From Casetext: Smarter Legal Research

Prechtel v. Fed. Commc'ns Comm'n

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
Sep 13, 2018
330 F. Supp. 3d 320 (D.D.C. 2018)

Summary

holding that an agency appropriately withheld electronic server logs whose release would give "future attackers a ‘roadmap’ to evade the [agency's] future defensive efforts"

Summary of this case from Long v. Immigration & Customs Enf't

Opinion

Case No. 17-cv-01835 (CRC)

09-13-2018

Jason PRECHTEL, Plaintiff, v. FEDERAL COMMUNICATIONS COMMISSION, et al., Defendants.

Joshua Hart Burday, Matthew Topic, Loevy & Loevy, Chicago, IL, for Plaintiff. Johnny Hillary Walker, III, U.S. Attorney's Office, Washington, DC, for Defendant.


Joshua Hart Burday, Matthew Topic, Loevy & Loevy, Chicago, IL, for Plaintiff.

Johnny Hillary Walker, III, U.S. Attorney's Office, Washington, DC, for Defendant.

MEMORANDUM OPINION

CHRISTOPHER R. COOPER, United States District Judge

In spring of 2017, the Federal Communications Commission ("FCC" or "Commission") promulgated a proposed rule to establish regulations for broadband internet service providers. Captioned "Restoring Internet Freedom," the rulemaking sought to repeal prior regulations promoting "net neutrality"—the principle that internet service providers afford equal access to all internet-enabled data. The proposal received significant public attention, garnering an unprecedented twenty-four million public comments on the administrative record. The number of fraudulent, duplicative, or otherwise dubious comments was equally unprecedented. These questionable comments have drawn the attention of FCC Commissioners, Members of Congress, and journalists including Jason Prechtel, the plaintiff in this case.

Prechtel filed Freedom of Information Act ("FOIA") requests seeking details about the use of two electronic comment-submission tools that the FCC had enabled to facilitate public participation in the regulatory process: comma-separated value (".CSV") files and an Application Programming Interface ("API"). These tools allowed members of the public to comment on the proposal without going directly to the Commission's website and accessing its comment platform (or Electronic Comment Filing System ("ECFS") ). A .CSV file is a template provided by the FCC—essentially, a spreadsheet in which every row contains a separate comment—that allows an individual or organization to solicit and compile multiple comments and upload them into ECFS in one fell swoop. These submissions are sometimes referred to as "bulk comments." By way of example, if an organization wanted its membership to submit comments supporting the FCC's proposed actions, it might ordinarily be forced to encourage each member to access the ECFS website and submit an individual comment. The bulk comment submission process enabled the organization to collect its members' comments, format them into the .CSV spreadsheet, and submit them all at once by transmitting that spreadsheet to ECFS.

An API, in turn, is a mechanism that facilitates communication between ECFS and other websites. As relevant here, it allows website developers to place comment-submission tools on third-party websites, meaning that visitors to those websites can submit comments to ECFS directly from those websites. For example, if a group opposing the Commission's proposed actions wanted visitors to its website to submit comments into the record, it might ordinarily include a link to ECFS, forcing a visitor to leave its website to submit a comment. The API instead enabled the group to place a comment form directly on its own website, allowing a visitor to type a comment and submit it into ECFS without leaving the site. Those seeking to host an API capable of communicating with ECFS must register for a "key," which confirms to ECFS that the information being transmitted comes from a registered source—essentially, a unique code that opens the door to ECFS so a comment can be left inside.

Prechtel filed two FOIA requests: one with the Commission and one with the General Services Administration ("GSA"), the executive agency that manages the Commission's API system. See Compl. Ex. A; Pl.'s Statement of Undisputed Material Facts ("SUMF") Ex. B. In this suit, Prechtel challenges how the agencies handled his requests. Specifically, he challenges the adequacy of the FCC's search for the requested records, its invocation of several statutory exemptions to withhold or redact those records, and the GSA's constructive denial of his FOIA request. Am. Compl. ¶¶ 24, 27-28; Pl.'s Mot. Summ. J. & Opp'n at 1. The Court addresses only the second challenge, aimed at the Commission's withholdings. Prechtel belatedly served the GSA and it has not had the opportunity to submit an affidavit clarifying its response to his FOIA request. Accordingly, the Court reserves judgment on the GSA's actions. And because a GSA affidavit should clarify ownership of the API keys, which implicates the adequacy of the FCC's search, the Court also reserves judgment on Prechtel's challenge to that search. The Court will thus deny without prejudice all parties' motions for summary judgment on those issues. Regarding Prechtel's challenge to the Commission's withholdings: The Court will grant the Commission's motion for summary judgment on its withholding of certain privileged emails and its server logs; grant Prechtel's motion for summary judgment on the email addresses used to submit .CSV files; and direct the parties to confer regarding the .CSV files themselves.

I. Background

On June 4, 2017, Prechtel filed FOIA requests with the GSA and the FCC. Am. Compl. ¶¶ 9, 16. His request to the GSA sought two sets of documents: (1) all public API keys used to submit online comments relating to the "Restoring Internet Freedom" proceeding, including the associated registration names and email addresses, and copies of all data files submitted through those API keys; and (2) logs of all dates and times that those API keys were used to submit comments. Id. ¶ 9. Prechtel's FOIA request to the FCC sought the same information as well as: (1) "the email addresses associated with .CSV comment uploads, along with all .CSV files uploaded in response to [the] Proceeding"; (2) "logs of all dates and times the email addresses submitted comments"; and (3) "all email inquiries to ECFSHelp@fcc.gov regarding .CSV comment submissions to the Proceeding." Id. ¶ 16.

On June 5, the GSA informed Prechtel that the requested files were not within its "jurisdiction." Pl.'s SUMF Ex. B, at 1 (GSA response to Prechtel's FOIA request). After several email exchanges, the GSA elaborated that the FCC was the "API owner" and therefore that Prechtel's request was "more appropriate[ly]" addressed to the FCC. Id. at 7.

After receiving no substantive response from the FCC, Prechtel filed this suit on September 7, 2017. See Compl.; id. ¶¶ 9-12. Twenty days later, the Commission released fifteen pages of documents responsive to the fifth part of his request—that seeking communications to the ECFSHelp@fcc.gov "help desk" email address. See Defs.' SUMF Ex. B, at 2 (FCC response to Prechtel's FOIA request). It redacted several emails within these records and withheld all records responsive to other aspects of Prechtel's request, invoking several of FOIA's statutory exemptions to justify its redactions and withholdings. Id. at 2-4. Further, it indicated that it did not maintain documents responsive to Prechtel's request for the API keys and associated information, asserting that the GSA maintains these records. Id. at 1-2.

The parties filed cross-motions for summary judgment, after which Prechtel amended his complaint to add the GSA as a defendant. See Am. Compl. ¶¶ 9-15, 21-24. However, Prechtel did not serve the GSA until after briefing had commenced. The GSA has joined the FCC's motion for summary judgment. But it has not provided an affidavit or declaration explaining its response to Prechtel or the extent to which it is in tension with the FCC's response regarding API keys and attendant information. The Court held a telephonic status conference with the parties regarding this issue, after which Prechtel served the GSA. Based on the status conference, the Court expects that the GSA will provide a declaration detailing how it handled Prechtel's FOIA request, which will clarify the issues surrounding the API keys and associated information. Consequently, the Court will deny without prejudice all parties' motions for summary judgment on matters not resolved in this opinion. The parties may renew such motions in the future, if necessary.

II. Legal Standards

FOIA requires federal executive agencies to produce their records upon request unless one of the Act's nine exemptions protects those records from disclosure. See 5 U.S.C. § 552(b). These exemptions "balance the public's interest in governmental transparency against ‘legitimate governmental and private interests [that] could be harmed by release of certain types of information.’ " United Techs. Corp. v. DOD, 601 F.3d 557, 559 (D.C. Cir. 2010) (alteration in original) (quoting Critical Mass Energy Project v. Nuclear Regulatory Comm'n, 975 F.2d 871, 872 (D.C. Cir. 1992) (en banc) ). "But these limited exemptions do not obscure the basic policy that disclosure, not secrecy, is the dominant objective of the Act." Dep't of Air Force v. Rose, 425 U.S. 352, 361, 96 S.Ct. 1592, 48 L.Ed.2d 11 (1976). Accordingly, when a plaintiff challenges an agency's withholding of records, the agency must show that one of FOIA's exemptions applies. ACLU v. DOD, 628 F.3d 612, 619 (D.C. Cir. 2011).

FOIA disputes are generally resolved on cross-motions for summary judgment. In evaluating each motion, the Court must view the record in the light most favorable to the non-movant. The agency may satisfy its burden of showing that a FOIA exemption applies through an affidavit or declaration that "describes the justifications for withholding the information with specific detail, demonstrates that the information withheld logically falls within the claimed exemption, and is not contradicted by contrary evidence in the record or by evidence of the agency's bad faith." Id.

III. Analysis

The Commission withheld all or part of three categories of records responsive to Prechtel's request: email exchanges between agency staff regarding how to respond to an inquiry to ECFSHelp@fcc.gov; .CSV files used to submit bulk comments and the email addresses of those who submitted them; and Commission server logs detailing the dates and times that .CSV files were submitted. The Court will evaluate each withholding in turn.

A. Email Threads

Prechtel requested all email inquiries to the Commission's ECFSHelp@fcc.gov "help desk" email address regarding .CSV submissions to the Restoring Internet Freedom proceeding. Am. Compl. ¶ 16. The Commission released fifteen pages of responsive documents and invoked the deliberative process privilege under FOIA Exemption 5 to redact certain email threads. See Defs.' SUMF Ex. B, at 2. The Court concludes that this withholding was proper. Exemption 5 allows agencies to withhold "inter-agency or intra-agency memorandums or letters that would not be available by law to a party other than an agency in litigation with the agency." 5 U.S.C. § 552(b)(5). In other words, it shields information that would be "normally privileged in the civil discovery context." NLRB v. Sears, Roebuck & Co., 421 U.S. 132, 149, 95 S.Ct. 1504, 44 L.Ed.2d 29 (1975).

The Commission also redacted the name of the agency representative who printed out the emails that the Commission released to Prechtel, invoking Exemption 6. See Defs.' SUMF Ex. A. Prechtel does not appear to challenge this withholding. In any event, the Court finds this withholding to be proper. As described in more detail in Section III.B, infra, Exemption 6 requires courts to balance the privacy interest in non-disclosure with the public interest in disclosure. Here, Prechtel has not advanced any public interest in disclosure of the employee's name, and the Court cannot think of any benefit to the public in revealing the name. "[E]ven a modest privacy interest[ ] outweighs nothing every time." Nat'l Ass'n of Retired Federal Emps. v. Horner, 879 F.2d 873, 879 (D.C. Cir. 1989).

Prechtel's FOIA request sought "all email inquiries to ECFSHelp@fcc.gov regarding .CSV comment submissions to the Proceeding." Am. Compl. ¶ 16 (emphasis added). It is unclear why emails internal to the agency are responsive to this request for communications from external parties to the agency, but the Commission has not raised this defense to its withholding. Because the parties have briefed the Exemption 5 issue, the Court will proceed as though the withheld emails were in fact responsive to Prechtel's request.

The Commission invoked the deliberative process privilege protected by Exemption 5. An agency invoking that privilege must show that withheld documents are both "predecisional" and "deliberative." Coastal States Gas Corp. v. Dep't of Energy, 617 F.2d 854, 866 (D.C. Cir. 1980). Predecisional communications are those that "occurred before any final agency decision on the relevant matter." Nat'l Sec. Archive v. CIA, 752 F.3d 460, 463 (D.C. Cir. 2014). Deliberative communications are those that "reflect[ ] the give-and-take of the consultative process." Coastal States, 617 F.2d at 866.

According to the Commission's declaration, the emails contain "internal deliberations among IT staff regarding how to respond" to an inquiry about comment submissions, and "include[ ] a back-and-forth conversation regarding the best method for handling [the] ... request, including options considered and discarded." Decl. of Ryan J. Yates Supp. Defs.' Mot. for Summ. J. ("First Yates Decl.") ¶ 15. The agency withheld the exchange after concluding "that its release would chill the candid exchange of ideas among staff." Id. This is precisely what the deliberative process privilege is designed to protect: the agency staff's ability to have candid discussions and weigh options before making a final decision. See, e.g., Petroleum Info. Corp. v. Dep't of Interior, 976 F.2d 1429, 1434 (D.C. Cir. 1992) ("[D]ecisions on the ‘deliberativeness’ inquiry have focused on whether disclosure ... would tend to discourage candid discussion within an agency." (quotation marks omitted) ).

Contrary to Prechtel's assertions, the Commission's explanation is not "generic." Pl.'s Mot. Summ. J. & Opp'n at 17. The Commission has explained who deliberated (the Commission's IT staff), the agency action about which they deliberated (a response to an outside inquiry), the role the deliberations played in crafting that action (determining the best way to handle the inquirer's underlying request, including possibilities that eventually were rejected), and the harms that would result from disclosure (a chill on agency staff's ability to weigh options candidly to make decisions). The declaration provides appropriate details and stands in contrast to invocations of the deliberative process privilege that courts in this district have rejected as insufficient. See, e.g., Hunton & Williams LLP v. EPA, 248 F.Supp.3d 220, 242-43 (D.D.C. 2017) (rejecting invocation of the privilege because agency did not specify the topic of the deliberative process); Trea Senior Citizens League v. U.S. Dep't of State, 923 F.Supp.2d 55, 68 (D.D.C. 2013) (noting that agency declaration left it "unclear to which deliberative process this [withheld] document may have contributed or pertained.").

Prechtel claims that, even if some of the communications are privileged, any records reflecting the agency's final decision, the accompanying explanation, and any factual information are not exempt. See Pl.'s Mot. Summ. J. & Opp'n at 16. He is partially correct in his depiction of what the law requires. While "factual information generally must be disclosed," Petroleum Info. Corp., 976 F.2d at 1434, it is not per se non-exempt, see, e.g., Quarles v. Dep't of Navy, 893 F.2d 390, 392 (D.C. Cir. 1990). Prechtel is correct that a document is exempt in this context only if it is antecedent to the final agency decision, see, e.g., Nat'l Sec. Archive, 752 F.3d at 463, and, even then, can lose its predecisional status if adopted as the agency position, see, e.g., Coastal States, 617 F.2d at 866. But his argument is unavailing because it does little more than cast aspersions on the Commission's declaration by suggesting that there must be some non-exempt information that the declarant did not acknowledge. This claim is factually unfounded and thus legally inadequate. "Agency [declarations]—so long as they are relatively detailed and non-conclusory—are accorded a presumption of good faith, which cannot be rebutted by purely speculative claims." Mobley v. CIA, 806 F.3d 568, 581 (D.C. Cir. 2015) (quotation marks omitted). As discussed, the Commission's declaration is sufficiently detailed to support the deliberative process exemption, and Prechtel's rebuttal is pure speculation. Because the Commission properly invoked Exemption 5 to protect its deliberative process, the Court grants its motion for summary judgment on this issue.

The Court understands Prechtel's argument to refer to a final decision and accompanying explanation sent internally among agency staff. Any final decision and explanation sent externally as a response to the outside inquirer is not privileged. See, e.g., Ctr. for Int'l Envtl. Law v. Office of U.S. Trade Representative, 237 F.Supp.2d 17, 25 (D.D.C. 2002) ("[C]ommunications between agencies and outside parties are not protected under Exemption 5.").

B. The .CSV Files and Associated Email Addresses

Prechtel also requested the .CSV files used to submit bulk comments to the proceeding and the email addresses used to transmit those files. Am. Compl. ¶ 16. In response, the Commission invoked FOIA Exemption 6, which protects personal information from disclosure, to withhold the email addresses and instructed Prechtel that any other responsive information was already public. See Defs.' SUMF Ex. B, at 2.

An initial clarifying matter: Prechtel requested the .CSV files along with the email addresses used to submit them. The Commission's response that all non-exempt responsive information was already public appears to reveal a misunderstanding of Prechtel's request. While the submitted comments are publicly available on ECFS, the .CSV files themselves do not appear to be. See Defs.' Opp'n & Reply at 6 ("[A]s to Mr. Prechtel's request for the CSV files themselves , the FCC repeats that the information in those files other than the submitter email addresses is already publicly available on the FCC's website along with all other submitted comments.... Mr. Prechtel may access the content of those comments there." (emphases added) ). It is as though someone submitted hundreds of individual letters in an envelope and Prechtel has asked to inspect the return address on the envelope and the letters it contained. The Commission has declined to release the return address (on privacy grounds) and, instead of providing the envelope with return address redacted, has told Prechtel that copies of the letters are available among a pile of twenty-odd million letters.

But, as Prechtel points out, the .CSV files have independent value—principally, they reflect which comments were submitted together and, assuming disclosure of the bulk file submitters' email addresses, by whom. Whether or not the Commission properly withheld the email addresses of bulk submitters, it still must justify independently the withholding of the files themselves. If the Commission maintains access to the files and cannot show why they are independently exempt, it must disclose them. The Court will elaborate on each of these issues in turn.

1. Bulk Submitters' Email Addresses

The Court finds that the Commission improperly invoked Exemption 6 to withhold the bulk submitters' email addresses and orders the Commission to release those records.

Exemption 6 shields from disclosure "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. § 552(b)(6). The catchall provision "similar files" includes any "[g]overnment records on an individual which can be identified as applying to that individual." U.S. Dep't of State v. Wash. Post Co., 456 U.S. 595, 602, 102 S.Ct. 1957, 72 L.Ed.2d 358 (1982) (citation omitted). This definition encompasses email addresses. See, e.g., Bayala v. U.S. Dep't of Homeland Sec., 264 F.Supp.3d 165, 178 (D.D.C. 2017). But the Court's inquiry must go beyond this threshold observation. To determine whether the disclosure of these email addresses would constitute "a clearly unwarranted invasion of personal privacy," the Court must balance the "privacy interest in non-disclosure against the public interest in the release of the records." Lepelletier v. FDIC, 164 F.3d 37, 46 (D.C. Cir. 1999) (citation omitted). In balancing these interests, the Court is mindful that "under Exemption 6, the presumption in favor of disclosure is as strong as can be found anywhere in the Act." Wash. Post Co. v. U.S. Dep't of Health & Human Servs., 690 F.2d 252, 261 (D.C. Cir. 1982).

The bulk submitters' privacy interest in their email addresses is minimal in this context. Importantly, bulk submitters had ample indication that their email addresses could be made public, mitigating any expectation of privacy. Cf. Alliance for Wild Rockies v. Dep't of Interior, 53 F.Supp.2d 32, 37 (D.D.C. 1999) ("The notice of proposed rulemaking ... specified that the complete file for this proposed rule is available for inspection .... [T]he [agency] made it abundantly clear in its notice that the individuals submitting comments to its rulemaking would not have their identities concealed." (punctuation omitted) ). Individuals submitting a .CSV file into the public record did so through a widget on the FCC's website. See Pl.'s SUMF Ex. E (image of .CSV file submission webpage). The widget required them to provide an email address. Id. The text in the widget warned: "Note: You are filing a document into an official FCC proceeding. All information submitted, including names and addresses, will be publicly available via the web." Id. (emphasis added). This could hardly have been more straightforward. And bulk submitters were also told that the Commission would release individual commenters' email addresses. Id. Together, the message was clear: The email addresses of those intending to influence the Commission's decision-making were subject to public disclosure.

The Commission maintains that because bulk submitters merely transmitted files and did not necessarily comment on the proposal, they are more akin to "any other private individual[s]" than to public commenters and therefore have a "substantial" privacy interest in their email addresses. See Defs.' Opp'n & Reply at 4-5. The Court disagrees. While the Commission correctly notes that courts in this district have attached a "substantial" privacy interest to the email addresses of "private individual[s]," id. at 5, the facts of the cases cited by the Commission differ from those here. Judicial Watch, Inc. v. U.S. Department of State, for example, dealt with private email addresses used by government employees. 306 F.Supp.3d 97, 116-17 (D.D.C. 2018). Judicial Watch, in turn, cites Government Accountability Project v. U.S. Department of State, which dealt with the personal email addresses of several government officials and applicants considered, but not chosen, for job positions. 699 F.Supp.2d 97, 106 (D.D.C. 2010).

The Commission also cites Cornucopia Institute v. U.S. Department of Agriculture and Bayala v. U.S. Department of Homeland Security for the proposition that "Exemption 6 applies to email addresses." Defs.' Mot. Summ. J. at 12 n.5. Insofar as the Commission's point is that an email address is the type of information that triggers an Exemption 6 balancing test, the Court agrees. But insofar as the Commission attempts to graft the outcome in those cases onto this one, the Court rejects its argument. Neither of those cases is analogous. As relevant here, Cornucopia Institute involved the personal email addresses of third parties conducting inspections on behalf of the Department of Agriculture, see 282 F.Supp.3d 150, 164-65 (D.D.C. 2017), and Bayala dealt with the email addresses of interpreters, see 264 F.Supp.3d at 178. As with Judicial Watch and Government Accountability Project, neither case implicated the privacy interests of those petitioning the government.

By contrast, the individuals here sought to influence agency decision-making by submitting scores of public comments into the administrative record. This makes them more akin to individual commenters who provide their email addresses when petitioning the government than to "any other private individual[s]" whose email addresses the government happens to possess. Any difference between public commenters' and bulk submitters' privacy interests is one of degree, not kind. And the degree of difference is minimal where, as here, a message directed to bulk submitters alerted them that "[a]ll information submitted" would be publicly available. In other words, when someone submits multiple comments to influence public policy and is told that her email address will become part of the public record, her privacy interest in that email address is not as strong as the Commission now suggests.

Still, bulk submitters have some privacy interest in non-disclosure of their email addresses. For Prechtel to successfully challenge the withholding, he must show that the public interest in disclosure of these email addresses outweighs that privacy interest. The "public interest" in this context must relate to FOIA's "core purpose" of "shed[ding] light on an agency's performance of its statutory duties." DOJ v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 773-75, 109 S.Ct. 1468, 103 L.Ed.2d 774 (1989) (citation omitted); see also Consumers' Checkbook Ctr. for Study of Servs. v. U.S. Dep't of Health & Human Servs., 554 F.3d 1046, 1051 (D.C. Cir. 2009) ("[I]nformation about private citizens that reveals little or nothing about an agency's own conduct does not serve a relevant public interest under FOIA." (punctuation and citation omitted) ).

Courts in this district have held that disclosing the identities of those seeking to influence an agency's actions can shed light on those actions. See, e.g., People for the Am. Way Found. v. Nat'l Park Serv., 503 F.Supp.2d 284, 306 (D.D.C. 2007) ; Lardner v. DOJ, 03-0180, 2005 WL 758267, at *18 (D.D.C. Mar. 31, 2005) ; cf. Edelman v. SEC, 239 F.Supp.3d 45, 55-56 (D.D.C. 2017) (articulating this principle while remanding to agency). But see Kidd v. DOJ, 362 F.Supp.2d 291, 297 (D.D.C. 2005) ; Voinche v. FBI, 940 F.Supp. 323, 329-30 (D.D.C. 1996). And while courts have sometimes allowed agencies to withhold information such as telephone numbers and home addresses, they have not done so automatically. The propriety of such withholdings depends largely on whether the information sought is independently valuable in illuminating the agency's actions. In Alliance for Wild Rockies v. Department of Interior, which considered disclosure of public comments on the proposed re-introduction of grizzly bears into a particular geographic ecosystem, the court found that disclosure of commenters' home addresses clarified whether the agency gave greater weight to the views of residents of the affected region than it did to those who lived elsewhere. 53 F.Supp.2d at 37. By contrast, the court in People for the American Way Foundation v. National Park Service declined to order the release of the telephone numbers and home addresses of individuals who had written to the government regarding a display at the Lincoln Memorial because, unlike in Alliance for Wild Rockies, plaintiffs had not indicated "any apparent significance attached to the individual commenters' geographical locations." 503 F.Supp.2d at 307 n.8.

This case is closer to the former than the latter. Never mind the plaintiff; here, the defendant , through its actions, has shown the significance attached to email addresses. The Commission has released the email addresses of over twenty million public commenters on the rulemaking. See FCC Public Notice, FCC Facilitates Review of Restoring Internet Freedom Record, WC Docket No. 17-108 (Nov. 7, 2017). Outside groups have examined this information and highlighted the extent to which public comments were associated with clearly fraudulent or otherwise dubious email addresses, such as example@example.com. See, e.g., Pew Research Ctr., Public Comments to the Federal Communications Commission About Net Neutrality Contain Many Inaccuracies and Duplicates (2017), https://perma.cc/B9SZ-JUWC.

Moreover, after dissenting Commissioners had called for a delay in the vote on a final rulemaking due to concerns about the fraudulent comments, see Hamza Shaban, FCC Commissioner, New York Attorney General Call for Delay of Net Neutrality Vote Over Fake Comments, Wash. Post (Dec. 4, 2017), https://perma.cc/WRD7-S8WZ, the Commission assured the public that "those comments in no way impeded the Commission's ability to identify or respond to material issues in the record," FCC, Declaratory Ruling, Report and Order, and Order, Restoring Internet Freedom, WC Docket No. 17-108, at ¶ 345 (rel. Jan. 4, 2018). The Commission's assurances highlighted thousands of easily discounted comments from email addresses that were obviously created with fake email generators. Id. ¶ 345 n.1178. The Commission cannot now turn around and say that there is no public interest or independent significance in information that will illuminate whether .CSV files containing scores of comments were submitted by similarly dubious email addresses.

To illustrate, if someone had used example@example.com or an email address created with a fake email generator to submit a .CSV file containing hundreds or thousands of comments, it would be at least as relevant as individual comments bearing those same indicia of fraud. The disclosure Prechtel seeks would thus reveal information at the heart of FOIA's purpose of illuminating agency action: It would clarify the extent to which the Commission succeeded—as it assured the American people it had—in managing a public-commenting process seemingly corrupted by dubious comments. The relative public value of this information might have been a slightly closer call had the Commission not already released over twenty million email addresses. But it has, and that information has generated significant questions about the agency's procedures; it cannot now claim that the outstanding information is irrelevant to the public's scrutiny of those procedures. Thus, Prechtel has convincingly shown the independent significance attached to the email addresses associated with bulk comment submissions.

