==================================================================
Note: Footnotes are marked as "/*/" in the text and are printed at
the end of this document.
==================================================================
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
COMPUTER PROFESSIONALS FOR )
SOCIAL RESPONSIBILITY, )
)
Plaintiff, )
)
v. ) C.A. No. 93-1074-RMU
)
NATIONAL SECURITY AGENCY, et al., )
)
Defendants. )
____________________________________)
MEMORANDUM IN SUPPORT OF PLAINTIFF'S CROSS-MOTION
FOR PARTIAL SUMMARY JUDGMENT AND IN OPPOSITION
TO DEFENDANT NSA'S MOTION FOR SUMMARY JUDGMENT
Plaintiff filed this action on May 28, 1993, seeking the
disclosure of documents withheld by defendants National Security
Agency ("NSA") and National Security Council ("NSC") under the
Freedom of Information Act ("FOIA"), 5 U.S.C. Sec. 552. By Order
filed on December 1, 1993, the Court granted defendant NSA a stay
in proceedings until July 29, 1994, to allow NSA additional time
to review the disputed documents. By Order dated September 1,
1994, the Court extended the stay until March 31, 1995. Pursuant
to stipulation, defendant NSA moved for summary judgment on August
14, 1995. Plaintiff opposes defendant's motion and cross-moves
for partial summary judgment./1/
Background
On April 16, 1993, plaintiff submitted a FOIA request to
defendant NSA, seeking copies of "all records in the possession of
NSA concerning new cryptographic technologies known as 'Clipper
Chips' or 'split key cryptographic systems.'" Exhibit A to
Declaration of Jon A. Goldsmith ("Goldsmith Decl."), attached to
Memorandum of Points and Authorities in Support of Defendant NSA's
Motion for Summary Judgment ("Def. Mem."). Attached to
plaintiff's request was a New York Times front-page article
titled, "New Communications System Stirs Talk of Privacy vs.
Eavesdropping," which identified NSA as the developer of the
system. Id.
NSA's processing of plaintiff's request resulted in the
identification of 423 responsive documents. Some of these
documents were released to plaintiff in their entirety, some were
released in redacted form, and some were withheld in their
entirety. See generally Vaughn Index (attached to Def. Mem.). In
support of its withholding decisions, defendant NSA relies upon
FOIA Exemptions 1, 2, 3, 4, 5 and 6. Id.
The "Clipper Chip" Encryption System
Plaintiff's FOIA request sought disclosure of NSA records
concerning the "Clipper Chip" -- an NSA-designed encryption device
that ensures government access to encrypted information. As is
set forth in Mr. Goldsmith's affidavit, encryption is "a process
for encoding or 'scrambling' the contents of any voice or data
communication with an algorithm (a mathematical formula) and a
randomly selected variable (associated with the algorithm) known
as a 'key.'" Goldsmith Decl., Para. 5. Fearing that encryption
technology might be used by criminals to impede the efforts of law
enforcement agencies to "intercept and understand" their
communications, the Administration embarked upon a "policy
initiative" known as "key escrow encryption." Id., Para. 6.
Although quite technical in its details, this initiative
basically involved the development and promotion of an encryption
technique that ensures government access to encrypted information.
This is accomplished through the "escrowing" of "key components"
that are capable of "unlocking" a particular encrypted
communication. Id., Paras. 8-9. According to defendant NSA, "a
law enforcement official seeking access to the plaintext of an
encrypted communication could obtain proper legal authorization,"
receive the key components from designated "escrow agents," and
decrypt the scrambled information. Id., Para. 10.
The Key Escrow Initiative's Law Enforcement Purpose
Notwithstanding the fact that NSA seeks to withhold the bulk
of the disputed information on "national security" grounds, the
key escrow initiative has, from its inception, been characterized
as a law enforcement initiative. When the Administration
announced the development of the Clipper Chip on April 16, 1993,
it made this clear:
[t]he President today announced a new initiative that will
bring the Federal Government together with industry in a
voluntary program to improve the security and privacy of
telephone communications while meeting the legitimate needs
of law enforcement.
* * *
... this technology preserves the ability of federal,
state and local law enforcement agencies to intercept
lawfully the phone conversations of criminals.
* * *
... We need the "Clipper Chip" and other approaches that
can both provide law-abiding citizens with access to the
encryption they need and prevent criminals from using it to
hide their illegal activities.
The White House, Statement by the Press Secretary (April 16, 1993)
("WH Statement I") (attached hereto as Exhibit A) at 1-2.
On February 4, 1994, the government announced several actions
concerning the key escrow initiative, including the adoption of
the "Escrowed Encryption Standard" as a federal information
processing standard ("FIPS") by the National Institute of
Standards and Technology ("NIST"). Once again, the official
statements concerning the initiative stressed that it was
motivated by law enforcement considerations. A White House
statement reiterated that "[l]ast April, the Administration
released the Key Escrow chip (also known as the 'Clipper Chip')
that would provide Americans with secure telecommunications
without compromising the ability of law enforcement agencies to
carry out legally authorized wiretaps." The White House,
Statement by the Press Secretary (February 4, 1994) ("WH Statement
II") (attached hereto as Exhibit B) at 1. The government released
a set of "questions and answers" that stated:
Q. Why is the key escrow standard being adopted?
A. The key escrow mechanism will provide Americans and
government agencies with encryption products that are
more secure, more convenient, and less expensive than
others readily available today -- while at the same
time meeting the legitimate needs of law enforcement.
Questions and Answers about the Clinton Administration's
Encryption Policy (February 4, 1994) (attached hereto as Exhibit
C) at 2 (emphasis added).
Perhaps the most succinct statement concerning the purpose of
the initiative is contained in NIST's Federal Register notice
announcing the formal adoption of the Escrowed Encryption
Standard:
Key escrow technology was developed to address the
concern that widespread use of encryption makes lawfully
authorized electronic surveillance difficult. In the past,
law enforcement authorities have encountered very little
encryption because of the expense and difficulty in using
this technology. More recently, however, lower cost,
commercial encryption technology has become available for use
by U.S. industry and private citizens. The key escrow
technology provided by this standard addresses the needs of
the private sector for top notch communications security, and
of U.S. law enforcement to conduct lawfully authorized
electronic surveillance.
Approval of Federal Information Processing Standards Publication
185, Escrowed Encryption Standard (EES), 59 Fed. Reg. 5997, 5998
(February 9, 1994) (emphasis added)./2/
NSA's Role in the Key Escrow Initiative
In support of its summary judgment motion, defendant NSA
states that "[g]iven its expertise [in security techniques], NSA
has played an important role in connection with the development of
the Administration's policy initiative on 'key escrow
encryption.'" Def. Mem. at 3, citing Goldsmith Decl., Para. 3.
Aside from this general assertion, defendant provides no
explanation of its role in the initiative. Other official
statements do, however, shed additional light on NSA's involvement
in developing the Clipper Chip and key escrow technology. The
NIST Federal Register notice states that
... NSA, because of its expertise in the field of
cryptography and its statutory role as a technical advisor
to U.S. government agencies concerning the use of secure
communications, developed the technical basis for the
standard which allows for the widespread use of encryption
technology while affording law enforcement to access
encrypted communications under lawfully authorized
conditions. NSA worked in cooperation with the Justice
Department, the FBI and NIST to develop the escrowed
encryption standard.
59 Fed. Reg. 5998, 5999-6000 (February 9, 1994).
In congressional testimony on May 3, 1994, Vice Admiral J. M.
McConnell, Director of the NSA, provided a detailed explanation of
the agency's involvement in the key escrow initiative.
Our role in support of this initiative can be summed
up as "technical advisors" to the National Institute of
Standards and Technology (NIST) and the FBI.
As the nation's signals intelligence (SIGINT) authority
and cryptographic experts, NSA has long had a role to advise
other government organizations on issues that relate to the
conduct of electronic surveillance or matters affecting the
security of communications systems. Our function in the
latter category became more active with the passage of the
Computer Security Act of 1987. The Act states that the
National Bureau of Standards (now NIST) may, where
appropriate, draw upon the technical advice and assistance of
NSA. ... These statutory guidelines have formed the basis
for NSA's involvement with the key escrow program.
Subsequent to the passage of the Computer Security Act,
NIST and NSA formally executed a memorandum of understanding
(MOU) that created a Technical Working Group to facilitate
our interactions. The FBI, though not a signatory to the
MOU, was a frequent participant in our meetings. The FBI
realized that they had a domestic law enforcement problem --
the use of certain technologies in communications and
computer systems that can prevent the effective use of court
authorized wiretaps, a critical weapon in their fight against
crime and criminals. In the ensuing discussions, the FBI and
NIST sought our technical advice and expertise in
cryptography to develop a technical means to allow for the
proliferation of top quality encryption technology while
affording law enforcement the capability to access encrypted
communications under lawfully authorized conditions.
We undertook a research and development program with the
intent of finding a means to meet NIST's and the FBI's
concerns.
Director, National Security Agency, Testimony before the Senate
Judiciary Committee's Technology and the Law Subcommittee (May 3,
1994) ("McConnell Testimony") (attached hereto as Exhibit D) at 1-
2./3/
The Computer Security Act
In light of Admiral McConnell's reference to the Computer
Security Act, Pub. L. 100-235, a discussion of the legislation is
appropriate. In enacting the statute, Congress sought to vest
civilian computer security authority in NIST and to limit the role
of NSA. The legislation was passed in reaction to National
Security Decision Directive ("NSDD") 145, which President Reagan
issued in 1984. The Presidential directive sought to grant NSA
new powers to issue policies and develop standards for "the
safeguarding of not only classified information, but also other
information in the civilian agencies and private sector." H. Rep.
No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987).
The House Report on the Computer Security Act notes that NSDD
145 "raised considerable concern within the private sector and the
Congress." Id. One of the principal objections to the directive
was that
it gave NSA the authority to use its considerable foreign
intelligence expertise within this country. This is
particularly troubling since NSA was not created by Congress,
but by a secret presidential directive and it has, on
occasion, improperly targeted American citizens for
surveillance.
Id. at 6-7; see also The National Security Agency and Fourth
Amendment Rights, Hearings Before the Senate Select Committee
to Study Governmental Operations with Respect to Intelligence
Activities, 94th Cong., 1st Sess. 2 (1975) (Congress has a
"particular obligation to examine the NSA, in light of its
tremendous potential for abuse. ... The danger lies in the
ability of NSA to turn its awesome technology against domestic
communications") (Statement of Sen. Church).
When Congress enacted the Computer Security Act, it also
expressed particular concern that NSA, a secretive military
intelligence agency, would improperly limit public access to
information concerning domestic, civilian computer security
activities. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21
(1987). The House Report notes that NSA's
natural tendency to restrict and even deny access to
information that it deems important would disqualify that
agency from being put in charge of the protection of non-
national security information in the view of many officials
in the civilian agencies and the private sector.
Id.
To alleviate these concerns, Congress granted sole authority
to the National Bureau of Standards (now NIST) to establish
technical standards for civilian computer security (such as FIPS
185, the standard at issue here). NSA's role in the domestic,
civilian realm was limited to the provision of "technical advice
and assistance." Pub. L. 100-235, Sec. 2(b)(1). During Congress'
consideration of the legislation, "NSA opposed its passage and
asserted that NSA should be in control of this nation's computer
standards program." Id. at 7. Congress forthrightly rejected
NSA's position, noting that
[t]he [NSA] proposals would have charged NSA with the task
of developing "technical guidelines," and forced [NIST] to
use these guidelines in issuing standards.
Since work on technical security standards represents
virtually all of the research effort being done today, NSA
would take over virtually the entire computer standards
[program] from [NIST]. [NIST], in effect, would on the
surface be given the responsibility for the computer
standards program with little to say about most of the
program -- the technical guidelines developed by NSA.
This would jeopardize the entire Federal standards
program.
Id. at 25-26.
It is against this backdrop that this case arises. NSA
became involved in the key escrow encryption initiative because
"[t]he FBI realized that they had a domestic law enforcement
problem ...." McConnell Testimony at 2. The agency thus
"undertook a research and development program with the intent of
finding a means to meet NIST's and the FBI's concerns." Id. In
apparent reliance upon the Computer Security Act, "NSA worked in
cooperation with the Justice Department, the FBI and NIST to
develop the escrowed encryption standard," 59 Fed. Reg. 5998,
6000, and acted as "technical advisors," McConnell Testimony at 1.
As we discuss below, these facts bear directly upon the propriety
of the withholding claims at issue in this case.
ARGUMENT
As the Supreme Court has recognized, "[t]he basic purpose of
[the] FOIA is to ensure an informed citizenry, vital to the
functioning of a democratic society, needed to check against
corruption and to hold the governors accountable to the governed."
NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978). More
recently, the Court emphasized that "[o]fficial information that
sheds light on an agency's performance of its statutory duties
falls squarely within that statutory purpose." Department of
Justice v. Reporters Committee for Freedom of the Press, 489 U.S.
749, 773 (1989). The basic principles underlying the FOIA are
clearly implicated here, where the disputed documents shed light
upon defendant NSA's role in developing a security standard for
domestic, unclassified information systems -- an activity Congress
expressly sought to regulate and subject to public scrutiny
through passage of the Computer Security Act.
