The Institute for Composer Diversity (Probably) Still Has Your Data—And They’ve Kept It Unsecured Since 2020.
[Before we start: hi, everyone! I’ve been asked to do this on and off for a few years, but today, I’m releasing a video essay on my YouTube channel to accompany this written reporting on data vulnerabilities at the Institute for Composer Diversity. The video will be a little more casual in tone and will also provide background context for anyone who wasn’t around for the events of 2020 and 2021—but I’m putting timecodes in the description, so you can skip around as much as you’d like! I will not be doing this on a regular basis (filming and editing on this scale is a ton of work!), but if folks like having the other format, I’ll bring it back for other big things. Click on the button below to watch the video, or read on for the print version!]
On March 24, 2023, I found my deadname on an unsecured spreadsheet run by the Institute for Composer Diversity, freely available through Google Drive to anyone who had the link. And if you’re a marginalized composer, I might have found your name, too.
The spreadsheet in question was sent to several thousand composers in September 2020, when ICD switched from shameless web-scraping to an opt-in model for (living) listed composers. If you were one of the over 4,000 people whose identity data and professional websites ICD had brazenly aggregated and listed before the reorganization and subsequently disastrous internal review, you probably also got that link in their opt-in email. (Assuming it survived your spam filter, that is.) In their message, ICD asked us all to “confirm” our consent to be listed. In my reply, I told them I wanted no part in it, saying, “My own entry is wildly out-of-date, but rather than correcting it, I’d like to be removed from your listings and databases in full.”
And yet, two and a half years later, there I was, listed by deadname in row 980. All the information ICD had asked me to confirm was right there—along with 4,386 other entries. Remembering back to others in my circles who opted out at that time, I can safely assume that list contained a bunch of people I know… but it also included thousands upon thousands of strangers, all in a downloadable spreadsheet with “X”s to mark their marginalized identities.
As I stared down at my screen that afternoon, the thought was clear as day: This is a harassment list waiting to happen. So I straightened my spine, fired up my web browser, and started figuring out how to report the breach.
DISCLAIMER: to protect the shreds of privacy ICD didn’t already destroy, I’ll be using my own entry and only my own entry where examples or clarifications are needed or warranted. Also, I am not a lawyer, and this is not legal advice—find a qualified attorney in your jurisdiction for that.
A Data Leak By Any Other Name…
Now, to address a question I’m sure some of you already have: why not just release all the names? There’s a pretty short, two-part answer to that. First, informing affected parties is ICD and SUNY Fredonia’s responsibility. Second, I did not (and still do not) have the time, energy, and money to first get qualified legal advice as to the risks of dumping the data and then potentially retain an attorney just in case. So I apologize to the other almost 4,400 of you out there that I couldn’t get in touch myself. I did, however, make it clear to Fredonia’s Information Security Office from the day I reported the vulnerability that I would be writing about it.
And that’s the (small) upside to using responsible disclosure in this situation: even though I’m unable to do ICD’s accountability work for them, I can make sure it becomes part of our public conversation, because I enabled Fredonia’s infosec office to secure the data first. That in itself is important, because … y’all, it was a LOT.
What was Exposed?
The spreadsheet of composer identities contained full names, races, genders, LGBTQ+ status, geographic locations (city/state/country), professional websites, and genre information for composers who as of September 16, 2020 had already been listed on ICD’s Composer Diversity Database or were otherwise part of their dataset. Note that date: I received my confirmation request on September 17, 2020. I opted out a few days later, then published my reply a few days after that. On September 26, I went about as viral as one can go on Band Director Facebook as a result.
But ICD never deleted my data despite my request to be totally removed. They took it off their public database, sure. But as I speculated may be the case when analyzing the Internal Review and again in Fall 2021, my entry was still in their system in March 2023, unsecured and—get this—wrong.
A quick thought about questionable data
I can’t tell you with any certainty who added my name to ICD’s database, but by September 2020, a large part of my entry was wrong (or “woefully out of date,” as I’d said at the time). Coming out meant my gender and orientation information were no longer accurate, and that’s what I focused on when I sent my opt-out in 2020. Of course, my name has also changed since then, and when I accessed the workbook in March, ICD had kept my deadname associated with my entry with no mention of my current name, which is obviously what I’d use if I needed to opt out today. Virtually all data goes stale with time, but when you’re storing data about marginalized creatives in particular, leaving old versions out in the open can be dangerous in ways that are great for stalkers, harassers and other malevolent opportunists, and not so great for the rest of us. (Ever seen someone distraught that one of the big harassment forums found their deadname and is doxxing them? I have.)
But given that even without my late-2021 name change, my entry was already way out of whack by Fall 2020, it’s impossible to say with any confidence that there aren’t more inaccuracies on that list. Don’t you know someone whose name, gender, or other important aspect of their public identity/professional life has changed in the last two and a half years? Yet ICD’s hung onto (and, if unwittingly, publicly displayed) this questionable dataset, including information for many composers who likely never consented, for all this time.
That raises the question: how many of these composers’ entries, accurate or not, shouldn’t be here anymore?
[Before I go any further, I should be clear: as far as I could find, ICD doesn’t have any policies about data deletion or storage and security, which is notable, because an organization whose visitors include Californians probably should. So they could come back from all of this saying, “well, we never said we’d delete their data,” and that would probably be factually true, but only attorneys and judges can determine whether or not that fact is compliant with CalOPPA and CCPA in California—or GDPR in Europe.]
Defining the Land of the Living
[Note: in this section, I am rounding all values taken from the 2020 spreadsheet. As I have no idea if the spreadsheet contained errors, duplicates, or other fun technological artifacts that may have skewed the exact numbers, this is in my eyes the best way for us to get a general picture since I couldn’t go through the data with a fine-tooth comb to see what was actually going on in there.]
Without personally sorting through every name on the composer list and checking it against the current database (which again, I’d need legally binding permission in writing to even consider), the best I could do at the time was estimate the scope. However, because ICD’s current Composer Diversity Database is also instantly downloadable in full—a fact ICD advertises to educators and performers but not generally to the marginalized composers they list—I was able to do a rough comparison. After filtering out dead composers on both sheets, I subtracted the number of living listed composers as of late March 2023 from the living listed as of September 2020. This number assumes zero new living composers have joined ICD’s dataset since 2020, and even with that very conservative estimate, there are at least 2,067 entries for living composers that no longer appear on ICD’s database. (In comparison, only 1,533 are listed as living as of early May 2023. They lost well over half their living composers in 2020.)
2,067 entries. A truly staggering number of people. And because I’d happened to note some quick numbers when writing about ICD in early 2021, I was able to take that Spring 2021 value, assume the same number of dead composers as in 2020, and home in on an upper estimate as well. If ICD had finished re-inputting consenting composers by late March 2021 (and we don’t actually know when that was completed), then the estimate rises significantly: to almost 2,500 entries.
ICD’s own public numbers bear this estimate out pretty well. According to their 2021 Annual Report (the only “annual” report they’ve ever released), as of January 2022 the Composer Diversity Database included 1,438 living composers. If we subtract that from our approximation of 3,600 living composers in the pre-consent era, we can estimate approximately 2,162 living marginalized composers who were exposed on the 2020 spreadsheet despite ICD not having active consent to have and use their information. Although this number leans slightly in favor of the low end of our estimated range, it is comfortably within it, and it’s probably as close as we can come without year-over-year data being available.
So I started assembling my report and digging up contact information for Fredonia’s infosec team, and then I realized I should go back through my old emails and make sure there wasn’t anything else lying around from the five minutes I’d offered to help out with the still-unpublished-in-2023 Chamber Works Database way back in 2019. And you know how sometimes the universe just laughs at you?
Yeah. I found another spreadsheet.
A Second Workbook
In reviewing all the other emails I’ve ever gotten related to ICD, I discovered I also still had access to a spreadsheet from 2019, when I’d been added to a list of (at-least-temporarily-)interested volunteers to help input works for what would eventually become the Chamber Works Database. “Eventually” hasn’t yet arrived, as the database is not yet public, but the spreadsheet in which they stored at least part of its dataset was still accessible almost four years later!
While this one was mostly information for individual pieces (and likely only for currently-listed composers’ work, as my own music had been taken off), it DID also list a handful of email addresses, some of which did not match the names of the composers listed in the applicable entries. It was unclear to me if these emails belonged to those who had submitted a particular work, those who had perhaps cleaned up the formatting, or some other role entirely, but they deserve to not have their data unknowingly exposed, either—so I added it to my report.
Then I assembled prospective timelines, crossed my fingers, and sent it in.
Interfacing with SUNY Fredonia
Formally, ICD is a child organization of SUNY Fredonia—it’s housed within the School of Music, which uses it and its internships on their website as a recruiting tool for undergrads. ICD also does not list a data security officer or other point of contact for security concerns anywhere on its website. To make sure the information was disclosed safely, I looked up the contact information for SUNY Fredonia’s Information Security Office, got ahold of them, and disclosed the vulnerability.
I need to give credit where it’s due: Ben in the infosec office was able to secure both spreadsheets soon after I contacted him, and I’m grateful for his diligence and efficiency in those first few days. The top priority was always to stop the continuing exposure, and that was handled within days (possibly faster—I don’t have a more specific timeframe I can offer).
Around that same time, I started looking into points of contact for Fredonia’s IRB office so I could learn about two big things: first, what data security standards ICD is supposed to meet, and second, what consent protocols they were supposed to be following. Many of the questions I had for Fredonia are relatively straightforward, particularly if ICD has annual Human Subjects Review Board approvals as is outlined on Fredonia’s website. Some of these questions included:
- Does ICD use an informed consent or blanket consent model? (Or neither?)
- In mid-June 2020, ICD Founder and Director Rob Deemer said ICD had welcomed 88,000 site visitors since January 2019 and over 23,000 since June 1, 2020. This is way more attention than most non-celebrities’ identities receive. How is the associated risk to listed composers—of harassment or potential legal consequences in states with “Don’t Say Gay”-style censorship laws—communicated to composers who sign up in 2023?
- Today, does ICD explicitly inform the composers in their dataset that all of their listed information can be easily downloaded by site visitors before even seeing their entry?
- Why is full identity data for non-consenting and no-longer-consenting composers still being held, particularly composers who never affirmatively consented to being listed at all?
- Is there a process in place by which composers who want to be removed from ICD’s dataset entirely—including old spreadsheets—can have that removal completed in full? If so, where is that information available on ICD’s website? If not, why not?
- What responsibilities does ICD have for composers covered under GDPR, CCPA, and/or CalOPPA?
Unfortunately, the trail ran out not too far into this avenue of investigation. I was passed around several folks at Fredonia’s Human Subjects office, but none were willing to answer even basic questions about ICD’s consent framework or data and privacy policies. I also stopped getting updates from Information Security—they informed me their investigation was complete and closed the ticket for the data breach, even though to my knowledge they had never sent out a single email to those affected. (I certainly never got one; ex-ICD listees, did any of you?)
We Still Have Questions. Composers Deserve Answers.
As with most data leaks, it’s highly likely we’ll never know for sure who at ICD played what roles in what is at best an utter failure to monitor and maintain security settings within its own infrastructure. However, as with most data leaks, affected parties should be informed—especially when unconfirmed and potentially erroneous data is in the mix, and especially when a leaked document is a massive list of marginalized people and their websites. Once again, ICD is shirking its responsibility for the thousands of composers who do not consent to being part of their dataset—and, frankly, also to the composers who are still listed and deserve to know their information was exposed.
ICD isn’t a nonprofit, but it benefits from grant funding thanks to its fiscal sponsor, the Fredonia College Foundation. We can’t appeal to a board of directors for accountability, but neither (it seems) can we access critical information about its IRB regulatory status or lack thereof from the governing body which determines that status. And if it’s not IRB-regulated, we have no avenue to understand why, even though ICD does not stipulate composers must share already-public information and does position itself as maintaining its dataset as a jumping-off point for other research. It is an “institute” devoid of accountability mechanisms or public oversight that’s received over $125,000 in publicly trackable funding since 2019, yet it pays its research fellows $10 an hour and hasn’t even upgraded its data protection beyond unsecured Google Sheets.
How are composers supposed to be better off when ICD keeps data it does not have permission to hold and doesn’t even bother to secure it? How does ICD continue billing itself as a leader in DEI efforts when it cares so little for the composers whose data is the only reason it’s relevant? When will ICD release public policies about how they use our data and how they (should) keep it safe so composers can at least try to make an informed decision about existing in their dataset? When will ICD start taking our yearslong concerns regarding its data security seriously enough to transparently act on them? When will the Institute—and now SUNY Fredonia and the Fredonia College Foundation—stop sweeping major issues under the rug in the hope that the band and choir directors ICD courts won’t notice?
What does accountability mean to an organization that cannot be formally challenged by the people it objectifies?
[Fun fact: in its plea for donations through the Fredonia College Foundation’s website, ICD has long claimed part of its goals for fundraising included investing in better data storage. They’re perfectly aware they should be prioritizing this. They just don’t.]
What You Can Do:
Before publishing this essay and my accompanying video essay, which you can find on my YouTube channel, I asked ICD and SUNY Fredonia for comment about the exposed spreadsheets, ICD’s data security practices, and a number of specific questions I thought they may want to speak specifically to (some of which you saw earlier). All the information I’ve gotten from the sum total of those folks I’ve spoken to has been included here. You now have as much as I have, and let’s be real: it’s not much.
Still, this can’t go unanswered. ICD has over 3,500 emails to send out informing affected parties that the Institute has continued irresponsibly handling their data. It has shown no inclination toward actually doing that. That means, once again, that it’s up to us to seek out those answers for ourselves. As a (somewhat) easily accessible location, I’m happy to store any new information that comes in from reputable sources, but as we all do our own digging to get a bigger picture, here are some things I recommend. In any of these cases, if you learn anything that may benefit everyone affected, please let me know (if you’re comfortable doing so), and with your permission, I’ll share your findings here with appropriate attribution!
If you used to be listed on ICD (or may have been) and want to find out if your data was exposed:
Because we don’t have a listed security contact for ICD, it’s probably best to go to the person with the most permissions: Rob Deemer, Founder and Director of ICD. The Institute lists his email address on their website as firstname.lastname@example.org. If you’d like to inquire within Fredonia, you might want to try the Information Security office, though sending them emails at their listed address just puts you into their ticket system—and they may not acknowledge you at all. Their phone number is available on their webpage. For information about your rights as someone whose data ICD has (or may have) used, the Human Subjects Research Committee should be the folks with answers (email@example.com), but I’ve had trouble getting through to someone there. If you are attached to an institution, you may be better served by asking your own IRB or equivalent governing body.
I’d also recommend checking any email you’ve used professionally in the past several years for a message sent in September 2020 with the subject line “Institute for Composer Diversity Listing”. If you have that email, you have the link that worked until late March 2023—and theoretically, you were on the list. You should also look for a second email in or around November 2020 with the subject line “Institute for Composer Diversity UPDATED Composer Profile [RESPONSE REQUESTED]”. This email would’ve contained only your personal entry details, but it was also issued while the database was down, so if you got either or both of these emails it’s pretty likely your name and (some version of your) personal information were on the exposed spreadsheet. Also keep an eye out in the coming days for anything from emails ending in “@composerdiversity.com” and “@fredonia.edu”—if we do finally get a notification, it’ll probably come from one of those two domains.
If you have a personal website that tracks what sites refer people to you and you still retain that data from December 2020 and earlier, check for any hits from composerdiversity.com. Any referrals from this period would indicate you were at some point listed in their dataset.
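For anyone who keeps raw web-server access logs rather than an analytics dashboard, here is one way to run the referrer check described above. This is an added example, not code from the original post: it parses the standard Apache/nginx “combined” log format, compares the referrer’s host against composerdiversity.com and its subdomains (an exact host match, so lookalike domains are not counted), and keeps only hits on or before a cutoff date that defaults to the end of December 2020. The sample log lines are constructed for illustration.

```python
"""Scan an NCSA combined-format access log for referrals from
composerdiversity.com, to check whether your site was linked from ICD's
listings during a given period. Added example; sample lines are constructed."""
import re
from datetime import datetime, date
from urllib.parse import urlsplit

# One line of the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The referring domain named in the post.
ICD_DOMAIN = "composerdiversity.com"


def is_icd_host(referer: str) -> bool:
    """True if the referer URL's host is composerdiversity.com or a subdomain.
    A plain substring test would also accept lookalikes such as
    composerdiversity.com.evil.example, so the host is compared exactly."""
    host = urlsplit(referer).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == ICD_DOMAIN or host.endswith("." + ICD_DOMAIN)


def parse_line(line: str):
    """Parse one combined-format line; return None if it is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return {"when": when, "path": path, "referer": m.group("referer")}


def find_icd_referrals(lines, cutoff: date = date(2020, 12, 31)):
    """Return (hits, skipped). `hits` are parsed entries referred from ICD on or
    before `cutoff` (the post suggests December 2020 and earlier); `skipped`
    counts lines that could not be parsed, so a noisy log is not silently ignored."""
    hits, skipped = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        if entry["when"].date() <= cutoff and is_icd_host(entry["referer"]):
            hits.append(entry)
    return hits, skipped


# Constructed sample log: IPs, paths and timestamps are made up for the example.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /works HTTP/1.1" 200 2326 '
    '"https://www.composerdiversity.com/composer-diversity-database" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Nov/2020:08:12:01 -0500] "GET / HTTP/1.1" 200 512 '
    '"https://composerdiversity.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Sep/2020:10:00:00 +0000] "GET /bio HTTP/1.1" 200 900 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2020:10:00:00 +0000] "GET /bio HTTP/1.1" 200 900 '
    '"-" "Mozilla/5.0"',
    '192.0.2.44 - - [04/Jul/2020:22:41:09 +0000] "GET /works HTTP/1.1" 200 2326 '
    '"https://composerdiversity.com.evil.example/" "Mozilla/5.0"',   # lookalike
    '198.51.100.7 - - [20/Mar/2021:08:12:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"https://www.composerdiversity.com/" "Mozilla/5.0"',            # after cutoff
    "this line is not in combined format",
]

if __name__ == "__main__":
    hits, skipped = find_icd_referrals(SAMPLE_LOG)
    for h in hits:
        print(h["when"].date(), h["path"], "<-", h["referer"])
    print(f"{len(hits)} ICD referral(s) on or before cutoff; {skipped} unparsable line(s)")
```

To run it against a real log, pass an open file object instead of `SAMPLE_LOG`; widen `cutoff` if you want to see whether the referrals continued after 2020.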
If you want ICD to protect and appropriately care for its composers’ data, whether you’ve ever been listed or not:
Everything on this list is a great step for literally anyone to take, whether you’re a composer or not. Because so much of ICD’s target audience is ensemble directors and performers, folks in those specific roles may be particularly impactful as you lend your support. But no matter if you’re a musician or just an onlooker who thinks holding ICD accountable is important, your voice is a valuable tool in this matter!
One of the most effective ways to get through to ICD is, of course, by contacting them directly. Email Rob Deemer at firstname.lastname@example.org and members of ICD’s database and analysis teams at email@example.com and firstname.lastname@example.org to share your concerns. If email’s not really your thing, try DMing their Facebook or Instagram.
ICD has long had an Executive Advisory Council that it doesn’t seem to actually use very much. The membership of this council is listed on the Institute’s website. Know someone on there? Drop them a line and let them know ICD has been carelessly handling data they may not have ever had permission to aggregate and use. Ask them what they can do in their role (or if it’s someone you know well and you’re comfortable doing so, consider asking them if they want to continue associating their name with an institution that takes this approach to storing personal data).
To express your concerns about ICD to the institution who’s supposed to be overseeing them (at least nominally), tell SUNY Fredonia’s School of Music you expect their institution to safely and securely store and dispose of composer data. You can reach Dr. David Stringham (Dean of the School of Music) at David.Stringham@fredonia.edu. (As far as I can tell, Dr. Stringham is the incoming Dean. Be cognizant of that when sending your email.) You might also call Jennifer Darrell-Sterbak (School of Music Community Relations Associate) at the phone number listed on Fredonia’s staff profile, email Dr. Sarah Hamilton (Interim Associate Director) at Sarah.Hamilton@fredonia.edu, and reach Jeffrey Woodard (SUNY Fredonia’s Campus Media Contact) by email at Jeffrey.Woodard@fredonia.edu. Keep in mind that ICD is used as a marketing tool on the composition department’s undergrad information page; ask them if these practices are reflective of how they want their students conducting themselves in the professional world.
To help marginalized composers who may not know their data was exposed:
Check in with your friends. Marginalized composers, some of y’all are going to hear about this from a billion people as a result of this paragraph, and I apologize—but it’s the only way I know to get the word out when ICD seems so loath to do it themselves. Folks, I’m not going to just blithely ask you to share my writing or video with your networks. I’m not doing this for clicks; use whatever method(s) of communication you deem best for the people around you. I’m happy to be a centralized source of information to the extent that we have any, but it’s more important to me that marginalized creators who may have been on the workbook can grapple with that possibility on their own terms. Whether the right path for you and yours is DMing, emailing, forum posting, timeline-wide announcements, Discord chats, snail mail, ASL or other sign languages, Braille, Morse code, or any number of other communication media, please do check in with your colleagues and empower them to follow up with ICD and/or Fredonia if they believe they may have been affected.
If you are (or were) listed and live in California or the EU:
I am—yet again!—not a lawyer, so I can’t tell you what to do about your legal position, but you should look into your rights under CCPA and CalOPPA (in California) and GDPR (in the EU). Even if they’re not useful here, it’s always good to know what you’re entitled to! And if you’re so inclined, consider asking ICD how they’re maintaining compliance with those statutes to the extent that they may be required to. (Remember, even though ICD may look too small to be bound by these, they’re part of SUNY Fredonia, and it’s much bigger. Never hurts to ask!)
The Institute for Composer Diversity continues to use its dataset of marginalized composers to build its clout while neglecting the fundamental need to treat those creators with the dignity and respect they deserve. They allowed a list of thousands of our names, identities, and professional websites to circulate separately from their published database for two and a half years, and when discovered, they didn’t even have the decency to inform us. Especially in 2023, as legislatures across the United States and around the world are working hard to limit the rights of marginalized people (especially Black, Indigenous, and queer people) to celebrate their identities, remain connected to their cultures, live full lives, and exist in public, historically underrepresented composers deserve to know when our information is spread from a source that may put us at increased risk. That includes public databases (like ICD’s) and data leaks (like ICD’s)—because all of us, including composers who opt into listings like those the Institute offers on its website, should know when our risk exposure may be increasing. That’s the whole point of notifying users of security vulnerabilities!
ICD has raked in massive amounts of funding that it could have used long before this to protect, secure, update, and delete data as appropriate. Its 2021 Annual Report lists its total income from 2019-2021 at $135,670.80 against just $33,520.06 of administrative expenses during that same three-year period. At the beginning of 2022, the Institute was sitting on somewhere around $102,000—between five and fifteen years of funding based on their prior expenses—yet they clearly haven’t invested in robust data security infrastructure, software and personnel that would enable them to offer data deletion to all composers, OR actual living wages for their research fellows. (The staff don’t get paid well either, but that’s a separate conversation.) That $100,000 grant alone should have opened up massive pathways for ICD to strengthen its backend; even if every cent of it was allocated to specific projects, the Institute should have taken that opportunity to devote its other, theoretically-unallocated funds toward making sure they’re not screwing over composers who never agreed to store their data in its Google Drive, among other things. So many of us are acutely aware of our risk profiles both online and in the corporeal world, and to see an “institute” that bills itself as a leader in diversity and inclusion treat us all so callously is appalling beyond what I can articulate in words.
And just so we’re clear, ICD has spent the last two years promising transparency that never materialized, establishing specific steps it should take to improve and then abandoning almost all of them, and scrubbing its website of those commitments the moment it thought no one was looking (or, possibly, after the departures of various staff who were the driving forces behind those efforts). The Institute deletes stuff all the time. But it has apparently decided that, even if composers demand privately and publicly to be fully removed from its dataset, it not only doesn’t have to honor that request but also can put that data out in the open for years on end. Our data is what makes ICD valuable; we and our security should be its first priority every day of the week. We should not have to find our deadnames—or any other personal information we don’t want ICD possessing and sharing—on a spreadsheet that another 3,600 people theoretically have the link to. We should not have to suffer the indignity of an organization claiming to help us directly going against our wishes time after time, particularly in an era when so many of us are looking carefully at what we share publicly online.
To my beloved composer and music-creator colleagues in all forms: I hope, as you digest this news, that you’re able to take any actions that will allow you agency over your own data, no matter what that looks like. Though I will not be able to tell you if your name was on either of the workbooks I identified, if anything I’ve said here needs clarification, I’m happy to chat and answer what I can. Though I am not personally optimistic, I fervently hope ICD and/or SUNY Fredonia steps in soon to begin to right this wrong by disclosing to each and every individual named on those spreadsheets exactly what information of theirs was shared. And while I do not believe ICD would voluntarily do this of their own accord, I do believe in our collective power to demand accountability and enact change. We’ve done it before. We can do it again.
Let’s see if ICD chooses to do right by us all.
My Works Cited will be shared in a subsequent post. Internal links are all still good at the time of posting, but in the event anything gets deleted, I have Wayback Machine archives for most items. Thanks, y’all!
Thanks for reading! If you learned something from this post and would like to tip me, head on over to my Ko-fi page. For more analysis and commentary like this in your life, check back again soon, and consider subscribing to my mailing list (at the bottom of the page or in the sidebar) for quarterly update emails on my biggest projects. To support the long-term work I do as an artist and advocate, you can find me on Patreon and @honestlyeris on Instagram.