Elec. Privacy Info. Ctr. v. U.S. Dep't of Homeland Sec.

Full title: Electronic Privacy Information Center, Plaintiff, v. The United States…

Court: United States District Court, District of Columbia.

Date published: Aug 4, 2015

117 F. Supp. 3d 46 (D.D.C. 2015)

Opinion

Civil Action No. 12–0333 (GK)

2015-08-04

Electronic Privacy Information Center, Plaintiff, v. The United States Department of Homeland Security, Defendant.

Marc Rotenberg, Washington, DC, for Plaintiff. Lisa Zeidner Marcus, Tamra Tyree Moore, U.S. Department of Justice, Washington, DC, for Defendant.

Gladys Kessler, United States District Judge

Marc Rotenberg, Washington, DC, for Plaintiff.

Lisa Zeidner Marcus, Tamra Tyree Moore, U.S. Department of Justice, Washington, DC, for Defendant.

MEMORANDUM OPINION

Gladys Kessler, United States District Judge

Plaintiff Electronic Privacy Information Center (“Plaintiff” or “EPIC”) brings this action against Defendant the United States Department of Homeland Security (“the Government” or “DHS”) under the Freedom of Information Act (“FOIA”), 5 U.S.C. § 552. Plaintiff seeks records concerning the Defense Industrial Base Cyber Pilot (“DIB Cyber Pilot”), a cyber-security pilot program jointly conducted by the United States Department of Defense (“DoD”) and Defendant DHS. Government's Motion for Summary Judgment (“DHS's Mot.”) at 2 [Dkt. No. 53].

The program, which “aim[ed] ... to protect U.S. critical infrastructure [,] ... [and] furnished classified threat and technical information to voluntarily participating [ ] companies or their Commercial Service Providers [ ].” Id. EPIC, citing concerns from the Department of Justice about the program “[running] afoul of laws forbidding government surveillance of private Internet traffic[,] ... sought records to determine whether ... the DIB Cyber Pilot program complied with federal wiretap laws.” Plaintiff's Combined Opposition to Defendant's Motion for Summary Judgment and Cross–Motion for Summary Judgment (“Pl.'s Mot.”) at 2 [Dkt. No. 57].

DHS conducted a search for records responsive to EPIC's request, produced documents to EPIC, and provided a Vaughn index for all documents that were withheld in full or in part under one of FOIA's several exemptions. § 552(b); see also Defendant's Vaughn Index for Challenged Withholdings (“Vaughn index”) [Dkt. No. 53–4]. EPIC now challenges the sufficiency of the search conducted by DHS, as well as the Government's application of FOIA Exemptions 1, 3, 4, 5, and 7(D) to withhold certain responsive information.

Upon consideration of the Motions, Oppositions, Replies, the entire record herein, and for the reasons stated below, Plaintiffs' Motion for Summary Judgment shall be denied without prejudice with regard to Exemption 7D and otherwise denied in whole, and the Government's Motion for Summary Judgment shall be

granted in part and denied in part without prejudice.

I. BACKGROUND

A. FOIA

The Freedom of Information Act (“FOIA”), 5 U.S.C § 552, was enacted by Congress “to ensure an informed citizenry, vital to the functioning of a democratic society.” Critical Mass Energy Project v. Nuclear Regulatory Comm'n, 975 F.2d 871, 872 (D.C.Cir.1992) (“Critical Mass III”), cert. denied, 507 U.S. 984, 113 S.Ct. 1579, 123 L.Ed.2d 147 (1993) (citing FBI v. Abramson, 456 U.S. 615, 621, 102 S.Ct. 2054, 72 L.Ed.2d 376 (1982)). “In enacting FOIA, Congress struck the balance it thought right—generally favoring disclosure, subject only to a handful of specified exemptions—and did so across the length and breadth of the Federal Government.” Milner v. Dep't of the Navy, 562 U.S. 562, 571 n. 5, 131 S.Ct. 1259, 179 L.Ed.2d 268 (2011). FOIA's “basic purpose reflect[s] a general philosophy of full agency disclosure unless information is exempted under clearly delineated statutory language.” Dep't of the Air Force v. Rose, 425 U.S. 352, 360–361, 96 S.Ct. 1592, 48 L.Ed.2d 11 (1976) (internal citations and quotation marks omitted).

When an agency receives a request for records, the agency must conduct a sufficient search within the scope of the request, 5 U.S.C. § 552(a)(3)(A). The agency then must furnish the information in a timely manner, unless the information is precluded from disclosure by one of FOIA's nine exemptions. § 552(b). FOIA's “goal is broad disclosure, [thus] the exemptions must be given a narrow compass.” Milner, 562 U.S. at 563, 131 S.Ct. 1259 (citing United States Dep't of Justice v. Tax Analysts, 492 U.S. 136, 151, 109 S.Ct. 2841, 106 L.Ed.2d 112 (1989)). The Government always bears the burden of proving exemptions apply for any responsive information that is withheld. § 552(a)(4)(B).

B. Factual Background

1. EPIC'S FOIA Request

On July 26, 2011, EPIC submitted a FOIA request for documents to DHS, as well as requests for news media fee status and a fee waiver. Pl.'s Mot. at 2; DHS's Mot. at 2. EPIC's FOIA request was for records related to the DIB Cyber Pilot program “to monitor Internet traffic flowing through certain Internet Service Providers (“ISPs”) from Internet users to a select number of defense contractors.” Pl.'s Mot. at 2. Specifically, EPIC's request was for all information in the following categories:

1. All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman or any other defense contractors regarding the new NSA [National Security Agency] pilot program;

2. All contracts and communications with AT & T, Verizon and CenturyLink or any other [ISPs] regarding the new NSA pilot program;

3. All analyses, legal memoranda, and related records regarding the new NSA pilot program;

4. Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program;

5. Any privacy impact assessment performed as part of the development of the new NSA pilot program.

Id. at 2–3.

On August 3, 2011, DHS sent a letter to EPIC acknowledging receipt of the FOIA request, notifying EPIC that no responsive documents had been found for category 5, and indicating that it had referred the request to the DHS National Protection and Programs Directorate (“NPPD”). Pl.'s Mot at 3; DHS's Mot. at 2. Despite deadlines imposed by FOIA, 5 U.S.C. § 552(a)(6)(A), DHS did not produce the requested documents or contact EPIC again for five months. Pl.'s Mot. at 3. On January 5, 2012,¹ EPIC faxed an administrative appeal to NPPD's FOIA Office, appealing NPPD's nonresponsiveness regarding categories 1–4 of EPIC's FOIA Request.² Id. On January 23, 2012, a FOIA Specialist from NPPD contacted EPIC by telephone regarding the status of the FOIA request and informed EPIC that DHS was processing it. DHS's Mot. at 3. On March 1, 2012, EPIC filed this Complaint for Injunctive Relief (“Complaint”) [Dkt. No. 1], and the Government filed its Answer on May 1, 2012 [Dkt. No. 7].

1 In Pl.'s Mot. and the Declaration of Amie Stepanovich [Dkt. No. 18–1], the date is listed as January 5, 2011. However, DHS's Mot. and additional materials in the record indicate the correct date is January 5, 2012.

2 Defendant disputes whether this constituted an administrative appeal, but whether it did or did not does not affect the Court's final ruling. DHS's Mot. at 3.

On August 31, 2012, EPIC narrowed its FOIA request, in part to exclude draft documents, and specifically requested:

1. All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman or any other defense contractors regarding the DIB Cyber Pilot;

2. All contracts and communications with AT & T, Verizon and CenturyLink or any other [ISPs] regarding the DIB Cyber Pilot;

3. All legal and technical analyses, including legal memoranda, regarding the DIB Cyber Pilot;

4. Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the DIB Cyber Pilot.

Pl.'s Mot. at 4.

2. The Government's Search for Responsive Documents

In conducting its search for responsive records, DHS assigned EPIC's FOIA request to NPPD. Second Holzer Decl. ¶ 9. NPPD's FOIA Office (“NPPD FOIA”) began to process the request by “tasking out the search” to subcomponents likely to have responsive records, the Office of Cybersecurity and Communications (“CS & C”). Id. ¶¶ 11, 29. NPPD also provided the DHS Office of General Counsel and the Office for Selective Acquisitions with EPIC's FOIA request because those offices had been involved in supporting the DIB Cyber Pilot and might have had responsive records. Id. ¶ 16. NPPD did not search other offices or department components because it determined that those offices and department components were not likely to have any connection to the DIB Cyber Pilot. Id. ¶ 17.

NPPD FOIA met with “subject matter experts” in the agency who had been involved with the DIB Cyber Pilot to determine which suboffices would likely have responsive records. Id. ¶ 15. NPPD FOIA and the subject matter experts created keyword search terms to be used in electronic searches for responsive documents. Id. St 18. The keyword search terms were provided to the identified offices, where each employee was instructed to conduct searches using the keywords and their own personal “knowledge of how and where they stored their own documents ...” Id. ¶ 19.

NPPD FOIA worked with the identified offices to determine which employees were involved with the DIB Cyber Pilot. Id. ¶¶ 22–23. Each office and employee were instructed to conduct a search for responsive documents. Id. at ¶¶ 18–19. The employees who were involved with the DIB Cyber Pilot then searched electronic and hard copies of their office and personal files. A search of the classified network was also conducted. Id. ¶¶ 18–19, 26–27, 29–32.

Staff in one of the identified offices—the NPPD Office of the Undersecretary (“OUS”)—searched a database of taskings: records of which employees were tasked with various assignments and the files associated with those assignments. Id. at ¶¶ 22–23. OUS used the database to further identify all staff who may have been involved with the DIB Cyber Pilot. Id.

Staff in the NPPD Privacy Office and the CS & C, along with CS & C's subcomponents, searched electronic and hard copies of their personal files. Id. at ¶¶ 26–27, 29–32. Employees in those offices conducted a further search of the classified network. Id. The DHS Office of the General Counsel (“OGC”) identified two attorneys who would potentially have responsive documents and had them conduct extensive manual and electronic searches of their computers and files relating to the DIB Cyber Pilot. Id. at ¶¶ 33–38.

Staff in the Office of the Chief Procurement Officer (“OCPO”), responsible for contracting for NPPD and other offices, and the Office of Selective Acquisitions, an OCPO subcomponent which handles classified and sensitive contracts, did similar searches and located potentially responsive documents which were turned over to the DHS Privacy Office for further processing. Id. at ¶¶ 39–42. DHS did not search the various other offices within the agency that had no involvement with the DIB Cyber Pilot. Id. ¶ 17.

DHS's searches initially resulted in approximately 16,000 pages of potentially responsive documents. Id. ¶ 43. That number were reduced to roughly 10, 000 pages after initial review by a team of FOIA specialists and attorneys who spent several weeks reviewing the documents, removing duplicates, and removing documents that were clearly non-responsive. Id. The agency then took a “page-by-page and line-by-line” approach to determine if the documents were in fact responsive and whether any of FOIA's exemptions applied to a part or the entirety of each document. Id. ¶ 44.

On April 15, 2013, DHS produced 1,276 pages of responsive documents to EPIC; 117 pages of those records were released in their entirety and the remaining 1,159 pages were partially redacted pursuant to FOIA exemptions. Id. ¶ 46. On June 15, 2013, DHS provided a partial preliminary Vaughn Index, and on June 22, 2013, DHS provided the remaining preliminary Vaughn Index. Pl.'s Mot. at 6; see also Vaughn v. Rosen, 523 F.2d 1136 (D.C.Cir.1975).

After receiving the documents, EPIC noticed that several emails referenced attachments that EPIC believed were not included in the DHS production. DHS's Mot. at 6. On June 20, 2015, EPIC responded to DHS's initial production of documents with a list of 17 examples of documents that EPIC believed were missing from the production. Second Holzer Decl. ¶ 47; Pl.'s Mot. at 8.

DHS analyzed the specific documents referenced by EPIC and found that 13 documents had been properly identified as nonresponsive, one responsive document had been inadvertently identified as non-responsive, and three documents had been inadvertently excluded. Second Holzer Decl. ¶ 48. DHS produced the four additional documents to EPIC on August 16, 2013. Id. ¶¶ 48–49. In total, DHS has produced 1,386 pages of documents, some released in full and some redacted, and withheld 362 pages of documents in full under several of FOIA's exemptions. Id. ¶ 50; DHS's Mot. at 1; see also 5 U.S.C. § 552(b).

C. Procedural Background

On August 30, 2013, DHS filed its Motion for Summary Judgment. On September 27, 2013, EPIC filed its combined Opposition to the Government's Motion and Cross–Motion for Summary Judgment. On November 4, 2013, the Government filed its Combined Opposition to Plaintiff's Motion for Summary Judgment and Reply in Further Support of Defendant's Motion for Summary Judgment (“DHS's Reply”) [Dkt. No. 61]. Finally, on November 25, 2013, Plaintiff filed its Reply in Further Support of Plaintiff's Motion for Summary Judgment (“Pl.'s Reply”) [Dkt. No. 63].

EPIC challenges the adequacy of the search performed by DHS in response to its FOIA request, Pl.'s Mot. at 6, and also contends that the Government improperly redacted and withheld many documents under FOIA Exemptions 1, 3, 4, 5, and 7(D). Pl.'s Mot. at 15, 24.

II. STANDARD OF REVIEW

A. Summary Judgment

Summary judgment should be granted only if the moving party has shown that there is no genuine dispute of material fact and that the moving party is entitled to judgment as a matter of law. See Fed.R.Civ.P. 56(a); Celotex Corp. v. Catrett, 477 U.S. 317, 325, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986); Waterhouse v. Dist. of Columbia, 298 F.3d 989, 991 (D.C.Cir.2002). “A fact is material if it ‘might affect the outcome of the suit under the governing law,’ and a dispute about a material fact is genuine ‘if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.’ ” Steele v. Schafer, 535 F.3d 689, 692 (D.C.Cir.2008) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986)). “The court must draw all reasonable inferences in favor of the nonmoving party, and it may not make credibility determinations or weigh the evidence.” Reeves v. Sanderson Plumbing Prods., Inc., 530 U.S. 133, 150, 120 S.Ct. 2097, 147 L.Ed.2d 105 (2000).

“To prevail on summary judgment [against a FOIA challenge], the defending ‘agency must show beyond material doubt [ ]that it has conducted a search reasonably calculated to uncover all relevant documents.’ ” Morley v. C.I.A., 508 F.3d 1108, 1114 (D.C.Cir.2007) (quoting Weisberg v. U.S. Dep't of Justice, 705 F.2d 1344, 1351 (D.C.Cir.1983)). “Summary judgment may be based on affidavit, if the declaration sets forth sufficiently detailed information ‘for a court to determine if the search was adequate.’ ” Students Against Genocide v. Dep't of State, 257 F.3d 828, 838 (D.C.Cir.2001) (quoting Nation Magazine v. U.S. Customs Serv., 71 F.3d 885, 890 (D.C.Cir.1995)).

If an agency denies disclosure of responsive records, either in whole or in part, based upon FOIA exemptions, it then “bears the burden of proving the applicability of claimed exemptions.” Am. Civil Liberties Union v. U.S. Dep't of Def., 628 F.3d 612, 619 (D.C.Cir.2011). “The government may satisfy its burden ... by submitting appropriate declarations and, where necessary, an index of the information withheld [ (known as a “Vaughn index”) ].” Am. Immigration Lawyers Ass'n v. U.S. Dep't of Homeland Sec., 852 F.Supp.2d 66, 72 (D.D.C. 2012) (citing Vaughn v. Rosen, 484 F.2d 820, 827–28 (D.C.Cir.1973)).

There is no set formula for a Vaughn index or declarations, but they must “provide[ ] a relatively detailed justification [for any nondisclosure], specifically identif[y] the reasons why a particular exemption is relevant and correlat[e] those claims with the particular part of a withheld document to which they apply.” Judicial Watch, Inc. v. Food & Drug Admin., 449 F.3d 141, 146 (D.C.Cir.2006) (quoting Mead Data Cent., Inc. v. Dep't of the Air Force, 566 F.2d 242, 251 (D.C.Cir.1977)). But, “exemptions from disclosure must be narrowly construed and conclusory and generalized allegations of exemptions are unacceptable.” Morley, 508 F.3d at 1114–15 (internal quotation marks and citations omitted).

III. ANALYSIS

A. Sufficiency of the Search Conducted by DHS

EPIC contends that DHS did not conduct a sufficient search for responsive documents because DHS failed to re-evaluate the sufficiency of its search in light of examples of missing email attachments discovered by EPIC after DHS's initial production. See Pl.'s Mot. at 8. EPIC believes there may be additional responsive documents and, subsequent to DHS's supplemental production, created an exhaustive list of every document referenced in the emails that are potentially missing. Id.; Third Declaration of Amie Stepanovich ¶ 19 [Dkt. No. 57–4].

DHS argues that EPIC relies on a mistaken belief that many or most of the “missing” documents EPIC references are responsive to the FOIA request but were overlooked in the initial search. DHS's Reply at 3. DHS states that the documents referenced by EPIC are simply non-responsive which would explain why they were not included in the DHS production. Id. at 5. DHS provided a chart examining a sample of the documents cited by EPIC as potentially missing, indicating that many of the documents were already released to EPIC, some documents were duplicates of documents that had been released or withheld, and other documents were withheld under a FOIA exemption and listed on the Vaughn index. DHS's Reply at 4; Third Declaration of James V.M.L. Holzer (“Third Holzer Decl.”) ¶ 5 [Dkt. No. 61–1]; Chart of Documents Referenced in Plaintiff's Exhibit 4 [Dkt. No. 61–2].

