Security Through Secrecy
Are we safer because we are secret? In a growing number of states, legislators are answering “Yes.”
Since Sept. 11, 2001, 39 states have expanded or amended open meetings and public records laws, limiting public access to security-related information. It is an exercise that pits public safety against the public right to know, and it challenges lawmakers to weigh intent against consequence.
Protecting Vital Information
States have long had exemptions to public records laws, and security-related exemptions were common in state codes before 2001. For example, many states have long-standing laws that protect information about computer networks — including hardware, software, passwords and firewalls — to prevent hacking.
Yet the number of exemptions has skyrocketed since 2001. In an ongoing report that tracks open records legislation, the Arlington, Va.-based Reporters Committee for Freedom of the Press (RCFP) maintains that “legislators have continued to introduce bills narrowing open records and meetings laws in the hopes that secrecy would lead to security, even though no one has shown that open government in any way exacerbated the events of Sept. 11.”
None of the states passing security-related exemptions are doing so in response to suspicious requests for sensitive data, says Charles Davis, executive director for the Freedom of Information Center at the University of Missouri’s School of Journalism. “What really fuels this kind of exemption is trying to think about bad scenarios happening,” he notes.
Preemption was the motivation behind Florida’s new exemptions, which protect information shared among law enforcement agencies, hospitals’ plans for terrorism response, facility blueprints and locations of pharmaceutical caches. “There was a definite concern in the aftermath of the [Sept. 11 terrorist] attacks that our laws be designed to ensure that information vital to an anti-terrorism effort could be protected,” says Pat Gleason, general counsel for the Florida Attorney General’s Office.
In other states, the most common of recent exemptions address public disclosure of vulnerability assessments; blueprints or engineering/architectural drawings of critical infrastructure; and emergency response plans. Many states, including Florida, also have passed laws allowing closed meetings for security-related issues.
Open meetings exemptions are among the most controversial of the new Freedom of Information legislation. States are not only limiting public access to security-related meetings, but several have prohibited and even criminalized disclosure of information discussed in closed meetings.
Avoiding a Black Hole
While there has been no wholesale opposition to the new exemptions, advocates of open government are criticizing some states for passing legislation that is broad in scope. “Every time a government exempts information, there’s opposition, but I don’t think there’s across-the-board opposition [to these new laws],” Davis says. “There’s nobody out there saying, ‘I don’t think governments should do anything to protect information about critical infrastructure.’ I’m opposed to going about it in a sloppy, everything-in-the-black-hole fashion.”
Ohio came under fire last year for legislation that, according to RCFP, “exempts from the definition of a public record all records that relate to security or infrastructure. Ohio may never reveal what its plans are to protect its citizens because a law prevents officials from disclosing any information shared in a meeting dealing with security issues.”
New Jersey was criticized, too, when Governor James McGreevey issued an executive order exempting more than 480 types of public records for purposes of protecting privacy and public safety. According to RCFP, the governor later amended the order “to limit closures to about 80 categories.” (The New Jersey Attorney General’s Office did not respond to Government Security’s requests for an interview.)
“With public records exemptions, the question is always one of precision,” Davis says. “How much legislative exactitude is there in the language? Do we start with the proposition that everything’s open and move from there? Or do we start with the proposition that everything’s closed, and we’ll give you what you need to know?”
Precision was at issue in Maryland, when, last year, legislators proposed a law that gave the custodian of a record the power to refuse disclosure if he thought disclosure would endanger public security. “It didn’t set up categories of records or categories of danger to the public interest,” explains Robert McDonald, chief of opinions and advice for the Maryland Attorney General’s Office. “There were concerns expressed by the press and other people [that the proposal was too broad], and they got together with the Governor’s Office and the legislators and worked out a compromise.”
