National Association for Gun Rights Leaking Personal Information

The National Association for Gun Rights (NAGR) is an organization that I’ve heard nothing good about and that hasn’t changed with the most recent news I came across via Shall Not Be Questioned. It turns out that the NAGR has been leaking information submitted to their contact page:

On Friday evening we were contacted by Jeff Hulsey, a retired gunsmith from the Gulf Coast region of Texas. Jeff had a problem. Starting back in August of 2013 He began receiving emails at his personal email inbox, which is through the popular Gmail domain, that it did not appear were intended for him.

[…]

What concerns Jeff is the fact that even though he is trying to point out the fairly obvious error that they are making that they are leaking personal information to an unknown source. We asked Jeff if these emails were truly unsolicited. He replied, “Absolutely unsolicited. The only dealings I’ve ever had with the NAGR were to score a couple of stickers for the side of my toolbox. I’m not even a member.”

When asked if the rest of the emails looked like the email he provided to us he stated, “Yes. It’s random questions from people who visited their “Contact Us” page, then forwarded by someone within their organization for follow-up or review. Some of them contain some very specific personal information, like the USPS worker who details which facility he works at in pursuit of an answer to a legal question.”

If you’re advertising yourself as a gun rights organization you need to realize some accepted practices within the gun rights arena. What may be the most important practice is privacy. Gun ownership is under constant attack by politicians and gun control activists. Because of this gun owners tend to desire privacy. Unless you’re willing to respect the privacy of gun owners you’re unlikely to gain much ground as a gun rights organization. But what makes this apparent misconfiguration or mishandling worse is the NAGR’s response:

To Jeff, this looked like a simple mistake. It looked like someone had the wrong email address and was forwarding him email incorrectly. He tried to contact NAGR and got no response. He has since received about one email a month from them following the same pattern.

Misconfiguration an e-mail forwarder or mishandling data, although bad, are mistakes that any system administrator in a hurry can make. Failing to acknowledge and correct the problem after it has been pointed out is unacceptable.

Handling personal information isn’t trivial. There are a lot of mistakes that can lead such information be leaked to unauthorized individuals. We see this even with well reputed organizations such as Target. What I find most telling about an organization is how to respond to their mistakes. The lack of response from the NAGR shows me that the organization is either disorganized or unconcerned. If it’s too disorganized to fix a simple mistake how can it expect anybody to trust it with fighting for gun rights? Political fights require a great deal or organization. On the other hand the NAGR may be unconcerned about its users’ privacy. If that’s the case how can anybody trust the organization to be seriously concerned with gun rights?

I haven’t supported the NAGR because I’ve never heard anything positive about the organization. But news like this leaves me urging people not to support or interact with the organization. Any information you give the NAGR, including payment information for all we know, could end up in unauthorized hands.