                           UNITED STATES DISTRICT COURT
                           FOR THE DISTRICT OF COLUMBIA

ELECTRONIC PRIVACY                                )
INFORMATION CENTER,                               )
                                                  )
              Plaintiff,                          )
                                                  )   Civil Case No. 10-1533 (RJL)
              v.                                  )
                                                  )
NATIONAL SECURITY AGENCY,                         )
                                                  )
               Defendant.                         )


                              MEMORANDUM OPINION
                                (July __, 2011) [#9, #11]

       Plaintiff Electronic Privacy Information Center ("EPIC" or "plaintiff") brings this

action against the National Security Agency ("NSA" or "defendant") for failure to

disclose information pursuant to the Freedom of Information Act ("FOIA"). Plaintiff

seeks material relating to NSA's possible relationship with Google following news of an

alleged cyber attack by hackers in China and of a subsequent cooperation agreement

between Google and NSA. Before this Court is defendant's Motion for Summary

Judgment and plaintiff's Cross-Motion for Summary Judgment. After due consideration

of the parties' pleadings, the relevant law, and the entire record herein, defendant's

motion is GRANTED and plaintiff's motion is DENIED.

                                     BACKGROUND

       On February 4, 2010, following media coverage of a possible partnership between

the NSA and Google relating to an alleged cyber attack by hackers in China, EPIC

submitted a FOIA request to NSA seeking:

       1.      All records concerning an agreement or similar basis for collaboration, final or

               draft, between the NSA and Google regarding cyber security;

       2.      All records of communication between the NSA and Google concerning

               Gmail, including but not limited to Google's decision to fail to routinely

               encrypt Gmail messages prior to January 13, 2010; and

       3.      All records of communications regarding the NSA's role in Google's decision

               regarding the failure to routinely deploy encryption for cloud-based

               computing service, such as Google Docs.

Compl. ¶ 12.

       NSA denied EPIC's request. Letter from Pamela N. Phillips, NSA, FOIA/PA

Office, Mar. 10, 2010 [#9-3]. While it acknowledged working "with a broad range of

commercial partners and research associates," the Agency refused to "confirm [or] deny"

whether it even had a relationship with Google. Id. In support of its response, NSA cited

Exemption 3 of FOIA and Section 6 of the National Security Agency Act of 1959 ("NSA

Act"), explaining that any response would improperly reveal information about NSA's

functions and activities. Id. Such a response - neither confirming nor denying the

existence of requested documents - is known as a Glomar response.1

      On May 7, 2010, EPIC appealed through the agency's internal appeal process.

Compl. ¶ 21. However, after NSA failed to respond to EPIC's appeal within the statutory

deadline, EPIC filed the complaint initiating this lawsuit. Pl.'s Opp'n to Mot. For Summ.

1 The term "Glomar response" is derived from the ship the Glomar Explorer, and refers
to the C.I.A.'s refusal to acknowledge the existence or non-existence of any records
pertaining to the ship. Phillippi v. C.I.A., 546 F.2d 1009, 1011 (D.C. Cir. 1976).
J. at 3 (Pl.'s Opp'n).2 On December 22, 2010, NSA filed its Motion for Summary

Judgment, contending that the use of a Glomar response was appropriate under the

circumstances and that the requested information was protected from release by FOIA

Exemption 3, 5 U.S.C. § 552(b)(3), and Section 6 of the NSA Act, Sec. 6, Pub. L. No. 86-

36, 73 Stat. 63, 50 U.S.C. § 402 note. Def.'s Mem. in Supp. of Mot. Summ. J. ("Def.'s

Mot.") at 3.

       In support of its motion, NSA submitted a declaration by Diane M. Janosek, the

Deputy Associate Director for Policy and Records for the NSA ("Janosek Declaration" or

"Declaration"). Decl. of Diane M. Janosek, Dec. 20, 2010 ("Janosek Decl.") [#9-1].

Specifically, the Declaration states that, as part of its Information Assurance mission,

NSA is responsible for "protecting Department of Defense and other national-security

information systems, as well as providing direct support to other agencies that help

protect other U.S. government information systems and the nation's critical infrastructure

and key resources." Id. ¶ 4. The NSA also performs government vulnerability discovery

and security testing, and participates in public-private security initiatives relating to the

commercial technology that the U.S. Government uses for its information systems. Id. ¶¶ 5-6.

       With respect to EPIC's specific request, the Declaration states that "[t]o confirm

or deny the existence of any such records would be to reveal whether the NSA ...

determined that vulnerabilities or cybersecurity issues pertaining to Google or certain of



2 Once the suit was filed, NSA stopped processing EPIC's appeal and filed an answer on
October 27, 2010 to EPIC's complaint. Def.'s Mot. at 4.
its commercial technologies could make U.S. government information systems

susceptible to exploitation or attack." Id. ¶ 13. The Declaration further clarifies that even

an acknowledgement of a relationship between the NSA and a commercial entity could

potentially alert "adversaries to NSA priorities, threat assessment, or countermeasures,"

and that, as such, the information relates to the Agency's core functions and activities

under its Information Assurance mission. Id. ¶¶ 13-14.

       In response to NSA's Motion, EPIC filed a cross-motion on January 28, 2011.

EPIC asserts two arguments: first, that NSA was required under FOIA to search for

relevant records and segregate and disclose non-exempt information prior to issuing a

Glomar response; and second, that the Janosek Declaration was "vague and conclusory,"

and, therefore, insufficient under the law of this Circuit. Pl.'s Opp'n at 4. For the

following reasons, I disagree.

                                         ANALYSIS

       Summary judgment is appropriate when the record demonstrates that there is no

genuine issue of material fact in dispute and that the moving party is entitled to judgment

as a matter of law. Fed. R. Civ. P. 56(a). The moving party bears the burden, and the

court will draw "all justifiable inferences" in favor of the non-moving party. Anderson v.

Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). Nevertheless, the non-moving party "may

not rest upon the mere allegations or denials of his pleading, but ... must set forth

specific facts showing that there is a genuine issue for trial." Id. at 248 (internal

quotations omitted). Factual assertions in the moving party's affidavits may be accepted



as true unless the opposing party submits its own affidavits, declarations or documentary

evidence to the contrary. Neal v. Kelly, 963 F.2d 453, 456 (D.C. Cir. 1992).

       "When assessing a motion for summary judgment under FOIA, the Court shall

determine the matter de novo." Judicial Watch, Inc. v. U.S. Dep't of Homeland Sec., 598

F. Supp. 2d 93, 95 (D.D.C. 2009) (citing 5 U.S.C. § 552(a)(4)(B)). While the "burden is

on the agency to sustain its action," 5 U.S.C. § 552(a)(4)(B), courts must give substantial

weight to an agency's affidavits, Hayden v. NSA/CSS, 608 F.2d 1381, 1387 (D.C. Cir.

1979), see Military Audit Project v. Casey, 656 F.2d 724, 745 (D.C. Cir. 1981). The

court may rely on the agency's affidavits or declarations if they contain reasonable

specificity of detail rather than merely conclusory statements, and if they are not called

into question by contradictory evidence in the record or by evidence of agency bad faith.

See Halperin v. C.I.A., 629 F.2d 144, 150 (D.C. Cir. 1980). "Ultimately, an agency's

justification for invoking a FOIA exemption is sufficient if it appears logical or

plausible." Larson v. U.S. Dep't of State, 565 F.3d 857, 862 (D.C. Cir. 2009) (internal

quotations omitted).

       When an agency issues a Glomar response - refusing to confirm or deny the

existence of documents - it must establish that the requested information is protected by

one of the nine recognized FOIA exemptions. 5 U.S.C. § 552(b)(3); see Wolf v. C.I.A.,

473 F.3d 370, 375 (D.C. Cir. 2007). Exemption 3 permits an agency to prevent the

release of records that are "specifically exempted from disclosure by statute." 5 U.S.C. §

552(b)(3). Although FOIA requests are traditionally "narrowly construed," Dep't of the

Air Force v. Rose, 425 U.S. 352, 361 (1976), Exemption 3 "differs from other FOIA

exemptions in that its applicability depends less on the detailed factual contents of

specific documents," Goland v. C.I.A., 607 F.2d 339, 350 (D.C. Cir. 1978). Instead, "the

sole issue for decision is the existence of a relevant statute and the inclusion of withheld

material within that statute's coverage." Id.; see Ass'n of Retired R.R. Workers v. U.S.
R.R. Ret. Bd., 830 F.2d 331, 336 (D.C. Cir. 1987).

       It is well established that Section 6 of the NSA Act is a statutory exemption under

Exemption 3. See Hayden, 608 F.2d at 1389; Founding Church of Scientology of

Washington, D.C., Inc. v. N.S.A., 610 F.2d 824, 826 (D.C. Cir. 1979). Section 6 of the

NSA Act broadly prohibits the disclosure of information pertaining to the organization,

function, or activities of the NSA. National Security Agency Act of 1959, Sec. 6, Pub. L.

No. 86-36, 73 Stat. 63, 50 U.S.C. § 402 note. Specifically, the NSA need not disclose

"the organization or any function of the National Security Agency, [or] any information

with respect to the activities thereof." Id. While our Circuit has admonished that "courts

must be particularly careful when scrutinizing claims of exemptions based on such

expansive terms," as those included in Section 6, Scientology, 610 F.2d at 829, this

heightened scrutiny must be tempered by the recognition of the substantial challenges

posed to the NSA in maintaining operational security, see Hayden, 608 F.2d at 1390

(interpreting the NSA Act to reflect congressional recognition of the agency's "peculiar

security needs").

       Thus, once the agency, through affidavits, has created "as complete a public

record as is possible" and explained "in as much detail as is possible the basis for its

claim," Phillippi, 546 F.2d at 1013, the "court is not to conduct a detailed inquiry to

decide whether it agrees with the agency's opinions," Halperin, 629 F.2d at 148. Further,

"NSA is not required to show harm to national security under Section 6." Larson, 565

F.3d at 868; see also Hayden, 608 F.2d at 1390. As the Supreme Court explained in

C.I.A. v. Sims, "bits and pieces of data 'may aid in piecing together bits of other

information even when the individual piece is not of obvious importance in itself.'" 471

U.S. 159, 178 (1985) (quoting Halperin v. C.I.A., 629 F.2d 144, 150 (D.C. Cir. 1980)).

