PSEUDO-CLASSIFICATION OF EXECUTIVE BRANCH DOCUMENTS: PROBLEMS WITH THE TRANSPORTATION SECURITY ADMINISTRATION’S USE OF THE SENSITIVE SECURITY INFORMATION (SSI) DESIGNATION
- 29 pages
- July 24, 2014
Under the Air Transportation Security Act of 1974, the Federal Aviation Administration (FAA) created a category of sensitive but unclassified information, frequently referred to as “Sensitive Security Information” (SSI), and issued regulations that prohibit the disclosure of any information that would be detrimental to transportation security. These regulations restrict disclosure of SSI, exempting information properly marked as SSI from release under the Freedom of Information Act.
After the 1988 bombing of a commercial airliner that crashed in Lockerbie, Scotland, the FAA made significant changes in aviation security, expanding the definition of SSI to include any information the FAA Administrator determined may reveal systemic vulnerabilities within the aviation system, or vulnerabilities of aviation facilities to attacks. Other definitional expansions included details of inspections and investigations, as well as alleged violations and certain agency findings. The SSI regulation was later expanded in order to limit access to protected information to those persons who have a “need-to-know.”
While the SSI designation can protect sensitive information, it is also vulnerable to misuse. Bipartisan concerns about the use of the SSI designation by the Transportation Security Administration (TSA), an agency of the Department of Homeland Security (DHS), have existed since the promulgation of the SSI regulations in 2004. Through its investigation, the Committee obtained witness testimony and documents that show possible misuse of the SSI designation by TSA. Witnesses detailed instances in which TSA barred the release of SSI documents against the advice of TSA’s SSI Office. TSA also released SSI documents against the advice of career staff in the SSI Office. The Committee’s investigation revealed that coordination challenges exist among the TSA Administrator, TSA’s Office of Public Affairs (OPA), and TSA’s SSI Office.
Witnesses testified that many of the problems related to the SSI designation process emanate from the structure of the SSI regulation itself. TSA’s SSI Office is staffed with career employees tasked with assisting in the SSI designation process. The final authority on SSI designation, however, rests with the TSA Administrator. Pursuant to the regulation, the TSA Administrator must provide certain documentation supporting his SSI designations. Yet, witnesses interviewed by the Committee stated that there were multiple incidents in which the SSI Office was not consulted or where TSA took actions against the advice of SSI Office officials. Further, such actions occurred without the TSA Administrator providing required written documentation supporting the action.
Due to this contentious relationship and the failure to follow proper procedures, the SSI Office struggled to carry out its statutory obligations effectively. While the TSA Administrator has the final authority to determine whether information is SSI, he is also required under the regulations to submit written explanations of his decisions to the SSI Office in a timely fashion. Unfortunately, the repeated failure to submit written determinations before taking actions on SSI caused a rift between senior TSA leadership and the SSI Office. This rift resulted in inconsistencies, which could be detrimental to the process for protecting sensitive information.
This report explores issues related to the current TSA SSI designation process and recommends improvements to ensure that sensitive information is properly protected while non-sensitive information is properly released to the public. TSA’s use of SSI reveals a broader problem of pseudo-classification of information in federal departments and agencies. Limits on such labeling of information are needed to provide greater transparency and accountability to the public while promoting information security.
…
SSI is not classified national security information and therefore not afforded the same protections as classified information. SSI is defined in the Homeland Security Act of 2002 as information obtained or developed during security activities, “if the Under Secretary decides that disclosing the information would (A) be an unwarranted invasion of personal privacy; (B) reveal a trade secret or privileged or confidential commercial or financial information, or (C) be detrimental to the security of transportation.” In order for information to be SSI, it must be related to transportation security, and it must fall under one of the 16 categories of SSI as defined in the SSI regulation.
Although SSI is not subject to the handling requirements governing classified national security information, it is subject to the handling procedures required by TSA’s SSI regulation. Restrictions on access to SSI and penalties for unauthorized disclosure of SSI are much less severe. A security clearance is not required to gain access to SSI, and criminal penalties may not be imposed in the event of unauthorized disclosure of SSI. Unauthorized disclosure of SSI may, however, result in civil penalties and/or other enforcement or corrective actions.
…
VI. Inappropriate Use of the SSI Designation to Prevent FOIA Releases
FINDING: TSA improperly designated certain information as SSI in order to avoid its public release.
Witnesses interviewed by the Committee testified about instances in which TSA inappropriately withheld documents from FOIA requesters because it was deemed SSI. Former SSI Office Director Andrew Colsky testified that TSA used the SSI designation to prevent the release of documents to FOIA requesters related to Whole Body Imagers (WBIs). He stated:
There’s certain public interest groups out there that do a lot of FOIA requests over these types of things, and one of them did a FOIA request about information related to those scanners, I guess, and their ability to store images or not store images or whatever. And now this is being—you know, coming secondhand, but from a significant number of highly reliable sources, and — I don’t want to say anything to get anybody in trouble — and things that I personally overheard where there was information in the responsive documents that was not by any stretch of the imagination at all SSI, but was either embarrassing or was something that they just didn’t want the other side to know. And there was extreme pressure from again I’ll use the term ‘front office’ to mark it as SSI.
Colsky also discussed other ways that TSA may be withholding information from disclosure under FOIA. He stated:
[C]urrently I sit in the Freedom of Information Act office. And one of the first things I was told when I got there from both attorneys and FOIA processors was, oh, yeah, don’t worry about it, because if you come across embarrassing information or whatever, [the Chief Counsel] will just hide it and come up with an exemption; because if you cover it with a FOIA exemption, it’s so hard for the other person to challenge it, and it will be costly and difficult for them to challenge it, and they’re probably never going to see it anyway, so you just get away with it. That’s the way it’s done.