EPIC nonetheless still contends that DHS should have conducted a thorough additional search of email attachments in light of the additional documents produced, and therefore, its search is insufficient. Pl.'s Reply at 5.

“The court applies a ‘reasonableness' test to determine the ‘adequacy’ of a search methodology, consistent with congressional intent tilting the scale in favor of disclosure.” Morley, 508 F.3d at 1114 (internal quotation marks and citation omitted). To prevail in a summary judgment motion, an agency is not required to search every system possible, but must show that it made a good faith effort that would be reasonably expected to produce all the requested information. See Steinberg v. United States Dep't of Justice, 23 F.3d 548, 551 (D.C.Cir.1994). Summary judgment for an agency is inappropriate only if the agency's responses “raise serious doubts as to the completeness of the search or are for some other reason unsatisfactory....” Perry v. Block, 684 F.2d 121, 127 (D.C.Cir.1982).

While agencies have broad discretion in determining what constitutes a reasonable search under FOIA requests, the Government “must revise its assessment of what is “reasonable” in a particular case to account for leads that emerge during its inquiry ... [and] the court evaluates the reasonableness of an agency's search based on what the agency knew at its conclusion rather than what the agency speculated at its inception.” Campbell v. United States Dep't of Justice, 164 F.3d 20, 28 (D.C.Cir.1998). The revision requirement does not require an agency to “examine virtually every document in its files, following an interminable trail of cross-referenced documents” though, nor does “mere reference to other files ... establish the existence of documents that are relevant to [the] FOIA request.” Steinberg, 23 F.3d at 552 (D.C.Cir.1994).

In Steinberg, a FOIA requester brought suit challenging the sufficiency of the search conducted by two agency subdivisions. The second subdivision relied on an affidavit to demonstrate the adequacy of its search, “[describing] with particularity the files that were searched, the manner in which they were searched, and the results of the search.” Id. The requester contended that several specific documents “cross-referenced in several of the disclosed documents” had not been properly examined by the subdivision. Id. Our Court of Appeals disagreed, finding that the search had been adequate. Id. Several years later, our Court of Appeals reaffirmed this holding, finding that the agency would not be required to search every record referenced in disclosed documents in order to conduct a sufficient search. See Morley, 508 F.3d at 1121–22.

As discussed above, the Government has shown that the initial search conducted by DHS in response to EPIC's FOIA request was meticulous, organized, and thorough. As was done in the affidavit provided by the second subdivision in Steinberg, the Second Holzer Declaration explains in great detail how the search was conducted, which subdivisions and employees of DHS conducted the search, and the results of the search. See supra, Section I.B.2.

While EPIC contends that DHS should have performed an additional search after EPIC discovered the existence of crossreferenced documents, Pl.'s Mot. at 8, our Court of Appeals has made clear that agencies do not need to examine every crossreferenced document uncovered after an initial disclosure. See Morley, 508 F.3d at 1121. Although it is true that some documents were responsive, it was a very small number and in no way detracts from the Government's extraordinary efforts in executing its search. Although it is possible to envision circumstances in which the numerosity of overlooked documents calls into question the adequacy of the search, that is not the case here. EPIC has identified a limited number of potentially responsive documents it believes were overlooked, and DHS has sufficiently accounted for why many (although not all) of the documents flagged by EPIC were properly excluded.³ FOIA does not require DHS to track down every cross-referenced document. The Government here has done a commendable job in performing its search, and the Court concludes that it has shown completion of a sufficient search to satisfy FOIA.

3 DHS provided an additional affidavit, the Third Holzer Decl., and an additional chart to address EPIC's concern that documents cross-referenced in emails produced from DHS's initial disclosure had been overlooked.

B. Exemptions under FOIA

Next, EPIC argues that DHS improperly withheld and redacted documents under various FOIA exemptions. The Court will consider each exemption in turn.

1. FOIA Exemption 1

FOIA Exemption 1 precludes disclosure of documents that are “(A) specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy and (B) are in fact properly classified pursuant to such Executive order.” 5 U.S.C. § 552(b)(1).

DHS withheld information pursuant to FOIA Exemption 1 because the documents related to the classified activities of the National Security Agency (“NSA”). The Government has stated that “[t]he information in question reveals capabilities and/or vulnerabilities of systems relating to the national security, specifically electronic networks used by the defense industrial base sector.” Second Holzer Decl. ¶ 56.

As with all of FOIA's exemptions, the burden of proof lies with the Government to show proper application of Exemption 1. 5 U.S.C. § 552(a)(4)(B). The Court makes a presumption of good faith on the behalf of agency affidavits purporting to meet the Government's burden. Negley v. FBI, 169 Fed.Appx. 591, 594 (D.C.Cir.2006). Thus, “summary judgment may be granted on the basis of agency affidavits if they contain reasonable specificity of detail rather than merely conclusory statements, and if they are not called into question by contradictory evidence in the record or by evidence of agency bad faith.” Halperin v. Central Intelligence Agency, 629 F.2d 144, 148 (D.C.Cir.1980)

It is undisputed that the requirements for classifying information relevant to this request are contained in Executive Order 13292, which was in effect from March 2003 until June 2010, and Executive Order 13526, which went into partial effect on December 29, 2009, and into full effect in June 2010. The parties agree that the differences between the two Executive Orders do not impact the Exemption 1 analysis in this case. See DHS's Mot. at 20; Pl.'s Mot. at 9, n.1.

Executive Order 13526 provides that information may be classified if:

(1) an original classification authority is classifying the information;

(2) the information is owned by, produced by or for, or is under the control of the United States Government;

(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and

(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage.

Exec. Order No. 13526, 75 FR 707, 707 (Dec. 29, 2009).

