1 Memorandum To: From: Date: Re:
TBD Jetmir Troshani Date goes here
Freedom of Information Act Outline
1. Freedom of Information Act (FOIA) A. Brief background B. Benefits associated with FOIA C. Risks associated with FOIA 2. Recommendations on how to improve FOIA A. Organizational structure and manning B. Staff training C. Resources and backlog 3. Computer abuse A. What it entails B. Examples of computer and internet crimes C. United States legislations on computer abuse D. United Kingdom legislations on computer abuse E. Singapore legislations on computer abuse F. Combined legislative approach Freedom of Information Act (FOIA) The Freedom of Information Act (FOIA) is a federal law that was ratified by the United States Congress in 1966 (Pozen, 2005, p.634). Under this law, the federal government agencies (i.e. FBI, CIA, etc) are legally compelled to provide information to the public on a need basis (Kreimer, 2007, p.1149). Any individual, including, US citizens, academic institutions and organizations (as well as foreign nationals) can file a FOIA request. In 1974, the Act was modified to enhance agency compliance. It was also revised in 1996 to allow better access to electronic information (National Security Archive, 2009, par 1). Benefits associated with FOIA
2 FOIA requests are more suitable for those individuals and organizations that want to make large requests that comprise numerous dissimilar types of confidential and non-confidential documents. Whereas confidential documents are subject to Mandatory Declassification Review (MDR), FOIA covers both confidential and nonconfidential materials. In case a FOI request is denied, the requester can appeal the decision within the federal agency and then institute legal proceedings against the agency in the court of law. However, the requester is barred from instituting legal proceedings in the court if the duration for processing his/her MDR request has not expired. Under the FOIA, federal agencies have precise time requirements as well as prospects for an accelerated review and fee waivers. FOI requesters are advised to seek MDR only if they have adequate knowledge about the record they need (National Security Archive, 2009, par 5).
Risks associated with FOIA There are a number of problems that a requester can encounter during the FOIA process. These include: Delays. For undisclosed reasons, a number of FOIA offices experience a backlog of request which may result in a substantial delay for a FOIA requester. Thus, requesters are advised to submit precise requests that will make it easy for the FOIA officers to locate the required document swiftly (National Security Archive, 2009, par 11). Operational File Exemption. A certain law, enacted in 1984, permits the CIA to exempt its operational files from the review requirements of FOIA. Other federal organizations that enjoy operational files exemptions include: National Security Agency (NSA);
3 National Geospatial-Intelligence Agency (NGA); and National Reconnaissance Office (NRO). These organizations are allowed by this law to exempt whole or part of their operational files from being subjected to the search/review requirements as stipulated by FOIA (National Security Archive, 2009, par 12). Dubious Secrecy. FOIA has homogenized language as well as precise directives for redaction processes. However, differences might emerge, in relation to decision to hold back information, both within and between federal agencies. These discrepancies may exist during the appeal process and follow through to a final decision (National Security Archive, 2009, par 13). Recommendations on how to improve FOIA Although the FOIA program provides a useful avenue with regard to information dispensation, it is highly decentralized and has numerous and different DOD Components missions, functions, organizations and locations. As a result, there are a few selected areas that must be improved. These include: organizational structure and manning; training; and backlogs/resources (Donley, 2006, p.11). Organizational structure and manning. A majority of FOIA offices are located within numerous dissimilar institutional elements. For example, some FOIA Offices are found within a functional institution such as IT systems which do not contribute to the overall mission of FOIA. Thus, the first step should be to ascertain the current locations of all FOIA offices in order to establish homogenous standards within the DOD. This will optimize the efficiency of all FOIA offices (Donley, 2006, p.11). Staff training. According to one study, only 76% of Freedom of Information Act staffs have obtained some form of FOIA training. In addition, it has been established that
4 senior FOIA leaders are not conversant with the FOIA requirements. Thus, there is an urgent need to develop a training program (i.e. FOIA Officer Certification Programme). The residential training program must be tailored for staff attorneys, senior leaders as well as FOIA personnel on a biennial basis (Donley, 2006, p.12). Resources and backlog. FOIA Offices have limited manpower resources to handle numerous requests. It is imperative that the required manpower is determined to minimize the backlogs in the FOIA Offices, especially those with a backlog that exceed 50 requests. Some of the remedial measures to be implemented include: identification of FOIA Offices with backlogs that exceed 50 requests; provision of adequate resources to FOIA Offices with heavy backlogs; and development of a staffing program for the identified FOIA Offices (Donley, 2006, p.18).
