Should Government Security System Contracts Be Exempt From Disclosure?

In May, we showed you how to obtain government surveillance contracts using FOIA. We routinely use FOIA to get copies of contracts and RFPs that we review on IPVM. Most state and local FOIA regulations have provisions that exempt them from disclosing documents related to security, but they don't use them because contracts and agreements are usually looked at as fiscal documents rather than security documents.

Last June I received my first rejection from a local government using a security exemption. The entity cited an exemption that protects information that would "jeopardize the security of a public agency."

I'd like to know your opinions:

If so, why?

If not, do you worry the information could "fall into the wrong hands?"


What, just a list of equipment and amount paid? How could that jeopardize anything? It's not like you're asking for locations, after all. Maybe it would be different if anyone invented analytics that actually worked, and you could figure out how to spoof the analytics based on known capabilities. Or something.

I agree with Ari, they should not be allowed to dismiss requests out of hand citing the too broad reason of "security concerns".

When I requested the winning contract for the 2012 Republican National Convention I got a redacted copy, which I understood, but it still had enough information to give me what I was looking for, which was what were the brands used, who did the work and how much it cost.

Sad thing is sometimes agency employees either don't know what legally they have to or not have to disclose, or maybe they don't want to bother so they just say "I can't disclose that". It's not their money if there's a challenge so sometimes the only way to get info is to get a lawyer and file suit.

Luis, what about this rejection above? Would you say the one was too broad?

It's also worth mentioning that the house just passed a new FOIA bill. The Reporter's Committee for Freedom of the Press sums it up pretty well here:

"H. B. 1211 creates a presumption of openness, allowing a document to be withheld only if an agency 'reasonably foresees that disclosure would cause specific identifiable harm to an interest protected by an exemption, or if disclosure is prohibited by law.' Current FOIA law simply instructs agencies to release non-exempt information, rather than starting from the presumption that all information should be released and only then applying narrow exemptions."

It looks like there were some yes votes. I'd be interested in hearing more from those. Feel free to comment undisclosed.

Some people still believe in security through obscurity, I guess.

I know a lot of people in the business don't want others to know the details of what they charge, sell and do made public.

Would you like an example? Avigilon Fanbois Freak Out At Carlton's Post on Dallas Airport

That brings up another good point. Once a long time ago, I requested a contract from a city agency and instead of providing the information, the agency contacted the company and gave them a heads up.

In turn, the company tried to get an injunction to block the release of the records saying that it contained private information (exec addresses and cell phone numbers) and proprietary information. In the end the documents were still released, but redacted. But companies will sometimes go great lengths to block the release of information. That wasn't the first time I've heard of that tactic.

To be honest, I'm surprised no one has tried to do that to IPVM when we request contracts.

Just finished reading that epic codec caper of an article on love field. One thing presents itself though, unless I'm reading it wrong, it lists at least 48 2u avigilon nvr's for 500 cameras. Now i know that jpeg2000 takes a whole heap more a storage that h.264(who could read that thread and forget that?!) but why so many of them servers? Do they have a limitation on storage per nvr? I read how Avigilon was roundly condemned here for only 32 nvrs per 1000? This one is 48 for 500! Isn't that the biggest over spec of all?

p.s. this probably isn't the right slot for this comment but I didn't want re-ignite those two threads and get burned.

Jim, that's just another one of the benefits of JPEG2000!

The massive bitrate per cameras not only drive storage costs but also shrinks how many cameras a server can handle. Fundamentally, server capacity is driven by throughput and throughput is based on bitrate, ergo very few super high bandwidth JPEG2000 cameras can be handled by servers.

And, yes, while Avigilon dealers go nuts about this, being able to analyze real world projects and pricing makes it far easier to understand key tradeoffs.

So should that other discussion be rebranded from "32 nvrs for 1000 cameras" to "jpeg2000: here we go again?", though I suppose we should give them credit for getting their cameras per nvr up to 30 as opposed to 10 on the love field job.

Its a long thread but it didn't seem to finger jpeg2000 as the culprit.

On a new project like that (32 recorders for 1000 cameras), it is unlikely that there are many JPEG2000 cameras, simply because most have been discontinued. That said, it certainly could be a factor but shame on anyone who is using MJPEG or JPEG2000 for recording surveillance in 2013 / 2014.

Hold up! I think you solved the mystery then, it was a h.264 job using the old jpeg2000 capacity planning matrix!

I think some of those yes votes you got presumed if there was sensitve information that could jeapordize security, then if should air on the side of secuurity. While those that answered no presumed that any compromising information would be removed or redacted, and thta you could not dismiss requests out of hand.

I think if you had a third vote option along the lines of "No, expect for security sensitive or security compromising parts are ok to be redacted", that would have gotten the most votes in my opinion.

This is sensitive information and could be used to compromise the system.

Who gets to make that determination? 'Sensitive' is a very subjective term.

"It could be used to compromise the system" is a nice sentence where literally anything could be substituted for 'it'.

The new FOIA Bill that Carlton mentions speaks to subjective determinations:

"...allowing a document to be withheld only if an agency 'reasonably foresees that disclosure would cause specific identifiable harm.."

Can you be more specific, Joe...? :)

What is sensitive?

Here is an interesting news segment from last year out of Oklahoma that illustrates the need for better open records laws and what happens when agencies use some arbitrary definition of sensitive. There is now an exemption to Oklahoma public records laws for highway patrol dashcam video because it's "sensitive." They actually wrote the exemption into the law after the Department of Public Safety asked for it. Pretty much every agency sees dashcam video as public, but for some reason in Oklahoma it'll be a problem if the public gets a hold of it.

The Highway Patrol says they keep the video secret to protect the privacy of people in the videos.