SHERIDAN v. U.S. OFFICE OF PERSONNEL MANAGEMENT
Filing
16
MEMORANDUM OPINION granting Defendant's 8 Motion for Summary Judgment and denying Plaintiff's 11 Cross-Motion for Summary Judgment. See attached document for details. Signed by Judge Ketanji Brown Jackson on September 29, 2017. (lckbj2)
<![CDATA[
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUM B IA
RONALD L. SHERIDAN, JR.,
P laintiff,
v.
U.S. OFFICE OF P ERSONNEL
MANAGEMENT,
Defendant.
)
)
)
)
)
)
)
)
)
)
)
)
)
Case No. 16-cv-805 (KBJ)
M EM ORANDUM OPINION
P ro se plaintiff Ronald L. Sheridan seeks access to the computer software that
the Office of P ersonnel Management (“OP M”) uses to administer background
investigations to applicants for federal government jobs. (See Compl., ECF No. 1, ¶ 8.)
Sheridan submitted a records request to OP M in April of 2015, asking for “[c]omputer
files containing the source code” for the agency’s Electronic Questionnaires for
Investigations P rocessing (“e-QIP ”) system, as well as related “design and operations
documentation for e-QIP .” (Id. ¶ 9.) Sheridan filed the instant lawsuit after OP M
failed to respond to his request; he invokes the Freedom of Information Act (“FOIA”),
5 U.S.C. § 552, and asks this Court to declare OP M’s withholding “unlawful” and to
order OP M to produce the requested records “without further delay.” (Id., P rayer for
Relief, ¶¶ C–D.)
Before this Court at present are the parties’ cross-motions for summary
judgment. (S ee Mem. in Supp. of Def.’s Mot. for Summ. J. (“Def.’s Mem.”), ECF No.
8; P l.’s Mem. in Opp’n to Def.’s Mot. for Summ. J. & in Supp. of P l.’s Cross-Mot. for
Summ. J. (“P l.’s Mem.”), ECF No. 11.) In its motion, OP M argues that the e-QIP
source code and related documentation are exempt from disclosure under the FOIA
pursuant to Exemption 7(E), 5 U.S.C. § 552(b)(7)(E), because the e-QIP source code
and related documentation were compiled for a “law enforcement purpose” (see Def.’s
Mem. at 11–12), and producing those records could reasonably be expected to increase
the risk that undeserving individuals might successfully navigate the background
investigation process, and also the risk that the e-QIP system will be the target of
cyber-intrusion (see id . at 12– 13). 1 OP M further argues that because Exemption 7(E)
applies to the requested records in their entirety, no reasonably segregable, non-exempt
portions of those records can be produced to Sheridan (see id. at 15– 16), and that even
if some portions of the requested records are segregable, they would nevertheless be
exempt from disclosure pursuant to FOIA Exemption 2, which encompasses “matters
that are . . . related solely to the internal personnel rules and practices of an agency[,]”
5 U.S.C. § 552(b)(2). (S ee Def.’s Mem. at 13–15.) For his part, Sheridan maintains
that neither Exemption 7(E) nor Exemption 2 applies (see P l.’s Mem. at 10– 15), and
that even if they do, OP M has not adequately complied with the FOIA’s segregability
requirement (see id . at 15).
Although Sheridan’s written and oral presentation in regard to this matter was
exceptional for a non-lawyer advocate, for the reasons explained below, this Court
agrees with OP M that the requested records are exempt from disclosure pursuant to
Exemption 7(E), and that OP M has adequately complied with its obligation to identify
1
Pag e-number citations t o documents t he p arties have filed refer to t he p age n umbers t hat t he Co urt ’s
elect ronic filing system automatically assigns.
2
and produce any reasonably segregable, non-exempt portions of the requested records.
Accordingly, OP M’s motion for summary judgment will be GRANTED and Sheridan’s
cross-motion for summary judgment will be DENIED. A separate Order consistent
with this Memorandum Opinion will follow.
I.
B ACKGROUND 2
“OP M functions as the human resources service provider for Federal agencies
in the executive branch and, as part of that function, provides over 90% of the
Government’s background investigations, conducting over two million investigations a
year.” (Def.’s Statement of Material Facts Not in Genuine Dispute (“Def.’s SOMF”),
ECF No. 8, ¶ 2; see a lso Decl. of Lawrence W. Anderson (“Anderson Decl.”), ECF No.
