EPIC v. NSA: Google / NSA Relationship
- Supreme Court Declines EPIC’s Challenge to NSA Domestic Surveillance Program, Leaves in Place Order of Surveillance Court: Today the Supreme Court denied review of In re EPIC, a direct challenge to the NSA telephone record collection program. EPIC argued that an order of the secretive Surveillance Court that required Verizon to turn over all customer records exceeded legal authority. "It is simply not possible that every phone record in the possession of Verizon is relevant to a national security investigation," EPIC stated. EPIC asked the Supreme Court to overturn the order of the Foreign Intelligence Surveillance Court. Prominent legal scholars and members of the Church Committee who wrote the law agreed. Four groups filed amicus briefs in support and urged the Supreme Court to grant EPIC’s petition. However, the Supreme Court, without comment, declined to hear the case. For more information, see In re EPIC, In re EPIC Press Release. (Nov. 18, 2013)
- Supreme Court to Consider EPIC Challenge to NSA Program This Week: The Supreme Court is scheduled to consider EPIC's challenge to the NSA telephone record collection program at conference this week. EPIC has asked the Court to overturn an order of the Foreign Intelligence Surveillance Court that compelled Verizon to produce all of the telephone records of all of its customers to the NSA. EPIC said that this order clearly exceeded the authority of the surveillance court. The EPIC Petition was distributed to the Justices last week along with briefs by former Church committee members and prominent scholars in information law, federal jurisdiction, and constitutional law, who all urged the Supreme Court to grant the EPIC petition. For more information, see In re EPIC. (Nov. 12, 2013)
- EPIC Supports Campaign to End Mass Surveillance: EPIC joined more than one hundred organizations at the Stop Watching Us rally October 28 in Washington DC. EPIC Counsel Khaliah Barnes told the crowd, "First they ignore us, then they laugh at us, then they fight us, and then we win." The night before the rally, EPIC organized a crypto party with Public Citizen. Featured speakers included Bruce Schneier and Libertarian Presidential candidate Gary Johnson. EPIC has filed a Supreme Court challenge to the NSA telephone record collection program. For more information, see In re EPIC - NSA Telephone Records Surveillance. (Oct. 29, 2013)
- In EPIC v. NSA, Court Rules Presidential Directives are Not Subject to FOIA but Orders Release of Additional Documents to EPIC: A federal court has issued an opinion in EPIC v. NSA, EPIC's Freedom of Information Act lawsuit concerning the government's policy for the security of American computer networks. As a result of the lawsuit, EPIC obtained documents that the National Security Agency had withheld from the public. The documents concern NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the US. EPIC also challenged the NSA's decision to withheld several other records including the National Security Presidential Directive 54. A federal district court has now ruled that NSPD 54 is not subject to the FOIA because it was not under "the control" of the National Security Agency and the other federal agencies and officials who received the presidential directive. The Court also ordered to the NSA to identify and release other documents to EPIC.For more information, see: EPIC v. NSA - Cybersecurity Authority. (Oct. 23, 2013)
- EPIC, Coalition Urge NSA to Comply with Privacy Act: EPIC, joined by a coalition of privacy, consumer rights, and civil rights organizations, has urged the Department of Defense to require the National Security Agency to comply with the federal Privacy Act, the primary law protecting personal information held by the federal government. The comments came in response to a proposed agency rule that would amend the Defense Department's privacy program. The organizations noted that the National Security Agency is a component of the Defense Department and subject to agency regulations. EPIC and the coalition stated, "The DOD must ensure that the NSA complies with the Privacy Act by publishing additional system of records notices and otherwise adhering to the Privacy Act before it can adopt its current proposal." Although the NSA has identified twenty-six Privacy Act databases, recent revelations by the Guardian suggest that there are many other databases subject to the Privacy Act that should be identified. EPIC has also petitioned the Supreme Court, challenging to the NSA's telephone record collection program. For more information, see In re EPIC. (Oct. 22, 2013)
- Government Responds to EPIC's Supreme Court Challenge of NSA Telephone Record Program: The Solicitor General has filed a response to EPIC's challenge to the NSA's telephone record collection program. In July, EPIC petitioned the Supreme Court to vacate the order of the Foreign Intelligence Surveillance Court that requires Verizon to turn over all telephone records to the NSA. EPIC argued that the Intelligence Court exceeded its legal authority and could not compel a telephone company to disclose so much personal information unrelated to a foreign intelligence investigation. Legal scholars and former Members of Congress filed briefs in support of EPIC's petition, including privacy and national security scholars, constitutional scholars, federal courts scholars, and members of the Church Committee. Congressman James Sensenbrenner, the primary author of the Patriot Act, has said that the telephone records collection program was never authorized by Section 215. For more information, see In re EPIC. (Oct. 14, 2013)
- Foreign Intelligence Court Releases Controversial Opinion on Domestic Telephone Records Program: The Foreign Intelligence Surveillance Court (FISC) has released an Opinion, justifying the NSA's telephone record collection program. In the Opinion, Judge Claire Eagan states that "there is no Fourth Amendment impediment to the collection" of all domestic call detail records. Judge Eagan also concluded that all domestic call detail records are "relevant" under Section 215 because "individuals associated with international terrorist organizations use telephonic systems to communicate" and because the government argued that bulk collection is 'necessary to create a historical repository of metadata' in order to identify 'known and unknown operatives. This FISC opinion was issued more than a month after EPIC filed its Mandamus Petition challenging the NSA domestic surveillance in the U.S. Supreme Court. The Eagan opinion has also been criticized by legal scholars. For more information, see In re EPIC. (Sep. 20, 2013)
- Office of National Intelligence Releases New Documents on NSA Surveillance: The Office of the Director of National Intelligence has just released new documents concerning the NSA's surveillance programs. The documents, which include numerous filings with the Foreign Intelligence Surveillance Court, date back to 2006. The documents specifically relate to the governments collection of information under Section 215 of the USA PATRIOT Act. In a Mandamus Petition to the United States Supreme Court, EPIC has argued that the FISA Court exceeded the statutory authority under Section 215 when it authorized bulk collection of American's telephone records in an Order concerning Verizon. Under Section 215, the FISA Court may order businesses to produce records that are "relevant" to an authorized national security investigation, but the Verizon Order requires production of all domestic telephone records on an ongoing basis. For more information, see EPIC: In re EPIC - NSA Telephone Records Surveillance. (Sep. 11, 2013)
- EPIC Meets with President's Intelligence Review Group: EPIC President Marc Rotenberg and EPIC Advisory Board Member Steve Aftergood met today with the Review Group on Intelligence and Communication Technology. The President tasked the panel with the responsibility to assess whether the "United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust." EPIC submitted detailed recommendations and included copies of EPIC's Supreme Court petition, arguing that the current domestic surveillance program is unlawful, as well as EPIC's Congressional testimony on the FISA Amendments Act and EPIC's 2010 letter to the Foreign Intelligence Surveillance Court concerning reform of FISA procedures. The panel will accept comments from the public until October 4, 2013. Comments are to be sent to firstname.lastname@example.org, which oddly is the domain of the current Director of National Intelligence. (Sep. 9, 2013)
- European Parliament Begins Hearings on NSA Surveillance: The European Parliament will hold a hearing, "Electronic Mass Surveillance of EU Citizens," on September 5, 2013. The hearing is hosted by the Committee on Civil Liberties, Justice, and Home Affairs ("LIBE Committee"). Witnesses include journalists and the Editor-in-Chief of the Guardian as well as current and former government officials. The hearing will focus on surveillance conducted by the United States, but will also address EU-Member State surveillance. A live stream will be accessible. The hearings is the first in a series mandated by a resolution of the European Parliament. EPIC has filed a Petition for a Writ of Mandamus in the U.S. Supreme Court, calling the National Security Agency's practice of collecting U.S. person phone call information unlawful. For more information, see EPIC: In re EPIC - NSA Telephone Records Surveillance. (Sep. 4, 2013)
On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging an investigation into Google's cloud computing services to determine "the adequacy of the privacy and security safeguards." The complaint followed a reported security breach of Google Docs. EPIC observed that Google repeatedly assured consumers that their services stored user-generated data securely, but had opted to not encrypt the personal information stored or transmitted on its computer network by default.
On June 16, 2009, Christopher Soghoian wrote an open letter to Google CEO, Eric Schmidt that was joined by 37 researchers and academics in the fields of computer science, information security, and privacy law. The letter pointed out that Google had already employed encryption techniques to protect individuals' login information, but did not enable it to protect information transmitted over their network. The letter pointed out that, while the option to encrypt this information was available, it was difficult to locate, even for sophisticated users who were aware of what to look for.
Google opted to ignore both of these warnings.
On January 12, 2010, Google reported that the company had suffered a "highly sophisticated and coordinated" cyber attack originating from China. The attackers planted malicious code in Google's corporate networks, and resulted in the theft of Google's intellectual property, and at least the attempted access of the Gmail accounts of Chinese human rights activists. The following day, Google changed a key setting, causing all subsequent traffic to and from its electronic mail servers to be encrypted by default. On February 4, 2010, the Washington Post reported that Google had contacted the National Security Agency ("NSA") regarding the firm's security practices immediately following the attack. In addition, the Wall Street Journal stated that the NSA's general counsel had drafted a "cooperative research and development agreement" within 24 hours of Google's announcement of the attack, which authorized the Agency to "examine some of the data related to the intrusion into Google's systems."
EPIC's Freedom of Information Act Requests and Subsequent Lawsuit
On February 4, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the National Security Agency ("NSA"). EPIC requested the following agency records:
- All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
- All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
- All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
By letter dated March 10, the NSA acknowledged receipt of EPIC's FOIA Request and granted EPIC's request for a fee waiver. The NSA's letter invoked FOIA exemption b(3) and Section 6 of the National Security Agency Act in order to issue a Glomar response. A Glomar response is the Agency's act of neither confirming nor denying the existence of Agency records responsive to the Request.
