Report about data privacy laws not protecting public servants

A

Welcome to State Scoop's Priorities podcast. I'm Keely Quindlen, a reporter with State Scoop. This week I interviewed Justin Sherman, interim vice president of the Public Service Alliance's Security Project, to discuss a recent report that he authored that evaluates why state consumer data privacy laws do not offer public servants adequate protections from either digital or physical threats. But first, here's what's happening in state and local government technology news this week. In a report published last week, the Minnesota Technology Advisory Council recommended that the state begin preparing for the emergence of quantum computing, which could pose new security threats to the state's sensitive data. The annual report notes that quantum computing introduces a new class of risk to traditional encryption methods that protect the state's most sensitive financial and health data. A Romanian national this week pleaded guilty to selling credentials for a network operated by the Oregon Department of Emergency Management. The initial access broker, who went by the online handle inthematrixone, pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft. He is expected to be deported as the United States prepares to host part of the 2026 FIFA World cup this summer, New York Governor Kathy Hochul this month announced that the state will receive 17.2 million in federal funding to combat illegal or unsafe drone flights in June and July. The event's matches will be played in Canada, Mexico and in 11 US cities. I recently interviewed Justin Sherman of the Public Service alliance to take a deep dive into the intersection of data privacy and public service. His report examines the 19 state comprehensive privacy laws on the books. Sherman found that not one of those laws grants public servants, from local school board members to state legislators, judges and emergency responders the right to legally compel state agencies to redact their personal data from public records or to force data brokers to stop selling data once they've acquired it from those public records. Sherman told me that gap in protection isn't just a regulatory loophole, it's a doorway to doxing threats and real world violence against people who keep our communities running.

B

I've been studying and writing on privacy for some time now and doing that at the same time as we see such an uptick, which I'm sure we'll get into in growing violent threats towards public servants and growing degrees of political violence and other related problems. It strikes me right that there's which there is such an interesting but often underexplored intersection between the two of those those subject areas we have for some time now known, or really for at least three decades, that having someone's personal information in a stalking and gendered violence context has been a really horrific way for individuals intending to do harm to locate and then hunt down and then harm particular people. And so while this study is focused on state privacy laws and the degree to which they protect public servants from violence, so not necessarily the same group as the one to which I just referred, it's kind of the same thought process. Right. Which is in this era of growing violent threats towards public servants and this era of growing political violence, what's the role of personal data in facilitating the ability for an individual who wants to hurt a school board member or a teacher or a state legislator or someone in the federal civil service? Or we could go on. Right. What kind of data is out there that could enable them to harm that person? And what are the safeguards that we do or do not have in place to prevent one of the worst things that can happen with data, maybe arguably the worst thing that can happen with data from happening. Right. Which is that somebody is seriously physically injured or even potentially loses their life.

A

Yeah, absolutely. And I'm curious about what surprised you most as you were reviewing all of these 19 state comprehensive privacy laws. They're also distinct, but also have a lot of similarities. So what, what does that reveal, though, about who these laws were really designed to protect?