In addition to enabling scrutiny of how the Commission handled dubious comments during the rulemaking, disclosure would illuminate the Commission's forward-looking efforts to prevent fraud in future processes. The Commission, its Chairman, Members of Congress, and more than a dozen state attorneys general have all expressed concern about the extent to which fake comments were submitted into the rulemaking record. See Pl.'s SUMF Ex. F (letter from Members of Congress to FCC Chairman Ajit Pai); id. Ex. J (letter from state attorneys general to FCC Chairman and Commissioners); Pl.'s Reply Ex. A (letters from FCC Chairman Ajit Pai to Sens. Jeff Merkley and Patrick J. Toomey). The Government Accountability Office has agreed to investigate the issue. See Pl.'s SUMF Ex. I (letter from GAO to Rep. Frank Pallone, Jr.). The Commission's Chairman has expressed a desire to implement mechanisms to prevent future abuses of the public-commenting process. See Pl.'s Reply Ex. A. He has suggested that longstanding Commission policies might be partly to blame, which implies that they might be revisited. Id. at 2, 5. In other words, the public-commenting process appears to have been corrupted by endemic fraud and the Commission hopes to take action to ensure that this problem will not reoccur. Disclosure of the email addresses and .CSV files will enable interested observers to scrutinize that action (or its absence) by defining the scope of the problem. It may be the case, for example, that hundreds of comments were submitted in bulk .CSV files by plainly fake email addresses, or that the comments submitted through .CSV files were all above-board and most problematic comments were submitted through other means. In either instance, Prechtel seeks information that sheds light on the suitability of the Commission's efforts to prevent future public-commenting fraud and abuse. It is surely in the public interest to further the oversight of agency action to protect the very means by which Americans make their voices heard in regulatory processes.

The Commission maintains that the email addresses cannot illuminate its actions because they were stored by a third party and not accessed during the relevant agency action. See Defs.' Opp'n & Reply at 5. But knowing whether dubious email addresses were used to submit bulk comments will shed light on the relative wisdom of the Commission's non-scrutiny of this information. Given the controversy surrounding dubious comments and the Commission's subsequent assurances that its response was adequate, the public has an interest in knowing whether a keener eye (i.e. , accessing the information) could have revealed information that would have enabled the Commission to better distinguish between real and fake comments. The Commission notes that Prechtel has not explained why a .CSV file submitted with a fraudulent email address would compel the Commission to reject the underlying comments. Id. True, Prechtel has not argued that the Commission must discount such comments. But FOIA exists to illuminate not just whether an agency complied with its statutory duties, but also how it chose to do so. Prechtel need not allege that the Commission had to act a certain way to seek information about its chosen actions.The public interest in disclosure of bulk submitters' email addresses is significant when compared to the privacy interest at stake. The Court therefore grants Prechtel's motion for summary judgment on this issue.

2. .CSV Files

To the extent that the Commission maintains access to the .CSV files themselves, their disclosure would further illuminate the agency's actions, particularly in light of the ordered disclosure of the email addresses.

Disclosure of the files would allow scrutiny of the Commission's success in combatting fraud. If, for example, a .CSV file contained 1,000 comments, 800 of which were dubious on their face, the public might question the validity of the remaining 200. Or, if a .CSV file containing 1,000 seemingly legitimate comments were submitted by a plainly suspicious email address, the public might question whether the Commission should have discounted those comments.

Moreover, disclosure of the full .CSV files alongside the email addresses could shed light on whose comments the Commission placed most weight. The Commission's release of over twenty million email addresses belies its argument that there is no public interest in the email addresses of those seeking to influence the Commission's actions here. The already released email addresses can reveal important information about the identity of commenters, which in turn might suggest to whom the government is responsive: Technology experts or laypeople? Consumers or industry? Internet service providers or social media companies? Courts have repeatedly recognized the public interest in this information. See, e.g., People for the Am. Way, 503 F.Supp.2d at 306 ; Lardner, 2005 WL 758267, at *18 ; Alliance for Wild Rockies, 53 F.Supp.2d at 37. But the already public information paints only a part of the picture. The .CSV files will reveal which public comments were submitted together and—with disclosure of the bulk submitter email addresses—by whom. The public might better understand the agency's responsiveness to various constituencies if it knows which stakeholders solicited and facilitated bulk public comments and which comments they submitted.

For example, a public comment submitted by someone with the email address domain @USTelecom.org might indicate affiliation with a large trade group of internet service providers supporting the Commission's actions; a public comment submitted by someone with the email address domain @InternetAssociation.org might indicate affiliation with a large trade group representing companies that opposed the Commission's actions.

This value depends on the email address disclosure: Because bulk submitters did not have to provide their names, the information to be gleaned from the email addresses is the only information from which the public can potentially learn something about their identities and the relative weight the Commission placed on the comments they submitted.

The Commission's non-use of the email addresses does not negate this value. Disclosure illuminates the relative weight an agency places on various constituencies' comments whether or not that weighing is conscious or overt. There is heuristic value for assessing an agency's actions when disclosure reveals that an agency relied more heavily on certain constituencies' comments, or that its reasoning aligned with the preferences of one constituency over another. That value is independent of what the agency knew at the time.

