US Department of Homeland Security seal (in the public domain)

Over a week ago, a federal judge ruled documents the Department of Homeland Security (DHS) was ordered to produce in a Freedom of Information Act (FOIA) lawsuit could not be subjected to a protective order.

The development has received minimal attention, but the case seems important, as the government sought to use an innovative tactic to provide documents it owed an organization while at the same time preventing the public from reading the documents. Had the judge allowed the protective order or “clawback,” it would have been a complete perversion of FOIA.

The Electronic Privacy Information Center (EPIC) submitted a FOIA request on July 26, 2011, for documents “regarding a joint National Security Agency (“NSA”) and Department of Homeland Security (“DHS”) pilot program, which has not been publicly named, designed to monitor all internet traffic routed to several defense contractors and attempts to detect whether there are malicious programs within this internet traffic designed to compromise the defense contractor security.”

An article published on June 16 by the Washington Post revealed the NSA partnered with internet service providers (ISPs)—AT&T, Verizon and Century Link to “filter the traffic of fifteen defense contractors, including Lockheed Martin, CSC, SAIC and Northrop Grunman.” EPIC noted the Justice Department had “misgivings” that this could “run afoul of privacy laws forbidding government surveillance of private Internet traffic.”

The Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2510, prohibits the interception of electronic communications without a court order or consent from one of the parties. The NSA has alleged that the Agency “will not directly filter the traffic or receive the malicious code captured by Internet providers.” It is unclear how the program can detect malicious code and prevent its execution without “captur[ing]” it in violation of federal law.

DHS refused to process or produce any documents. As in other cases, a high-ranking official selectively leaked information he was willing to make public about the program. The Post story quoted Deputy Secretary of Defense William J. Lynn III, who outlined the scope of the program and that it was being run by the NSA with DHS as a partner. EPIC filed a lawsuit on March 1, 2012 to force the release of documents.

The US District Court for the District of Columbia ordered the production of all the documents on May 24. The Court also ordered the production of a Vaughn Index, which would identify each document withheld, the claimed statutory exemption and how disclosure of the information would damage interests, by August 24.

The government requested a ten-day stay, then another ten-day stay and then a “sixteen-month extension,” which EPIC opposed. The extension was denied. And, on October 16, 2012, a scheduling order included provisions for a protective order that would make it possible to address DHS’s concern that classified and/or sensitive information might be “inadvertently” disclosed. (Also, it notably ordered the DHS to cull out of the 9,200 pages of documents it has already identified as potentially responsive those documents containing legal analyses including legal memoranda regarding the DIB Cyber Pilot.”)

James V.M.L. Holzer, director of Disclosure and FOIA Operations for DHS, stated in a declaration the documents identified as responsive “contained a significant amount of very sensitive classified information.” Holzer added, “on its face,” the request “seeks information that relates to collaborative national security efforts of multiple federal agencies, [and] it is highly likely that the vast majority of these documents will be exempt from disclosure under FOIA. “Nonetheless, DHS is committed to reviewing the potentially relevant classified documents to determine whether any non-exempt portions of them can be segregated and produced.

DHS had previously been ordered to complete “all productions on a rolling basis within five months, which it claimed was “less than one third of the time that the Director of Disclosure and FOIA Operations for the DHS Privacy Office estimated would be required. It suggested a protective order “to facilitate the rapid processing and production of documents ordered by the Court, by providing a safety net.” EPIC opposed.

On January 8 of this year, Judge Gladys Kessler ruled there would be no “protective order.” DHS would not have to make “rolling productions,” but it would have to review at least 1,500 pages per month. The deadline for reviewing 5,200 documents was April 15. A Vaughn’s Index was to be provided by June 1. Some time in the final months of the year, the Court would hear argument and review the documents to see if procedures had been properly followed and if any documents should be produced.

The judge noted, “The government has already processed 4,000 of the 9,200 pages it believes were in question after the last Status Conference. Interestingly, the Government concluded that not a single one of those 4,000 pages should be produced to Plaintiff.  Consequently, Plaintiff has still not received a single page in response to its request.” In other words, no legal memoranda had been given to EPIC, as a court order had directed.

The government claimed it had a precedent to release documents to EPIC in a manner where they were protected until they could ultimately find no classified or sensitive documents had been released. In Public Citizen Health Research Group v. Food and Drug Administration, DHS noted a “protective order restricting dissemination of a document that had been inadvertently released under FOIA” had been issued. This was to allow the court to “control the information at issue” until it determined whether it qualified for non-disclosure.”

But, EPIC plainly noted that in Stonehill v. IRS, a court had ruled, “[W]hile information disclosed during discovery is limited to the parties and can be subject to protective orders against further disclosure, when a document must be disclosed under FOIA, it must be disclosed to the general public and the identity of the requester is irrelevant to whether disclosure is required.”

Once there is a disclosure, that information belongs to the general public. An organization cannot be required to keep the information secret from citizens for any time period. This was the position of the Justice Department in 2004, which concluded, “It is well settled that it is not appropriate for a court to order disclosure of information to a FOIA requester with a special restriction, either explicit or implicit, that the requester not further disseminate the information received.”

The FOIA process already is dysfunctional with many loopholes allowing agencies to not produce documents, even if sued. One can only imagine what the process would be like if the government routinely utilized some power to further pervert the FOIA process by providing documents with restrictions that they not be made public for an indefinite period. It would conveniently shift responsibility and liability to the requester and make it possible to obstruct transparency while at the same time allowing agencies to claim they had made documents “public” because they did, in fact, fill the request.

Given that, the judge’s decision to not limit the dissemination of information, which should be available to the public, was an appropriate display of legal sanity.