Chapman v. Chi. Dep't of Fin.
Docket Number | Docket No. 128300 |
Decision Date | 18 May 2023 |
Citation | 2023 IL 128300, 220 N.E.3d 1080, 468 Ill.Dec. 301 |
Parties | Matt CHAPMAN, Appellee, v. The CHICAGO DEPARTMENT OF FINANCE, Appellant. |
Court | Illinois Supreme Court |
Celia Meza, Corporation Counsel, of Chicago (Myriam Zreczny Kasper, Suzanne Loose, Ellen W. McLaughlin, and Elizabeth M. Tisher, Assistant Corporation Counsel, of counsel), for appellant.
Matthew Topic, Josh Loevy, Merrick Wayne, and Shelley Geiszler, of Loevy & Loevy, of Chicago, for appellee.
JUSTICE HOLDER WHITE delivered the judgment of the court, with opinion.
¶ 1 Plaintiff, Matt Chapman, filed a request pursuant to the Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)), seeking certain information utilized by defendant, the Chicago Department of Finance. Defendant denied the request, identifying the requested information as exempt from disclosure under section 7(1)(o) of FOIA. Id. § 7(1)(o).
¶ 2 Plaintiff filed a complaint, alleging defendant violated FOIA by failing to disclose the records and asking the Cook County circuit court to order their production. The court agreed with plaintiff and ordered defendant to produce the records. The First District affirmed. 2022 IL App (1st) 200547, ¶ 1, 456 Ill.Dec. 710, 193 N.E.3d 950.
¶ 3 Now on appeal, defendant argues (1) section 7(1)(o) of FOIA expressly exempts the requested records from disclosure and (2) it demonstrated clear and convincing evidence that disclosure would jeopardize the security of its system. We reverse and remand with directions.
¶ 4 BACKGROUND
¶ 5 In August 2018, plaintiff submitted a FOIA request to defendant for certain records pertaining to the Citation Administration and Adjudication System (CANVAS), developed by IBM for the City of Chicago in 2002 for the enforcement of parking, red-light, and speed-camera tickets. After a ticket has been issued, it is loaded into the CANVAS system, which defendant uses to issue notices and for payment purposes.
¶ 6 Specifically, plaintiff sought an "index of the tables and columns within each table of CANVAS" and asked for the "column data type as well." Further, plaintiff's request stated the following:
Plaintiff indicated the requested documents would be made available to the general public and that the request was not being made for commercial purposes.
¶ 7 Defendant denied the request, stating the records were exempt from disclosure pursuant to section 7(1)(o) of FOIA (5 ILCS 140/7(1)(o) (West 2018)). Section 7(1)(o) exempts the following:
"Administrative or technical information associated with automated data processing operations, including but not limited to software, operating protocols, computer program abstracts, file layouts, source listings, object modules, load modules, user guides, documentation pertaining to all logical and physical design of computerized systems, employee manuals, and any other information that, if disclosed, would jeopardize the security of the system or its data or the security of materials exempt under this Section." Id.
Defendant stated the request for a copy of tables or columns within each table of CANVAS could, if disseminated, jeopardize the security of the systems of the City of Chicago.
¶ 8 In November 2018, plaintiff filed suit, alleging his request concerned nonexempt public records and defendant had willfully and intentionally violated FOIA by failing to produce the requested records. Thereafter, plaintiff filed a motion for partial summary judgment, and defendant filed a cross-motion for summary judgment.
¶ 9 In its cross-motion, defendant argued plaintiff's broad and open-ended request would "provide a detailed roadmap of the entire CANVAS system to the public" and, if released, "would not only provide information about how the CANVAS system was designed but would also facilitate cyber-attacks." The circuit court denied both motions.
¶ 10 In January 2020, the circuit court held a trial on plaintiff's complaint. Before the trial began, defendant argued the information plaintiff requested constituted a "file layout" or "source listing," both of which are expressly exempt from disclosure under section 7(1)(o) without regard to whether disclosure would jeopardize the security of the system. The court disagreed "as a matter of law," stating the phrase "if disclosed[,] would jeopardize [the] security of the system or its data or the security of the material[s] exempt under this [S]ection," qualifies every term that precedes it, including "file layouts" and "source listings." Thus, the only issue for trial was whether disclosure of the information would jeopardize the security of the system.
