By David Banisar
In the name of improving cyber security, corporations are pushing for
exemptions to the U.S. Freedom of Information Act (FOIA) that are
unnecessary and dangerous. These will result in crucial information being
suppressed without improving security.
There are two bills pending before the Congress -- HR 2435, the Cyber Security Information Act, introduced by Reps. Davis and Moran, and S. 1456, the Critical Infrastructure Information Act, introduced by Senators Bennett and Kyl.
The Senate bill defines "critical infrastructure" as almost every
imaginable system: "physical and cyber-based systems and services essential
to the national defense, government, or economy of the United States." It
then exempts from FOIA, and also prevents the government from using for
other purposes, broad categories of information including assessments; risk
audits and evaluations; and insurance and recovery plans submitted by
companies about critical infrastructure systems.
Industry claims that without these exemptions, it will not share
information, because of fears that it will become public. But these broad
exemptions are totally unnecessary. Trade secrets are already well protected.
Section 552(b)(4) states that records that are "trade secrets and
commercial or financial information obtained from a person and privileged or
confidential" are not subject to the FOIA. That is not exactly a high hurdle
to jump. The courts have interpreted this very expansively, and there are no
credible examples of confidential information of this nature being released.
"Corporations are trying to ensure that evidence of their ineptness is kept
out of the spotlight."
David Banisar is a research fellow at the Harvard
Information Infrastructure Project at the Kennedy School of Government at
Harvard University and Deputy-Director of Privacy International.
So why push so hard for FOIA exemptions?
The wide list of exemptions from use by government agencies is interesting.
What is supposed to be confidential? Why insurance and recovery plans? It
sounds like the corporations are trying to ensure that evidence of their
ineptness is kept out of the spotlight, not because of concerns about the
release of information causing more harm, but to cover their own butts. They
don't want the government using the info to smack them around when they
And saving themselves from public embarrassment by having something that
covers everything, not just confidential information, is a nice bonus.
One of the major problems with creating this gaping hole in FOIA is the
nature of some of the information likely to be suppressed in the name of
security. When the Congress enacted an exemption in 1996 to information
related to security and safety of airlines, the FAA used it as an excuse to
block the release of information on racial-based profiling and the legal
basis for requiring that all flyers show government I.D. before boarding a
BUSH'S SECRECY MANIA.
Imagine all the materials relating to cyber security that have been obtained
by groups such as EPIC over the last 10 years that the government would have
loved to have hidden: the Clipper Chip, Digital Signature Standard, the
Communications Assistance to Law Enforcement Act (CALEA), Carnivore, FIDNet,
and Echelon. FOIA was used to reveal how these systems worked, and allowed
for better informed public debate on them. Would we really be better off if
none of these documents had been released?
It's no surprise that Bush announced in October that he supports more FOIA
exemptions. It fits in well with the general campaign by the Administration
to gut access to information, especially post September 11. Thus far,
Attorney General Ashcroft has issued a directive on FOIA calling on agencies
to eliminate the old presumption in favor of releasing information; Bush has
turned the Presidential Records Act on its head to prevent Reagan
Administration files (such as his father's) from being released; and Bush
hid his own governor's records at his father's Presidential library to
prevent access. We can also expect the return of the Official Secrets Act
bill that Clinton vetoed.
Senator Bennett agreed in December to delay moving his bill forward,
following a protest led by environmentalists, doctors, librarians and others
who saw the bill as allowing companies to limit disclosure of information
about toxic releases and other health data. But the good Senator, who is a
champion of industry-sponsored bills that hurt the public, claimed that the
groups misunderstand his bill, telling the Salt Lake Tribune, "It sounds as
if they are talking about a different bill." Funny that he said essentially
the same thing about the remarkably anti-privacy "medical privacy bill" he
introduced a few years ago. Must be something in the water in Utah ...
James Madison, one of our founding fathers, once said, "Knowledge will
forever govern ignorance, and a people who mean to be their own governors,
must arm themselves with the power knowledge gives. A popular government
without popular information or the means of acquiring it, is but a prologue
to a farce or a tragedy or perhaps both."
These bills do nothing to improve security, and they harm the public's
ability to find out what is going on. Congress has better things to do than
to hold the hand of industry and give it another free pass on weak security.