                              UNITED STATES DISTRICT COURT
                              FOR THE DISTRICT OF COLUMBIA


 JASON PRECHTEL

                         Plaintiff,

                         v.                            Case No. 17-cv-01835 (CRC)

 FEDERAL COMMUNICATIONS
 COMMISSION, et al.

                         Defendants.



                                      MEMORANDUM OPINION

       In spring of 2017, the Federal Communications Commission (“FCC” or “Commission”)

promulgated a proposed rule to establish regulations for broadband internet service providers.

Captioned “Restoring Internet Freedom,” the rulemaking sought to repeal prior regulations

promoting “net neutrality”—the principle that internet service providers afford equal access to all

internet-enabled data. The proposal received significant public attention, garnering an

unprecedented twenty-four million public comments on the administrative record. The number

of fraudulent, duplicative, or otherwise dubious comments was equally unprecedented. These

questionable comments have drawn the attention of FCC Commissioners, Members of Congress,

and journalists including Jason Prechtel, the plaintiff in this case.

       Prechtel filed Freedom of Information Act (“FOIA”) requests seeking details about the

use of two electronic comment-submission tools that the FCC had enabled to facilitate public

participation in the regulatory process: comma-separated value (“.CSV”) files and an Application

Programming Interface (“API”). These tools allowed members of the public to comment on the

proposal without going directly to the Commission’s website and accessing its comment



                                                   1
platform (or Electronic Comment Filing System (“ECFS”)). A .CSV file is a template provided

by the FCC—essentially, a spreadsheet in which every row contains a separate comment—that

allows an individual or organization to solicit and compile multiple comments and upload them

into ECFS in one fell swoop. These submissions are sometimes referred to as “bulk comments.”

By way of example, if an organization wanted its membership to submit comments supporting

the FCC’s proposed actions, it might ordinarily be forced to encourage each member to access

the ECFS website and submit an individual comment. The bulk comment submission process

enabled the organization to collect its members’ comments, format them into the .CSV

spreadsheet, and submit them all at once by transmitting that spreadsheet to ECFS.

       An API, in turn, is a mechanism that facilitates communication between ECFS and other

websites. As relevant here, it allows website developers to place comment-submission tools on

third-party websites, meaning that visitors to those websites can submit comments to ECFS

directly from those websites. For example, if a group opposing the Commission’s proposed

actions wanted visitors to its website to submit comments into the record, it might ordinarily

include a link to ECFS, forcing a visitor to leave its website to submit a comment. The API

instead enabled the group to place a comment form directly on its own website, allowing a

visitor to type a comment and submit it into ECFS without leaving the site. Those seeking to

host an API capable of communicating with ECFS must register for a “key,” which confirms to

ECFS that the information being transmitted comes from a registered source—essentially, a

unique code that opens the door to ECFS so a comment can be left inside.

       Prechtel filed two FOIA requests: one with the Commission and one with the General

Services Administration (“GSA”), the executive agency that manages the Commission’s API

system. See Compl. Ex. A; Pl.’s Statement of Undisputed Material Facts (“SUMF”) Ex. B. In




                                                2
this suit, Prechtel challenges how the agencies handled his requests. Specifically, he challenges

the adequacy of the FCC’s search for the requested records, its invocation of several statutory

exemptions to withhold or redact those records, and the GSA’s constructive denial of his FOIA

request. Am. Compl. ¶¶ 24, 27-28; Pl.’s Mot. Summ. J. & Opp’n at 1. The Court addresses only

the second challenge, aimed at the Commission’s withholdings. Prechtel belatedly served the

GSA and it has not had the opportunity to submit an affidavit clarifying its response to his FOIA

request. Accordingly, the Court reserves judgment on the GSA’s actions. And because a GSA

affidavit should clarify ownership of the API keys, which implicates the adequacy of the FCC’s

search, the Court also reserves judgment on Prechtel’s challenge to that search. The Court will

thus deny without prejudice all parties’ motions for summary judgment on those issues.

Regarding Prechtel’s challenge to the Commission’s withholdings: The Court will grant the

Commission’s motion for summary judgment on its withholding of certain privileged emails and

its server logs; grant Prechtel’s motion for summary judgment on the email addresses used to

submit .CSV files; and direct the parties to confer regarding the .CSV files themselves.

 I.    Background

       On June 4, 2017, Prechtel filed FOIA requests with the GSA and the FCC. Am.

Compl. ¶¶ 9, 16. His request to the GSA sought two sets of documents: (1) all public API keys

used to submit online comments relating to the “Restoring Internet Freedom” proceeding,

including the associated registration names and email addresses, and copies of all data files

submitted through those API keys; and (2) logs of all dates and times that those API keys were

used to submit comments. Id. ¶ 9. Prechtel’s FOIA request to the FCC sought the same

information as well as: (1) “the email addresses associated with .CSV comment uploads, along

with all .CSV files uploaded in response to [the] Proceeding”; (2) “logs of all dates and times the




                                                 3
email addresses submitted comments”; and (3) “all email inquiries to ECFSHelp@fcc.gov

regarding .CSV comment submissions to the Proceeding.” Id. ¶ 16.

       On June 5, the GSA informed Prechtel that the requested files were not within its

“jurisdiction.” Pl.’s SUMF Ex. B, at 1 (GSA response to Prechtel’s FOIA request). After

several email exchanges, the GSA elaborated that the FCC was the “API owner” and therefore

that Prechtel’s request was “more appropriate[ly]” addressed to the FCC. Id. at 7.

