Freedom of Information Act vs Homeland Security

psyki writes "Should vulnerabilities in our public infrastructure be handled like vulnerabilities in computer security? Wired has an interesting article about the state of the Freedom of Information Act, particularly how it is becoming increasingly difficult to obtain documents from reluctant agencies in the security-conscious post-Sept 11 era. What really made me think, however, was this line: "While keeping information about security vulnerabilities out of terrorists' hands is a legitimate goal, McMasters believes the government is taking secrecy a step too far. In the end, he said, communities would be safer and better able to plan for their own protection if they were aware of potential security holes in power plants, airport terminals or other facilities.". Sounds an awful lot like the raging debate in the computer security community regarding publicizing vulnerabilities."

So you know of a security hole in the power system

[ObviousGuy]

What are you going to do about it? Pour the 15-foot thick concrete bunker around it yourself?

Two points

First, michael put a "IN SOVIET RUSSIA" joke in the byline. Though it's completely nonsensical, since you most assuredly did not get much information from the government in Soviet Russia.

Second, if there is another terrorist attack on US soil, and another one which could have been prevented by stronger security measures, the blood of the victims will be on the hands of all those who feel that relatively unimportant civil liberties (such as the liberty to steal music online) are worth more than the lives of their countrymen.

Re:Two points

[dpete4552]

I would rather have my civil liberties. And stealing music has nothing to do with them. Just some propaganda bullshit thrown in to make a persons civil liberties seem unimportant or even bad. You are also trying to say that we either have civil liberties or security, which is bullshit as well. Even if that choice had to be made, which it doesn't, I'd rather have the blood of my countrymen on my hands than lack liberty, at least I would know that they died for a country worth dying for.

Re:Two points

Your concept of liberty is pretty immature if you think it removes your responsibilities to your countrymen.

Re:Two points

[dpete4552]

I feel it is my responsibility as a countrymen to fight to protect the civil liberties of my countrymen.

Re:Two points

[sqlrob]

So, Thomas Jefferson is immature and doesn't understand liberties and responsibilities?

Re:Two points

I think you misread Jefferson.

And equating the previous poster to Jefferson is a little bit ridiculous. Even you would have to agree with that.

Re:Two points

And you do this through betraying them by exposing them to harm from enemies? The fight you are waging isn't helping anyone and is possibly hurting all your countrymen in the long run.

Re:Two points

[sqlrob]

Actually, I misremembered. I meant Franklin.

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."

I would certainly place government transparency under the essential liberty, as too much will happen if it's covered up.

Re:Two points

With no sensible limits to the transparency? It may be a problem that the gov't is too secretive with some information, but the opposite end of the spectrum is requiring things down to the schematics of military weapons and installations be available for perusal by any Tom, Dick, and Ahmed.

The right path lies in the middle, but full transparency of the government is most definitely not an essential liberty.

Re:Two points

[neocon]

While a good guideline, Franklin's phrase breaks down when there is more than one liberty in play. It's easy to say that you're not willing to sacrifice the `right' to know how to break into your local nuclear plant and make it go critical, but there's a counterpoint, too:

See, if terrorists break into that plant and make it go critical, thus killing you, you've lost liberty too -- you don't see any dead people practicing the right to free speech, free press, or any of the other essential rights, do you?

This is why, in addition to setting limits on government, the Constitution also sets responsibilities for the government, including `to provide for the common defense'.

So the real question is to find a balance between these two potential losses of liberty. For over two hundred years, our system has found a pretty darn good balance, which is why we have the oldest still-functioning Constitution on the planet (older than all the current Constitutions of Western Europe combined, for example).

Re:Two points

ha ha ha ha good one

you forget to directly mention "those that died on 9-11" .. it's called the "9-11 card" and you're required to play it.

Re:Two points

[sqlrob]

True.

But let's see:
Hiding info that was previously public...
Permitting holding of prisoners without trial...
Warrantless searches...

