EPIC - EPIC v. NSA: Google / NSA Relationship

EPIC v. NSA: Google / NSA Relationship

Top News |
Background |
Legal Documents |
Freedom of Information Act Documents |
Resources |

Top News

EPIC to Argue for Disclosure of Google-NSA Agreement before Federal Appeals Court: EPIC will pursue its Freedom of Information Act request with the National Security Agency in scheduled arguments before the Court of Appeals for the DC Circuit this Tuesday morning. EPIC submitted the FOIA request in February 2010, following a widely reported collaboration between Google and the NSA after the China hack. The agency replied that it could "neither confirm nor deny" the existence of records responsive to EPIC's request. A lower court ruled in favor of the NSA, but EPIC has challenged that opinion, and the federal appeals court will hear the case on March 20, 2012. The case is EPIC v. NSA, No. 11-5233. (Mar. 19, 2012)
Open Government Groups Oppose Cyber Security FOIA Exemption: Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create a new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity. (Mar. 14, 2012)
EPIC Urges Senate to Safeguard FOIA for Cybersecurity: In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity. (Mar. 12, 2012)
Federal Court Revives Suit Over NSA Dragnet Surveillance: A federal appeals recently revived a lawsuit, Jewel v. NSA, challenging the NSA's use of the nation's largest telecommunication providers to conduct suspicionless surveillance of Americans. The three-judge panel reversed a lower court decision that rejected claims based on lack of standing. The case will now return to the district court for a decision on the merits. The same three-judge panel also rejected a related suit against the telecommunications providers, Hepting v. AT&T, based on the "retroactive immunity" provided by Congress in 2008. EPIC, in cooperation with the Stanford Constitutional Law Center, filed a "Friend of the Court" brief in support of the plaintiffs in these cases, arguing that statutory and constitutional privacy violations are sufficient to establish standing, and that the state secrets doctrine should not bar adjudication. For more information, see EPIC: Hepting v. AT&T and EPIC: NSA Warrantless Surveillance. (Jan. 5, 2012)
EPIC Urges Appeals Court to Shed Light on Google-NSA Agreement: EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google's implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship. (Jan. 4, 2012)
EPIC v. NSA: Agency Can "Neither Confirm Nor Deny" Google Ties: A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA's claim that it can "neither confirm nor deny" that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The "Glomar response," to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA's cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director's classified views on how the NSA's practices impact Internet privacy, and the NSA's "Perfect Citizen" program. (Jul. 13, 2011)
EPIC v. NSA: FOIA Suit for Cybersecurity Authority Will Move Forward, though National Security Council Remains a "FOIA-Free Zone": A District of Columbia federal court ordered an EPIC lawsuit against the National Security Agency to proceed, holding that EPIC can "pursue its claim against the NSA for wrongfully withholding an agency record in its possession." EPIC's Freedom of Information Act suit seeks disclosure of National Security Presidential Directive 54 - the document that provides the legal basis for the NSA's cybersecurity activities. The NSA failed to disclose the document in response to EPIC's FOIA request, instead forwarding the request to the National Security Council. The Court held that the NSC is not subject to FOIA, but that the NSA's transfer of EPIC's request does not absolve the agency of its responsibility to respond to EPIC. For more, see: EPIC: EPIC v. NSA. (Jul. 8, 2011)
EPIC v. NSA FOIA Lawsuit: NSA Will Neither Confirm Nor Deny Communications with Google: In a Freedom of Information Act lawsuit filed by EPIC against the National Security Agency for information about the NSA's relationship with Google, the NSA has replied that "confirming or denying the existence of any such records would reveal information relating to its core functions and activities . . ." EPIC sought the information, including a widely discussed cooperative research agreement between NSA and Google, because the agency's practices would impact the privacy interests of millions of Internet users both in the United States and around the world. The case is EPIC v. NSA, Civ. Action No. 10-1533 (RJL). EPIC has a related release against the NSA concerning the agency's cybersecurity authority. For more information, see EPIC - EPIC v. NSA. (Feb. 18, 2011)
EPIC Files Suit For Documents Regarding Google/NSA Partnership: Today, EPIC filed a Freedom of Information Act lawsuit against the National Security Agency in the United States District Court in the District of Columbia. The agency failed to respond to EPIC's FOIA request for documents about an "Information Assurance" partnership with Google. EPIC previously appealed to the agency to comply with its legal duty to produce the documents, but he agency failed to respond. EPIC is also seeking the Presidential Directive that grants the NSA authority to conduct electronic surveillance in the United States. For more information, see EPIC: Open Government. (Sep. 13, 2010)
EPIC FOIAs NSA for Details of "Perfect Citizen": EPIC has filed a Freedom of Information Act request with the National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see EPIC Cybersecurity and Privacy. (Jul. 16, 2010)

On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging an investigation into Google's cloud computing services to determine "the adequacy of the privacy and security safeguards." The complaint followed a reported security breach of Google Docs. EPIC observed that Google repeatedly assured consumers that their services stored user-generated data securely, but had opted to not encrypt the personal information stored or transmitted on its computer network by default.

