Focusing public attention on emerging privacy and civil liberties issues

EPIC v. NSA: Google / NSA Relationship

Top News

  • President Obama Renews Unlawful, Ineffective Surveillance Authority: According to the Attorney General and the Director of National Intelligence, President Obama has renewed the NSA's authority to collect all of the telephone records of all American telephone customers. The "Section 215" program exceeded Congressional authority and was found to be ineffective by two expert panels. At a speech on January 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists. However, according to DNI Clapper, the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and the FISC issued an order approving the government's application. The order issued expires on June 20, 2014. EPIC and others have strongly objected to the renewal of the 215 program. For more information, see EPIC In re EPIC. (Mar. 29, 2014)
  • Senator Leahy Urges President to End NSA Record Collection Program on Friday: In remarks published this week, Senator Patrick Leahy, Chairman of the Senate Judiciary Committee and co-sponsor of the USA FREEDOM Act, said "I welcome the President's statement that he plans to end the bulk collection of American’s phone records. That is a key element of what I and others have outlined in the USA FREEDOM Act, and that is what the American people have been demanding." Senator Leahy added, "the President could end bulk collection once and for all on Friday by not seeking reauthorization of this program. Rather than postponing action any longer, I hope he chooses this path." EPIC and others have urged the President not to renew the NSA telephone record collection authority when it expires this week. For more information, see In re EPIC. (Mar. 27, 2014)
  • Deadline Approaches for End of NSA's Telephone Record Collection Program: March 28 marks the deadline set by President Obama to end the NSA's bulk collection of American's telephone records. Last week, Attorney General Eric Holder confirmed that the Justice Department is ready to meet the deadline that the President has set. After extensive meetings with leaders of the Intelligence Community, both the President's Review Group and the Privacy and Civil Liberties Oversight Board found the program was ineffective and likely exceeded current legal authority. Senator Leahy, who held extensive public hearings, has stated "This program is not effective. It has to end." EPIC, supported by dozens of legal scholars and former members of the Church Committee, petitioned the US Supreme Court in July 2013 to end the "215" program. For more information, see In re EPIC and EPIC: NSA Verizon Phone Record Monitoring. (Mar. 24, 2014)
  • Review Group to Senate: NSA Program Has Not Prevented Threats: Members of the President's Review Group presented their recommendations for NSA reform a Senate Judiciary Committee hearing. EPIC participated in the work of the Review Group. The export panel set out 46 recommendations on a range of issues from reforming intelligence surveillance directed at United States persons to promoting prosperity, security, and openness in the networked world. The Members stated the the NSA's bulk collection of metadata had not prevented threats against the United States and recommend that the it be ended. Acknowledging privacy concerns, former CIA Deputy Director Michael Morrell also stated that "there is quite a bit of content in metadata." Last year, EPIC filed a petition in the Supreme Court challenging the legality of the NSA's telephone record collection program. Legal scholars and former members of the Church Committee supported the EPIC petition. The Supreme Court dismissed the petition without ruling on the merits. For more information, see In re EPIC.
    "there is quite a bit of content in metadata" - Morrell, former CIA Deputy Director (Jan. 15, 2014)
  • Presidential Task Force to Recommend Changes at NSA : The Review Group on Intelligence and Communications Technologies, established to recommend surveillance reforms, will send a final report to the President this Sunday. According to one news article, the task force will recommend putting a civilian leader in charge of NSA, separating out the code-breaking "Information Assurance Directorate," and splitting the U.S. Cyber Command off into a separate military unit. The Review Group will also recommend new limits on the NSA’s ability to search telephone call records, proposing that telephone records be stored with a third party rather than the NSA. The group will also recommend safeguards for the data of European citizens, and restrictions on the use of National Security Letters. Earlier this year, EPIC filed a petition with the U.S. Supreme Court, supported by legal scholars and former members of the Church Committee, arguing that the NSA bulk collection program was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Foreign Intelligence Surveillance Act Reform, and EPIC: In re EPIC. (Dec. 13, 2013)
