Focusing public attention on emerging privacy and civil liberties issues

EPIC v. NSA - Cybersecurity Authority

Top News

  • EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive: EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sue sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014)
  • DHS Releases Revises Privacy Impact Assessment on Internet Monitoring Program : The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)
  • UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive: EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority. (Nov. 27, 2012)
  • President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release: Following a Washington Post report of a new cyber security directive, EPIC has filed a Freedom of Information Act request for the release of Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority, and EPIC v. NSA: Google / NSA Relationship. (Nov. 14, 2012)
  • EPIC Urges Senate to Safeguard FOIA for Cybersecurity: In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity. (Mar. 12, 2012)
  • EPIC Urges Court to Order Disclosure of CyberSecurity Authority: EPIC filed papers urging a federal court to order the National Security Agency to disclose National Security Presidential Directive 54, a key document governing national cybersecurity policy. The directive grants the NSA broad authority over the security of American computer networks. But the agency has refused to make the document public in response to an EPIC Freedom of Information Act request. EPIC noted that "The NSA’s position amounts to a claim that the President may enact secret laws, direct federal agencies to implement those laws, and shield the content of those laws from public scrutiny." EPIC argued that the law "does not support such a sweeping result." For more, see EPIC v. NSA - Cybersecurity Authority. (Dec. 23, 2011)
  • EPIC to Appeal Security Agency's Non-response in FOIA Lawsuit: EPIC has filed a notice of appeal in EPIC v. NSA, a recent court decision that allowed the National Security Agency to neither confirm or deny the existence of government records EPIC sought under the Freedom of Information Act. EPIC is seeking information about the relationship between Google and the NSA, which could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The NSA provided a "Glomar Response," a controversial legal claim that allows federal agencies to conceal the existence of records that might otherwise be subject to public disclosure. In related FOIA matters, EPIC is also seeking government documents relating to the NSA's cybersecurity authority and the NSA's "Perfect Citizen" program. For more information, see EPIC: Open Government. (Sep. 9, 2011)
  • EPIC v. NSA: Agency Can "Neither Confirm Nor Deny" Google Ties: A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA's claim that it can "neither confirm nor deny" that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The "Glomar response," to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA's cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director's classified views on how the NSA's practices impact Internet privacy, and the NSA's "Perfect Citizen" program. (Jul. 13, 2011)
  • EPIC Demands Release of Classified Answers on Privacy and Internet Standards from Cyber Command Nominee : EPIC has filed a Freedom of Information Act (FOIA) request with the National Security Agency (NSA) seeking the "classified supplement" that Director Lt. Gen. Keith Alexander filed with his answers to questions from the Senate Armed Services Committee regarding his nomination to be the Commander of the newly formed United States Cyber Command.┬áSeveral of Lt. Gen. Alexander's classified responses were to questions regarding the privacy of Americans' communications, and EPIC's request urges the Agency to make the full responses public. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see EPIC Sues NSA to Force Disclosure of Cybersecurity Authority. (Apr. 19, 2010)
  • Congress Considers Nomination of NSA Director to US Cyber Command, Concerns Remain: The Senate Armed Services Committee will hold a hearing on April 15, to consider the nomination NSA Director Lt. Gen Keith B. Alexander to be the Commander of the US Cyber Command. EPIC has expressed concern about the expanded authority of the NSA within the United States and has specifically requested the public release of NSPD-54, the secret Presidential Directive that allows the NSA to conduct electronic surveillance against US citizens within the United States, prior to the confirmation of Lt. Gen. Alexander. EPIC is seeking this and related document in a Freedom of Information Act lawsuit. For more information, see EPIC Sues NSA to Force Disclosure of Cyber Security Authority. (Apr. 15, 2010)

Background

In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD 54), which grants the National Security Administration broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a "multi-agency, multi-year plan that lays out twelve steps to securing the federal government's cyber networks." This Directive was not released to the public.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either. The request specifically asked for the following documents:

  • The text of the National Security Presidential Directive 54.
  • The full text of the Comprehensive National Cybersecurity Initiative, including unreported sections and any executing protocols distributed to the agencies in charge of its implementation.
  • Any privacy policies related to the Directive or the Initiative, including contracts or other documents describing privacy policies with information shared with private contractors to facilitate the CNCI.
Noting the extraordinary public interest in the plan and the public's right to comment on the measures in Congress, EPIC asked the NSA to expedite the processing of its request.

On July 1, 2009, the NSA acknowledged receipt of EPIC's FOIA request, but denied the request for expedited processing and did not make any substantive determination regarding the actual FOIA request. EPIC then submitted an administrative appeal, appealing the NSA's failure to make a timely substantive determination as well as denying expedited processing on July 30, 2009. In response, the NSA granted EPIC's request for expedited processing, but did not make a substantive determination on the FOIA request.

On August 14, 2009, the NSA released two documents that had previously been made public

In October 2009, the NSA identified three relevant documents, but refused to disclose any of them. One document, relating to the text of the Directive, was not disclosed because the record "did not originate with" the NSA, and "has been referred to the National Security Council for review and direct response to" EPIC. Two other documents relating to privacy policies were withheld allegedly pursuant to a FOIA exemption. On November 24, 2009, EPIC appealed the NSA's determination. The NSA acknowledged receipt of this appeal in December, but failed to provide any further communication.

On February 4, 2010, EPIC filed a lawsuit against the NSA and the National Security Council to compel the disclosure of documents relating to NSPD 54. One of EPIC's counts against the NSA included an Administrative Procedures Act violation because the NSA referred EPIC's FOIA request to the NSC, which is not subject to FOIA.

In March 2010, the NSA and NSC filed a partial motion to dismiss the alleged FOIA violation against the NSC and the alleged APA violation against the NSA. EPIC filed an opposition on April 8, 2010, the government filed its reply on April 15, 2010. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The Judge agreed with EPIC that "a referral of a FOIA request could be considered a 'withholding' if 'its net effect is to impair the requester's ability to obtain the records or significantly to increase the amount of time he must wait to obtain them," but held that "an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request."

In the interim, the White House published a description of the CNCI in March 2010. The initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains a secret. On August 30, 2011, the NSA released the heavily redacted version of two of the original three documents it had identified as responsive. The remaining document, NSPD 54 (and the CNCI, contained therein) was not released in any form.

On July 21, 2011, a briefing schedule was set for the case to move forward. The NSA invoked the narrowly construed "Presidential Communications Privilege" as the basis for withholding the text of NSPD 54 and the full version of the CNCI. The case remains pending in U.S. District Court for the District of Columbia for a finding on the merits of (a) the withholding of NSPD 54 and the CNCI in full and (b) the exemptions invoked to redact material from the August 30, 2011 documents.

Legal Documents

EPIC v. National Security Agency & National Security Council, Case No. 10-0196 (RMU) (D.D.C. filed Feb. 2, 2010)

Freedom of Information Act Documents

Released Documents

News Items