It’s only February, and already this has been a busy year on the open government front. Two cases have come to light involving problems with “controlled unclassified information” (CUI) markings. Both cases involve the Department of Homeland Security’s (DHS) use of its CUI marking “sensitive security information” (SSI), and both cases highlight the need for improved policies regarding the public release of government information.
While we have all heard of classified information and realize the need to protect legitimately sensitive information, CUI fits into a very gray area. The use of the CUI marking rose dramatically after 9/11 as a way to manage all unclassified information in the executive branch that requires safeguarding or dissemination controls. However, such markings have grown in number and use, and some inside the government are questioning the need for all of them and their use to conceal embarrassing government information.
The Transportation Security Administration (TSA), in particular, is in the hot seat with its use of the SSI designation.
Recently, a DHS Inspector General (IG) report sharply criticized the way TSA screened a draft IG report. The IG wrote to TSA Administrator John Pistole questioning the decision to mark several items in the report as SSI and noted the conflict that the “very same office that initially and improperly marked the information as SSI” was the office that affirmed the original redactions to the report. The DHS IG also wrote:
I believe that this report should be released in its entirety in the public domain. I challenged TSA’s determination because this type of information has been disclosed in other reports without objection from TSA, and because the language marked SSI reveals generic, non-specific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security. My auditors, who are experts in computer security, have assured me that the redacted information would not compromise transportation security.
The report was redacted for public release and an unredacted version was sent to Congress.
That criticism follows the bizarre case involving Robert MacLean, a TSA whistleblower who has just won his case before the Supreme Court. A read of the Court’s opinion raises major concerns about SSI markings and how those markings impact the Freedom of Information Act (FOIA). Specifically, the Court cited the statutory authority (49 U.S.C. § 114(r)(1)) allowing DHS to create a regulation to prohibit the disclosure of certain types of information, including information requested pursuant to a FOIA request. But the Court didn’t speak to whether the authorizing statute had the level of specificity required to prohibit MacLean’s disclosure as the Court of Appeals for the Federal Circuit had found.
Additionally, the Supreme Court did not point out that the same statute allowing the establishment of SSI cannot be used to 1) conceal a violation of law, inefficiency, or administrative error; 2) prevent embarrassment to a person, organization, or agency; 3) restrain competition; or 4) prevent or delay the release of information that does not require protection in the interest of transportation security. That certainly seems like the situation in the MacLean case. Despite overturning its decision to remove air marshals from flights back in 2003, on August 31, 2006—four months after MacLean’s termination and three years after his disclosure to national media that proposed TSA operational changes would undermine aviation security—the TSA issued an “Agency Final Order” which retroactively marked the information he disclosed as SSI. The agency’s handling of this situation is more rooted in justifying MacLean’s firing than in safeguarding sensitive information.
DHS efforts to withhold information from the public goes even further: it told the Merit Systems Protection Board that its opinion in the MacLean case was SSI. The MSPB didn’t challenge that designation, and it was only after MacLean’s attorney, Tom Devine from the Government Accountability Project, protested DHS’s claim that DHS gave MSPB permission to release the decision.
TSA’s use of SSI labels has come under fire in the past, too. Last year, the House Committee on Oversight and Government Reform released a joint report detailing concerns about SSI markings. The Committee found inconsistent application of the designation and the improper use of SSI. The report highlighted one case in which TSA “used the SSI designation to prevent the release of documents to FOIA requesters related to Whole Body Imagers.” Former SSI Office Director Andrew Colsky testified that he
personally overheard where there was information in the responsive documents that was not by any stretch of the imagination at all SSI, but was either embarrassing or was something that they just didn’t want the other side to know. And there was extreme pressure from again I’ll use the term ‘front office’ to mark it as SSI.
President Obama has weighed in on CUI markings in an executive order, attempting to standardize the process and emphasize that “[i]f there is significant doubt about whether information should be designated as CUI, it shall not be so designated.” However, the National Archives and Records Administration(NARA), the agency tasked with improving CUI practices, is moving at a snail’s pace. The proposed regulation should be out in early 2015, but, don’t expect the government to change its ways anytime soon. According to NARA, based on the spread of markings and agencies’ unwillingness to move too quickly, implementation of the improved CUI system won’t occur until FY 2018-2019 at the earliest. Let’s hope that NARA moves things along much more quickly and that TSA and other federal agencies that use CUI are held accountable for any misuse of the quasi-classification markings.