In support of its decision to withhold a substantial portion
of the information responsive to plaintiff's FOIA request,
defendant NSA relies upon Exemptions 1 (classified national
security information); 2 (routine administrative information); 3
(information exempted from disclosure by statute); 4 (confidential
commercial information); 5 (privileged information); and 6
(personal information). See generally Vaughn Index (attached to
Def. Mem.). As is set forth below, plaintiff challenges defendant
NSA's invocation of Exemptions 1, 2 and 3, and Exemption 5 to the
extent that defendant seeks to withhold information on the basis
of the "deliberative process privilege." With respect to these
exemption claims, plaintiff submits that it is entitled to
judgment as a matter of law./4/
I. EXEMPTION 1 HAS BEEN IMPROPERLY ASSERTED IN THIS CASE
Defendant NSA seeks to withhold the bulk of the disputed
records under Exemption 1 on the ground that the material is
"properly classified" under the substantive standards of Executive
Order ("EO") 12356. Def. Mem. at 7-12; see generally Vaughn
Index. The exemption applies to records that are "specifically
authorized under criteria established by an Executive order to be
kept secret in the interest of national defense or foreign policy
and ... are in fact properly classified pursuant to such Executive
order." 5 U.S.C. Sec. 552(b)(1). Defendant bears the burden of
demonstrating that the information is "in fact properly classified
pursuant to" both procedural and substantive criteria contained in
the Executive Order. Goldberg v. Department of State, 818 F.2d
71, 77 (D.C. Cir. 1987); Lesar v. Department of Justice, 636 F.2d
472, 483 (D.C. Cir. 1980).
In support of its exemption claims, defendant provides a
substantial amount of boilerplate language concerning Exemption 1,
see Def. Mem. at 7-9, but very little information concerning the
specific applicability of the exemption to the material at issue
here. Defendant merely states that
[t]he documents for which FOIA Exemption 1 was asserted
contain information concerning NSA's INFOSEC-related
capabilities; Capstone, a version of the "Clipper Chip;"
cryptanalysis; the Skipjack algorithm and other encryption
algorithms; algorithm specifications and descriptions; NSA
technical reports regarding Capstone or "Clipper Chip;" and
other technical information on how key escrow encryption
technology works.
Id. at 11, citing Goldsmith Decl., Para. 20; and Vaughn Index.
Defendant asserts that this information "falls within the coverage
of EO 12356 Sec. 1.3(a)(2) (pertaining to the vulnerabilities or
capabilities of systems, installations, projects or plans relating
to the national security) and Sec. 1.3(a)(8) (relating to
cryptology)." Def. Mem. at 11./5/ Plaintiff submits that the
disputed material does not meet the substantive criteria for
classification contained in the Executive Order.
A. The Information Concerns Domestic Law
Enforcement, not National Security
Exemption 1 applies to information "specifically authorized
under criteria established by an Executive order to be kept secret
in the interest of national defense or foreign policy ...." Sec.
U.S.C. Sec. 552(b)(1) (emphasis added). Likewise, the Executive
Order on "National Security Information" provides for the
classification of information which, if disclosed, "reasonably
could be expected to cause damage to the national security." EO
12356, 3 C.F.R. 166 (1983), reprinted in 50 U.S.C. Sec. 401 note
(1988), at Sec. 1.3(b) (emphasis added). In this case, as we
have shown, the disputed information pertains to a domestic law
enforcement initiative -- not national defense, foreign policy,
nor national security. See, e.g., Goldsmith Decl., Para. 6; WH
Statement I at 1-2; WH Statement II at 1; 59 Fed. Reg. 5997, 5998;
McConnell Testimony at 1-2; Exhibit E. This point is reiterated
in a document released to plaintiff by NIST (attached hereto as
Exhibit F), which states that "[t]he Justice Department and FBI
turned to NSA who has experience in designing encryption
algorithms to provide a technical solution to their law
enforcement dilemma."
Defendant has failed to articulate any "national security"
rationale for withholding the disputed data. Indeed, the
technology at issue in this case -- the Escrowed Encryption
Standard -- was expressly developed for use in unclassified
government information systems. As FIPS 185 provides, "[t]he
standard may be used when ... [t]he data [to be protected] is not
classified." 59 Fed. Reg. 5997, 6003. There is simply no logical
basis for classifying the details of a security system intended
for the protection of unclassified information. If the underlying
information -- the encrypted data -- does not warrant
classification on national security grounds, how can the means of
protecting that information -- the algorithm and other technical
details -- warrant such protection?
In a document released to plaintiff by NSA, the reason for
the classification of the algorithm was clearly stated:
Why is the Encryption algorithm in CLIPPER Classified SECRET?
The purpose behind developing these chips was to provide
excellent security while preserving the legitimate need of
law enforcement to access encryption when lawfully
authorized. Secrecy of the algorithm advances both purposes.
