EXECUTIVE SUMMARY

Although the numerous investigations into
the September 11 attacks on the United States each concluded
that excessive secrecy interfered with the detection and
prevention of the attacks, new secrecy measures have nonetheless
proliferated. This is the first comprehensive Report to
summarize the policies for protection of sensitive unclassified
information from a wide range of federal agencies and departments
and identify the significant security, budgetary, and government
accountability risks attendant to unregulated and unmonitored
secrecy programs.

The picture that emerges from the diverse policies examined
shows little likelihood that Congress or the public will
be able to assess whether these policies are being used
effectively to safeguard the security of the American public,
or abused for administrative convenience or for improper
secrecy. Unlike classified records or ordinary agency records
subject to FOIA, there is no monitoring of or reporting
on the use or impact of protective sensitive unclassified
information markings. Nor is there a procedure
for the public to challenge protective markings. Given the
wide variation of practices and procedures as well as some
of their features, it is probable that these policies interfere
with interagency information sharing, increase the cost
of information security, and limit public access to vital
information.

The September 11 attacks on the United States and a March
2002 directive from White House Chief of Staff Andrew H.
Card to federal agencies, requesting a review of all records
and policies concerning the protection of "sensitive
but unclassified" information, spurred Congress and
agencies to increase controls on information. What followed
was the significant removal of information from public Web
sites, increased emphasis on FOIA exemptions for withholding,
and the proliferation of new categories of information protection
markings.

Using targeted FOIA requests and research, the Archive
gathered data on the information protection policies of
37 major agencies and components. Of the
agencies and components analyzed, only 8 of 37 (or
22%) have policies that are authorized by statute or
regulation while the majority (24 out of 37,
or 65%) follow information protection policies that were
generated internally, for example by directive or other
informal guidance. Eleven agencies reported no policy regarding
sensitive unclassified information or provided no documents
responsive to the Archive's request.

Among the agencies and components that together handle
the vast majority of FOIA requests in the federal government,
28 distinct policies for protection of sensitive
unclassified information exist: some policies conflate
information safeguarding markings with FOIA exemptions and
some include definitions for protected information ranging
from very broad or vague to extremely focused or limited.

- 8 out of the 28 policies (or 29%) permit any
employee in the agency to designate sensitive unclassified
information for protection, including the Department
of Homeland Security (DHS is now the largest agency in
the federal government other than Defense, with more than
180,000 employees); 10 of the policies (or 35%) allow
only senior or supervisory officials to mark information
for protection; 7 policies (or 25%) allow departments
or offices to name a particular individual to oversee
information protection under the policy; and 3 policies
(or 11%) do not clearly specify who may implement the
policy.
- In contrast, 12 of the policies (or 43%) are
unclear or do not specify how, and by whom, protective
markings can be removed. Only one policy includes
a provision for automatic decontrolling after the passage
of a period of time or particular event. This is in marked
contrast to the classification (Note 1)
system, which provides for declassification after specified
periods of time or the occurrence of specific events.
- Only 7 out of 28 policies (or 25%) include qualifiers
or cautionary restrictions that prohibit the use of the
policy markings for improper purposes, including
to conceal embarrassing or illegal agency actions, inefficiency,
or administrative action. Again, this is distinguishable
from the classification system, which explicitly prohibits
classification for improper purposes.
- There is no consistency among agencies as to
how they treat protected sensitive unclassified information
in the context of FOIA. In a number of the agency
policies, FOIA is specifically incorporated, either as
a definition of information that may be protected or as
a means to establish mandatory withholding of particular
information subject to a sensitive unclassified information
policy. Some agencies mandate ordinary review of documents
before release, without regard to any protective marking.
Others place supplemental hurdles that must be surmounted
before sensitive information may be released to the public,
for example the requirement of specific, case-by-case
review by high-level officials for each document requested.

This Study finds that the procedures and regulations for
safeguarding sensitive but unclassified information that
were in use before September 11, particularly those protecting
nuclear and other major, potentially-susceptible infrastructure
information, differ markedly from the post-September 11 regulations.
The newest information protection designations are
vague, open-ended, or broadly applicable, thus
raising concerns about the impact of such designations on
access to information, free speech, and citizen participation
in governance. As these findings suggest, more information
control does not necessarily mean better information control.
The implications certainly suggest that the time is ripe
for a government-wide reform, with public input, of information
safeguarding.
Note 1. The term "classified" or "classification"
refers to information designated as protected under Executive
Order 12958, as amended by E.O. 13292.