EPIC v. NSA: Google / NSA Relationship
- European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying: The Court of Justice for the European Union heard arguments this week in Maximilian Schrems v. Data Protection Commissioner, a case filed in Ireland following the revelations of the NSA PRISM program. At issue is whether the disclosure of EU citizens' data by Facebook and other Internet companies to the NSA violates the EU Charter of Fundamental Rights, and whether the EU-US "Safe Harbor" agreement provides "adequate" data protection. A decision is likely later this year. Schrems is the recipient of the 2013 EPIC International Privacy Champion Award. (Mar. 24, 2015)
- Wikimedia Sues NSA Over Mass Internet Surveillance: Wikimedia filed a federal lawsuit against the NSA over the mass surveillance of Internet communications. Wikimedia asked the court to halt the government's upstream collection—the practice of directly tapping into the Internet backbone that carries communications across the U.S. Wikimedia argues that upstream collection exceeds statutory authority and violates the First and Fourth Amendments, as well as Article III of the Constitution. Explaining the case, Wikipedia founder Jimmy Wales wrote, "Privacy is an essential right. It makes freedom of expression possible, and sustains freedom of inquiry and association." In 2013, EPIC petitioned the Supreme Court to stop the NSA's bulk telephone metadata program. (Mar. 10, 2015)
- UK Privacy Groups Prevail in GCHQ Spying Case: A British court that oversees intelligence gathering has ruled that GCHQ, the British spy agency, violated international human rights law with the mass collection of cellphone and Internet data. Last year, the same court ruled that data could lawfully be transferred between US and UK intelligence agencies. That earlier decision is on appeal to the European Court of Human Rights in Strasbourg. In 2013, following the disclosure of the "Verizon order," which authorized the NSA's routine collection of US telephone records, EPIC brought a petition to the US Supreme Court, arguing that the agency practice exceeded the "Section 215" authority. Dozens of legal scholars and former members of the Church Committee supported the EPIC petition. (Feb. 9, 2015)
- Privacy Board Renews Call for President Obama to End Bulk Collection: The Privacy and Civil Liberties Oversight Board released a report on prior recommendations regarding the NSA's domestic and global surveillance programs. The Board stated that the Obama Administration has failed to end the domestic telephone collection program. The Board stated, "the Administration can end the bulk telephone records program at any time, without congressional involvement." EPIC and a broad coalition have repeatedly urged the President end the NSA's bulk record collection program. Previously, EPIC petitioned the Supreme Court, with the support of dozens of legal experts, arguing that the NSA program was unlawful. (Jan. 30, 2015)
- Senator Leahy Urges Swift Passage of USA Freedom Act: Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has urged swift passage of the USA FREEDOM Act, which would end the government's dragnet collection of telephone records. The bipartisan bill, which Senator Leahy introduced in July, would also improve oversight accountability for domestic surveillance activities. It has broad bipartisan support among the Intelligence Community, the technology industry, and privacy advocates. Senator Leahy said "Congress should pass the bipartisan USA FREEDOM Act without delay." Last year EPIC petitioned the US Supreme Court to end the NSA bulk record collection program. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Nov. 13, 2014)
- Appeals Court Limits Military Surveillance of Civilian Internet Use: The U.S. Court of Appeals for the Ninth Circuit ruled in United States v. Dreyer that an agent for the Naval Criminal Investigative Service violated Defense Department regulations and the Posse Comitatus Act when he conducted a surveillance operation in Washington state to identify civilians who might be sharing illegal files. The 1878 Act prevents the U.S. military from enforcing laws against civilians. The appeals court ruled that the NCIS intrusion into civilian networks showed “a profound lack of regard for the important limitations on the role of the military in our civilian society.” The court also ruled that the evidence obtained by NCIS should be suppressed to “deter future violations.” In a petition to the Supreme Court, EPIC challenged the NSA’s surveillance of domestic communications. The NSA is a component of the Department of Defense. For more information, see In re EPIC and EPIC v. DOJ: Warrantless Wiretapping Program. (Sep. 26, 2014)
- Senator Leahy Introduces Bill to End NSA Bulk Record Collection: Today Senator Patrick Leahy (D-VT), joined by Democratic and Republican Senators, introduced legislation to end the NSA's practice of collecting telephone records of Americans. Leahy described the bill as "the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago." The USA Freedom Act would require require the government to specify specific "search terms" to obtain telephone record information. The government would have to demonstrate that it has a "reasonable, articulable suspicion" that the search term is associated with a foreign terrorist organization. The bill also requires a comprehensive transparency report for the use of FISA surveillance authorities. However, the bill exempts the FBI from certain reporting requirements. Civil liberties organizations support the bill. EPIC previously filed a Petition for Mandamus with the U.S. Supreme Court, seeking to end the bulk collection of American's phone records. EPIC's petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see In re EPIC and EPIC: FISA Reform. (Jul. 29, 2014)
