Security researcher Chris Vickery has a knack for finding unprotected databases, but this time it's an especially explosive discovery, as he came across a "terrorism blacklist" that contains the names of 2.2 million "heightened-risk individuals and organizations."

Vickery asked Reddit if he should share a copy of the Thomson Reuters World-Check database from mid-2014. He wrote, "This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities."

As Vice News previously pointed out about the "terrorism blacklist" (pdf), "it is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, pre-employment vetting agencies and nine of the top 10 global law firms. It provides 'an early warning system for hidden risk.'" A current version of the database lists 93,000 people suspected of having ties to terrorism.

While Vickery didn't reveal the precise details of how he found the unsecured database, or name the third-party organization that took zero precautions to protect it, he said he didn't obtain the database by hacking. (He usually uses Shodan to find exposed databases that people recklessly put online without any security to protect them.) He called it "more of a leak than anything, although not directly from Thomson Reuters."

Vickery laid out some of the pros and cons for releasing the database, which is reportedly compiled from public sources. Releasing it would give innocent people, as well as actual bad guys, a heads-up about being listed in it. Both the BBC and Vice have reported on how inaccurate the terrorism database can be.
For it to become public, Vickery suggested there could be harmful fallout for innocent individuals mistakenly listed.

Then there is the fact that Thomson Reuters most likely wouldn't like it if its high-dollar list became free public knowledge. Indeed, Thomson Reuters saw the post, contacted Vickery and then looked up the notification he submitted to the company about finding the leak. Thomson Reuters took exception to the "blacklist" characterization and claimed not just anyone can subscribe to World-Check; there is a vetting process for those who can afford to subscribe.

Vickery told The Register, "As far as I know, the original location of the leak is still exposed to the public internet. Thomson Reuters is working feverishly to get it secured."

It's unknown if Vickery will release the "terrorism blacklist" to the public. Many comments on r/privacy suggest handing it over to reputable news outlets to be vetted. As is often the case, however, certain reporters get to see all the leaked documents while reporting only on some of them.

Other people want to know if they have been wrongly labeled in a database that they can't see but law enforcement and other entities can. If it goes public, then it gives everyone the chance to see. Yet some others believe the risk to people's privacy is too great. As you can see from the example given in Thomson Reuters risk-screening documentation, a great deal of personal information is included in a named individual's profile.

Even if the database is 2 years old, if it is like government watchlists, then once you get put on it, it is nearly impossible to get off. So do you think he should share it with the public?

Whether he does or doesn't, Vickery wrote:

At the very least, this should jump-start a little online conversation regarding the appropriateness of having private entities maintain lists utilized by government agencies and banks.