A federal judge in San Francisco has ordered (.pdf) the Department of Homeland Security's Bureau of Customs and Border Protection (CBP) to give me additional documents on a cyber attack that shut down portions of the national border screening system last year.
The government had argued that releasing more than six partially-blacked-out pages on the August 2005 incident would make the sensitive US-VISIT system vulnerable to computer intruders. After reviewing the 672 pages of documents the government has in its possession, U.S. District Court Judge Susan Illston is unconvinced.
The $400 million US-VISIT program is a network of Windows PCs and mainframe servers that takes fingerprints and digital photos of travelers as they enter the country, and checks each visitor against scores of national security and criminal watchlists.
In August, the system mysteriously crashed at some major U.S. airports, leading to long queues as international visitors waited to be screened. But the outage was only tersely, and inconsistently, explained to the public: DHS initially said a computer virus had infected one of the backend mainframe servers. Later, the agency reversed itself and claimed there was no virus, and described the outage as a routine computer crash.
By that time, I'd already filed a request for documents pertaining to the incident under the Freedom of Information Act. In response, CBP called me and asked me to voluntarily withdraw my inquiry. When I declined, the agency lost my request. I refiled it, CBP denied it in full, then didn't respond to an administrative appeal.
After I filed a federal lawsuit, represented by the Stanford Law School Cyberlaw Clinic, CBP turned over six pages (.pdf) of documents. While heavily redacted, the documents revealed that the Moroccan-born Zotob virus infected agency computers after CBP personnel made the strategic decision to hold off on installing a Microsoft security patch that would have blocked it. I did a story in April.
How an internet virus got into a supposedly secure network responsible for keeping terrorists from coming through Customs remains a mystery outside of DHS -- and perhaps inside as well.
I don't expect to learn that tidbit from the documents Judge Illston just ordered released. But the pages might provide the first full accounting of how severely US-VISIT was compromised.
The court rejected our argument that CBP didn't conduct a thorough enough search of its records, and found that some of the information was properly withheld as either too trivial to release, or genuinely in danger of aiding criminals.
The most important element of the ruling is probably Judge Illston's rejection of one broad government claim: that most of the 672 pages of documents are exempt from disclosure under FOIA exemption 7, which protects information "compiled for law enforcement purposes."
Under the government's interpretation, virtually any document produced by an agency with a law enforcement function could be withheld from the public. The court said, no way.
The ruling potentially challenges the current Department of Justice's press-hostile FOIA policy, which urges agencies to push the boundaries of exemption 7, "mindful that the courts have properly given deference to agency expertise in this area -- particularly in post-9/11 judicial decisions, which repeatedly advert to the tragic events of that day and to how 'American life [has] changed drastically and dramatically.'"
The government can appeal the decision. If it doesn't, it has until October 6th to turn over another 57 pages about the computer attack it once denied ever took place.