LONG et al v. IMMIGRATION AND CUSTOMS ENFORCEMENT et al
Filing
29
MEMRORANDUM OPINION AND ORDER granting in part and denying in part 17 Defendants' Motion for Summary Judgment and granting in part and denying in part 18 Plaintiffs' Cross-Motion for Summary Judgment. It is further ordered that, within 30 days of this date, Defendants shall be permitted to supplement their summary judgment briefing with additional evidence that supports their assertions that (1) disclosure of metadata and database schema "could reasonably be expected to risk c ircumvention of the law" under Exemption 7(E) and (2) they have conducted an adequate search for records in response to FOIA Request III. Thereafter, within seven days, Plaintiffs shall notify the court if they intend to challenge the newly submitted evidence, and if so, the parties shall propose a briefing schedule. Signed by Judge Amit P. Mehta on 12/14/2015. (lcapm2)
<![CDATA[
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
_________________________________________
)
Susan B. Long, et al.,
)
)
Plaintiffs,
)
)
v.
)
)
Immigration and Customs Enforcement, et al., )
)
Defendants.
)
_________________________________________ )
Civil No. 14-00109 (APM)
MEMORANDUM OPINION AND ORDER
I.
INTRODUCTION
Plaintiffs Susan B. Long and David Burnham bring this suit under the Freedom of
Information Act (“FOIA”).
Between October 13, 2010, and February 26, 2013, Plaintiffs
submitted seven FOIA requests to two federal agencies, Defendant Immigration and Customs
Enforcement and Defendant Customs and Border Patrol. They sought metadata and database
schema from databases used by both agencies, as well as “snapshots” of data contained within one
of the databases. Defendants produced some documents in response. But they withheld a host of
others, relying on FOIA Exemptions 3 and 7 and claiming that producing certain responsive
materials would be overly burdensome. Plaintiffs brought this suit claiming that Defendants
violated FOIA by failing to provide them with all materials responsive to their requests.
Upon consideration of the parties’ submissions and the record evidence, the court grants in
part and denies in part the parties’ Cross-Motions for Summary Judgment.
II.
BACKGROUND
Plaintiffs Susan B. Long and David Burnham are Co-Directors of the Transactional
Records Access Clearinghouse (“TRAC”), “a research center established by Syracuse University
that gathers information about the functioning of federal law enforcement and regulatory agencies,
analyzes the data, and publishes reports.” See Pls.’ Mot. Summ. J., ECF No. 18 [hereinafter Pls.’
Mot.], Decl. of Susan B. Long, ECF No. 18-2 [hereinafter Long Decl.], ¶ 2. TRAC’s primary
purpose is “to provide comprehensive information about the staffing, spending, and enforcement
activities of the federal government.” Id. Plaintiffs submitted seven FOIA requests either to
Immigration and Customs Enforcement (“ICE”), Customs and Border Patrol (“CBP”), or both,
which are described in further detail below.
A.
Requests for EID and IIDS Metadata and Database Schema
1.
FOIA Request I
By letter dated October 13, 2010, Plaintiffs submitted a FOIA request to ICE for
documentation related to the Enforcement Integrated Database (“EID”). See Defs.’ Mot., Ex. 1,
ECF No. 17-3 [hereinafter FOIA Request I]. The EID is a “shared common database repository
for all records created, updated, and accessed by a number of [Department of Homeland Security
(“DHS”)] law enforcement and homeland security software applications.” Defs.’ Mot. for Summ.
J., ECF No. 17 [hereinafter Defs.’ Mot.], Decl. of Karolyn Miller, ECF No. 17-1 [hereinafter Miller
Decl.], ¶ 12. EID “captures and maintains information related to the investigation, arrest, booking,
detention, and removal of persons encountered during immigration and criminal law enforcement
investigations and operations conducted by [ICE], [CBP], and U.S. Citizenship and Immigration
Services.” Id. EID contains an array of personally identifiable information about persons detained
for violating the Immigration and Nationality Act, including names, aliases, dates of birth,
2
telephone numbers, addresses, Alien Registration Numbers, Social Security Numbers, passport
numbers, and employment, educational, immigration, and criminal histories. Id. ICE uses the EID
database to manage cases from the time of an undocumented immigrant’s detention through the
person’s final case disposition. Defs.’ Mot., Decl. of Fernando Pineiro, ECF No. 17-2 [hereinafter
Pineiro Decl.], ¶ 47. Plaintiffs’ first FOIA request sought:
(1) a copy of the records identifying each and every database table in the EID and
describing all fields of information that are stored in each of these tables . . . (2) a
copy of records defining each code used in recording data contained [in] the EID.
This is a request for the contents of specific auxiliary tables—often referred to as
code or lookup tables—within the database itself where this information is stored .
. . (3) a copy of the EID’s database schema . . . [and] (4) records that identify the
[Database Management Software (“DBMS”)] (e.g., Oracle, DB2, Sybase, SQL
Server, etc.) including [the] Version No. used for the EID.
FOIA Request I at 1. In other words, Plaintiffs “sought a complete set of documentation on the
[EID].” Pineiro Decl. ¶ 6 (internal quotation marks omitted).
2.
FOIA Request II
On October 18, 2010, Plaintiffs submitted a second FOIA request to ICE for “a complete
set of documentation on the ‘ICE Integrated Decision Support . . . Database,’” known as “IIDS.”
Defs.’ Mot., Ex. 8, ECF No. 17-3 [hereinafter FOIA Request II], at 1. IIDS is “a subset of the EID
database repository . . . [that] provides a continuously updated snapshot of selected EID data.”
Miller Decl. ¶ 13. IIDS’ “intended purpose . . . is . . . to query EID data for operational or executive
reporting purposes and is typically used to generate management reports and statistics from EID
data.” Id. “Specifically, IIDS contains biographic information, information about encounters
between agents/officers and subjects, and apprehension and detention information about all
persons in EID.” Id. Plaintiffs’ second FOIA request sought the same information regarding the
IIDS database that the first request sought regarding the EID database. See FOIA Request II at 1.
3
In summary, FOIA Requests I and II sought documents that disclose the fields, variables,
codes, and structures of the EID and IIDS databases. It appears that TRAC, as part of its goal to
provide the public with information about law enforcement agencies, filed the requests in an
attempt to learn what types of data ICE and CBP collect and rely upon to perform their immigration
enforcement duties.
3.
Government Response to FOIA Requests I and II
In response to FOIA Requests I and II, ICE conducted a search of the System Lifecycle
Management repository database (“SLM”), which is “the authoritative place for technical
documents associated with EID and IIDS.” Defs.’ Mot., Decl. of Jeff Wilson, ECF No. 17-6
[hereinafter Wilson Decl.], at 5. SLM documents are divided into sections and, after searching the
EID and IIDS sections of the repository, ICE personnel reviewed responsive documents. Id. The
agency then released 97 responsive pages, with redactions, and withheld the remaining responsive
documents. Pineiro Decl. ¶ 19. CBP did not search its records in response to FOIA Requests I
and II. See Pls.’ Mot. at 10; Defs.’ Opp’n to Pls.’ Mot. for Summ. J. & Reply, ECF No. 25
[hereinafter Defs.’ Opp’n & Reply], at 18.
B.
Requests for Snapshots
1.