  • EPIC Files Lawsuit to Determine Legal Authority For PRISM Program: EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice's Office of Legal Counsel for the secret legal analyses that justifies the use of the NSA PRISM program. PRISM is a program that allows the FBI and NSA to collect information - including the contents of internet users' communications - directly from internet service providers, and without a warrant. Through this lawsuit, EPIC seeks to clarify which, if any, legal authority would permit such extensive domestic surveillance of personal activities. The secrecy of these opinions is of increasing concern to Open Government advocates. EPIC, joined by a coalition of FOIA organizations, recently filed an amicus brief in support of a New York Times lawsuit for opinions of the Office of Legal Counsel. For more information, see EPIC v. DOJ - PRISM. (Nov. 25, 2013)
  • Supreme Court Declines EPIC's Challenge to NSA Domestic Surveillance Program, Leaves in Place Order of Surveillance Court: Today the Supreme Court denied review of In re EPIC, a direct challenge to the NSA telephone record collection program. EPIC argued that an order of the secretive Surveillance Court that required Verizon to turn over all customer records exceeded legal authority. "It is simply not possible that every phone record in the possession of Verizon is relevant to a national security investigation," EPIC stated. EPIC asked the Supreme Court to overturn the order of the Foreign Intelligence Surveillance Court. Prominent legal scholars and members of the Church Committee who wrote the law agreed. Four groups filed amicus briefs in support and urged the Supreme Court to grant EPIC’s petition. However, the Supreme Court, without comment, declined to hear the case. For more information, see In re EPIC, In re EPIC Press Release. (Nov. 18, 2013)
  • Supreme Court to Consider EPIC Challenge to NSA Program This Week: The Supreme Court is scheduled to consider EPIC's challenge to the NSA telephone record collection program at conference this week. EPIC has asked the Court to overturn an order of the Foreign Intelligence Surveillance Court that compelled Verizon to produce all of the telephone records of all of its customers to the NSA. EPIC said that this order clearly exceeded the authority of the surveillance court. The EPIC Petition was distributed to the Justices last week along with briefs by former Church committee members and prominent scholars in information law, federal jurisdiction, and constitutional law, who all urged the Supreme Court to grant the EPIC petition. For more information, see In re EPIC. (Nov. 12, 2013)
  • EPIC Supports Campaign to End Mass Surveillance: EPIC joined more than one hundred organizations at the Stop Watching Us rally October 28 in Washington DC. EPIC Counsel Khaliah Barnes told the crowd, "First they ignore us, then they laugh at us, then they fight us, and then we win." The night before the rally, EPIC organized a crypto party with Public Citizen. Featured speakers included Bruce Schneier and Libertarian Presidential candidate Gary Johnson. EPIC has filed a Supreme Court challenge to the NSA telephone record collection program. For more information, see In re EPIC - NSA Telephone Records Surveillance. (Oct. 29, 2013)
  • In EPIC v. NSA, Court Rules Presidential Directives are Not Subject to FOIA but Orders Release of Additional Documents to EPIC: A federal court has issued an opinion in EPIC v. NSA, EPIC's Freedom of Information Act lawsuit concerning the government's policy for the security of American computer networks. As a result of the lawsuit, EPIC obtained documents that the National Security Agency had withheld from the public. The documents concern NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the US. EPIC also challenged the NSA's decision to withheld several other records including the National Security Presidential Directive 54. A federal district court has now ruled that NSPD 54 is not subject to the FOIA because it was not under "the control" of the National Security Agency and the other federal agencies and officials who received the presidential directive. The Court also ordered to the NSA to identify and release other documents to EPIC.For more information, see: EPIC v. NSA - Cybersecurity Authority. (Oct. 23, 2013)

