A court ordered the Department of Homeland Security on Tuesday to follow through with a request from the Electronic Privacy Information Center, which asked for papers regarding a cybersecurity pilot program via a Freedom of Information Act (FOIA) request back in July of 2011.
The Department of Justice additionally requested the ability to “claw back” documents that they determine, at a later time, to have breached their classification or jeopardize the program in any way. The court denied this request.
Judge Gladys Kessler noted the DHS did not take EPIC’s original request seriously and it wasn’t until the Center filed a lawsuit against the government agency in March of last year that they began to process any documents.
The program in question is a joint effort by the Department of Homeland Security and National Security Agency to prevent cyber attacks on government contractors and their ISPs. The program has yet to be given a public name, but the NSA partnered with AT&T, Verizon, and CenturyLink (all ISPs) to intercept defense contractors’ communications.
The NSA denies any “direct” monitoring of the networks, but the Department of Justice has expressed concern about, once again, the legality and ethics of such monitoring. It also appears that such activity necessitates scanning all information, which could, hypothetically, then be translated, surveyed, and assessed.
The one-of-a-kind program would include surveillance of the contractors’ e-mail correspondence and other traffic, according to The Washington Post’s original report on the pilot program in 2011. The topic has since all but disappeared from discussion.
EPIC filed their request for documents no more than a month after the Washington Post story was published, and has been engaged in a court battle for the information ever since. The DHS acknowledged the request in August 2011, but on one point they could not acquiesce: “Any privacy impact assessment performed as part of the development of the new NSA pilot program.” To this, “the DHS determined they could not locate or identify any responsive records.”
Apparently, this was because the “pilot program belongs to another agency.” The DHS referred the request to the appropriate agency, which sits under the DHS, called the National Protection and Programs Directorate (NPPD). EPIC was not contacted until January 23, 2012, by phone, with no official response ever transmitted to the center.
The DHS continued to request more time to begin handing over information to EPIC, including one 16-month delay.
Now, almost a year and a half later, EPIC has yet to receive a single page of documentation for review. Interestingly, only last week, the 2013 National Defense Authorize Act (NDAA) was signed into law. This year’s budget includes a provision that distinctly calls out defense contractors’ obligation to hand over to the government any cybersecurity threats, breaches, and all subsequent relevant information regarding such activity.
Sure, cybersecurity is an important branch of national security, but the concern lies within the deployment of such technologies into general domestic web traffic. In 2011, James X. Dempsey, a public policy expert at the Center for Democracy and Technology, which tracks civil liberties, notes, “We wouldn’t want this [type of program] to become a backdoor form of surveillance.”
The protective order attempted by the DHS is, according to the director of EPIC’s open government program, in blatant violation of FOIA and contrary to the law which makes public information about government activity available. A slow erosion of government transparency is more dangerous than a sudden 180, for it is such subversion of civil liberties that leaves them lost for good.