       After receiving no substantive response from the FCC, Prechtel filed this suit on

September 7, 2017. See Compl.; id. ¶¶ 9-12. Twenty days later, the Commission released

fifteen pages of documents responsive to the fifth part of his request—that seeking

communications to the ECFSHelp@fcc.gov “help desk” email address. See Defs.’ SUMF Ex. B,

at 2 (FCC response to Prechtel’s FOIA request). It redacted several emails within these records

and withheld all records responsive to other aspects of Prechtel’s request, invoking several of

FOIA’s statutory exemptions to justify its redactions and withholdings. Id. at 2-4. Further, it

indicated that it did not maintain documents responsive to Prechtel’s request for the API keys

and associated information, asserting that the GSA maintains these records. Id. at 1-2.

       The parties filed cross-motions for summary judgment, after which Prechtel amended his

complaint to add the GSA as a defendant. See Am. Compl. ¶¶ 9-15, 21-24. However, Prechtel

did not serve the GSA until after briefing had commenced. The GSA has joined the FCC’s

motion for summary judgment. But it has not provided an affidavit or declaration explaining its

response to Prechtel or the extent to which it is in tension with the FCC’s response regarding API

keys and attendant information. The Court held a telephonic status conference with the parties

regarding this issue, after which Prechtel served the GSA. Based on the status conference, the

Court expects that the GSA will provide a declaration detailing how it handled Prechtel’s FOIA




                                                4
request, which will clarify the issues surrounding the API keys and associated information.

Consequently, the Court will deny without prejudice all parties’ motions for summary judgment

on matters not resolved in this opinion. The parties may renew such motions in the future, if

necessary.

 II.   Legal Standards

       FOIA requires federal executive agencies to produce their records upon request unless

one of the Act’s nine exemptions protects those records from disclosure. See 5 U.S.C. § 552(b).

These exemptions “balance the public’s interest in governmental transparency against ‘legitimate

governmental and private interests [that] could be harmed by release of certain types of

information.’” United Techs. Corp. v. DOD, 601 F.3d 557, 559 (D.C. Cir. 2010) (alteration in

original) (quoting Critical Mass Energy Project v. Nuclear Regulatory Comm’n, 975 F.2d 871,

872 (D.C. Cir. 1992) (en banc)). “But these limited exemptions do not obscure the basic policy

that disclosure, not secrecy, is the dominant objective of the Act.” Dep’t of Air Force v. Rose,

425 U.S. 352, 361 (1976). Accordingly, when a plaintiff challenges an agency’s withholding of

records, the agency must show that one of FOIA’s exemptions applies. ACLU v. DOD, 628

F.3d 612, 619 (D.C. Cir. 2011).

       FOIA disputes are generally resolved on cross-motions for summary judgment. In

evaluating each motion, the Court must view the record in the light most favorable to the non-

movant. The agency may satisfy its burden of showing that a FOIA exemption applies through

an affidavit or declaration that “describes the justifications for withholding the information with

specific detail, demonstrates that the information withheld logically falls within the claimed

exemption, and is not contradicted by contrary evidence in the record or by evidence of the

agency’s bad faith.” Id.




                                                 5
 III.   Analysis

        The Commission withheld all or part of three categories of records responsive to

Prechtel’s request: email exchanges between agency staff regarding how to respond to an inquiry

to ECFSHelp@fcc.gov; .CSV files used to submit bulk comments and the email addresses of

those who submitted them; and Commission server logs detailing the dates and times that .CSV

files were submitted. The Court will evaluate each withholding in turn.

        A. Email Threads

        Prechtel requested all email inquiries to the Commission’s ECFSHelp@fcc.gov “help

desk” email address regarding .CSV submissions to the Restoring Internet Freedom proceeding.

Am. Compl. ¶ 16. The Commission released fifteen pages of responsive documents and invoked

the deliberative process privilege under FOIA Exemption 5 to redact certain email threads. 1 See

Defs.’ SUMF Ex. B, at 2. The Court concludes that this withholding was proper. 2

        Exemption 5 allows agencies to withhold “inter-agency or intra-agency memorandums or

letters that would not be available by law to a party other than an agency in litigation with the




        1
          The Commission also redacted the name of the agency representative who printed out
the emails that the Commission released to Prechtel, invoking Exemption 6. See Defs.’ SUMF
Ex. A. Prechtel does not appear to challenge this withholding. In any event, the Court finds this
withholding to be proper. As described in more detail in Section III.B, infra, Exemption 6
requires courts to balance the privacy interest in non-disclosure with the public interest in
disclosure. Here, Prechtel has not advanced any public interest in disclosure of the employee’s
name, and the Court cannot think of any benefit to the public in revealing the name. “[E]ven a
modest privacy interest[] outweighs nothing every time.” Nat’l Ass’n of Retired Federal Emps.
v. Horner, 879 F.2d 873, 879 (D.C. Cir. 1989).
        2
          Prechtel’s FOIA request sought “all email inquiries to ECFSHelp@fcc.gov regarding
.CSV comment submissions to the Proceeding.” Am. Compl. ¶ 16 (emphasis added). It is
unclear why emails internal to the agency are responsive to this request for communications from
external parties to the agency, but the Commission has not raised this defense to its withholding.
Because the parties have briefed the Exemption 5 issue, the Court will proceed as though the
withheld emails were in fact responsive to Prechtel’s request.


                                                 6
agency.” 5 U.S.C. § 552(b)(5). In other words, it shields information that would be “normally

privileged in the civil discovery context.” NLRB v. Sears, Roebuck & Co., 421 U.S. 132, 149

(1975).

          The Commission invoked the deliberative process privilege protected by Exemption 5.

An agency invoking that privilege must show that withheld documents are both “predecisional”

and “deliberative.” Coastal States Gas Corp. v. Dep’t of Energy, 617 F.2d 854, 866 (D.C. Cir.

1980). Predecisional communications are those that “occurred before any final agency decision

on the relevant matter.” Nat’l Sec. Archive v. CIA, 752 F.3d 460, 463 (D.C. Cir. 2014).

Deliberative communications are those that “reflect[] the give-and-take of the consultative

process.” Coastal States, 617 F.2d at 866.

          According to the Commission’s declaration, the emails contain “internal deliberations

among IT staff regarding how to respond” to an inquiry about comment submissions, and

“include[] a back-and-forth conversation regarding the best method for handling [the] . . .

request, including options considered and discarded.” Decl. of Ryan J. Yates Supp. Defs.’ Mot.

for Summ. J. (“First Yates Decl.”) ¶ 15. The agency withheld the exchange after concluding

“that its release would chill the candid exchange of ideas among staff.” Id. This is precisely

what the deliberative process privilege is designed to protect: the agency staff’s ability to have

candid discussions and weigh options before making a final decision. See, e.g., Petroleum Info.

Corp. v. Dep’t of Interior, 976 F.2d 1429, 1434 (D.C. Cir. 1992) (“[D]ecisions on the

‘deliberativeness’ inquiry have focused on whether disclosure . . . would tend to discourage

candid discussion within an agency.” (quotation marks omitted)).

          Contrary to Prechtel’s assertions, the Commission’s explanation is not “generic.” Pl.’s

Mot. Summ. J. & Opp’n at 17. The Commission has explained who deliberated (the




                                                  7
Commission’s IT staff), the agency action about which they deliberated (a response to an outside

inquiry), the role the deliberations played in crafting that action (determining the best way to

handle the inquirer’s underlying request, including possibilities that eventually were rejected),

and the harms that would result from disclosure (a chill on agency staff’s ability to weigh options

candidly to make decisions). The declaration provides appropriate details and stands in contrast

to invocations of the deliberative process privilege that courts in this district have rejected as

insufficient. See, e.g., Hunton & Williams LLP v. EPA, 248 F. Supp. 3d 220, 242-43 (D.D.C.

2017) (rejecting invocation of the privilege because agency did not specify the topic of the

deliberative process); Trea Senior Citizens League v. U.S. Dep’t of State, 923 F. Supp. 2d 55, 68

(D.D.C. 2013) (noting that agency declaration left it “unclear to which deliberative process this

[withheld] document may have contributed or pertained.”).

       Prechtel claims that, even if some of the communications are privileged, any records

reflecting the agency’s final decision, the accompanying explanation, 3 and any factual

information are not exempt. See Pl.’s Mot. Summ. J. & Opp’n at 16. He is partially correct in

his depiction of what the law requires. While “factual information generally must be disclosed,”

Petroleum Info. Corp., 976 F.2d at 1434, it is not per se non-exempt, see, e.g., Quarles v. Dep’t

of Navy, 893 F.2d 390, 392 (D.C. Cir. 1990). Prechtel is correct that a document is exempt in

this context only if it is antecedent to the final agency decision, see, e.g., Nat’l Sec. Archive, 752

F.3d at 463, and, even then, can lose its predecisional status if adopted as the agency position,




       3
           The Court understands Prechtel’s argument to refer to a final decision and
accompanying explanation sent internally among agency staff. Any final decision and
explanation sent externally as a response to the outside inquirer is not privileged. See, e.g., Ctr.
for Int’l Envtl. Law v. Office of U.S. Trade Representative, 237 F. Supp. 2d 17, 25 (D.D.C.
2002) (“[C]ommunications between agencies and outside parties are not protected under
Exemption 5.”).


                                                  8
see, e.g., Coastal States, 617 F.2d at 866. But his argument is unavailing because it does little

more than cast aspersions on the Commission’s declaration by suggesting that there must be

some non-exempt information that the declarant did not acknowledge. This claim is factually

unfounded and thus legally inadequate. “Agency [declarations]—so long as they are relatively

detailed and non-conclusory—are accorded a presumption of good faith, which cannot be

rebutted by purely speculative claims.” Mobley v. CIA, 806 F.3d 568, 581 (D.C. Cir. 2015)

(quotation marks omitted). As discussed, the Commission’s declaration is sufficiently detailed to

support the deliberative process exemption, and Prechtel’s rebuttal is pure speculation. Because

the Commission properly invoked Exemption 5 to protect its deliberative process, the Court

grants its motion for summary judgment on this issue.

       B. The .CSV Files and Associated Email Addresses

       Prechtel also requested the .CSV files used to submit bulk comments to the proceeding

and the email addresses used to transmit those files. Am. Compl. ¶ 16. In response, the

Commission invoked FOIA Exemption 6, which protects personal information from disclosure,

to withhold the email addresses and instructed Prechtel that any other responsive information

was already public. See Defs.’ SUMF Ex. B, at 2.

       An initial clarifying matter: Prechtel requested the .CSV files along with the email

addresses used to submit them. The Commission’s response that all non-exempt responsive

information was already public appears to reveal a misunderstanding of Prechtel’s request.

While the submitted comments are publicly available on ECFS, the .CSV files themselves do not

appear to be. See Defs.’ Opp’n & Reply at 6 (“[A]s to Mr. Prechtel’s request for the CSV files

themselves, the FCC repeats that the information in those files other than the submitter email

addresses is already publicly available on the FCC’s website along with all other submitted




                                                 9
comments. . . . Mr. Prechtel may access the content of those comments there.” (emphases

added)). It is as though someone submitted hundreds of individual letters in an envelope and

Prechtel has asked to inspect the return address on the envelope and the letters it contained. The

Commission has declined to release the return address (on privacy grounds) and, instead of

providing the envelope with return address redacted, has told Prechtel that copies of the letters

are available among a pile of twenty-odd million letters.

        But, as Prechtel points out, the .CSV files have independent value—principally, they

reflect which comments were submitted together and, assuming disclosure of the bulk file

submitters’ email addresses, by whom. Whether or not the Commission properly withheld the

email addresses of bulk submitters, it still must justify independently the withholding of the files

themselves. If the Commission maintains access to the files and cannot show why they are

independently exempt, it must disclose them. The Court will elaborate on each of these issues in

turn.

               1. Bulk Submitters’ Email Addresses

        The Court finds that the Commission improperly invoked Exemption 6 to withhold the

bulk submitters’ email addresses and orders the Commission to release those records.

        Exemption 6 shields from disclosure “personnel and medical files and similar files the

disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” 5

U.S.C. § 552(b)(6). The catchall provision “similar files” includes any “[g]overnment records on

an individual which can be identified as applying to that individual.” U.S. Dep’t of State v.

Wash. Post Co., 456 U.S. 595, 602 (1982) (citation omitted). This definition encompasses email

addresses. See, e.g., Bayala v. U.S. Dep’t of Homeland Sec., 264 F. Supp. 3d 165, 178 (D.D.C.

2017). But the Court’s inquiry must go beyond this threshold observation. To determine




                                                 10
whether the disclosure of these email addresses would constitute “a clearly unwarranted invasion

of personal privacy,” the Court must balance the “privacy interest in non-disclosure against the

public interest in the release of the records.” Lepelletier v. FDIC, 164 F.3d 37, 46 (D.C. Cir.

1999) (citation omitted). In balancing these interests, the Court is mindful that “under

Exemption 6, the presumption in favor of disclosure is as strong as can be found anywhere in the

Act.” Wash. Post Co. v. U.S. Dep’t of Health & Human Servs., 690 F.2d 252, 261 (D.C. Cir.

1982).

         The bulk submitters’ privacy interest in their email addresses is minimal in this context.

Importantly, bulk submitters had ample indication that their email addresses could be made

public, mitigating any expectation of privacy. Cf. Alliance for Wild Rockies v. Dep’t of Interior,

53 F. Supp. 2d 32, 37 (D.D.C. 1999) (“The notice of proposed rulemaking . . . specified that the

complete file for this proposed rule is available for inspection . . . . [T]he [agency] made it

abundantly clear in its notice that the individuals submitting comments to its rulemaking would

not have their identities concealed.” (punctuation omitted)). Individuals submitting a .CSV file

into the public record did so through a widget on the FCC’s website. See Pl.’s SUMF Ex. E

(image of .CSV file submission webpage). The widget required them to provide an email

address. Id. The text in the widget warned: “Note: You are filing a document into an official

FCC proceeding. All information submitted, including names and addresses, will be publicly

available via the web.” Id. (emphasis added). This could hardly have been more

straightforward. And bulk submitters were also told that the Commission would release

individual commenters’ email addresses. Id. Together, the message was clear: The email

addresses of those intending to influence the Commission’s decision-making were subject to

public disclosure.




                                                  11
           The Commission maintains that because bulk submitters merely transmitted files and did

not necessarily comment on the proposal, they are more akin to “any other private individual[s]”

than to public commenters and therefore have a “substantial” privacy interest in their email

addresses. See Defs.’ Opp’n & Reply at 4-5. The Court disagrees. While the Commission

correctly notes that courts in this district have attached a “substantial” privacy interest to the

email addresses of “private individual[s],” id. at 5, the facts of the cases cited by the Commission

differ from those here. Judicial Watch, Inc. v. U.S. Department of State, for example, dealt with

private email addresses used by government employees. 306 F. Supp. 3d 97, 116-17 (D.D.C.

2018). Judicial Watch, in turn, cites Government Accountability Project v. U.S. Department of

State, which dealt with the personal email addresses of several government officials and

applicants considered, but not chosen, for job positions. 699 F. Supp. 2d 97, 106 (D.D.C.

