Security Through Secrecy

Dec 19, 2003 12:00 PM, Beth Wade

Are we safer because we are secret? In a growing number of states, legislators are answering “Yes.”
Since Sept. 11, 2001, 39 states have expanded or amended open meetings and public records laws, limiting public access to security-related information. It is an exercise that pits public safety against the public right to know, and it challenges lawmakers to weigh intent against consequence.

Protecting Vital Information
States have long had exemptions to public records laws, and security-related exemptions were common in state codes before 2001. For example, many states have long-standing laws that protect information about computer networks – including hardware, software, passwords and firewalls – to prevent hacking.
Yet the number of exemptions has skyrocketed since 2001. In an ongoing report that tracks open records legislation, the Arlington, Va.-based Reporters Committee for Freedom of the Press (RCFP) maintains that “legislators have continued to introduce bills narrowing open records and meetings laws in the hopes that secrecy would lead to security, even though no one has shown that open government in any way exacerbated the events of Sept. 11.”
None of the states passing security-related exemptions are doing so in response to suspicious requests for sensitive data, says Charles Davis, executive director for the Freedom of Information Center at the University of Missouri’s School of Journalism. “What really fuels this kind of exemption is trying to think about bad scenarios happening,” he notes.
Preemption was the motivation behind Florida’s new exemptions, which protect information shared between law enforcement agencies, hospitals’ plans for terrorism response, facility blueprints and locations of pharmaceutical caches. “There was a definite concern in the aftermath of the [Sept. 11 terrorist] attacks that our laws be designed to ensure that information vital to an anti-terrorism effort could be protected,” says Pat Gleason, general counsel for the Florida Attorney General’s Office.
In other states, the most common of recent exemptions address public disclosure of vulnerability assessments; blueprints or engineering/architectural drawings of critical infrastructure; and emergency response plans. Many states, including Florida, also have passed laws allowing closed meetings for security-related issues. Open meetings exemptions are among the most controversial of the new Freedom of Information legislation. States are not only limiting public access to security-related meetings, but several have prohibited and even criminalized disclosure of information discussed in closed meetings.

Avoiding a Black Hole
While there has been no wholesale opposition to the new exemptions, advocates of open government are criticizing some states for passing legislation that is broad in scope. “Every time a government exempts information, there’s opposition, but I don’t think there’s across-the-board opposition [to these new laws],” Davis says. “There’s nobody out there saying, ‘I don’t think governments should do anything to protect information about critical infrastructure.’ I’m opposed to going about it in a sloppy, everything-in-the-black-hole fashion.” Ohio came under fire last year for legislation that, according to RCFP, “exempts from the definition of a public record all records that relate to security or infrastructure. Ohio may never reveal what its plans are to protect its citizens because a law prevents officials from disclosing any information shared in a meeting dealing with security issues.”
New Jersey was criticized, too, when Governor James McGreevey issued an executive order exempting more than 480 types of public records for purposes of protecting privacy and public safety. According to RCFP, the governor later amended the order “to limit closures to about 80 categories.” (The New Jersey Attorney General’s Office did not respond to Government Security's requests for an interview.)
“With public records exemptions, the question is always one of precision,” Davis says. “How much legislative exactitude is there in the language? Do we start with the proposition that everything’s open and move from there? Or do we start with the proposition that everything’s closed, and we’ll give you what you need to know?”
Precision was at issue in Maryland, when, last year, legislators proposed a law that gave the custodian of a record the power to refuse disclosure if he thought disclosure would endanger public security. “It didn’t set up categories of records or categories of danger to the public interest,” explains Robert McDonald, chief of opinions and advice for the Maryland Attorney General’s Office. “There were concerns expressed by the press and other people [that the proposal was too broad], and they got together with the Governor’s Office and the legislators and worked out a compromise.”
The resulting legislation still leaves disclosure to the discretion of the record holder, but it sets forth guidelines for decision-making. In short, the custodian can deny inspection of records relating to emergency response procedures; infrastructure blueprints and building schematics; and medical capabilities and locations of pharmaceutical caches. Furthermore, inspection can be denied only if the inspection would “jeopardize the security of any structure owned or operated by the state or any of its political subdivisions; facilitate the planning of a terrorist attack; or endanger the life or physical safety of the individual.” (Maryland Code, §10-618j)

Proving the Case
Meeting this year, in their first regular session since 2001, Texas lawmakers were mindful of the lessons learned in other states regarding open records exemptions. “A lot of states had passed [new legislation], and Texas wanted to avoid what had happened in a few states, [where] anybody who has these records can say, ‘I’m not giving them to you,’” says Katherine Cary, chief of the Open Records Division for the Texas Attorney General’s Office. “They wanted specific, narrowly tailored exceptions with the authority of the Attorney General in place to review these exceptions.”
In May 2003, the Texas Legislature passed the state’s Homeland Security Bill, which includes Freedom of Information exemptions for:

• Information regarding emergency response providers (e.g., staffing requirements, tactical plans, telephone numbers);

• Results of risk or vulnerability assessments;

• Information regarding construction or assembly of weapons (e.g., university research or information provided by government contractors to obtain permits);

• Encryption codes and security keys for communications systems;

• Information prepared for the federal government;

• Documents revealing technical details of vulnerabilities to critical infrastructure; and

• Specifications, operating procedures or locations of security systems.