Background

On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging an investigation into Google's cloud computing services to determine "the adequacy of the privacy and security safeguards." The complaint followed a reported security breach of Google Docs. EPIC observed that Google repeatedly assured consumers that their services stored user-generated data securely, but had opted to not encrypt the personal information stored or transmitted on its computer network by default.

On June 16, 2009, Christopher Soghoian wrote an open letter to Google CEO, Eric Schmidt that was joined by 37 researchers and academics in the fields of computer science, information security, and privacy law. The letter pointed out that Google had already employed encryption techniques to protect individuals' login information, but did not enable it to protect information transmitted over their network. The letter pointed out that, while the option to encrypt this information was available, it was difficult to locate, even for sophisticated users who were aware of what to look for.

Google opted to ignore both of these warnings.

On January 12, 2010, Google reported that the company had suffered a "highly sophisticated and coordinated" cyber attack originating from China. The attackers planted malicious code in Google's corporate networks, and resulted in the theft of Google's intellectual property, and at least the attempted access of the Gmail accounts of Chinese human rights activists. The following day, Google changed a key setting, causing all subsequent traffic to and from its electronic mail servers to be encrypted by default. On February 4, 2010, the Washington Post reported that Google had contacted the National Security Agency ("NSA") regarding the firm's security practices immediately following the attack. In addition, the Wall Street Journal stated that the NSA's general counsel had drafted a "cooperative research and development agreement" within 24 hours of Google's announcement of the attack, which authorized the Agency to "examine some of the data related to the intrusion into Google's systems."

EPIC's Freedom of Information Act Requests and Subsequent Lawsuit

On February 4, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the National Security Agency ("NSA"). EPIC requested the following agency records:

  • All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
  • All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
  • All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.

By letter dated March 10, the NSA acknowledged receipt of EPIC's FOIA Request and granted EPIC's request for a fee waiver. The NSA's letter invoked FOIA exemption b(3) and Section 6 of the National Security Agency Act in order to issue a Glomar response. A Glomar response is the Agency's act of neither confirming nor denying the existence of Agency records responsive to the Request.

On May 7, 2010, EPIC filed an administrative appeal stating that the NSA had failed to present factual evidence that the requested documents fell within Section 6 and that established FOIA exemptions could sufficiently conceal protected information. The NSA never replied to EPIC's appeal or produced responsive documents. EPIC filed a complaint in United States District Court for the District of Columbia on September 13, 2010. The NSA argued that the Agency was under no obligation to conduct a search prior to determining that any potentially responsive records would implicate the Agency's functions or activities. Judge Richard Leon deferred to the NSA's judgment in a Memorandum Opinion dated July 8, 2011. EPIC filed a Notice of Appeal in the D.C. Circuit Court on September 9, 2011. Oral argument is schedule for March 20, 2012 before Judge Brown, Judge Kavanaugh, and Judge Ginsburg.

The Glomar Doctrine

In a unique category of FOIA cases, an agency may issue a “Glomar response” and refuse to confirm or deny the existence of records. Gardels v. CIA, 689 F.2d 1100, 1103 (D.C. Cir. 1982); see also Miller v. Casey, 730 F.2d 773, 776-77 (D.C. Cir. 1984); Phillippi v. CIA, 546 F.2d 1009, 1012 (D.C. Cir. 1976). Courts uphold Glomar responses when “to answer the FOIA inquiry would cause harm cognizable under” an applicable statutory exemption. Gardels, 689 F.2d at 1103. Glomar responses must be tethered to a specific exemption. The agency must demonstrate that acknowledging the mere existence of responsive records would disclose exempt information. Wolf v. CIA, 473 F.3d 370, 374 (D.C. Cir. 2007).

In Glomar cases, courts may grant summary judgment on the basis of agency affidavits that contain “reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Gardels, 689 F.2d at 1104-05 (citing Halperin v, CIA, 629 F.2d 144, 148 (D.C. Cir. 1980)). The supporting affidavit must give a “logical” justification for the Glomar response based on “general exemption review standards established in non-Glomar cases.” Wolf, 473 F.3d at 375. “Very importantly, ‘the burden is on the agency to sustain its action.’” Founding Church of Scientology of Washington, D.C., Inc. v. NSA, 610 F.2d 824, 830 (D.C. Cir. 1979). This Circuit has made clear that “‘[c]onclusory and generalized allegations of exemptions’ are unacceptable; if the court is unable to sustain nondivulgence on the basis of affidavits, in camera inspection may well be in order.” Wolf, 473 F.3d at 375.

Legal Documents

EPIC v. National Security Agency, Case No. 10-1533 (RJL) (D.D.C. filed Sept. 13, 2010)

EPIC v. National Security Agency, Case No. 11-5233 (D.C.Cir. filed Sept. 9, 2011)

Freedom of Information Act Documents

Resources