EPIC bases its Exemption 1 challenge exclusively on whether DHS has sufficiently shown that David J. Sherman, Associate Director for Policy and Records at the National Security Agency, has original classification authority pursuant to the Executive Orders. Without original classification authority, the withheld documents could not be properly classified. Pl.'s Mot. at 10. EPIC thus contends DHS could not properly invoke Exemption 1 as the basis for withholding any information, because the Government did not prove Sherman has original classification authority or that the documents were properly classified.

The Government explained in the Second Holzer declaration that Sherman, “who serves as a TOP SECRET classification authority[,] ... determined that certain information [related to the NSA] ... meets the criteria for classification and is ... properly classified ... in accordance with E.O. 13526.” Second Holzer Decl. ¶ 55.

Neither party cites to any case directly addressing the issue—possibly because the issue is rarely contested.

In Darui v. U.S. Dep't of State, 798 F.Supp.2d 32, 40 (D.D.C.2011), a FOIA requester did dispute an agency's application of Exemption 1, and specifically challenged an agency official's original classification authority based on an affidavit that merely stated the official had such authority. The court found that the agency official's declaration established that she was a proper classifying authority, reasoning that the requester had brought forth “no evidence to support [the] contentions that [the official] lacks the authority to classify information, that [the official] is perjuring herself in her declaration, or that she has failed to comply with the Executive Order's requirements for classification authority.” Darui, 798 F.Supp.2d at 40.

EPIC contends that the Second Holzer Declaration, which states that Sherman has TOP SECRET classification authority, was insufficient because it did not “offer any basis to support [Holzer's] claim of [ ] Sherman's alleged classification authority.” Pl's Mot. at 11. EPIC argues that DHS needed to provide a declaration by Sherman himself, or other (unspecified) documentation of Sherman's authority status. Pl.'s Mot. at 10–11. However, EPIC fails to provide support for why the Government's documents are insufficient.⁴ Pl.'s Mot. at 11. As in Darui, EPIC does not allege that Sherman actually lacks original classification authority, that either Holzer or Sherman's declarations are perjured, or that Sherman failed to comply with the requirements for classification authority.⁵

4 EPIC argues that Holzer did not allege personal knowledge of Sherman's classification authority and cites only to Weisberg v. Dept. of Justice, 627 F.2d 365 (D.C.Cir.1980). Pl.'s Mot. at 11. In that case, a declarant did not assert personal knowledge over whether evidence had been destroyed, but instead stated what he believed likely occurred, and thus the Court found a “permissible inference [for summary judgment purposes] ... that [the declarant] [was] incorrect in his belief.” Weisberg, 627 F.2d at 369. However, in this case, the Holzer declaration clearly asserts personal knowledge that “Sherman ... serves as a TOP SECRET classification authority.” Second Holzer Decl. ¶ 55.

5 Although it believes the Holzer Declaration to be sufficient, the Government also provided a declaration by Sherman from a different matter explaining his credentials as an original classification authority. DHS's Exhibit E–2 ¶¶ 1–2 [Dkt. No. 61–31

In that case, the FOIA requester did not challenge Sherman's classification authority, but rather challenged Exemption 1 withholdings on other grounds. Elec. Frontier Found . v. Dep't of Justice, 57 F.Supp.3d 54 (D.D.C.2014). The Court found, without any reference to Sherman, that Exemption 1 was properly applied.

As the Court gives a presumption of good faith to Mr. Holzer's affidavit, and because EPIC has provided no support for its allegation that the declarations provided by DHS are insufficient, the Court concludes that the Second Holzer declaration, along with the Sherman declaration from another case, are sufficient to establish that he is an authority on classified materials who properly identified documents to be withheld under the Executive Orders pursuant to Exemption 1.

2. FOIA Exemption 3

FOIA Exemption 3 precludes release of information that has been:

specifically exempted from disclosure by [another] statute [that] ... (i) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue; or (ii) establishes particular criteria for withholding or refers to particular types of matters to be withheld.

5 U.S.C. § 552(b)(3). In determining whether Exemption 3 properly applies, the Court conducts a two-part test: whether “1 the statute in guestion [is] a statute of exemption as contemplated by exemption 3[and] ... 2 the withheld material satisf[ies] the criteria of the exemption statute.” Fitzgibbon v. C.I.A., 911 F.2d 755, 761 (D.C.Cir.1990) (citing C.I.A. v. Sims, 471 U.S. 159, 167, 105 S.Ct. 1881, 85 L.Ed.2d 173 (1985)).

The Government withheld documents under Exemption 3 based on two statutes: 18 U.S.C. § 798 (“Section 798”) and Section 6 of the National Security Agency Act of 1959, Pub.L. No. 86–36, 73 Stat. 64 (codified at 50 U.S.C. § 3605) (“Section 6”). DHS's Mot. at 24–25. While EPIC concedes “that Section 6 of the NSA Act and Section 798 are Exemption 3 statutes for the purposes of FOIA,” Pl.'s Mot. at 12, thus satisfying the first prong of the Exemption 3 test, EPIC contends that the second prong is not satisfied because the Government has not demonstrated how the statutes apply to nondisclosure.

Section 798 prohibits disclosure:

[O]f any classified information ... concerning the communication [of] intelligence activities of the United States or any foreign government ... [or] obtained by the processes of communication intelligence from the communications of any foreign government....

18 U.S.C. § 798.

EPIC's sole argument for why the Government's withholding of information under Section 798 was improper is based on its prior contention that the Government has not shown that Sherman has original classification authority and therefore the documents are not properly classified. Thus, EPIC argues, the documents are outside the scope of Exemption 3. Pl.'s Mot at 12–13. Since the Court has found that the Government met its burden to show that Sherman has such authority, this argument is not persuasive.

Section 6 of the NSA Act of 1939 requires information related to NSA functions or activities be precluded from release, stating in relevant part that:

[N]othing in this [Act] or any other law ... shall be construed to require the disclosure of the organization or any function of the National Security Agency, of any information with respect to the activities thereof, or of the names, titles, salaries, or number of the persons employed by such agency.