8-2, ¶ 21.) OP M’s authority to conduct background investigations derives from
multiple statutes, see, e.g., 5 U.S.C. § 1304(a); 22 U.S.C. § 272b, as well as from an
Executive Order that requires background investigations in order to ensure that all
federal government employees are “reliable, trustworthy, of good conduct and
character, and of complete and unswerving loyalty to the United States[.]” Exec. Order
No. 10,450, 3 C.F.R. 936 (1949– 1953 Comp.). “The principal purpose of a background
investigation is to ensure that a prospective employee has not broken the law or
engaged in other conduct making her ineligible for the position.” M ittlema n v. OPM,
76 F.3d 1240, 1243 (D.C. Cir. 1996).
To conduct its work, OP M uses the e-QIP system, “which provides secure, webbased access for applicants to enter, update, and transmit” various background
2
Th e facts that are recited in t his Memorandum Op inion are n ot in dispute. (S ee Pl.’s Resp. to Def.’s
St at ement of M aterial Facts No t in Gen uine Dispute, ECF No . 11, ¶¶ 1–5.)
3
investigation forms. (Def.’s SOMF ¶ 3; see also Anderson Decl. ¶ 14.) Individuals use
these forms to provide information regarding matters such as foreign contacts and
financial and criminal histories. (See Def.’s SOMF ¶ 4; Anderson Decl. ¶ 15.) Blank
versions of background investigation forms are publicly available 3; however, applicants
can only complete and submit these forms through e-QIP at the invitation of a
sponsoring agency. (S ee Def.’s SOMF ¶ 5; Anderson Decl. ¶ 15.) The e-QIP system
“allow[s] individuals to complete the appropriate investigative form and transmit the
data through the requesting Government agency to OP M’s central computer system.”
(Anderson Decl. ¶ 16.) Thus, the system is also “designed to house the completed
personnel security investigative forms.” (Def.’s SOMF ¶ 5.)
On April 15, 2015, Sheridan submitted a FOIA request to OP M, requesting
“[c]omputer files containing the source code to the Office of P ersonnel Management’s
‘Electronic Questionnaires for the Investigations P rocessing (e-QIP)’ application and
computer files or hardcopy records containing design and operations documents for eQIP .” (Def.’s SOMF ¶ 1.) After emailing twice for a status update to no avail (see
Compl. ¶¶ 14– 15; Exs. 3– 4 to Anderson Decl.), Sheridan treated the agency’s lack of
responsiveness as a “constructive denial” and filed an administrative appeal on
February 1, 2016. (Compl.¶ 23; see also Ex. 7 to Anderson Decl.) To date, OP M has
not issued any formal response to Sheridan’s appeal. (See Compl. ¶ 26; Def.’s Answer
to P l.’s Compl. (“Answer”), ECF No. 5, ¶ 26.) See also 5 U.S.C. § 552(a)(6)(C)(i)
(providing for constructive exhaustion of administrative remedies).
3
S ee, e.g., Standard Form 8 5P, Questionnaire fo r Public Trust Positions, U.S. Office o f Personnel
M g mt ., https://www.opm.gov/forms/pdf_fill/SF85P.pdf (last v isited Sept. 26, 2017).
4
On April 29, 2016, Sheridan filed the present lawsuit, alleging that OP M violated
the FOIA by failing to respond to his document request and by failing to produce the
requested documents. (S ee Compl. ¶¶ 27, 29.) Asserting claims under the FOIA,
Sheridan seeks a declaration that OP M’s failure to make a determination on whether or
not to comply with his FOIA request within twenty working days, failure to respond to
his administrative appeal within twenty working days, and failure to provide the
requested records are unlawful. (See id., P rayer for Relief, ¶¶ A– C.) Sheridan also
asks the Court to order OP M to produce the requested records and award him litigation
costs. (S ee id., P rayer for Relief, ¶¶ D–E.)
