Feds map risks of GIS

Some geographic data may be kept classified if it poses a homeland security risk, according to a draft policy from a federal working group.

Officials at the Federal Geographic Data Committee's Homeland Security Working Group published the draft policy May 3 in an attempt to advise agency officials about identifying sensitive geospatial data and the proper balance of access and security. The group published the guidelines for federal and local governments, private-sector entities and not-for-profit organizations that create and maintain geospatial data.

The policy encourages officials to answer questions such as: Should a neighborhood have access to details about a nearby nuclear plant? If a chemical plant has an emergency, how do people assess the health risks without knowing the plant's contents?

The policy states that agency officials should assess whether security risks outweigh the benefits of making such information public.

Rand Corp. officials say that open access to geospatial data does not pose much of a national security risk. A recent report from the company found that much of the information available is not sufficiently unique, critical or current to be of much use to terrorists. Less than 1 percent of the 629 federal datasets that the company reviewed were useful and unique.

Nevertheless, as long as terrorism exists, the guidelines are here to stay.

"You have to ensure that you don't have different pieces of the community taking a different approach," said Michael Domaratz, co-chairman of the working group. "The purpose of the guidelines is to have people who are already making the judgments to have a common basis."

Decisions about curtailing public access to data are always thorny. When drafting the guidelines, working group officials included representatives from the library community in setting standards.

Commitee officials are expected to approve the guidelines in the fall after they review public comments. The deadline could slip depending on the comments, they said.

Some officials, however, are not concerned that geospatial data gives terrorists new information as much as they are concerned that the available data makes

information too convenient for potential attackers.

The library community supports open access to government documents. But Linda Zellmer, who heads Indiana University's geology library and served on the working group, said she is "not sure it's sensible to have some of this information out."

"I am not concerned that they're not blocking enough," Zellmer said, adding that the data makes "it a whole lot more convenient for someone trying to do something." She cited information about Luke Air Force Base in Glendale, Ariz., as data that should not be accessible. The original map of the base, she said, shows the location of trillions of dollars of hardware, including the largest squadron of F-16s.

However, Zellmer said that some information has been public for such a long time that potential attackers already possess it. "I don't think taking it down is going to do much good," she added.

"Geospatial databases are old and things change," said Beth Lachman, a geospatial policy analyst at Rand and one of the researchers of the report. "Because of the dynamic nature of the type of information [attackers] want for target selection, they need very detailed and timely information." She added that geospatial data "may also not be as detailed as the type [of information] attackers are looking for."

"Part of the reason we didn't find much information out there, even prior to [the attacks of Sept. 11, 2001] is that there were already security reasons for not putting certain information out there," Lachman said. "A bank isn't going to advertise where their video cameras are." She said that some data, such as Web sites for scuba divers and railway enthusiasts, often carry content that could be useful to terrorists.

The committee is issuing the guidelines under the authority provided by Office of Management and Budget Circular A-16 to implement the National Spatial Data Infrastructure. They will be reviewed every five years.