|Office of the Attorney General - State of Texas
August 3, 2000
Mr. Thomas G. Ricks
Dear Mr. Ricks:
You ask whether certain information is subject to required public disclosure under the Public Information Act (the "Act"), chapter 552 of the Government Code. Your request was assigned ID# 137376.(1)
The University of Texas Investment Management Company ("UTIMCO") received four requests for information related to UTIMCO computer and personnel information. You claim that the requested information is excepted from disclosure under sections 552.101, 552.102, and 552.104 of the Government Code. You also argue that some of the information is not public information as defined by Government Code section 552.002. We have considered the exceptions you claim and reviewed the submitted information.
You have submitted two e-mail requests that were submitted to UTIMCO on May 5, 2000. In the first May 5 request, sent at 10:47 a.m., the requestor asks for all information regarding "Joe Conason and the Harpers article." From your letter to the requestor dated May 19, 2000, we understand that the responsive information for this request has been provided to the requestor.
In the second May 5, 2000 request, sent at 11:06 a.m., the requestor asks for all information regarding the following:
All IP (internet protocol) addresses, domains, dns entry numbers, user names and physical locations for each and every computer or internet access terminal/appliance (including both those of agents and personal used for official business, etc.) which has visited or attempted to visit initiate.com, any of its web pages or any linked site/email address.
All hard-copy prints (and electronically-stored, etc.), traffic, messaging, and all other information, re: initiate.com or visits to initiate.com, any of its web pages, or any linked site/email address.
All "cookie" files since last batch sent or refused for each and every computer or internet access terminal/appliance (including both those of agents and personal used for official business, etc.) which has visited or attempted to visit initiate.com, any of its web pages or any linked site/email address.
You state that the "cookie" files have been made available to the requestor, but explain that neither UTIMCO nor its agents have "hard-copy prints (and electronically-stored, etc.), traffic, messaging, and all other information" responsive to this request. You refer to the remaining information responsive to the request as the "computer information." You have submitted a representative sample of the "computer information" for our review.
In his May 19, 2000, request, the requestor references the May 5, 11:06 a.m., request and additionally asks for "everything and everyones' [sic] since the date of the request; include all information pertaining to browsers, platforms and operating systems." You explain that neither UTIMCO nor its agents have information responsive to the request for computer information "since the date of the [May 5] request." You claim that the information pertaining to browsers, platforms, and operating systems is excepted from disclosure; you refer to this information as the "supplemental computer information." You have not submitted copies or representative samples of the supplemental computer information.
Finally, in his May 26, 2000 request, the requestor asks for all information relating to or concerning three persons; he specifically asks for the following regarding these three individuals:
1) separation, severance, consulting, contracts, informal arrangements, etc.
2) changes to personnel files, resumes, salaries, etc. since our last request.
3) ethics policies, agreements, etc. to which they a) were b) still are subject.
4) serial number, description, location, etc. of each computer to which they had access.
5) for each of their successors: name, title, salary, resume, dates of employment, work or engagement, etc.
You explain that a portion of the information responsive to the May 26 request has been made available to the requestor. You contend that information responsive to item no. 4, the serial number, description, location, etc., of the computers the individuals had access to, is excepted from disclosure; you refer to this information as the "personal computer information." You have submitted representative samples of the personal computer information. You also argue that the information responsive to item no. 2, the changes to personnel files, etc., is also excepted from disclosure; you refer to this information as the "personnel information." You have not submitted copies or representative samples of the personnel information.
We begin by addressing the supplemental computer information (information pertaining to browsers, platforms, and operating systems) requested in the May 5, 11:06 a.m. request and the personnel information of the May 26 request. As stated above, you have not submitted copies or representative samples of this requested information. Pursuant to section 552.301(e)(1)(D), a governmental body is required to submit to this office within fifteen business days of receiving an open records request a copy or representative samples of the specific information requested, labeled to indicate which exceptions apply to which parts of the documents. Pursuant to section 552.302 of the Government Code, a governmental body's failure to submit to this office the information required in section 552.301(e) results in the legal presumption that the information is public. Information that is presumed public must be released unless a governmental body demonstrates a compelling reason to withhold the information to overcome this presumption. See Hancock v. State Bd. of Ins., 797 S.W.2d 379, 381-82 (Tex. App.--Austin 1990, no writ) (governmental body must make compelling demonstration to overcome presumption of openness pursuant to statutory predecessor to Gov't Code § 552.302); Open Records Decision No. 319 (1982). You have not shown such a compelling interest to overcome the presumption that the information at issue is public. Accordingly, you must release the requested personnel information and the information pertaining to browsers, platforms, and operating systems. We caution that the distribution of confidential information constitutes a criminal offense. See Gov't Code § 552.352.