B

Yeah. So, and just to step back for a moment and kind of, kind of finish fleshing out what we were just discussing, the reason we focus in this study on state privacy laws is because there are a growing number of cases where, as I mentioned, has happened for decades in the stalking and gender and violence context where individuals who want to harm a public servant, send them a death threat, show up to their kids, school, try and kill them at work, or something else are using personal data to do so. Right. Which, if you think about it, makes a lot of sense in that you'll need to know where the person works to be able to show up to their office. Right. If someone is trying to harass someone's phone line, they'll need to know their phone number. If they're trying to show up to their house with a firearm, they'll need to know what the street address or apartment number is. Right. So, but, but this is the reason to look at the state privacy laws is in a growing number of cases, we've seen individuals who want to commit violence against public servants are turning to data sources to do so. Sometimes that's a data broker. These are companies in the business of buying and particularly selling our data. So literally selling. Right. It's not like a social media platform, right? We all know they track us where they collect our data and sort of hide it behind a firewall and run some ads. And I'm being a bit simplistic about social media on purpose, but these data brokers really are actually sell the data sets and the data sheets. And so we've seen in a number of cases that these sites have been connected in some way to acts of violence. There was a horrific attack on the home of a New Jersey federal judge in 2020. An individual showed up with a weapon, killed the judge's 20 year old son, seriously wounded the judge's spouse. And this individual had used these data broker websites to find information about where she lived and to track this judge. More recently we've seen when the individual showed up overnight to the home of Supreme Court Justice Brett Kavanaugh. Justice Kavanaugh had by that point in time been doxxed repeatedly. So had his information, private information revealed online repeatedly. His data was also widely available on these data broker websites. And then I'll give one more example, which is the another horrific one. The murder last year of Minnesota state legislator Melissa Hortman and her husband Mark, along with the attack and serious wounding of two other individuals, a state legislator and his wife. The individual who allegedly murdered Melissa Hortman and her husband had, according to the FBI affidavit, a number of the data broker names written down in his notebook, noting where, you know, you could get information on the people he was hunting down. So it's a bit of a long lead up. But I say all that to say part of what we tried to look at, why we looked at these state privacy laws was because we know a sometimes these data broker websites are a way for people trying to hurt a public servant to find out where they live, where they work, who their kids are. And also because there are other data sources, right? Political candidate might disclose their work address or home address in a campaign filing. They might have a property record. A lot of these are public records that state agencies hold on to. Property filings, voter registries, marriage certificates that also have this home address and other data. So also say in looking at the 19 states with consumer data privacy laws, or pretty broad consumer data privacy laws, anyway, what was most sort of shocking, I mean not shocking if you know, know this space, but most shocking when you go through and code it, is that these 19 state privacy laws don't really perform too well in dealing with the issues we just discussed. Perhaps we can run through the four specific criteria I looked at in the study. But if you look at these privacy laws, not with the lens of how do we prevent digitally enabled discrimination or how do we prevent targeted ads to kids or something, all of those are really important. I've written about those a lot too. But if we look at it with the lens of how do we prevent the acquisition of data by an individual who intends to commit violence against another person? These laws unfortunately fail in a number of respects to actually. Which is sort of the shocking takeaway to actually seriously mitigate the risk of that violence happening towards a public servant.

A

Yeah, gosh, I just got chills hearing you talk about the suspect in the Hortman's unfortunate murder. Had that information written down about the data brokers. I was unaware of that. So, you know, to go back to what you said, kind of about the four criteria that are touched on in the report, I'm curious about how we ended up with privacy laws that protect residents as consumers. Right. But not as government workers. I hear a lot of conversation about, you know, these, these laws being comprehensive consumer privacy laws, but what is missing in terms of protecting public servants?

B

It's a really important question. And ditto, of course, on the horrifying nature of these cases. I'll just add. Right. Sometimes you can go on these data broker websites. I mean, I've studied data brokers a long time, but you can go on these data broker websites in some cases and type in a name and for maybe 50 cents, get someone's whole profile, kids names, home address, phone numbers with no background check. So it's really sort of horrific. Lowering of the barrier to violence, the four criteria. Yes, as you mentioned. So I'll list the four criteria and then we can talk about your important point of how did we get to this state of affairs? The four criteria we looked at in this study were, one, does the law in question give someone the right to compel a state agency to redact their identifying information in a public record? So an example might be. Lots of states have big public records databases around who owns which property. So maybe you could say, okay, we will allow the public record to say that a state legislator indeed lives in the county in which they're supposed to live to hold that office. But we're going to in that public record. So if someone goes to the office to pick it up, we're going to just retract, black it out, delete it, replace it with smiling emojis and clip art, I don't know. But we're going to redact their exact Home address or apartment number. So that's an example. The second criteria was then if a data broker, as they often do, goes to that public record, they scrape all of the property records, marriage certificates, voter registries, DMV records, other documents from a government, and then digitize them so they can sell it. This happens all the time. Can you in that case say to the data broker, do not sell, I do not consent to the sale of that particular data. And then the last two criteria were if a data broker does that same thing, they're selling someone's personal information, but they're not doing it based on a public record, they're selling it from a source, they another source, they got it somewhere else, right? Maybe you bought something at a retail store or responded to a mailer or got a digital ad and they know where you live that way, right? Can you have them stop selling that? And last but not least, does the law in question have a private right of action? Right. So if a company is violating the law, especially knowingly violating the law, can you, as an individual, including a public servant acting in their private capacity as a citizen, sue that company in addition to whatever state attorney general enforcement might be, but can you sue that company for a violation of the law? So just to re summarize, right first, can you compel the state agency to redact your public record number? Two, can you compel a data broker to stop selling data from a public record? Three, can you stop that data broker from selling data from other sources? And four, do you have a private right of action? So Those are the four criteria. None of the 19 states allow anyone to redact public records data. None of the 19 under that law, at least none of the 19 states allow in their so called comprehensive consumer privacy law you to redact in a data broker's record or stop a data broker from selling data it got from a public record? All of them do provide some rights. They're different, they're narrowed in some cases to prevent a data broker from selling data from other private sources, non public record sources. So that was a yes across the 19 laws. And then with respect to a private right of action, they all fail as well. In this case because California does have a private right of action under its privacy regime, but it's focused on a very specific subset of cases mainly focused on data breaches and explicitly does not allow you to sue for, let's say, a data broker ignoring your opt out request. So all to say they don't fare well. Just to close out my response here, you Made a really important point, which is, well, how did we get to this place where A, the privacy laws fail in this way and B, the privacy laws don't adequately protect public servants? Well, in response to the first one, we got to this place because for years, in my opinion, and as is written in the report, states have ignored or decided not to have a complicated but important conversation about public records privacy. Public records, until only a few decades ago were only. I mean, computers have not been around that long either. Right. So digital computers. So for a long time, public records were only kept in physical hard copy form. If you move to a new state and I'm trying to locate you, I'd have to know exactly which town you moved to already. So I could go to that specific office to try get your record in person and then I go in person and then I apply and then I. Right, They've really changed with digitization and they've really changed with data brokers now selling this data left and right for $2 $1.50, five bucks on a public servant, on a, on a woman, on a kid. Right. So in my view, that's really a root of. Part of the problem is states have not really thought about that, that issue. The second thing is point B, public servants, right? Why do they not protect public servants? I want to preface this by saying that, and anyone who has read anything I've ever written knows this. You know, this report is by no means saying, nor am I by any stretch saying that public servants should be the only ones getting privacy protections. Right. I mentioned the stalking, gendered violence problem. There's a lot out there on that. I've written on that a long time as well, about all of the ways that other groups are made vulnerable because people can find their data and locate them. In this case, though, it's also true that different groups experience different privacy harms in different ways. And in this case, given the uptick in threats against public servants, according to data from the capitol police, the U.S. marshals Service, data by the great folks at University of Nebraska, Omaha and Princeton's Bridging Divides Initiative and Chapman University, I can keep going on. Right. The PSA team partnered with a group called the Impact Impact Project that had this data. There's so much data on growing violent threats to public servants that it's really also important to understand that these state laws are written to capture sort of top level priority issues to the population broadly. And a lot of the time they can fail like they do here to dig into acute problems that are outside of the traditional window of how people think about privacy, but really seriously impact different groups. In this case, public servants are one of the groups that is definitely disproportionately impacted compared to the broader population. Although of course not the only one impacted. I'm not saying they're the worst ones impacted, but certainly impacted here because of their data being so available.