Computer Abuse Law Computer and internet usage has escalated in the recent years given the low costs associated with procuring a computer and internet connectivity. What’s more many people and different organizations nowadays prefer to carry out personal and/or business transactions via computers and automatic agents. However, given the anonymity associated with computer/internet usage, computer-related crimes are on the rise. Computer abuse entails crimes committed against the computer, the information/materials enclosed therein (i.e. data and software) as well as its uses as a processing device. Examples of computer abuse include cyber sabotage, unlawful use of computer services, and hacking. On the other hand, cyber crime entails unlawful
5 activities carried out via electronic communication media. One the major concerns facing individuals and organizations relates to identity theft and cyber-fraud that are committed via illegal use of online surveillance technology, spoofing and hacking. There are also other types of criminal activities carried out via online platform such as industrial espionage, cyber-terrorism, pornography, defamation and sexual harassment (Kunz & Wilson, 2004, p.3). Many countries have enacted several laws to curb computer-based crimes. It is worthy to mention that computer crimes are somewhat new phenomena associated with the digital era. What’s more, such crimes have adverse impact on the role of computer and internet as valuable resources that transcend physical frontiers with regard to communication and information sharing. It is against this backdrop that new unified legislations are urgently needed to protect and enhance a systematic digital environment. Computer crimes are simply novel ways to perpetrate conventional offenses via an electronic platform. As such, the current state laws are inadequate to curb the computer-based crimes (Kunz & Wilson, 2004, p.4). The following section will compare computer and internet legislations in three countries namely: United States, United Kingdom and Singapore. United States The legislation framework in the US entails a two-tier system whereby the Constitution grants authority to both the federal and state governments to enact laws. Federal laws are thus enacted in a situation where the problems have a national appeal and the solutions rely on a homogenous and consistent legislation that is applicable in all states. Consequently, computer and internet crimes (which transcend state borders)
6 provide an apt example of crimes that are susceptible to federal legislations. Given the political structure in the US, the enactment and enforcement of computer-based crimes rests with each state (Brenner, 2001, par. 1). According to the US Department of Justice (DOJ), computer crime is defined as any infringement of criminal laws that entails knowledge of computer for their perpetration, investigation, or prosecution. Ever since 1984, the US Congress has adopted a dual strategy in fighting computer crime. For example, The Counterfeit Access Device as well as Computer Fraud and Abuse Law [1984] and successive amendment Acts tackle offences whereby the computer is identified as the subject (Doyle, 2010, p.1). The approach employed by the federal government in controlling offenses that involve the computer as a device entails amending existing laws to include computer-based crimes. For example, the federal government has amended the US Sentencing Guidelines (USSG) to include punishments for conventional offenses carried out via computers (Doyle, 2010, p.3). There are various federal computer/cyber-based laws which make it illegal for an individual to gain unauthorized access to a computer (and information therein) without a prior consent from the owner. For example, the Identity Theft Penalty Enhancement act (ITPEA) of 2004 makes identity theft a criminal offense and imposes stringent sentences to punish phishers. The law addressing phishing activities was first enacted by the Congress in 2004 and amended in 2005 into Anti-Phishing Act [2005]. This law addresses the entire scam process. This law specifies that the phisher must have a criminal intention of executing a crime of identity theft or fraud before an offense is carried out (Doyle, 2010, p.3).
7 A salient aspect of this law is that it criminalizes the bait. The poisoned bait strategy illegalizes the intention to commit the crime. In other words, the law makes it unlawful to deliberately send out spoofed emails associated with bogus websites with the purpose of carrying out a crime. In addition, the law makes it illegal to operate fake websites for the purpose of engaging in criminal activities. As a result, this law provide avenues to prosecute the perpetrator before he/she actually execute the offense. In essence, this law possesses a pre-emptive aspect for these crimes (i.e. phishing and identity theft crimes) and lends credence to crime prevention and deterrence. Although such law is useful in curbing these crimes, it is subject to territorial constraints in terms of legislation reach as well as effective enforcement (Almahroos, 2007, p.597).