First, preserving the ability of law enforcement to access
this encryption when authorized depends on having a means to
ensure users cannot use this encryption without the law
enforcement access feature. If the encryption algorithm were
public, anyone could build compatible products which did not
have the law enforcement access feature, thus defeating this
purpose of the program. Second, the security of any
encryption is enhanced when both the algorithm and the key
are kept secret. This provides an extra layer of protection
against exploitation. Thus, it is good INFOSEC practice to
keep algorithms secret.
The specific algorithm in CLIPPER was approved for and
is currently used in certain DoD military and intelligence
systems that process unclassified information. The algorithm
was classified to ensure the security of these DoD systems.
Publishing it would diminish this security.
Exhibit G (attached hereto), identified by NSA as document number
93; see also Vaughn index at 27 (describing document as
"explanation of why the encryption algorithm in Clipper is
classified").
This document offers two explanations for the classification
of the technical details: 1) preserving law enforcement access to
data encrypted with the Clipper system; and 2) enhancing the
security of the encryption system. As plaintiff has noted, the
preservation of a law enforcement capability can not properly be
characterized as affecting "national security." Likewise,
enhancing the security of a system used to protect unclassified
information does not implicate national security interests. The
NSA explanation raises an additional issue -- whether the
publication of the Clipper algorithm would "diminish" the security
of the system.
B. Secrecy of the Algorithm and Related Technical
Details is not Required for System Security
Notwithstanding the NSA assertion that "it is good INFOSEC
practice to keep algorithms secret," and that "the algorithm was
classified to ensure the security" of the system, the great weight
of expert cryptographic opinion holds that secrecy does not
enhance the security of an encryption algorithm. See, e.g., B.
Schneier, Applied Cryptography (1994) at 5 ("if your security
depends on the secrecy of the algorithm, then there is only
minimal security"), 7 ("a good algorithm can be made public
without worry"); D. Denning, Cryptography and Data Security (1983)
at 8 ("The security of the system should depend only on the
secrecy of the keys and not on the secrecy of the algorithms").
In its Federal Register notice announcing the adoption of the
Escrowed Encryption Standard, NIST addressed the widespread public
criticism of the use of a classified algorithm. Significantly,
NIST did not cite security as a reason for the classification --
it relied entirely upon the need to preserve the law enforcement
access feature of the system:
A classified algorithm is essential to the effectiveness of
the key escrow solution. The use of a classified algorithm
assures that no one can produce devices that use the
algorithm without the key escrow feature and thereby
frustrate the ability of government agencies to acquire the
content of communications encrypted with the algorithm, in
conjunction with lawfully authorized interception. NIST
finds that, because the algorithm needs to remain secret in
order to preserve the key escrow feature, it would be neither
practicable nor in the public interest to publish the
algorithm.
59 Fed. Reg. 5997, 5999 (emphasis added).
It is thus clear that the algorithm and related details have
been classified to serve law enforcement interests, and that the
security of the encryption system is not a real concern. In any
event, plaintiff reiterates its contention that a system designed
to protect unclassified information cannot itself properly be
classified./6/
II. EXEMPTION 2 HAS BEEN IMPROPERLY INVOKED IN THIS CASE
Defendant NSA invokes Exemption 2 "to withhold information
that pertains to safeguards and security measures, such as reverse
engineering protection, for the Skipjack algorithm used in Clipper
Chip or Capstone." Def. Mem. at 13-14 (footnote and citation
omitted). Defendant correctly notes that our circuit has devised
a two-part test for the so-called "high 2" application of the
exemption: 1) the material must be "predominantly internal;" and
2) disclosure must significantly risk circumvention of agency
regulations or statutes. Def. Mem. at 13, citing Crooker v.
Bureau of Alcohol, Tobacco & Firearms, 670 F.2d 1051, 1073-1074
(D.C. Cir. 1981) (en banc). In this case, however, neither
condition has been met.
First, information concerning the technical details of the
Escrowed Encryption Standard cannot be deemed "predominantly
internal." This information is an integral part of a standard
adopted by NIST that "is applicable to all Federal departments and
agencies and their contractors." 59 Fed. Reg. 5997, 6003. "In
addition, this standard may be adopted and used by non-Federal
Government organizations. Such use is encouraged ...." Id.
Under similar circumstances in Don Ray Drive-A-Way Co. v. Skinner,
785 F. Supp. 198, 200 (D.D.C. 1992), this Court held that a
computer algorithm used by the Department of Transportation was
not sufficiently "internal" given that "its effect ... [is]
adopted by other agencies without further analysis or discretion."
Likewise, the algorithm and technical details at issue here are
intended for widespread use within the government and the private
sector, belying any claim that they are "predominantly internal."
Second, defendant's claims concerning "circumvention of
statutes" are deficient. Defendant first cites 18 U.S.C. Sec.