The parties have filed cross-motions for summary judgment under Federal Rule
of Civil P rocedure 56 that are now ripe for this Court’s review. 4 OPM’s motion reports
that the agency has searched for the records that Sheridan requested and has located
several responsive items: specifically, the e-QIP source code (which is purportedly
stored across 3,241 different electronic files), and also a 79-page design manual and a
109-page operations manual. (S ee Def.’s Mem. at 9; Anderson Decl. ¶¶ 18– 19.) 5
However, OP M has declined to produce these records to Sheridan, and it argues that its
withholding is justified because the records are exempt from the FOIA under Exemption
7(E), which protects from disclosure certain “‘records or information compiled for law
enforcement purposes’” if such disclosure might risk compromising an agency’s law
4
S ee Def.’s M em.; Pl.’s Mem.; Combined Reply M em. in Supp. o f Def.’s Mot . fo r Su mm. J. and in
Op p ’n t o Pl.’s Cross-Mot. (“Def.’s Reply”), ECF No. 13; Pl.’s Reply in Supp. o f Pl.’s Cross-Mot. for
Su mm. J. (“Pl.’s Reply”), ECF No . 15.
5
Co u rts in this District h ave p reviously held that computer p rogram files const itute “records” as that
t erm is u sed in the FOIA, see,e.g., C leary, Gottlieb, S teen & Hamilton v. Dep’t o f Health & Hu man
S ervs., 844 F. Supp. 770, 782 (D.D.C. 1993), and OPM does not argue t o the contrary in this case (see
Hrg . Tr. at 3–4).
5
enforcement function. (Def.’s Mem. at 12 (quoting 5 U.S.C. § 552(b)(7)(E)).) OPM
argues that, because the agency uses e-QIP to process background-investigation
information, the agency’s disclosure of the system’s source code, structure, and
operation would render e-QIP vulnerable to hacking and phishing, and would also
enable undeserving individuals to pass the background-check process successfully.
(S ee Def.’s Mem at 11– 13.) In making this argument, OP M further contends that
“Exemption 7(E) applies to all of the requested information and that non-exempt
material could not be segregated in a manner that would provide meaningful
information.” (Id. at 16 (emphasis added).) In the alternative, OP M argues that even
assuming that some of the requested information “is not subject to Exemption 7(E), and
that any such information could be segregated in a meaningful manner from the rest of
the requested information, that same information [would be] subject to Exemption 2”
(id .), which protects from disclosure matters that are “related solely to the internal
personnel rules and practices of an agency[.]” 5 U.S.C. § 552(b)(2). In OP M’s view,
Exemption 2 encompasses any segregable information in the requested records, because
the records relate to hiring practices and because there is no legitimate public interest in
the e-QIP source code. (S ee Def.’s Mem. at 13– 15.)
In his cross-motion, Sheridan responds to each of OP M’s arguments in turn.
With respect to Exemption 7(E), Sheridan argues that the requested records are not
exempt because there “would be no harm in their disclosure[,]” in light of the fact that
“[u]nderstanding the information collected by e-QIP does not provide an applicant with
any more information about the investigation adjudication process than simply reading
the paper forms” that are already publicly available. (P l.’s Mem. at 12.) During the
6
Court’s motion hearing, Sheridan added that even if certain portions of the e-QIP source
code might reveal aspects of how background investigations are processed and
adjudicated—one of OP M’s stated concerns—it is likely that other, segregable portions
of the code would not implicate that concern, because source code is often stored in
separate “modules” that perform different functions, and OP M’s representation that the
e-QIP code is stored across “3,241 source code files” (see Anderson Decl. ¶ 18)
suggests that that is the case here. (See Hrg. Tr. at 38– 39.) Finally, with respect to
Exemption 2, Sheridan argues that even assuming, arg uendo, that OP M has correctly
characterized e-QIP as pertaining to the “internal personnel rules and practices of an
agency[,]” 5 U.S.C. § 552(b)(2), Exemption 2 does not cover the requested records
because that exemption is inapplicable when there is a “‘genuine and important public
interest’” in the records (P l.’s Mem. at 13 (quoting Dep ’t o f th e Air Fo rce v. Ro se, 425
U.S. 352 (1976))), and in this case, “there are significant benefits to both the public and
the government when source code can be shared” because “source code can be re-used,
re-purposed, and improved” (id. at 14). 6 The Court held a hearing on the parties’ crossmotions on July 25, 2017. (S ee Min. Entry of July 25, 2017.)
II.