The resulting legislation still leaves disclosure to the discretion of the record holder, but it sets forth guidelines for decision-making. In short, the custodian can deny inspection of records relating to emergency response procedures; infrastructure blueprints and building schematics; and medical capabilities and locations of pharmaceutical caches. Furthermore, inspection can be denied only if the inspection would “jeopardize the security of any structure owned or operated by the state or any of its political subdivisions; facilitate the planning of a terrorist attack; or endanger the life or physical safety of the individual.” (Maryland Code, §10-618j)
Proving the Case
Meeting this year, in their first regular session since 2001, Texas lawmakers were mindful of the lessons learned in other states regarding open records exemptions. “A lot of states had passed [new legislation], and Texas wanted to avoid what had happened in a few states, [where] anybody who has these records can say, ‘I’m not giving them to you,’” says Katherine Cary, chief of the Open Records Division for the Texas Attorney General’s Office. “They wanted specific, narrowly tailored exceptions with the authority of the Attorney General in place to review these exceptions.”
In May 2003, the Texas Legislature passed the state’s Homeland Security Bill, which includes Freedom of Information exemptions for:
- Information regarding emergency response providers (e.g., staffing requirements, tactical plans, telephone numbers);
- Results of risk or vulnerability assessments;
- Information regarding construction or assembly of weapons (e.g., university research or information provided by government contractors to obtain permits);
- Encryption codes and security keys for communications systems;
- Information prepared for the federal government;
- Documents revealing technical details of vulnerabilities to critical infrastructure; and
- Specifications, operating procedures or locations of security systems.
With the exception of two categories (weapons construction and information prepared for the feds), the exemptions apply only to:
- information that is “collected, assembled, or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism or related criminal activity” or
- information that identifies “the technical details of particular vulnerabilities of critical infrastructure to an act of terrorism.” (Texas Legislature, 78th Regular Session, House Bill 9, §418.176-418.183).
The terrorism qualification prevents blanket refusal of information, Cary says. “If you are going to withhold blueprints, for example, you are going to have to tie it to a vulnerability to the act of terrorism,” she explains. “If you say, ‘A bridge could fall down in a Category 4 hurricane,’ that’s not terrorism, so you can’t use [the critical infrastructure exemption] to keep that confidential.”
Unlike many states, Texas requires agencies that invoke the new exemptions to funnel denials through the Attorney General’s Office. “If they want to withhold anything, they have to prove [that the denial is based on vulnerability to terrorism],” Cary says. “They have to prove each document, each time, and [the decisions] don’t carry over.”
Already, Cary has been asked to decide about the exemptions. For example, when the Austin Police Department refused a request for a personnel list (basing its decision on the emergency response provider exemption), Cary decided in favor of the requestor. “You can still get a list of every officer at the police department, but [the department] can redact the titles if [leaving them in] would organize the list in such a manner that you could tell which people just worked on terrorism or emergency response,” Cary explains.
She made a similar decision when the University of Texas refused a press request for the locations of the school’s security cameras. The university “did not prove that [the refusal] was terrorism-related,” Cary says. “We told them the [security systems] exemption did not apply.” The university is suing to overturn the decision.
Unintended Consequences
According to Davis, while security-related exemptions are intended to thwart terrorism, they could, at the same time, hamper public watchdog efforts and obstruct public knowledge of safety issues that are unrelated to terrorism. “Part of the difficulty in this is trying to see the unintended consequences,” he explains. “In the energy sector, for example, if you’re going to hide records about the security of systems or equipment used in the production of energy, then you’re talking about the location of pipelines; information about the pressure at which gas and oil are stored in pipelines; vulnerability reports; and maintenance reports.
“A lot of that data is used in the public interest, every day, by a whole lot of people, to find out what [the industry] is doing with pipelines, gas systems, the grid,” he notes. “There’s a lot of pressure on industry, be it energy or anybody else, to explain hazards, leaks and accidents, and that information brings a lot of public pressure to bear to tighten up those systems.”
By exempting information regarding critical infrastructure, are states interfering with the public’s right to know about system hazards, safety and environmental compliance? “Probably the biggest part of the debate [surrounding exemptions] has been achieving that happy medium, making sure that people do have appropriate information about the safety of their water supply, for instance, both in the sense of physical security and in the sense of knowing what’s in the water,” says Cathy Atkins, program principal for the Environment, Energy and Transportation Program at the Denver-based National Conference of State Legislatures. “Legislators didn’t want these laws to be taken as a way of preventing necessary information from getting out [to the public].”
