SPRINGFIELD, IL. (ECWd) -
While attempting to figure out the costs of the network hack from April 2021 (here is our initial report) on the Illinois Attorney General's computers and servers, we requested meeting minutes of the open public meetings, only to find them either redacted or not provided. We also requested the recordings of the open public meetings, only to find them not provided (except for one meeting) because the AG wanted to redact them (those issues in this article).
After we sued the AG, they unredacted two of the meeting minutes at their next meeting, but have not unredacted the remainder, and they haven't produced the remaining recordings either.
Next, we took a different approach to obtain the information.
Knowing that Section 1(c) of the Illinois Constitution and Sections 3(b) and 4 of the State Records Act both require "Reports and records of the obligation, receipt and use of public funds . . . are public records available for inspection by the public" (with very few exceptions), we submitted a Freedom of Information Act request for the contracts approved by or passed through the Procurement Policy Control Board of the Attorney General.
To our surprise, some of the responsive records were redacted. The redactions were within the contracts for software and services, and in our opinion, should have been provided unredacted - especially since the exact same information is available to the public on the vendor's website.
- In the CROWD STRIKE Statement of Work agreement, the AG's office redacted pages 3, 4, 6, 8, 9, 18, 19, 28, 29, 31, and 32.
- Much of the redacted information appears to be public information and found on the CrowdStrike website (here)
- On page 18 of the SOW, the AG redacted what appears to be the words "correlative and/or contextual data, and/or detections":
- EXAMPLE, on page 18 of the SOW, are their redactions under “CrowdStrike Data” which appears to be exactly the same as the paragraph on CrowdStrike’s own webpage: https://www.crowdstrike.com/terms-conditions/
- “CrowdStrike Data” shall mean the data generated by the CrowdStrike Offerings, including but not limited to, correlative and/or contextual data, and/or detections. For the avoidance of doubt, CrowdStrike Data does not include Customer Data.
- On page 19 of the SOW, the AG redacted what appears to be the words "Falcon OverWatch" and "Falcon Complete Team":
- EXAMPLE, on page 19 is their redactions under “Product-Related Services” which appears to be exactly the same as the paragraph on CrowdStrike’s own webpage: https://www.crowdstrike.com/terms-conditions/
- “Product-Related Services” means, collectively, (i) Falcon OverWatch, (ii) Falcon Complete Team, (iii) the technical support services for certain Products provided by CrowdStrike, (iv) training, and (v) any other CrowdStrike services provided or sold with Products. Product-Related Services do not include Professional Services.
Other redactions are also found on the vendor's webpage, but the point is, we cannot write about these contracts and state with certainty that the Attorney General's office purchased Falcon OverWatch and Falcon Complete Team, because it is redacted in the documents provided to us under FOIA - even though we believe we know what is lingering under those redactions.
Now we must decide whether to sue them under FOIA again, or ignore the redactions - and we have made it a policy to not ignore unreasonable redactions. These are public records and should have been provided.