Skip Navigation
File a Consumer Complaint
Report a Robocall/Text
  • Robocall Hotline:(844)-8-NO-ROBO
  • All Other Complaints:(877)-5-NO-SCAM
  • Outside NC:919-716-6000
  • En Español:919-716-0058

Status of State Owned Computer Software

May 28, 1998

Commissioner Janice Faulkner North Carolina Division of Motor Vehicles 1100 New Bern Avenue Raleigh, NC 27697-0001

RE: Advisory Opinion; Status of State Owned Computer Software Under G.S. §132-1 et seq.

Dear Commissioner Faulkner:

On April 26, 1998, Ms. Carol Howard of your office asked for an opinion regarding whether computer software developed by the State with the assistance of a private contractor was a public record. On April 28, 1998, our office wrote an informal advisory memorandum which concluded that such software was a public record.

In a telephone conversation later that day, Assistant Commissioner Gene Cella provided additional information regarding the nature of this software and its use. As a result, Mr. Cella then asked us for further study and an advisory opinion in your behalf as to whether this software was properly characterized as a public record.

Specifically, Mr. Cella asked whether certain programming modules written for the State Title and Registration System (STARS) constitute a public record within the meaning of North Carolina’s Public Records Law, G.S. §132-1 et seq., which must be provided to members of the public upon request and compliance with the provisions of that law. He stated that the contractor that developed the software has no proprietary interest in any of the software in question. However, he also expressed concerns regarding the possible compromise of the Division’s computer security if the software were determined to be public record.

Based upon the foregoing, and after careful review of the applicable statutes, we are of the opinion that such software is not a "record", and, additionally, its disclosure may cause a breach in software security inconsistent with G.S. 132-6.1(c). We, therefore, rescind the memorandum of April 28, 1998.

The relevant law regarding public records is found primarily in Chapter 132 of the North Carolina General Statutes. G.S. § 132-1(a) defines "public records" as follows:

(a) "Public record" or "public records" shall mean all documents, papers, letters, maps, books, photographs, films, sound recordings, magnetic or other tapes, electronic data-processing records, artifacts, or other documentary material, regardless of physical form or characteristics, made or received pursuant to law or ordinance in connection with the transaction of public business by any agency of North Carolina government or its subdivisions. (Emphasis added).

The policy of the North Carolina Public Records Law is set forth in G.S. §132-1(b), and states that "The public records and public information compiled by the agencies of North Carolina government or its subdivisions are the property of the people. Therefore, it is the policy of this State that the people may obtain copies of their public records and public information free or at minimal cost unless otherwise specifically provided by law." Our State Supreme Court has broadly construed this law to provide the public with liberal access to public records, and have clearly stated that, absent a statutory exception, any record that falls within the definition of "public record" must be made available for public inspection. News and Observer Publishing Co.

v. Poole, 330 N.C. 465, 412 S.E.2d 7 (1992).

At first glance, it might appear that software owned exclusively by the State falls within the definition of a public record, since the general definition of public record explicitly includes "magnetic or other tapes" and "electronic data-processing records." However, G.S. §132-6.1 addresses the manner in which electronic data-processing records fit within the context of public records generally, and clearly distinguishes between "software" and "electronic data-processing records". A careful examination of this statute reveals that software is distinguishable from the records which it creates. Since it is not a record, it cannot therefore be considered a public record, even if all rights of ownership of that software lie exclusively with the State.

Subsection (a) of G.S. §132-6.1 mandates that "After June 30, 1996, no public agency shall … acquire any electronic data-processing system for the storage, manipulation, or retrieval of public records unless it first determines that the system will not impair or impede the agency’s ability to permit the public inspection and examination, and to provide electronic copies of such records." It further states that "Nothing in this subsection shall be construed to require the retention by the public agency of obsolete hardware or software." G.S. §132-6.1(a) (Emphasis added).

This subsection clearly distinguishes between software and electronic data processing systems, and the public records generated by such software or systems. It does not address the retention of electronically stored or generated public records, that being left to other provisions of law. See, e.g., G.S. §132-3 and G.S. §121-5. However, this subsection does address the retention of "obsolete" software, and explicitly does not mandate its retention when no longer needed. Thus, while records compiled by software are protected by other provisions of law, the software which produces them may be disposed of by the agency when it becomes obsolete.