- Coalition to President: End NSA's Bulk Collection Program Now: EPIC and a coalition of 25 organizations urged the President and the Attorney General to end the NSA's bulk record collection program when the current authority expires on June 20. In January, the President committed to "end the Section 215 bulk metadata program as it currently exists." The coalition letter states, "[t]he NSA's Bulk Metadata program is simply not effective." Both the Privacy and Civil Liberties Oversight Board report and the President's Review Group report found the NSA's bulk collection to be ineffective. EPIC petitioned the Supreme Court to end the NSA's bulk collection of telephone records after the program was revealed last summer. EPIC's petition argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC. (Jun. 17, 2014)
- House Judiciary Committee to Consider Bill to End Bulk Surveillance, Improve NSA Oversight: The House Judiciary Committee has scheduled a markup of the USA Freedom Act. The proposed "Manager's Amendment", sponsored by James Sensenbrenner (R-WI), would prevent bulk collection of phone records and other business records, and would limit the scope of phone record searches. The bill would also (1) limit the collection of US persons communications by the NSA's PRISM program, (2) require public reports on the use of FISA surveillance, (3) require declassification of significant FISA Court opinions, and (4) create a public advocate at the FISA Court. In 2012, EPIC testified before the House Judiciary Committee on the need for public reports and the declassification of significant FISC opinions. In 2013, EPIC filed a petition with the Supreme Court, alleging that the bulk collection of telephone record was unlawful. For more information, see EPIC: FISA Reform and In re EPIC. (May. 5, 2014)
- President Obama Renews Unlawful, Ineffective Surveillance Authority: According to the Attorney General and the Director of National Intelligence, President Obama has renewed the NSA's authority to collect all of the telephone records of all American telephone customers. The "Section 215" program exceeded Congressional authority and was found to be ineffective by two expert panels. At a speech on January 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists. However, according to DNI Clapper, the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and the FISC issued an order approving the government's application. The order issued expires on June 20, 2014. EPIC and others have strongly objected to the renewal of the 215 program. For more information, see EPIC In re EPIC. (Mar. 29, 2014)
On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission (FTC), urging an investigation into Google's cloud computing services to determine "the adequacy of the privacy and security safeguards." The complaint followed a reported security breach of Google Docs. EPIC observed that Google repeatedly assured consumers that their services stored user-generated data securely, but had opted to not encrypt the personal information stored or transmitted on its computer network by default.
On June 16, 2009, Christopher Soghoian wrote an open letter to Google CEO, Eric Schmidt that was joined by 37 researchers and academics in the fields of computer science, information security, and privacy law. The letter pointed out that Google had already employed encryption techniques to protect individuals' login information, but did not enable it to protect information transmitted over their network. The letter pointed out that, while the option to encrypt this information was available, it was difficult to locate, even for sophisticated users who were aware of what to look for.
Google opted to ignore both of these warnings.
On January 12, 2010, Google reported that the company had suffered a "highly sophisticated and coordinated" cyber attack originating from China. The attackers planted malicious code in Google's corporate networks, and resulted in the theft of Google's intellectual property, and at least the attempted access of the Gmail accounts of Chinese human rights activists. The following day, Google changed a key setting, causing all subsequent traffic to and from its electronic mail servers to be encrypted by default. On February 4, 2010, the Washington Post reported that Google had contacted the National Security Agency ("NSA") regarding the firm's security practices immediately following the attack. In addition, the Wall Street Journal stated that the NSA's general counsel had drafted a "cooperative research and development agreement" within 24 hours of Google's announcement of the attack, which authorized the Agency to "examine some of the data related to the intrusion into Google's systems."
EPIC's Freedom of Information Act Requests and Subsequent Lawsuit
On February 4, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the National Security Agency ("NSA"). EPIC requested the following agency records:
- All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
- All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
- All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
By letter dated March 10, the NSA acknowledged receipt of EPIC's FOIA Request and granted EPIC's request for a fee waiver. The NSA's letter invoked FOIA exemption b(3) and Section 6 of the National Security Agency Act in order to issue a Glomar response. A Glomar response is the Agency's act of neither confirming nor denying the existence of Agency records responsive to the Request.
On May 7, 2010, EPIC filed an administrative appeal stating that the NSA had failed to present factual evidence that the requested documents fell within Section 6 and that established FOIA exemptions could sufficiently conceal protected information. The NSA never replied to EPIC's appeal or produced responsive documents. EPIC filed a complaint in United States District Court for the District of Columbia on September 13, 2010. The NSA argued that the Agency was under no obligation to conduct a search prior to determining that any potentially responsive records would implicate the Agency's functions or activities. Judge Richard Leon deferred to the NSA's judgment in a Memorandum Opinion dated July 8, 2011. EPIC filed a Notice of Appeal in the D.C. Circuit Court on September 9, 2011. Oral argument is schedule for March 20, 2012 before Judge Brown, Judge Kavanaugh, and Judge Ginsburg.
