Clean up Net files before they are demanded

Here is a question: Can
a Freedom of Information Act requester obtain a copy of a federal employee’s cookie
file stored in the employee’s Web browser? A cookie file lets a Web server operator
tell a browser to store certain information and to give it back on subsequent visits to
the same server.


Not all Web pages use cookies, but many do. The cookie file on a user’s computer
may contain information about a user’s activities on the Internet, passwords and
other data.


In Tennessee, the editor of a newspaper, the Putnam Pit, asked for cookie files on
government computers in the town of Cookeville. The request was rejected under the
state’s open records law. The state attorney general ruled that the files are exempt
from disclosure as temporary records or working files. Under the federal FOIA, no directly
comparable exemption exists.


Nevertheless, there may be grounds for denying access to at least part of a cookie
file. For example, a denial would be in order if the file contains a password that permits
access to a restricted Web site.


But other information in a cookie file might not be so easily withholdable. And the
cookie file is not the only file that reflects local network usage. In fact, more
interesting files exist. Browsers maintain caches of downloaded images. These cached files
could also be requested, and it would take a file-by-file review to determine if any could
be withheld.


Who knows how many X-rated images could be found in federal computer caches.


Other examples are the history and bookmark files maintained by browsers. The history
file identifies every Web page a user has accessed. A bookmark file contains a list of the
sites whose addresses were saved for future reference by the user. These two files contain
a wealth of data about Web use.


So are these files available under FOIA? There is no easy answer.


It is hard to argue that the files are wholly personal, because they are on a
government computer that is supposed to be used for official business.


You could use FOIA’s internal personnel rules and practices exemption and
intra-agency memorandum exemption to argue for withholding in certain circumstances. But
the arguments would be pretty weak.


A blanket ruling that all files on all federal computers are exempt from disclosure
seems unsupportable. Just a request for the records would be troublesome. Imagine if a
requester asked for the cookie, history, bookmark and cache files of every senior
executive service employee at the Justice Department.


Don’t look for help from the 1996 Electronic FOIA amendments. The law brought the
FOIA into the computer age, but not into the network age.


Even worse, the law requires an agency to make reasonable efforts to search for an
electronic record—except when such efforts would significantly interfere with the
operation of the agency’s systems.


This exception is one of the worst features of E-FOIA and is likely to become the last
refuge of a rogue or a lazy FOIA officer.


So whether the files are disclosable or not, the first task would be to collect all of
the files from all of the computers used by those in the senior executive service.
Depending on the nature of the department’s computer network, that could require a
computer-by-computer review. And although cookie, history and bookmark files are
relatively small, caches can contain many megabytes worth of files.


I expect that some agencies—and surely Justice—will try to use the procedural
exemption.


I doubt that the argument will work, at least for narrowly focused requests. It will be
hard to argue that retrieving one or even 10 history files will significantly interfere
with anything.


Federal employees should think about the trail they leave when surfing the Internet at
work. Browsers give users tools to control the information maintained in bookmark, cookie
and history files as well as caches. Any federal employee doing something on the Net that
would not look good in a Washington Post article should learn how to use those tools.


On the other side, enterprising reporters should make their FOIA requests before too
many federal employees learn how to hide their Internet trails. It may be a race to see
who can act first, the requesters or the erasers.  


Robert Gellman, former chief counsel to the House Government Operations
Subcommittee on Information, Justice, Transportation and Agriculture, is a Washington
privacy and information policy consultant. His e-mail address is rgellman@cais.com.

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above