@INFO.POLICY

Why ponder new, needless FOIA exemptions?

Robert Gellman

No one knows how many exemptions exist to the Freedom of Information Act. The law itself has nine, but there are hundreds of other laws that exempt specific types of information from disclosure.

Exemptions are not necessarily bad things, but each one needs a careful evaluation.

Requests for new FOIA exemptions arise all the time. I spent much time during my years on Capitol Hill fighting unnecessary exemptions hidden in other legislation. As the 106th Congress draws to a close, two proposed FOIA exemptions are of interest to GCN readers.

The Defense Department wants an exemption to cover foreign government information given to the United States in confidence. This information can be classified and protected under existing rules, but DOD doesn't want to be bothered with the trouble and expense of classification. It just wants an easy way to deny public access.

This proposal makes little sense. DOD has enough trouble with the existing system for classifying national security information, and it produces too many needlessly classified documents. DOD does not need another category of almost-classified information. The result would be less protection rather than more, because information owners are likely to take the easy way and avoid the hassles of the classification system.

If the information has any real sensitivity, it will not receive the protection it deserves. After all, public disclosure under FOIA is not the only threat to legitimate confidentiality interests. Data can be disclosed in other ways, and the lack of proper classification may make it difficult or impossible to punish those who mistreat it.

The case of Wen Ho Lee, the former Los Alamos National Laboratory scientist accused of copying nuclear information, is instructive. It appears that at least some of the information he supposedly mishandled was not actually deemed restricted data'the classification term for nuclear data. Instead, officials marked it 'protect as restricted data.'

The marking resulted in less protection for the data, legally and technically. It is hard to punish someone for mishandling classified data when it wasn't properly classified in the first place.

Creating new categories of classified and almost-classified data undermines respect for classification and for legitimate security needs. Agencies have enough trouble protecting fully classified data, as anyone following the missing State Department notebook PC follies already knows.

The second FOIA exemption is found in HR 4246, the Cyber Security Information Act. The bill is intended to encourage companies to share with the government information about computer security and critical infrastructure protection.

The premise is that the private sector is dying to turn over to the government information about highly sensitive security activities. But, the line continues, the mere possibility that this information might escape under FOIA is preventing that cooperation.

Give me a break! Companies have long cited FOIA as a reason for not giving data to the government. The law is a convenient excuse for not sharing information that someone doesn't want to share anyhow. No company can watch the government's inability to protect classified information and feel comfortable in voluntarily sharing its informational crown jewels.

FOIA is just a fig leaf. Exempt the information from FOIA, and companies will concoct another reason for not cooperating.

Sensitive matter

Besides, sensitive security information voluntarily shared with the government is almost certainly exempt from FOIA already. The law broadly exempts corporate information and especially information voluntarily shared. Is there a possibility of a request and an eventual disclosure? Sure, but a new exemption won't help.

The scope of the proposed new exemption is unclear and the proposed definitions filled with vague terms easily misused by agencies and companies to hide other information.

Companies have been complaining'without supporting facts'about disclosure of their secrets under FOIA for years. Politicians and many federal workers are no better. They are always looking for a new excuse to hide their mistakes from the public, claiming efficiency or national security rather than sloppiness or inertia.

I hope Congress will give these proposals the treatment they deserve.

Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is rgellman@cais.com.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above