FOIA Requests for Snapshots and Information About Snapshots
Plaintiffs also submitted FOIA requests to both ICE and CBP for “snapshots” of data from
the EID database. As noted, the EID database includes “information related to the investigation,
arrest, booking, detention, and removal of persons.” Miller Decl. ¶ 12. ICE and CBP maintain
several other databases, much like the IIDS database, that contain “subsets of EID data” and
“provide . . . continuously updated snapshot[s] of selected EID data.” Pls.’ Mot., Decl. of Jehan
A. Patterson, ECF No. 18-1 [hereinafter Patterson Decl.], Ex. A at 6. These snapshots allow CBP
4
and ICE “to query EID data for operational or executive reporting purposes.” Id. Collectively,
the snapshots allow ICE to search all of the information contained within the EID database at a
particular point in time. Wilson Decl. at 4. As described below, Plaintiffs’ additional FOIA
requests sought copies of certain snapshots.
On September 21, 2012, Plaintiffs submitted two FOIA requests to ICE. One sought
information about snapshots. It requested “records identifying any extracts and ‘snapshots’
prepared from the [EID] over the last 12 months, along with records relating to the frequency with
which such extracts and snapshots have been prepared, who was responsible for preparing any
snapshot or extract, the recipient(s) of the extracts/snapshots, as well as the EID system time
required in their preparation.” Defs.’ Mot., Ex. 16, ECF No. 17-3 [hereinafter FOIA Request III],
at 1. The other request sought a copy of a snapshot itself, in particular, a “current ‘snapshot’ of
ENFORCE prepared for [IIDS] system.” Defs.’ Mot., Ex. 19, ECF No. 17-3 [hereinafter FOIA
Request IV], at 1. ENFORCE consists of several “applications” that allow “DHS personnel [to]
create, modify, and access the data stored in the EID’s central data repository.” Patterson Decl.,
Ex. A at 2.
On February 25, 2013, Plaintiffs submitted a fifth FOIA request, this time to CBP, which
sought a “current ‘snapshot’ of [the] EID database prepared for [the] CBP data warehouse.” Defs.’
Mot., Ex. 21, ECF No. 17-3 [hereinafter FOIA Request V], at 1. The next day, Plaintiffs submitted
two final FOIA requests. The first was sent to ICE and sought “a current ‘snapshot’ of [the] EID
database prepared for the EARM Data Mart.” Defs.’ Mot., Ex. 23, ECF No. 17-3 [hereinafter
FOIA Requests VI], at 1. The second, which was sent to both ICE and CBP, sought “the current
‘snapshot’ of [the] EID database prepared for EID Data Mart.” Defs.’ Mot., Ex. 23, ECF No. 173 [hereinafter FOIA Requests VII], at 1. The EARM Datamart and the EID Datamart, like the
5
IIDS database, contain subsets of data from EID and are “typically used to generate management
reports and statistics from EID data.” Patterson Decl., Ex. A at 6. Specifically, the EARM
Datamart, which is used to track cases of undocumented immigrants who are in the removal
process, Pineiro Decl. ¶ 47, contains a host of information about immigration court proceedings
and the detention statuses and locations of persons subject to such proceedings, Patterson Decl.,
Ex. A at 7. And the EID Datamart contains data on, among other things, arrests and removal
processing, including personal information about persons subject to those proceedings. Id. at 7.
2.
Government Response to FOIA Requests III through VII
In response to FOIA Request III, ICE disclosed nine pages of records that it asserted were
responsive to the request, with redactions pursuant to FOIA exemptions 6, 7(C), and 7(E). Pineiro
Decl. ¶ 27. Neither ICE nor CBP, however, produced copies of the snapshots Plaintiffs requested
in FOIA Requests IV through VII.
3.
Summary of FOIA Requests
In summary, TRAC submitted seven FOIA requests. Five were directed to ICE only,
together requesting EID and IIDS metadata and database schema, as well as snapshots of data from
the EID database and information about those snapshots. See FOIA Requests I, II, III, IV, and VI.
One was directed to CBP only, requesting a snapshot of certain EID data. See FOIA Request V.
And one was directed to both ICE and CBP, again seeking from each agency a snapshot of certain
EID data. See FOIA Request VII.
C.
Procedural History
Plaintiffs filed this action on January 29, 2014, alleging that Defendants’ searches were
inadequate and that Defendants improperly withheld responsive materials under FOIA. See
generally Compl., ECF No. 1. On October 9, 2014, Defendants filed a Motion for Summary
6
Judgement. See generally Defs.’ Mot. In it, Defendants argued that their search was adequate as
they conducted searches in the SLM repository for documents responsive to Plaintiffs’ request for
the EID and IIDS metadata and database schema, and that they properly withheld responsive
documents pursuant to Exemptions 3, 7(A), and 7(E). Id. at 10-11, 15-26. With regard to the
snapshots, Defendants asserted that they were unable to produce any responsive documents,
because “the snapshots Plaintiffs requested were not retained for the date ranges of the subject
FOIA requests, . . . the requested information could not be produced with the technology currently
in the Agency’s possession, and . . . even if the information could be produced, Defendants were
not capable of redacting the information.” Id. at 11-12.
On November 13, 2014, Plaintiffs filed a Cross-Motion for Summary Judgment.
See generally Pls.’ Mot.
In the Motion, Plaintiffs argued that Defendants’ claimed FOIA
exemptions are inapplicable. Id. at 14-26. They also disputed the assertion that Defendants are
unable to produce the requested snapshots. Id. at 27-30. Plaintiffs further argued that Defendants’
search was inadequate because Defendants: (1) did not sufficiently respond to FOIA Request III;
(2) failed to search the EID and IIDS databases themselves for documents pertaining to the
metadata and database schema of each system; and (3) failed to search CBP records. Id. at 31-32.
III.
DISCUSSION
A.
Standard of Review
Under Federal Rule of Civil Procedure 56, a court must grant summary judgment “if the
movant shows that there is no genuine dispute as to any material fact and the movant is entitled to
judgment as a matter of law.” Fed. R. Civ. P. 56(a). When a court is applying this standard, “the
evidence of the non-movant is to be believed, and all justifiable inferences are to be drawn in his
favor.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). A dispute is “genuine” only
7
if a reasonable fact-finder could find for the nonmoving party, while a fact is “material” only if it
is capable of affecting the outcome of litigation. Id. at 248-49. A non-material factual dispute is
insufficient to prevent the court from granting summary judgment. Id. at 249.
FOIA cases often are appropriately decided on motions for summary judgment.
See Defenders of Wildlife v. U.S. Border Patrol, 623 F. Supp. 2d 83, 87 (D.D.C. 2009). A court
may award summary judgment in a FOIA case using solely the information included in the
agency’s affidavits or declarations if they are “relatively detailed and non-conclusory,” SafeCard
Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C. Cir. 1991) (citations and internal quotation marks
omitted), and describe “the documents and the justifications for nondisclosure with reasonably
specific detail, demonstrate that the information withheld logically falls within the claimed
exemption, and are not controverted by either contrary evidence in the record nor by evidence of
agency bad faith,” Military Audit Project v. Casey, 656 F.2d 724, 738 (D.C. Cir. 1981). “Unlike
the review of other agency action that must be upheld if supported by substantial evidence and not
arbitrary or capricious, the FOIA expressly places the burden ‘on the agency to sustain its action’
and directs the district courts to ‘determine the matter de novo.’” DOJ v. Reporters Comm. for
Freedom of Press, 489 U.S. 749, 755 (1989) (quoting 5 U.S.C. § 552(a)(4)(B)).
B.
