Sara Kelley is a Reference Librarian at Georgetown University Law Library, where she acts as bibliographer on national security topics and maintains a web-based research guide on national security law. Prior to joining Georgetown she was a research librarian at the University of Maryland Law Library, where she frequently researched civil liberties and national security law issues for the University of Maryland-Baltimore’s Center for Health and Homeland Security.
According to the General Accountability Office, sensitive but unclassified information is “information generally restricted from public disclosure but that is not classified.” U.S. Gen. Accountability Office, GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Need for Designation of Sensitive Security Information 1 (June 2005) (described below). Various federal agencies recognize numerous categories of sensitive but unclassified government information, including “sensitive security information” (a designation used by the Transportation Security Administration (“TSA”) to denote information related to airline and other transportation industry security practices, 49 C.F.R. Part 1520), and “Controlled Unclassified Information” (a designation used by the Department of Defense, e.g. 32 C.F.R. Part 249). Openthegovernment.org’s Secrecy Report Card 2005 lists 50 separate designations for sensitive but unclassified information in government hands, and acknowledges that this is not a comprehensive list.
Most varieties of sensitive but unclassified information are government information. A special type of sensitive but unclassified information is “critical infrastructure information:” information that is “not customarily in the public domain,” but is related to the security of “critical infrastructure,” 6 C.F.R. § 29.2, and voluntarily submitted by private industry to the Department of Homeland Security, 6 C.F.R. 29.1. (Critical infrastructure is defined as “systems and assets . . . so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.” 6 C.F.R. § 29.2.)
Information professionals should be concerned about the number of categories of protected unclassified information, the vagueness of agencies’ definitions of the various protected categories, and the sheer volume of information that could potentially be deemed non-disclosable. In a 1994 report cited below, a “Joint Commission on Security” convened by the Secretary of Defense and Director of Central Intelligence estimated that as much as 75% of all information held by the federal government might be considered sensitive but unclassified. Another cause for concern is the fact that there are no procedures for systematically making sensitive but unclassified information available to the public when it becomes less sensitive. Such procedures do exist for classified materials. (See, for example, Exec. Order No. 12,958, 60 Fed. Reg. 19,825 (as amended by Exec. Order 13292, 3 C.F.R. 197 (2004), part 3 of which governs declassification.)
Particularly troubling to many openness advocates are the critical infrastructure information protections of the Homeland Security Act of 2002, Pub. L. 107-296, §§ 211-215, 116 Stat. 2135, 2150-55 (codified as amended at 6 U.S.C. §§ 132-134), because they include not only a new and arguably unnecessary FOIA exemption, but also a ban on the direct use of such information in civil litigation. (See the articles by Steinzor (2003) and Stohs (2002), described below.) It must be admitted, however, that even a commission appointed by President Clinton in the late 1990s found that private sector sharing of infrastructure information with government agencies is an essential component of critical infrastructure protection, and that businesses were reluctant to share such information because they feared its disclosure to the public.
As an aid to those who wish to become familiar with the issues surrounding government restrictions on the dissemination of sensitive but unclassified information, this bibliography provides summaries, citations, and links to scholarly articles and significant government, think tank, and public interest group reports on the subject. This bibliography does not provide summaries of relevant statutes, regulations, executive orders, and directives, which have been admirably covered in Federal Research Division, Library of Congress, Laws and Regulations Governing the Protection of Sensitive But Unclassified Information (2004).
Sara Bodenheimer, Comment, Super Secret Information? The Discoverability of Sensitive Security Information as Designated by the Transportation Security Administration, 73 UMKC L. Rev. 739 (2005).
Bodenheimer considers the practical issue of the discoverability of sensitive security information (“SSI”) in civil law suits that allege discrimination as a result of airline passenger screening practices. She begins by discussing the current Transportation Security Administration (“TSA”) definition and protection scheme for SSI, including how the SSI determination is made in litigation. Observing that prior to September 11, 2001, FAA (rather than TSA) regulations prohibited public disclosure of SSI, the author analyzes both pre- and post-9/11 cases in which the discoverability of SSI was at issue. She concludes that disagreement among district courts in the post-9/11 era shows that this is an issue ripe for litigation, and suggests several approaches to discovering SSI.
Leslie Gielow Jacobs, A Troubling Equation in Contracts for Government Funded Scientific Research: “Sensitive But Unclassified” = Secret But Unconstitutional, 1 J. Nat’l Security Law & Pol’y 113 (2005).
Jacobs discusses the constitutionality of government attempts to restrict the dissemination of sensitive but unclassified (“SBU”) information that results from scientific research undertaken by private individuals with government funding. She begins with an overview of government impacts on the dissemination of scientific knowledge. Next, she examines the First Amendment issues relevant to the validity of SBU secrecy clauses. She concludes that “the current SBU secrecy clause imposed on funded researchers impermissibly encroaches on free speech,” then “suggests some minimum features of a constitutional system of SBU information control.” (p. 116)
Cara Muroff, Note, Terrorists and Tennis Courts: How Legal Interpretations of the Freedom of Information Act and New Laws Enacted to Prevent Terrorist Attacks Will Shape the Public’s Ability to Access Critical Infrastructure Information, 16 U. Fla. J.L. & Pub. Pol’y 149 (2005).
Muroff addresses both federal and state efforts to legally limit disclosure of critical infrastructure information (“CII”) by analyzing two federal cases (Coastal Delivery Corp. v. U.S. Customs Service, 272 F. Supp. 2d 958 (C.D. Cal. 2003) and Living Rivers, Inc. v. U.S. Bureau of Reclamation, 272 F. Supp. 2d 1313 (Utah 2002)) and several Texas Attorney General letter rulings involving post-9/11/2001 statutory disclosure requests. The author admits that CII access restrictions could be effective terrorism prevention tools, but worries that even if appropriately applied they could also prevent the public from monitoring government efforts to attend to known critical infrastructure weaknesses. (p. 174)
David Pozen, Note, The Mosaic Theory, National Security, and the Freedom of Information Act, 115 Yale L. J. ___ (2005) (forthcoming). (Currently available for download by subscribers to the Legal Scholarship Network.)
This article traces the history and current application of the “mosaic theory” in FOIA jurisprudence and national security law. The mosaic theory, which is often used to justify the non-disclosure of unclassified government information, basically holds that pieces of information that may individually be of little or no value can become quite significant and useful when combined with other pieces of information. Pozen argues that while the mosaic theory is basically valid, it is susceptible to abuse in the FOIA context.
E. Herman, A Post-September 11th Balancing Act: Public Access to U.S. Government Information Versus Protection of Sensitive Data, 30 J. Gov’t Information 42 (2004).
Herman introduces the topic with a detailed analysis of United States v. Progressive, 486 F. Supp. 5 (D. Wis. 1979), a case in which the federal government sought to enjoin the Progressive magazine from publishing an article about the public-domain availability of information on hydrogen bomb construction. The author then describes and evaluates possible uses of public information by Al Qaeda, examples of public information that the government recalled after 9/11, and the National Infrastructure Protection Center’s “common sense” guidelines for evaluating materials prior to their publication on the web. The article concludes by proposing alternative guidelines based on Executive Orders 12958 and 13292 and the U.S. Geological Survey’s Product Access and Distribution Guidance (Dec. 2002).
James T. O’Reilly, FOIA and Fighting Terror: the Elusive Nexus between Public Access and Terrorist Attack, 64 La. L. Rev. 809 (2004).
O’Reilly outlines legislative and executive branch contributions to the current federal FOIA policy favoring non-disclosure in the name of terrorism prevention. He argues that access to public health information will be hit particularly hard by current policies, and that health systems accountability will suffer as a result. The article also discusses practical difficulties with application of the Homeland Security Act of 2002‘s critical infrastructure information provisions.
Elizabeth Tutmarc, Comment, The War on Cyberterror: Why Australia Should Examine the U.S. Approach to Critical Infrastructure Protection, 13 Pac. Rim L. & Pol’y J. 743 (2004).
Tutmarc compares Australian and United States critical infrastructure protection efforts, noting that the U.S. protection strategy is older and has had more time to evolve. She then argues that the Homeland Security Act of 2002‘s FOIA exemption for CII was necessary to persuade private industries to voluntarily submit such information to the Department of Homeland Security. According to Tutmarc, although FOIA already included exemptions for confidential business information and information related to national security and law enforcement, the new exemption does more to reassure private businesses that the information they submit will not be disclosed.
Christina E. Wells, “National Security” Information and the Freedom of Information Act, 56 Admin. L. Rev. 1195 (2004).
Wells observes that the Computer Security Act of 1987, which marked the first federal statutory use of the term “sensitive but unclassified,” was concerned only with protecting access to government computer systems that housed such information and not with information disclosure pursuant to FOIA. She goes on to opine that federal agencies’ current definitions of terms like “sensitive but unclassified” are chaotically varied and sometimes conflicting, and that the Homeland Security Act of 2002‘s definition of “critical infrastructure” is too vague to circumscribe the Department of Homeland Security’s application of the “critical infrastructure information” designation.
Keith Anderson, Note, Is There Still a “Sound Legal Basis?”: the Freedom of Information Act in the Post-9/11 World, 64 Ohio St. L.J. 1605 (2003).
Anderson discusses the Bush Administration’s post-9/11 FOIA policy of aggressive support for agency decisions to withhold from FOIA disclosure any potentially sensitive information, which was expressed in memos by former Attorney General John Ashcroft (10/12/2001) and Whitehouse Chief of Staff Andrew Card (3/19/2002). He argues that, although open government remains important after 9/11, courts should defer to the decisions of law enforcement agencies to withhold information requested under FOIA (including sensitive but unclassified information) in order to “promote greater homeland protection.” (p. 1605.) Anderson observes that “Anytime there is a term or phrase that must be interpreted, there can be cause for concern. The ‘sensitive but unclassified’ declaration, however, is not out of line with the spirit of FOIA considering present security concerns.” (p. 1627)
Harold C. Relyea, Government Secrecy: Policy Depths and Dimensions, 20 Gov’t Information Q. 395 (2003).
In this article, Relyea describes federal and state agencies’ early efforts in the aftermath of 9/11 to remove documents from public web sites and libraries. He also discusses the major change in FOIA policy (to restrict formerly discretionary disclosures in situations involving the application of exemptions) signaled by the Ashcroft and Card memos, and criticizes sections of the Homeland Security Act of 2002 and the E-Government Act of 2002 that require the protection of “sensitive but unclassified” information without defining the term.
Rena Steinzor, “Democracies Die Behind Closed Doors”: the Homeland Security Act and Corporate Accountability, 12 Kan. J.L. & Pub. Pol’y 641 (2003).
The author examines the critical infrastructure information provisions of the Homeland Security Act of 2002, providing both “optimistic” and “pessimistic” scenarios for the provisions’ implementation by the Department of Homeland Security. She concludes that the Act’s critical infrastructure protection provisions, which include a FOIA exemption and a ban on the direct use in civil actions of information voluntarily submitted in good faith to government agencies by the private sector, will probably be applied in a manner that impairs corporate accountability and limits citizens’ access to information that could help them protect themselves from danger.
Kristen Elizabeth Uhl, Comment, The Freedom of Information Act Post-9/11: Balancing the Public’s Right to Know, Critical Infrastructure Protection, and Homeland Security, 53 Am. U. L. Rev. 261 (2003).
Uhl traces the histories of both the Freedom of Information Act and the Homeland Security Act of 2002, and argues that the latter Act’s new FOIA exemption for critical infrastructure information was unnecessary because the previously existing exemptions were sufficient to protect critical infrastructure information.
Brett Stohs, Protecting the Homeland by Exemption: Why the Critical Infrastructure Information Act of 2002 Will Degrade the Freedom of Information Act, 2002 Duke L. & Tech. Rev. 18.