Florida faced its own unforeseen dilemma when agencies asked the Attorney General’s Office whether releasing building plans to contract bidders violated the state’s new blueprints exemption. In a 2002 advisory opinion, former Attorney General Robert Butterworth wrote, “a governmental entity may disclose and distribute documents … such as building plans, blueprints, schematic drawings and diagrams, in order to comply with statutory requirements for competitive negotiation or competitive bidding.” He also noted that, “as required by statute, the entities or persons receiving such information shall maintain the exempt status of the information.”
Texas laws governing confidentiality and vendors work similarly to those in Florida. Information belonging to the government, yet held by a vendor, is subject to the same exemptions that apply to information held by a government entity.
“Public information isn’t confined to information of the government,” Cary says. “It’s also information that the government of Texas owns or has the right of access to. So let’s say John Smith Computer Co. is paid to do a vulnerability assessment [for a government agency]; that document and all the documents related to it belong to the state. The Public Information Act says that, if you’re a governmental body in Texas and you have the right of access to information that your vendors hold, then [those vendors] fall under the same limitations [as the governmental body does],” she says.
Like many states, Texas also has provisions for the reverse situation, in which a vendor asks the government to maintain the confidentiality of information critical to the vendor’s business. A vendor hired by the government is required to provide to the government all documents relating to performance of the contract. However, the vendor can ask the government to preserve trade secrets outside the public record.
Imperfect, But Workable
While most states have passed new legislation affecting public access to records and meetings, they have shown some restraint. For every 1.25 exemptions that have passed, one has not. Several states, including Alabama, Minnesota, Mississippi, Montana and Hawaii, have either rejected new proposals altogether or determined that existing exemptions are sufficient to protect security-related information.
“There are some good exemptions out there and some really broad ones,” Davis says. “There have been attempts to put in some god-awful things, but, overall, there was debate on the floor of houses all over the country. Most of this stuff has been done very thoughtfully, with a great deal of sensitivity.”
“Is it perfect? No,” Atkins says. “There’s at least an understanding that, right now, some of this needs to be done. And many of the laws do have sunset provisions so they can be revisited.”
‘I Sent It To the Feds’
Is information provided by states to the Department of Homeland Security forever beyond public access? “We don’t know whether, by the sheer nature of that sharing, those records are suddenly transformed magically into federal records,” says Charles Davis, executive director for the Freedom of Information Center at the University of Missouri’s School of Journalism. “If they are, they’re going to be forever secret because of the critical information exemption in the Homeland Security Act.”
At least one state — Texas — has taken steps to preserve open records outside the federal information sharing process. “In most states, if you send information to the feds, and the feds say, ‘Confidential,’ [the states] say, ‘Okay.’ That’s not necessarily so here,” says Katherine Cary, chief of the Open Records Division for the Texas Attorney General’s Office.
In its 2003 Homeland Security Bill, the Texas Legislature outlined the circumstances in which security-related information supplied to the federal government would be kept confidential at the state level. The state maintained openness of financial records and limited confidentiality to information that:
- is part of a report to an agency of the United States;
- relates to an act of terrorism or related criminal activity; and
- is specifically required to be kept confidential because of a federal statute or regulation; as a condition of participation in a state-federal information sharing agreement; or to obtain federal funding.
“The open government community was very interested in limiting this exemption to very specific situations where the government had to give information to keep its funding or to keep up legal requirements,” Cary explains. The criteria ensure that state agencies will not withhold information from the public simply because they shared the information with the federal government.
“You can’t say, ‘I sent it to the feds, and that makes it confidential,’” Cary notes. “You can’t say, ‘It’s confidential because the feds say so.’ You have to prove that there’s some legal obligation to keep it confidential. On top of that, financial information was completely excluded, so, even if the feds would keep it confidential, you’re not going to be able to withhold financial information such as costs of projects or [amounts of funding received].”
States That Have Passed Exemptions
Since Sept. 11, 2001, the following states have passed legislation that amends public records and/or open meetings laws to protect security-related information. (Source: Reporters Committee for Freedom of the Press, Arlington, Va.; and National Conference of State Legislatures, Denver)
Alabama
Alaska
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Idaho
Illinois
Indiana
Iowa
Kansas
Louisiana
Maine
Maryland
Massachusetts
Michigan
Nevada
New Hampshire
New Jersey
New Mexico
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
South Carolina
South Dakota
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wyoming