EID and IIDS Metadata and Database Schema
The court first considers Plaintiffs’ challenge to Defendants’ invocation of FOIA
Exemptions 7(E), 7(A), and 3 to withhold and redact materials responsive to Plaintiffs’ requests
for EID and IIDS metadata and database schema. “The basic purpose of FOIA is to ensure an
informed citizenry, vital to the functioning of a democratic society, needed to check against
corruption and to hold the governors accountable to the governed.” NLRB v. Robbins Tire &
Rubber Co., 437 U.S. 214, 242 (1978) (citation omitted). Because of FOIA’s critical role in
8
promoting transparency and accountability, “[a]t all times courts must bear in mind that FOIA
mandates a ‘strong presumption in favor of disclosure.’” Nat’l Ass’n of Home Builders v. Norton,
309 F.3d 26, 32 (D.C. Cir. 2002) (quoting Dep’t of State v. Ray, 502 U.S. 164, 173 (1991)). But
“an agency’s justification for invoking a FOIA exemption is sufficient if it appears logical or
plausible.” Larson v. Dep’t of State, 565 F.3d 857, 862 (D.C. Cir 2009) (citations and internal
quotation marks omitted).
1.
Exemption 7(E)
Defendants rely primarily on Exemption 7(E) to withhold records responsive to Plaintiffs’
request for metadata and database schema. Once again, the metadata and database schema sought
in this case are the fields, variables, codes, and structures of the EID and IIDS databases. Under
Exemption 7(E), an agency may withhold information “compiled for law enforcement purposes”
if, among other reasons, its release “would disclose techniques and procedures for law enforcement
investigations or prosecutions, or would disclose guidelines for law enforcement investigations or
prosecutions if such disclosure could reasonably be expected to risk circumvention of the law.”
5 U.S.C. § 552(b)(7)(E). Exemption 7(E) “sets a relatively low bar for the agency to justify
withholding,” Blackwell v. FBI, 646 F.3d 37, 42 (D.C. Cir. 2011), and “where an agency
‘specializes in law enforcement, its decision to invoke [E]xemption 7 is entitled to deference,’”
Lardner v. DOJ, 638 F. Supp. 2d 14, 31 (D.D.C. 2009) (quoting Campbell v. DOJ, 164 F.3d 20,
32 (D.C. Cir. 1998). This does not excuse an agency, however, from the requirement of describing
its “justifications for withholding the information with specific detail.” ACLU v. Dep’t of Defense,
628 F.3d 612, 619 (D.C. Cir. 2011)).
Plaintiffs challenge Defendants’ invocation of Exemption 7(E) on a host of grounds.
Specifically, they argue that: (a) the records sought were not compiled for law enforcement
9
purposes; (b) the records do not disclose law enforcement techniques, procedures, or guidelines;
and (c) disclosure of the records does not present a risk of circumvention of the law. The court
considers each of these arguments in turn.
a.
Compiled for law enforcement purposes
Defendants contend that they “engage in law enforcement activity and the records
responsive to the subject FOIA request were compiled for law enforcement purposes.” Defs.’ Mot.
at 20. According to a declaration submitted by ICE’s Deputy FOIA Officer, Fernando Pineiro, the
databases at issue—namely, EID and IIDS—contain “law enforcement sensitive information
relating to investigations, enforcement operations, and checks of other law enforcement
databases.” Defs.’ Mot. at 20 (quoting Pineiro Decl. ¶ 47). ICE uses IIDS, in particular, “to rapidly
run reports and queries on data stored in other ICE databases, particularly [EID].” Pineiro Decl.
¶ 47. Responding to Defendants’ claim, Plaintiffs argue “[t]hat [just because] the databases
themselves may contain information compiled for law enforcement purposes does not, as the
government assumes, mean that all information about the databases—especially information that,
like the information requested here, serves data management and administrative purposes—was
also compiled for law enforcement purposes.” Reply Mem. in Supp. of Pls.’ Mot. for Summ. J.,
ECF No. 27 [hereinafter Pls.’ Reply], at 2.
The court has little trouble rejecting Plaintiffs’ argument. A record is deemed “compiled
for a law enforcement purpose” so long as there is (1) a rational “nexus” between the record and
the agency’s law enforcement duties and (2) a connection between the subject of the record and a
possible security risk or violation of federal law. See Campbell, 164 F.3d at 32; see also Pratt v.
Webster, 673 F.2d 408, 420 (D.C. Cir. 1982). The latter requirement must be satisfied “to establish
that the agency acted within its principal function of law enforcement, rather than merely engaging
10
in a general monitoring of individuals’ activities.” Pratt, 673 F.3d at 420. Plaintiffs concede that
Defendants use the EID and IIDS databases for law enforcement purposes—to assist ICE and CBP
with deporting people who are unlawfully in the United States, to arrest those who violate federal
immigration laws, and to track investigations and court proceedings of those apprehended.
See Pls.’ Mot. at 4. Thus, records concerning how these databases are constructed and how they
operate—like the data itself—clearly have a rational “nexus” to Defendants’ law enforcement
duties. The second prong of the “law enforcement purpose” test is also satisfied because of the
clear connection between the records and possible security risks or violations of law. These are
not the kind of records compiled for generalized snooping of individuals’ lives, but were prepared
to effectuate the agencies’ law enforcement responsibilities. The court thus concludes that the
withheld records easily qualify as records or information “compiled for law enforcement
purposes.”
b.
Techniques, procedures, or guidelines
Plaintiffs next argue that the withheld records concerning database metadata and database
schema would not, if released, disclose “techniques,” “procedures,” or “guidelines” for law
enforcement investigations or prosecutions, as those terms are used in Exemption 7(E). Plaintiffs
contend that “the fact that data is used by law enforcement personnel in carrying out their duties
does not mean that revealing information about a database discloses the techniques and methods
that law enforcers employ in using it.” Pls.’ Reply at 4. For their part, Defendants offer the
following, from ICE’s Deputy FOIA Officer, Fernando Pineiro, in opposition to Plaintiffs’
position:
ICE employed certain law enforcement techniques and methods designed to obtain
information in furtherance of the nation’s immigration and customs laws, and ICE
law enforcement officers use the database and systems that are the subjects of
Plaintiffs’ FOIA request to maintain that information and carry out those duties.
11
Pineiro Decl. ¶ 50; see also Defs.’ Mot. at 20-22.
Although the court views the Pineiro Declaration as providing a rather thin explanation for
why the metadata and database schema qualify as a law enforcement technique, procedure, or
guideline, the court ultimately agrees with Defendants based on the Court of Appeals’ decision in
Blackwell v. FBI, 646 F.3d 37 (D.C. Cir. 2011), as well as analogous district court cases. In
Blackwell, the FBI sought to protect under Exemption 7(E) “methods of data collection,
organization and presentation contained” in certain reports. Id. at 42 (internal quotation marks
omitted). The FBI’s declarant explained that “the manner in which the data is searched, organized
and reported to the FBI is an internal technique, not known to the public,” and the “method was
developed by [the vendor] to meet the specific investigative needs of the FBI.” Id. (internal
quotation marks omitted).
Based on those averments (as well as an additional attestation
concerning how disclosure could give rise to the potential risk of circumvention of the law), the
Court of Appeals concluded that the FBI had properly invoked Exemption 7(E). Id.