On May 7, 2010, EPIC filed an administrative appeal stating that the NSA had failed to present factual evidence that the requested documents fell within Section 6 and that established FOIA exemptions could sufficiently conceal protected information. The NSA never replied to EPIC's appeal or produced responsive documents. EPIC filed a complaint in United States District Court for the District of Columbia on September 13, 2010. The NSA argued that the Agency was under no obligation to conduct a search prior to determining that any potentially responsive records would implicate the Agency's functions or activities. Judge Richard Leon deferred to the NSA's judgment in a Memorandum Opinion dated July 8, 2011. EPIC filed a Notice of Appeal in the D.C. Circuit Court on September 9, 2011. Oral argument is schedule for March 20, 2012 before Judge Brown, Judge Kavanaugh, and Judge Ginsburg.
The Glomar Doctrine
In a unique category of FOIA cases, an agency may issue a “Glomar response” and refuse to confirm or deny the existence of records. Gardels v. CIA, 689 F.2d 1100, 1103 (D.C. Cir. 1982); see also Miller v. Casey, 730 F.2d 773, 776-77 (D.C. Cir. 1984); Phillippi v. CIA, 546 F.2d 1009, 1012 (D.C. Cir. 1976). Courts uphold Glomar responses when “to answer the FOIA inquiry would cause harm cognizable under” an applicable statutory exemption. Gardels, 689 F.2d at 1103. Glomar responses must be tethered to a specific exemption. The agency must demonstrate that acknowledging the mere existence of responsive records would disclose exempt information. Wolf v. CIA, 473 F.3d 370, 374 (D.C. Cir. 2007).
In Glomar cases, courts may grant summary judgment on the basis of agency affidavits that contain “reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Gardels, 689 F.2d at 1104-05 (citing Halperin v, CIA, 629 F.2d 144, 148 (D.C. Cir. 1980)). The supporting affidavit must give a “logical” justification for the Glomar response based on “general exemption review standards established in non-Glomar cases.” Wolf, 473 F.3d at 375. “Very importantly, ‘the burden is on the agency to sustain its action.’” Founding Church of Scientology of Washington, D.C., Inc. v. NSA, 610 F.2d 824, 830 (D.C. Cir. 1979). This Circuit has made clear that “‘[c]onclusory and generalized allegations of exemptions’ are unacceptable; if the court is unable to sustain nondivulgence on the basis of affidavits, in camera inspection may well be in order.” Wolf, 473 F.3d at 375.
EPIC v. National Security Agency, Case No. 10-1533 (RJL) (D.D.C. filed Sept. 13, 2010)
- EPIC's Complaint Against NSA (Sept. 13, 2010) (pdf)
- NSA's Answer to EPIC's Complaint (Oct. 27, 2010) (pdf)
- NSA Motion for Summary Judgment (Dec. 22, 2010) (pdf)
- EPIC's Opposition and Cross Motion for Summary Judgment (Jan. 28, 2011) (pdf)
- NSA's Opposition and Reply (Feb. 18, 2011) (pdf)
- EPIC's Reply (Mar. 4, 2011) (pdf)
- District Court Memorandum Opinion, 798 F.Supp.2d 26 (D.D.C. 2011) (July 8, 2011) (pdf)
EPIC v. National Security Agency, Case No. 11-5233 (D.C.Cir. filed Sept. 9, 2011)
- EPIC's Notice of Appeal (Sept. 9, 2011) (pdf)
- Order Setting Briefing Schedule (Nov. 16, 2011) (pdf)
- Order Scheduling Oral Argument (Nov. 22, 2011) (pdf)
- EPIC's Opening Brief (Jan. 3, 2012) (pdf)
- Joint Appendix (Jan. 3, 2012) (pdf)
- NSA's Opening Brief (Jan. 26, 2012) (pdf)
- EPIC's Reply Brief (Feb. 16, 2012) (pdf)
- EPIC's February 4, 2010 request for agency records under the Freedom of Information Act
- NSA's March 10, 2010 letter acknowledging of receipt of EPIC's FOIA request and invoking the Glomar Response
- EPIC's May 7, 2010 Administrative Appeal to the NSA
- In 1976, NSA Was Tasked to Help Secure Private Communications, Secrecy News, March 12, 2012.
- DOJ Asks Court To Keep Secret Any Partnership Between Google, NSA, BLT: The Blog of Legal Times, March 9, 2012.
- A New Approach to China, Google Blog, January 12, 2010.
- Mike McConnell on How to Win the Cyber-War We're Losing, Washington Post, February 28, 2010.
- Google to enlist NSA to help it ward off cyberattacks, Washington Post, February 4, 2010.
- Google Working With NSA to Investigate Cyber Attack, Wall Street Journal, February 4, 2010.
- Default https access for Gmail, Google Blog, January 13, 2010.
- HTTPS Security for Web Applications, Google Security Blog, June 1, 2009.
- In re: Google, Inc. and Cloud Computing Services, EPIC, March 17, 2009.
- Letter from Eileen Harrington, Acting Director, Bureau of Consumer Protection (FTC), EPIC, March 18, 2009.
- An open letter to Google's CEO, Eric Schmidt, Christopher Soghoian, June 16, 2009.