July 3, 2008
The staff of the Committee on Open Government is authorized to issue advisory opinions. The ensuing staff advisory opinion is based solely upon the information presented in your correspondence.
We are in receipt of your request for an advisory opinion concerning application of the Freedom of Information Law to a request for records made to the Town of North Greenbush. Specifically, the Town denied your request for “a computer record which identifies the IP Address of the computers in the town clerk’s office” on the ground that disclosure “can compromise the security of the computer system in the Town Clerk’s Office and possibly the Town Offices and cannot be revealed.” In support of its denial of access, the Town Clerk forwarded a written opinion obtained from an information security professional. Although we understand that you have no malicious intent, we agree with the Town’s assertion that disclosure could jeopardize the security of the Town’s computer system, and we offer the following comments.
First, because we have very little experience involving Internet Protocol(“IP”) addresses, we consulted with professionals at the NYS Office of Cyber-Security and Critical Infrastructure Coordination to learn the difference between “public” IP addresses, which are assigned to a website, for example, and “private” IP addresses which are assigned to individual desktop computers and network devices. We were informed that knowing an organization’s internal or “private” IP addresses would increase the speed at which a person with malicious intent could attack and disable an entire computer system. Disclosure of an IP addressing scheme would also indicate the most critical systems within the scheme, enabling a targeted attack.
Second, as a general matter, the Freedom of Information Law is based upon a presumption of access. Stated differently, all records of an agency are available, except to the extent that records or portions thereof fall within one or more grounds for denial appearing in §87(2)(a) through (j) of the law.
When records are accessible under the Freedom of Information Law, it has been held that they should be made equally available to any person, regardless of one's status, interest or the intended use of the records [see Burke v. Yudelson, 368 NYS 2d 779, aff'd 51 AD 2d 673, 378 NYS 2d 165 (1976)]. Moreover, the Court of Appeals, the State's highest court, has held that:
"FOIL does not require that the party requesting records make any showing of need, good faith or legitimate purpose; while its purpose may be to shed light on government decision-making, its ambit is not confined to records actually used in the decision-making process. (Matter of Westchester Rockland Newspapers v. Kimball, 50 NY2d 575, 581.) Full disclosure by public agencies is, under FOIL, a public right and in the public interest, irrespective of the status or need of the person making the request" [Farbman v. New York City Health and Hospitals Corporation, 62 NY 2d 75, 80 (1984)].
The only exception to the principles described above involves one provision pertaining to the protection of personal privacy that does not apply here.
The pertinent exception with respect to IP addresses, in our view, is §87(2)(i), which permits an agency to deny access to records that “if disclosed, would jeopardize the security of its information technology assets, such assets encompassing both electronic information systems and infrastructures.” Unlike security codes or passwords utilized to gain access to a particular database, it is our understanding that disclosure of IP addresses would permit a person to implement an attack on agency’s computers with precision and accuracy. Accordingly, it is our opinion that the Town could justifiably rely on this exception to withhold the requested record.
In your correspondence, you describe your effort “to eliminate the Town Clerk’s computers as the source of legally libelous postings to public web domains which are routinely accomplished during daytime business hours.” While your intent may not be designed to maliciously disable operation of the Town’s computer system, because the Freedom of Information Law permits an agency to deny access when disclosure would jeopardize the security of the Town’s computers, in this instance, we believe that it has the ability to do so.
Because you allege illegal activity, we recommend that you might consult with the local district attorney.
On behalf of the Committee on Open Government, we hope that this is helpful to you.
Camille S. Jobin-Davis
cc: Hon. Kathryn A. Connolly