Other cases from this Circuit are to similar effect. For instance, in Strunk v. DOJ, 905
F. Supp. 2d 142 (D.D.C. 2012), the court concluded that withheld computer screen transaction
codes, computer transaction codes, and computer function codes—similar to the codes at issue
here—from a CBP database known as TECS, though not themselves law enforcement “techniques
and procedures,” were protected “guidelines for law enforcement investigations and prosecutions”
under Exemption 7(E). Id. at 148 (citation omitted). Similarly, in Skinner v. DOJ, 893 F. Supp.
2d 109 (D.D.C. 2012), the court agreed that computer access codes associated with the TECS
database were, at the least, law enforcement guidelines under Exemption 7(E), id. at 114. And
other decisions have treated law enforcement database codes or fields in the same way. See Ortiz
v. DOJ, 67 F. Supp. 3d 109, 123 (D.D.C. 2014) (granting Exemption 7(E) protection to “violator
12
identifier codes”); Miller v. DOJ, 872 F. Supp. 2d 12, 29 (D.D.C. 2012) (permitting agency to
withhold law enforcement numerical database codes used to identify information and individuals,
as well as codes “relate[d] to procedures concerning the use of law enforcement resources and
databases . . ., as well as case program and access codes”); McRae v. DOJ, 869 F. Supp. 2d 151,
169 (D.D.C. 2012) (holding that “codes, case numbers, and other computer information pertaining
to the TECS, NCIC, and databases maintained by the North Carolina authorities are techniques
and procedures for law enforcement investigation”).
Blackwell and these district court decisions teach that internal database codes, fields, and
other types of identifiers used by law enforcement agencies to conduct, organize, and manage
investigations and prosecutions qualify, at least, as law enforcement guidelines, if not also law
enforcement methods and techniques. Thus, the court rejects Plaintiffs’ argument that the EID
and IIDS metadata and database schema do not qualify for withholding under Exemption 7(E).
c.
Circumvention of the law
The parties’ final area of disagreement about the application of Exemption 7(E) is also their
most significant. They dispute whether disclosure of the metadata and database schema “could
reasonably be expected to risk circumvention of the law.” 5 U.S.C. § 522(b)(7)(E). Defendants
assert that disclosure of the EID and IIDS metadata and database schema would enable
“individuals to access [ICE]’s law enforcement database, including its investigative files,
manipulate data within those databases, and launch a full scale cyber-attack against [ICE].” Defs.’
Mot. at 21. To establish the risk of such an attack, Defendants offer the affidavit of Karolyn Miller,
an Information Technology Specialist in Information Security at ICE, who identifies a specific
13
kind of risk—a Structured Query Language injection attack, or a “SQL injection attack,” on the
EID and IIDS databases. Miller Decl. ¶ 16. As Miller explains:
The SQL injection attack . . . is a technique used by malicious intruders or
“hacktivists” to exploit web sites by changing the intended effect of an SQL query
by inserting new SQL keywords or operators into the query. Basically, the attacker
inserts or “injects” SQL instructions in a web application Search field to cause the
program to malfunction. The program’s error allows the attacker to then access
otherwise restricted parts of the database to view or steal information . . . that will
allow the attacker to not only access the full database, but . . . also potentially allow
access to other parts of the IT system . . . by using the stolen credentials.
Id. She concludes that, “[s]hould ICE be required to provide . . . database schema, tables, codes,
code values, and database version, ICE will have disclosed the exact information that an SQL
[injection] attacker needs to penetrate the EID and IIDS databases and systems, and potentially the
ICE network.” Id. ¶ 19.
i.
Plaintiffs’ legal interpretation of Exemption 7(E)
Plaintiffs offer two rejoinders—one legal, the other factual—to Defendants’ ominous
prediction of a potentially debilitating cyber-attack resulting from disclosure. Plaintiffs first argue
that, “[a]lthough a cyber-attack would undoubtedly constitute a violation of law, such a violation
does not constitute circumvention of a relevant law within the meaning of Exemption 7(E).” Pls.’
Mot. at 16. Instead, according to Plaintiffs, “the exemption allows an agency to withhold
techniques, procedures, and guidelines that it uses to enforce particular laws . . . if disclosure of
those techniques, procedures, or guidelines would allow an individual to circumvent those laws.”
Id. In other words, Plaintiffs contend that Exemption 7(E) applies only if the risk that there will
be a violation of law relates to those laws that the subject law enforcement agency is tasked with
enforcing.
Plaintiffs thus argue that an unlawful cyber-attack cannot serve as a basis for
withholding EID and IIDS metadata and database schema because such information, if disclosed,
does not risk circumvention of the laws enforced by Defendants.
14
The FOIA statute, however, cannot be read so narrowly. Exemption 7(E) plainly states
that withholding is permissible under that provision if “disclosure could reasonably be expected to
risk circumvention of the law”—“the law,” period. 5 U.S.C. § 552(b)(7)(E). Congress did not
qualify or modify “the law” in any way to circumscribe the types of laws that might be violated in
the event of disclosure for Exemption 7(E) to apply. Thus, a plain reading of the statute does not
support Plaintiffs’ interpretation.
Nor have courts read the exemption as Plaintiffs have proposed. Indeed, courts in this
District have recognized the risk of a cyber-attack or a breach of a law enforcement database as
valid grounds for withholding under Exemption 7(E). In Skinner, the court upheld the agency’s
decision to withhold data under Exemption 7(E) where the agency showed that release of the
subject data would “(1) permit unauthorized users to avoid recognition, instant detection and
apprehension, (2) give them near-unfettered access to one of the nation’s most critical electronic
law enforcement infrastructures, and (3) arm these intruders with the ability to irreparably corrupt
the integrity of [the database] by altering or manipulating it.” 893 F. Supp. 2d at 113 (internal
quotation marks omitted). Likewise, in Strunk, the court recognized a risk of circumvention where
disclosure of data could “facilitate[ ] access to and navigation through [a law enforcement
database] and reveal[ ] mechanisms for access to and navigation through [the database].” 905
F. Supp. 2d at 147. There, the agencies asserted that “individuals who knew the meaning of the
codes . . . would gain access to CBP law enforcement techniques and procedures that would permit
them to . . . corrupt[ ] the integrity of ongoing investigations.” Id. at 148. Skinner and Strunk
make clear that the potential for a cyber-attack or data breach is the kind of risk of circumvention
of the law that justifies withholding under Exemption 7.
15
ii.
Plaintiffs’ factual challenge to the asserted risk of a cyberattack
This case, however, differs from Skinner and Strunk in one important respect: Plaintiffs
here have aggressively challenged Defendants’ assertion that disclosure of the metadata and
database schema would expose the EID and IIDS databases to a SQL injection attack. In support,
Plaintiffs have offered the declaration of an expert in data security, Dr. Paul Clark, President and
Chief Technology Officer of SecureMethods, Inc., and Paul C. Clark, LLC,1 who disputes the
potential for a SQL attack. He explains:
A SQL injection attack is a type of remote execution attack. In other words,
someone who is not physically on the premises where a computer system is located
nonetheless can launch an attack by transmitting malicious instructions through a
web interface that has a direct connection to a database that will accept and execute
such instructions . . . . [R]emote execution is not a credible threat to the EID or
IIDS systems . . . [because] there is no publicly accessible web interface to the EID
or IIDS, nor do agencies outside of [DHS] have access to the database systems.
Pls.’ Mot., Decl. of Paul C. Clark, ECF No. 18-3 [hereinafter Clark Decl.], ¶¶ 11-12 (emphasis
added).
