SHERROD BROWN aa Wnited States Senate BANKING, HOUSING, AND URBAN AFFAIRS WASHINGTON, Dc 20510 - 3505 IWANCe July 31,2017 ‘VETERANS’ AFFAIRS Donald MeGahn White House Counsel 1600 Pennsylvania Ave., NW Washington, DC 20500 Dear Mr. McGahn: We write to express concern and seek information related to the decision made by the White House to publish emails containing personal information of citizens that wrote to the President's Advisory Commission on Election Integrity (the “Commission”. The White House recently published over 100 pages of emails sent to the Commission by citizens who voiced opinions about the Commission’s work, including concerns about the attempt to gather and publish data on millions of American voters. The data the Commission sought to collect included party affiliation, election participation history, birthdays, and partial social security numbers of all voters since 2006. The emails echoed the sentiments shared by millions of Americans in that they raised privacy and security concerns with the Commission’s plan to gather and publish personal data on American voters. Secretaries of State for over forty states also share those concerns, and they refused to provide all or part of the information requested by the Commission. Many of the published emails contained personal information on the original senders, including names, physical and email addresses, phone numbers, and some of the emails contained employment information. The White House received as many as half of these emails before it issued the Federal Register Notice soliciting comments on the Commission and before the Commission website went public, both of which include warnings that names and contact information may be published. However, the White House published dozens of emails sent by citizens that received no warning or explanation of the White House’s disclosure policies, and the White House neglected to redact those emails before publication, making public the personal information of dozens of Americans. In today’s digital world, where personal information in the ‘wrong hands can lead to unwanted intrusions into people's lives, we find it particularly concerning that the White House would intentionally release personal information without express consent and without adequately informing people that their information would be released. Especially so soon after the personally identifying data of nearly every U.S. voter belonging to the Republican National Committee was exposed online. Elected officials across this nation, at every level, encourage citizens to engage and communicate with their government leaders as a means to promote transparency and involvement in government, This is a hallmark of our democratic system of government and allows people thatdo not hold office to have input in government beyond just their vote. Since our nation’s founding, whether by mail, phone, or email, people have contacted their elected representatives to voice their opinions. At no time have Americans contacted their elected representatives with the expectation their representatives would subsequently publicly disclose their personal information without permission. The decision by the White House to publish the emails commenting on the Commission without redacting personal information demonstrates, at best, a lack of sensitivity to and simple disregard for the very concerns raised in many of emails. At worst, the decision to publish is a vindictive action taken to harm individuals that spoke out against the Commission’ efforts to gather and publish personal data on every American voter. Regardless of the White House's intent, this incident warrants answers from the Administration as to why this personal information was published and clarification as to the White House policy on the publication of personal information contained in communications sent by private citizens. We therefore respectfully submit the following questions and requests for information to the White House: 1. What is the White House policy for publishing, releasing, or otherwise making public personal information contained in communications sent to the White House in written correspondence? Please provide a copy of all relevant written policies Does the White House provide any public notice, on its website or otherwise, that informs citizens who send correspondence to the White House of what information may be made public? If yes, please provide a copy of any relevant written policies. What is the White House understanding of the consent people provide when sending written correspondence to the White House? What is the basis of this understanding? 4. Did the White House warn or otherwise notify the senders of the now-published emails in advance that the White House would make public the personal information contained in such emails? Has the Administration amended, altered, or otherwise changed, formally or in practice, any White House policy of disclosing personal information contained in written correspondence sent to the White House by citizens? If yes, please provide a copy of all relevant written policies. 6. Has the White House rescinded any privacy or personal information disclosure or publication policies since January 20, 2017? If yes, please provide a copy of all relevant written policies. 7. Did the White House publish all email comments it received regarding the Presidential Advisory Commission on Election Integrity (the Commission)?10. uN 12. 14. ‘Who made the decision as to which emails to release and what standards were used in making such determination? ‘Was the release of personal data in any way retribution for criticism of the Commi: ‘What guarantees can be made that personal information in future comments from citizens, critical of the Administration will be protected? Does the White House follow the Federal Trade Commission (FTC) standards for the privacy and security of sensitive data provided to them by United States citizens? (https://www.fte.gov/site-information/privacy-policy) Does the White House follow National Institute of Standards and Technology (NIST) standards on the maintenance and security of personal information provided to it by United States citizens? (https://www.nist.gov/privacy) Can the White House assure our European trading partners that it is committed to Privacy Shield, given the upcoming review period and the fact that this disclosure could be considered a breach if any of the individuals affected by the above-referenced data release are dual US-EU nationals? (https://www.privacyshield.gov/welcome) Will the White House provide or pay for credit monitoring services for the individuals whose personal information was shared by the White House after commenting on the Commission? Ensuring the security of personal information is of paramount importance, and we appreciate your prompt response to this letter. out Sincerely, M Bow Vm io Sherrod Brown: janne Feinstein United States Senator United States Senator Ron Wyden United States Senator