LEGAL STANDARDS
A. Summary Judgme nt In The FOIA Co ntext
FOIA cases typically are decided on motions for summary judgment. See
Lib erma n v. U.S . Dep’t o f Tra nsp., 227 F. Supp. 3d 1, 8 (D.D.C. 2016). Summary
judgment is warranted when “the movant shows that there is no genuine issue as to any
6
Sh eridan’s cross-motion also argues t hat OPM d id not conduct an adequate search in response to h is
FOIA request (see Pl.’s Mem. at 9– 10), b ut h e expressly abandoned t his argument d uring t he Co urt’s
mo t io n h earing (see Hrg. Tr. at 48–49).
7
material fact and the movant is entitled to a judgment as a matter of law.” Fed. R. Civ.
P . 56(a). “In a FOIA case, summary judgment may be granted to the government if the
agency proves that it has fully discharged its obligations under the FOIA, after the
underlying facts and the inferences to be drawn from them are construed in the light
most favorable to the FOIA requester.” M edia Research Ctr. v. U.S. Dep’t of Justice,
818 F. Supp. 2d 131, 136– 37 (D.D.C. 2011) (internal quotation marks and citation
omitted).
B. Exe mption 7(E)
The FOIA “mandates that an agency disclose records on request, unless they fall
within one of nine exemptions.” M ilner v. Dep’t of Navy, 562 U.S. 562, 565 (2011).
“An agency that has withheld responsive documents pursuant to a FOIA exemption can
carry its burden to prove the applicability of the claimed exemption by affidavit, and
[courts] review the agency’s justifications therein de novo.” Larson v. Dep’t of Sta te,
565 F.3d 857, 862 (D.C. Cir. 2009). One of these exemptions—‘Exemption 7’—
permits an agency to withhold “records or information compiled for law enforcement
purposes, but only to the extent that the production of such law enforcement records or
information” would result in one of several enumerated harms. 5 U.S.C. § 552(b)(7).
One of the listed harms—codified in subsection (E) of section 552(b)(7)—is implicated
where the agency’s production of law enforcement records “would disclose techniques
and procedures for law enforcement investigations or prosecutions, or would disclose
guidelines for law enforcement investigations or prosecutions if such disclosure could
reasonably be expected to risk circumvention of the law[.]” 5 U.S.C. § 552(b)(7)(E).
Thus, the text of Exemption 7(E) appears to permit an agency to withhold records only
if certain criteria are satisfied: (1) the records were “compiled for law enforcement
8
purposes,” (2) production of the records “would disclose” either “techniques and
procedures for law enforcement investigations or prosecutions” or “guidelines for law
enforcement investigations or prosecutions[,]” and (3) “such disclosure could
reasonably be expected to risk circumvention of the law[.]” Id.; see also Sack v. U.S.
Dep ’t o f Def., 823 F.3d 687, 693– 94 (D.C. Cir. 2016).
The requirement that records have been “compiled for law enforcement
purposes” can be satisfied “even when the materials have not been compiled in the
course of a specific investigation.” Ta x An a lysts v. IRS, 294 F.3d 71, 79 (D.C. Cir.
2002). “Law enforcement entails more than just investigating and prosecuting
individuals a f ter a violation of the law[,]” Pu b . Emp s. Fo r En vtl. Resp onsibility v. U.S.
S ection , In t’l Boundary and Water Comm’n, 740 F.3d 195, 203 (D.C. Cir. 2014)
(emphasis in original); it also includes “‘proactive steps designed to prevent criminal
activity and to maintain security.’” Id. (quoting M iln er, 562 U.S. at 582 (Alito, J.,
concurring)). Moreover, “[t]he term ‘law enforcement’ in Exemption 7 refers to the act
of enforcing the law, both civil and criminal.” Id.
The requirement that records “would disclose techniques and procedures for law
enforcement investigations or prosecutions,” 5 U.S.C. § 552(b)(7)(E), is met, in ter a lia,
where a record would disclose details about a law enforcement technique or procedure
itself, see Blackwell v. FBI, 646 F.3d 37, 42 (D.C. Cir. 2011) (forensic examination of a
computer); Sack, 823 F.3d at 694 (polygraphs), or would disclose information regarding
“when . . . agencies are likely to employ” certain techniques or procedures, Sack, 823
F.3d at 694. And it is also satisfied if the record would disclose assessments about
whether certain techniques or procedures “are effective.” Id.