Defendants offer a relatively limp response to Dr. Clark’s critique. They do not disagree
that a hacker would require an external access point to execute a SQL injection attack; nor do they
claim that the EID or IIDS databases are in fact accessible through an external access point.
Rather, through the affidavit of Jeff Wilson, Unit Chief of the Information Technology
Management Unit within Enforcement and Removal Operations, Law Enforcement and Systems
Analysis at ICE, Defendants state: “[T]here are still dangers associated with providing information
and records associated with system development, data tables and fields, outage times, etc., whether
or not the database has a ‘publically accessible web interface.’” Defs.’ Opp’n & Reply, Suppl.
1
See Pls.’ Mot., Decl. of Paul C. Clark, ECF No. 18-3, at 11.
16
Decl. of Jeff Wilson, ECF No. 25-1 [hereinafter Wilson Suppl. Decl.], ¶ 9. Wilson cites as the
sole example a 2014 cyber-attack against Home Depot, which was executed using malware
inserted at point-of-sale machines in stores in the United States and Canada. Id. Wilson Suppl.
Decl. ¶ 9. Wilson adds:
Intimate knowledge of tables, codes, and schemas can be used to create a more
sophisticated attack that lasts days, weeks or even months. Additional technical
dangers include: cross site scripting, session hijacking, SQL injection, race
conditions, unformatted error messages, improper html rendering and submittals,
among others.
Id. ¶ 10. But nowhere does he say that any of those “additional technical dangers” could be
accomplished when a system, like the one at issue here, has no an external access point.
Plaintiffs offer an obvious retort to Wilson’s statements. In a supplemental declaration,
Dr. Clark states: “In the Home Depot example [Wilson] cites, access was obtained not through a
web interface, but through point-of-sale devices that connected to Home Depot’s system. ICE
obviously does not use point-of-sale devices that would provide an attacker with access to its
systems, and Mr. Wilson does not suggest that any comparable means of access to ICE’s systems
exists.” Pls.’ Reply, Suppl. Decl. of Paul C. Clark., ECF 27-2 [hereinafter Clark Suppl. Decl.],
¶ 4. When pressed at oral argument, counsel for Defendants was unable to identify any SQL
injection attacks that have occurred without a public access point and asked to further brief the
question whether a SQL injection attack could be achieved only via a public access point.
Hr’g Tr. at 21:3-23:14, Oct. 28, 2015 (Draft).
In evaluating whether Plaintiffs have carried their burden of showing a risk of
circumvention of the law, the court is fully cognizant of the low bar that the Court of Appeals has
set for establishing such risk. See, e.g., Pub. Employees for Envtl. Responsibility v. U.S. Section,
17
Int’l Boundary & Water Comm’n, U.S.-Mexico, 740 F.3d 195, 204-05 (D.C. Cir. 2014); Blackwell
v. FBI, 646 F.3d at 42. Trial courts are to:
[L]ook[ ] not just for circumvention of the law, but for a risk of circumvention; not
just for an actual or certain risk of circumvention, but for an expected risk; not just
for an undeniably or universally expected risk, but for a reasonably expected risk;
and not just for certitude of a reasonably expected risk, but for the chance of a
reasonably expected risk.
Mayer Brown LLP v. IRS, 562 F.3d 1190, 1193 (D.C. Cir. 2009). Courts must heed that low bar,
especially in cases where an agency has warned that disclosure could lead to a cyber-attack on, or
security breach of, an agency data system containing sensitive law enforcement and personal
information. Judges are not cyber specialists, and it would be the height of judicial irresponsibility
for a court to blithely disregard such a claimed risk.
But the standard of review of a claimed 7(E) exemption, while highly deferential, is not
“vacuous.”
Campbell, 164 F.3d at 32 (quoting Pratt, 673 F.2d at 421).
Courts have a
responsibility to ensure that an agency is not simply manufacturing an artificial risk and that the
agency’s proffered risk assessment is rooted in facts. Based on the present record, the court cannot
find that Defendants have carried their burden of showing that disclosure of the IED and IIDS
metadata and database schema increases the risk of a cyber-attack of the kind Defendants posit.
The sole risk that Defendants claim might be heightened by the release of metadata and database
schema is that of a SQL injection attack. On the present record, however, it is undisputed that a
SQL injection attack requires an external point of entry, such as a website or point-of-sale machine,
and that the IED and IIDS databases are not so exposed. The court is thus left unconvinced, at this
juncture, that the sole risk of circumvention of the law claimed by Defendants—a SQL injection
attack—would be increased if the requested metadata and database schema were disclosed. The
court, therefore, denies Defendants’ Motion for Summary Judgment as to its invocation of
18
Exemption 7(E) to withhold information concerning IED and IIDS metadata and database
schema.2
The court, however, will not at this juncture order Defendants to disclose the withheld
material. Rather, in the exercise of its discretion, the court will permit Defendants to supplement
the record with additional affidavits or other evidence to establish that disclosure of the IED and
IIDS metadata and database schema will increase the risk of a cyber-attack, data breach, or any
other circumvention of the law.3 See Wolf v. CIA, 569 F. Supp. 2d 1, 10 (D.D.C. 2008) (“Where
an agency’s declarations are deficient, courts generally will request that an agency supplement its
supporting declarations rather than order discovery.” (citation and internal quotation marks
omitted)); see also Hall v. CIA, 668 F. Supp. 2d 172, 188-93 (D.D.C. 2009) (granting in part and
denying in part the agency’s and the plaintiff’s cross-motions for summary judgment, and
permitting the agency to submit a “supplemental filing” in support of its invocation of certain
FOIA exemptions).
2.
Exemption 3
Defendants alternatively argue that their withholding of metadata and database schema is
justified under FOIA Exemption 3. Generally speaking, that exemption protects a record from
disclosure if it has been “specifically exempted from disclosure by statute.” 5 U.S.C. § 552(b)(3).
Here, Defendants have argued that the withheld materials are exempt from disclosure under the
2
Defendants also invoke Exemption 7(A) to justify withholding the metadata and database schema. However,
Defendants’ invocation of Exemption 7(A) relies on arguments substantially identical to those presented in connection
with their Exemption 7(E) claim. That is, disclosure of the requested information would expose the databases to
potential cyber-attacks. See Defs.’ Opp’n and Reply at 22-23; Hr’g Tr. 26:5-28:9. Thus, for the same reason that the
court has denied summary judgment on Defendants’ invocation of Exemption 7(E), it does so as to Defendants’
invocation of Exemption 7(A).
3
Defendants’ briefing also suggests the possibility of an “inside job” where someone within ICE or CBP, who
otherwise does not have access to the requested information, could use it to gain unauthorized access to the databases.
See Defs.’ Opp’n. and Reply at 10; see also Hr’g Tr. at 24:8-25:3. But Defendants have not presented any evidence
of how the requested disclosures might increase the risk of such an attack. Defendants may wish to address this risk
in its supplemental submission.
19
Federal Information Security Management Act (“Management Act”), 44 U.S.C. §§ 3541-49. They
are incorrect.
Exemption 3 applies only if a statute “requires that matters be withheld from the public in
such a manner as to leave no discretion on the issue” or “establishes particular criteria for
withholding or refers to particular types of matters to be withheld.” 5 U.S.C. § 552(b)(3)(A).
Exemption 3 further provides that, “if [the statute was] enacted after the date of enactment of the
OPEN FOIA Act of 2009,” Exemption 3 applies only if the statute “specifically cites to this
paragraph.” Id. § 552(b)(3)(B).
