Subscriber Discussion

Should Government Security System Contracts Be Exempt From Disclosure?

CP
Carlton Purvis
Feb 27, 2014

In May, we showed you how to obtain government surveillance contracts using FOIA. We routinely use FOIA to get copies of contracts and RFPs that we review on IPVM. Most state and local FOIA regulations have provisions that exempt them from disclosing documents related to security, but they don't use them because contracts and agreements are usually looked at as fiscal documents rather than security documents.

Last June I received my first rejection from a local government using a security exemption. The entity cited an exemption that protects information that would "jeopardize the security of a public agency."

I'd like to know your opinions:

If so, why?

If not, do you worry the information could "fall into the wrong hands?"

Avatar
Ari Erenthal
Feb 27, 2014
Chesapeake & Midlantic

What, just a list of equipment and amount paid? How could that jeopardize anything? It's not like you're asking for locations, after all. Maybe it would be different if anyone invented analytics that actually worked, and you could figure out how to spoof the analytics based on known capabilities. Or something.

Avatar
Luis Carmona
Feb 27, 2014
Geutebruck USA • IPVMU Certified

I agree with Ari, they should not be allowed to dismiss requests out of hand citing the too broad reason of "security concerns".

When I requested the winning contract for the 2012 Republican National Convention I got a redacted copy, which I understood, but it still had enough information to give me what I was looking for, which was what were the brands used, who did the work and how much it cost.

Sad thing is sometimes agency employees either don't know what legally they have to or not have to disclose, or maybe they don't want to bother so they just say "I can't disclose that". It's not their money if there's a challenge so sometimes the only way to get info is to get a lawyer and file suit.

CP
Carlton Purvis
Feb 27, 2014

Luis, what about this rejection above? Would you say the one was too broad?

It's also worth mentioning that the house just passed a new FOIA bill. The Reporter's Committee for Freedom of the Press sums it up pretty well here:

"H. B. 1211 creates a presumption of openness, allowing a document to be withheld only if an agency 'reasonably foresees that disclosure would cause specific identifiable harm to an interest protected by an exemption, or if disclosure is prohibited by law.' Current FOIA law simply instructs agencies to release non-exempt information, rather than starting from the presumption that all information should be released and only then applying narrow exemptions."

CP
Carlton Purvis
Feb 27, 2014

It looks like there were some yes votes. I'd be interested in hearing more from those. Feel free to comment undisclosed.

Avatar
Ari Erenthal
Feb 27, 2014
Chesapeake & Midlantic

Some people still believe in security through obscurity, I guess.

JH
John Honovich
Feb 27, 2014
IPVM

I know a lot of people in the business don't want others to know the details of what they charge, sell and do made public.

Would you like an example? Avigilon Fanbois Freak Out At Carlton's Post on Dallas Airport

CP
Carlton Purvis
Feb 27, 2014

That brings up another good point. Once a long time ago, I requested a contract from a city agency and instead of providing the information, the agency contacted the company and gave them a heads up.

In turn, the company tried to get an injunction to block the release of the records saying that it contained private information (exec addresses and cell phone numbers) and proprietary information. In the end the documents were still released, but redacted. But companies will sometimes go great lengths to block the release of information. That wasn't the first time I've heard of that tactic.

To be honest, I'm surprised no one has tried to do that to IPVM when we request contracts.

JH
Jim Hall
Mar 04, 2014

Just finished reading that epic codec caper of an article on love field. One thing presents itself though, unless I'm reading it wrong, it lists at least 48 2u avigilon nvr's for 500 cameras. Now i know that jpeg2000 takes a whole heap more a storage that h.264(who could read that thread and forget that?!) but why so many of them servers? Do they have a limitation on storage per nvr? I read how Avigilon was roundly condemned here for only 32 nvrs per 1000? This one is 48 for 500! Isn't that the biggest over spec of all?

p.s. this probably isn't the right slot for this comment but I didn't want re-ignite those two threads and get burned.

JH
John Honovich
Mar 04, 2014
IPVM

Jim, that's just another one of the benefits of JPEG2000!

The massive bitrate per cameras not only drive storage costs but also shrinks how many cameras a server can handle. Fundamentally, server capacity is driven by throughput and throughput is based on bitrate, ergo very few super high bandwidth JPEG2000 cameras can be handled by servers.

And, yes, while Avigilon dealers go nuts about this, being able to analyze real world projects and pricing makes it far easier to understand key tradeoffs.

JH
Jim Hall
Mar 04, 2014

So should that other discussion be rebranded from "32 nvrs for 1000 cameras" to "jpeg2000: here we go again?", though I suppose we should give them credit for getting their cameras per nvr up to 30 as opposed to 10 on the love field job.

Its a long thread but it didn't seem to finger jpeg2000 as the culprit.

JH
John Honovich
Mar 04, 2014
IPVM

On a new project like that (32 recorders for 1000 cameras), it is unlikely that there are many JPEG2000 cameras, simply because most have been discontinued. That said, it certainly could be a factor but shame on anyone who is using MJPEG or JPEG2000 for recording surveillance in 2013 / 2014.

JH
Jim Hall
Mar 04, 2014

Hold up! I think you solved the mystery then, it was a h.264 job using the old jpeg2000 capacity planning matrix!

Avatar
Luis Carmona
Mar 03, 2014
Geutebruck USA • IPVMU Certified

I think some of those yes votes you got presumed if there was sensitve information that could jeapordize security, then if should air on the side of secuurity. While those that answered no presumed that any compromising information would be removed or redacted, and thta you could not dismiss requests out of hand.

I think if you had a third vote option along the lines of "No, expect for security sensitive or security compromising parts are ok to be redacted", that would have gotten the most votes in my opinion.

JW
Joe Walker
Mar 02, 2014

This is sensitive information and could be used to compromise the system.

Avatar
Marty Major
Mar 02, 2014
Teledyne FLIR

Who gets to make that determination? 'Sensitive' is a very subjective term.

"It could be used to compromise the system" is a nice sentence where literally anything could be substituted for 'it'.

The new FOIA Bill that Carlton mentions speaks to subjective determinations:

"...allowing a document to be withheld only if an agency 'reasonably foresees that disclosure would cause specific identifiable harm.."

Can you be more specific, Joe...? :)

CP
Carlton Purvis
Mar 03, 2014

What is sensitive?

Here is an interesting news segment from last year out of Oklahoma that illustrates the need for better open records laws and what happens when agencies use some arbitrary definition of sensitive. There is now an exemption to Oklahoma public records laws for highway patrol dashcam video because it's "sensitive." They actually wrote the exemption into the law after the Department of Public Safety asked for it. Pretty much every agency sees dashcam video as public, but for some reason in Oklahoma it'll be a problem if the public gets a hold of it.

The Highway Patrol says they keep the video secret to protect the privacy of people in the videos.

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions