D.C. Circuit Blocks EPIC from FOIA on Potential Google-NSA Records
Communications between Google and the National Security Agency concerning encryption and cybersecurity, should they exist, won’t be turned over to the Electronic Privacy Information Center, the U.S. Court of Appeals for the D.C. Circuit ruled Friday. The D.C. Circuit affirmed a trial court order in favor of the NSA.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
EPIC had sought records of communications and agreements between Google and the NSA following the January 2010 attacks on the Gmail accounts of Chinese human rights activists, after which the company started routinely encrypting Gmail traffic. A Google executive had said publicly that the company was working with “relevant U.S. authorities,” and NSA Director Mike McConnell said in the media that cooperation between the agency and private companies like Google was “inevitable.” EPIC’s FOIA request to the NSA had asked in particular what role if any the agency played in Google’s decision not to routinely encrypt before the January 2010 attacks.
Judge Janice Brown wrote for the three-judge panel, upholding NSA’s explanation that the sought information -- whose existence NSA neither confirmed nor denied, known as a “Glomar response” -- would pertain to its “organization, functions or activities,” and thus qualify for an agency-specific FOIA exemption. She said NSA’s explanation was “logical” and “plausible” about the benchmarks for qualifying for the exemption.
EPIC’s claim that some of the sought information was “unsolicited” -- potential Google communications to the NSA -- and thus doesn’t fall under a pertinent exemption, didn’t convince Brown, who said the “broad language” in the NSA exemption applied to NSA’s vetting of commercial technology used by the government for “security vulnerabilities.” Potential communications between Google and the NSA could reveal “protected information about NSA’s implementation” of its information-assurance mission, and constitute a protected agency “activity” under the exemption, Brown said. It could also make companies “hesitate or decline” to contact the NSA for help if they knew the records could be revealed under FOIA, she said.
EPIC’s citation of a previous D.C. Circuit rejection of a FOIA exemption for the NSA isn’t relevant, because the agency had made “conclusory” statements in that case, as opposed to the specific warnings about what would be compromised in EPIC’s request, Brown said. Simply because NSA discloses “basic information” about its information-assurance activities doesn’t mean it forsakes the exemption in response to EPIC’s “blanket request” for “all records,” nor does Google-NSA collaboration “widely reported in the national media” have any bearing, the judge said. Brown said EPIC’s assertion is “inaccurate” that the D.C. Circuit had only upheld Glomar responses where it was apparent the NSA “first conducted a search and segregability analysis” to locate potentially relevant records for disclosure: The NSA did those searches voluntarily, and the court never held or implied that search was “required.”
The ruling should give lawmakers pause, EPIC Executive Director Mark Rotenberg told us. “The NSA has become a black hole for cybersecurity activity,” he said. “If the agency cannot acknowledge the existence of records responsive to a FOIA request about a relationship with Google that was widely reported in the national media, then it would be absurd for lawmakers to give the agency any further authority for cybersecurity. Transparency, not secrecy, is the prerequisite for effective cybersecurity.”