50 U.S.C. § 3605. EPIC contends that documents withheld under Section 6 are not related solely to NSA functions or activities, and thus do not satisfy the criteria of Section 6. Pl.'s Mot. at 13; Pl.'s Reply at 10. If Section 6, which is the underlying exemption statute, is not applicable, then Exemption 3 is also not applicable. EPIC argues that the statements made in the Vaughn index are insufficient to justify nondisclosure of information under Exemption 3. Pl.'s Mot. at 13.

However, the Government contends that “[t]he redactions of information made by DHS on behalf of NSA consists of information relating to the Agency's internal processes, and activities, such as handling instructions for classified information ...” DHS's Mot. at 26. The Government provided many examples of why application of Exemption 3 is appropriate. It also provided some examples of unredacted text where the documents themselves plainly showed they were related to NSA activities. See DHS's Reply at 8.

Thus, the Court concludes that DHS has provided sufficient details justifying application of Exemption 3 and the information was properly withheld under Section 6 and Section 798.

3. FOIA Exemption 4

FOIA Exemption 4 precludes an agency from disclosing certain commercial information when the following three requirements are met: it is “1 ... commercial or financial information 2 obtained from a person and 3 privileged or confidential.” 5 U.S.C. § 552(b)(4); see also Pub. Citizen Health Research Group v. Food & Drug Admin., 704 F.2d 1280, 1290 (D.C.Cir.1983); COMPTEL v. FCC, 910 F.Supp.2d 100, 114–115 (D.D.C.2012).

EPIC contends that the Government improperly redacted and withheld the identities of companies who participated in the DIB Cyber Pilot under Exemption 4⁶ because the company names are not commercial information, were not obtained from a person, and are not confidential. Pl.'s Mot. at 15. The Government maintains that it has proven that the identities of participating companies are properly withheld.

6 EPIC also challenges the Government's assertion of Exemption 7(D) to withhold the same information. Pl.'s Mot. at 24. That argument is addressed later in this section.

a. Commercial or Financial Information

The first element of Exemption 4 requires that the information sought to be withheld be commercial or financial in nature. § 552(b)(4). “The terms in Exemption 4 are to be given their ordinary meanings, and information is commercial under this exemption if, in and of itself, it serves a commercial function or is of a commercial nature. Nat'l Ass'n of Home Builders v. Norton, 309 F.3d 26, 38 (D.C.Cir.2002).

While commercial information is broadly interpreted to “include any information in which the submitter has a ‘commercial interest,’ such as business sales statistics, research data, overhead and operating costs, and financial conditions,” it is not all encompassing. COMPTEL, 910 F.Supp.2d at 115 (internal citations omitted). Information may be deemed commercial “even if the provider's [ ] interest in gathering, processing, and reporting the information is noncommercial.” Critical Mass Energy Project v. Nuclear Regulatory Comm'n, 830 F.2d 278, 281 (D.C.Cir.1987) (“Critical Mass I”), vacated on other grounds, 975 F.2d 871 (D.C.Cir.1992) (en banc).

EPIC contends that the identities of companies participating in the DIB Cyber Pilot are not commercial because a company's name cannot be information in which a company would have a commercial interest. Pl.'s Mot. at 15. EPIC cites Hodes v. United States Dept. of Hous. a nd Urban Dev., 532 F.Supp.2d 108 (D.D.C.2008) for the proposition that “identities of corporations [are] not exempt from disclosure under Exemption 4.” Pl.'s Mot. at 17. The Hodes court was not stating a bright line rule, but rather noted in dicta that if corporations preferred to be anonymous, they could take steps to protect their own identities. Hodes, 532 F.Supp.2d at 118. While the issue of disclosure of corporate identities in this case arises in an entirely different context than in Hodes, these companies nonetheless have taken affirmative steps to protect their identities by using confidentiality agreements.

The Government argues, and the Court agrees, that while a company may not always have a commercial interest in its name and identity, the Court may also consider the context in which the issue arises. The identities of which companies have participated in the DIB Cyber Pilot, if disclosed, could have a commercial or financial impact on the companies involved. DHS's Mot. at 24. The companies are commercial enterprises doing business with the Government and the reason they seek protection from having their participation disclosed is because of the potential effect that disclosure would have on their businesses. Id. Consequently, the Court concludes that the names of participants in the DIB Cyber Pilot are correctly considered commercial information in this particular context.

b. Obtained From a Person

Information is considered “obtained from a person” if the information originated from an individual, corporation, or other entity, and so long as the information did not originate within the federal government. Bd. of Trade of City of Chicago v. Commodity Futures Trading Commission , 627 F.2d 392, 404 (D.C.Cir.1980). Additionally, even if information originated within the government, it is protected if the information “summarize[s] information obtained from another person.” COMPTEL, 910 F.Supp.2d at 115 (citing Gulf & W. Indus. v. United States, 615 F.2d 527, 529–30 (D.C.Cir.1979)).

EPIC contends that the identities of the participating companies were improperly withheld because many of the redacted documents appear to be email correspondence between DHS staff, and thus, EPIC argues the information could not possibly have been obtained from a person. Pl.'s Mot. at 16. EPIC is correct that inter-agency emails generally cannot be “obtained from a person.” See Id. However, the information redacted from the emails in this case was the underlying identities of the participating companies in the DIB Cyber Pilot. Declaration of Mark H. Herrington (“Herrington Decl.”) ¶ 10 [Dkt. No. 53–5]. While those companies' identities may have been discussed between DHS employees in email conversations, the information originated with the corporations which provided their identities to DHS in order to participate in the program.

c. Privileged or Confidential

Our Court of Appeals, sitting en banc, has distinguished between tests of confidentiality under Exemption 4 based on whether the information was submitted to the government voluntarily or involuntarily. See Critical Mass III, 975 F.2d at 874. Thus, in evaluating whether information responsive to a FOIA request is confidential, it must first be determined whether the information was provided voluntarily or involuntarily.⁷

7 Initially and without providing any case support, EPIC states that before the Court can address confidentiality, information must be established to be “private” because DHS characterized the withheld information as “private information.” Pl.'s Mot. at 18–19. However, no authority has been cited to support this statement.

