The Invisible Breach: How Freedom of Information Became a Backdoor for State Intelligence

British public bodies are currently facing an unprecedented volume of information requests that appear to be part of a coordinated intelligence-gathering effort. While the Freedom of Information (FOI) Act was designed to provide transparency for citizens, it is increasingly being used as a low-cost tool for foreign actors to map out the UK's critical infrastructure and security protocols. This is not a theoretical vulnerability. Local councils, emergency services, and government departments report a surge in highly specific queries regarding supply chains, digital architecture, and physical security assets. By aggregating these seemingly mundane data points, hostile entities can build a comprehensive "digital twin" of national vulnerabilities without ever hacking a single server.

The Open Window Policy

The Freedom of Information Act 2000 is a cornerstone of British democracy. It allows anyone, regardless of nationality or location, to demand data from over 100,000 public authorities. The law is "applicant blind," meaning officials are legally barred from asking why someone wants the information. This creates a massive blind spot.

In recent months, security analysts have tracked a pattern of requests originating from accounts linked to overseas research institutes and private firms with ties to the Chinese state. These requests do not ask for "top secret" files. They ask for the boring stuff. They want to know the exact model of CCTV cameras used in a provincial town center. They ask for the maintenance schedules of water treatment plants. They request the floor plans of refurbished government offices under the guise of "architectural interest."

Individually, these answers are harmless. Collectively, they are a goldmine. When you know the specific hardware a council uses for its internal network, you know exactly which exploits to prepare. When you have the logistics schedule for a power station, you know when it is most vulnerable to disruption. The UK is essentially subsidizing the reconnaissance phase of foreign intelligence operations.

The Mosaic Effect in Modern Espionage

Intelligence work has changed. It is no longer just about the "smash and grab" of classified documents. Modern statecraft relies on the Mosaic Effect. This is the process of taking disparate pieces of unclassified information and assembling them to reveal a sensitive whole.

Imagine a jigsaw puzzle. A single piece showing a patch of blue sky tells you nothing. But if you acquire enough pieces of blue sky, you can determine the exact weather conditions, the time of day, and the location of the horizon. Foreign intelligence services are currently collecting the "blue sky" of British public administration.

Strategic Infrastructure Mapping

One particularly concerning trend involves requests directed at the UK's maritime and energy sectors. Requests have surfaced asking for detailed blueprints of port expansions and the specifications of undersea cable landings.

  • Port Security: Detailed queries regarding the draft depth of harbors and the specific software used for container tracking.
  • Energy Resilience: Information on the age and capacity of backup generators at regional hospitals and data centers.
  • Emergency Response: Granular data on the response times and radio frequencies used by police in specific boroughs.

Because these requests are framed as "commercial research" or "public interest inquiries," they often bypass the initial scrutiny of overstretched FOI officers. These officers are often more concerned with meeting the 20-working-day legal deadline than questioning whether a request for "server rack dimensions" in a local government building might be a precursor to a physical or cyber intrusion.

The Cost of Compliance

The burden on the British taxpayer is twofold. First, there is the direct cost of processing these requests. A complex FOI can take dozens of man-hours to research and redact. Second, there is the long-term cost of hardening systems that have been exposed.

Public authorities can refuse a request if the cost exceeds £600 (for central government) or £450 (for other authorities). However, sophisticated actors have learned to "salami slice" their queries. Instead of one massive request that gets rejected on cost grounds, they send twenty smaller requests across twenty different departments. Each one stays under the threshold. Each one is a single piece of the mosaic.

The Vexatious Loophole

Under Section 14 of the FOI Act, an authority can refuse a request if it is "vexatious." This is a high bar to clear. Proving that a series of requests from different email addresses—often using VPNs to mask their origin—is part of a coordinated campaign is nearly impossible for a mid-level administrator in a rural county council.

The Information Commissioner’s Office (ICO) has traditionally leaned toward transparency. The default position is to release. While this serves the public’s right to know, it fails to account for a global environment where data is the primary currency of conflict. We are playing a game of cricket while the opposition is playing 3D chess.

Hardware and the Hidden Threat

The concern goes beyond just digital data. There is a physical component to this information gathering that often gets overlooked. By using FOI laws to identify the specific brands of hardware used in UK infrastructure, foreign actors can identify "weak links" in the supply chain.

If a request reveals that a significant number of NHS trusts are using a specific brand of network switch, and that brand is known to have vulnerabilities or "backdoors," the attackers have their roadmap. They don't need to scan the whole UK network; they just need to target the institutions they already know are using the compromised gear.

This is a quiet, methodical stripping of national privacy. It is a form of Legalized Reconnaissance. By the time a cyber-attack actually occurs, the "intruder" has already walked the halls virtually for years, thanks to the very laws intended to keep the government honest.

Structural Deficiencies in the FOI Framework

The current system lacks a unified "threat intelligence" layer. When a council in Scotland receives a suspicious request about its water supply, there is no central database to check if a council in Cornwall received the exact same query the day before.

This lack of communication is the greatest asset for those looking to exploit the system. Without a centralized clearinghouse for FOI requests that touch on "Sensitive But Unclassified" (SBU) data, the UK remains a fragmented target.
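One way the shared check described above could work, as an added example that is not from the article: it compares request wording only, never requester identity, so it stays compatible with the applicant-blind rule. The authority names, dates, request texts, the 0.5 similarity threshold and the 14-day window are all constructed assumptions.

```python
import re
from datetime import date
from itertools import combinations

# Constructed sample log: (authority, date received, request text).
# No requester identity is stored, so matching stays "applicant blind".
REQUESTS = [
    ("Council A", date(2024, 3, 4),
     "Please provide the make and model of all network switches used in council offices."),
    ("Council B", date(2024, 3, 5),
     "Please provide the make and model of all network switches used in your council offices"),
    ("NHS Trust C", date(2024, 3, 6),
     "Provide the make and model of all network switches used in trust offices."),
    ("Council A", date(2024, 3, 7),
     "How much did the council spend on grass cutting in 2023?"),
]

def shingles(text, k=3):
    """Return the set of k-word shingles of the lower-cased, de-punctuated text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cross_authority_clusters(requests, threshold=0.5, window_days=14):
    """Group near-identical requests sent to different authorities within the window."""
    sets = [shingles(text) for _, _, text in requests]
    parent = list(range(len(requests)))  # union-find forest over request indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(requests)), 2):
        (auth_i, day_i, _), (auth_j, day_j, _) = requests[i], requests[j]
        if auth_i == auth_j or abs((day_i - day_j).days) > window_days:
            continue
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i in range(len(requests)):
        groups.setdefault(find(i), []).append(i)
    # Links are only made across authorities, so any multi-item cluster spans several.
    return [sorted(requests[i][0] for i in g) for g in groups.values() if len(g) > 1]
```

A cluster is a prompt for human review by the FOI teams involved, not grounds for refusal on its own.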

The Identity Problem

The "applicant blind" nature of the law means that an intelligence officer in Shanghai has the same rights to British data as a journalist in Sheffield. Attempts to change this are met with fierce resistance from civil liberties groups, who argue—rightly—that anonymity is vital for whistleblowers and activists.

However, there is a middle ground that is currently being ignored. The UK could implement a "provenance check" for requests that touch on critical national infrastructure. This wouldn't mean banning foreign requests, but it would mean subjecting them to a different level of risk assessment.

Reevaluating the Risk Threshold

Security experts are increasingly calling for an update to the "Public Interest Test." Currently, the benefit of transparency almost always outweighs the vague "prejudice to national security" unless the data is explicitly classified.

We need to redefine what constitutes a threat. In the 1990s, a floor plan of a municipal building was just a floor plan. Today, in the era of drone strikes and precision cyber-attacks, that same floor plan is a targeting package.

Immediate Steps for Public Authorities

The burden of defense cannot fall solely on the ICO. Public authorities must become more "security-literate" in their FOI responses.

  1. Contextual Redaction: Moving beyond just redacting names to redacting technical specifications that could facilitate a cyber-attack.
  2. Cross-Departmental Alerts: Establishing informal networks to flag suspicious patterns of technical queries.
  3. Aggressive Use of Section 24: Using the National Security exemption more proactively when requests target infrastructure, rather than waiting for an explicit "top secret" tag.

The reality is that our commitment to an open society is being turned into a tactical weakness. We are handing over the blueprints of our house because we are too polite to ask who is standing at the door.

The Global Context

The UK is not alone in this struggle, but it is one of the most targeted. As a key member of Five Eyes and a global financial hub, the UK's "data surface area" is massive. Other nations, such as Australia, have already begun tightening their transparency laws to prevent foreign interference. They have recognized that an "open by default" policy is a luxury that few modern states can afford without significant safeguards.

The tension between transparency and security will never be fully resolved. It is a permanent feature of democratic life. But when the mechanism for transparency becomes a tool for subversion, the system is no longer functioning as intended.

We must stop treating every FOI request as an isolated event. Every query is a data point. Every data point is a coordinate. Every coordinate is a potential target. If the UK does not modernize its approach to information disclosure, it will continue to provide its adversaries with the very tools they need to dismantle it from the inside out.

The FOI Act was written for a world of paper files and local concerns. We are now living in a world of persistent, state-sponsored data harvesting. The law must catch up, or the window of transparency will remain a wide-open door for those who wish us harm.

Stop treating the FOI office as a back-office administrative function and start treating it as a front-line security post.

Emma Garcia

As a veteran correspondent, Emma Garcia has reported from across the globe, bringing firsthand perspectives to international stories and local issues.