The American Civil Liberties Union is under fire for making the very same privacy gaffe it has lambasted other groups and companies for: Revealing personal e-mail addresses to everyone on a mailing list.

The advocacy organization that crusades for the protection of privacy rights sent its online "Safe and Free Newsletter" out to about 860 people last week but mistakenly made every recipient’s e-mail address available to everyone else.

The ACLU sharply criticized pharmaceutical giant Eli Lilly for making a similar error two years ago. Last May, Eli Lilly agreed with the Federal Trade Commission to submit to audits and upgrade its privacy and security practices, among other orders, after sending out a mass e-mail with the  personal information of every subscriber to its Prozac information service.

"To the extent that [ACLU leaders] are pointing fingers at private companies, they really are throwing stones at glass houses," said Jim Harper, editor of Privacilla.org, a Web-based think tank devoted to privacy. "They took a holier-than-thou attitude and then turned around and did the same thing."

Complicating matters further, the ACLU just settled with the New York state attorney general’s office in January for another privacy violation involving contact information for people who bought products through their Web site. As part of the settlement, the ACLU agreed to pay $10,000, upgrade its Internet privacy and security systems and submit to audits.

New York Attorney General Eliot Spitzer is investigating the current situation. At issue is whether the ACLU was in violation of its own privacy policy, which promises that e-mail addresses and other contact information will be kept confidential.

"We’re quite concerned in light of the recent enforcement action," said Paul Larrabee, a spokesman for Spitzer’s office. "We have reached out to the ACLU and are trying to assess what was the cause of this and why it was allowed to happen."

The ACLU did not return calls seeking comment. But spokeswoman Emily Whitfield e-mailed an apology to the technology Web site politechbot.com.

"We are truly sorry that the recipients of our debut Safe and Free Newsletter
received a communication that revealed the e-mails of other recipients," Whitfield wrote.  

Shane Ham, senior policy analyst at a technology think tank called the Progressive Policy Institute, said the organization tried to undo what it had done shortly after the first e-mail was sent out — but wound up revealing all the recipients’ addresses a second time.

"That’s two big privacy violations in 25 minutes," he said. "They compounded the error."

He thinks the ACLU dug an even deeper hole when it tried to explain what happened. The advocacy group said it had solicited the e-mail addresses on its own, rather than taking them out of the existing database. If true, the assertion would mean that their privacy policy doesn't apply.

"We created the database from scratch, and we got the e-mails by calling around to these organizations and asking for them, as anyone could do," Whitfield wrote on politechbot.com.

But Ham, who was on the list and didn't get a call asking for his e-mail address, doesn't buy the explanation.

"I believe it’s not true," said Ham. "This is going to be one of those situations where the cover-up is far worse than the crime."

For now, the attorney general’s office is reserving judgment on what happened.

"At this point, we have not reached any conclusions," said Larrabee. "We’re attempting to determine the facts."

Harper believes last week's incident is evidence that the ACLU should stick to what it does best — tackling civil rights violations at the hands of the government — rather than trying to regulate private businesses.

"Their real strength has been and always will be fighting privacy invasions by government," he said. "This episode shows they’re out of their league when dealing with commercial privacy issues."