From the perspective of a lawyer who has taught governance and the foundations of lawmaking, and as someone who teaches data privacy and information security, what happened today falls exactly within my area of expertise.
Let me explain it in a simple (I hope), though long, way:
Today’s hearing was about redactions, exposed victim data (PII), and the protection (shielding) of data that should not be protected. The only serious answer must be built on law and proper procedure. I suggest walking through how the hearing process is supposed to look ideally under the law, and then comparing that with the real outcome.
I’ll break it into:
(1) what the governing legal standards actually are,
(2) what the right process and answer from an attorney general should look like in a case like this, and
(3) the kind of action plan and timeline victims could reasonably demand.
1. What laws and standards apply to victims’ data and redactions
For a federal case involving Epstein-type files, there are three major pillars:
- Crime Victims’ Rights Act (CVRA), 18 U.S.C. § 3771
  - Victims have “the right to be treated with fairness and with respect for the victim’s dignity and privacy.”
  - This is not symbolic; it is the statutory basis for protecting their identifying information at every stage, including after the trial is over.
  - It includes all data considered PII — personal data that can identify a particular person.
- Attorney General Guidelines for Victim and Witness Assistance (binding policy on DOJ personnel)
  - DOJ employees “shall respect victims’ privacy and dignity” and must protect personally identifiable information (PII) and other sensitive information.
  - Personnel with access to private victim information “should not reveal that information to anyone who does not have a need to know.”
- Epstein Files Transparency Act (the special law that forced release of these records)
  - It explicitly states that files cannot be redacted merely to avoid “embarrassment or reputational damage” to officials or public figures.
  - Redactions are allowed to:
    - protect personally identifiable information of victims,
    - remove child sexual abuse material,
    - protect ongoing investigations,
    - remove images of death or physical abuse.
DOJ’s own explainer on implementing this Act states:
- SDNY (the prosecutors’ office) conducted a manual review “focused on reviewing and applying redactions to protect victim information.”
- There was a second review layer to “maximize protection of victim-identifying information” while still complying with the Act’s transparency requirement and court orders.
So the legal baseline is:
- You may not hide powerful associates just to spare reputational harm.
- You must shield victims’ identities and sensitive data as a top priority.
In simple terms: victim PII must be protected, and justice must not protect others by redacting their names.
The hearing was about understanding the standards against which files were redacted (PII), what tools were used (AI, manual review, machine learning), and who oversaw and controlled those tools and results.
2. What the “right” process and correct answers should have been
If the hearing concerns victim data exposure and redaction standards, a minimally competent and ethical process would look like this:
a. Before any public hearing
- Internal legal and factual audit
  - Map all applicable law: CVRA, the Epstein Act, court orders, DOJ privacy policies, and child-exploitation prohibitions.
  - Reconstruct the workflow:
    - which components (e.g., SDNY, Main Justice, IT contractors) handled review and redaction;
    - what tools (manual, AI, search-and-replace) were used;
    - where quality control and sign-off occurred;
    - how progress was tracked;
    - how redacted and unredacted files were protected from exposure and unlawful over-redaction before release.
- Victim-centered consultation
  - Contact all known victims whose information appears in the files and:
    - explain that files are being released under the Act;
    - outline legal privacy protections;
    - invite them or their counsel to flag documents that risk exposing identity or sensitive information.
  - Calculate and track how many files, how much PII, and how many victims’ data points were exposed - exactly as any enterprise must do in a PII incident or breach.
- Error review and emergency triage
  - Identify:
    - any instance where victim names, emails, images, or other PII were left unredacted - and why (AI failure, manual error, lack of oversight, or all combined);
    - any instance where non-victim abuser or associate names were wrongly redacted to spare reputational harm (which the Act forbids).
  - Immediately pull defective documents from public access and quarantine them.
All of this should happen before the Attorney General steps in front of Congress.
b. What the Attorney General’s hearing answer should cover
The hearing should address: “What were the redaction standards, who applied them, and by what oversight?”
A proper answer must include:
- Who did the redactions and under what rules?
  - Which office had primary responsibility and which conducted secondary checks.
  - What written standards governed them: CVRA, AG guidelines, and the Epstein Act.
  - How “victim” was defined for redaction purposes.
- What criteria governed each redaction decision?