9
The final element of Exemption 7(E)—i.e., the requirement that disclosure of a
record “could reasonably be expected to risk circumvention of the law,” 5 U.S.C.
§ 552(b)(7)(E)—“sets a relatively low bar for the agency to justify withholding[.]”
Bla ckwell, 646 F.3d at 42. In fact, “the exemption looks not just for [actual]
circumvention of the law, but for a risk of circumvention; not just for an actual or
certain risk of circumvention, but for an expected risk; not just for an undeniably or
universally expected risk, but for a reasonably expected risk; and not just for certitude
of a reasonably expected risk, but for the chance of a reasonably expected risk.” M ayer
Bro wn LLP v. IRS, 562 F.3d 1190, 1193 (D.C. Cir. 2009). Consequently, “[r]ather than
requiring a highly specific burden of showing how the law will be circumvented,
exemption 7(E) only requires that the [agency] demonstrate[] logically how the release
of [the requested] information might create a risk of circumvention of the law.” Id. at
1194 (third and fourth alterations in original) (internal quotation marks and citation
omitted).
C. Ex e mption 2
FOIA Exemption 2 protects “matters that are . . . related solely to the internal
personnel rules and practices of an agency.” 5 U.S.C. § 552(b)(2). “An agency’s
‘personnel rules and practices’ are its rules and practices dealing with employee
relations or human resources.” Milner, 562 U.S. at 570. The “rules and practices”
referenced in Exemption 2 “concern the conditions of employment in federal agencies—
such matters as hiring and firing, work rules and discipline, compensation and
benefits.” Id. And to be covered by Exemption 2, these matters must be “internal,”
which means that “the agency must typically keep the records to itself for its own use.”
10
Id . at 570 n.4. Finally, Exemption 2 only encompasses those matters that relate
“solely” to an agency’s internal rules and practices, 5 U.S.C. § 552(b)(2), which means
that it does not exempt “matters [that are] subject to . . . a genuine and significant
public interest[.]” Dep’t of the Air Fo rce v. Ro se, 425 U.S. at 369; see also Shapiro v.
U.S . Dep ’t of Justice, 153 F. Supp. 3d 253, 278 (D.D.C. 2016) (explaining that the
“public interest” limitation from Ro se survives the Supreme Court’s more recent
decision in M ilner).
D. Se gregability
The FOIA “requires that even if some materials from the requested record are
exempt from disclosure, any ‘reasonably segregable’ information from those documents
must be disclosed after redaction of the exempt information unless the exempt portions
are ‘inextricably intertwined with exempt portions.’” Johnson v. Exec. Office o f U.S.
Atto rn eys, 310 F.3d 771, 776 (D.C. Cir. 2002) (quoting 5 U.S.C. § 552(b)). “In order to
demonstrate that all reasonably segregable material has been released, the agency must
provide a detailed justification for its non-segregability.” Id. (internal quotation marks
and citation omitted). “However, the agency is not required to provide so much detail
that the exempt material would be effectively disclosed.” Id. “Agencies are entitled to
a presumption that they complied with the obligation to disclose reasonably segregable
material.” Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007).
III.
ANALYSIS
OP M argues that it properly withheld the e-QIP computer source code and
related design and operation documents under Exemption 7(E), and in the alternative,
Exemption 2, and that there is no reasonably segregable, non-exempt information that is
11
not inextricably intertwined with exempt information. As explained fully below, the
Court agrees with OP M that Exemption 7(E) applies to the requested records in this
case, and the Court also concludes that OP M has satisfied its burden of demonstrating
that the requested records do not contain any reasonably segregable, non-exempt
information. 7
A. OPM Prope rly Withhe ld The Requested Records Under Exemption
7(E)
As explained above, Exemption 7(E) allows an agency to withhold “records or
information compiled for law enforcement purposes, but only to the extent that
production of such [records] . . . would disclose techniques and procedures for law
enforcement investigations or prosecutions, or would disclose guidelines for law
enforcement investigations or prosecutions if such disclosure could reasonably be
expected to risk circumvention of the law[.]” 5 U.S.C. § 552(b)(7)(E). The Court
agrees with OP M that the e-QIP source code and related design and operation
documents were created for law-enforcement purposes, and that releasing those
documents could reasonably be expected to increase two risks, both of which relate to
circumvention of the law: the risk that undeserving job applicants will evade the
background-investigation process, and the risk of cyber-intrusion into OP M’s electronic
files.
