An amendment has been proposed to Delaware’s Freedom of Information Act legislation, and Mark Headd, a tech exec who specializes in open government and civic access, thinks it could be problematic for open data transparency.
First, here’s what the proposed amendment says about § 10002(l)(17)a., Title 29 of the Delaware Code (the new stuff is underlined):
(l) “Public record” is information of any kind, owned, made, used, retained, received, produced, composed, drafted or otherwise compiled or collected, by any public body, relating in any way to public business, or in any way of public interest, or in any way related to public purposes, regardless of the physical form or characteristic by which such information is stored, recorded or reproduced. For purposes of this chapter, the following records shall not be deemed public:
(17)a. The following records, which, if copied or inspected, could jeopardize the security of any structure owned by the State or any of its political subdivisions, or could facilitate the planning of a terrorist attack, or could endanger the life or physical safety of an individual:
Information technology (IT) infrastructure details, including but not limited to file layouts, data dictionaries, source code, logical and physical design of IT systems and interfaces, detailed hardware and software inventories, network architecture and schematics, vulnerability reports, and any other information that, if disclosed, could jeopardize the security or integrity of an information and technology system owned, operated or maintained by the State or any public body subject to the requirements of this Chapter.
“I just really sort of raised my eyebrows a bit when I read it,” Headd said. “It’s going through the General Assembly, and at the same time, the governor is saying we’re going to push forward with open data.”
What’s troubling to him, Headd said, are the phrases “file layouts, data dictionaries and source code.”
“Data dictionaries are very useful, essential for open data sets, and file layouts, if you’re using an open data set, you need a file layout,” he said.
Source code is also a helpful tool with open data, he said, noting that the City of Philadelphia has been using GitHub extensively to release source code.
The phrase “software inventories” also concerns him. “While it is certainly possible for someone to request a list of software being used by state agencies as a potential attack vector, it seems pretty unlikely,” Headd wrote in an email. “There are lots of other ways to scan for vulnerabilities in software and systems that don’t require someone to submit a FOIA request.”
And FOIA-ing a list of the state government’s software could be helpful, he added, to shine a light on agencies needlessly buying the same kind of software from different vendors or buying software from politically connected vendors.
Ryan Harrington, an organizer of Open Data Delaware, talked with Headd about it and says Headd has a point about the bill’s language possibly posing problems. “His logic makes a lot of sense,” Harrington said. “I can see how SB 258 could be overreaching, though the spirit of the bill still makes sense.”
Headd said he doesn’t take issue with what the intent of the bill was, but wonders if the wording might be reconsidered: “It seems like the language could perhaps be reviewed in a little more general way … so that the intent is matched with the language here.”