How do those in any way increase security? Why are they worth the diminishing of any rights? How is anything they gain more than temporary, if anything at all is achieved?

Re:Two points

[Twirlip+of+the+Mists]

Which is more important, liberty or security? Men far wiser than we have been debating that question for generations. The closest thing we have to an answer is, "Neither. Or maybe both. It depends."

Fortunately, while we know of no single right answer to that dilemma, we do know of several that are wrong. And blindly repeating that old saw is one of the wrong ones.

For the fallacy inherent in that oft-quoted aphorism* is that though there can be security without liberty-- totalitarian dictatorships are notably secure-- there can be no liberty without security.

But if you want to take, for sake of argument, the quote attributed to Franklin at face value, at least get it right. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." We're not talking about a little temporary safety. We're talking about permanent security on a grand scale, directly affecting hundreds of millions of people.

It is wise to be cognizant of your liberties and to defend them when they are challenged.. But it is the acme of foolishness to deny that we must sometimes give up a little temporary liberty to obtain essential safety.

--
* In point of fact, it appears that Benjamin Franklin never wrote nor said it. The line appears in the 1759 Historical Review of Pennsylvania, a work which was published anonymously. The work has been attributed to Franklin, but there seems to be no evidence that it was actually his work.

Re:Two points

[Moridineas]

Hi, enjoyed your post.

I was looking for evidence about that quote NOT actually being a Ben Franklin quote and couldn't find any sites (quick search). Do you happen to have any? It'd be really nice to be able to point out contextual errors when people start spouting off with that quote.

I personally don't like the quote because it's so ambiguous than any zealot can use it to back up his point of view. What exactly IS an 'essential liberty'? I'm relatively certain that the founding father's had a very different idea of that than we do today.

Thanks for the very interesting post,
Scott

Re:Two points

[dpete4552]

And you do this through betraying them by exposing them to harm from enemies?

By trying to protect my liberties I do no such thing.

I would rather live in a free United States, than a Soviet United States with an Orwellian style government, even if the latter is more secure, because the former is worth dying for. If the latter is something you are interested in go move to Communist China where everything and anything about you and what you do is able to be watched and controled by the government, and you have no access to any information regarding the government or what they have done, what they are planning, etc... Sounds like the type of country you are interested in.

This propaganda that you either have liberty or you have security is just that: propaganda bullshit.

Re:Two points

[dpete4552]

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty or safety. Nor, are they likely to end up with either."
-- Benjamin Franklin, one of our founding fathers

Re:Two points

[unitron]

"from the in-soviet-russia,-you-get-information-from-the-gov ernment dept."

"First, michael put a "IN SOVIET RUSSIA" joke in the byline. Though it's completely nonsensical, since you most assuredly did not get much information from the government in Soviet Russia."

Actually it's bitterly ironic since the whole "In Soviet Russia..." thing is about things there being the opposite of things here, and things here are tending towards "In the U.S. government gets plenty of information from and about you but you get precious little information from the government".

That's 'an "IN SOVIET RUSSIA" joke', not 'a "IN SOVIET RUSSIA" joke'.

I'm not so sure...

[wonkamaster]

I admit that I am a firm believer in publicizing software vulnerabilities and that it increases security. As such I believe that open systems are more secure than closed systems in the long run. In other words, I think that it's easier to hack into a closed-source system (via binary disassembly) than into an open-source system (by looking at source code).

But we're not just talking about software here. And there is no question that when an exploit is published that some individuals will take advantage of it. Publishing exploitable details could very well allow a single exploit, which IMHO is one too many.

Re:I'm not so sure...

[gilroy]

Blockquoth the poster:

But we're not just talking about software here. And there is no question that when an exploit is published that some individuals will take advantage of it.

Ahhg, I hate these complex ethical questions. In dealing with physical structures, we have to remember that you can't just issue a patch for a bridge or a tunnel. Budgetary, engineering, or other concerns might well prevent you from repairing a flaw even if it's out there. Plus, of course, physical structures are not likely to benefit from the "many eyeballs" effect: With source code, you check it because, after all, you will be using it. For a bridge or tunnel or power plant, that motivation is much removed.

Re:I'm not so sure...

[thx2001r]

I agree with you in practice.

The thing is, while it is ultimately better for the greater security that the public knows of these security holes so they can demand they are fixed there is an element of bureaucracy that slows or halts the correction of flaws.

In the computer world this is also clearly possible, but it seems that Open Source Software projects typically transcend sophomoric bickering to quickly address security issues and correct them.

In the government world... while I'd love to believe that everyone knowing of security problems would force governments (particularly the one I live in, the U.S.) to immediately plug the holes in security, this is not likely to be the case.

Can you imagine as a security issue is widely publicized, the government sets up an exploration committee to see if people really care about it enough so if they budget for its repair it will not hurt them politically?

Also, a major issue here is that security problems outside of the computer world require time to implement! The cement trucks don't start mobilizing the second information is posted on the web to plug (physical) holes in walls! They don't roll until someone pays them and before that, until someone decides what to do. Even when that happens, physical security is not something that can always be immediately plugged!

So, to surmise, no, I'm not comfortable knowing that security problems exist and are simply kept secrets, but at the same time, at least in dealing with factors such as I've discussed above, I think that making all of it publicly available will not help in the way that is ideologically thought by the original poster of this story.

The success of such practices in the computer world are largely in part to the existing infrastructure of, for instance, Open Source Software projects. They allow this system to work.

For this to work with other systems, it would require some fundamental changes to how the bureaucracy of such systems works and has "set up shop". This will take some time (and first and foremost, *strong* reasons to demand such a change).

there's a difference

[Ry+R.]

The difference is that FOIA covers the government while the debate about security vunerabilities is in the private sector.

The analogy is a good one but let's not confuse private industry's interest in profit with our interest in an open government.

The arguement can be made that Microsoft is so vital that it has to be as equally transparent as the government is (supposed to be). But, as influencial and omnipotent as Microsoft is, it isn't government, it is owned by Bill Gates and stock holders not a voting public.

Re:there's a difference

[MrWa]

There is a difference but I don't see how bringing Microsoft (other than because we always have to bash Microsoft) into the argument is valid.

The difference is that open source software can be fixed by whomever knows that there is a problem. Making this information more widespread supposedly helps fix the problem faster.
In closed source software it has often been the case that threatening to go public with the information aids in getting the fix out faster. Once the fix is created, spreading the news as far and as fast as possible helps those that need the information receive it faster.

If someone publishes that there is a security breach that allows terrorists to obtain nuclear weapons from the U.S. government, there is very little likelihood that letting YOU know about it will help the problem be fixed faster. The difference is that in the computer security industry there are orders of magnitude more people able to fix the problem than there are people able to fix security issues in government facilities. I suppose the threat of going public could help fix the problem faster, but if the threat that the security breach will be utilized isn't enough then I don't know what would be.

Re:there's a difference

I'll use your own words here

"If someone publishes that there is a security breach that allows terrorists to obtain nuclear weapons from the U.S. government, there is very little likelihood that letting YOU know about it will help the problem be fixed faster"

Yet if they didn't publish it there would be NO chance of you working to fix the problem and the terorrests would get thier nukes and use them without you even knowing how they managed to blow up your city.

If the problem is the curruption of the government the people need to know. They need to know so they can work to impeach, remove and imprison the bastard who has put the profit of selling nukes to terrorests over the lives of the people he has sworn to protect.

The fact is the government should NOT be allowed to hide any fact it sees fit from your views, if you give them the ability to work in secret there is no way for you to spot, let alone fight against, curruption. Curruption is a dangerous thing and no one is immune to it. We would like to beleave those sworn to protect us are above the usual folly of human nature but they are not and as it has before been said "every one has thier price."

Where do we draw the line should be the question. How much information should we allow the government to hide away from the eyes of the people? Look towards what they want and you will see a long list of curruption developing regulations. The fact they want to make it impossable to find out information on a corperate head that might be transfereing enviromently toxic chemicals from A to B under the possablility it could be used for terrorism.

