Pennsylvania removes email database of public employees
Spotlight PA is an independent, nonpartisan, and nonprofit newsroom producing investigative and public-service journalism that holds the powerful to account and drives positive change in Pennsylvania. Sign up for our free newsletters.
HARRISBURG — Pennsylvania officials have removed a searchable, online database of state employee emails, narrowing the ways the public can reach the people who work for commonwealth agencies.
The state Office of Administration, which oversees cybersecurity for state government agencies, took down the directory in May because it posed a security risk, said communications director Dan Egan.
“Having every Commonwealth employee email address publicly available in a searchable directory represents a cybersecurity risk and is not a best practice since phishing emails are increasing in frequency and represent the number one threat vector Commonwealth employees face today,” Egan wrote in an emailed statement.
The state still provides an online phone directory of state employees, and department websites feature some general email addresses and contact forms for public use.
The email directory launched in 2012, and gave the public a way to directly contact employees who work for various state departments.
But making thousands of email addresses easily accessible also opened up employees to phishing attacks, Egan said. Phishing attacks use trick links to gain access to credentials or sensitive data. Phished government accounts can put state services and finances at risk.
“Today’s bad actors are increasingly sophisticated in their tactics and often conduct research on specific individuals to craft targeted phishing messages,” he said.
Filters on Pennsylvania email accounts blocked 400 million potentially malicious messages in the past 12 months, according to Egan, a total that represents nearly half of all mail government employees received.
Malicious emails can include phishing emails, scam emails, and other unwanted or unsolicited messages, Egan said.
Data breaches originating with a government’s own employees are a top concern among cybersecurity officials, said Susan MacManus, a political scientist whose research has examined the tension between transparency and security in local governments.
That concern has only grown as individual employees of state and local governments have come under increased scrutiny for their part in administering controversial policy or politicized processes like elections, MacManus said.
“That's the essence of the cybersecurity issue,” she said, “individual rights versus the right of the public to know, which means you have the right to privacy versus the public's right to have transparency.”
There are protections, such as filters that disable links and attachments, that government agencies can deploy against email-based cyber attacks, said Herbert Lin, a cyber policy and security researcher at Stanford University.
But cybersecurity measures are inherently inconvenient, Lin said, and attempts to thwart “the bad guy” can also hinder a member of the public. Plus, they cost money.
“So, there is a sense in which it's fundamentally an unresolvable dilemma,” he said. “The only thing you can do is to strike a balance…and how you choose to balance them is a question of politics and policy.”
While the Pennsylvania email directory is no longer available, other government agencies still provide employee contact information online. The website of the Office of Open Records, for example, lists contact information for agency open records officers in every state department, county, and municipality.
Before accessing the email addresses, users must pass a CAPTCHA test to prove they’re a human being and not an automated program seeking to harvest data for nefarious purposes. The more emails a user tries to access, the more complex the tests become.
The former statewide directory also included a simpler CAPTCHA test before the site was taken down, and limited the number of emails that a search could return, Egan said.
“This made it more difficult, but not impossible, to compile a large number of email addresses using the application,” he said. “Because of this, we decided to remove this directory.”
Beyond access to public servants, the decision could have implications for requesting government records.
In 2013, Commonwealth Court ruled that government-issued email addresses count as personal information under the state Right-to-Know Law, and thus do not have to be disclosed. Two years later, however, the same court found that email addresses that are already “held out” to the public as a way to contact government employees are subject to the law and should be provided upon request.
Closing the directory effectively curtails that access even if a member of the public files a request seeking contact details, said Terry Mutchler, former director of the Office of Open Records and a transparency law attorney.
Phone numbers might not be sufficient for Pennsylvanians whose schedules don’t dovetail with government business hours, Mutchler said.
“We need to recognize that more access is better than less access for the average citizen,” she said. “I recognize that cybersecurity is a very real threat, but if we look around at business, and we know Pennsylvania is open for business, we see technology advancing to protect information, not remove it.”
Decisions regarding changes to access should involve advocates for both transparency and security, MacManus said.
“It cannot be a singular decision without every person that both uses and protects the data at the table to discuss,” she said. “That's why you have to have the chain of decision-making well laid out.”
Democratic Gov. Josh Shapiro’s administration has taken a number of steps since taking office to control the flow of information and tighten public access to government activity.
His transition from attorney general to governor was unusually secretive: Shapiro did not disclose the donors who underwrote his inaugural party and transition team members had to sign nondisclosure agreements.
He also does not publicize his daily calendar, a break from his predecessor and fellow Democrat Tom Wolf.