VIRGINIA
FREEDOM OF INFORMATION
ADVISORY COUNCIL
COMMONWEALTH OF VIRGINIA
AO-04-05
April 28, 2005
Andrew Jennings
Hillsville, Virginia
The staff of the Freedom of Information Advisory Council is authorized
to issue advisory opinions. The ensuing staff advisory opinion
is based solely upon the information presented in your electronic
mail of March 9, 2005.
Dear Mr. Jennings:
You have asked whether a school district acted in compliance with
the Virginia Freedom of Information Act (FOIA) when it denied
your request for a list of websites and keywords blocked by
the school district's computer network firewall. You indicate
that you made a request for "a listing of websites and
keywords blocked on the district's firewall, and additionally
where websites and keywords are blocked geographically and
within schools." The school district denied your request,
citing the exemption from mandatory disclosure found in subdivision
3 of § 2.2-3705.2 of the Code of Virginia. You indicate
that you do not feel that this exemption is applicable to
the records you have requested.
Before proceeding with legal analysis of your question, it is necessary
to set forth some general background information concerning
computer network firewalls, what they do, and how they work.
Merriam-Webster Online defines "firewall" in this context
to mean "a computer or computer software that prevents unauthorized
access to private data (as on a company's local area network
or intranet) by outside computer users (as of the Internet)."1
Dictionary.com defines "firewall" in this context to
mean "[a]ny of a number of security schemes that prevent
unauthorized users from gaining access to a computer network
or that monitor transfers of information to and from the network."2
Firewalls come in multiple types and perform multiple tasks.
Firewalls can involve both hardware and software (such as
in network routers), be stand-alone software programs, or
be software packaged with other programs (such as firewalls
that come packaged with certain operating systems). A firewall
may restrict access to and from a computer network based upon
Internet Protocol (IP) address, by domain name, by computer
port-ranges, or by restricting different computer transfer
protocols (HTTP, FTP, etc.). Firewalls may restrict all traffic
by default except for traffic specifically allowed, or conversely,
may permit all traffic by default except for traffic specifically
prohibited. As a practical matter, it appears that most firewalls
do not restrict access based upon lists of keywords, although
some do, particularly in conjunction with other filtering
software. Similarly, while at least some firewalls do block
access to websites, they may do so by blocking the specific
IP address or domain name of the site or through a more general
security rule that does not necessarily involve the IP address
or domain name of a particular site. Such rules, addresses,
and keywords must be incorporated into the programming of
the firewall in order for the firewall to perform its tasks.
Additionally, it appears that at least some firewalls may
receive automatic updates to their programming, including
lists of websites, from third parties (generally the vendor
of the firewall) as various sites on the Internet are added
and removed. A more detailed technical description is beyond
the scope of this opinion.3
Turning now to a legal analysis of your request under FOIA, subsection
A of § 2.2-3704 provides that "[e]xcept as otherwise
specifically provided by law, all public records shall be
open to inspection and copying by any citizens of the Commonwealth
during the regular office hours of the custodian of such records."
The policy of FOIA at subsection B of § 2.2-3700 requires
that "[a]ny exemption from public access to records...shall
be narrowly construed." Subdivision 3 of § 2.2-3705.2
provides a discretionary exemption applicable to "[d]ocumentation
or other information that describes the design, function,
operation or access control features of any security system,
whether manual or automated, which is used to control access
to or use of any automated data processing or telecommunications
system." If this exemption applies, then the school district
acted within its discretion to withhold these records as exempt
from the mandatory disclosure requirements of FOIA.
You indicated that you do not feel that the records you have requested
fall under the terms of this exemption because you are asking
only what websites and keywords are blocked and where they
are blocked, as opposed to requesting information concerning
the "design, function, operation or access control features"
of the firewall security system. It appears that you and
the school district agree that the firewall is a "security
system...used to control access to or use of" the school
district's computer network, and that the computer network
itself is an "automated data processing or telecommunications
system." The question is thus narrowed to whether the list
of websites and keywords you seek describes the "design,
function, operation or access control features" of the
firewall. In interpreting this exemption, these terms must
be given their ordinary meanings within the context in which
they are used.4
The American Heritage Dictionary defines the term "design,"
when used as a noun, to mean "the invention and disposition
of the forms, parts, or details of something according to
a plan."5 The design of the firewall as a security
system would include the physical locations where the firewall
acts (e.g., if the firewall protects certain computers but
not others, or has different access rules for different computers
located in different areas within the schools). Keep in mind
that the purpose of this exemption is to protect security
systems, and a disclosure of the locations where a security
system operates and where it does not may compromise the system.
Any record that describes "where websites and keywords
are blocked geographically and within schools" thus could
be properly withheld pursuant to subdivision 3 of § 2.2-3705.2
because such a record describes the design of the firewall.
The school system acted in compliance with FOIA when it denied
this aspect of your request. Regarding your request for a
list of blocked websites and keywords, if the firewall in
question does act to block particular websites and to restrict
access based upon particular keywords, these functions must
be implemented as part of the firewall's programming. Thus,
a list of websites and keywords such as you requested, if
it exists at all, must exist in some form within the programming
of the firewall. The programming code is part of the design
of the firewall. Thus such a list describes the design
of the firewall, as it describes the programming of the firewall,
and may be withheld from disclosure under subdivision 3 of
§ 2.2-3705.2.
Considering the next term used in the exemption, "function" is defined
to mean "[t]he action for which a person or thing is particularly
fitted or employed" or "[a]ssigned duty or activity."6 As
previously described, a firewall may be programmed to block
access to certain websites, whether by IP address, domain
name, or based upon a list of keywords (or through other rules).
A list of such blocked sites and keywords therefore describes
the function (i.e., the assigned duty or activity)
of the firewall. Thus, the list you request also may be properly
withheld from disclosure under subdivision 3 of § 2.2-3705.2
because it describes the function of the firewall.
Because the records you requested describe the design
and/or function of the firewall, it is not necessary
to consider whether these records also describe the operation
or the access control features of the firewall, although
it appears that this may be the case. In conclusion, the school
district properly withheld the records you requested pursuant
to subdivision 3 of § 2.2-3705.2 because these records
describe the design and/or function of the firewall.
While recognizing that the school district properly invoked the
exemption in this case, a public body faced with a situation
like this one might choose to disclose any policy it has regarding
the general nature or types of websites or keywords that are
restricted, or general parameters by which access is restricted
(i.e., a statement of policy restricting access to pornographic
websites, or restricting peer-to-peer file sharing, etc.).
Providing information in this fashion is not required by FOIA
but can be helpful in satisfying a request and maintaining
good public relations.
Thank you for contacting this office. I hope that I have been of
assistance.
Sincerely,
Maria J.K. Everett
Executive Director
1 Merriam-Webster Online Dictionary, available at http://www.m-w.com/
(last visited April 6, 2005).
2 Dictionary.com, available at http://dictionary.reference.com/ (last visited
April 6, 2005).
3 More detailed information concerning firewalls
is widely available on the internet. The following websites,
among others, provide more detailed information about firewalls
and were used as references in preparing this opinion: http://computer.howstuffworks.com/firewall.htm
(last visited April 25, 2005); http://www.interhack.net/pubs/fwfaq/
(last visited April 25, 2005); http://www.microsoft.com/athome/security/protect/firewall.mspx
(last visited April 25, 2005).
4 See, e.g., Sansom v. Board of Supervisors of
Madison County, 257 Va. 589, 594-95, 514 S.E.2d 345, 349
(1999).
5 The American Heritage Dictionary 386 (2d College
ed. 1982).
6 Id. at 539.