798(a)(1), which "specifically prohibits the disclosure to any
unauthorized person of classified information relating to any
code, cipher, or cryptographic system of the United States." Def.
Mem. at 14. As we discuss more fully in our analysis of
defendant's Exemption 3 claims, infra, the applicability of the
cited statute necessarily entails a determination of the propriety
of the classification of the cryptographic information. As we
have shown, the material at issue in this case does not properly
fall within the category of information that may be classified on
national security grounds.
Defendant also asserts that disclosure of the withheld
information would risk circumvention of 10 U.S.C. Sec. 130, as it
"could ... result in the illegal export of cryptography and
related technical information." Def. Mem. at 14. Defendant's
argument carries little weight under the circumstances of this
case, given that the Department of State has announced that "key-
escrow products may now be exported to most end users." Statement
of Dr. Martha Harris, Assistant Secretary of State (February 4,
1994) (attached hereto as Exhibit H). As the White House
reiterated, "[a]fter an initial review of the product, the State
Department will permit the export of devices incorporating key
escrow technology to most end users." Questions and Answers about
the Clinton Administration's Encryption Policy (February 4, 1994)
(attached hereto as Exhibit C) at 2. Defendant has proffered no
evidence even suggesting that export control issues are implicated
here. It is thus clear that the export of this technology could
not in any way constitute a violation of U.S. export law.
In sum, defendant NSA has failed to demonstrate that the
withheld material is exempt from disclosure under Exemption 2.
III. EXEMPTION 3 HAS BEEN IMPROPERLY INVOKED IN THIS CASE
The Court's analysis of defendant's claims under Exemption 3
will necessarily be similar to its analysis of the Exemption 1
claims. Defendant NSA once again cites "national security"
concerns and seeks to withhold many of the same documents that are
classified./7/ Again, the Court must consider the propriety of
secrecy claims growing out of an activity that was undertaken for
domestic law enforcement purposes, and not for national security
reasons.
A. Public Law No. 86-36 is not Applicable Here
First, defendant invokes Section 6 of Public Law No. 86-36,
50 U.S.C. Sec. 402 note, to withhold information that pertains to
"NSA's critical INFOSEC mission." Def. Mem. at 18 (citations
omitted). Section 6 provides, in pertinent part, that "nothing in
this Act or any other law ... shall be construed to require the
disclosure of the organization or any function of the National
Security Agency, [or] of any information with respect to the
activities thereof ...." 50 U.S.C. Sec. 402 note.
While Section 6 does qualify as a "statute" within the
meaning of Exemption 3, its application is not as sweeping as
defendant suggests. In Hayden v. National Security Agency, 608
F.2d 1381, 1389 (D.C. Cir. 1979), the D.C. Circuit held that only
where a particular NSA "function or activity is authorized by
statute and not otherwise unlawful" will "NSA materials integrally
related to that function or activity fall within Public Law No.
86-36 and Exemption 3." (emphasis added). Thus, application of
Section 6 requires the Court to consider the statutory authority
and the propriety of the "function" or "activity" that is being
protected.
The fact that Section 6 authorizes NSA to exercise discretion
in withholding or disclosing information in no way negates the
Court's obligation to review the agency's determination de novo.
"Congress made no provision in FOIA for a lower standard of review
in [Exemption 3] cases; instead, review was expressly made de novo
under all the exemptions in [the Act]." Long v. Internal Revenue
Service, 742 F.2d 1173, 1182 (9th Cir. 1984). Such review "better
serve[s] the congressional purpose of assuring that any particular
nondisclosure decision was the product of legislative rather than
executive judgment." Id. (footnote omitted).
In support of its exemption claim, defendant NSA has failed
to articulate any statutory authority for the activity at issue
here. The sole representation concerning NSA's mission is
contained in the Goldsmith declaration:
NSA was established by Presidential Directive in October
1952 as a separately organized agency within the Department
of Defense, under the direction, authority, and control of
the Secretary of Defense, who was designated by the President
as Executive Agent of the Government for conducting the
communications security activities (now expanded to
information systems security ("INFOSEC") activities) and
signals intelligence activities of the United States.
Inherent in its missions, NSA is responsible for providing
technology and techniques both to make encryption codes to
protect the security of certain U.S. communications and
computer systems and to unmask the codes other nations use
to protect their communications.
Goldsmith Decl., Para. 3. This representation cites no statutory
basis for the activity at issue here, nor does it establish the
propriety of NSA activity in support of domestic law enforcement
interests. On the present record, defendant has not demonstrated
the applicability of Public Law No. 86-36.
