The security breach of Utah's Child Protection Registry is a major faux pas for the Utah Division of Consumer Protection. It also could pose a credibility problem for UnSpam Registry Services, the private company that claims that its e-mail encryption system is foolproof.
Details of the breach were revealed Thursday in court papers filed by a California adult-industry trade group that is challenging the constitutionality of the controversial registry, and later confirmed by Utah Department of Commerce Director Francine Giani. The e-mail addresses in question were listed on citations issued to violators and later obtained through an routine open records request.
Jerome Mooney, an attorney for the Free Speech Coalition, called the incident a "substantial failure" of the system. "It's not like anyone was probing the system to look for weaknesses," Mooney said. "This just underscores one of the issues the Federal Trade Commission was worried about that the benefits [of Unspam's registry] are outweighed by the risks of compromise."
Giani said the division is contacting the parents of the minors in question and urging them to cancel the e-mail accounts.
"It appears a very new member of our staff may not have followed [open records laws]," Giani said, noting she learned of the breach Thursday. "We are investigating what happened, why it happened and how we can make sure it never happens again.
"A fair amount of trust has been placed with us and this is not a good thing. I'm sick about it."
Brent Hatch, attorney for UnSpam, said he hadn't read the court filing and could not comment.
Late last month, Utah consumer protection officials cited four companies for violating the Child Protection Registry statute, a new law that requires adult-oriented Web sites and e-mailers to screen out the addresses of minors whose names appear on the registry.
Named in the citations were DOS Media Now, an Encinitas, Calif., online gambling site; Golden Arch Casinos, of Overland Park, Kan.; Smoothbeer.com, a United Kingdom beer company; and SoftestGirls.com, a Singapore company that sent pornographic e-mails to Utah minors.
After the consumer protection division boasted about the crackdown in the news media, Justin Weiss, director of legislative affairs for the E-mail Service Provider Coalition, requested copies of the citations. The state promptly complied, but neglected to redact the e-mail addresses of the children in question.
Weiss alerted state officials to the security breach Oct. 3 and urged them to inform the individuals whose personal information was compromised, according to court papers.
Utah's Child Protection Registry took effect in mid-2005. While its primary selling point with legislators was to combat pornography, it also is designed to protect registered minors from content promoting alcohol, tobacco, gambling, firearms and drugs.
Both Utah and Michigan, which has a similar registry, link mass e- mailers to Park City-based Unspam Technologies. The company charges a half-cent for each address that is removed. The registry is free for schools, parents and other guardians of minors to use.
Commercial e-mailers argue that the registry's time and cost are an unfair burden. The Free Speech Coalition - a California-based porn trade organization - is challenging the constitutionality of the Utah law in U.S. District Court.
Judge Dale Kimball has set a Nov. 9 hearing on the coalition's motion for an injunction, and the state's request to dismiss the coalition's lawsuit.
- Tribune reporter Bob Mims contributed to this story.