On June 16, 2009, Christopher Soghoian wrote an open letter to Google CEO, Eric Schmidt that was joined by 37 researchers and academics in the fields of computer science, information security, and privacy law. The letter pointed out that Google had already employed encryption techniques to protect individuals' login information, but did not enable it to protect information transmitted over their network. The letter pointed out that, while the option to encrypt this information was available, it was difficult to locate, even for sophisticated users who were aware of what to look for.

Google opted to ignore both of these warnings.

On January 12, 2010, Google reported that the company had suffered a "highly sophisticated and coordinated" cyber attack originating from China. The attackers planted malicious code in Google's corporate networks, and resulted in the theft of Google's intellectual property, and at least the attempted access of the Gmail accounts of Chinese human rights activists. The following day, Google changed a key setting, causing all subsequent traffic to and from its electronic mail servers to be encrypted by default. On February 4, 2010, the Washington Post reported that Google had contacted the National Security Agency ("NSA") regarding the firm's security practices immediately following the attack. In addition, the Wall Street Journal stated that the NSA's general counsel had drafted a "cooperative research and development agreement" within 24 hours of Google's announcement of the attack, which authorized the Agency to "examine some of the data related to the intrusion into Google's systems."

EPIC's Freedom of Information Act Requests and Subsequent Lawsuit

On February 4, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the National Security Agency ("NSA"). EPIC requested the following agency records:

All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.

By letter dated March 10, the NSA acknowledged receipt of EPIC's FOIA Request and granted EPIC's request for a fee waiver. The NSA's letter invoked FOIA exemption b(3) and Section 6 of the National Security Agency Act in order to issue a Glomar response. A Glomar response is the Agency's act of neither confirming nor denying the existence of Agency records responsive to the Request.

On May 7, 2010, EPIC filed an administrative appeal stating that the NSA had failed to present factual evidence that the requested documents fell within Section 6 and that established FOIA exemptions could sufficiently conceal protected information. The NSA never replied to EPIC's appeal or produced responsive documents. EPIC filed a complaint in United States District Court for the District of Columbia on September 13, 2010. The NSA argued that the Agency was under no obligation to conduct a search prior to determining that any potentially responsive records would implicate the Agency's functions or activities. Judge Richard Leon deferred to the NSA's judgment in a Memorandum Opinion dated July 8, 2011. EPIC filed a Notice of Appeal in the D.C. Circuit Court on September 9, 2011. Oral argument is schedule for March 20, 2012 before Judge Brown, Judge Kavanaugh, and Judge Ginsburg.

The Glomar Doctrine

In a unique category of FOIA cases, an agency may issue a “Glomar response” and refuse to confirm or deny the existence of records. Gardels v. CIA, 689 F.2d 1100, 1103 (D.C. Cir. 1982); see also Miller v. Casey, 730 F.2d 773, 776-77 (D.C. Cir. 1984); Phillippi v. CIA, 546 F.2d 1009, 1012 (D.C. Cir. 1976). Courts uphold Glomar responses when “to answer the FOIA inquiry would cause harm cognizable under” an applicable statutory exemption. Gardels, 689 F.2d at 1103. Glomar responses must be tethered to a specific exemption. The agency must demonstrate that acknowledging the mere existence of responsive records would disclose exempt information. Wolf v. CIA, 473 F.3d 370, 374 (D.C. Cir. 2007).

In Glomar cases, courts may grant summary judgment on the basis of agency affidavits that contain “reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Gardels, 689 F.2d at 1104-05 (citing Halperin v, CIA, 629 F.2d 144, 148 (D.C. Cir. 1980)). The supporting affidavit must give a “logical” justification for the Glomar response based on “general exemption review standards established in non-Glomar cases.” Wolf, 473 F.3d at 375. “Very importantly, ‘the burden is on the agency to sustain its action.’” Founding Church of Scientology of Washington, D.C., Inc. v. NSA, 610 F.2d 824, 830 (D.C. Cir. 1979). This Circuit has made clear that “‘[c]onclusory and generalized allegations of exemptions’ are unacceptable; if the court is unable to sustain nondivulgence on the basis of affidavits, in camera inspection may well be in order.” Wolf, 473 F.3d at 375.