A

Yeah, absolutely. And you kind of walked us through the scenario in which, or how a public servant's personal data moves from public record into the hands of a data broker and then how that potentially can escalate into harassment or worst case, you know, violence. And you know, the report also links data exposure to these rising threats. And you just noted that there's a growing volume of data supporting the correlation between data availability and doxing and physical safety risks. Would you mind talking a little bit more about how strong this connecting evidence is? Because I, I hear those examp examples of, you know, obviously such horrific violence, you know, in Minnesota, New Jersey and then, you know, Supreme Court Justice. But I can, I can almost hear and anticipate hearing from somebody listening to this going, well, that's just, those are just three cases. That's just anecdotal evidence. You know, how would you kind of combat that mindset about this?

B

It's a really great question. I'll rattle off a couple statistics on violence broadly and let's, let's double click on that data point. So as you mentioned, as I mentioned, there are a number of studies at this point from a number of, of widely respected nonpartisan organizations or law enforcement organizations about rising violence against public servants. And when I say public servants, I want to be really clear here. This is not just, this is not only, which is also concerning, but this is not only death threats or violent attacks on members of Congress or even state legislatures, state legislators, which is still, well, both legislatures and legislators, which is horrific too. It's also school board members, public educators, 911 call center operators in the vein of this being a family program. I won't say them, but I could rattle off a number of incredibly disturbing profanity and other horrible word laden examples of what the actual threats sound like. Right. There's a bunch of news stories and indictments and stuff where you can go read the actual things that people say to public servants, including their children or about their children or their spouses or their parents. So it really is disturbing. But just as a few, a few examples, right? So the U.S. capitol Police recently put out their threat data for 2025. There is a 58% year over year increase in threats from 2024. And this is one of the highest, by the way. This is now at an all time high with at least in recent years with the threats to members of Congress and their staff and their families. But this is also the highest year over year relative increase in like a decade. So this is really a spike in threats, you know, about 15,000 or so threats that they investigated last year. And this is only threats that meet a certain threshold, right? This doesn't even count, probably all the tweets and other, you know, things that they track. Between 2019 and 2024, the U.S. marshal Service investigated more than 1,000 serious attacks on federal judges. Data from Princeton's Bridging Divide initiative shows that nearly 90% of state legislators have experienced a violent attack, a threat or some form of abuse, which includes stalking, from 2021 to 2024. And most recently, BDI also did a survey showing that almost 75% of local office holders at the end of last year were less willing to engage in political life, whether that's working on a topic or running for office, because they were afraid of violence, including against their. So really horrifying stats. In terms of the data connection, you make a great point there, right? Some might say, well, you just named three examples, Justin, what are the rest of them? And there's two points. One is there are many more examples. You can go find them online. They also are not compiled though, is part of the challenge. And this is, I will say this is similar to the issue with tracking this in the stalking and gendered violence space, which is if you work with, you know, I've separately worked with some of those groups. If you, as we do at psa, work with public servants every day to try and keep them safer and make sure they can do their jobs without worrying about their family's security, you certainly encounter these kinds of conversations, right? And I'm obviously not going to disclose anything too specific here. But all to say, right, any listener can understand that if you're actively facing a death threat, you might not go write a whole op ed about it, right? Much like if you're facing doxxing or something else, you might not go on TV to talk about it. So also say what ends up happening? And maybe this is an unsatisfying answer, but what ends up happening is a lot of these cases don't get reported. People, it's very difficult to actually compile proper peer reviewed empirical data on the scale of this problem. In terms of how often is data or data broker data related to these violent incidents. Because again, in lots of cases, people don't report it, they're not willing to talk about it, or they don't understand the data connection. Right. You might get, as one state public servant did, a fake pipe bomb thrown through their window, or you might get, as an Indiana judge and his family did, recently targeted for essentially what appears to be alleged execution by a gang, allegedly that the judge was overseeing a matter related to. I don't know or not if those two examples involved the kind of data we're talking about, but that's the point is the fact that it's out there. Someone has to find the home address somehow. You have to find the, you know, if someone's targeting a public servant, you have to get this data somehow. And so, yes, you could follow them, you could physically tail them, you could get it somewhere else. But a lot of the time it's quite possible this comes back to the broker data. I'll also mention New Jersey has a law, Daniel's Law, that is meant to address this, named after the son of Judge Salas, who Daniel was murdered, as I mentioned, in 2020 in a horrific attack on their home. And same thing in New Jersey's Daniels Law. You can go read. There's a wide variety of news stories and allegations there as well of different public servants, including local law enforcement coming forward and talking about the degree to which their home address being available has, has facilitated potential violence. So, yeah. So all to say, it might not be a satisfying answer. I, unfortunately, I wish I could. Right. And I, we, this is something we remain interested in at PSA is as much rigorous, fact driven data as possible to understand this problem. And we're working on that. But for the time being, it also is hard, right, when people are threatened to really calculate and compile all that data. It takes, you know, it takes a lot of time and it takes working with those public servants that are facing these threats to really log those examples.