The Glomar Doctrine
In a unique category of FOIA cases, an agency may issue a “Glomar response” and refuse to confirm or deny the existence of records. Gardels v. CIA, 689 F.2d 1100, 1103 (D.C. Cir. 1982); see also Miller v. Casey, 730 F.2d 773, 776-77 (D.C. Cir. 1984); Phillippi v. CIA, 546 F.2d 1009, 1012 (D.C. Cir. 1976). Courts uphold Glomar responses when “to answer the FOIA inquiry would cause harm cognizable under” an applicable statutory exemption. Gardels, 689 F.2d at 1103. Glomar responses must be tethered to a specific exemption. The agency must demonstrate that acknowledging the mere existence of responsive records would disclose exempt information. Wolf v. CIA, 473 F.3d 370, 374 (D.C. Cir. 2007).
In Glomar cases, courts may grant summary judgment on the basis of agency affidavits that contain “reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Gardels, 689 F.2d at 1104-05 (citing Halperin v, CIA, 629 F.2d 144, 148 (D.C. Cir. 1980)). The supporting affidavit must give a “logical” justification for the Glomar response based on “general exemption review standards established in non-Glomar cases.” Wolf, 473 F.3d at 375. “Very importantly, ‘the burden is on the agency to sustain its action.’” Founding Church of Scientology of Washington, D.C., Inc. v. NSA, 610 F.2d 824, 830 (D.C. Cir. 1979). This Circuit has made clear that “‘[c]onclusory and generalized allegations of exemptions’ are unacceptable; if the court is unable to sustain nondivulgence on the basis of affidavits, in camera inspection may well be in order.” Wolf, 473 F.3d at 375.
EPIC v. National Security Agency, Case No. 10-1533 (RJL) (D.D.C. filed Sept. 13, 2010)
- EPIC's Complaint Against NSA (Sept. 13, 2010) (pdf)
- NSA's Answer to EPIC's Complaint (Oct. 27, 2010) (pdf)
- NSA Motion for Summary Judgment (Dec. 22, 2010) (pdf)
- EPIC's Opposition and Cross Motion for Summary Judgment (Jan. 28, 2011) (pdf)
- NSA's Opposition and Reply (Feb. 18, 2011) (pdf)
- EPIC's Reply (Mar. 4, 2011) (pdf)
- District Court Memorandum Opinion, 798 F.Supp.2d 26 (D.D.C. 2011) (July 8, 2011) (pdf)
EPIC v. National Security Agency, Case No. 11-5233 (D.C.Cir. filed Sept. 9, 2011)
- EPIC's Notice of Appeal (Sept. 9, 2011) (pdf)
- Order Setting Briefing Schedule (Nov. 16, 2011) (pdf)
- Order Scheduling Oral Argument (Nov. 22, 2011) (pdf)
- EPIC's Opening Brief (Jan. 3, 2012) (pdf)
- Joint Appendix (Jan. 3, 2012) (pdf)
- NSA's Opening Brief (Jan. 26, 2012) (pdf)
- EPIC's Reply Brief (Feb. 16, 2012) (pdf)
- Opinion, EPIC v. NSA, 678 F.3d 926 (D.C. Cir. 2012)
- EPIC's February 4, 2010 request for agency records under the Freedom of Information Act
- NSA's March 10, 2010 letter acknowledging of receipt of EPIC's FOIA request and invoking the Glomar Response
- EPIC's May 7, 2010 Administrative Appeal to the NSA
- In 1976, NSA Was Tasked to Help Secure Private Communications, Secrecy News, March 12, 2012.
- DOJ Asks Court To Keep Secret Any Partnership Between Google, NSA, BLT: The Blog of Legal Times, March 9, 2012.
- A New Approach to China, Google Blog, January 12, 2010.
- Mike McConnell on How to Win the Cyber-War We're Losing, Washington Post, February 28, 2010.
- Google to enlist NSA to help it ward off cyberattacks, Washington Post, February 4, 2010.
- Google Working With NSA to Investigate Cyber Attack, Wall Street Journal, February 4, 2010.
- Default https access for Gmail, Google Blog, January 13, 2010.
- HTTPS Security for Web Applications, Google Security Blog, June 1, 2009.
- In re: Google, Inc. and Cloud Computing Services, EPIC, March 17, 2009.
- Letter from Eileen Harrington, Acting Director, Bureau of Consumer Protection (FTC), EPIC, March 18, 2009.
- An open letter to Google's CEO, Eric Schmidt, Christopher Soghoian, June 16, 2009.
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.