Cops fined £80,000 for revealing childhood abuse victims' names

Gloucestershire Police has been fined £80,000 for failing to blind-copy an email that contained the names and email addresses of victims of child abuse. The Information Commissioner's Office handed down the penalty after investigating the bulk email error, which took place in December 2016 and exposed the names of 56 people – …

  1. MiguelC Silver badge

    Bring Clippy back

    "I see you're trying to send a bulk e-mail, would you like some assistance with filling the BCC field?"

  2. Anonymous Coward

    <FTFY>

    Gloucestershire Police has taxpayers have been fined £80,000 for police failing to blind-copy an email that contained the names and email addresses of victims of child abuse.

    </FTFY>

    Fines do nothing but feed a voracious regulatory beast with hidden tax monies purloined from the taxpayers. Real change will come when offenders lose their jobs or are charged with criminal offenses.

    1. deive

      Personally I think it is the MANAGERS of those responsible who need to face the music. For not providing the correct training/software to do the job. Outlook should never be used for this sort of thing.

    2. Anonymous Coward

      Fines do nothing but feed a voracious regulatory beast with hidden tax monies purloined from the taxpayers

      ICO "fines" go to the treasury, and I doubt that many people would call the ICO "voracious" nor a "regulatory beast". In many respects, enforcement would be better if the ICO were funded from fines - they'd have more incentive to collect, and to proactively investigate.

      1. Teiwaz

        ICO "fines" go to the treasury, and I doubt that many people would call the ICO "voracious" nor a "regulatory beast". In many respects, enforcement would be better if the ICO were funded from fines - they'd have more incentive to collect, and to proactively investigate.

        One Government body fining another is a rather pointless round-robin anyway. Gloucester plod is hardly going to be allowed to go under like a badly run business.

        Dismissals and/or court action, it's the only way, or they'll only offend again.

  3. Blockchain commentard

    Why email them in the first place? You've a website. Put updates on that or *shudder* on social media. You're emailing journalists so the content is not that private.

  4. adam payne

    and that the force was taking action to improve its technical and organisational measures.

    So you are retraining people in the use of the BCC field, seriously?

  5. Dan 55 Silver badge
    Facepalm

    "before the force recalled the mail"

    Has that ever been known to work when the email gets sent outside the organisation?

    1. peterb

      Re: "before the force recalled the mail"

      It's the best known method for making me read the 'recalled' mail very carefully.

    2. Alan Brown Silver badge

      Re: "before the force recalled the mail"

      "Has that ever been known to work when the email gets sent outside the organisation."

      It usually doesn't work INSIDE the organisation. I can point to at least a half dozen ways of ensuring that attempting it not only won't work but will highlight the message.

  6. GnuTzu

    Fines by way of Payroll Deduction -- at Management Level

    Just my two cents on the discussion. I hope that fine tunes it somewhat.

  7. Lt.Kije

    So no actual personal sanction for the dolt who did this??

    1. Anonymous Coward

      of course not, the police are above the law in this country.

      police, nhs & other government bodies data breaches should result in jail time, not fines.

  8. GnuTzu

    Outlook Needs Some Options

    Making email safe is a tough challenge. Email DLP is a weak filter, as are other such controls, and they are minor protection from wet-ware bugs. I would definitely be in favor of having completely different systems for communicating with those whose personal details need to be kept private.

    As for Outlook, there are enhancements that do help. Ones I have yet to see, though, would include an option to always show the BCC line or hide the CC line. There are those that tag the subject line as external for incoming emails, and I'd like to see a better warning when replying all when external emails are present. Yes, there are warnings for this, but it's just not prominent enough. There should be an option to prompt with a list of external addresses, along with the option to delete email in that prompt, instead of just that little warning that's way too easy to overlook.

    1. Alan Brown Silver badge

      Re: Outlook Needs Some Options

      " an option to always show the BCC line"

      That assumes that users KNOW what "Bcc" means - in my experience most of them don't even understand "CC" until it's explained slowly, using small words

  9. Anonymous Coward

    Pedantry

    I was told once that the standards require the contents of the Bcc field not to be revealed to the recipients in the To and Cc fields, but they do not require that Bcc recipients not be revealed to each other. See sections 3.6.3 and 5 of RFC 2822 and see if you agree. However, even if it is allowed, it would be very unhelpful to implement this in the unexpected way, and these days nobody pays any attention to the RFCs in any case, so I don't know why I bother to mention this.

    1. Mystereed

      Re: Pedantry

      'The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message.'

      Seems pretty explicit?

      1. VinceH

        Re: Pedantry

        "Seems pretty explicit?"

        On first reading 3.6.3 I thought the same - however, now read section 5, then go back to 3.6.3, and you'll pick up on something you may have missed the first time.

        Specifically, it describes three ways a BCC field can be used, and you need to look at the second.

        In the second case, recipients specified in the "To:" and "Cc:" lines each are sent a copy of the message with the "Bcc:" line removed as above, but the recipients on the "Bcc:" line get a separate copy of the message containing a "Bcc:" line.

        I initially interpreted 'a "BCC:" line' to mean one containing just that recipient's address, and didn't register what the next sentence said:

        (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.)

        Some implementations do what I automatically interpreted the preceding part as meaning - but if it's mentioning that as something that some implementations do, it follows that some systems may allow some BCC'd recipients to see other BCC'd recipients' addresses.

        And then the key bit from section 5:

        When the second method from section 3.6.3 is used, the blind recipient's address appears in the "Bcc:" field of a separate copy of the message. If the "Bcc:" field sent contains all of the blind addressees, all of the "Bcc:" recipients will be seen by each "Bcc:" recipient.

        It's effectively saying this is a bad way to do it - but it prompted me to go back and read the 'second method' again, and pick up what I missed.
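The behaviour discussed in this sub-thread, as an added example that is not part of the original comments: it builds the per-recipient copies for the first method in RFC 2822 section 3.6.3 and for both variants of the second method, then reports which other blind recipients each copy reveals. The function names, mode names and example.org addresses are assumptions made for the illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

MODES = ("strip", "shared", "per_recipient")

def addresses(msg, header):
    """Bare addresses listed in one header (empty list if the header is absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]

def delivery_copies(msg, mode):
    """Map each recipient to the copy of the message that recipient receives.

    strip:         Bcc line removed from every copy (first method in 3.6.3)
    shared:        blind recipients get a copy carrying the whole Bcc list
    per_recipient: each blind recipient's copy names only that recipient
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    blind = addresses(msg, "Bcc")
    stripped = copy.deepcopy(msg)
    del stripped["Bcc"]
    copies = {r: stripped for r in addresses(msg, "To") + addresses(msg, "Cc")}
    for rcpt in blind:
        if mode == "strip":
            copies[rcpt] = stripped
            continue
        own = copy.deepcopy(stripped)
        own["Bcc"] = ", ".join(blind) if mode == "shared" else rcpt
        copies[rcpt] = own
    return copies

def exposed_blind_addresses(msg, mode):
    """Per recipient: Bcc addresses other than their own that their copy reveals."""
    copies = delivery_copies(msg, mode)
    return {r: sorted(set(addresses(c, "Bcc")) - {r}) for r, c in copies.items()}

def sample_message():
    """Constructed sample; every address is made up under example.org."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "desk@example.org"
    msg["Bcc"] = "a@example.org, b@example.org, c@example.org"
    msg["Subject"] = "Update"
    msg.set_content("Body text.")
    return msg

if __name__ == "__main__":
    for mode in MODES:
        print(mode, exposed_blind_addresses(sample_message(), mode))
```

Only the "shared" mode leaves other blind recipients readable, and only to the blind recipients themselves; the To recipient's copy carries no Bcc line in any mode.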

        1. Alan Brown Silver badge

          Re: Pedantry

          "On first reading 3.6.3 I thought the same - however, now read section 5, then go back to 3.6.3, and you'll pick up on something you may have missed the first time."

          Which is that RFCs (Particularly older RFCs) are generally written in badly formed american colloquial english, with an assumption that the reader is already familiar with the subject in question and easy access to the RFC author for clarification (because they're just down the hall)

          The number of ambiguous phrases in RFCs is a constant source of amusement and annoyance. I've been told of non-native English speakers _screaming_ in RFC authors' faces that their interpretation of the RFC is perfectly valid, despite it being the polar opposite of what the authors intended.

          Very few RFCs are actually standards - the ones that are, are called STD{XX} - and even those ones are badly written.

  10. This post has been deleted by its author

    1. GBE

      Re: What good does this fine do?

      I mean, basically the government is now handing out a fine to an institution which got paid with... government money (aka: the taxpayers money!) in the first place. Could someone please explain to me how exactly this is going to have an effect?

      It can have an effect because the PHB of government department X takes it very seriously if a chunk of money is deducted from his budget and moved to the budget of some other department's PHB. The basic goal of managers in government is to maximise their department's budget and/or headcount. Taking money away and giving it to "the competition" stings.

      1. Anonymous Coward Silver badge
        Holmes

        Re: What good does this fine do?

        It'll just mean that in the next round of funding there will be an even bigger 'our police are underfunded' mantra, coupled with some 'terists* and pedos* are getting away with it because we're not giving the police enough money' from the Daily Wail.

        (* spolling is deloberate)

        When it comes to government organisations, the concept of being more efficient with money doesn't apply - they just need more of it.

      2. MachDiamond Silver badge

        Re: What good does this fine do?

        "The basic goal of managers in government is to maximise their department's budget and/or headcount."

        Taken from "Dogbert's Guide to Management"?

    2. Alan Brown Silver badge

      Re: What good does this fine do?

      "Oh wow, the cops are fined 80,000 pounds, as if this will actually affect them..."

      It would if the law contained provisions for personal liability.

  11. Chairman of the Bored

    I'm floored

    The few law enforcement information systems I've been around use formal configuration and content management subsystems to segregate "Law Enforcement Sensitive" information from Official Use Only and releasable... And I would fervently hope that identities of assault victims would be accorded such protection.

    It takes a deliberate act to transmit LES information over email, and LES identities are in separate contact lists to avoid precisely the fsckup this law man committed.

    Not foolproof, but at least it's a speed bump.

    Then again, for every procedure I can find you an idiot that will overmatch it...

  12. Anonymous Coward

    For only £10,000 I'll sell you a box

    A box that does nothing except relay outgoing email and bounce anything going to more than 10 people in the CC field to the chief constable.

    1. Prst. V.Jeltz Silver badge

      Re: For only £10,000 I'll sell you a box

      He'll love that, after the first 10 he'll either start just pressing ok without looking, or order you to take your box away.

    2. Alan Brown Silver badge

      Re: For only £10,000 I'll sell you a box

      "bounce anything going to more than 10 people in the CC field to the chief constable."

      For £500 I'll reconfigure the email server to reject more than 3 in the Cc: list and limit the number of total recipients to 10.

      More than that should use a mailing list.

  13. Alan Brown Silver badge

    Someone _really_ doesn't understand email.

    " the force recalled the mail "

    If this is the level of knowledge of people using email, then I despair.

    I'd really like email clients to include a snarky message under the "recall message" menu option, saying "If you wanted to do that you should have thought about it before hitting send" or "I'm sorry Dave, it's impossible to do that and everyone's now laughing at you"

  14. Chairman of the Bored

    I want an electromechanical system built...

    ... into every workstation that reaches up and slaps offenders in the face with a rotten fish, when the offense is one of the following:

    (1) idiots that 'reply all' telling idiots doing a 'reply all' to a group email that they shouldn't 'reply all'

    (2) guys who 'reply all' to emails I BCC'ed on and out the fact I BCC'ed

    I take some responsibility for (2); I no longer simultaneously use Bcc and Cc list, too risky

  15. FlamingDeath Silver badge

    Hopefully the victims have the means to take the police to court, by that I mean they are wealthy enough.

    What a shitshow British justice is

  16. Anonymous Coward

    Sensitive data + unencrypted email = fail

    More to the point, why was email being used to send this sort of sensitive information in the first place, regardless of idiotically blabbing everyone’s names and email addresses?

    I’m assuming that the actual email body must have been unencrypted, because the chances of ordinary people and most journalists (let alone, as we see, many police employees) knowing how to set up and correctly use encrypted email are slim to non-existent (and I include myself in that list: I could probably do it if I really set my mind to it, but as virtually no one I communicate with would know how to, it would be pointless).

    We urgently need to replace email with a secure, easy to use, open standard and open source universal messaging system, and we need it by 1995, if not sooner...