The test for voluntarily submitted information was first adopted by our Court of Appeals in Critical Mass III in 1992. See 975 F.2d 871. The Court ruled that voluntarily submitted information subject to a FOIA request is confidential under Exemption 4 when the information “is of a kind that would customarily not be released to the public by the person from whom it was obtained.” Id. at 879; see also Baker & Hostetler LLP v. United States DOC, 473 F.3d 312, 320 (D.C.Cir.2006). Critical Mass III, 975 F.2d at 879. Moreover, “[t]he court will generally defer to the agency's predictive judgments as to the repercussions of disclosure.” Jurewicz v. U.S. Dep't of Agric., 741 F.3d 1326, 1331 (D.C.Cir.2014) (citing United Techs. Corp. v. Dep't of Def., 601 F.3d 557, 563 (D.C.Cir.2010)) (internal quotation marks omitted).

The Government explains that companies participating in the DIB Cyber Pilot did so on a voluntary basis and provided information to the Government voluntarily, but with the understanding that company identities would be kept confidential. See Herrington Decl. ¶¶ 5, 7.

Companies voluntarily participated in the DIB Cyber Pilot to allow DHS to help the companies better protect their own information systems and enhance their cyber-security. See Second Holzer Decl. ¶¶ 3–7. Participating companies and the DoD Chief Information Officer signed a confidentiality agreement stating that the Government would take measures to protect the identities of the participating companies. DHS's Mot. at 25.

EPIC's attempt to distinguish volunteering in the DIB Cyber Pilot from volunteering one's identity is unsuccessful. The very act of participating in the program included the act by which companies volunteered their identity to the government.

In Critical Mass III, a FOIA requester sought nuclear safety reports that were voluntarily provided by a nonprofit corporation to a federal government agency under an agreement of confidentiality and nondisclosure. 975 F.2d at 874. The agency denied the request after determining the information was “confidential commercial information ... protected from disclosure by Exemption 4,” in part because it was disclosed to third parties only upon consent from the nonprofit. Id.; see also Critical Mass I, 830 F.2d at 280 (earlier proceeding explaining the circumstances of the request). The Court of Appeals agreed with the agency that the information was submitted voluntarily and would not ordinarily be disclosed to the public. Critical Mass III, 975 F.2d at 880. Therefore, it was confidential information and met the requirement for application of Exemption 4. Id.

The Court in Critical Mass III considered the parties' nondisclosure agreements when determining whether the information was confidential and of the sort not customarily released to the public. 975 F.2d at 880; see also Critical Mass I, 830 F.2d at 282. While such agreements are not sufficient in and of themselves to establish confidentiality under Exemption 4, Green v. Department of Commerce, 489 F.Supp. 977, 980 (D.D.C.1980), they are useful to the Court in evaluating whether intent existed to shield the information from the public. Here, the confidentiality agreements clearly reflect the desire of the companies to shield their identities as participants in the program.

In addition, as the Herrington Decl. explains, the need to keep the information confidential is essential because:

If a company's participation in the DIB Cyber Pilot were publicly known, that company could face increased cyber targeting, exposing the company to greater business or financial loss ... [and] participation ... could be viewed as an admission of cyber vulnerability; a company could face competitive disadvantages or market loss if its participation were revealed.

Herrington Decl. ¶ 10. The Government further explains that, to encourage participation from companies in the DIB Cyber Pilot and similar programs in the future, the companies need to be assured that their participation will be confidential and not revealed to the public. See Id. ¶ 11; cf. Critical Mass III, 975 F.2d at 874 (considering impairment to agency's ability to acquire information in the future if agency not permitted to honor confidentiality commitment).

EPIC makes a number of additional unpersuasive arguments.⁸ For instance, EPIC states that because defense contracting companies have preexisting, publically known relationships with DHS, and because only defense contracting companies could have participated in the DIB Cyber Pilot, the identities of the participating companies are already publically known. Pl.'s Reply at 11 n.2. If this were true, it is not clear why EPIC is still seeking the information. In any event, in invoking Exemption 4, the identities of which companies participated in this particular program is at issue, not whether the companies are publically known in other endeavors.

8 For example, EPIC argues that allowing the names of any and all companies to be considered confidential under Exemption 4 ‘would create a black hole for all access requests concerning business records in the possession of a federal agency.‘ Pl.'s Mot. at 22. Whether identities of companies are released in record requests. in the future will turn on the actual circumstances involved, and thus a finding of confidentiality here will not leave any ‘black hole‘ in its wake.

In considering the parties' confidentiality agreements, the potential consequences of the information becoming public, and the government's need for future cooperation from the companies, the Court concludes that the identities of the companies would not ordinarily be released to the public and are confidential. Thus, DHS has met its burden of showing why Exemption 4 applies to the identities of participants in the DIB Cyber Pilot program.

4. FOIA Exemption 5

FOIA Exemption 5 protects from disclosure “inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency.” 5 U.S.C. § 552(b)(5). Courts have construed this language to exempt “those documents [,] normally privileged in the civil discovery context,” including those protected by the attorney work product and attorney client privileges. NLRB v. Sears, Roebuck & Co., 421 U.S. 132, 149, 95 S.Ct. 1504, 44 L.Ed.2d 29 (1975); see also Coastal States Gas Corp. v. Department of Energy, 617 F.2d 854, 862 (D.C.Cir.1980); Martin v. Dep't of Justice, 488 F.3d 446, 455 (D.C.Cir.2007). In addition, “[t]he privilege ... extends to all situations in which an attorney's counsel is sought on a legal matter.” Coastal States, 617 F.2d at 862. Therefore, “it is clear that an agency can be a “client” and agency lawyers can function as “attorneys” within the relationship contemplated by the privilege” Id. at 863.

