EPIC v. NSA: Google / NSA Relationship
- EPIC Seeks Legal Justification for NSA Domestic Surveillance Program: EPIC has filed a Freedom of Information Act request with the Department of Justice, seeking the agency's justification for the NSA domestic surveillance program. The Department of Justice authorized a request for "all call detail records or 'telephony metadata' created by Verizon for communications . . . (ii) wholly within the United States, including local telephone calls." By statute, the scope of the Foreign Intelligence Surveillance Court is limited to investigations concerning the collection of foreign intelligence. The Department of Justice and the President have been acknowledged that the Department conveyed information about the program to Congress. EPIC has asked Congress to determine whether the special court exceeded its authority when it compelled Verizon to turn over the records of millions of telephone customers. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 7, 2013)
- Congress Begins Investigation of NSA Domestic Surveillance Program: Following the revelation of that the National Security Agency is monitoring domestic communications, members of Congress are initiating new oversight proceedings. The Senate Intelligence Committee will review the program's legal authority. Members of the House Judiciary Committee wrote to President Obama, saying, "We believe this type of program is far too broad and inconsistent with our nation's founding principles." During a hearing of the Senate Appropriations Committee, Sen. Mark Kirk (R-IL)asked Attorney General Eric Holder whether the NSA has spied on members of Congress. EPIC has sent a letter to leaders in Congresscalling for an investigation into the NSA's activities, and alleging that the FISC's authorization of the Verizon search was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act.
(Jun. 7, 2013)
- EPIC to Congress: 'NSA Domestic Surveillance Program is Unlawful': EPIC has sent a letter to Congress charging that the National Security Agency's demand for domestic telephone records is unlawful. EPIC stated, "The Foreign Intelligence Surveillance Court ordered an American telephone company to disclose to the NSA records of wholly domestic communications. The FISC lacks the legal authority to grant this order." EPIC's letter calls on Congress to conduct hearings and determine whether the specialized court, charged with overseeing the collection of foreign intelligence, may also authorize surveillance of solely domestic communications. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 7, 2013)
- EPIC Seeks Documents on Government's Authority to Search Journalists' Email: EPIC has filed a Freedom of Information Act request with the Department of Justice Office of Legal Counsel, seeking documents explaining the DOJ's legal authority to search the electronic communications of reporters. Following news reports that the DOJ seized the telephone records of the Associated Press, EPIC's request seeks to discover the legal basis for the action as well as whether the DOJ could obtain the email or text messaging records of journalists. In 2005, EPIC filed the first FOIA request concerning the government's "warrantless wiretapping". EPIC eventually obtained emails and a memo (pdf) from a former high-level Justice Department official expressing doubt about the government's argument in favor of the legality of the program. EPIC also obtained internal messages (pdf) from the NSA's director to agency staff, defending the NSA's warrantless eavesdropping and discouraging employees from discussing the issue with the news media. For more information, see EPIC: Open Government, EPIC: New York Times v. DOJ. (May. 14, 2013)
- EPIC Obtains Documents on NSA's "Perfect Citizen" Program: The NSA has turned over documents on the controversial "Perfect Citizen" program to EPIC in response to a FOIA request. "Perfect Citizen" is an NSA program that monitors private networks in the United States. The redacted documents obtained from the federal agency by EPIC state that "[t]he prevention of a loss due to a cyber or physical attack [on Sensitive Control Systems, like large-scale utilities], or recovery of operational capability after such an event, is crucial to the continuity of the [Department of Defense] , the [Intelligence Community], and the operation of SIGNIT systems." The NSA claims that Perfect Citizen is merely a research and development program. The documents obtained by EPIC suggest that the program is operational. For more information, see EPIC: Perfect Citizen. (Jan. 2, 2013)
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive: EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority. (Nov. 27, 2012)
- Federal Appeals Courts Sides with NSA, Rejects EPIC's Arguments that Agency Should Provide Information About Collaboration with Google: The DC Circuit Court of Appeals ruled today the National Security Agency need neither "confirm nor deny" the existence of any records about the agency's relationship with Google, even after such a collaboration was widely reported in the national media. EPIC filed a Freedom of Information Act (FOIA) request with the NSA following a cyber attack in January 2010 that led Google to contact the NSA. The NSA refused to either confirm or deny the existence of responsive records, claiming that such information is exempt from disclosure under the NSA Act. EPIC challenged this "Glomar" response and argued that the agency had a responsibility to locate records that could be disclosed, but a lower court ruled in favor of the NSA and the appellate court affirmed. EPIC has several other pending FOIA matters concerning the NSA, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. For more information, see EPIC v. NSA: Google / NSA Relationship. (May. 11, 2012)
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards: The House of Representatives passed the Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a statement to the Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relatioship). (Apr. 27, 2012)
- EPIC to Argue for Disclosure of Google-NSA Agreement before Federal Appeals Court: EPIC will pursue its Freedom of Information Act request with the National Security Agency in scheduled arguments before the Court of Appeals for the DC Circuit this Tuesday morning. EPIC submitted the FOIA request in February 2010, following a widely reported collaboration between Google and the NSA after the China hack. The agency replied that it could "neither confirm nor deny" the existence of records responsive to EPIC's request. A lower court ruled in favor of the NSA, but EPIC has challenged that opinion, and the federal appeals court will hear the case on March 20, 2012. The case is EPIC v. NSA, No. 11-5233. (Mar. 19, 2012)
- Open Government Groups Oppose Cyber Security FOIA Exemption: Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create a new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity. (Mar. 14, 2012)
On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging an investigation into Google's cloud computing services to determine "the adequacy of the privacy and security safeguards." The complaint followed a reported security breach of Google Docs. EPIC observed that Google repeatedly assured consumers that their services stored user-generated data securely, but had opted to not encrypt the personal information stored or transmitted on its computer network by default.
On June 16, 2009, Christopher Soghoian wrote an open letter to Google CEO, Eric Schmidt that was joined by 37 researchers and academics in the fields of computer science, information security, and privacy law. The letter pointed out that Google had already employed encryption techniques to protect individuals' login information, but did not enable it to protect information transmitted over their network. The letter pointed out that, while the option to encrypt this information was available, it was difficult to locate, even for sophisticated users who were aware of what to look for.
Google opted to ignore both of these warnings.
On January 12, 2010, Google reported that the company had suffered a "highly sophisticated and coordinated" cyber attack originating from China. The attackers planted malicious code in Google's corporate networks, and resulted in the theft of Google's intellectual property, and at least the attempted access of the Gmail accounts of Chinese human rights activists. The following day, Google changed a key setting, causing all subsequent traffic to and from its electronic mail servers to be encrypted by default. On February 4, 2010, the Washington Post reported that Google had contacted the National Security Agency ("NSA") regarding the firm's security practices immediately following the attack. In addition, the Wall Street Journal stated that the NSA's general counsel had drafted a "cooperative research and development agreement" within 24 hours of Google's announcement of the attack, which authorized the Agency to "examine some of the data related to the intrusion into Google's systems."
EPIC's Freedom of Information Act Requests and Subsequent Lawsuit
On February 4, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the National Security Agency ("NSA"). EPIC requested the following agency records:
- All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
- All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
- All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
By letter dated March 10, the NSA acknowledged receipt of EPIC's FOIA Request and granted EPIC's request for a fee waiver. The NSA's letter invoked FOIA exemption b(3) and Section 6 of the National Security Agency Act in order to issue a Glomar response. A Glomar response is the Agency's act of neither confirming nor denying the existence of Agency records responsive to the Request.
On May 7, 2010, EPIC filed an administrative appeal stating that the NSA had failed to present factual evidence that the requested documents fell within Section 6 and that established FOIA exemptions could sufficiently conceal protected information. The NSA never replied to EPIC's appeal or produced responsive documents. EPIC filed a complaint in United States District Court for the District of Columbia on September 13, 2010. The NSA argued that the Agency was under no obligation to conduct a search prior to determining that any potentially responsive records would implicate the Agency's functions or activities. Judge Richard Leon deferred to the NSA's judgment in a Memorandum Opinion dated July 8, 2011. EPIC filed a Notice of Appeal in the D.C. Circuit Court on September 9, 2011. Oral argument is schedule for March 20, 2012 before Judge Brown, Judge Kavanaugh, and Judge Ginsburg.
The Glomar Doctrine
In a unique category of FOIA cases, an agency may issue a “Glomar response” and refuse to confirm or deny the existence of records. Gardels v. CIA, 689 F.2d 1100, 1103 (D.C. Cir. 1982); see also Miller v. Casey, 730 F.2d 773, 776-77 (D.C. Cir. 1984); Phillippi v. CIA, 546 F.2d 1009, 1012 (D.C. Cir. 1976). Courts uphold Glomar responses when “to answer the FOIA inquiry would cause harm cognizable under” an applicable statutory exemption. Gardels, 689 F.2d at 1103. Glomar responses must be tethered to a specific exemption. The agency must demonstrate that acknowledging the mere existence of responsive records would disclose exempt information. Wolf v. CIA, 473 F.3d 370, 374 (D.C. Cir. 2007).
In Glomar cases, courts may grant summary judgment on the basis of agency affidavits that contain “reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Gardels, 689 F.2d at 1104-05 (citing Halperin v, CIA, 629 F.2d 144, 148 (D.C. Cir. 1980)). The supporting affidavit must give a “logical” justification for the Glomar response based on “general exemption review standards established in non-Glomar cases.” Wolf, 473 F.3d at 375. “Very importantly, ‘the burden is on the agency to sustain its action.’” Founding Church of Scientology of Washington, D.C., Inc. v. NSA, 610 F.2d 824, 830 (D.C. Cir. 1979). This Circuit has made clear that “‘[c]onclusory and generalized allegations of exemptions’ are unacceptable; if the court is unable to sustain nondivulgence on the basis of affidavits, in camera inspection may well be in order.” Wolf, 473 F.3d at 375.
EPIC v. National Security Agency, Case No. 10-1533 (RJL) (D.D.C. filed Sept. 13, 2010)
- EPIC's Complaint Against NSA (Sept. 13, 2010) (pdf)
- NSA's Answer to EPIC's Complaint (Oct. 27, 2010) (pdf)
- NSA Motion for Summary Judgment (Dec. 22, 2010) (pdf)
- EPIC's Opposition and Cross Motion for Summary Judgment (Jan. 28, 2011) (pdf)
- NSA's Opposition and Reply (Feb. 18, 2011) (pdf)
- EPIC's Reply (Mar. 4, 2011) (pdf)
- District Court Memorandum Opinion, 798 F.Supp.2d 26 (D.D.C. 2011) (July 8, 2011) (pdf)
EPIC v. National Security Agency, Case No. 11-5233 (D.C.Cir. filed Sept. 9, 2011)
- EPIC's Notice of Appeal (Sept. 9, 2011) (pdf)
- Order Setting Briefing Schedule (Nov. 16, 2011) (pdf)
- Order Scheduling Oral Argument (Nov. 22, 2011) (pdf)
- EPIC's Opening Brief (Jan. 3, 2012) (pdf)
- Joint Appendix (Jan. 3, 2012) (pdf)
- NSA's Opening Brief (Jan. 26, 2012) (pdf)
- EPIC's Reply Brief (Feb. 16, 2012) (pdf)
- EPIC's February 4, 2010 request for agency records under the Freedom of Information Act
- NSA's March 10, 2010 letter acknowledging of receipt of EPIC's FOIA request and invoking the Glomar Response
- EPIC's May 7, 2010 Administrative Appeal to the NSA
- In 1976, NSA Was Tasked to Help Secure Private Communications, Secrecy News, March 12, 2012.
- DOJ Asks Court To Keep Secret Any Partnership Between Google, NSA, BLT: The Blog of Legal Times, March 9, 2012.
- A New Approach to China, Google Blog, January 12, 2010.
- Mike McConnell on How to Win the Cyber-War We're Losing, Washington Post, February 28, 2010.
- Google to enlist NSA to help it ward off cyberattacks, Washington Post, February 4, 2010.
- Google Working With NSA to Investigate Cyber Attack, Wall Street Journal, February 4, 2010.
- Default https access for Gmail, Google Blog, January 13, 2010.
- HTTPS Security for Web Applications, Google Security Blog, June 1, 2009.
- In re: Google, Inc. and Cloud Computing Services, EPIC, March 17, 2009.
- Letter from Eileen Harrington, Acting Director, Bureau of Consumer Protection (FTC), EPIC, March 18, 2009.
- An open letter to Google's CEO, Eric Schmidt, Christopher Soghoian, June 16, 2009.