United Kingdom The current law used in the UK to combat computer-based criminal activities is the Computer Misuse Act (CMA) of 1990 (Clayton, 2006, p.3). However, several amendments to the law (as envisage in the Police and Justice Bill) have been proposed and forwarded to the House of Lord for deliberation. The only relevant CMA provision that addresses computer-based crimes is section 2 which criminalizes illegal access to any data or program in a computer with the purpose of aiding or assisting the execution of crime. The UK has a unique dual track strategy by ratifying the CMA for computerbased offenses and leaving computer-enabled conventional crimes to be handled by the current criminal laws. The application of conventional criminal concepts to nonconventional products, information, instruments, acts and actors attributed to novel
8 technology demand amendments, especially in relation to scope, definition and interpretation. The UK government has already accomplished this for a number of its laws, particularly those related to intellectual property crimes, pornography, theft and fraud. In addition, section 2 of CMA provides a sound basis to catch crimes that are executed via electronic channels (Clayton, 2006, p.5; Kirk, 2006, par.2). The Singapore Model Unlike the US’s legislative approach, which merges computer-related offenses and cyber offenses into a single legislative instrument, the Singapore model lends credence to crafting a computer offense specific law while leaving cyber offenses to be addressed by the current legislations via enhancement and amendment (Cheon et al., 2009, p.78; Chung et al., 2006, p.669). This model seems to follow the UK’s legislative approach to addressing computer crimes. For example, in Singapore, computer crimes are handled via the Computer Misuse Act (Cap. 50A) (CMA). On the other hand, cyber crimes are addressed via the Penal Code (Cap. 224) provision including a number of other laws. Nonetheless, these provisions are insufficient with respect to curbing computer-related crimes (Cheon et al., 2009, p.82). Combined Legislative Approach The advantage of an omnibus law is that it addresses computer-related crimes comprehensively. Such a law can provide impetus for cooperation and convergence as a joint statement for worldwide policy objectives. What’s more, a combine legislative model that is generally ratified can generate a consistent set of decrees and enforcement processes in various states. For example, the Cybercrime Convention may present an apt platform to promote dialogue and general consensus as well as
9 information sharing among different states in order to produce effective international legal solutions for computer crimes (Keyser, 2003, p.289; Archick, 2004, p.2). The Cybercrime Convention is the only global accord that can effectively protect all countries from computer-based crimes that are executed through the internet. The effectiveness of the Cybercrime Convention is subject to three salient aspects: ďƒ˜ The synchronization of state-based legislations on computer-based crimes. The main aim of Cybercrime Convention is to produce consistency among signatory countries with respect to the nature and scope of laws that criminalize computer crimes. For example, the Cybercrime Convention demands consistency with regard to legal description of terms such as traffic data, service provider, computer data and computer system (Schjolberg & Ghernaouti-Helie, 2011, p.9). ďƒ˜ The effectiveness of the Cybercrime Convention rests on the ability of signatory states to set up efficient local investigative processes and powers that address computer crimes as well as electronic evidence. It is thus imperative that all countries have consistent powers for inspecting computer crimes as well as collecting evidence. These powers must include interception of content records, search and seizure, and disclosure of traffic records (Schjolberg & Ghernaouti-Helie, 2011, p.9). ďƒ˜ The setting up of a rapid and efficient system of international collaboration with regard to the investigation and prosecution of computer crimes. In addition, the combined legislative approach will create a system that facilitates reciprocated support among signatory countries. The role of international reciprocated support in combating computer crimes cannot be understated given that internet usage transcends national borders. For instance, a computer-related offense executed in one state may have
10 adverse effects in another state. Thus, a combined legislative model provides a widespread avenue for punishing perpetrators of such crimes (Schjolberg & GhernaoutiHelie, 2011, p.9).
References Almahroos, R. (2007). Phishing for the Answer: Recent Developments in Combating Phishing. Journal of Law and policy for the Information society, 3(3), 595-621. Archick, K. (2004). Cybercrime: The Council of Europe Convention. Retrieved from http://fpc.state.gov/documents/organization/36076.pdf Brenner, S. (2001). State Cybercrime Legislation in the United States of America: A Survey, 7 Rich. J.L. & TECH. Retrieved from http://www.richmond.edu/jolt/v7i3/article2.html
11 Cheon et al. (2009). Analysis of Computer Crime in Singapore using Local English Newspapers. Singapore Journal of Library & Information Management, 38, 77 -102. Chung et al. (2006). Fighting cybercrime: A review and the Taiwan experience. Decision Support Systems, 41(3), 669-682. Clayton, R. (2006). Complexities in Criminalizing Denial of Service Attacks. Retrieved from http://www.cl.cam.ac.uk/~rnc1/complexity.pdf Donley, M.B. (2006). Department of Defence (DoD) Freedom of Information Act (FOIA) Improvement plan for Executive Order (EO), 13392: Improving Agency Disclosure of Information. Retrieved from http://www.fas.org/sgp/othergov/dod/foiaplan.pdf Doyle, C. (2010). Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws. Retrieved from http://www.fas.org/sgp/crs/misc/97-1025.pdf
Keyser, M. (2003). The Council of Europe Convention on Cybercrime. J. Transnational Law & Policy, 12(2), 287-326. Kirk, J. (2006). Analysts wary of U.K. cybercrime law revamp. Retrieved from http://www.computerworld.com/s/article/9000999/Analysts_wary_of_U.K._cyber rime_law_revamp?taxonomyId=82&taxonomyName=Cybercrime_Hacking Kreimer, S. (2007). Rays of Sunlight in a Shadow War: FOIA, the Abuses of Anti Terrorism and the Strategy of Transparency. Lewis & Clark Review, 11(4), 1141 -1220.
12 Kunz, M., & Wilson, P. (2004). Computer Crime and Computer Fraud. Retrieved from http://www.montgomerycountymd.gov/content/cjcc/pdf/computer_crime_study.p df National Security Archive. (2009). FOIA Basics. Retrieved from http://www.gwu.edu/~nsarchiv/nsa/foia/guide.html Pozen, D. (2005). The Mosaic Theory, National Security and the Freedom of Information Act. The Yale Law Journal, 115, 628-679. Schjolberg, S & Ghernaouti-Helie, S. (2011). A Global Treaty on Cybersecurity and Cybercrime. Retrieved from http://www.cybercrimelaw.net/documents/A_Global_Treaty_on_Cybersecurity_a d_Cybercrime,_Second_edition_2011.pdf