The FOIA Exemption: No More Secrets

The proposed Office of Homeland Security's massive attempt to protect the country includes legislation designed to create open, yet secure, lines of communication between the government and the private sector. To do that, federal officials plan to exempt information that businesses provide to the government about security breaches, hacks and other critical infrastructure vulnerabilities from the Freedom of Information Act (FOIA).

FOIA requires the government to disclose requested records, but the proposed exemption would specifically protect the private sector from security and infrastructure disclosures. FOIA private sector exemptions were approved by the House in late July, and the Senate is expected to review the legislation this month.

Debate over the exemption has been heated. Technology advocates say the exemption is critical for encouraging the voluntary reporting of confidential information. But privacy advocates feel that the exemption is excessive and instead will encourage corporations to keep more secrets from shareholders and customers.

David Sobel, general counsel for the Electronic Privacy Information Center (EPIC), says existing exemptions contained in FOIA already provide protection. For example, currently under FOIA, if a company considers information confidential, it can oppose the release of that information. Sobel claims exemption proponents have yet to cite an instance where the government has disclosed information against the wishes of a company.

Open knowledge of security flaws is the fastest way to correct them. We should not sweep this information under the rug, says Sobel, who testified before Congress that "if a company is willing to fudge its financial numbers to maintain its stock price, it would be similarly inclined to hide behind a 'critical infrastructure' FOIA exemption."

But Harris Miller, president of the Information Technology Association of America (ITAA), disagrees, calling the exemption "the linchpin between breaking down the walls of information sharing and private business."

According to Miller, several companies claim that current exemptions do not cover security information, and they worry that the sensitive information they give to the government will end up on the front page of The Wall Street Journal.

Legislators say their intention is to achieve openness, not let people off the hook for corporate blunders. A House Select Committee statement reports that "when individuals and businesses provide new information to the [Office of Homeland Security] so that the secretary [of that office] can assess vulnerabilities, that information will be protected"a bold statement considering that the government is frequently unable to keep its own security secrets, let alone someone else's.

Related:

Copyright © 2002 IDG Communications, Inc.

The 10 most powerful cybersecurity companies