1. The Requested Records Were “Compiled For Law Enforcement
P urposes”
The core objectives of OP M’s background-investigation function are to “ensure
that a prospective employee has not broken the law or engaged in other conduct making
7
Because the Court concludes t hat t he requested records are exemp t from d isclosure in their entirety
u n d er Exemp tion 7(E), t he Court d oes n ot evaluate wh ether Exemp tion 2 applies as well.
12
her ineligible for the position[,]” and to “determine whether there are any law
enforcement or security issues in [her] past that could affect [her] ability . . . to carry
out the position.” M ittleman, 76 F.3d at 1243 (second, third, and fourth alterations in
original) (internal quotation marks and citation omitted). The D.C. Circuit has long
held that these are “law enforcement purposes” within the meaning of FOIA Exemption
7. S ee M orley v. CIA, 508 F.3d 1108, 1128 (D.C. Cir. 2007) (“Background
investigations conducted to assess an applicant’s qualification . . . inherently relate to
law enforcement.”). Indeed, in M ittleman, the Circuit specifically held that OP M
properly withheld certain responsive documents that it compiled in the course of
performing an individual job applicant’s background investigation, see 76 F.3d at 1242,
reasoning that, because OP M had compiled the requested records in service of the
objective of conducting a background check, the records had been “compiled for law
enforcement purposes” and thus were properly withheld under Exemption 7. 8
Sheridan attempts to distinguish M ittlema n on the grounds that that case
“addressed background investigation information itself, not the tools or processes that
support the background investigation process.” (Pl.’s Mem. at 11.) Sheridan is correct
that M ittleman addressed OP M’s withholding of information from a particular
individual’s background-investigation file—and in fact, only certain information from
that file (i.e., the identities of two confidential sources that OP M consulted during the
background investigation process, see 76 F.3d at 1242)—but this Court discerns no
meaningful difference between records that are collected during a background
8
A lt hough Mittleman addressed t he applicabilit y of Exemp tion 7(D), not 7(E), b oth subsections o f
Exemp t io n 7 req uire the agency t o d emonstrate t hat t he requested records were “comp iled for law
en fo rcement p urposes[.]” 5 U.S.C. § 552(b)(7)(D)–(E).
13
investigation and records that are related to the background-investigation system
generally when it comes to the question of whether those records “were compiled for
law enforcement purposes[.]” 5 U.S.C. § 552(b)(7). Indeed, the compilation
requirement can be satisfied “even when the materials have not been compiled in the
course of a specific investigation.” Ta x An a lysts, 294 F.3d at 79. And in a case that
concerned the disclosure of “[t]he CIA’s security clearance techniques[,]” which
“involve a general process applied to all background investigations of its officers[,]”
the D.C. Circuit considered the statutory requirement to have been met, on the theory
that “[b]ackground investigations conducted to assess an applicant’s qualification . . .
inherently relate to law enforcement.” M orley, 508 F.3d at 1128– 29; see also, e.g.,
S a ck, 823 F.3d at 694 (concluding that “reports about polygraph use were compiled for
law enforcement purposes[,]” in part on the grounds that agencies use polygraphs
during background investigations of job applicants).
Similarly, here, there is no dispute that the e-QIP source code and the related
design and operations manuals exist to serve OP M’s background-investigation function.
Therefore, this Court has little trouble concluding that records concerning the e-QIP
source code and related design and operation manuals were “compiled for law
enforcement purposes” for the purpose of section 552(b)(7). (See Def.’s Mem. at 11–
12.)
2. P roducing The Requested Records “Would Disclose Techniques And
P rocedures For Law Enforcement Investigations Or P rosecutions”
The Court also agrees with OP M that the requested records “would disclose
techniques and procedures for law enforcement investigations or prosecutions[.]”
5 U.S.C. § 552(b)(7)(E). (S ee Def.’s Mem. at 13.) The agency’s affidavit explains that
14
the e-QIP system “provides secure, web-based access for applicants to enter, update,
and transmit electronic versions of” various background investigation forms.
