FOIA requests for software


Christopher Sean Morrison

Aug 18, 2010, 12:52:43 PM
to Military Open Source Software
Per the previous discussion, here are some interesting DoD regulations
that pertain to software and FOIA requests.

Air Force
DoD Regulation 5400.7/Air Force Supplement
DoD Freedom of Information Act Program (24 June 2002)
http://www.foia.af.mil/shared/media/document/AFD-070702-060.pdf
p.131: "NOTE: Some electronic data requests may include a request for
software. You may have to release government-developed software that
is not otherwise exempt, if requested under the FOIA. Exemptions 1 -
classified software, 2 - testing, evaluation, or similar software, 3 -
exempt by statute, 5 - deliberative process/privileged software, and 7 -
law enforcement operations software may apply, based on the nature of
the requested software."

Army
Army Regulation 25-55
The Department of the Army Freedom of Information Act Program
(1 November 1997)
http://www.army.mil/usapa/epubs/pdf/r25_55.pdf
p.9: 1-402. Agency Record: "2.b: The following are not included within
the definition of the word 'record:' ... Normally, computer software,
including source code, object code, and listings of source and object
codes, regardless of medium, are not agency records. ... Exceptions to
this position ... are in 2.c: In some instances, computer software may
have to be treated as an agency record and processed under the FOIA.
These situations are rare, and shall be treated on a case-by-case
basis. Examples ...."

Navy
SECNAV Instruction 5720.42F
Department of the Navy Freedom of Information Act Program
(2 January 1999)
http://foia.navy.mil/secnavinst5720/5720_42f.pdf (this one annoyingly
is a horrible OCR'd scan)
p.79: FOIA exemption for "(c) computer software, the release of which
would allow circumvention of a status or DON rules, regulations,
orders, manuals, directives, or instructions. In this situation, the
use of the software must be closely examined to ensure a circumvention
possibility exists."


So the Air Force explicitly thinks they are, the Army says "usually
not", and Navy doesn't say much at all except the standard exemption
clauses that all three mention.

A few more interesting DoJ references that influenced the 1996 FOIA
amendments to cover electronic data:

http://www.justice.gov/oip/foia_updates/Vol_XV_4/foiaelectronic.htm
http://www.justice.gov/oip/foia_updates/Vol_XV_4/foia4.htm

They unambiguously state that software is a record.

Cheers!
Sean

Christopher Sean Morrison

Aug 18, 2010, 1:04:29 PM
to Military Open Source Software
Aha! After much searching, I believe I located the DOE reference that
Risacher was referring to as a precedent that software is not a
record. In the DoJ's 2009 FOIA Guide, they specifically refer to a
series of court litigations that supported both sides of the issue:

Page 11 gets to the heart:

http://www.justice.gov/oip/foia_guide09/procedural-requirements.pdf

"The question of whether computer software is included within the
definition has been decided according to the particular nature and
functionality of the software at issue. [63]"

Footnote 63 identifies three court cases:
1) Gilmore v. DOE: "software .. was not a record under FOIA
because ... it does not illuminate anything about [agency's] structure
or decisionmaking process"

2) Cleary, Gottlieb, Steen & Hamilton v. HHS: "software program was a
record because it was 'uniquely suited to its underlying database'"

3) Cf. Essential Info, Inc. v. USIA: suggesting internet addresses are
not records but means to access records

So, basically, it depends what the software does. If it doesn't
influence decisions or indicate organizational structure, you might
have a hard time getting a FOIA request through. Thoughts?

Wheeler, David A

Aug 18, 2010, 6:10:33 PM
to mil...@googlegroups.com
CENDI's document on OSS has some stuff about FOIA. Question 6.7 from:
http://cendi.gov/publications/09-1FAQ_OpenSourceSoftware_FINAL_110109.pdf
makes some statements.

