In addition to citing potential health-privacy violations, the government cited exemptions intended to protect personal privacy and law-enforcement records, although the agency didn't explain what files about the health care website had been compiled for law-enforcement purposes. Some open-government advocates were skeptical.
"Here you have an example of an agency resorting to a far-fetched privacy claim in an unprecedented attempt to bridge this legal gap and, in the process, making it even worse by going overboard in withholding such records in their entireties," said Dan Metcalfe, a former director of the Justice Department's office of information and privacy who's now at American University's law school.
Keeping details about lockdown practices confidential is generally derided by information technology experts as "security through obscurity." Disclosing some types of information could help hackers formulate break-in strategies, but other facts, such as numbers of break-ins or descriptions of how systems store personal data, are commonly shared in the private sector. "Security practices aren't private information," said David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov's security.
