This article originally appeared on VICE US.
When Jayne checked her email on the morning of February 13, she didn't expect to find anything particularly exciting. The 34-year-old, who asked her real name be withheld out of fear that speaking out could affect her housing benefits, was enjoying a rare moment of relative peace on a snow day in a household with five kids. But when she opened the attachment from a note sent by the Seattle Housing Authority, she did not see the routine newsletter she anticipated. Instead, she was staring at a list of names, addresses, e-mail addresses, and tenant code numbers for the more than 500 clients of the city’s Scattered Sites low-income housing program, which includes low-income complexes that are typically smaller and more family-oriented than bigger housing projects. Jayne's own name and personal information were included on the list.
Americans, of course, are no strangers to data collection. The last few years have featured some of the largest and most potentially damaging data leaks in history, like the Equifax credit breach. But low-income Americans often find themselves trading personal information for access to benefits ranging from food to housing to childcare. Clients of Seattle's Scattered Sites program, which is part of the Seattle Housing Authority and receives both federal and city funding, for example, report being asked to provide employment pay-stubs, birth certificates, and social security cards for everyone in their household, and health records if they are claiming disability status as part of their application. In exchange, they receive reduced-cost permanent apartment units that are, according to the website, "located near transit, with easy access to shopping, parks, schools, and neighborhood services that meet the needs of low-income residents."
It's a trade many residents are glad to make, especially when the alternative might be homelessness. But when a privacy breach occurs, it raises the question: what exactly are the poor giving up in order to survive, and what are the potential consequences?
“For low-income people, the stakes [of a data breach] are higher,” said Michele E. Gilman, director of the Saul Ewing Civil Advocacy Clinic at the University of Baltimore, and a former Department of Justice civil rights attorney. She cited examples of former clients whose utilities were shut off after someone opened a false account in their name and failed to pay, or who were picked up on warrants for crimes committed by someone else under their name. For people without money to quickly reinstate a utility service or hire a criminal attorney, those types of errors—even if eventually rectified—can have long-lasting consequences, including job loss or child protective involvement.
Those fears hit home when Jayne saw her name on the list that day.
"I was really shocked at first," she said. "And then I was insulted…. I felt like my identity or whatever didn't matter to them."
On the same day of the original email, the Seattle Housing Authority sent the list-serv a follow-up note asking the attachment with names and addresses be disregarded. It would not be until February 19, almost a week after the email was sent out, that the Seattle Housing Authority acknowledged the specific kind of error that occurred, and apologized.
"The file did not contain what is referred to as 'personally identifiable information' (social security numbers, birth dates, etc.)," that subsequent note stated. "However, we sincerely apologize for the error and ask that you please delete any copies of the Excel file that may still be on your device."
But Joseph Nameth, a security analyst at Cvent, a large events software provider, suggested personally identifiable information should be properly understood to include addresses, full names, and e-mail contacts, which were included in the mistakenly-sent file. He also argued the SHA incident sounds like "a little bit of negligence, especially assuming they're dealing with PII [personally identifiable information], and a fair amount of PII. In my opinion, that's an organization not doing proper diligence for that kind of data."
Alex Muentz, senior security adviser at Leviathan Security Group, a private information security firm, suggested this specific type of mistake could be avoided using a fairly common technology called Data Loss Prevention (DLP). "What it does is before you’re able to move a document out of one system to another, it looks through the document automatically and looks for types of information that are controlled." Essentially, the DLP program should flag an email before it's sent if it includes information that it has been pre-programmed to protect.
Kerry Coughlin, the communications director at Seattle Housing Authority, said the agency does use an email security system, but that it was only configured to prevent the release of data like social security numbers, credit card info, and driver's licenses. So the attachment, which did not include that type of information, did not raise alarms, at least initially.
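To make that configuration gap concrete, here is an added sketch (not code from the Seattle Housing Authority or any DLP vendor) of an outbound-attachment check: with only Social Security number and payment card rules, a contact roster passes, while an added bulk-contact rule flags it. The rule names, the 25-address threshold and the sample data are assumptions made for illustration; driver's license formats vary by state and are left out.

```python
import re

# Identifier patterns comparable to the rule types named in the article.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(candidate):
    """Luhn checksum, so arbitrary long digit runs are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text, bulk_contact_limit=None):
    """Return the names of the rules that the attachment text triggers.

    bulk_contact_limit=None models the narrow policy (identifiers only).
    An integer adds a rule that fires when the text holds at least that
    many distinct e-mail addresses, i.e. it looks like a contact list.
    """
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("payment_card")
    if bulk_contact_limit is not None:
        emails = {m.group().lower() for m in EMAIL_RE.finditer(text)}
        if len(emails) >= bulk_contact_limit:
            findings.append("bulk_contact_list")
    return findings


# Constructed sample data: text extracted from a roster spreadsheet
# (name, address, e-mail, tenant code) and from a routine newsletter.
ROSTER = "\n".join(
    f"Resident {i},{100 + i} Example St,resident{i}@example.org,T-{i:06d}"
    for i in range(1, 31)
)
NEWSLETTER = "Staff change notice. Questions: office@example.org"

if __name__ == "__main__":
    print("narrow policy:", scan(ROSTER))
    print("with bulk-contact rule:", scan(ROSTER, bulk_contact_limit=25))
```
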
"It was one of those human error things," Coughlin said. "It wasn’t really a data breach or anything like that; the data was handled properly, the person who was doing it is experienced and well trained in data handling. They just literally attached the wrong file." She explained that the Scattered Sites newsletter was e-mailed out to the list-serv in two batches. One batch did, in fact, receive the newsletter, a .pdf file that included information about a staff change, mold prevention, and online rent paying. A second batch of recipients, which included Jayne, instead received an Excel file with clients’ names, addresses, e-mail addresses, and tenant codes—an internal figure Coughlin described as "a completely meaningless, random code," but which Jayne said she was required to include on all of her rent checks and had been used to look up her file in the past. (Coughlin noted the Excel document was only sent to 150 recipients total.)
For her part, Gilman argued that many times, names and addresses can be enough to commit the types of identity fraud she has helped her low-income clients battle. "It can cost time and money to clean up the effects of identity theft. Because low-income people are already living on the economic margins, any loss of funds can be catastrophic," she said.
"You have less privacy as a poor person," Muentz added. "Privacy is becoming a luxury."
Of course, it's not all that often that Americans hear about something like last year's Medicare and Medicaid security breach, or the Department of Housing and Urban Development's 2016 blunder, when the agency publicized the personal information—including social security numbers—for more than 425,000 public housing clients. But that doesn't mean these types of mistakes aren't happening. Security breach notification laws require disclosure when information like bank accounts or social security numbers get leaked. But if it's addresses, contact info, or the fact of whether someone uses public assistance, such leaks do not necessarily have to be disclosed (specific disclosure laws vary by state).
So even though basic personal information could be damaging if collected, clients may not know that it's been publicized. In fact, Muentz suggested organizations that serve marginalized populations were more susceptible to poor security protocols precisely because they could get away with it. "If someone's data has to be breached, breach the poor person because there's lower chance of repercussion," he said wryly. "It's harder for someone with a lot of stuff going on to pursue a complaint."
The experience of Denisha Jones, a mother of four who has been an SHA client for over a decade and whose information was included in the mistaken attachment, bolstered Muentz's theory. "It did give me concern," she said of the recent email incident, "like, ‘Dang, my info is that easily breached,' but I don't have too much time to be concerned." She had been working as a nursing assistant at Swedish Hospital, a leading medical provider in Seattle—until she was forced to leave her job when her husband was incarcerated on a probation violation last November, she said. Now she is struggling just to keep her family clothed, housed, and fed. She's bothered by the leak—but she doesn't have the time to pursue those feelings. (So far, she hasn’t seen any negative outcome as a result of the leaked personal data.)
Not that low-income communities are ignorant about this issue. A 2017 survey by Data & Society, a New York-based research institute, suggested that people making less than $20,000 annually were both aware of and highly concerned about their data vulnerabilities. One especially serious concern, which Jayne cited on behalf of her neighbors, is that some clients of low-income housing programs might be fleeing domestic violence. Targets of intimate partner violence are often also subject to financial abuse—one study found that as many as 99 percent of domestic violence survivors were also abused financially—leaving survivors disproportionately in need of public services. And it is well documented that domestic abuse survivors are at heightened risk of being murdered by their abuser when trying to escape them.
“In most cases where we are aware of a domestic violence situation, the person will give us an alternative email or alternative mailing address,” Coughlin, the communications director at the Seattle Housing Authority, said, though she added that she couldn’t say this was true for certain of every domestic violence survivor in the program.
In reality, the February e-mail sent by the Seattle Housing Authority with the wrong file might not have any grave repercussions. It was relatively small in scope, and did not include financial information or the kind of sensitive data that is most commonly used to defraud someone. But the event highlights a larger issue: Poor people in this late capitalist moment have little control over what information they must give out to survive, and what happens to it once it's in the hands of the government or some other entity, well-intentioned or otherwise.
Follow Elizabeth Brico on Twitter.