I read this as GoDaddy releasing her email address only. In theory, isn't an email address only personally identifiable if the address owner has done some action linking it to a real world identity? I assume that's the argument GoDaddy would make.
However, it should have been made abundantly clear to someone reporting spam that their email address may be disclosed to the accused party.
That may be true if your email address is pm@example.com, but less so if it is philip.mclelland@example.com. For example.
And no, reporting abuse should not carry the expectation of having anything about the reporter disclosed to the abuser. That would severely discourage the reporting of abuse.
Except of course if you deal in any way whatsoever with GoDaddy you should always expect the worst possible outcome.
So hypothetically speaking you'd be OK with receiving a message from a hosting provider you did business with accusing you of spamming an unspecified person at an unspecified e-mail address and threatening to terminate your account, leaving you with no way of knowing what actually happened?
The opt-in argument is useless since there is no way to verify that the user subscribed in the first place, giving them the address or not. All you do is providing value to the spammer since they have now verified that the email is indeed real and read by a person. When reporting abuse you can already forge any email out of nothing, and you cannot prove that the email was forged unless they have a trace of the email being sent by their server (logs), and if they have that trace they can see easily see a pattern of mass distribution and start an investigation by contacting the other recipients on that list, or just wait for more reports to come in. Guess it's been a while since I worked at an ISP, but I have never heard of a spam abuse investigation strategy that involves forwarding the address to the suspected spammer.
If I am innocent, I will tell the ISP that fist.last@example.com opted in, and I will be telling the truth. If I am a spammer, I will say the same, and I will be lying. So what difference does it make?
If GoDaddy released the email address, then all the person had to do was go Google that email address and most likely they would have found it. Or, they could find it using DomainTools whois lookup (if they didn't use whois privay on ALL domains they own at all times), or use Gmail or Google Plus to find out who is associated with that email address.
Once the email address is given out, then it's just as if someone had all their personally identifiable details.
Yes, I agree, even if it is firstname dot name @ whatever, you still can just google that email address and even get more information or look it up online to get photos, address information, etc. etc.
However, it should have been made abundantly clear to someone reporting spam that their email address may be disclosed to the accused party.