I posted the following thoughts to Politech:

One can imagine that other then those who shouldn't be on these lists, no one is more annoyed about this activity then the FBI themselves. Clueless people who self-deputize generally do more harm then good to real security efforts. The fastest way to get them to stop is to have a recognized source of authority explain to them that they do not know what they are talking about.

The FBI ought to establish a web page which clearly explains the meaning of the list, explains that there are copies of the list circulating which are out of date or inaccurate, points the reader at up to date information about who the FBI is looking for, and explains that this information is subject to change and should not be considered permanently valid. Authoritative disclaimers have been useful in the past with respect to virus hoaxes. It might be useful here. And its a lot easier then having FBI agents deal with people who've been impacted by this on a case by case basis.

If the FBI wanted list was available in XML then people who wanted to cross-reference it with their databases could do so easily and be constantly up to date. Through such an effort they could easily turn a big mess into an effective tool for them.

Of course, this is the sort of thing that keeps privacy advocates up at night. There are all kinds of pit falls here, both legal (how can one prevent the misuse of the information) and technical (how can one prevent malicious modification of the information), but the implications ought to be considered anyway because one would think that the FBI will come up with something like this sooner or later. If the self-deputies kept up to date and accurate on who the FBI is looking for this would obviously be preferable to the situation we have now with this list. Its also greatly preferable to the "information awareness" effort on many levels.

Of course, I have no idea who needs to hear all of this.

-=-=-=-=-=-

I think I ought to make one more point...

Of course, this is the sort of thing that keeps privacy advocates up at night. There are all kinds of pit falls here...

I guess the question worth asking here is: What is my expectation of privacy with respect to a consumer database (like that of a car rental company) being shared with the FBI? Is this any different from said database being shared with a marketing company? Are there material differences between sharing the whole database, and telling the FBI that you found a particular record about an individual person they have expressed interest in? What is the difference between telling the FBI that you think you found a wanted person in your database, and telling the FBI that you think you saw a wanted person in your store (which is certainly legal)?

(I have my own ideas about how to answer these questions, but they are better addressed by a lawyer in a technical way in this context.)