FOIA Gallery 2021
Introduction to the Freedom of Information Act and EPIC
The Freedom of Information Act establishes a legal right for individuals to obtain records in the possession of government agencies. The FOIA is critical for the functioning of democratic government because it helps ensure that the public is fully informed about matters of public concern. The FOIA has helped uncover fraud, waste, and abuse in the federal government.
A hallmark of many of the surveillance measures and tools adopted by government agencies is their disregard for public accountability. As the government seeks to expand its power to collect and exploit information about individuals, it increasingly hides that power behind a wall of secrecy. Congress has long recognized this tendency in the Executive Branch and sought to limit government secrecy by creating legal obligations of openness under the FOIA and the Privacy Act of 1974. EPIC has used these open government laws—along with the Federal Advisory Committee Act, the E-Government Act of 2002, and state open government statutes—to enable public oversight of key government activities.
EPIC's open government work over the past year has resulted in disclosure of critical information about the activities of state and federal agencies. EPIC's litigation has also generated case law that benefits FOIA requesters and the open government community across the country.
Previous EPIC FOIA Galleries were published in 2001, 2002, 2003, 2004, 2005, 2006, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, and 2020
For more information about EPIC's FOIA work, see EPIC: Open Government and EPIC: FOIA Cases.
EPIC’s FOIA Work in 2020-2021
For EPIC’s Open Government Project, 2020-2021 was a year filled with success stories. Through vigorous and effective litigation, EPIC maintained its record as a champion for a more open and transparent government. In 2020, EPIC obtained formerly secret records from government agencies including the DHS, DOJ, CBP, and the National Security Commission on Artificial Intelligence (NSCAI) and states including Texas, Utah, and North Dakota.
Last year EPIC filed six FOIA lawsuits. Notably, EPIC continued its litigation efforts to obtain the unredacted Mueller Report.
EPIC Obtains More Previously Withheld Portions of the Mueller Report
EPIC’s 19-month legal effort to obtain the full, unredacted Special Counsel report on Russian interference in the 2016 presidential election resulted in the release of new sections of the Mueller Report. EPIC filed the first FOIA lawsuit in the country to obtain the complete, final report by Special Counsel Robert S. Mueller. At the beginning of the lawsuit, EPIC obtained an annotated version of the Mueller Report. The court ruled in EPIC's case that it would review the sections of the Mueller Report that the government has withheld from the public, citing "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" The judge's review of the unredacted Mueller Report marks one of the most significant ”in camera” reviews in the history of the Freedom of Information Act.
In June 2020, the Justice Department disclosed previously unreleased portions of the Mueller Report concerning Roger Stone (Volume 1, Voume 2, Appendices), marking the first time that new material from the Mueller Report was published following the April 2019 release of the redacted Report. Stone was convicted of obstruction and other charges in connection with Special Counsel Robert S. Mueller's investigation into Russian interference in the 2016 presidential election. Judge Reggie B. Walton posed a series of questions to the DOJ about its redactions to the Report and a heavily redacted version of the DOJ’s response shows that Judge Walton questioned every legal basis asserted by the DOJ to withhold material in the Report.
In September 2020, the DOJ released another round of previously unpublished material from the Mueller Report. The disclosed passages are listed in the "Redaction" column of a DOJ Spreadsheet—though outside of their original context from the Mueller Report. The spreadsheet was originally drafted to answer questions from Judge Reggie B. Walton. Among the September 2020 disclosed material is an excerpt from an Internet Research Agency document that describes the Russian government's goal of "spread[ing] distrust towards the candidates and the political system in general" and states that "All the primaries are purchasable."
In November 2020, after Judge Walton completed his “in camera” review, the DOJ released extensive new material from the Mueller Report. The disclosed passages concern decisions by Special Counsel Robert S. Mueller not to charge particular individuals with criminal offenses. Pages 176-179 and 188-191 of Volume I show that the Special Counsel declined to bring "computer-intrusion conspiracy" and campaign finance charges against Roger Stone, Julian Assange, and Wikileaks.
EPIC Releases Report on Pretrial Risk Assessments
Through a series of records requests, EPIC obtained documents from several states about their use of pre-trial risk assessments. EPIC received documents from the District of Columbia’s Pretrial Services Agency about its risk assessment instrument developed and validated by Maxarth. Following a review in 2019, the government reduced the number of risk factors from 70 to 43 and placed more emphasis on recent criminal charges. EPIC also obtained a 2019 Validation Study and a Predictive Bias report. Using the records obtained through recodes requests, EPIC released a report on pretrial risk assessments. The report, Liberty at Risk: Pre-trial Risk Assessment Tools in the U.S., provides an overview of risk assessment tools that practitioners and scholars can use to understand the nature of these systems, learn about the contexts in which they are used, and help focus their evaluations of the fairness of such systems.
EPIC Obtains New Records from the AI Commission
In response to Freedom of Information Act lawsuit EPIC v. AI Commission, EPIC has obtained documents from the National Security Commission on Artificial Intelligence and the Department of Defense. The Commission was charged with developing recommendations on the use of AI in national security and defense contexts. The records include internal an correspondence and an unattributed report about China's social scoring, facial recognition tools, and AI-based surveillance. The internal report highlights the "draconian" consequences of China's AI use but states that "Mass surveillance is a killer application" for AI and that "having streets carpeted with cameras is good infrastructure for smart cities[.]" Also among the records are a report concerning best practices for advisory commissions that was delivered to the AI Commission in early 2019, internal emails from Commission chair and former Google CEO Eric Schmidt, and reports on AI research and "workforce automation." The AI Commission also released a third-party presentation provided to the AI Commission about the use of "psychology and AI" to "help prepare an AI-enabled workforce." The presentation endorses the use of AI job screening tools like HireVue and claims that "reducing time-to-hire is as important as making good decisions."
Additionally, the released documents include emails from Commission chair and former Google CEO Eric Schmidt illustrating Schmidt’s close relationship with members of Congress. The records reveal that the ethics disclosure form Schmidt filed with the Commission—a document that usually tops out at a dozen pages—was 38 pages long. EPIC’s FOIA request was highlighted in an American Prospect article on Schmidt’s role in Rebellion Defense, “a shadowy defense startup” that markets AI systems to the Defense Department.
Early in its existence, the AI Commission regularly held closed-door meetings with tech firms and defense contractors without soliciting input from the American public. Ruling in EPIC v. AI Commission, a federal court ordered the AI Commission to open its meetings to the public and proactively publish its records in the future.
EPIC Obtains Records About DHS’s Initial Response to Election Cybersecurity Threats
In response to FOIA lawsuit EPIC v. DHS, the Department of Homeland Security released hundreds of pages of records about the agency's role in election cybersecurity. The documents obtained by EPIC reveal DHS’s slow response to election cybersecurity threats and how it underscored risks posted by new voting technologies.
The documents include: the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. DHS contacts with state election officials were somewhat limited, as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems.
As a result of EPIC’s ongoing litigation efforts leading up to the 2020 election, the agency released additional information regarding the DHS’s contacts with election officials and information regarding state reports of election security incidents from 2016. The spreadsheet of DHS’s initial contacts with election officials following the 2016 presidential election show some states' willingness to work with the newly formed sub-agency tasked with protecting election infrastructure. A smaller subset of states, such as Arkansas and Mississippi, expressed initial concerns about the government’s role in overseeing election systems. Since the creation of the Cybersecurity & Infrastructure Security Agency, a sub-component of DHS, the agency has provided election security resources to state election officials on a voluntary basis in order to strengthen election infrastructure from malicious interference.
EPIC Obtains DOJ Report on Predicting Policing and AI
Through a Freedom of Information Act lawsuit EPIC v. DOJ, and negotiated settlement, EPIC obtained a 2014 report from the Department of Justice to former President Obama warning about the dangers of predictive analytics and algorithms in law enforcement. The Justice Department report highlights the risks of "making decisions about sentencing—where individual liberty is at stake in the most fundamental way—based on historical data about other people,” stating that “equal justice demands that sentencing determinations be based primarily on the defendant’s own conduct and criminal history." Even when algorithms "seem neutral, any model is susceptible to importing any biases reflected in the underlying data,” the report Predictive Analytics in Law Enforcement explains. Former U.S. Attorney General Eric Holder has said that "basing sentencing decisions on static factors and immutable characteristics . . . may exacerbate unwarranted and unjust disparities that are already far too common in our criminal justice system and in our society." The case, which was before the D.C. Circuit Court of Appeals, has now settled and EPIC received attorney’s fees for its work on the matter.
EPIC Obtains Documents on Tech Industry and Countering Violent Extremism
Through a Freedom of Information Act request, EPIC obtained documents about a 2016 meeting with the leaders of the tech industry on countering violent extremism. The meeting included Attorney General Loretta Lynch, FBI Director James Comey, and Director of National Intelligence James Clapper. The documents EPIC obtained reveal the attendees, agenda items, and email discussions in preparation for the meeting. Reports at the time indicated that tech leaders and administration officials were concerned about extremist content on social media. Administration officials at the time also raised concerns about encryption.
EPIC Obtains North Dakota Contact Tracing App Contract
Through a state records request, EPIC obtained the contract between North Dakota and ProudCrowd, LLC for the Care19 contact tracing app launched in response to the COVID-19 pandemic. The one-year software license agreement between ProudCrowd and North Dakota provides the state use of the contact tracing app and use of server space. According to the state, the Care19 app generates a random ID number for each user when it is tracking users' movements. North Dakota's privacy policy stated that the location data is kept private (not sent to third parties) and stored securely on ProudCrowd servers. The state has not explained why it would store private health data on a storage system not controlled by the government. But a report indicated that the Care19 app goes against its original privacy policy and sends location data and a unique user identifier to Foursquare and a software bug tracking company called Bugfender. The app also sent the phone's advertising ID to Google. ProudCrowd later revised its privacy policy shortly after public scrutiny to only give third parties temporary access to user data for specific data processing tasks.
EPIC Obtains Records About Utah’s Contact Tracing App
Through a state records request, EPIC obtained records concerning Utah’s "Healthy Together” COVID-19 app. The documents include a presentation from Twenty Holdings, Inc., the company that developed the app, and include details of its development. The records reveal that “[o]nce the economy resumes normalcy, the App will continue to provide the mechanism to monitor any emerging risks.” It has been reported that Twenty hopes to sell the app and app back end to other states and private companies. The developers of the app plan to integrate the Apple/Google API when it is available. The app’s methodology relies on collated location data from all users rather than decentralized proximity tracking. The Utah Governor’s Office of Management and Budget found no records of any audits or independent privacy assessments of the contact tracing app.
EPIC Obtains Records on White House COVID-19 Response for Location Data Tracking
Through a Freedom of Information Act request, EPIC obtained hundreds of pages of records (1, 2, 3, 4) from the Office of Science and Technology Policy about the White House’s response to the COVID-19 pandemic and proposals to use location data for public health surveillance. The records show that a tech sector task force closely aligned with the White House sought to aggregate “non-clinical location data” for “disease surveillance,” including cell phone location data, Uber trip data, and Google search data. OSTP described the location tracking proposals as “certainly interesting” and sought to “establish a portal/clearinghouse” for such submissions, but also told the tech sector task force that it was “not engaged in any activities relating to location data.” In one example from March 2020, the executive director of the National Fusion Center Association proposed an “automate[d] contact tracing and notification” system to the White House. Fusion Centers are centralized systems that pool and analyze intelligence from federal, state, local, and private sector entities. In an unusual development, the White House directed EPIC to delete one set of records because OSTP had "inadvertently and erroneously" provided EPIC with an unredacted copy of the records. Although EPIC voluntarily decided to redact personal contact information contained in the documents, EPIC still made the records available to the public.