To be sure, courts have sometimes depicted the public interest in disclosure as "knowing who may be exerting influence on [agency] officials sufficient to convince them to" make policy changes, People for the Am. Way, 503 F.Supp.2d at 306, which implies that the agency must have had knowledge of the relevant identity for the interest to attach. In other cases, however, the interest has been framed as knowing to whose comments agencies "give greater weight" in regulatory processes, Alliance for Wild Rockies, 53 F.Supp.2d at 37, which does not necessitate overt weighing.

This case is distinguishable from Edelman v. SEC, 302 F.Supp.3d 421 (D.D.C. 2018), a recent decision in which a court in this district found minimal public interest due to limited agency use of the underlying information. There, plaintiff sought the names of those who had submitted consumer complaints to an agency; the court held that the balance tipped away from disclosure because the agency had used the underlying complaints only for a limited purpose, which did not include policy development. Id. at 427-28. Here, even though the Commission did not rely on the information Prechtel seeks, it did consider the underlying submissions associated with that information.

Because the Commission's apparent misunderstanding of Prechtel's request left the issue unbriefed, it is unclear whether the Commission currently possesses the .CSV files themselves and, if so, how they are stored. The Court therefore directs the parties to meet and confer regarding the release of the .CSV files, applying the analysis set forth in this opinion to the relevant facts. If a dispute remains, the Commission may file a renewed motion for summary judgment on this issue. Any such motion shall include a declaration providing a factual explanation of whether and how the Commission stores the .CSV files.

The Court is unsure whether the Commission maintains possession or control of the .CSV files after the comments they contain are placed into ECFS. Likewise, it is not clear whether, if the Commission maintains those files, it stores them in a manner that renders them reasonably segregable from otherwise exempt information such as that discussed in Section III.C of this opinion, infra.
--------

C. The Server Logs

Finally, Prechtel sought the release of FCC electronic server logs detailing all dates and times that .CSV files were submitted. Am. Compl. ¶ 16. The purpose of this request was apparently to examine the logs for signs of nefarious activity. The Commission withheld these logs in their entirety, claiming that some of the information in the logs is protected under FOIA Exemptions 6 and 7(E) and not reasonably segregable from the non-exempt information. See Defs.' SUMF Ex. B, at 3-4. The Court finds that the Commission has properly invoked Exemption 7(E) and has shown that the properly withheld information is not reasonably segregable from the other information; therefore, there is no need to address the invocation of Exemption 6. The Court will grant the Commission's motion for summary judgment on the server log withholding.

1. Exemption 7(E)

FOIA's Exemption 7(E), as relevant here, allows agencies to withhold "records or information" that "would disclose techniques and procedures for law enforcement investigations or prosecutions ... if such disclosure could reasonably be expected to risk circumvention of the law." 5 U.S.C. § 552(b)(7). This provision creates "a relatively low bar for the agency [to meet] to justify withholding." Blackwell v. FBI, 646 F.3d 37, 42 (D.C. Cir. 2011). "[T]he exemption looks not just for circumvention of the law, but for a risk of circumvention; not just for an actual or certain risk of circumvention, but for an expected risk; not just for an undeniably or universally expected risk, but for a reasonably expected risk; and not just for certitude of a reasonably expected risk, but for the chance of a reasonably expected risk." Mayer Brown LLP v. IRS, 562 F.3d 1190, 1193 (D.C. Cir. 2009). And an agency need not meet a "highly specific burden of showing how the law will be circumvented," but only must "demonstrate logically how the release of the requested information might create a risk of circumvention of the law." Id. at 1194 (punctuation and citation omitted).

In this case, the Commission's IT staff fears that revealing the requested server logs would expose both general security measures and specific steps it has taken to fend off past cyber-attacks. The Commission explains in its declaration that its "IT staff concluded that release of the server logs would reveal sensitive information regarding [its] IT architecture, including security measures [it] takes to protect its systems from malicious activity." First Yates Decl. ¶ 18. Additionally, the Commission's IT staff explained that "the logs would also disclose detailed information about the steps the FCC took in response to the spike in ECFS traffic during the period in question, thereby giving future attackers a ‘roadmap’ to evade the Commission's future defensive efforts." Id. Courts have repeatedly "recognized the risk of a cyber-attack ... as valid grounds for withholding under Exemption 7(E)." Long v. ICE, 149 F.Supp.3d 39, 51 (D.D.C. 2015).

Prechtel does not question the risk of renewed attacks but maintains that disclosure will not aggravate the risk of any such attacks' success. He contends that "the techniques for detecting fraud, spam, and unique internet traffic are well known" and the Commission could have used only two well-known techniques. Pl.'s Mot. Summ. J. & Opp'n at 15. The Commission counters that "[t]he timing and nature of how [it] deployed those tools would provide malicious actors with insight into how exactly [it] protects its systems and improve their ability to defeat those protections." Suppl. Decl. of Ryan J. Yates Supp. Defs.' Mot. Summ. J. ("Second Yates Decl.") ¶ 13. Contrary to Prechtel's assertions, these are not legally inadequate "conclusory" and "vague or sweeping claims." Pl.'s Reply at 9. The Commission has explained its concerns and has rebutted specifically Prechtel's contention that they are misplaced. This more than suffices to meet its burden. " ‘[J]udges are not cyber specialists, and it would be the height of judicial irresponsibility for a court to blithely disregard ... a claimed risk’ of cyber-attack or a security breach." Levinthal v. FEC, 219 F.Supp.3d 1, 7 (D.D.C. 2016) (quoting Long, 149 F.Supp.3d at 53 ).