A

Oh, absolutely, yeah. And it sounds like y' all have your work cut out for you just after hearing those statistics. I, it's kind of unbelievable and it's really difficult to like wrap your mind around what that actually means, you know. Of course, your report also recommends, as you mentioned earlier, private right of action and broader takedown authority as being, as being things that can really be added to these privacy laws to strengthen them so these kinds of things stop happening. Right. But if you had to pinpoint the most like, consequential gap in current state privacy laws in terms of protecting public servants and their data. Right. What is it and why does that matter?

B

Most challenging to pick between, between the private right of action and the public records issue. But I'm going to say the public records issue and that's because as with any law, always, right, you're going to have companies that don't comply out of a lack of awareness or lack of understanding. You're going to have companies that don't comply out of outright malice or negligence. But on the whole, one would hope that the majority of companies at least make some effort at compliance with what the law says, right. So that said, right. And private rights of action are absolutely vital. It's bad for privacy and consumers writ large. These laws don't have them. But here the real concern to me, the top concern is the public records issue. Because if you are a, and this is true if you're a consumer generally in these states, but I'm just going to say public servant in this instance, if you're a public servant who lives in Colorado, maybe you work at the 911 call center, maybe you're a state health worker in Indiana, maybe you're a law enforcement, you know, you're the local sheriff in Kentucky or you know, you're in New Jersey and you're a prosecutor, right. And I'm mentioning these examples because these are states as covered in the report that have these statewide privacy laws we're talking about, right? If you're one of those public servants and you go to the data brokers and say could you please stop selling my data because I'm worried about violence against my family. I'm already experiencing it maybe, and that data is based on a public record under the state privacy law, the state comprehensive privacy law, they can decline that request. They can say no, this is from a public record. Public records are completely exempt. Publicly available information, as these laws say, it's completely carved out. We don't have to do that too bad, right? And this actually does happen. And then related to that right in those same states, if you go to, again, under the statewide privacy law, if you go to that, that state agency holding your public record, whether that's, you know, in your county or at the state level or what have you and make a similar request and say, you know what? I, you know, not saying throw my public record in the incinerator, but could you please black out, you know, my exact apartment number, could you, could you please redact my phone number, my non public phone number or something of that sort? That's also Not a right that you have. So you know, again, I mention these because a home address is going to be the most concerning here in terms of violence along with work address and kids school information. But the other stuff is too a phone number, right. Or something else that you could then use to look up their data somewhere else. So to me that's the top problem we have is until we get to a place where groups can say, because in my view it's too reductive. Right. Public records are really important, let's be clear about that. Public records enable transparency in a democratic country, such as with court records. We're certainly seeing that right now. Public records are vital for journalistic reporting. They're important for accountability watchdog groups. I mentioned the semi fictitious example of let's say a legislator who's spending time in one county and then another county and the group wants to check they're running in the right district. Those are all real reasons to have access to public records information. But to me there's often a binary view where folks say, oh well, keep it all up or take it all down and that's it. And rather than saying, well hold on a minute, we can have journalistic reporting, democratic transparency, First Amendment protected speech activities, et cetera, at the same time as we can have basic safety and security for public servants. Right. Again, as an example, maybe you allow that property record to say the county a public servant lives in, but do you need to print their apartment number where they live with their two year old son? I don't know. I mean, you don't have to is my point. Right. So I just think tackling the public records piece of this will be really huge because again, lots of groups are affected by this. Public servants are certainly targeted a lot through this kind of data or exposed through this data. And you know, but it would, it would be good for these states writ large to have those protections in place.