I ask you, what has happened more.. a spill or a hyjacking? Also the freedom of information does NOT make one relax security in any way, meaning even though they have to tell you they are moving the stuff it doesn't mean they have to with hold security while moving the stuff. Definly if they beleave there is a risk of it being targeted, they can easily up security to the breach without needing the secrecy.

This works for the nuke plant one too. They don't need to disclose all the information then sit back and let anyone enter as they see fit, they could easily add more security till the problem is fixed.

But on the other hand I beleave there is such information that should be with held from the general public. Insteed a group should be formed, one that can be monatored and watched but doesn't need to diclose its findings to the public. They could review so called 'security risk' documents to see if they are real risks or just the government covering up its own curruption without the risk of such information falling into the hands of terrorests

-Jinx dragon, just passing through.

Ahem

[Twirlip+of+the+Mists]

Civil liberties are the bedrocks of our society; however, the Constitution is not a suicide pact. Discuss.

Re:Ahem

[Dannon]

Quite correct, the Constitution is not a suicide pact, it is a binding on Government.

Civil liberties are merely natural rights codified into law. If it is suicide to have possess these rights/liberties written into law as civil liberties, it would be just as much suicide to possess them as uncoded natural rights.

I'm sure I'm going somewhere with this, but I have to run, got errands that must be done this morning.... I'll think about it during the day. Or, maybe this can at least serve as a start to someone else's train of thought.

Re:Ahem

[ArsonPanda]

Personally, I disagree.
The Constitution and Bill of Rights are such fundamental underpinings of our (our? cue bitching about us-centric views here) country and society, that to surrender them in the name of security would be a sort of sociatal suicide. If keeping them did mean death, literally or figuratively, I'd rather die standing... Patrick Henry's line springs to mind.

Re:Ahem

[Twirlip+of+the+Mists]

You're making it out to be an all-or-nothing proposition. That's called a false dichotomy. We're not talking about abolishing the Constitution and establishing a totalitarian dictatorship. We're talking about slightly altering the existing balance between security and liberty.

Just for sake of argument, let's say today we have 90% liberty and 50% security. Of course, these things can't be quantified, but this is just to make the point. We're not talking about going to 0% liberty and 100% security; we're talking about going to 88% liberty and 75% security. In other words, we're talking about a significant increase in security in exchange for a sacrifice of liberty that the vast majority of Americans will never even notice. After all, when's the last time you went to the records building to pull the blueprints for the local power plant?

Re:Ahem

[ArsonPanda]

we're talking about going to 88% liberty...
Correct me if I'm wrong, but I think the Colorado river took more than a day to carve the Grand Canyon. Errosion is a slow, but steady proccess. 2% today, 1% tommorrow, hey, another 2% Friday will gain us another 3% saftey.
What you have to keep in mind is that one variable is not strictly dependant of the other. What should be done, to use your quantifications, is set the slider for freedom at 98% (only 98%? there has to be some restrictions, "no stealing my car, no killing people," etc. I'm not promoting anarchy) and do what ever it takes to maxamize safty without losing liberty "points".

when's the last time you went to the records building to pull the blueprints for the local power plant?
About three weeks ago. They weren't amused. But seriously, did the 14 on those planes have blueprints for the WTC? Did McVeigh have the plans for the Murrah federal building? Of course not, no need for them. It's the concept of "we have to (ban | eliminate access to) that (item | information) because it could be used for badness. Well, yes it could, but so could a (chain | car | box cutter).

We're not talking about abolishing the Constitution and establishing a totalitarian dictatorship
You might want to check w/ Ashcroft on that, I get the feeling he wouldn't mind too much.

Re:So you know of a security hole in the power sys

[Com2Kid]

• What are you going to do about it? Pour the 15-foot thick concrete bunker around it yourself?

Demand that the government FIXES it rather than just relying on security through obscurity. . . .

