EPIC v. DHS - Defense Contractor Monitoring
- EPIC Presses Department of Defense on Privacy of Cyber Threat Information: In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors. (Feb. 27, 2018)
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority: Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications. (Jun. 8, 2013)
- EPIC FOIA Request Reveals Details About Government Cybersecurity Program: New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)
On June 16, 2011, the Washington Post reported that the NSA had implemented a new program designed to monitor all traffic flowing through certain ISPs to a select number of defense contractors. The goal of this pilot program is the "thwarting [of] cyberattacks against defense firms," although Deputy Secretary of Defense William J. Lynn III stated that "[w]e hope the . . . cyber pilot can be the beginning something bigger." The NSA pilot program is to serve as a model that can be "transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security."
Although no public name has been given to this new program, it is known that the NSA has partnered with AT&T, Verizon and CenturyLink to filter the traffic of fifteen defense contractors, including Lockheed Martin, CSC, SAIC and Northrop Grumman. The NSA claims that it will not be "direct[ly] monitoring the contractors' networks." Instead, it has developed "signatures" of malicious code as well as sequences of suspicious network behavior that it will apply to filter all Internet traffic on those ISPs that flows to these defense contractors. By applying these signatures and filtering suspicious behavior, the NSA will be able to "disable the threats before an attack can penetrate a contractor's servers."
Individuals within the Department of Justice expressed misgivings that the program would "run afoul of privacy laws forbidding government surveillance of private Internet traffic." The Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. § 2510, prohibits the interception of electronic communications without a court order or consent from one of the parties. The NSA has alleged that the Agency "will not directly filter the traffic or receive the malicious code captured by Internet providers." It is unclear how the program can detect malicious code and prevent its execution without "captur[ing]" it in violation of federal law.
Deputy Secretary of Defense William J. Lynn III publicly spoke about the program and provided a rough outline of its scope. He stated that it is currently run by the NSA, and that DHS is a partner.
EPIC's Freedom of Information Act Request and Subsequent Lawsuit
In July 2011, EPIC submitted a FOIA request to DHS asking for:
- All contracts and communications with Lockheed Martin, CSC, SAIC, Northop Grumman, or any other defense contractors regarding the new NSA pilot program;
- All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program;
- All analyses, legal memoranda, and related records regarding the new NSA pilot program;
- Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program;
- Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.
DHS referred EPIC's FOIA Request to the National Protection and Programs Directorate. The Directorate is charged with risk-reduction activities associated with the mission of DHS. The National Protection and Programs Directorate failed to provide any documents, and EPIC filed an Administrative Appeal in January 2012.On March 1, 2012, EPIC filed a lawsuit against the DHS based on that Agency's non-responsiveness to EPIC's request and in order to compel the disclosure of documents relating to the monitoring program.
EPIC v. Department of Homeland Security, Case No. 12-00333 (GK) (D.D.C. filed Mar. 1, 2012)
- EPIC's Complaint (Mar. 1, 2012) (pdf)
- DHS' Answer to EPIC's Complaint (May 1, 2012) (pdf)
- Joint Meet and Confer Statement (May 21, 2012) (pdf)
- Joint Meet and Confer Statement - DHS' Proposed Order (May 21, 2012) (pdf)
- Joint Meet and Confer Statement - EPIC's Proposed Order (May 21, 2012) (pdf)
- Scheduling Order (May 24, 2012) (pdf)
- DHS' Motion to Stay Proceedings for 10 Days (August 24, 2012) (pdf)
- DHS' Motion to Stay Proceedings for 10 Additional Days (September 5, 2012) (pdf)
- EPIC's Opposition to DHS' Motion to Stay Proceedings for 10 Additional Days (September 5, 2012) (pdf)
- Order Granting DHS' Motion to Stay Proceedings for 10 Additional Days - Final Stay (September 5, 2012) (pdf)
- DHS' Motion to Modify the Scheduling Order (September 14, 2012) (pdf)
- EPIC's Opposition to DHS' Motion to Modify the Scheduling Order and Cross-Motion to Show Cause (September 19, 2012) (pdf)
- DHS' Reply to DHS' Motion to Modify the Scheduling Order and Opposition to EPIC's Cross-Motion to Show Cause (September 28, 2012) (pdf)
- EPIC's Reply to EPIC's Motion to Show Cause (October 5, 2012) (pdf)
- Modified Scheduling Order (October 16, 2012) (pdf)
- EPIC's Motion for Reconsideration (November 7, 2012) (pdf)
- DHS' November 2012 Status Report (November 15, 2012) (pdf)
- DHS' Opposition to EPIC's Motion for Reconsideration and Cross-Motion to Modify the Scheduling Order (November 30, 2012) (pdf)
- EPIC's Reply to EPIC's Motion for Reconsideration and Opposition to DHS' Cross-Motion to Modify the Scheduling Order (December 7, 2012) (pdf)
- DHS's Reply to DHS' Cross-Motion to Modify the Scheduling Order (December 14, 2012) (pdf)
- DHS' December 2012 Status Report (December 17, 2012) (pdf)
- Final Order Granting EPIC's Motion for Reconsideration in Part (January 8, 2013) (pdf)
- DHS' February 2013 Status Report (February 1, 2013) (pdf)
- DHS' March 2013 Status Report (March 1, 2013) (pdf)
- DHS' April 2013 Status Report (April 15, 2013) (pdf)
- DHS Motion for Summary Judgment (August 30, 2013) (pdf)
- EPIC Motion for Summary Judgment (September 27, 2013) (pdf)
- DHS Opposition and Reply (November 4, 2013) (pdf)
- EPIC Reply (November 25, 2013) (pdf)
- Memorandum Opinion (August 4, 2015)
- EPIC Motion for Attorneys' Fees and Costs (Feb. 5, 2016) (pdf), Exhibits
- DHS Opposition to EPIC's Motion for Fees (Mar. 9, 2016) (pdf), Exhibits
- EPIC's Reply Motion for Fees (Mar. 22, 2016)
- Fees Opinion (Nov. 21, 2016)
- Fees Order (Nov. 21, 2016)
- EPIC's FOIA Request (July 26, 2011) (pdf)
- DHS' Acknowledgement and Referral to the National Protection and Programs Directorate (Aug. 3, 2011) (pdf)
- EPIC's Administrative Appeal (Jan. 5, 2012) (pdf)
- DHS Final Production Cover Letter (pdf)
- DHS Final Production Part 1 (pdf)
- DHS Final Production Part 2 (pdf)
- DHS Final Production Part 3 (pdf)
- DHS Final Production Part 4 (pdf)
- DHS Final Production Part 5 (pdf)
- DHS Final Production Part 6 (pdf)
- DHS Final Production Part 7 (pdf)
- DHS Final Production Part 8 (pdf)
- DHS Final Production Part 9 (pdf)
- DHS Supplemental Production Part 1 (pdf)
- DHS Supplemental Production Part 2 (pdf)
- DHS Supplemental Production Part 3 (pdf)
- DHS Supplemental Production Part 4 (pdf)
- DHS Supplemental Production Part 5 (pdf)
- U.S. gives big, secret push to Internet surveillance, CNET, Apr. 24, 2013.
- Notebook: NSA Seeks Tighter Info Security for Agencies, Contractors, Defense News, Mar. 22, 2012.
- Prepare to Have Your Email Read by the NSA, the Atlantic, June 17, 2011.
- NSA Allies with Internet Carriers to Thwart Cyber Attacks Against Defense Firms, Washington Post, June 16, 2011.