EPIC Obtains Records About Texas’s Use of Aerial Surveillance
Through a Public Information Act request to the Texas Department of Public Safety, EPIC obtained records about the department's use of two Pilatus surveillance planes, including videos recorded during the George Floyd protests. Reports have indicated that these planes, purchased by the state for border operations, were used to surveil cities hundreds of miles from the border. EPIC obtained flight logs from January 1, 2018 to June 15, 2020, plane technical specifications, and the department's video retention policy. The flight logs revealed that the surveillance planes flew an average of one flight per day between May 25 to June 15, 2020, with a total of 103 hours of total flight time. In over ninety percent of these flights, the planes recorded no video. The planes reportedly cost an average of $474 an hour to fly, and the Texas DPS spent roughly $49,000 to record three videos over the three-week span. The Texas DPS withheld three videos recorded during the height of the George Floyd protests—despite its video retention policy stating that "all retained video copies . . . will be subject to open records requests."
EPIC Obtains the Number of Location Data Requests from Delaware U.S. Attorney’s Office
The Department of Justice has, after more than three years, finally begun to respond to EPIC's request for cell phone surveillance orders issued by federal prosecutors. EPIC first requested copies of the orders in 2017 and then filed a lawsuit against the DOJ in 2018 when the agency failed to respond. The agency has now begun issuing responses from five U.S. Attorneys' offices. The first response, received from the District of Delaware, revealed 150 applications and 2703(d) orders for cell phone location data from 2016 to 2019. Over that same period, federal prosecutors in Delaware handled 351 criminal cases. EPIC is still waiting for responses from four other U.S. Attorneys' offices. EPIC will maintain a comparative table as each district releases more information. Federal prosecutors do not currently release any comprehensive or uniform data about their collection of cell phone location data. In contrast, the Administrative Office for the U.S. Courts releases detailed reports each year about the use of federal wiretap authority.
EPIC Obtains Records About CBP’s Electronic Device Border Search Audits
Through Freedom of Information Act lawsuit EPIC v. CBP, EPIC obtained records about CBP’s warrantless search of electronic devices at the border, including records about the auditing mechanism required by the agency’s 2018 directive. The documents include access control procedures, auditing procedures, a device search audit chart, user agreements, and memos regarding the Inspector General’s field audit reviews of border searches of electronic devices, among other records. A 2018 audit described the current status of monthly audit scores for the time period from 2017 to 2018, showing average scores based on a 6-point scale. All of the monthly audits during that time period are below 5, and some even scored below 4. In another audit sample, all the average audit scores were below 5. In 2019, CBP conducted a pilot test for new equipment to conduct advance searches of electronic devices. Advance searches are conducted with a device that connects to the electronic device, like a cell phone, and has analytical capabilities to examine time and location data and can copy all content on the device.
EPIC Obtains Records About USCIS’s Privacy Policy and Handling of DACA Data
Through a Freedom of Information Act request, EPIC obtained documents about the Deferred Action for Childhood Arrivals (DACA) program prior to its rescission in September 2017. DACA shields immigrants that arrived in the U.S. as minors from being deported. In December 2020, DACA was fully restored to its pre-September 2017 status. The partially withheld records include emails between USCIS agency officials reviewing and updating its privacy policy. Notably, EPIC obtained undated drafts of a memo that provided guidance and procedures for USCIS’s updated privacy policy when then President Trump issued an executive order to rescind the protections of the Privacy Act to non-citizens. The draft memo states that USCIS would treat all personally identifiable information consistent with the Fair Information Practice Principles, regardless of immigration status. If the personally identifiable information is not protected by the Privacy Act or Judicial Redress Act, the agency must use an analysis under the FOIA to determine whether information may be released. USCIS did not publish the finalized policy. The DACA program forms included a pledge to not share information provided to USCIS with immigration enforcement agents. Former administrations and agency officials made statements to Congress and in federal courts about this information-sharing policy governing DACA information. But according to internal emails obtained by ProPublica, ICE can access the DACA application database and has already had that information.
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.