Should public bodies in Illinois, like cities and school districts
and sheriff’s departments, be allowed to hide information from Freedom
of Information requests by keeping them in databases? That question is
before the 104th Illinois General Assembly, thanks to a bill sponsored
by Donald P. DeWitte, elected state senator by the wise citizens of
Batavia and Elgin (motto: “The City In The Suburbs”; indeed), and
prompted in part by my friend Matt Chapman.
I play a very small part in this story, so I get to tell it.
Background
Illinois has an excellent,
toothy FOIA statute.
With very
few exceptions, any information collected by an Illinois public body
is public property. Anybody is entitled to ask for it. You can’t
generally be charged for asking. Public bodies can’t really limit the
number of requests you make. They get just 5 days to respond, with 5
additional extension days if requested in writing. Improper denials can
get you legal fee recovery if you sue over them, so there are lawyers
that will take these cases on contingency. It’s pretty neat!
I think people are too shy about making FOIA requests. It’s easier
than it looks! You just need to send an email to the public body you
want information from. Put “FOIA” in the subject line. By law, there’s
no more ceremony to it than that. And you’ll find that the people
responding to those emails are generally kind and happy to help.
The one big limitation of Illinois FOIA (with FOIA laws everywhere, really)
is that you can’t use them to compel public bodies to create new
records. Often, what you’ll be looking for is some kind of report about
some issue of public policy. If that exact report exists, you’re golden.
But if it doesn’t, you have to find and request the raw data for that
report, and you have to assemble it yourself. This limitation is about
to matter a lot.
To understand what’s happening in this story, I’m going to have to
explain a technical concept: the idea of a “database schema”. More and
more of the information tracked by public bodies now lives in databases,
rather than filing cabinets or shared drives. Databases are organized
according to schemas.
Think of a modern database as a huge Excel spreadsheet file, with
many dozens of tabs. Each tab has a name; under each of those tabs is a
separate spreadsheet. Each spreadsheet has a header row, labeling the
columns, like “price” and “quantity” and “name”. A database schema is
simply the names of all the tabs, and each of those header rows.
Congratulations! You now understand databases.
Matt Chapman vs. City of Chicago
My friend Matt is a self-styled “civic
hacker” and a national expert at performing data journalism with
large-scale FOIA requests. Matt’s love language is pushing FOIA statutes
to their limits, sniffing out buried data and bulk-extracting it with
clever requests.
A good example of the kind of stuff Matt does is this ProPublica
collaboration about how Chicago issues parking tickets. After Matt
was towed over a facially bogus ticket and successfully took the city to
court over it, he got curious about the patterns of towing for things
like compliance violations. As it turns out, parking tickets have pushed
thousands of Illinoisans into bankruptcy, and, once you get
your hands on the ticket data, it turns out there’s a very clear
pattern of majority-Black neighborhoods being systematically targeted
for higher enforcement.
In the course of this reporting work, Matt learned about a system
Chicago operates called CANVAS. CANVAS is the central repository for all
parking ticket data in the city. It’s a giant database, and Matt would
very much like to know what’s in it. So he filed a FOIA request for the
CANVAS database schema.
The city flatly refused. To do so, they relied on a specific
exemption in the statute:
“(o) Administrative or technical information associated with
automated data processing operations, including but not limited to
software, operating protocols, computer program abstracts, file layouts,
source listings, object modules, load modules, user guides,
documentation pertaining to all logical and physical design of
computerized systems, employee manuals, and any other information that,
if disclosed, would jeopardize the security of the system or its data or
the security of materials exempt under this Section.”
In plain English, this exemption says that public bodies aren’t
required to reveal information that might jeopardize the security of
their systems. You obviously can’t FOIA logins and passwords. You also
generally can’t FOIA the source code of programs they run. Chicago
claimed that Matt was a “hacker”, and that the CANVAS schema could in
the wrong hands put the city at risk.
With the help of Merrick Wayne and Matt Topic of Loevy and Loevy,
Matt sued the city. Here’s where I come in.
They Put Me On The Stand
Is the CANVAS schema too scary to give Matt Chapman? To decide that,
we have to answer a bunch of questions:
- Does disclosure
11 Comments
tptacek
Kurt posted this to troll me. Just know my audience here was, mostly, non-technical people involved in politics in my local Chicagoland municipality.
Permit me a PSA about local politics: engaging in national politics is bleak and dispiriting, like being a gnat bouncing off the glass plate window of a skyscraper. Local politics is, by contrast, extremely responsive. I've gotten things done — including a law passed — in my spare time and at practically no expense (drastically unlike national politics).
An amazing thing about local politics, at least in a lot of places, is that they revolve around message boards. The boards won't be in places you want to be (in particular: a lot of them are Facebook Groups) and you just have to suck it up. But if you enjoy participating in a community like HN, you can participate in politics, too, and message-board your way towards making things happen.
duxup
Very interesting read.
It does seem absurd to think of divulging schema as protected, as described it allows for a magical sort of outcome where: "well it's in a database you can't know anything about, and if you can't tell me how to find it you're sol".
Working at a small company with lots of clients I wouldn't want to hand out DB schema outright, but I also go out of my way to search / get the client the data they want … not reject them.
bobsmooth
What stands out to me about this article is the time between court appearances. Seems like if you want to accomplish anything in court you need to be prepared to spend years of your life on it.
SunlitCat
So, you are little Bobby Tables, aren't you? :D
[0] https://xkcd.com/327/
wswope
Anyone with a legal background willing to opine about potential workarounds to this ruling?
Specifically, would a request for “data field labels” (i.e. a column list without any table structure info) likely circumvent the exemption?
pavon
Great read. Frustrating that the court ruled that a schema was a file layout, since I don't think it is, but at the same time if it didn't fall under that exception, there is a strong arguments that would be considered "documentation pertaining to all logical … design of computerized systems". A schema is literally, the logical design of the database, and the database is a part of the computerized system. Once it was ruled that those examples are "per se" exempt it was a long shot to argue that schema wasn't covered by any of the examples.
hnthrow90348765
>just self-important message-board hedging
I can confidently say it does not stop at message boards for many people, self included
gowld
This is part of what discouraged me from going to law school. So much of litigation is Kabuki theater, grant rhetoric not in any way intended at achieving a just or logical outcomes, but designed only to the person in power an excuse to decide however they had already wanted to decide before the case was tried.
paulddraper
> I wrote that SQL schemas would provide “only marginal value” to an attacker. Big mistake. Chicago jumped on those words and said “see, you yourself agree that a schema is of some value to an attacker.” Of course, I don’t really believe that; “only marginal value” is just self-important message-board hedging. I also claimed on the stand that “only an incompetently built application” could be attacked with nothing but it’s schema. Even I don’t know what I meant by that.
The author seems an unsuitable expert witness.
You can't say "Even I don’t know what I meant by that" about statements under oath.
chaps
Hi everyone, I'm the plaintiff in this lawsuit. I'm still working on my companion post for tptacek's post! I'll have it ready Soon TM, but feel free to me any questions in the meantime here.
While you're waiting, check out this older post: https://mchap.io/that-time-the-city-of-seattle-accidentally-…
probably_wrong
Random thought: someone should drive to Chicago, get a parking ticket, and then make a FOIA request for all of their information contained in that database.
It won't be the whole database schema, but it would be a start.