Next, we consider your arguments pertaining to the remaining computer information. For purposes of clarity, we reiterate the remaining computer information for which you have presented exceptions against disclosure: (1) All internet protocol ("IP") addresses, domains, DNS entry numbers, user names, and physical locations for each and every computer or internet access terminal/appliance which has visited or attempted to visit initiate.com, any of its web pages or any linked site/email address; and (2) serial numbers, descriptions, and location of each computer to which three individuals have had access.(2)
You argue that the computer information is not "public information" as defined by Government Code section 552.002. You state that UTIMCO does not assemble, collect, or maintain information regarding computers that have been used to access certain web sites nor does it categorize information by web sites accessed by computer users. You additionally express that some of the information is known by UTIMCO technology staff, but the information is not recorded in any form and, therefore, the technology personnel would have to look at each computer to obtain the information.
Section 552.002 defines "public information" as "information that is collected, assembled, or maintained under a law or ordinance or in connection with the transaction of official business[.]" Information is generally public information within the Act when it relates to the official business of a governmental body or is used by a public official or employee in the performance of official duties. See Open Records Decision No. 635 at 4 (1995).
In Open Records Decision No. 581 (1990), this office determined that certain computer information, such as source codes, documentation information, and other computer programming, that has no significance other than its use as a tool for the maintenance, manipulation, or protection of public property is not the kind of information made public under section 552.021 of the Government Code. The requested information pertaining to IP addresses, DNS entry numbers, and user names is the type of information that has no significance other than its use as a tool for the maintenance, manipulation, or protection of public property. As such, this information is not public information as defined by section 552.002, and, therefore, is not subject to the Act.
The remaining computer information--the domain names, physical location, serial numbers, and descriptions of computers--does have public significance other than its use as a tool for the maintenance, manipulation, or protection of public property because it is information pertaining to state property used by state employees. As such, we conclude that this information is public information under section 552.002, and, therefore, is subject to public disclosure under section 552.021 of the Act. Therefore, in regards to this information, we will address your arguments that release of the information would breach the security of UTIMCO's computer system and provide access to all of UTIMCO's files.
Open Records Decision No. 401 (1983) addressed the issue of the public release of information which could possibly breach the security of government computers or files. Although the information at issue in that decision was a computer program, the reasoning of the decision is applicable to the instant request. In that decision, this office stated the following:
To the extent that use of a program would enable the user to gain access to a government computer or its memory banks in an unauthorized fashion . . . the program may be withheld.
Programs that give access to computer-stored information are analogous . . . to the combinations of safes. Safe combinations are merely notations of mechanical adjustments that must be made to gain access to the contents of the safe. The security of the information can be very important, even vital, depending on the contents. The same is true of information allowing access to government computers. Just as there is a difference between (a) making public particular documents kept in a safe and (b) releasing the safe's combination, there is a difference between (a) making available information stored in a computer and (b) making available information about how to get into the computer. The Open Records Act does not require governmental bodies to disclose information that would breach the security of government computers or computer files any more than it requires them to disclose the combinations of safes that might be on their premises.
Open Records Decision No. 401 at 4 (1983).
We conclude that the release of information related to the domain names, physical location, serial numbers, and description of computers would not pose a risk of a security breach. Therefore, this information must be released to the requestor.
Next, you contend that Government Code section 552.104 excepts the information from disclosure. Section 552.104 states that information "is excepted from [required public disclosure] if it is information that, if released, would give advantage to a competitor or bidder." We conclude that section 552.104 is not applicable in this instance. Thus, you may not withhold the information under section 552.104.
In summary, the following information must be released to the requestor: the personnel information; information related to browsers, platforms, and operating systems; domain names; and the physical locations, serial numbers, and descriptions of UTIMCO computers. The information pertaining to IP addresses, DNS entry numbers, and user names is not "public information" subject to the Act. Therefore, UTIMCO has no obligation under the Act regarding the release of this information.
This letter ruling is limited to the particular records at issue in this request and to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances.
This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a).
If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at 877/673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e).
If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Department of Public Safety v. Gilbreath, 842 S.W.2d 408,411 (Tex. App.--Austin 1992, no writ).
If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling.
Julie Reagan Watson
Ref: ID# 137376
Encl. Submitted documents
cc: Mr. Stephen Lisson
1. We note that your request for a decision dated June 12, 2000 was originally assigned ID# 138036. That request for a decision has now been consolidated with ID# 137376.
2. You state that the three persons identified in the request each had access to all of UTIMCO's computers.
POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US