No clear rules exist for use of some government secrecy stamps
From the Fall 2004 issue of The News Media & The Law, page 14.
By Kirsten B. Mitchell
Five years ago, when Steven Aftergood wanted a Department of Defense phone book, he strolled into a Government Printing Office bookstore, handed the clerk some money and walked out, directory in hand.
Since Sept. 11, 2001, it’s no longer sold at government bookstores, nor is it available online as are some government phone lists. Instead, the directory is marked FOUO — For Official Use Only.
That means someone at the Pentagon has deemed the directory — which is unclassified — inappropriate for public release. But an FOUO stamp does not mean that the information is automatically exempt from the Freedom of Information Act, said Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists in Washington, D.C.
FOUO is just one example of the veritable alphabet soup of acronyms tied to government secrecy.
“I’m mostly flabbergasted by the number of the them,” Aftergood said.
Seven years ago, a U.S. Senate panel on government secrecy reported “at least 52 different protective markings being used on unclassified information, approximately 40 of which are used by departments and agencies that also classify information.” That number has swelled since Sept. 11, 2001.
A huge problem with FOUO and many other secrecy acronyms is that unlike the clearly classified labels “Top Secret,” “Secret” and “Confidential,” there is no consistency in their application to government documents.
“If there’s an FOUO stamp you might think it means one thing. The guy at the next desk might think it means something else. This is a microcosm that’s not controlled by the agency,” said Robert Gellman, a privacy and information consultant in Washington.
“The whole area is a mess. . . . You have to wade through the different categories. Just because something is SBU [Sensitive But Unclassified], doesn’t mean you can’t get it under the Freedom of Information Act,” he said.
With no clear definition for many of the terms, the same document might be stamped two ways by two agencies, Aftergood said.
“Agencies withhold information because they consider something sensitive. It could be because it’s embarrassing. It could be because it’s politically inopportune. Or it could be because it would generate media coverage and controversy,” he said. “Agencies end up making up the rules as they go along.”
That’s the case for SSI — Sensitive Security Information. A law protected “sensitive information” held by the former Federal Aviation Administration. Congress expanded the protection of “security information” to any mode of transportation in legislation enacted in 2001. Ultimately the law applied to the Transportation Security Administration in the Department of Homeland Security.
Congress did not define SSI . “Whatever the administrator of the Transportation Security Administration thinks should be withheld will be withheld,” Aftergood said. “It places it entirely on the administrator’s state of mind. . . . Congress should have spelled out exactly what it is talking about.”
Two congressmen asked the Government Accountability Office, the investigatory arm of Congress, to study the procedures agencies use when withholding information from the public under the SSI label.
In a Sept. 14 letter asking GAO to investigate, Reps. David Obey (D-Wis.) and Martin Olav Sabo ( D-Minn.) pointed out inconsistencies in the use of SSI.
The Transportation Security Administration, the lawmakers wrote, “provided written responses to the Homeland Security Subcommittee that it designated as SSI. However, one month earlier, the agency did not treat this same information as sensitive. In another example, TSA identified that certain information related to the electronic screening of checked baggage at airports as SSI when that same information had already been reported in the public domain. Another example is that a recent DHS [Department of Homeland Security] executive telephone list sent to staff by DHS was stamped ‘Sensitive but Unclassified.’ We are baffled as to how a telephone list, containing only government phone numbers, can be determined to contain sensitive information.”
The problem isn’t new. Gellman, who worked in the late 1970s for the Subcommittee of House Government Operations, remembers a report the panel issued 30 years ago blasting the use and abuse of the markings.
The following is a list of the most-used stamps and other government acronyms related to secrecy that reporters are likely to run across:
CII — Critical Infrastructure Information. Information about telecommunications, banks, dams, water and sewer plants, nuclear power plants, ports, public utilities and other entities necessary to the nation’s well-being which, if incapacitated or destroyed, could jeopardize security, public health or safety.
The Homeland Security Act of 2002 protected CII, shielding it from the public in order to entice private companies to voluntarily provide information to DHS for use in spotting vulnerabilities that might be exploited by terrorists. Disclosure restrictions pre-empt all state and local open records laws if the information is shared with them.
CEII — Critical Energy Infrastructure Information. Computer data and other information relating to the production, generation, transportation, transmission or distribution of energy that could be useful to someone planning an attack.
Exemptions to the FOI Act may or may not apply to CEII. If information is denied, an agency must cite an FOI Act exemption.
Much of the information in this category was available online and through the FOI Act before Sept. 11, 2001. The Federal Energy Regulatory Commission has opted to release the information under non-disclosure agreements with homeowners and journalists who use it only for general background, not as a direct source.
CNSI — Classified National Security Information. There are three categories. Top secret is information that if released could reasonably be expected to cause exceptionally grave damage to national security. Secret information, if released, could reasonably be expected to cause serious damage to national security. Confidential information, if released, could reasonably be expected to cause damage to national security.
CUI — Controlled Unclassified Information. Used by the Department of Defense for unclassified information subject to limited access or distribution by federal laws, policies or regulations. Agencies must identify FOI Act exemptions to protect requested information from disclosure.
DHS — Department of Homeland Security. Created in the Homeland Security Act of 2002, DHS brought into one department a range of government agencies including the Coast Guard, Customs Service, Federal Emergency Management Agency, Immigration and Naturalization Service, Secret Service and the Transportation Security Administration.