The statute upon which Defendants rely—the Management Act—was repealed in its
entirety on December 18, 2014—after this case was filed—and replaced by the Federal
Information Security Modernization Act of 2014 (“Modernization Act”), 44 U.S.C. § 3551 et seq.
(2014). As the Modernization Act is the law in effect at the time the court is rendering its decision,
it is the controlling law in the present dispute. See Bradley v. School Bd. of City of Richmond, 416
U.S. 696, 711 (1974) (stating the “principle that a court is to apply the law in effect at the time it
renders its decision, unless doing so would result in manifest injustice or there is statutory direction
or legislative history to the contrary”).
The Modernization Act does not enable Defendants to invoke Exemption 3 here for two
reasons. First, because the Modernization Act was enacted after the OPEN FOIA Act of 2009, for
it to protect records from disclosure under Exemption 3 it must “specifically cite[ ] to [Exemption
3].” 5 U.S.C. § 552(b)(3)(B). It does not do so. Second, to the extent that the Modernization Act
does cite to FOIA, it does not alter agencies’ obligations under the FOIA statute.
The
Modernization Act expressly states that “[n]othing in this subchapter . . . may be construed as
affecting the authority of . . . the head of any agency, with respect to the authorized use or
20
disclosure of information, including . . . the disclosure of information under section 552 of title 5.”
44 U.S.C. § 3558. Therefore, Defendants’ claim that the requested materials can be withheld
pursuant to Exemption 3 fails.
C.
Copies of Snapshots of Data from the EID Database
The parties’ second major dispute concerns Defendants’ non-production of copies of
“snapshots” of data from the EID database. Again, “snapshots” are continuously updated extracts
of portions of the EID database that enable Defendants to search and manipulate the EID data.
Plaintiffs assert that Defendants have not complied with FOIA because they failed to disclose
copies of the requested snapshots and did not perform an adequate search for them. Defendants
offer two reasons why they cannot comply with Plaintiffs’ requests for copies of snapshots. First,
they argue that their “document system is not capable of producing the information for distribution
to Plaintiffs.” Defs.’ Mot. at 13. Second, they argue that even if they could produce the snapshots,
“Defendants lack[ ] the technology to redact the information.” Id. at 14.
Under FOIA, “an agency shall provide the record in any form or format requested by the
person if the record is readily reproducible by the agency in that form or format.” 5 U.S.C.
§ 552(a)(3)(B) (emphasis added). The key term, “readily reproducible,” “is not . . . synonymous
with technical[ly] feasible.” Scudder v. CIA, 25 F. Supp. 3d 19, 38 (D.D.C. 2014). Rather, “[t]he
Court may consider the burden on the defendant agency in determining whether the documents at
issue are ‘readily reproducible.’” Id. To justify withholding otherwise responsive materials, the
“agency’s evidence of burden . . . must be not only compelling, but also demonstrate that
compliance with a request would impose a significant burden or interference with the agency’s
operation.” Public.Resource.Org v. IRS, 78 F. Supp. 3d 1262, 1266 (N.D. Cal. 2015) (citing TPS,
Inc. v. DOD, 330 F.3d 1191, 1195 (9th Cir. 2003)). Among the factors that a court may consider
21
in assessing the claimed burden are the amount of time, expense, and personnel that would be
required to complete document searches and production, as well as whether the agency has the
existing technology or would have to purchase new technology to perform those tasks. See Wolf
v. CIA, 569 F. Supp. 2d at 9 (“Courts often look for a detailed explanation by the agency regarding
the time and expense of a proposed search in order to assess its reasonableness.” (citation
omitted)); Pinson v. DOJ, 80 F. Supp. 3d 211, 217 (D.D.C. 2015) (holding that DOJ did not carry
its burden by merely asserting that the search would require a “burdensome effort” without
offering estimates of “the time required to conduct [the] requested search, the cost of such a search,
or the number of files that would have to be manually searched”).
Consistent with these principles, courts have held that agencies need not disclose records
when conducting a search for requested materials would impose an unreasonable burden. See, e.g.,
Nation Magazine, Washington Bureau v. U.S. Customs Serv., 71 F.3d 885, 891-92 (D.C. Cir. 1995)
(determining that a request that required an agency to search through 23 years of unindexed files
imposed an unreasonable burden); Am. Fed’n of Gov’t Employees, Local 2782 v. U.S. Dep’t of
Commerce, 907 F.2d 203, 208-09 (D.C. Cir. 1990) (holding that a request that required a search
of “every chronological office file and correspondent file, internal and external, for every branch
office [and] staff office” was overbroad); Nat’l Sec. Counselors v. CIA., 960 F. Supp. 2d 101, 16162 (D.D.C. 2013) (concluding that a request that sought copies of all federal intelligence agency
records pertaining to a supercomputer and required a search of all agency offices was so broad as
to impose an unreasonable burden upon the agency). Courts also have held that agencies are
excused from complying with FOIA requests where “review[ing], redact[ing], and arrang[ing] for
inspection [of] a vast quantity of material” presents an unreasonable burden. Am. Fed’n of Gov’t
Employees, 907 F.2d at 209; see also Vietnam Veterans of Am. Conn. Greater Hartford Chapter
22
120 v. DHS, 8 F. Supp. 3d 188, 203 (D. Conn. 2014) (FOIA request for which agency would need
to locate, review, and make heavy redactions to 26,000 packets, each of which contained 50 pages,
was unreasonably burdensome); Hainey v. Dep’t of Interior, 925 F. Supp. 2d 34, 45 (D.D.C. 2013)
(holding that it would be unreasonably burdensome to require the agency to search and review
every email sent or received by 25 different employees throughout a two-year time period).
Particularly relevant here, one court has held that the process of making redactions to 20 million
responsive records within a database was sufficiently burdensome to justify the agency’s
withholding of the entirety of the requested information. See Ayuda, Inc. v. FTC, 70 F. Supp. 3d
247, 276-77 (D.D.C. 2014) (“[B]ecause the agency aims to protect the private information of
citizens by withholding the data fields at issue, and because the manual review needed for redacting
such information is unreasonably burdensome, the Court concludes that the FTC properly withheld
the data fields.”).
Consistent with the above cases, the court finds that Defendants have demonstrated that
producing and redacting the requested snapshots would be unduly burdensome. According to
Defendants’ affiant Jeff Wilson, “[c]urrently, there is no specific product, report or snapshot
generated during the Extract-Transform-Load (ETL) process where information from the EID is
transferred to IIDS and the datamarts . . . . [T]his process is automatic and occurs through a link
established between two databases with no tangible extract files.” Wilson Suppl. Decl. ¶ 15; see
also Wilson Decl. at 8 (“To produce an extract in a format that could be consumed by the external
entity, a new record would need to be created. It would require the design, development, and
implementation of a different process for this new record that does not include law enforcement
sensitive and/or personally identifiable information[.]”). In other words, according to Wilson,
when EID data is collected, organized, and transferred to a functional database like IIDS, no
23
reproducible extract or copy of the transferred data, or snapshot, is created to provide to a FOIA
requester. Wilson adds: “ICE does not currently have the technology to [produce the requested
snapshots]. It is difficult to assess what it would take to provide a severable copy because the EID
is comprised of so many data elements.” Wilson Decl. at 9. At a minimum, Wilson explains,
duplication and production of snapshots would “require a new contract to facilitate the extract
process and associated databases in the hundreds of thousands to millions of dollars.” Id. The
contract would have to provide for the hiring of additional information technology specialists,
including experts in database design and maintenance, large data storage and transfer, networking,
and programming, as well as the hiring of experts to remove or redact sensitive law enforcement
data. Id.