B. 18 U.S.C. Sec. 798(a)(1) is not Applicable Here
Defendant also invokes 18 U.S.C. Sec. 798, a criminal statute
prohibiting the disclosure of "any classified information"
concerning cryptography. Once again, in applying this provision,
the Court must consider whether the material is properly
classified under the terms of the Executive Order. Seeking to
avoid such scrutiny, defendant asserts that "[u]nder Sec. 798, the
propriety of the classification of the information is irrelevant."
Def. Mem. at 19 n.15, citing United States v. Boyce, 594 F.2d
1246, 1251 (9th Cir.), cert. denied, 444 U.S. 855 (1979). Boyce,
however, involved a criminal prosecution and does not stand for
the proposition that the statute bars disclosure under FOIA if the
Court finds that the material is not properly classified in the
first instance.
In short, application of both Public Law No. 86-36 and 18
U.S.C. Sec. 798 requires consideration of the underlying NSA
activity at issue in this case (development of key escrow
encryption technology) and a determination of whether that
activity is reasonably related to "national security".
C. 10 U.S.C. Sec. 130 is not Applicable Here
Finally, defendant NSA asserts Exemption 3 on the basis of 10
U.S.C. Sec. 130, which concerns certain controls on the export of
"technical data with military or space application." As plaintiff
has shown in its discussion of Exemption 2, defendant's export
control argument is unavailing under the facts of this case. The
Department of State has stated officially that "key-escrow
products may now be exported to most end users." Statement of Dr.
Martha Harris, Assistant Secretary of State (February 4, 1994)
(attached hereto as Exhibit H). The White House has confirmed
this position. Questions and Answers about the Clinton
Administration's Encryption Policy (February 4, 1994) (attached
hereto as Exhibit C) at 2. Defendant NSA has failed to meet its
burden of establishing the applicability of the cited statutory
provision.
IV. MATERIAL HAS BEEN IMPROPERLY WITHHELD UNDER EXEMPTION 5
As noted, plaintiff does not challenge defendant NSA's
invocation of Exemption 5 to the extent that defendant seeks to
withhold material described as "attorney work-product" and
"attorney-client communications." See Def. Mem. at 34-36.
Plaintiff does, however, dispute defendant's claim that a
substantial amount of material is exempt from disclosure on
"deliberative process privilege" grounds. Def. Mem. at 30-34.
Defendant has failed in several respects to establish the
applicability of Exemption 5. First, defendant ignores the fact
that the deliberative process privilege applies only to those
documents which reflect the personal opinions of the writer rather
than the policy of the agency. Formaldehyde Institute v.
Department of Health and Human Services, 889 F.2d 1118, 1122 (D.C.
Cir. 1989); Coastal States Gas Corp. v. Department of Energy, 617
F.2d 853, 866 (D.C. Cir. 1980). Defendant nowhere in the record
attempts to differentiate material reflecting personal opinions
from statements of agency policies. Indeed, under the
circumstances of this case, it is likely that NSA policies, as
opposed to individual opinions, are at issue.
Defendant has also failed to distinguish between factual
material and deliberative material contained in the withheld or
redacted documents. See generally Environmental Protection Agency
v. Mink, 410 U.S. 73, 87-88 (1973); Montrose Chemical Corp. v.
Train, 491 F.2d 63, 66 (D.C. Cir. 1974). Such a distinction is
particularly important in a case such as this one, where much of
the withheld material is admittedly "technological data of a
purely factual nature." Ethyl Corp. v. Environmental Protection
Agency, 478 F.2d 47, 50 (4th Cir. 1973).
Finally, defendant has failed to establish that the
"predecisional" material it seeks to withhold was not subsequently
adopted as the basis of the "Escrowed Encryption Standard" adopted
as FIPS 185 by NIST in February 1994. See 59 Fed. Reg. 5997. The
Supreme Court has held that a document may lose its protection
under the deliberative process privilege if an agency
decisionmaker chooses to "adopt or incorporate [it] by reference"
as a basis for a decision. NLRB v. Sears, Roebuck & Co., 421 U.S.
132, 161 (1975); see also Afshar v. Department of State, 702 F.2d
1125, 1140 (D.C. Cir. 1983).
Even absent formal adoption of a pre-decisional document,
this Court has found an inference of adoption where the
decisionmaker accepted a staff recommendation without providing a
separate statement of reasons for the decision. See, e.g.,
American Society of Pension Actuaries v. Internal Revenue Service,
746 F. Supp. 188, 191 (D.D.C. 1990) (Exemption 3 does not protect
"documents expressing the views actually relied upon by the
government in making policy"). See also Coastal States Gas Corp.,
617 F.2d at 866 ("even if the document is predecisional at the
time it is prepared, it can lose that status if it is adopted,
formally or informally, as the agency position on an issue")
(emphasis added).
