home address does not restrict access to the substantive information the public has a right to know. Failure to act on this legislation may cause dedicated servants to leave public service, believing their personal safety will be better protected if they were employed in the private sector. The state cannot afford that loss,” Ed Hawthorne, the president of Connecticut AFL-CIO, wrote in testimony supporting the bill.

“We are not asking for special treatment or trying to hide from accountability, but like the other people whose addresses are exempted from release, we just want to keep ourselves and our families safe,” Carl Chisem, president of SEIU Local 511, wrote in his testimony.

And there are merits to these arguments. While individuals who seek public office or public service are rightfully subjected to a much greater degree of public scrutiny, it doesn’t mean they give up their privacy entirely.

Over the last couple of years, protests have increasingly taken to the private homes of all sorts of public officials. In May, for example, pro-Palestinian students and New Haven residents protested outside the home of Yale University’s president.

As streets are public property, many such protests are protected First Amendment activity. But they can also turn dangerous. On the national level, the Federal Bureau of Investigation has been tracking a rise in swatting incidents targeting politicians. Swatting involves a fake emergency call to someone’s address and can turn deadly.

But there are also legitimate reasons someone might seek public records containing public officials’ addresses. Public records recently helped inform Pennsylvania voters about residency questions around David McCormick, who lost a Republican primary to Dr. Oz in 2022 and is currently running against Democratic incumbent Bob Casey for the 2024 election. McCormick owns a home in Pittsburgh and also rents a home in Westport. How much time he spends in which state—and whether he spends enough in Pennsylvania to represent constituents there—is an open question relevant to voters. Access to public records involving McCormick’s travel and residency is legitimate and contributes to knowledge of government actions.

SB 436 was opposed by the Freedom of Information Commission (FOIC) and ACLU-CT on grounds reflecting the transparency interests in such information being public.

FOIC executive director Colleen Murphy referenced a 2012 law that eliminated restrictions on access to addresses in voter records, land records, and grand lists in her testimony.

“This was done in recognition of the reality that a complete prohibition on disclosure of certain residential addresses is unworkable, impossible and ignores the public policy behind numerous provisions within Title 9 that require the disclosure of residential addresses,” Murphy wrote.

She also noted the bill created a process by which public employees whose residential addresses are exempt from disclosure could request their business address be substituted for their residential address. This clause was added because the bill also narrowed the ways in which covered employees were protected, by making any records containing their addresses and originating in any agency except the one that employed them subject to disclosure under FOIA.

This approach strikes more of a balance between the public’s right to know and respect for privacy.

But there’s still a problem with it, and that is the uneven application of privacy, which is extended to public officials but not to private citizens. Any generalized privacy protections that exist, such as for data from the Department of Motor Vehicles, benefit both public and private citizens.

Where there are specific carveouts in FOIA for privacy, those more greatly benefit public employees. Public employees can qualify for protections based on their job and also have the additional benefit of being able to register if they don’t want their address shared and can provide a business address.

Private citizens don’t have that advantage.

“To say there’s a greater interest in protecting the disclosure of public officials’ information seems to be privileging certain people whose only difference is being employed by a public agency or elected to public office. It’s not recognizing holistically that everyone is deserving of privacy protection,” Mackey said.

Personal Privacy

Recent public opinion polling reveals that Americans are worried about data privacy. According to Pew Research, 81 percent of Americans are concerned about how companies use data they collect and 71 percent of Americans are concerned with how the government uses data it collects.

With TikTok, artificial intelligence, and online safety for children frequently making headlines and frequent targets of government regulation, it’s little surprise concern about private actors’ actions outpaces concern about how government uses data.

That’s certainly been the case here in Connecticut. Before the federal government banned the app in the United States by passing a law in April forcing ByteDance to divest itself of the platform or cease operations, Connecticut Attorney General William Tong joined a broad coalition of states seeking to force TikTok to comply with an investigation into whether it had violated consumer protection laws. Connecticut also recently passed a data privacy act, which is largely targeted at protecting consumer data against private actors.

But social media, online retailers, and banks aren’t the only entities that collect personal information. The government also requires residents to turn over identifying information as part of a variety of services and there’s a lot less in FOIA to protect people’s privacy than there is in regulation targeted at private companies.

Where privacy protections go from here, Lee suggests, is up to policy makers.

“A good exercise for any legislative group to look at is, what’s the real purpose of making information available and how can you protect people’s privacy and the public’s right to know?” Lee said. He suggested more nuanced mechanisms that “look not just at the role of particular individuals but anyone who might fit a risk profile.”

“The discussion is one that is needed as so much information is available at this point that there is precious little individuals can do to control information and what’s available and how it’s used. It’s important when we do have opportunities that we have thoughtful discussion at a policy level and individuals take advantage of any tools given at a policy level,” Lee said.

The post It’s Personal: How your information is being exposed through FOIA appeared first on Connecticut Inside Investigator.