The U.S. Government seems intent on the idea that if they HIDE the security flaws that those flaws will not be exploited by terrorists. (and of course as a bonus side effect they don't have to hear the public keep on bitching about those security holes either!)

Well first off, it is fairly hard to stop people from WALKING THROUGH public places. Second off, copies of plans still exist in archives unscrupulous individuals (a category which terrorists definitely fall into the category of) are more than willing to find ways to gain access to.

So does hiding the security flaws make any difference? No, shit will still get blown up. The only difference is that the people won't get to realize how much danger they are in and thus will not be able to force their legislators to FIX those problems before those problems ARE exploited.

Democracy relies on the principle of a populous educated on issues pertinent to society. Kind of hard to have an EDUCATED populous when the government keeps on taking away the relevant data!

Keep things in perspective

[clonebarkins]

This is a response to several posts made here.

I've seen several posts so far that deal primarily with terrorists causing nuclear plants to meltdown, but really that's an extreme point of the kind of information that is being held back. One poster said, basically, that a dead man doesn't have any civil liberties, and that's certainly true and there are some things that the government should keep secret, like the locations of military weapons depots and our own nuclear arsenal. But the article isn't about just nuclear plants and military weapons. It's about all sorts of ways that communities could make themselves safer. Maybe folks could brainstorm some things that the government should be telling us, and then we can get of this extremist example.

To refer to another post, somebody asked if "you would pour the concrete yourself," presumably in reference to making some sort of architectural structure safer in the event of a terrorist attack. There are a lot of people out there who know how to pour concrete, and I would bet quite a few of them would be willing to provide their knowledge and experience to help make their communities safer.

Finally, a lot of words have been given to the comparison of community security issues to open vs. closed software. Well, I have to say that it's simply not true that secrecy is the best policy because, as any Thursday-night sitcom can tell you, no matter how "secret" you keep something, it's going to be found out sooner or later. Last year sometime I remember hearing a report on NPR about how the government was trying to get libraries to remove from circulation CDs that contained information about reservoirs and water supply sheds, etc., because this information could be used to make a terrorist attack. But the problem with this, besides the fact that the information is already "out there" (you can't close Pandora's box, at least not effectively), is that terrorists obviously do their research, and they're gonna find the reservoirs they want anyway. Heck, all they need to do is read Stephen King's "Dreamcatcher" to take care of greater Boston...perhaps we should ban that! But it's not just about terrorist attacks. People should have the right to know where the water they drink comes from. Sure, a lot of people will do nothing with the information, but should the day come that they need it, god forbid the info isn't there!

Essentially, I do believe that some things should be kept secret, but not many things. Plans for WMDs? Certainly! The structural integrity of the bridge I drive over everyday to go to work? Certainly not!

Irresponsible

[schmaltz]

suicide pact

You say "suicide pact" without offering any meaning or definition. That's every bit as fear-mongering and irresponsible as the current U.S. govt's actions have been of late.

Is it suicidal to want to know that the government is doing its job? Is an opaque government to be trusted? Will elected and appointed officials perform their duty to protect us? What if they slack off? Will we know before its too late?

It's called accountability. Our safety is dependent upon it.

Unaccountability is the not-too-secret wet-dream of conservatives and big business. Welcome to unaccountability legislated (Patriot Act and siblings) and decreed (Ashcroft's FOIA directives and Bush's executive orders.)

Re:Irresponsible

[Twirlip+of+the+Mists]

You say "suicide pact" without offering any meaning or definition.

Suicide pact: an agreement made among two or more parties that will result in the death of all involved. Seemed to me that the meaning would be obvious.

Is it suicidal to want to know that the government is doing its job?

It might be. For example, let's say the government has established a network of civil defense shelters and whatnot to help save lives in the event of a large-scale chemical attack on our cities. Some wise guy invokes the Freedom of Information Act and discloses the fact that the shelters in Cleveland, Boise, and Orlando aren't scheduled to be completed for another year. The next day, a UAV flies over Boise and unloads a metric assload of aerosolized VX nerve agent. Thousands die.

