Via Reason's Hit and Run Blog comes a link to a case ruling
against a Freedom of Information Act (FOIA) request concerning recent alleged
collaborations between the National Security Agency (NSA) and Google. Back in early 2010, it was widely reported
that Google
had suffered some hacking, originating from China, that compromised the
Gmail accounts of a variety of large firms and human rights activists. As the Court notes, it soon became public
knowledge that Google had sought the assistance of the NSA following the
attack. The extent of the partnership is
uncertain, but former NSA head Mike McConnell weighed in, stating that our “cyber
security” will depend on sustained partnerships between private industries
like Google and government agencies like the NSA.
The Electronic Privacy Information Center (EPIC) has been on
top of Google and the “adequacy of [their] privacy and security safeguards” since before the
China attack. On February 10, 2010, they filed
the FOIA request at issue in this case, seeking information concerning an
agreement between NSA and Google on cyber security and any
communications between Google and the NSA about Google’s security decisions
for Gmail and cloud-based services like Google Docs. The NSA claimed an exemption and responded
with a controversial Glomar denial. A Glomar
denial allows the government to respond to such a request with a refusal to
“confirm or deny the existence or nonexistence” of the records sought. Let me state that the unintentional hilarity
of the language used in a Glomar response does not necessarily make it invalid
or otherwise nasty; nevertheless, a Glomar
denial may cause gratuitous injuries to the cause of transparency (more on
that later).
Section 552(b) of the FOIA lists
nine exemptions allowing the government to refuse disclosure of the
information requested. Here, the
government invokes
“FOIA Exemption 3” which shields “records that are ‘specifically exempted
from disclosure by statute.’” The
government points to Section
6 of the National Security Agency Act (NSAA) which prevents disclosure of
information pertaining to “NSA’s organization, functions, or activities.” This statute, for some obvious good reasons,
shields quite a bit of information that the NSA may want to shield from an FOIA
request. Still, the D.C. Circuit Court
has noted the obvious by stating that the vague terms of Section 6 should be
“construed with sensitivity” in order to maintain the overriding purpose of the
FOIA to foster an environment that generally favors openness over secrecy.
In order to justify their Glomar response, the NSA bears the burden of proving the exemption
through signed affidavits that provide, with some level of detail, the reason
why disclosure would cause the harm contemplated under the FOIA exemption. To boot, the agency must provide some logical basis
for the court to believe that disclosure of the mere existence or nonexistence
of any such records would cause the excepted harm.
The Court makes their case with one 7-page affidavit (actual affidavit is about half-way down, titled Declaration of Diane M. Janosek). They state that “to confirm or deny the
existence of any such records would be to reveal whether NSA, in fulfilling one
of its key missions, determined that vulnerabilities or cybersecurity issues
pertaining to Google or certain of its commercial technologies could make U.S.
government information systems susceptible to exploitation or attack by
adversaries and, if so, whether NSA collaborated with Google to mitigate
them.” The agency’s theory is basically
two-fold: the recondite Glomar response
is justified because if we speak about this at all people will assume that
Google’s security problems are also the government’s problems or that Google’s encryption strategies are in and of themselves somehow related to the
NSA’s encryption strategies.
Fair
enough. I certainly don’t want the bad
guys to know what type of strategies the NSA uses to protect sensitive
government information.
From the 8 limbs of Patanjali, Satya, or truthfulness, is one of the five Yamas.
The Yamas are best understood as the “shall-nots” of the 8-limbed path
to rightful living, as in, one should abstain from untruthfulness because you
position yourself against the grain of the universe. Yogic scholars, like T.K.V. Desikachar, are
quick to point out “that it is not always desirable to speak the truth come
what may, for it could harm someone unnecessarily.” If disclosing a governmental record would
cause unnecessary harm, better to temper our truthfulness with the first Yama,
Ahimsa or non-harming. As the great
classical liberal J.S. Mill wrote, the legitimate aim of government “is to prevent harm to others.” Transparency
comes to a halt when the rights and safety of others would be compromised by
full disclosure. Still, we have a system
of courts for a reason, and they are fairly well equipped at figuring out
whether disclosure would actually
cause the harm claimed by the government while using precautions to make sure
there is no ancillary disclosure of sensitive information during the case.
With that in mind, I am sympathetic to EPIC’s plea that the Court should at all times have the goal of creating “as complete a public
record as is possible.” This brings us
to subsection (b) of the FOIA which provides that “any reasonably segregable
portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt under this
subsection.” This would require the
agency to search for the records and undertake a studied inspection of the
documents to figure out if any generally exempted records contain information
that would not fit into the exemption.
Often, but not always, this leads to the production of a “Vaughn index” of the exempted records
with brief descriptions as to what the document is and some basic facts as to
why it fits into the exemption. This
allows the judge, and perhaps the opposing party, to start putting the pieces of the puzzle together or even just to hold the agency accountable for their
claims.
In the present case, we don’t get a Vaughn index. The Court is
satisfied that the affidavit supports the agency’s Glomar response, ergo how could we index or not index something
that may or may not exist? As the Court
states, “when the agency takes the position that it can neither confirm nor
deny the existence of the requested records, ‘there are no relevant documents
for the court to examine.’” A little
cryptic, but there is definitely some logic there. Still, there is no template for a Vaughn index. The court has the flexibility to get creative
and discern some method of getting at the non-exempt information without
compromising the legitimately exempt information. Provided that the party has offered evidence
to cast some doubt on the agency’s insistence that there is absolutely no
relevant, non-exempt information, it seems the court does an injustice to the
FOIA by shutting the case down right then and there.
EPIC insists that the communications between Google and NSA
may contain parts that do not reveal the NSA’s functions (for this core argument, start reading at p. 28). They have stressed that the records likely
contain some relevant material about Google’s
activities (not the agency’s). On
1-12-2010 Google both reported the attack and contacted the agency presumably
for advice. On 1-13-2010 Google changed
their default setting on Gmail to encrypt traffic to and from its servers. It does not seem that the Court can rule out
the possibility that there is a lot in the correspondence that pertains to Google’s
own security activities and could be
emancipated from the parts of the record that reveal the NSA’s activities. The mere fact that the NSA responded to
Google is already public knowledge.
Accordingly, I feel the Court could have leaned on the NSA to crack the
door open just ever so slightly.
Being
so furtive about a topic that was widely reported on two years ago is the type
of government behavior that needlessly invites conspiracy theories: What if the NSA needs a Glomar denial because they had some agreement with Google prior to
January 2010…. And what if that
agreement was to the effect that Google could not sufficiently encrypt their
Gmail accounts because they are bound to forward all sorts of our e-mails
straight to the NSA? A bare Glomar denial could make some curious people grasp at these types of straws. This is the type of
speculation that is largely unhelpful. And conspiracy theories have the alluring power to trap otherwise
thoughtful minds into firmly believing one story despite evidence to the
contrary.
The NSA has been increasing their profile (or shadow)
dramatically over the past decade, culminating with the on-going construction
of the Utah Data Center, or what many are calling a gigantic Spy
Center. Far be it from me to explain the
stated and speculated purposes of this new facility, but you can click through
to the links to at least get a feel for the unthinkable
potential of such a place. I’m
afraid halting this particular case at a Glomar
denial will only stoke the public’s worst fears about such an agency. Let us remember that Congress has not yet
passed the SECURE IT Act, which would add a tenth exemption to the FOIA for “information
shared with or provided to a cybersecurity center.” If passed, this act would probably seal the
door shut many, many times over. Nearly
every single person shares private information with commercial Internet companies. We do so largely with the expectation that,
despite oddly relevant advertisements for wedding planners popping up right
after we get engaged, we are not inviting the government to collaborate with
search engines about our shopping or reading habits. Before Congress gives more power and more
secrecy to the intelligence community, it would be nice to have even a vague
understanding of some of the implications for using these here cyber
tubes.