A

Absolutely. And you know, I just listening to all of this is, I feel like I've learned so much and a lot of it is very worrisome. But I want to try to end this podcast on a little bit more of an upbeat note. So over the next year, what should reporters and privacy experts and technologists, what should we be watching for in terms of movement in this space towards adding and bolstering those protections? Will it be through litigation or legislative fixes, data broker enforcement, or do you think that we'll start facing new threats? Where do you think that this goes next?

B

The threats by all accounts are unfortunately look like they're going to keep rising. I mean, I hope they don't. And lots of wonderful organizations, I just mentioned many of them, PSA among them is, you know, we're doing work to try and ensure that, you know, public service is safer and no American is forced. Right. Because this is really what this is about, right. Is that people should not be forced to choose between serving their community and protecting their family. That is crazy to even say out loud that that's what's going on. So that's really the goal. But what's most likely to happen, I think one, we're going to see a lot of great success. As I talk about in the report, with California's new drop system, this is a one stop shop, free, government built platform where essentially as a resident of California, you can go in, fill out a form, submit it and they will take that for you and blast that to every registered data broker in the state, as mentioned, that doesn't cover public records. There are also other ways that the law could be made broader. But I'll just say it's an important, important step. Right. And it's a really great investment by California. So that's going to be one area where I think we'll see movement and maybe other states will look to that. Right. I mean, there have been conversations for years at the federal level in Congress about potentially pursuing such a kind of system at the FTC in the federal case as well. The second thing I'll say is Daniel's Law, I mentioned this in New Jersey, is an important piece of legislation. It provides some of the rights that we're talking about, in fact, to some categories of public servants, such as public defenders, prosecutors, law enforcement officers and their families. And Daniel's Law, because it provides these rights, has really irritated the data broker industry who quite frankly, in my opinion would prefer to just keep selling all kinds of data all the time and never have to delete or redact any of it. And so the data brokers have not been happy with Daniel's Law. But that is another area of great interest. Right. Because as that law has been challenged a number of times in the courts and as of last fall seems like it may be upheld TBD on the specifics there, but we'll know in the coming months. That could be really interesting that there is a model to say, hey, we can have First Amendment protected speech, we can have public records and so forth with the right exceptions and carve out some protections for public servants. The last thing I'll mention is we're obviously at a time where the federal government is stepping back from a regulatory posture vis a vis privacy, at least in the way that it historically has across Democratic and Republican administrations for the last several decades. So as a result, as we're already seeing lots of states and PSA is a nonpartisan organization, but I'll also just throw out this is also happening across blue and red states, which is sort of interesting, right? But many different states, ranging from California to Texas to Maryland and list keeps going on, are pursuing these kinds of state privacy enforcement actions that they want to be seeing that maybe the federal government used to bring and now states are really stepping up. So the third thing, especially given the great focus of this show on the state policy and the role of states in our great national project, that is certainly something that's very encouraging, is seeing how many states and how many residents across the country really do care about privacy issues. And I think that's something that will really drive a lot of this action in the coming year.

A

That was Justin Sherman with the Public Service Alliance's Security Project. We are sending our many thanks to him and his organization organization for their participation in that conversation. You can subscribe to the priorities podcast@priorities podcast.com and wherever you get your podcasts while you're there, be sure to leave a review or a rating on the podcast page. That small extra step helps more people like you find the show. This podcast is a production of Scoop News Group in Washington, D.C. adam Butler and Carlin Fisher helped to put it together. Until next week. I'm Keely Quinlan. Thanks for listening.