And, according to Wilson, even if Defendants could replicate the snapshot for production,
they would face tremendous challenges in redacting sensitive personal and law enforcement
material, which even Plaintiffs concede are subject to valid FOIA exemptions. The tables available
in the EID consist of more than 6.7 billion rows of data, with the total amount of information
contained within the EID exceeding five terabytes. Id. at 7. Wilson equated the volume of data to
“1.8 million songs on an iPod” or an audiobook that “would take approximately 9.5 years to read.”
Id. Further employing the example of an iPod, Wilson stated that redacting exempt information
would be akin to “redacting every artist, album, and song name as well as significant portions of
the song[s].” Id. at 8. According to Wilson, “[a]t this particular time, the ICE FOIA Office does
not have the existing technology or expertise for processing this data.” Wilson Suppl. Decl. ¶ 16.
Although Wilson could have been more descriptive in explaining precisely what it would take to
redact exempt information and why such process would be unduly burdensome, he does state the
following: “The redaction process for this request is expensive for a federal agency. It requires a
24
modification to an existing contract, clearances, background screenings, training, and ramp up
time.” Id.
Plaintiffs dispute Defendants’ contention that producing and redacting the requested
snapshots would impose an undue burden on the agencies. Plaintiffs offer their own expert
declaration from Michael Hasan, a software engineer employed by Plaintiffs’ research institute,
TRAC. To rebut Defendants’ contention that reproducing a snapshot would impose an undue
burden, Hasan states that “[e]xtraction is a built-in functionality of any commercial [DBMS]
software that allows any database object or table to be queried and extracted into text or another
electronic representation. . . . Thus, it should be an easy and inexpensive process to extract data
using such software.” Pls.’ Mot., Decl. of Michael Hasan, ECF No. 18-4 [hereinafter Hasan Decl.],
¶ 10. As to Defendants’ contentions concerning the burdensomeness of redacting the snapshots,
Hasan states, “[r]edaction is another built-in functionality that is common across commercial
DBMS packages. It is a trivial matter to redact a column of information (for example, a column
containing Social Security numbers of individuals apprehended by defendants) by executing a
simple . . . command that either deletes the data in the column or replaces the data with a special
symbol to denote redaction.” Id. ¶ 13.
Although Hasan’s Declaration raises some questions about whether the snapshots are
indeed readily reproducible and redactable, the court ultimately finds those questions insufficient
to create a genuine dispute of material fact that would preclude a grant of summary judgment in
Defendants’ favor. FOIA requires courts to “accord substantial weight to an affidavit of an agency
concerning the agency’s determination as to technical feasibility . . . and reproducibility[.]”
See 5 U.S.C. § 552(a)(4)(B) (emphasis added); see also Scudder, 25 F. Supp. 3d at 39
(“[S]ubstantial deference is due an agency’s ‘reproducibility’ determination[.]”).
25
Here,
Defendants’ declarant, Jeff Wilson, has attested, based on his specific knowledge of and
experience with the EID database and associated datamarts that replicating and redacting the
snapshots would create an undue burden on the agencies. The court, as it must, accords that view
substantial weight. Plaintiffs’ declarant, though an expert in the field of database systems and
management, has not offered any evidence that specifically rebuts Wilson’s assertions about the
agencies’ present technological capabilities as to the EID database and associated datamarts or
regarding the burden that reproduction and redaction of the snapshots would impose on them.
Instead, Hasan offers only observations about commercial databases in general—his declaration
reveals no specific knowledge about the EID database and its associated operations. Hasan,
naturally, is limited by his lack of first-hand experience with the EID database and the datamarts
at issue in this case. But once, as here, an agency has proffered a declaration as to the technical
feasibility and reproducibility of a records request—which, by statute, must be accorded
substantial weight—a plaintiff must offer more than generalities about technical capabilities of
generic systems to overcome or raise questions about that declaration. Plaintiffs have failed to do
so here.
Plaintiffs make one additional argument in an effort to rebut Defendants’ contention that
reproducing and redacting would impose an undue burden. Plaintiffs argue that Defendants must
be able to produce and redact the snapshot because they have previously provided Plaintiffs with
redacted portions of snapshots in response to other FOIA requests. Long Decl. ¶¶ 16-20.
Defendants do not deny the past productions but argue that Plaintiffs’ present requests are
meaningfully different in scope and scale. Whereas Plaintiffs’ previous, fulfilled requests sought
specific information contained in the snapshots, the present requests seek the snapshots in their
entirety. Defs.’ Mot. at 14. For example, one previous request sought “anonymous case-by-case
26
information on each removal and return for January 2014.” Wilson Suppl. Decl. ¶ 12 (emphasis
added).
“The request specifically asked for 54 data elements for each individual
removed/returned; the data elements include[d], inter alia, biographical information, criminal
history, and immigration history for every individual removed/returned for a limited time period.”
Id. As to that request, ICE reviewed the relevant information and created new spreadsheets in
order to provide it to Plaintiffs. See id. ICE also created codes that it used to alter exempt
information contained in the requested data set so that such information was not released.
See Hr’g Tr. at 15:1-16; see also Wilson Suppl. Decl. ¶ 12. Defendants thus contend that these
past productions serve as poor comparators for the present, far more expansive requests.
The court agrees. The court again accords substantial weight to the representations of
Defendants’ affiant, Jeff Wilson. According to Wilson, a request for a snapshot of the entire
database is “vastly different” from Plaintiffs’ previous requests and, as a consequence, the manner
in which ICE responded to the prior requests is “wholly inadequate for responding to a request for
all the data replicated at unspecified points in time into other datamarts.” Wilson Suppl. Decl.
¶ 13. Wilson adds that “the replication or copying of all data from EID data into the IIDS, and
other datamarts[,] is not a pull of data,” which was sufficient to respond to past requests. Id.
Plaintiffs have not offered any evidence specific to the databases at issue here that rebuts those
contentions. The court therefore concludes that FOIA does not require Defendants to produce
redacted copies of the requested snapshots.
D.
Request for Discovery
In a related argument, Plaintiffs request that the court allow them to conduct discovery on
the factual issues concerning Defendants’ capacity to produce and redact the extracts and snapshots
from their databases. They argue that they “have introduced facts casting serious doubt on
27
defendants’ assertions that they lack the technology to produce and redact data extract files and
that they would have to spend ‘hundreds of thousands to millions of dollars,’ Wilson Decl. at 9,
on a contract to create a new database.” Pls.’ Mot. at 30.
Courts have “broad discretion to manage the scope of discovery” in FOIA cases. SafeCard
Servs., 926 F.2d at 1200. “Discovery in FOIA is rare and should be denied where an agency’s
declarations are reasonably detailed, submitted in good faith and the court is satisfied that no
factual dispute remains.” Schrecker v. DOJ, 217 F. Supp. 2d 29, 35 (D.D.C. 2002); see also Baker
& Hostetler LLP v. U.S. Dep’t of Commerce, 473 F.3d 312, 318 (D.C. Cir. 2006). Here,
Defendants have set forth detailed affidavits explaining that they currently lack the technology to
produce and redact copies of the requested snapshots and that acquiring the necessary technology
and marshalling the resources necessary to produce and redact copies of the snapshots would be
unduly burdensome.