Similarly, subsection (b) mandates the creation of indexes of computer databases by public agencies which

… shall include, at a minimum, the following information with respect to each database listed therein: a list of the data fields; a description of the format or record layout; information as to the frequency with which the database is updated; a list of any data fields to which public access is restricted; a description of each form in which the database can be copied or reproduced using the agency’s computer facilities; and a schedule of fees for the production of copies in each available form. G.S. §132-6.1(b) (Emphasis added).

Again, the emphasis is on the database, or the "structured collection of data or documents residing in a database management program or spreadsheet software", and not the software or hardware used to create that database. G.S. §132-6.1(d)(1). It is the information residing within the program or the software which constitute the records, and not the software itself. Moreover, this provision concerns itself with identifying the data stored, the form in which it may be generated, and the cost of generating such data. It is silent regarding the software itself.

Subsection (c) also draws this distinction. It states that: Nothing in this section shall require a public agency to create a computer database that

the public agency has not otherwise created or is not otherwise required to be created.

Nothing in this section requires a public agency to disclose its software security,

including passwords.

G.S. §132-6.1(c) (Emphasis added).

The statute again focuses on the database rather than the software used to create the database. The first portion of this subsection is consistent with the more general provision found at G.S. 132-6.2(e) that "Nothing in this section shall be construed to require a public agency to respond to a request for a copy of a public record by creating or compiling a record that does not exist." The form of the database, the record itself, is determined by the software used to create it. Creating a different database involves giving software different instructions, reprogramming it, or perhaps even using different software altogether. In any case, the clear implication is that the database – the records – are separate and apart from the software that compiles them.

Moreover, the second portion of G.S. §132-6.1(c) removes "software security" measures from the domain of public records. While most people readily recognize the significance of passwords as being a part of computer security, software almost always contains security measures imbedded within the code. Some of these measures may be so innocuous as safeguards to prevent accidental entry or deletion of data or files. However, other measures may serve to protect the database from deliberate, unauthorized entry or modification of data, or corruption of the software or hardware by a computer virus.

Disclosing such software security provisions to the public would pose a significant risk of a breach of the security of a computer system, and release is not required. For example, with the Division of Motor Vehicles’ computer system, the obvious potential for harm lies in the ability to access its system. If the code contained in the software modules may be read and "reverse engineered" to decipher security safeguards, a creative hacker could access D.M.V.’s computer records, including non-public records, or worse yet, modify both public and non-public data. This would have potentially serious consequences for records maintained by the Division. G.S. §132

6.1 recognizes the danger inherent in such a breach of software security, and thus explicitly states that its release would not be required. Again, the software is distinguished from the records that software generates.

Finally, it should be noted that the working definitions contained within G.S. §132-6.1 explicitly distinguish software and programs from the data they generate, and thus evidence a clear intent by the Legislature to exclude computer software from the scope of public records. G.S. §1326.1(d) states:

(d) The following definitions apply in this section:

(1)
Computer database.–A structured collection of data or documents residing in a database management program or spreadsheet software.
(2)
Computer hardware.–Any tangible machine or device utilized for the
electronic storage, manipulation, or retrieval of data.
(3)
Computer program.–A series of instructions or statements that permit the

storage, manipulation, and retrieval of data within an electronic data-processing system, together with any associated documentation. The term does not include the original data, or any analysis, compilation, or manipulated form of the original data produced by the use of the program or software.

(4)
Computer software.–Any set or combination of computer programs. The term does not include the original data, or any analysis, compilation, or manipulated form of the original data produced by the use of the program or software.
(5)
Electronic data-processing system. — Computer hardware, computer software, or computer programs or any combination thereof, regardless of kind or origin.

(Emphasis added).

In summary, the explicit language of G.S. §132-6.1 distinguishes software used to generate records from records it generates. Thus, we are of the opinion that in light of current law, the General Assembly did not intend to mandate disclosure of State- owned computer software pursuant to G.S. §132-1 et seq.

Please bear in mind that nothing in this opinion should be construed to preclude any citizen from having full access to public records which are generated by State-owned software.

signed by:

Reginald L. Watkins Senior Deputy Attorney General

C. Norman Young

Assistant Attorney General