2010). 4

           By contrast, the individuals here sought to influence agency decision-making by

submitting scores of public comments into the administrative record. This makes them more

akin to individual commenters who provide their email addresses when petitioning the

government than to “any other private individual[s]” whose email addresses the government


           4
           The Commission also cites Cornucopia Institute v. U.S. Department of Agriculture and
Bayala v. U.S. Department of Homeland Security for the proposition that “Exemption 6 applies
to email addresses.” Defs.’ Mot. Summ. J. at 12 n.5. Insofar as the Commission’s point is that
an email address is the type of information that triggers an Exemption 6 balancing test, the Court
agrees. But insofar as the Commission attempts to graft the outcome in those cases onto this
one, the Court rejects its argument. Neither of those cases is analogous. As relevant here,
Cornucopia Institute involved the personal email addresses of third parties conducting
inspections on behalf of the Department of Agriculture, see 282 F. Supp. 3d 150, 164-65 (D.D.C.
2017), and Bayala dealt with the email addresses of interpreters, see 264 F. Supp. 3d at 178. As
with Judicial Watch and Government Accountability Project, neither case implicated the privacy
interests of those petitioning the government.



                                                  12
happens to possess. Any difference between public commenters’ and bulk submitters’ privacy

interests is one of degree, not kind. And the degree of difference is minimal where, as here, a

message directed to bulk submitters alerted them that “[a]ll information submitted” would be

publicly available. In other words, when someone submits multiple comments to influence

public policy and is told that her email address will become part of the public record, her privacy

interest in that email address is not as strong as the Commission now suggests.

       Still, bulk submitters have some privacy interest in non-disclosure of their email

addresses. For Prechtel to successfully challenge the withholding, he must show that the public

interest in disclosure of these email addresses outweighs that privacy interest. The “public

interest” in this context must relate to FOIA’s “core purpose” of “shed[ding] light on an agency’s

performance of its statutory duties.” DOJ v. Reporters Comm. for Freedom of the Press, 489

U.S. 749, 773-75 (1989) (citation omitted); see also Consumers’ Checkbook Ctr. for Study of

Servs. v. U.S. Dep’t of Health & Human Servs., 554 F.3d 1046, 1051 (D.C. Cir. 2009)

(“[I]nformation about private citizens that reveals little or nothing about an agency’s own

conduct does not serve a relevant public interest under FOIA.” (punctuation and citation

omitted)).

       Courts in this district have held that disclosing the identities of those seeking to influence

an agency’s actions can shed light on those actions. See, e.g., People for the Am. Way Found. v.

Nat’l Park Serv., 503 F. Supp. 2d 284, 306 (D.D.C. 2007); Lardner v. DOJ, 03-0180, 2005 WL

758267, at *18 (D.D.C. Mar. 31, 2005); cf. Edelman v. SEC, 239 F. Supp. 3d 45, 55-56 (D.D.C.

2017) (articulating this principle while remanding to agency). But see Kidd v. DOJ, 362 F.

Supp. 2d 291, 297 (D.D.C. 2005); Voinche v. FBI, 940 F.Supp. 323, 329-30 (D.D.C. 1996). And

while courts have sometimes allowed agencies to withhold information such as telephone




                                                 13
numbers and home addresses, they have not done so automatically. The propriety of such

withholdings depends largely on whether the information sought is independently valuable in

illuminating the agency’s actions. In Alliance for Wild Rockies v. Department of Interior, which

considered disclosure of public comments on the proposed re-introduction of grizzly bears into a

particular geographic ecosystem, the court found that disclosure of commenters’ home addresses

clarified whether the agency gave greater weight to the views of residents of the affected region

than it did to those who lived elsewhere. 53 F. Supp. 2d at 37. By contrast, the court in People

for the American Way Foundation v. National Park Service declined to order the release of the

telephone numbers and home addresses of individuals who had written to the government

regarding a display at the Lincoln Memorial because, unlike in Alliance for Wild Rockies,

plaintiffs had not indicated “any apparent significance attached to the individual commenters’

geographical locations.” 503 F. Supp. 2d at 307 n.8.

       This case is closer to the former than the latter. Never mind the plaintiff; here, the

defendant, through its actions, has shown the significance attached to email addresses. The

Commission has released the email addresses of over twenty million public commenters on the

rulemaking. See FCC Public Notice, FCC Facilitates Review of Restoring Internet Freedom

Record, WC Docket No. 17-108 (Nov. 7, 2017). Outside groups have examined this information

and highlighted the extent to which public comments were associated with clearly fraudulent or

otherwise dubious email addresses, such as example@example.com. See, e.g., Pew Research

Ctr., Public Comments to the Federal Communications Commission About Net Neutrality

Contain Many Inaccuracies and Duplicates (2017), https://perma.cc/B9SZ-JUWC.

       Moreover, after dissenting Commissioners had called for a delay in the vote on a final

rulemaking due to concerns about the fraudulent comments, see Hamza Shaban, FCC




                                                14
Commissioner, New York Attorney General Call for Delay of Net Neutrality Vote Over Fake

Comments, Wash. Post (Dec. 4, 2017), https://perma.cc/WRD7-S8WZ, the Commission assured

the public that “those comments in no way impeded the Commission’s ability to identify or

respond to material issues in the record,” FCC, Declaratory Ruling, Report and Order, and

Order, Restoring Internet Freedom, WC Docket No. 17-108, at ¶ 345 (rel. Jan. 4, 2018). The

Commission’s assurances highlighted thousands of easily discounted comments from email

addresses that were obviously created with fake email generators. Id. ¶ 345 n.1178. The

Commission cannot now turn around and say that there is no public interest or independent

significance in information that will illuminate whether .CSV files containing scores of

comments were submitted by similarly dubious email addresses.