I will say that in general, if a citizen wants to get software released, there can't be any harm in filing a FOIA request. Sometimes the law will require a release under the FOIA rules. Sometimes a department or agency may establish policies or interpretations that require release, even if the law doesn't specifically require it. And a program may decide that, even if they are not *required* to release under FOIA, they will release it anyway. Obviously, such a request will be denied if it's classified, etc., but that would be true anyway.

--- David A. Wheeler


================== From CENDI ========================

6.7 Is software considered an agency record covered by the Freedom of Information Act (FOIA)?

Generally, no, although in some instances, computer software may have to be treated as an agency record and disclosed under the FOIA. These situations are rare, and should be reviewed on a case-by-case basis to determine whether the data on the software requires that it be treated as an agency record subject to FOIA.

Releasing open source software under FOIA may be problematic if it contains sensitive or critical data. Thus, in addition to the security concerns discussed in FAQ 4.0, agencies should also consider whether software that they use or distribute under an open source licensing arrangement would be considered an agency record.

Specific examples of computer software treated as an agency record that may be processed under the FOIA include software that: (1) contains an embedded database that cannot be extracted and is itself releasable under the FOIA; (2) reveals information about agency policy, functions, decision making, or procedures; or (3) is so related to such an accompanying database that the database itself would be unintelligible or unusable without the software. In the first scenario, both the data and the software must be reviewed for release or denial under the FOIA.

See relevant regulations and cases addressing this issue, such as 32 C.F.R. 518.10 (c), Gilmore v. Department of Energy, 4 F. Supp 2d 912 (N.D. CA 1998), and DeLorme Pub. Co. v. NOAA, 907 F. Supp. 10 (D. Me 1995).

Christopher Sean Morrison

Aug 18, 2010, 7:21:57 PM
to Military Open Source Software


On Aug 18, 6:10 pm, "Wheeler, David A" <dwhee...@ida.org> wrote:
> CENDI's document on OSS has some stuff about FOIA.  Question 6.7 from:
>  http://cendi.gov/publications/09-1FAQ_OpenSourceSoftware_FINAL_110109...
> makes some statements.
>
> I will say that in general, if a citizen wants to get software released, there can't be any harm in filing a FOIA request.  Sometimes the law will require a release under the FOIA rules.  Sometimes a department or agency may establish policies or interpretations that require release, even if the law doesn't specifically require it.  And a program may decide that, even if they are not *required* to release under FOIA, they will release it anyway.  Obviously, such a request will be denied if it's classified, etc., but that would be true anyway.

Quite true and a very important point. I find it bothersome that the
CENDI FAQ takes a rather pessimistic deterministic tone, concentrating
on the problems instead of the solutions and making requests seem
practically impossible. The DoJ's FOIA guide does not take that
position and I would consider the DoJ more authoritative than CENDI on
the matter.

Those court cases also long predate the 2007 openness memo that
directs a culture change no longer defaulting to 'no'. "The
presumption of disclosure should be applied to all decisions involving
FOIA." They also predate the 2005 headliner news topic surrounding
the FBI's Carnivore and Omnivore codes (the latter was released under
FOIA).

More importantly, as you note many organizations will respond to a
FOIA request for software regardless, so why not try.

Cheers!
Sean

Christopher Sean Morrison

Aug 18, 2010, 7:24:33 PM
to Military Open Source Software


On Aug 18, 7:21 pm, Christopher Sean Morrison <brl...@mac.com> wrote:

> Those court cases also long predate the 2007 openness memo that
> directs a culture change no longer defaulting to 'no'.  "The

The *2009* openness memo..

I've apparently been reading too many regulations today, cross-
checking dates.

Daniel Risacher

Aug 18, 2010, 11:21:55 PM
to mil...@googlegroups.com
I'm impressed with your thoroughness, Sean!

I concur: Gilmore vs. DoE case was the one I was referring to, based
on discussion at the CENDI OSS workshop. It looks like the door isn't
as shut as it was presented to me, but it's not very open either.