In this article written before enactment of the Homeland Security Act of 2002, the author argued that the Act’s critical infrastructure information provisions were unnecessary in light of existing FOIA exemptions and might be exploited by corporations more concerned with liability protection than terrorism prevention.
U.S. Gen. Accountability Office, GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Need for Designation of Sensitive Security Information, (June 2005).
In this report, the GAO criticizes the lack of TSA guidance and procedures for determining what constitutes “sensitive security information” or who has the authority to make that designation. The report also criticizes the lack of internal controls for assuring that the “sensitive security information” designation is applied consistently throughout the TSA.
Harold C. Relyea and Jeffrey W. Seiffert, CRS Rep. No. RL32597, Information Sharing for Homeland Security: A Brief Overview (Jan. 10, 2005).
This 35-page report on programs for information sharing between the private sector and federal and state agencies includes an analysis of protections for classified, sensitive but unclassified, and critical infrastructure information in the context of information sharing arrangements. (pp. 15-22.)
Genevieve J. Knezo, CRS Rep. No. RL31845, “Sensitive But Unclassified” and Other Federal Security Controls on Scientific and Technical Information: History and Current Controversy (Feb. 20, 2004).
This extensive and thoroughly researched report traces the history of controls on sensitive but unclassified information from 1977’s Presidential Directive on Telecommunications Protection Policy (PD/NSC-24) (which required protection of sensitive but unclassified communications “that could be useful to an adversary”) to the Ashcroft and Card FOIA policy memos and the Homeland Security Act of 2002. Ms. Knezo provides summaries of and citations to numerous federal agencies’ definitions of “sensitive but unclassified” and similar designations, including those of the State Department, the U.S. Agency for International Development, the Department of Defense, the Department of Energy, and the General Services Administration.
Mitchell A. Sollenberger, CRS Rep. No. RL32425, Sensitive Security Information and Transportation Security: Issues and Congressional Options (June 9, 2004).
Sollenberger begins with an overview of the TSA’s sensitive security information regulations and their statutory authority. He then examines differences between SSI and classified National Security Information, reviews the tension between public access to information and the security of transportation infrastructure, and concludes with analysis of six congressional “SSI Policy Options.” The six options reviewed are “accepting the existing SSI regulations, giving greater specificity to the agency’s protection requirements, setting time conditions for ending protection, seeking expert advice, requiring periodic congressional briefings, and establishing an oversight board.” (p. 10). The report briefly weighs the pros and cons of each option.
Special Investigations Div., Minority Staff of House Comm. on Government Reform, Secrecy in the Bush Administration: Prepared for Rep. Henry A. Waxman (Sept. 14, 2004).
This report discusses the Bush administration’s penchant for secrecy in a variety of contexts, including chapters on FOIA policy and the expansion of protections for sensitive security information. The FOIA chapter analyzes the Ashcroft and Card FOIA policy memos, the inappropriate use of FOIA exemptions to withhold unclassified information, and the creation of a new exemption for critical infrastructure information.
John D. Moteff and Gina Marie Stevens, CRS. Rep. No. RL31547, Critical Infrastructure Information Disclosure and Homeland Security (Jan. 29, 2003).
Provides an overview of three FOIA exemptions that might apply to CII held by federal government agencies, then discusses various legislative proposals and public interest group objections leading up to the Homeland Security Act‘s creation of a specific exemption for CII.
President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures: the Report of the President’s Commission on Critical Infrastructure Protection (1997).
Five years prior to the enactment of the Homeland Security Act of 2002, which actually created a FOIA exemption for critical infrastructure information voluntarily submitted by private businesses to government agencies, this report urged Congress to consider enacting such an exemption. In a chapter entitled “Establishing the Partnership,” the Commission noted that “Infrastructure representatives expressed reluctance to share information about vulnerabilities because they fear it might be made public, resulting in damage to their reputations, exposing them to liability, or weakening their competitive position.” (p. 28.) The report then recommended that “The proposed Office of National Infrastructure Assurance [ONIA] require appropriate protection of specific private-sector information. This might require, for example, inclusion of a b(3) FOIA exemption in [the ONIA’s] enabling legislation.” (p. 31.) The report also recommended that the U.S. Security Policy Board and the proposed ONIA consider methods for protecting aggregated, otherwise unclassified private sector information on critical infrastructure vulnerabilities, including classification. (pp. 32, 41.)
Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence (Feb. 28, 1994).
Although this report dealt primarily with classified information, a brief section of Chapter 2 entitled “Dealing with Sensitive But Unclassified Information” estimated that as much as 75% of all government-held information may be “sensitive.” (p. 75.)
Reports by Public Interest Organizations and Think Tanks
Openthegovernment.org, Secrecy Report Card 2005.
The last two pages of this 10-page report are entitled, “Sensitive But Unclassified: An Incomplete Encyclopedia,” and list 50 separate federal government designations for sensitive but unclassified information.
Reporter’s Committee for Freedom of the Press, Homefront Confidential: How the War on Terrorism Affects Access to Information and the Public’s Right to Know (6th ed. 2005).
This 84-page report addresses a variety of media law issues arising out of the war on terror. It includes a 14-page chapter on freedom of information that traces the development of legal impediments to FOIA disclosure since 9/11, among them: the issuance of the Ashcroft and Card FOIA policy memos; passage of the Homeland Security Act of 2002 with its “critical infrastructure information” and “sensitive but unclassified” protection provisions; the Department of Homeland Security’s promulgation of critical infrastructure regulations; the expansion of protection for “sensitive security information” to cover security information related to other modes of transportation; and the removal of unclassified information from government web sites.
Rand Corp., National Defense Research Institute, Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information (2004).
Concludes that publicly available geospatial information would probably not be terrorists’ information resource of choice for assistance with target selection because “potential attackers, such as terrorist groups or hostile governments, are more likely to desire more reliable and timely information, which is often available via other means, such as through direct access or observation.” (pp. xxi-xxii.) The report also observes that opportunistic attackers like terrorists have the advantage of being able to adjust their attacks to accommodate the amount of information available to them. (p. xxii.)
Common Cause, Follow the Dollar Report: Agenda for Secrecy – The Homeland Security Act Was Passed to Fight Terrorism But It May Also Shield Corporate Wrongdoers (Mar. 14, 2003).
After a brief survey of open-government advocates’ criticisms of the Homeland Security Act of 2002‘s critical infrastructure information protection provisions, this report describes three major industry groups that lobbied for those provisions and their campaign contributions to members of Congress who were instrumental in passing the Act.
OMB Watch, Sensitive But Unclassified Provisions in the Homeland Security Act of 2002 (rev. June 11, 2003).
In this brief report, OMB Watch analyzes sections 891 and 892 of the Homeland Security Act of 2002 (codified at 6 U.S.C. §§ 481 and 482), observing that they require the President to establish procedures for “identify[ing] and safeguard[ing] homeland security information that is sensitive but unclassified” without defining “identify,” “safeguard” or “sensitive but unclassified.” OMB Watch opines that these provisions “could prove more damaging to access to government information than the Critical Infrastructure Information subtitle.” (p. 1.) [Note: In Exec. Order 13311, 68 Fed. Reg. 45149-45150 (July 31, 2003), President Bush assigned this responsibility to the Department of Homeland Security, which has still not proposed any regulations on the subject.]
Electronic Privacy Information Center, Critical Infrastructure Protection and the Endangerment of Civil Liberties (1998).
This report reviews the early history (1984-1997) of critical infrastructure information policy, then criticizes the recommendations of the report Critical Foundations: Protecting America’s Infrastructures: the Report of the President’s Commission on Critical Infrastructure Protection (1997), described above under Government Reports. It states that “Congress should ensure that the FOIA . . . [is] not amended in any way that would inhibit the public’s right to access unclassified information held by the government, regardless of the information’s origin.” (http://www.epic.org/security/infowar/epic-cip.html#_Toc433094478.)