       To illustrate, if someone had used example@example.com or an email address created

with a fake email generator to submit a .CSV file containing hundreds or thousands of

comments, it would be at least as relevant as individual comments bearing those same indicia of

fraud. The disclosure Prechtel seeks would thus reveal information at the heart of FOIA’s

purpose of illuminating agency action: It would clarify the extent to which the Commission

succeeded—as it assured the American people it had—in managing a public-commenting

process seemingly corrupted by dubious comments. The relative public value of this information

might have been a slightly closer call had the Commission not already released over twenty

million email addresses. But it has, and that information has generated significant questions

about the agency’s procedures; it cannot now claim that the outstanding information is irrelevant

to the public’s scrutiny of those procedures. Thus, Prechtel has convincingly shown the

independent significance attached to the email addresses associated with bulk comment

submissions.




                                               15
       In addition to enabling scrutiny of how the Commission handled dubious comments

during the rulemaking, disclosure would illuminate the Commission’s forward-looking efforts to

prevent fraud in future processes. The Commission, its Chairman, Members of Congress, and

more than a dozen state attorneys general have all expressed concern about the extent to which

fake comments were submitted into the rulemaking record. See Pl.’s SUMF Ex. F (letter from

Members of Congress to FCC Chairman Ajit Pai); id. Ex. J (letter from state attorneys general to

FCC Chairman and Commissioners); Pl.’s Reply Ex. A (letters from FCC Chairman Ajit Pai to

Sens. Jeff Merkley and Patrick J. Toomey). The Government Accountability Office has agreed

to investigate the issue. See Pl.’s SUMF Ex. I (letter from GAO to Rep. Frank Pallone, Jr.). The

Commission’s Chairman has expressed a desire to implement mechanisms to prevent future

abuses of the public-commenting process. See Pl.’s Reply Ex. A. He has suggested that

longstanding Commission policies might be partly to blame, which implies that they might be

revisited. Id. at 2, 5. In other words, the public-commenting process appears to have been

corrupted by endemic fraud and the Commission hopes to take action to ensure that this problem

will not reoccur. Disclosure of the email addresses and .CSV files will enable interested

observers to scrutinize that action (or its absence) by defining the scope of the problem. It may

be the case, for example, that hundreds of comments were submitted in bulk .CSV files by

plainly fake email addresses, or that the comments submitted through .CSV files were all above-

board and most problematic comments were submitted through other means. In either instance,

Prechtel seeks information that sheds light on the suitability of the Commission’s efforts to

prevent future public-commenting fraud and abuse. It is surely in the public interest to further

the oversight of agency action to protect the very means by which Americans make their voices

heard in regulatory processes.




                                                16
       The Commission maintains that the email addresses cannot illuminate its actions because

they were stored by a third party and not accessed during the relevant agency action. See Defs.’

Opp’n & Reply at 5. But knowing whether dubious email addresses were used to submit bulk

comments will shed light on the relative wisdom of the Commission’s non-scrutiny of this

information. Given the controversy surrounding dubious comments and the Commission’s

subsequent assurances that its response was adequate, the public has an interest in knowing

whether a keener eye (i.e., accessing the information) could have revealed information that

would have enabled the Commission to better distinguish between real and fake comments. The

Commission notes that Prechtel has not explained why a .CSV file submitted with a fraudulent

email address would compel the Commission to reject the underlying comments. Id. True,

Prechtel has not argued that the Commission must discount such comments. But FOIA exists to

illuminate not just whether an agency complied with its statutory duties, but also how it chose to

do so. Prechtel need not allege that the Commission had to act a certain way to seek information

about its chosen actions.

       The public interest in disclosure of bulk submitters’ email addresses is significant when

compared to the privacy interest at stake. The Court therefore grants Prechtel’s motion for

summary judgment on this issue.

               2. .CSV Files

       To the extent that the Commission maintains access to the .CSV files themselves, their

disclosure would further illuminate the agency’s actions, particularly in light of the ordered

disclosure of the email addresses.

       Disclosure of the files would allow scrutiny of the Commission’s success in combatting

fraud. If, for example, a .CSV file contained 1,000 comments, 800 of which were dubious on




                                                17
their face, the public might question the validity of the remaining 200. Or, if a .CSV file

containing 1,000 seemingly legitimate comments were submitted by a plainly suspicious email

address, the public might question whether the Commission should have discounted those

comments.

       Moreover, disclosure of the full .CSV files alongside the email addresses could shed light

on whose comments the Commission placed most weight. The Commission’s release of over

twenty million email addresses belies its argument that there is no public interest in the email

addresses of those seeking to influence the Commission’s actions here. The already released

email addresses can reveal important information about the identity of commenters, 5 which in

turn might suggest to whom the government is responsive: Technology experts or laypeople?