FACA — Federal Advisory Committee Act. Created by Congress in 1972 to ensure that advice given to the executive branch by advisory committees, boards, commissions and task forces be objective and accessible to the public. An average of 1,000 of these groups a year meet and advise the administration.
FERPA — Family Educational Rights and Privacy Act. Also known at the Buckley Amendment. Created by Congress in 1974 to keep private student education records. Applies to all schools receiving federal funds.
FISA — Foreign Intelligence Surveillance Act. Created by Congress in 1978, it established procedures for secret court authorization for electronic surveillance and searches of people engaged in espionage or international terrorism against the United States. Seven federal district court judges appointed by the chief justice of the U.S. Supreme Court comprise a special secret court. The records and files of the court are sealed, closed even to people whose prosecutions are based on evidence gathered under FISA warrants.
FOIA — Freedom of Information Act. Created by Congress in 1966, the act gives the public access to records of all federal agencies in the executive branch unless those records are within one of nine categories of exempt information that agencies are permitted — but generally not required — to withhold.
U.S. Attorney General John Ashcroft announced a new standard in October 2001 that encourages federal officials to fully consider reasons for invoking FOI Act exemptions and assures them that the Justice Department will fully defend legally defensible exempt material. The Ashcroft memo replaced a 1993 instruction from then-Attorney General Janet Reno that agencies avoid the use of “discretionary” exemptions unless they could point to a “foreseeable harm” resulting from disclosure.
More information is at www.rcfp.org/foiact
FOUO — For Official Use Only. Document designation used by the Department of Defense and other federal agencies. Unclassified information that could fall into one of nine exemptions to the FOI Act and that a federal agency deems inappropriate for public release because disclosure would cause foreseeable harm. Each agency is responsible for determining how the designation is used.
FRD — Formerly Restricted Data. The Departments of Energy and Defense jointly determine that information once considered “restricted data” under the Atomic Energy Act relates primarily to military use of atomic weapons and can be protected as classified defense information.
HIPAA — Health Insurance Portability and Accountability Act. Authorized by Congress, the act went into effect in 2001, with full compliance required by 2003. HIPAA was intended to protect patients’ medical privacy and give them more control over their health information and how it is used.
ISOO — Information Security Oversight Office. A government office housed in the National Archives and Records Administration that oversees classification throughout the federal government.
LOU — Limited Official Use. Pre-1995 Department of Justice term for unclassified information of a sensitive, proprietary or personally private nature. Information in this category is now called SBU.
NARA — National Archives and Records Administration. An independent federal agency that oversees the management of all federal records. NARA’s 34 facilities contain more than 8 billion pages of records from the federal government, 18 million aerial photographs and about 4 billion data records.
NSI — National Security Information. See CNSI above.
NTK — Need to Know. A prospective recipient of such information must require such information to perform his or her official duties. Determination is made by an authorized holder of such information.
OUO — Official Use Only. See FOUO.
RD — Restricted Data. Defined in the Atomic Energy Act of 1954 as data concerning the design, manufacture or use of atomic weapons, the production of special nuclear material or the use of special nuclear material on the production of energy. Protected by law from disclosure.
SBU — Sensitive But Unclassified. Not defined in federal law and no uniformity among federal agencies as to how the term is used. Agencies have discretion to define SBU in ways that serve their particular needs to safeguard information, according to a July 2003 report by the Congressional Research Service. Agencies may also establish penalties for improper release of such information, the report says.
Department of Justice guidelines make clear that SBU information can be withheld from FOI requesters only to the extent that exemptions to the FOI Act apply.
SCI — Sensitive Compartmentalized Information. Classified information that is so secret it is more secret than “Top Secret.” See CNSI.
SHSI — Sensitive Homeland Security Information. Includes law enforcement data and information about critical computer threats or vulnerabilities that is not routinely released to the general public.
SSI — Sensitive Security Information. Post Sept. 11, 2001, term coming out of civil aviation rules. Information about security programs, vulnerability assessments, technical specifications of certain screening equipment and objects used to test screening equipment and other information. Exempt from disclosure by law.
SUI — Sensitive Unclassified Information. Another name for Sensitive But Unclassified. See SBU.
UCNI — Unclassified Controlled Nuclear Information. Its meaning depends on which agency is using the term. In the Department of Energy, UCNI includes unclassified facility design information, operational information concerning the production, processing or utilization of nuclear material for atomic energy defense programs, safeguards and security information, nuclear material, and declassified controlled nuclear weapon information once classified as Restricted Data (RD), according to the Texas A&M Research Foundation.
In the Department of Defense, UCNI is unclassified information on security measures — including security plans, procedures and equipment — for the physical protection of nuclear material, equipment, or facilities. Information is labeled UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by increasing significantly the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of nuclear, equipment or facilities, according to the foundation.
USA PATRIOT Act — Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. Signed into law Oct. 26, 2001, the Patriot Act grants broad new powers to government agents investigating terrorism and may make previous statutory protections for newsrooms almost irrelevant when it comes to terrorism investigations. The law expands the FBI’s ability to obtain records through secret court orders and gives government investigators greater authority to track e-mail and telephone communications and to eavesdrop on those conversations. Though aimed at terrorists, the law could ensnare journalists and compromise their ability to report on terrorism.
More information is available at https://www.rcfp.org/homefrontconfidential/usapatriot.html