Judge Flags Redaction in Cybersecurity Program

     WASHINGTON (CN) – E-privacy advocates concerned that the government’s industrial cybersecurity program violates wiretap laws have vaulted a hurdle in their federal case.
     The Electronic Privacy Information Center filed the 2012 lawsuit at issue when the Department of Homeland Security was less-than forthcoming about a cybersecurity program it conducts jointly with the Department of Defense.
     Companies and others that participate in the Defense Industrial Base Cyber Pilot are “furnished classified threat and technical information,” according to a motion from the government.
     With defense contractors such as Lockheed Martin participating, EPIC sought information detailing the government’s contracts and communication with these companies, and asking for its contracts and communications with Verizon, AT&T and other Internet service providers.
     EPIC contends that such records are necessary to learning whether the program’s surveillance of private Internet traffic complies with federal wiretap laws.
     The government produced 1,300 pages but withheld various materials under exemptions to the Freedom of Information Act, prompting EPIC to sue.
     Noting that Homeland Security initially failed to include email attachments with its early production, EPIC challenged the various FOIA exemptions that the government cited, as well as the completeness of the search.
     Jeramie Scott, the coordinator of EPIC’s National Security Council Privacy Coalition, said the 1,300 documents that this case has won “revealed that the U.S. government, defense contractors, and Internet service providers were developing new strategies to monitor Internet communications, possibly in violation of the federal wiretap act.”
     One redaction that EPIC challenged involves the government’s omission of the names of its program’s corporate participants.
     Though the government cited an exemption that covers commercial information, EPIC contended that the names of companies are not commercial information, were not obtained from a person, and are not confidential.
     U.S. District Judge Gladys Kessler agreed with the government Tuesday, however, that a company’s name does not always present a commercial interest, but that “the identities of which companies have participated in the DIB Cyber Pilot, if disclosed, could have a commercial or financial impact on the companies involved.”
     “The companies are commercial enterprises doing business with the government and the reason they seek protection from having their participation disclosed is because of the potential effect that disclosure would have on their businesses,” the 38-page decision states.
     Kessler was less receptive, however, to Homeland Security’s reliance on an exemption for information that a “confidential source” gives the government.
     “Here, in most instances where Exemption 7(D) has been invoked … the government refers to the participating companies as ‘sources,’ without sufficiently explaining why the companies are sources,” Kessler wrote.
     The government’s promise of confidentiality to these companies is relevant to assessing its reliance on this exemption, but Kessler said “DHS has not contended that the companies provided any information pursuant to that promise.”
     “Nor has DHS shown that mere participation in the DIB Cyber Pilot program turns each company into a ‘source’ of information for purposes of Exemption 7(D),” the ruling continues.
     Describing the companies as “sources” implies that the companies provided information, but Kessler said “the court is not willing to rely on such a weak assumption.”
     “If in fact there are some companies that merely receive, but do not provide, information through the program, the government has failed to distinguish between them,” the ruling states.
     Kessler rejected EPIC’s other challenges, finding that Homeland Security conducted a thorough search.
     “The government here has done a commendable job in performing its search, and the court concludes that it has shown completion of a sufficient search to satisfy FOIA,” the memorandum opinion said.
     Homeland Security has not yet returned a request for comment.

%d bloggers like this: