Federal officials should consider reopening public access to about three dozen Web sites withdrawn from the Internet after the Sept. 11, 2001, attacks, a government-financed study says, because the sites pose little or no risk to homeland security.
The Rand Corp. said the overwhelming majority of federal Web sites that reveal information about airports, power plants, military bases and other potential terrorist targets need not be censored because similar or better information is easily available elsewhere.
Rand identified four Web pages that might merit the restrictions imposed after the attacks.
"It's a good time to take a closer look at the choices that they made at the time," said John Baker, principal author of the study, which was funded by the National Geospatial-Intelligence Agency, the government's intelligence mapping agency.
Advocates of open government said the report shows the Bush administration acted rashly after the suicide attacks when it scrubbed numerous government Web sites.
"It was a gigantic mistake, and I hope the study brings some rationality back to this policy," said Steven Aftergood, director of the Federation of American Scientists' project on government secrecy. "Up to now, decisions have been made on a knee-jerk basis."
Rand's National Defense Research Institute identified 629 Internet-accessible federal databases that contain critical data about specific locations. Co-author Beth Lachman said they "appeared to be the most sensitive sites" among 5,000 federal Web pages the researchers checked.
The study, conducted between mid-2002 and mid-2003, found no federal Web sites that contained target information essential to a terrorist -- in other words, information a terrorist would need to launch an attack.
It identified four databases -- less than 1 percent of the 629 -- where restricting access probably would enhance homeland security. None was available to the general public anymore. Those sites included two devoted to pipelines, one to nuclear reactors and one to dams.
Information easily obtainable elsewhere
Researchers recommended that officials evaluate 66 databases with some useful information, but they didn't anticipate restrictions would be needed because similar or better data probably could be easily obtained elsewhere.
The remaining 559 databases "are probably not significant for addressing attackers' information needs and do not warrant any type of public restriction," the report said. It said that any information they contain that could be useful to terrorists is easily obtained elsewhere, often by simple, legal observation in an open society.
The Rand researchers found that 30 federal agencies or departments make public, on paper or online, "geospatial information" about critical or symbolic locations and structures. That kind of data can be as simple as a telephone book or as complex as an Internet database that discloses how many people live near each of the nation's power plants or toxic chemical storage sites.
After Sept. 11, federal agencies scrambled to pull such data off the Internet. The Transportation Department removed pipeline maps. The Environmental Protection Agency deleted descriptions of risk management plans for chemicals stored at 15,000 sites. The Nuclear Regulatory Commission took down its Web site, although much of it is now back online.
Using Internet archives that preserve old Web pages or detailed written descriptions, researchers identified 39 federal geospatial databases taken off-line since Sept. 11.
Other than the four databases that posed some risk, "these restrictions need to be more thoroughly assessed," the researchers wrote.
"Under the circumstances, these officials took prudent steps but in a very piecemeal, patchwork way," Baker said.
The study proposed a framework for analyzing and possibly restoring such data to the Internet:
- How useful would it be to an attacker? Far more detailed information is needed to plan an attack than to pick a target, but most federal Web sites are too general to help with more than target selection.
- Is similar or better data readily available elsewhere? If so, "the net security benefits of restricting access ... may be minimal or nonexistent" and could "possibly lead ... to a false sense of security at worst."
- Does the gain in security from restrictions outweigh any harm to those using the data, such as police and fire departments, economic planners or private companies?
For instance, Rand advocated that an Environmental Protection Agency Web site that discloses where toxic chemicals are stored and in what quantity should not be restricted because its value to terrorists is outweighed by its value to communities preparing for emergencies.
Restricting the site would "diminish the public good that comes from providing local communities access to information that can significantly affect the well-being of citizens," the study said.
To demonstrate the futility of removing government data that isn't unique, Rand researchers picked out 300 non-federal Web sites that had similar or better information about critical U.S. targets than federal pages.
For instance, an online scuba magazine contains a divers' description of the ocean depths and currents around an oil-drilling platform off the southern California coast that would be more useful to terrorists than the federal sites that described the platform.