Have you ever heard the expression, "Loose lips sink ships?" Sometimes it can be true.

Unaccountability is the not-too-secret wet-dream of conservatives and big business.

I find it astounding that you can accuse me of fear-mongering and then jump from a slight increase in operational security of civilian government agencies straight to words like "unaccountable" and "opaque." Positively astounding.

Re:Irresponsible

[schmaltz]

heh, from "suicide pact" to "slight increase in operational security of civilian government"? Well, paint me black and white! Will martial law make you happy?

FOIA is all that stands between opacity and accountability, in many departments of the US govt. Ashcroft began nailing the coffin lid shut on FOIA around the same time he nightmared up PATRIOT. Ashcroft has an unbroken record for refusing Congressional information requests about PATRIOT's implementation details.

If we had an accountable government, today we'd know some of the reasons why 9/11 happened in the first place. For example, why FAA didn't follow standing doctrine (in place since the 50's) and send up escort jets when four planes went off flight path is still a mystery. This hasn't been investigated by our govt, and journalists' requests for clarification have turned up little. Why haven't the decisionmakers for those flights' well-being been fired? (Yes, these assertions have details to back them up.)

Bottom line, the USA has always been under terrorist threat, and will continue to be so for the duration of its existence. 9/11 was more shocking than it was surprising. Not many people I knew expressed surprise that it happened, only that it had taken this long. So long as the US continues its policy of manipulating and mucking around in the affairs of other nations, it will continue to be under threat. When it learns to behave as a good global citizen, then it'll probably become a safer place.

Iraqi files

Ronald Reagan signed orders that his papers be released 20 years after leaving office. This is customary, and usually includes GOOD AND BAD things about presidents and their entourage.

This is why presidents like to wait 20 years before releasing papers. :-)

However, many of the SAME people under Reagan are now under Bush Jr. with Very Important Jobs. They don't WANT those papers released, so many Reagan papers marked for release have been re-classified as National Secrets.

How many folks know that Donald Rumsfeld shook Saddam Hussein's hand?

How many folks know that Donald Rumsfeld wrote in 1985 - in a memo - that Saddam was ruthless enough to use chemical and biological weapons, and after coming to this conclusion, decided to sell VX, anthrax, West Nile and Botulin technologies to Iraq.

Or, how many people know the Reagan/Bush government sold satelite photos of Iran's troop deployments, so Iraq would know where to launch their gas attacks?

How many people know the binLaden family is business partners with the Bush family via Carlysle Group. Osama Bin Laden's family is laundering money for him, and does so in Bush's company.

All of this has been published or leaked by pro-democratic forces within the US government. Much of this information was obtained through Freedom Of Information act. But all of it was released as a trickle... ... imagine how embarrased the Bush administration would be if recent events caused this to become news again? Say, an anthrax attack on US troops is analyzed and genetically determined to have come from US weapons stockpiles? Oops.

Some of these folks are on record saying things that put them right in the same fascist ballpark as the terrorists they're inspiring.

Where are the US Founding Fathers when you need them??

Pro/Con

[4of12]

It can be logically argued about exactly where the point of balance should be between full information disclosure about public vulnerabilities and total secrecy.

Like many, I believe that the optimum lies between the two extremes. And I think every situation is different in terms of the trade-offs between the value of public disclosure in warning the public, getting them to take the threat seriously, and the flip sides of inducing needless panic, giving saboteurs a helpful roadmap, etc.

The key issue in my mind is

Who ends up moving the disclosure point and do they have a conflict of interest?

Often it is the government who decides the level of disclosure.

And the problem is a conflict of interest, because sometimes helpful disclosure of information for the public good may make the government, people in the government, or friends of people in the government look bad.

Consequently, you can guess then that the level of disclosure is generally going to be less than the optimum if the government has made bad embarrassing choices in the past, but the level of disclosure may be very high if the government has generally been making good decisions.