With the exception of two categories (weapons construction and information prepared for the feds), the exemptions apply only to:

• information that is “collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism or related criminal activity” or

• information that identifies “the technical details of particular vulnerabilities of critical infrastructure to an act of terrorism.” (Texas Legislature, 78th Regular Session, House Bill 9, §418.176– 418.183).

The terrorism qualification prevents blanket refusal of information, Cary says. “If you are going to withhold blueprints, for example, you are going to have to tie it to a vulnerability to the act of terrorism,” she explains. “If you say, ‘A bridge could fall down in a Category 4 hurricane,’ that’s not terrorism, so you can’t use [the critical infrastructure exemption] to keep that confidential.” Unlike many states, Texas requires agencies that invoke the new exemptions to funnel denials through the Attorney General’s Office. “If they want to withhold anything, they have to prove [that the denial is based on vulnerability to terrorism],” Cary says. “They have to prove each document, each time, and [the decisions] don’t carry over.”
Already, Cary has been asked to decide about the exemptions. For example, when the Austin Police Department refused a request for a personnel list (basing its decision on the emergency response provider exemption), Cary decided in favor of the requestor. “You can still get a list of every officer at the police department, but [the department] can redact the titles if [leaving them in] would organize the list in such a manner that you could tell which people just worked on terrorism or emergency response,” Cary explains.
She made a similar decision when the University of Texas refused a press request for the locations of the school’s security cameras. The university “did not prove that [the refusal] was terrorism-related,” Cary says. “We told them the [security systems] exemption did not apply.” The university is suing to overturn the decision.

Unintended Consequences
According to Davis, while security-related exemptions are intended to thwart terrorism, they could, at the same time, hamper public watchdog efforts and obstruct public knowledge of safety issues that are unrelated to terrorism. “Part of the difficulty in this is trying to see the unintended consequences,” he explains. “In the energy sector, for example, if you’re going to hide records about the security of systems or equipment used in the production of energy, then you’re talking about the location of pipelines; information about the pressure as which gas and oil are stored in pipelines; vulnerability reports; and maintenance reports.
“A lot of that data is used in the public interest, every day, by a whole lot of people, to find out what [the industry] is doing with pipelines, gas systems, the grid,” he notes. “There’s a lot of pressure on industry, be it energy or anybody else, to explain hazards, leaks and accidents, and that information brings a lot of public pressure to bear to tighten up those systems.”
By exempting information regarding critical infrastructure, are states interfering with the public’s right to know about system hazards, safety and environmental compliance? “Probably the biggest part of the debate [surrounding exemptions] has been achieving that happy medium, making sure that people do have appropriate information about the safety of their water supply, for instance, both in the sense of physical security and in the sense of knowing what’s in the water,” says Cathy Atkins, program principal for the Environment, Energy and Transportation Program at the Denver-based National Conference of State Legislatures. “Legislators didn’t want these laws to be taken as a way of preventing necessary information from getting out [to the public].”
Florida faced its own unforeseen dilemma when agencies asked the Attorney General’s Office whether releasing building plans to contract bidders violated the state’s new blueprints exemption. In a 2002 advisory opinion, former Attorney General Robert Butterworth wrote, “a governmental entity may disclose and distribute documents … such as building plans, blueprints, schematic drawings and diagrams, in order to comply with statutory requirements for competitive negotiation or competitive bidding.” He also noted that, “as required by statute, the entities or persons receiving such information shall maintain the exempt status of the information.”
Texas laws governing confidentiality and vendors work similarly to those in Florida. Information belonging to the government, yet held by a vendor, is subject to the same exemptions that apply to information held by a government entity.
“Public information isn’t confined to information of the government,” Cary says. “It’s also information that the government of Texas owns or has the right of access to. So let’s say John Smith Computer Co. is paid to do a vulnerability assessment [for a government agency]; that document and all the documents related to it belong to the state. The Public Information Act says that, if you’re a governmental body in Texas and you have the right of access to information that your vendors hold, then [those vendors] fall under the same limitations [as the governmental body does],” she says.
Like many states, Texas also has provisions for the reverse situation, in which a vendor asks the government to maintain the confidentiality of information critical to the vendor’s business. A vendor hired by the government is required to provide to the government all documents relating to performance of the contract. However, the vendor can ask the government to preserve trade secrets outside the public record.

Imperfect But Workable
While most states have passed new legislation affecting public access to records and meetings, they have shown some restraint. For every 1.25 exemptions that have passed, one has not. Several states, including Alabama, Minnesota, Mississippi, Montana and Hawaii, have either rejected new proposals altogether or determined that existing exemptions are sufficient to protect security-related information. “There are some good exemptions out there and some really broad ones,” Davis says. “There have been attempts to put in some god-awful things, but, overall, there was debate on the floor of houses all over the country. Most of this stuff has been done very thoughtfully, with a great deal of sensitivity.”
“Is it perfect? No,” Atkins says. “There’s at least an understanding that, right now, some of this needs to be done. And many of the laws do have sunset provisions so they can be revisited.”

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue