@Info.Policy: Enough with FOIA-weakening bills
- By Robert Gellman
- Jul 10, 2002
I am tired of seeing bills to exempt company information from the Freedom of Information Act.
There are several floating around or rumored, including one that would apply to information a company shares with the government about computer security vulnerabilities. I want to try to drive a sharp stake in the heart of such arguments.
Proponents argue that the exemptions are needed because companies won't disclose information voluntarily to the government. Let's compare the risks from FOIA disclosures to other disclosure risks.
Under FOIA, confidential business information is already exempt from disclosure. Each agency must contact a business submitter before disclosing its information. An unhappy submitter can go to court to block the release. That constitutes three levels and types of protection.
Now let's consider the myriad other disclosure possibilities.
First, regardless of FOIA, an agency can disclose information that it has on its own motion at any time. Of course, trade secrets have legal protections, but they are also under FOIA.
Second, agency personnel can leak information at whim. Leaks come with no advance notice, and little can be done to prevent them. Agencies can't protect their own secrets, so I can't imagine why any company thinks its secrets would be secure.
Third, agency information can be more easily obtained by Congress. Once any data is in the hands of Congress, it can be made public at any time. Under the Constitution's Speech and Debate Clause, a member of Congress cannot be held accountable for official statements. Not to mention leaks.
Fourth, information can be disclosed through bribery. Remember the FBI's Robert Hanssen and the CIA's Aldrich Ames? They sold some of the most sensitive government information ever, including data that got their foreign counterparts killed. Can any company think its valuable corporate data isn't open to the same treatment? Most government workers are trustworthy, but a few are not.
Fifth, study after study has shown that government computers are vulnerable to hackers. Add to this the possibility that an agency might by accident put some sensitive corporate data on a public Web site. This has happened.
Sixth, a government worker who has legitimate access to sensitive corporate information can always quit or retire and go to work for a competitor of the submitter. Companies can protect against disclosure by their own employees, but they cannot force government workers to sign nondisclosure agreements.
My point should be clear. A company worried about sharing sensitive data with the government has more to worry about than FOIA.
Corporate data doesn't need new FOIA protection. It is already adequately protected both substantively and procedurally. Anyone who argues that a new FOIA exemption will protect a company's data doesn't understand the issue or is hiding the ball.
What are they hiding? Perhaps an immunity provision or antitrust exemption. Look hard enough and see if you can figure out what is really happening. Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.