EPIC v. NSA: Agency Can “Neither Confirm Nor Deny” Google Ties (Electronic Information Privacy Center):
A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA’s claim that it can “neither confirm nor deny” that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The “Glomar response,” to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA’s cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director’s classified views on how the NSA’s practices impact Internet privacy, and the NSA’s “Perfect Citizen” program.
Civil Case No. 10-1533 (RJL) MEMORANDUM OPINION (July 8, 2011) [#9, #11] (uscourts.gov):
On February 4, 2010, following media coverage of a possible partnership between the NSA and Google relating to an alleged cyber attack by hackers in China, EPIC submitted a FOIA request to NSA seeking:
1. All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
2. All records of communication between the NSA and Google concerning Gmail, including but not limited to Google’s decision to fail to routinely encrypt Gmail messages prior to January 13,2010; and
3. All records of communications regarding the NSA’s role in Google’s decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
Compl. ¶ 12.
NSA denied EPIC’s request. Letter from Pamela N. Phillips, NSA, FOIA/PA Office, Mar. 10,2010 [#9-3]. While it acknowledged working “with a broad range of commercial partners and research associates,” the Agency refused to “confirm [ or] deny” whether it even had a relationship with Google. Id. In support of its response, NSA cited Exemption 3 of FOIA and Section 6 of the National Security Agency Act of 1959 (“NSA Act”), explaining that any response would improperly reveal information about NSA’s functions and activities. Id. Such a response – neither confirming nor denying the existence of requested documents – is known as a Glomar response.
With respect to EPIC’s specific request, the Declaration states that “[t]o confirm or deny the existence of any such records would be to reveal whether the NSA … determined that vulnerabilities or cybersecurity issues pertaining to Google or certain of its commercial technologies could make U.S. government information systems susceptible to exploitation or attack.” Id. ¶ 13. The Declaration further clarifies that even an acknowledgement of a relationship between the NSA and a commercial entity could potentially alert “adversaries to NSA priorities, threat assessment, or countermeasures,” and that, as such, the information relates to the Agency’s core functions and activities under its Information Assurance mission. Id. ¶¶ 13-14.