(Anderson Decl. ¶ 14.) The affidavit further explains that “[t]he source code and
related operations and design manuals created for the system serve[] as an architectural
diagram or roadmap of e-QIP .” (Id. ¶ 29.) Furthermore and notably, the agency’s
affiant asserts that the source code reveals “how the data is analyzed [by OP M],”
including “what types of information triggers further investigation, [and] which data
fields are compared to search for inconsistencies[.]” (Id. ¶ 31 (emphasis added).)
These assertions clearly support OP M’s argument that the requested records would
reveal law enforcement “techniques and procedures.” See Sack, 823 F.3d at 694
(holding that reports about agency use of polygraph tests during background
investigations would disclose law enforcement “techniques and procedures themselves,
including when the agencies are likely to employ” polygraphs); Bla ckwell v. FBI, 646
F.3d 37, 42 (D.C. Cir. 2011) (holding that “details about procedures used during the
forensic examination of a computer by an FBI forensic examiner . . . are undoubtedly
‘techniques’ or ‘procedures’ used for ‘law enforcement investigations’” (internal
quotation marks and citation omitted)).
3.
P roducing The Requested Records “Could Reasonably Be Expected
To Risk Circumvention Of The Law”
Under the most natural reading of Exemption 7(E), this Court’s analysis would
end with its conclusions that the requested records were “compiled for law enforcement
purposes” (see su pra P art III.A.1), and that producing the records would disclose
investigative “techniques and procedures” (see supra P art III.A.2), because, in this
Court’s view, the plain text of Exemption 7(E) establishes that if a record satisfies those
15
two criteria, then the agency is entitled to withhold it without needing to further
demonstrate that disclosure might risk circumvention of the law. See 5 U.S.C. § 552(b)
(“This section does not apply to matters that are . . . (7) records or information
compiled for law enforcement purposes, but only to the extent that production of such
law enforcement records or information . . . (E) would disclose techniques or
procedures for law enforcement investigations or prosecutions, or would disclose
guidelines for law enforcement investigations or prosecutions if such disclosure could
reasonably be expected to risk circumvention of the law[.]”). The text separately
references the disclosure of “techniques and procedures” on the one hand, and the
disclosure of “guidelines” on the other, and mentions risk of “circumvention of the law”
only with respect to the latter. Cf . Lo ckhart v. Un ited S ta tes, 136 S. Ct. 958, 962– 63
(2016) (discussing the “last antecedent” canon of interpretation).
Nevertheless, there appears to be “some disagreement” among courts about
“whether the ‘risk of circumvention’ requirement applies to records containing
‘techniques and procedures’ or only to records containing ‘guidelines.’” Citizen s f or
Resp o nsibility & Eth ics in Wash. v. Dep’t o f Ju stice, 746 F.3d 1082, 1102 n.8 (D.C. Cir.
2014); a cco rd Pub. Emps., 740 F.3d at 204 n.4. Indeed, in at least two recent decisions
reviewing agency withholdings under Exemption 7(E), the D.C. Circuit has proceeded
to evaluate whether production of certain records could risk circumvention of the law,
even after concluding that the records “were compiled for law enforcement purposes”
and would disclose law enforcement “techniques and procedures.” See Sack, 823 F.3d
at 694– 95; Black well, 646 F.3d at 42. Thus, out of an abundance of caution, this Court
will now do the same.
16
As mentioned above, the burden of establishing that producing the requested
records “could reasonably be expected to risk circumvention of the law,” 5 U.S.C.
§ 552(b)(7)(E), is relatively easy to shoulder, because “[r]ather than requiring a highly
specific burden of showing how the law will be circumvented, exemption 7(E) only
requires that the [agency] demonstrate logically how the release of [the requested]
information might create a risk of circumvention of the law.” M ayer Brown LLP, 562
F.3d at 1194 (third alteration in original) (internal quotation marks and citation
omitted). Here, OP M’s affiant maintains that there is a risk that “[a]n individual
seeking to circumvent the background investigation process could use the source code”
to “leverage knowledge of the methods [by which] the data is analyzed to circumvent
the law.” (Anderson Decl. ¶ 31.) In this regard, the affidavit specifically asserts that
such an individual could “find out how the data is analyzed, what types of information
triggers further investigation, [and] which data fields are compared to search for
inconsistencies” (id.), and that “[a]ccess to all o[r] part of the e-QIP source code and
design documents would provide [such] an individual the roadmap to manipulate this
intricate computer software when [the government is] conducting personnel
investigations for new and current employees” (id. ¶ 33).