Consumers or industry? Internet service providers or social media companies? Courts have

repeatedly recognized the public interest in this information. See, e.g., People for the Am. Way,

503 F. Supp. 2d at 306; Lardner, 2005 WL 758267, at *18; Alliance for Wild Rockies, 53 F.

Supp. 2d at 37. But the already public information paints only a part of the picture. The .CSV

files will reveal which public comments were submitted together and—with disclosure of the

bulk submitter email addresses—by whom. The public might better understand the agency’s

responsiveness to various constituencies if it knows which stakeholders solicited and facilitated

bulk public comments and which comments they submitted. 6




       5
          For example, a public comment submitted by someone with the email address domain
@USTelecom.org might indicate affiliation with a large trade group of internet service providers
supporting the Commission’s actions; a public comment submitted by someone with the email
address domain @InternetAssociation.org might indicate affiliation with a large trade group
representing companies that opposed the Commission’s actions.
       6
          This value depends on the email address disclosure: Because bulk submitters did not
have to provide their names, the information to be gleaned from the email addresses is the only


                                                18
       The Commission’s non-use of the email addresses does not negate this value. Disclosure

illuminates the relative weight an agency places on various constituencies’ comments whether or

not that weighing is conscious or overt. 7 There is heuristic value for assessing an agency’s

actions when disclosure reveals that an agency relied more heavily on certain constituencies’

comments, or that its reasoning aligned with the preferences of one constituency over another. 8

That value is independent of what the agency knew at the time.

       Because the Commission’s apparent misunderstanding of Prechtel’s request left the issue

unbriefed, it is unclear whether the Commission currently possesses the .CSV files themselves

and, if so, how they are stored. 9 The Court therefore directs the parties to meet and confer

regarding the release of the .CSV files, applying the analysis set forth in this opinion to the



information from which the public can potentially learn something about their identities and the
relative weight the Commission placed on the comments they submitted.
       7
         To be sure, courts have sometimes depicted the public interest in disclosure as
“knowing who may be exerting influence on [agency] officials sufficient to convince them to”
make policy changes, People for the Am. Way, 503 F. Supp. 2d at 306, which implies that the
agency must have had knowledge of the relevant identity for the interest to attach. In other
cases, however, the interest has been framed as knowing to whose comments agencies “give
greater weight” in regulatory processes, Alliance for Wild Rockies, 53 F. Supp. 2d at 37, which
does not necessitate overt weighing.
       8
          This case is distinguishable from Edelman v. SEC, 302 F. Supp. 3d 421 (D.D.C. 2018),
a recent decision in which a court in this district found minimal public interest due to limited
agency use of the underlying information. There, plaintiff sought the names of those who had
submitted consumer complaints to an agency; the court held that the balance tipped away from
disclosure because the agency had used the underlying complaints only for a limited purpose,
which did not include policy development. Id. at 427-28. Here, even though the Commission
did not rely on the information Prechtel seeks, it did consider the underlying submissions
associated with that information.
       9
          The Court is unsure whether the Commission maintains possession or control of the
.CSV files after the comments they contain are placed into ECFS. Likewise, it is not clear
whether, if the Commission maintains those files, it stores them in a manner that renders them
reasonably segregable from otherwise exempt information such as that discussed in Section III.C
of this opinion, infra.


                                                 19
relevant facts. If a dispute remains, the Commission may file a renewed motion for summary

judgment on this issue. Any such motion shall include a declaration providing a factual

explanation of whether and how the Commission stores the .CSV files.

       C. The Server Logs

       Finally, Prechtel sought the release of FCC electronic server logs detailing all dates and

times that .CSV files were submitted. Am. Compl. ¶ 16. The purpose of this request was

apparently to examine the logs for signs of nefarious activity. The Commission withheld these

logs in their entirety, claiming that some of the information in the logs is protected under FOIA

Exemptions 6 and 7(E) and not reasonably segregable from the non-exempt information. See

Defs.’ SUMF Ex. B, at 3-4. The Court finds that the Commission has properly invoked

Exemption 7(E) and has shown that the properly withheld information is not reasonably

segregable from the other information; therefore, there is no need to address the invocation of

Exemption 6. The Court will grant the Commission’s motion for summary judgment on the

server log withholding.

               1. Exemption 7(E)

       FOIA’s Exemption 7(E), as relevant here, allows agencies to withhold “records or

information” that “would disclose techniques and procedures for law enforcement investigations

or prosecutions . . . if such disclosure could reasonably be expected to risk circumvention of the

law.” 5 U.S.C. § 552(b)(7). This provision creates “a relatively low bar for the agency [to meet]

to justify withholding.” Blackwell v. FBI, 646 F.3d 37, 42 (D.C. Cir. 2011). “[T]he exemption

looks not just for circumvention of the law, but for a risk of circumvention; not just for an actual

or certain risk of circumvention, but for an expected risk; not just for an undeniably or

universally expected risk, but for a reasonably expected risk; and not just for certitude of a




                                                 20
reasonably expected risk, but for the chance of a reasonably expected risk.” Mayer Brown LLP

v. IRS, 562 F.3d 1190, 1193 (D.C. Cir. 2009). And an agency need not meet a “highly specific

burden of showing how the law will be circumvented,” but only must “demonstrate logically

how the release of the requested information might create a risk of circumvention of the law.”

Id. at 1194 (punctuation and citation omitted).

