By David Banisar
In the name of improving cyber security, corporations are pushing for exemptions to the U.S. Freedom of Information Act (FOIA) that are unnecessary and dangerous. These will result in crucial information being suppressed without improving security.
There are two bills pending before the Congress -- HR 2435, the Cyber Security Information Act, introduced by Reps. Davis and Moran, and S. 1456, the Critical Infrastructure Information Act, introduced by Senators Bennett and Kyl.
The Senate bill defines "critical infrastructure" as almost every imaginable system: "physical and cyber-based systems and services essential to the national defense, government, or economy of the United States." It then exempts from FOIA, and also prevents the government from using for other purposes, broad categories of information including assessments; risk audits and evaluations; and insurance and recovery plans submitted by companies about critical infrastructure systems.
Industry claims that without these exemptions, it will not share information, because of fears that it will become public. But these broad exemptions are totally unnecessary. Trade secrets are already well protected under FOIA.
Section 552 (b)(4) states that records that are "trade secrets and commercial or financial information obtained from a person and privileged or confidential" are not subject to the FOIA. That is not exactly a high hurdle to jump. The courts have interpreted this very expansively, and there are no credible examples of confidential information of this nature being released. So why push so hard for FOIA exemptions?
The wide list of exemptions from use by government agencies is interesting. What is supposed to be confidential? Why insurance and recovery plans? It sounds like the corporations are trying to ensure that evidence of their ineptness is kept out of the spotlight, not because of concerns about the release of information causing more harm, but to cover their own butts. They don't want the government using the info to smack them around when they screw up.
And saving themselves from public embarrassment by having something that covers everything, not just confidential information, is a nice bonus.
One of the major problems with creating this gaping hole in FOIA is the nature of some of the information likely to be suppressed in the name of security. When the Congress enacted an exemption in 1996 for information related to security and safety of airlines, the FAA used it as an excuse to block the release of information on racial-based profiling and the legal basis for requiring that all flyers show government I.D. before boarding a plane.
BUSH'S SECRECY MANIA
Imagine all the materials relating to cyber security that have been obtained by groups such as EPIC over the last 10 years that the government would have loved to have hidden: the Clipper Chip, Digital Signature Standard, the Communications Assistance to Law Enforcement Act (CALEA), Carnivore, FIDNet, and Echelon. FOIA was used to reveal how these systems worked, and allowed for better informed public debate on them. Would we really be better off if none of these documents had been released?
It's no surprise that Bush announced in October that he supports more FOIA exemptions. It fits in well with the general campaign by the Administration to gut access to information, especially post September 11. Thus far, Attorney General Ashcroft has issued a directive on FOIA calling on agencies to eliminate the old presumption in favor of releasing information; Bush has turned the Presidential Records Act on its head to prevent Reagan Administration files (such as his father's) from being released; and Bush hid his own governor's records at his father's Presidential library to prevent access. We can also expect the return of the Official Secrets Act bill that Clinton vetoed.
Senator Bennett agreed in December to delay moving his bill forward, following a protest led by environmentalists, doctors, librarians and others who saw the bill as allowing companies to limit disclosure of information about toxic releases and other health data. But the good Senator, who is a champion of industry-sponsored bills that hurt the public, claimed that the groups misunderstand his bill, telling the Salt Lake Tribune, "It sounds as if they are talking about a different bill." Funny that he said essentially the same thing about the remarkably anti-privacy "medical privacy bill" he introduced a few years ago. Must be something in the water in Utah ...
James Madison, one of our founding fathers, once said, "Knowledge will forever govern ignorance, and a people who mean to be their own governors, must arm themselves with the power knowledge gives. A popular government without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy or perhaps both."
These bills do nothing to improve security, and they harm the public's ability to find out what is going on. Congress has better things to do than to hold the hand of industry and give it another free pass on weak security.
David Banisar is a research fellow at the Harvard Information Infrastructure Project at the Kennedy School of Government at Harvard University and Deputy-Director of Privacy International.