2. Segregability

But the Commission does not claim that all information in its server logs is exempt. So why isn't Prechtel entitled to the non-exempt information? Because under FOIA, while an agency must provide "[a]ny reasonably segregable portion of a record ... after deletion of the portions which are exempt," 5 U.S.C. § 552(b), it may withhold non-exempt portions of records if they are "inextricably intertwined with exempt portions," Mead Data Cent., Inc. v. U.S. Dep't of Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977). In other words, FOIA anticipates situations like this one, in which an agency possesses information that it would ordinarily be required to release but that is intermingled with information protected from disclosure. "Agencies are entitled to a presumption that they complied with the obligation to disclose reasonably segregable material," Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007), but still must "carry [the] evidentiary burden and fully explain [their] decisions on segregability," Am. Immigration Council v. U.S. Dep't of Homeland Sec., 21 F.Supp.3d 60, 83 (D.D.C. 2014). The agency can meet this burden by showing with "reasonable specificity" that the non-exempt information is not reasonably segregable. See, e.g., Armstrong v. Exec. Office of the President, 97 F.3d 575, 578 (D.C. Cir. 1996).

The Commission has done so here. Its submissions explain that "[d]ue to the nature of how the server logs record information, non-sensitive information ... is interspersed throughout hundreds of millions of lines of .... exempt information, ... the disclosure of which would jeopardize the Commission's IT security." First Yates Decl. ¶ 18 n.4. Prechtel maintains that these submissions are insufficient because segregating server logs is an easy task, as demonstrated by the fact that another agency has done so in the past. Pl.'s Reply at 7-8. But another agency's action does not undermine the Commission's explanation. Agencies do not necessarily have parallel IT architectures or use identical techniques.

Prechtel also contends that, at most, the Commission's declaration indicates that segregation is possible, but involves multiple steps. Id. at 8. That may be the case, but the relevant statutory standard is whether the information can be reasonably segregated. The Commission has explained that "extracting any non-exempt information" is complicated "[d]ue to idiosyncrasies in how ECFS is built." Second Yates Decl. ¶ 15. Further, it notes that "[e]ven attempting to create the records [Prechtel] seeks would require substantial coding work by the Commission's IT staff to craft algorithms tailored to the Commission's server architecture." Id."Courts in this Circuit have held repeatedly that records [are] not reasonably segregable where the agency attest[s] that it lack[s] the technical capability to edit the records in order to disclose non-exempt portions." Milton v. DOJ, 842 F.Supp.2d 257, 260 (D.D.C. 2012). This is so even when plaintiffs indicate the availability of software that could undertake the task. Id. The same principle attaches here: The Commission need not "acquire new technological capacity in order to comply with disclosure requests," id., and FOIA does not require it to craft complicated algorithms to meet Prechtel's request. Because portions of its server logs were properly withheld under FOIA Exemption 7(E) and because the Commission has shown that the remaining portions cannot be reasonably segregated, the Court grants its motion for summary judgment on this issue.

IV. Conclusion

For the foregoing reasons, the Court will grant in part and deny in part both parties' cross-motions for summary judgment and directs the parties to confer regarding release of .CSV files in light of the analysis in this opinion. A separate order accompanies this memorandum opinion.


Summaries of

Prechtel v. Fed. Commc'ns Comm'n

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
Sep 13, 2018
330 F. Supp. 3d 320 (D.D.C. 2018)

holding that an agency appropriately withheld electronic server logs whose release would give "future attackers a ‘roadmap’ to evade the [agency's] future defensive efforts"

Summary of this case from Long v. Immigration & Customs Enf't

finding that notwithstanding agency promise of disclosure, individuals retained "some privacy interest in non-disclosure" of personal information

Summary of this case from WP Co. v. U.S. Small Bus. Admin.

finding that the definition for similar files "encompasses email addresses."

Summary of this case from Hall & Assocs. v. U.S. Envtl. Prot. Agency

concluding that "minimal" privacy interest paled in comparison to "significant" public interest in disclosure, which could help root out "fraud and abuse" and "clarify the extent to which the [agency] succeeded" in managing allegedly corrupted process

Summary of this case from WP Co. v. U.S. Small Bus. Admin.

concluding "catchall provision 'similar files' includes any "[g]overnment records on an individual which can be identified as applying to that individual" and "encompasses email addresses."

Summary of this case from Buzzfeed, Inc. v. U.S. Dep't of Air Force

noting that "courts in this district have attached a substantial privacy interest to the email addresses of private individuals"

Summary of this case from Hall & Assocs. v. U.S. Envtl. Prot. Agency

noting that FOIA likely would require the disclosure of .CSV files, which are "essentially ... spreadsheet in which every row contains a separate comment" if the FCC maintains the files

Summary of this case from N.Y. Times Co. v. Fed. Commc'ns Comm'n
Case details for

Prechtel v. Fed. Commc'ns Comm'n

Case Details

Full title:JASON PRECHTEL Plaintiff, v. FEDERAL COMMUNICATIONS COMMISSION, et al…

Court:UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

Date published: Sep 13, 2018

Citations

330 F. Supp. 3d 320 (D.D.C. 2018)

Citing Cases

WP Co. v. U.S. Small Bus. Admin.

Another court determined that an agency could not withhold commenters’ email addresses in part because the…

Hall & Assocs. v. U.S. Envtl. Prot. Agency

Based on this precedent, courts in this District have held that Exemption 6 applies to email addresses. See…