  Four categories must be clearly separated:
  - Category 1: Victims and child sexual abuse material
    - Names, faces, contact details, and explicit imagery must be redacted.
  - Category 2: Non-victim witnesses and third parties
    - Protect PII except where disclosure is legally required.
  - Category 3: Alleged perpetrators, co-conspirators, enablers
    - Under the Act, you may not redact merely to avoid embarrassment or reputational harm.
  - Category 4: Law enforcement methods
    - Limited redactions tied to concrete harms, not political comfort.
- How did you fail, and how many victims were affected?

  The AG should provide exact numbers:
  - total documents released;
  - number of defective redactions;
  - types of failures (names, emails, images, charts that indirectly identified victims, SSNs, credit card numbers);
  - number of documents with excessive redactions shielding enablers.

  DOJ admitted that “several thousand documents and media” had to be retracted for re-redaction because of errors, describing them as “occasional errors.”

  The numbers must reflect all exposures because PII breaches are serious.
- What legal duties were breached and how are you correcting them?

  Tie failures to:
  - CVRA rights to dignity and privacy;
  - AG guidelines;
  - the Act’s anti-embarrassment rule.
- Should the AG have met exposed victims?

  Under CVRA, victims have the right to fairness and respect. Where DOJ’s release harmed them, a reasonable interpretation is that the AG or senior designate should offer to meet each affected victim and collaborate on corrections.
3. What a proper corrective action plan should include (what we were supposed to hear from the AG):
a. Immediate (0–30 days)
- Assess the damage: exact numbers of wrongly redacted files and exposed PII.
- Remove problematic documents.
- Notify victims within 7–14 days.
- Offer support (credit monitoring, safety planning, legal assistance).
- Establish a dedicated legal-tech review team.
- Formalize a 24–36 hour “flag → remove → fix → repost” protocol.
b. Short-term (1–6 months)
- Commit to a full re-review of the corpus by a clear deadline.
- Publish version histories.
- Correct wrongly redacted abuser names.
- Implement double-review safeguards.
- Invite independent audit and publish findings.
c. Ongoing (6+ months)
- Permanent victim consultation channel.
- Updated internal protocols for high-volume sensitive releases.
- Periodic written reports to Congress.
4. What victims can reasonably ask for
They can demand:
- transparency about redaction standards and oversight;
- meetings with senior DOJ leadership;
- a written, time-bound action plan with reporting metrics.
What actually happened
DOJ released about 3.5 million pages under the Act, with systemic redaction failures exposing nearly 100 survivors across thousands of documents.
After victims’ lawyers went to court, DOJ:
- removed several thousand documents and media containing identifying information;
- implemented a “flag → remove → fix → repost within 24–36 hours” workflow;
- described errors as affecting about 0.001% of materials;
- reached a court deal to protect identities going forward.
However, most corrective steps were driven by victims and court pressure, not proactive DOJ action.
The AG did not:
- present a detailed, time-bound action plan;
- fully explain redaction logic, tools, and oversight;
- commit to a complete structural reform.
Using the “ideal” checklist:
- Process transparency: ~20%
- Victim-centered approach: ~1%
- Compliance clarity under the Act: ~0%
- Action plan transparency: ~30%
- Accountability and reform: ~1%
Overall: roughly 20% of an ideal outcome — largely achieved through pressure from victims and their lawyers.
In plain language:
Legally, victims forced technical corrections and emergency fixes into existence.
Politically, the hearing exposed failures in PII handling and legal procedures. The main point, which we MUST see behind the embarrassing AG behavior, is... that her intended goal was fully achieved: no progress was made in that hearing.