       Here, NSA's supporting affidavits satisfy the criteria for non-disclosure under

Section 6.3 The Janosek Declaration contains sufficient detail, pursuant to Section 6, to

support NSA's claim that the protected information pertains to "the organization or any

function of the National Security Agency, [or] ... to the activities thereof." 50 U.S.C. §

402 note; see Hayden, 608 F.2d at 1388 (granting summary judgment based on affidavits

that describe "the activity involved, the need for maintaining secrecy, and the reason for

believing that disclosure of any of the requested material could compromise legitimate

secrecy needs"); Miller v. Casey, 730 F.2d 773, 776 (D.C. Cir. 1984) (describing as

ample an affidavit which "demonstrates that the information withheld logically falls


3 Plaintiff's argument regarding the public dissemination of information relating to a
purported Google/NSA agreement is misleading. The agency has not waived its FOIA
protections by official disclosure of the requested information. See Wolf v. C.I.A., 473
F.3d 370, 378 (D.C. Cir. 2007). Nor does plaintiff ever contest this point. Rather,
plaintiff incorrectly argues that information, which is widely reported in the media, is
stripped of its FOIA protections. Pl.'s Opp'n at 9-10. Indeed, while Glomar responses
are deemed inappropriate when the specific information has already been officially and
publicly disclosed by the solicited agency, such disclosure "cannot be based on mere
speculation, no matter how widespread." Id. The agency, itself, must waive FOIA
protections through an official disclosure. Id.

within the claimed exemption, and [is] not controverted by either contrary evidence in the

record nor by evidence of agency bad faith" (internal quotations omitted)).

         Indeed, as the Janosek Declaration makes clear, the requested information relates

to the NSA's cryptologic Information Assurance mission, which is designed to protect

national security information systems and critical infrastructure resources. Janosek Decl.

¶ 5. Because of the reliance by the U.S. government on commercial systems, this mission

includes the assessment of commercial technologies and the Agency's participation in

public-private security initiatives. Id. ¶¶ 5-6, 12.

        Thus, with respect to plaintiff's first request - all records concerning an agreement

between NSA and Google regarding cyber-security - the Janosek Declaration explains

that "any acknowledgement by NSA of the existence or nonexistence of a relationship or

agreement with Google ... would reveal whether or not NSA considered the alleged attack

to be of consequence for critical U.S. government information systems." Id. ¶ 13.

Further, with respect to plaintiff's second and third requests - NSA/Google

communications regarding encryption of Gmail and cloud-based computing service, such

as Google Docs - the Janosek Declaration clarifies that "to confirm or deny the existence

of any such records would be to reveal whether NSA, in fulfilling one of its key missions,

determined that vulnerability or cyber security issues pertaining to Google or certain of

its commercial technologies could make U.S. government information systems

susceptible to exploitation or attack by adversaries ..." Id. ¶ 13. The Declaration then

adds, "[i]n addition to revealing information about NSA functions and activities, such

information falling in either category could alert our adversaries to NSA priorities, threat

assessments, or countermeasures that may or may not be employed against future

attacks." Id.

       This Declaration provides more than cursory details concerning the relationship

between the withheld material and NSA's organization and function. See Scientology,

610 F.2d at 831. To the contrary, it explains the relevance of the Information Assurance

mission to national security, the clear tie between the requested information and the

Information Assurance mission, and the cognizable harm posed by acknowledging the

existence/non-existence of the information.4 Thus, because NSA's answer is both logical

and plausible,5 the Declaration satisfies all the requirements set forth by our Circuit. See

Larson, 565 F.3d at 862; Halperin, 629 F.2d at 148; Hayden, 608 F.2d at 1388.




4 EPIC argues that the NSA's single supporting declaration is conclusory and fails to
demonstrate that the requested information pertains to the NSA's Information Assurance
mission and is protected by the NSA Act exemption. Pl.'s Opp'n at 7-8. EPIC also
challenges that its requests are broad enough to include documents that "do not reflect on
the NSA's activities in any way." Pl.'s Opp'n at 6. These claims understate the Janosek
Declaration's depiction of the NSA's Information Assurance mission, as well as the
explanation of how the requested records would reveal information relating to NSA
activities. Simply put, it is the relationship between Google and the NSA not just the
content of records that warrants protections. See Goland, 607 F.2d at 350.
5 NSA also argues that revealing a relationship with Google could dissuade other
companies from working with the agency in the future or self-reporting on problems.
Def.'s Reply at 10. This is a serious concern which also warrants finding for the NSA.
See Sims, 471 U.S. at 175.
                                  CONCLUSION

      For all of the foregoing reasons, the Court GRANTS defendant's Motion for

Summary Judgment [#9] and DENIES plaintiff's Cross-Motion for Summary Judgment

[#11]. An Order consistent with this decision accompanies this Memorandum Opinion.