Defendant's vague representations provide no basis upon which
the applicability of this caselaw can be determined. Indeed,
defendant NSA does not even cite FIPS 185, let alone explain the
relationship of the withheld information to the decisionmaking
process that culminated in the formal adoption of the standard.
Defendant simply cannot shield the underlying rationale for final
policy from public scrutiny. See Sears, 421 U.S. at 152 ("the
public is vitally concerned with the reasons which did supply the
basis for an agency policy actually adopted")./8/
In sum, defendant NSA has failed to demonstrate that the
"predecisional" material at issue in this case is properly
exemption from disclosure.
Conclusion
Plaintiff's motion for partial summary judgment should be
granted; defendant NSA's motion for summary judgment should be
denied.
Respectfully submitted,
/sig/
_________________________________
DAVID L. SOBEL
D.C. Bar No. 360418
MARC ROTENBERG
D.C. Bar No. 422825
Electronic Privacy Information Center
666 Pennsylvania Avenue, S.E.
Suite 301
Washington, DC 20003
(202) 544-9240
Counsel for Plaintiff
--------------------------------------
1 Defendant NSC was initially granted a stay of proceedings
until July 29, 1994. Order filed on December 1, 1993. The NSC
subsequently moved to stay proceedings pending the resolution of
another action then pending before the district court. By Order
dated September 1, 1994, the Court denied NSC's motion. On April
14, 1995, the NSC filed a "renewed motion to stay proceedings,"
pending resolution of Armstrong v. Executive Office of the
President, No. 95-5057 (D.C. Cir.). By Order dated September 27,
1995, the Court granted NSC's motion.
2 FIPS 185 provides that the SKIPJACK algorithm (upon which the
Escrowed Encryption Standard is based) "has been approved for
government applications requiring encryption of sensitive but
unclassified data telecommunications ...." Id., at 6003 (emphasis
added). Indeed, the algorithm may not be used to protect
classified information -- the FIPS explicitly provides that
"[t]his standard may be used when ... [t]he data is not classified
according to Executive Order 12356, entitled "National Security
Information," or to its successor orders ...." Id.
3 The law enforcement purpose of the initiative, and of NSA's
involvement, is further demonstrated by a letter from Admiral
McConnell to Attorney General William P. Barr, dated October 28,
1992:
Regarding your request of 7 October 1992, we are
prepared to provide the Department of Justice (DOJ) and the
Federal Bureau of Investigation (FBI) technical advice and
assistance in addressing the challenges to law enforcement
posed by the sale and use of products to encrypt voice
communications.
Letter dated October 28, 1992 (attached hereto as Exhibit E).
4 Plaintiff does not challenge defendant's withholding under
Exemption 3 of a small amount of information that purportedly
names NSA employees and identifies the "designators" of NSA
internal organizations. See Goldsmith Decl., Para. 24.
Nor does plaintiff challenge the withholding of Central
Intelligence Agency information from document number 33, as
described in the Declaration of William H. McNair (attached to
Def. Mem.), and document number 291, as described in the
Declaration of Eunice M. Evans (attached to Def. Mem.).
5 Defendant also asserts that "information was withheld from
one document pursuant to EO 12356 Sec. 1.3(a)(5) (pertaining to
the foreign relations or foreign affairs of the United States)."
Id. Plaintiff does not challenge this exemption claim.
6 Under the facts of this case, the Court must also determine
whether it is "proper" for information to be classified under
circumstances in which Congress expressly intended that it would
not be. As plaintiff has shown, one of the primary reasons for
placing civilian computer security authority with NIST was
Congress' concern that NSA's "natural tendency to restrict and
even deny access to information that it deems important would
disqualify that agency from being put in charge of the protection
of non-national security information." H. Rep. No. 153 (Part 2),
100th Cong., 1st Sess. 21 (1987). The evil Congress sought to
prevent -- the classification of information relating to the
development of civilian security standards -- has occurred in this
case. Such a direct contravention of congressional intent cannot
be deemed "proper" within the meaning of Exemption 1.
7 As noted, plaintiff does not challenge the withholding under
Exemption 3 of material that identifies NSA employees or NSA
organization designators.
8 Without any elaboration, defendant asserts that "[a]ll of the
documents at issue were created prior to the final resolution of
the issue regarding the issues [sic] presented by the Administra-
tion's key escrow encryption initiative. ... That initiative is
still ongoing." Def. Mem. at 32 (citing Goldsmith Decl., Para.
17; Vaughn Index at 2). Defendant fails to explain what aspect of
the initiative remains unresolved in light of the formal adoption
of FIPS 185 as a federal encryption standard.