Although Plaintiffs have offered rebuttal declarations that raise some
questions about Defendants’ assertions, for the reasons already discussed, Plaintiffs have not
offered any evidence that is specific to the EID and other databases at issue in this case, to create
a factual dispute that might otherwise justify allowing Plaintiffs to take discovery. Cf. Scudder,
25 F. Supp. 3d at 37 (finding that factual disputes existed where the plaintiff “provided reasonable
evidence, based on his purported personal experience and observations, that the documents
requested do exist in the format requested . . . even alert[ing] the defendant’s FOIA staff as to
where within the defendant’s computer systems the electronically stored documents [we]re
located”). Accordingly, Plaintiffs’ request for discovery is denied.
E.
Adequacy of the Search
Plaintiffs argue that Defendants’ search was inadequate in three ways. First, Plaintiffs
argue that Defendants failed to provide any information regarding their search for FOIA Request
28
III—that is, “records identifying any extracts and ‘snapshots’ prepared from the [EID] over the
last 12 months, along with records relating to the frequency with which such extracts and snapshots
have been prepared, who was responsible for preparing any snapshot or extract, the recipient(s) of
the extracts/snapshots, as well as the EID system time required in their preparation.” FOIA
Request III at 1; see also Pls.’ Mot. at 31. Second, they argue that Defendants’ search for the
metadata and database schema was inadequate because Defendants did not search the EID and
IIDS databases for responsive records.
Pls.’ Mot. at 31-32.
Finally, Plaintiffs argue that
Defendants’ search was inadequate because they failed to search any CBP records. Id. at 32.
FOIA requires an agency to conduct a search for responsive records that is “reasonably
calculated to discover the requested documents.” SafeCard Servs., 926 F.2d at 1201. “In general,
the adequacy of a search is ‘determined not by the fruits of the search, but by the appropriateness
of [its] methods.’” Hodge v. FBI, 703 F.3d 575, 579 (D.C. Cir. 2013) (quoting Iturralde v.
Comptroller of the Currency, 315 F.3d 311, 315 (D.C. Cir. 2003)). In order to prevail on summary
judgment, “the agency must show that it made a good faith effort to conduct a search for the
requested records, using methods which can be reasonably expected to produce the information
requested.” Oglesby v. U.S. Dep’t of the Army, 920 F.2d 57, 68 (D.C. Cir. 1990) (citation omitted).
To carry this burden, the agency may submit a “reasonably detailed affidavit, setting forth the
search terms and the type of search performed, and averring that all files likely to contain
responsive materials (if such records exist) were searched.” Id. “The adequacy of the search, in
turn, is judged by a standard of reasonableness and depends, not surprisingly, upon the facts of
each case.” Weisberg v. DOJ, 745 F.2d 1476, 1485 (D.C. Cir. 1984) (citation omitted).
The court agrees with Plaintiffs’ first contention that Defendants have not explained what
search, if any, they undertook to locate extract identification and preparation records sought in
29
FOIA Request III. Indeed, the government does not even respond to this argument. See Defs.’
Reply at 17-18. Because Defendants do not address what search, if any, they conducted, the court
will deny summary judgement as to the adequacy of their search in response to FOIA Request III.
See Oglesby, 920 F.2d at 68. Defendants shall submit an affidavit that sets forth the search efforts
undertaken in response to FOIA Request III.
Plaintiffs next argue that the search Defendants conducted in response to FOIA Requests I
and II was inadequate. Plaintiffs’ first two FOIA requests sought metadata and data schema from
the EID and IIDS databases, including “records identifying the database tables . . . records defining
the codes . . . database schema, and records that identify the DBMS software.” FOIA Request I at
1; FOIA Request II at 1. According to declarant Jeff Wilson, ICE conducted the following search:
On July 15, 2014, the ICE [Office of the Chief Information Officer (“OCIO”)]
searched the [SLM] repository and located 2,793 documents. The SLM repository
is the authoritative place for technical documents associated with the EID and IIDS.
As a result, no other databases were required to be searched by OCIO. SLM
documents are organized by sections so personnel located the “EID” and “IIDS”
sections throughout the repository and transferred applicable documents for review.
Wilson Decl. at 5. Plaintiffs contend that this search was inadequate because Defendants did not
search the EID and IIDS databases themselves for responsive documents. Pls.’ Mot. at 31-32.
According to Plaintiffs, “[l]ocating and copying the responsive information from the [EID and
IIDS] databases would require only the execution of simple commands, and would provide the
most accurate and current records responsive to the requests for database schema and code tables.”
Pls.’ Reply at 24 (citing Pls.’ Reply, Second Decl. of Michael Hasan, ECF No. 27-3 [hereinafter
Sec. Hasan Decl.], ¶¶ 9-10).
The court disagrees with Plaintiffs and finds that Defendants’ search of the SLM repository
for the requested records was adequate. “There is no requirement that an agency search every
record system.” Oglesby, 920 F.2d at 68 (citations omitted). The agency responded to the FOIA
30
request by searching the “authoritative” database where responsive records were likely to be held.
It identified the sections of that database where responsive documents were likely to be found and
reviewed the responsive documents. Though Plaintiffs may be correct that “[t]he database schema
and [metadata] are actually a built-in part of any modern database,” Sec. Hasan Decl. ¶ 10, and
therefore, are necessarily contained within the EID and IIDS databases, they have not offered any
reason to believe that responsive records—other than the database schema and codes themselves,
which Defendants are not required to produce at this juncture—would be found within the
databases. Absent such a showing, the court is satisfied that Defendants conducted a proper search
for the EID and IIDS database schema and metadata. See Mobley v. CIA, Civ. No. 11-cv-02072,
Civ. No. 11-cv-02073, 2015 WL 7423687, *8 (D.C. Cir. Nov. 13, 2015) (“Agency affidavits—so
long as they are ‘relatively detailed and non-conclusory’—are ‘accorded a presumption of good
faith, which cannot be rebutted by ‘purely speculative claims about the existence and
discoverability of other documents.’” (citations omitted)).
Plaintiffs last contend that the search was inadequate because Defendants failed to search
CBP records for responsive documents. Of Plaintiffs’ seven FOIA requests at issue in this case,
only FOIA Requests V and VII were directed to CBP. Both of those were requests for copies of
the requested snapshots. Because the court already has concluded that Defendants need not
produce copies of snapshots, the court does not reach the issue of the adequacy of Defendants’
search of CBP records.
IV.
CONCLUSION AND ORDER
For the reasons set forth above, Defendants’ Motion is granted in part and denied in part
and Plaintiffs’ Cross-Motion is granted in part and denied in part. Judgment is entered in favor of
31
Defendants as to (1) the adequacy of the search for FOIA Requests I and II and (2) their
withholding of copies of snapshots in response to FOIA Requests IV through VII.
As for the grounds on which the court has denied Defendants’ Motion, within 30 days of
this date, Defendants shall be permitted to supplement their summary judgment briefing with
additional evidence that supports their assertions that (1) disclosure of metadata and database
schema “could reasonably be expected to risk circumvention of the law” under Exemption 7(E)
and (2) they have conducted an adequate search for records in response to FOIA Request III.
Thereafter, within seven days, Plaintiffs shall notify the court if they intend to challenge the newly
submitted evidence, and if so, the parties shall propose a briefing schedule.
Dated: December 14, 2015
Amit P. Mehta
United States District Judge
32
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