       In this case, the Commission’s IT staff fears that revealing the requested server logs

would expose both general security measures and specific steps it has taken to fend off past

cyber-attacks. The Commission explains in its declaration that its “IT staff concluded that

release of the server logs would reveal sensitive information regarding [its] IT architecture,

including security measures [it] takes to protect its systems from malicious activity.” First Yates

Decl. ¶ 18. Additionally, the Commission’s IT staff explained that “the logs would also disclose

detailed information about the steps the FCC took in response to the spike in ECFS traffic during

the period in question, thereby giving future attackers a ‘roadmap’ to evade the Commission’s

future defensive efforts.” Id. Courts have repeatedly “recognized the risk of a cyber-attack . . .

as valid grounds for withholding under Exemption 7(E).” Long v. ICE, 149 F. Supp. 3d 39, 51

(D.D.C. 2015).

       Prechtel does not question the risk of renewed attacks but maintains that disclosure will

not aggravate the risk of any such attacks’ success. He contends that “the techniques for

detecting fraud, spam, and unique internet traffic are well known” and the Commission could

have used only two well-known techniques. Pl.’s Mot. Summ. J. & Opp’n at 15. The

Commission counters that “[t]he timing and nature of how [it] deployed those tools would

provide malicious actors with insight into how exactly [it] protects its systems and improve their

ability to defeat those protections.” Suppl. Decl. of Ryan J. Yates Supp. Defs.’ Mot. Summ. J.




                                                  21
(“Second Yates Decl.”) ¶ 13. Contrary to Prechtel’s assertions, these are not legally inadequate

“conclusory” and “vague or sweeping claims.” Pl.’s Reply at 9. The Commission has explained

its concerns and has rebutted specifically Prechtel’s contention that they are misplaced. This

more than suffices to meet its burden. “‘[J]udges are not cyber specialists, and it would be the

height of judicial irresponsibility for a court to blithely disregard . . . a claimed risk’ of cyber-

attack or a security breach.” Levinthal v. FEC, 219 F. Supp. 3d 1, 7 (D.D.C. 2016) (quoting

Long, 149 F. Supp. 3d at 53).

                2. Segregability

        But the Commission does not claim that all information in its server logs is exempt. So

why isn’t Prechtel entitled to the non-exempt information? Because under FOIA, while an

agency must provide “[a]ny reasonably segregable portion of a record . . . after deletion of the

portions which are exempt,” 5 U.S.C. § 552(b), it may withhold non-exempt portions of records

if they are “inextricably intertwined with exempt portions,” Mead Data Cent., Inc. v. U.S. Dep’t

of Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977). In other words, FOIA anticipates situations

like this one, in which an agency possesses information that it would ordinarily be required to

release but that is intermingled with information protected from disclosure. “Agencies are

entitled to a presumption that they complied with the obligation to disclose reasonably

segregable material,” Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007), but

still must “carry [the] evidentiary burden and fully explain [their] decisions on segregability,”

Am. Immigration Council v. U.S. Dep’t of Homeland Sec., 21 F. Supp. 3d 60, 83 (D.D.C. 2014).

The agency can meet this burden by showing with “reasonable specificity” that the non-exempt

information is not reasonably segregable. See, e.g., Armstrong v. Exec. Office of the President,

97 F.3d 575, 578 (D.C. Cir. 1996).




                                                  22
        The Commission has done so here. Its submissions explain that “[d]ue to the nature of

how the server logs record information, non-sensitive information . . . is interspersed throughout

hundreds of millions of lines of . . . . exempt information, . . . the disclosure of which would

jeopardize the Commission’s IT security.” First Yates Decl. ¶ 18 n.4. Prechtel maintains that

these submissions are insufficient because segregating server logs is an easy task, as

demonstrated by the fact that another agency has done so in the past. Pl.’s Reply at 7-8. But

another agency’s action does not undermine the Commission’s explanation. Agencies do not

necessarily have parallel IT architectures or use identical techniques.

        Prechtel also contends that, at most, the Commission’s declaration indicates that

segregation is possible, but involves multiple steps. Id. at 8. That may be the case, but the

relevant statutory standard is whether the information can be reasonably segregated. The

Commission has explained that “extracting any non-exempt information” is complicated “[d]ue

to idiosyncrasies in how ECFS is built.” Second Yates Decl. ¶ 15. Further, it notes that “[e]ven

attempting to create the records [Prechtel] seeks would require substantial coding work by the

Commission’s IT staff to craft algorithms tailored to the Commission’s server architecture.” Id.

“Courts in this Circuit have held repeatedly that records [are] not reasonably segregable where

the agency attest[s] that it lack[s] the technical capability to edit the records in order to disclose

non-exempt portions.” Milton v. DOJ, 842 F. Supp. 2d 257, 260 (D.D.C. 2012). This is so even

when plaintiffs indicate the availability of software that could undertake the task. Id. The same

principle attaches here: The Commission need not “acquire new technological capacity in order

to comply with disclosure requests,” id., and FOIA does not require it to craft complicated

algorithms to meet Prechtel’s request. Because portions of its server logs were properly withheld

under FOIA Exemption 7(E) and because the Commission has shown that the remaining portions




                                                  23
cannot be reasonably segregated, the Court grants its motion for summary judgment on this

issue.

         IV.    Conclusion

         For the foregoing reasons, the Court will grant in part and deny in part both parties’

cross-motions for summary judgment and directs the parties to confer regarding release of .CSV

files in light of the analysis in this opinion. A separate order accompanies this memorandum

opinion.




                                                               CHRISTOPHER R. COOPER
                                                               United States District Judge
Date: September 13, 2018




                                                  24