¶ 11 On defendant's behalf, Bruce Coffing testified he was the chief information security officer for the City of Chicago. He indicated his familiarity with the CANVAS system, which contains sensitive information pertinent to constituents who have received tickets relating to parking, speed-light cameras, red-light cameras, booting, and towing. Coffing stated that information includes, among other things, first and last names of the primary and secondary vehicle owners, driver's license numbers, addresses, handicap-parking status, the ticket issuer, and payment method.
¶ 12 Coffing testified he is responsible for protecting the CANVAS system from cyberattacks. One of the ways to defend against such attacks includes limiting the information known about a system, so that hackers have to be "more noisy" when attempting an attack and thereby alerting security defenses that an attack is underway. If an attack is conducted by someone with knowledge of the system, "their activity may blend in and look like normal activity in the system." Coffing stated releasing the requested information would undermine the layer defense strategy by "providing more information for a threat actor to perform [reconnaissance] again to more precisely tailor their attack."
¶ 13 Coffing testified that plaintiff's request concerned file layouts and source listings. He stated file layouts include "table names and column names," which is "the information that the database management system uses to create the structure of the database." "Source listings" include instructions to "the database management system on how to do something to setup the database, the tables, the columns within each of those tables and the data types that those columns represent."
¶ 14 Coffing stated that, if a threat actor knew the file layouts or source listings, he or she could use that knowledge to "perform [reconnaissance] on a target or a system and in this case would use this information to more precisely craft their attacks, again to limit the noise that they would make to limit the likelihood of them being detected."
¶ 15 Coffing also testified releasing the information requested by plaintiff could facilitate a type of attack known as a structured query language (SQL) injection, which would force the system to do something it is not designed to do. In such an instance, the injection acts as "a window into the system and then it uses this vulnerability to attempt to make the system do something that the threat actor wants the system to do." Coffing stated an SQL injection could be used against the CANVAS system to gain access and modify information, such as payment on a ticket, or delete data to make the system unusable.
¶ 16 On cross-examination, Coffing acknowledged plaintiff's FOIA request did not seek actual data, such as a person's driver's license number, but instead sought a listing of the tables in the CANVAS database and the fields and columns within those tables. However, Coffing explained that disclosure of the requested records would "disclose how the database management system constructs the database that contains the data used, stored and processed by the CANVAS system."
¶ 17 When asked by the circuit court to assume the general public knows what information is being collected, e.g., first and last names, citation number, vehicle information, and date and type of citations, Coffing testified that knowing the specific field name could allow someone to precisely craft an attack to make less noise and go undetected. For example, Coffing stated a field name could be "L underscore name" or "last underscore name," but not knowing which one could lead to inaccurate guesses and thereby alert the system that a threat actor is in the environment.
¶ 18 In plaintiff's case, Thomas Ptacek testified he worked in the field of information and software security. Describing himself as a "vulnerability researcher," he acknowledged he hacks systems for a living. Ptacek understood plaintiff's FOIA request as seeking "the schema of the database that backs the CANVAS application, the tables and the columns of those tables."
¶ 19 Ptacek described "schema" as a term of art referring to "all of the fields and the databases that sit behind these applications." According to Ptacek, "schema information would be of marginal value to an attacker." Moreover, disclosing the requested records would not produce the source code for the CANVAS system, which would provide a collection of instructions that tells the CANVAS application how to function.
¶ 20 Ptacek could not think of a way in which publicly "disclosing the schema would jeopardize the security" of a system or make it easier to carry out an SQL injection attack. Instead, he stated one of the first things he would get from an SQL injection attack would be the schema itself. Ptacek did testify that, if a hacker breached a database, knowledge of the schema would be "of value in that it would allow [the hacker] to select" the application to target. However, he stated...