Paper Chase
I was listening to a Wired podcast in the car today, and the subject was the Chicago Police Department sharing data on certain people with the federal Department of Homeland Security. The two journalists hosting the podcast kept referring to this information sharing as a "data breach."
And this is why I dislike listening to many news-related podcasts; journalists can be as partisan as anyone else, and that partisanship tends to manifest itself in, let's call it, a certain sloppiness with terminology. The sort of intentional sharing of information that the CPD had engaged in was not a data breach. DHS did not break into the CPD's systems and exfiltrate the data without authorization. The collection and sharing of the data may have been inappropriate, even illegal, and it certainly ran afoul of the hosts' sensibilities, but there was no intrusion or compromise of systems involved. Proper or not, the data was formally requested, and given over.
There is a lot of data floating around out there that many younger people have come to regard as some sort of state secret, when this simply isn't the case. Law enforcement agencies routinely share data. There is nothing out of the ordinary here. Referring to the sharing as a breach is to imply that the Chicago Police Department had an affirmative duty to keep the information in strict confidence and that it failed to do so due to a failure of data security procedures. But that isn't what happened. Rather, the CPD was keeping an internal database on people, and sharing that with DHS. Casting this as a breach casts the issue as a problem without actually needing to delve deeper into whether compliance lapses actually constituted a data breach, where people who were unauthorized to access and view the data actually did so.
While mishandling of data can lead to data being breached, mishandling is not, in and of itself, a breach. Wired never explained who viewed or used the data who was not supposed to, only that the data was not deleted in accordance with instructions to do so in a timely manner.
To be sure, I don't expect all journalists to be certified information privacy professionals. But they should be conversing with people who have that sort of background before publicly calling out incidents, if only to ensure that they have their terminology straight.