SAN FRANCISCO (CN) - The National Security Agency on Thursday defended hiding key details of its process for deciding whether to exploit or disclose software security flaws that make people vulnerable to hackers.
The Electronic Frontier Foundation sued the NSA in 2014 for withholding records on the government's handling of "zero days," newly discovered security flaws not yet fixed by software developers.
The lawsuit was filed after Bloomberg News reported that for two years the government knew about and exploited the Heartbleed bug, a security flaw affecting an estimated two-thirds of the world's websites, without disclosing the threat.
In January, the government released a less redacted version of its Vulnerable Equities Process (VEP) document, which describes how government agencies decide whether to disclose or exploit a security flaw. EFF lawyers say the document still contains unwarranted redactions that violate the Freedom of Information Act.
During a Thursday hearing, U.S. District Judge Richard Seeborg said he reviewed declarations submitted by intelligence officials and was "satisfied" that most of the redactions were justified.
The government says each redaction falls within one of four categories: actions taken when a vulnerability is identified; timelines for the process; identities of entities involved in the process; and details on procedures for addressing vulnerabilities.
The government insists that all redactions are covered by one of three FOIA exemptions that protect classified information and deliberative process from disclosure.
EFF attorney Andrew Crocker urged the judge to conduct an in camera review of the redacted file and not rely solely on government declarations describing what information was withheld.
"Unless the declaration quotes the entire document, there will be a gap between what the document actually says and what the declaration says it says," Crocker said.
The fact that the government previously claimed certain information was exempt from the FOIA before releasing a less redacted version last month also raises questions about the government's credibility, Crocker said.
Seeborg was not persuaded. "I'm loath to take the position that that is somehow an admission of improper conduct," he said. "I encourage the government to reassess and release when it's appropriate."
The EFF says much of the information the government still claims as classified has been disclosed by official sources, which nullifies the exemptions.
The digital civil liberties group cited a 2014 blog post by Special Assistant to the President and Cybersecurity Coordinator Michael Daniel, who acknowledged the government sometimes "withholds knowledge of some vulnerabilities for a limited time" to "collect crucial intelligence that could thwart a terrorist attack."
But government attorney Rodney Patton said that whether the government officially acknowledged classified information requires the application of a stringent, three-part test. The information withheld must be specific and match what was revealed in an official public disclosure, he said.
Declarations submitted to the court show the information has not been publicly disclosed and that those details must remain shielded from the public, Patton argued.
The government also invoked the deliberative process exemption to withhold header information and names of agencies involved in the process.
Government attorney Julie Berman said the header information embodies a working group's declaration to a higher government branch, to help higher authority make its decision. Revealing the header information and names of agencies involved in the process could threaten the integrity of the process, she said.
"The deliberative process protects the identities of process participants," Berman said. "With small government components participating in the deliberative process, disclosure could harm that process."
Berman cited a 2007 Ninth Circuit decision, AIDS Healthcare Found. v. Leavitt, which found the identities of people who issued decisions on specific grant applications were exempt from disclosure.
Crocker replied that a general list of grant application decision-makers was disclosed in that case, just not the identities of individuals that handled specific grants.
"Factual information is not subject to exemption unless it's part of the deliberative process," Crocker said.
Early in the hearing, the judge said the government appears justified in withholding classified information under FOIA exemptions 1 and 2, but he was less certain about its decision to hold back information under exemption 5, the deliberative process exemption.
After the hearing, EFF attorney Nathan Cardozo said that despite the government's claim that it discloses 91 percent of vulnerabilities it discovers, his conversations with Google employees suggest the government has shared no information on security vulnerabilities.
"We think it's important the public knows how the government uses our vulnerabilities against us, and this document details how the government makes that decision," Cardozo said.