EPIC contends that the Government did not meet its burden of proving that a redacted portion of one particular document produced by the Government—Document 276—was a privileged attorneyclient communication. See Pl.'s Reply at 12–13.

The government points out that the document consisted of a string of emails, virtually all of which the Government does not object to releasing. However, the particular portion redacted by the Government contains a communication between a DHS employee and a DHS attorney seeking legal review and advice. See Third Holzer Decl. ¶ 10. Thus, there is no question that the redaction was properly exempted under the attorney-client privilege prong of Exemption 5.

5. FOIA Exemption 7(D)

FOIA Exemption 7(D) precludes disclosure of responsive documents, records or information that has been:

compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information ... (D) could reasonably be expected to disclose the identity of a confidential source, including ... any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled ... by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source.

5 U.S.C. § 552(b)(7).

Information withheld under Exemption 7 must “first meet a threshold requirement: that the records were compiled for law enforcement purposes.” Elec. Privacy Info. Ctr. v. U.S. Dep't of Homeland Sec., 777 F.3d 518, 522–23 (D.C.Cir.2015) (citing Pub. Employees for Env't Responsibility v. United States Section, Int'l Boundary & Water Comm'n, U.S.-Mexico, 740 F.3d 195, 202–03 (D.C.Cir.2014)) (internal quotation marks omitted). It is undisputed that the information withheld by DHS was compiled for law enforcement purposes and meets the threshold reguirement.

Part (D) of Exemption 7 requires that the information must come from a “confidential source.” 5 U.S.C. § 552(b)(7)(D). “Giving the word “source” its plain and ordinary meaning, it would appear simply to refer to the originator of information, encompassing within its scope nonfederal entities such as state, local, and foreign law enforcement agencies as well as individuals such as private citizens and paid informants.” Lesar v. U.S. Dep't of Justice, 636 F.2d 472, 489 (D.C.Cir.1980); see also Black's Law Dictionary 1522 (9th ed. 2009) (defining source as “[t]he originator or primary agent of an act, circumstance, or result”).

A source's confidentiality is determined on a case-by-case basis. U.S. Dep't of Justice v. Landano, 508 U.S. 165, 179–80, 113 S.Ct. 2014, 124 L.Ed.2d 84 (1993). There is no “presumption that a source is confidential within the meaning of Exemption 7(D) whenever the source provides information to [a law enforcement agency] in the course of a criminal investigation.” Id. at 181, 113 S.Ct. 2014. Rather, “[a] source is confidential within the meaning of Exemption 7(D) if the source provided information under an express assurance of confidentiality or in circumstances from which such an assurance could reasonably be inferred.” Williams v. F.B.I., 69 F.3d 1155, 1159 (D.C.Cir.1995) (quoting Landano, 508 U.S. at 172, 113 S.Ct. 2014).

DHS has withheld the identities of companies participating in DIB under Exemption 7(D), stating that the companies acted as sources and provided information under an express or implied understanding of confidentiality. EPIC challenges these withholdings, arguing that DHS improperly regards participants in DHS's program as “sources.” Pl.'s Mot. at 25–26. It does not dispute that any information provided by participating companies to the government was given under assurances of confidentiality, nor does it allege that a source loses its “source” status under Exemption 7 when the government provides the source with information.” Pl.'s Reply at 16.

The crux of EPIC's challenge is whether every participating company in the DIB Cyber Pilot actually provided information to the government, in addition to receiving information from the Government. For purposes of Exemption 7(D), sources include participating companies who have provided records or information under a promise of confidentiality. Companies that merely receive information but do not provide any information would not qualify for protection under Exemption 7(D).

EPIC contends that DHS improperly withheld “... records documenting exchanges of information between DIB participants and the government.” Pl.'s Mot. at 26 (emphasis added). EPIC further states, “[t]he main flow of information was not from DIB participants to the government, but from the government to the participants....” Id. at 27. Under EPIC's theory, the Government was the “source” of information to the companies—not the other way around.

Here, in most instances where Exemption 7(D) has been invoked in the Vaughn Index, the Government refers to the participating companies as “sources,” without sufficiently explaining why the companies are sources. For example, in many Vaughn index entries asserting a 7(D) exemption, the Government states that “[t]he participating companies volunteered with an express promise of confidentiality and are thus confidential sources of law enforcement information.” See, e.g., Vaughn index at 12.

While the express promise of confidentiality is relevant, DHS has not contended that the companies provided any information pursuant to that promise. Nor has DHS shown that mere participation in the DIB Cyber Pilot program turns each company into a “source” of information for purposes of Exemption 7(D).

DHS's other Exemption 7(D) explanations fare no better, merely stating that the document “could reasonably be expected to disclose the identity of a confidential source.” See e.g., id. at 209–11. Although the Government's reference to the companies as “sources” arguably implies that the companies provided information, the Court is not willing to rely on such a weak assumption. Therefore, the Vaughn index alone is not sufficiently detailed to justify withholding under Exemption 7(D).

For these reasons, the Court finds that the Government has failed to carry its burden to show that every participating company provided information to the Government. If in fact there are some companies that merely receive, but do not provide, information through the program, the Government has failed to distinguish between them. Thus, the Government's application of Exemption 7(D) is not justified.

IV. CONCLUSION

For the foregoing reasons, Plaintiffs' Motion for Summary Judgment shall be denied without prejudice with regard to Exemption 7D and otherwise denied in whole, and the Government's Motion for Summary Judgment shall be granted in part and denied in part without prejudice. The Government prevails on its Motion for Summary Judgment with respect to the adequacy of the search performed and its withholding under FOIA Exemptions 1, 3, 4, and 5. However, the Government has failed to meet its burden under FOIA Exemption 7(D). The Government shall have an opportunity to file a revised Vaughn Index, and therefore Plaintiff's Motion shall be denied without prejudice with respect to that Exemption. An Order shall accompany this Memorandum Opinion.⁹

9 The Court greatly regrets the delay in ruling on this Motion. Sometimes, Judges have no excuse to offer and this is one of those times.