These are logical risks of exactly the sort that Exemption 7(E) empowers
agencies to avoid. S ee M o rley, 508 F.3d at 1129 (“It is self-evident that information
revealing security clearance procedures could render those procedures vulnerable and
weaken their effectiveness at uncovering background information on potential
candidates.”); see also M a yer Brown LLP, 562 F.3d at 1192 (stating that if a record
contained “the words most likely to trigger increased surveillance during a wiretap,”
17
then “the applicability of [Exemption 7(E)] would be obvious”). In fact, in M orley, the
D.C. Circuit concluded that an agency had demonstrated the requisite logical risk of
circumvention of the law with an affidavit that stated merely “that release of th[e]
information could ‘provide insight’ into the [agency’s] security clearance procedure,”
508 F.3d at 1129, and OP M has gone far beyond that in the instant case. Thus, OP M
has carried its burden of demonstrating that producing the requested records could
reasonably be expected to risk circumvention of the law based on the logical possibility
that applicants for federal jobs might glean information about how background
investigation forms are processed and use that information to pass their background
checks undeservedly.
If that were not enough, OP M’s affidavit also highlights risks related to cyberintrusion that could materialize if the requested records are produced. First, the
affidavit contends that producing the e-QIP source code and related manuals could
increase the risk that a malicious actor might hack into the e-QIP system and access
confidential data from completed background investigation forms. (See Anderson Decl.
¶¶ 28– 29.) In particular, the affidavit notes that, “[a]lthough P laintiff’s request does
not cover the individual records in the e-QIP system, because the system is both an
interface for entering individuals’ records and a data repository for the records,
divulging the requested information renders the data housed in the system vulnerable as
well.” (Id . ¶ 28.) In its briefing, OP M points out that this risk “is more than
hypothetical[,]” because “OP M has previously been the subject of cyber-intrusions that
impacted background investigation records similar to the information contained in the
e-QIP system.” (Def.’s Mem. at 13.) In addition, and relatedly, OP M’s affidavit
18
contends that releasing the e-QIP source code and design and operations manuals could
increase the risk of a phishing scam—a form of identity theft in which a malicious actor
tricks an unwitting victim into divulging personal identifying information by mimicking
a trusted entity. (S ee Anderson Decl. ¶ 30.) See generally Jennifer Lynch, Id en tity
Th ef t in Cyberspace: Crime Control M ethods and Their Ef fectiveness in Co mb atin g
Ph ish ing Attacks, 20 Berkeley Tech. L.J. 259 (2005). In this regard, OP M’s affidavit
specifically posits that
if someone has the e-QIP source code and intend[s] to circumvent
the law, that individual can determine what the system looks like to
[a] customer organization. In this case the individual would have no
need to breach e-QIP , [because] they could work to ‘make
themselves look like e-QIP ’ for the purposes of attacking a customer
organization system.
(Anderson Decl. ¶ 30.) These additional cyber-intrusion risks further support the
Court’s conclusion that the agency has sufficiently demonstrated that producing the
requested records “could reasonably be expected to risk circumvention of the law[.]”
5 U.S.C. § 552(b)(7)(E); see Long v. Immigration & Customs Enf., 149 F. Supp. 3d 39,
51 (D.D.C. 2015) (noting that “courts in this District have recognized the risk of a
cyber-attack or a breach of a law enforcement database as valid grounds for withholding
under Exemption 7(E)”).
Sheridan offers two vigorous rebuttals to OP M’s arguments regarding a risk of
circumvention of the law under the stated circumstances, but ultimately neither is
persuasive. First, Sheridan contends that OP M’s own description of the functionality of
the e-QIP system does not substantiate the risks that OP M highlights. (See P l.’s Mem.
at 11– 12.) For example, Sheridan says that because “[t]he description of e-QIP
provided by the Defendant makes no mention of the implementation of any
19
investigatory process, or for that matter any function of e-QIP beyond simple collection
and transmission of information that was formerly collected on publicly available paper
forms[,]” e-QIP likely functions as a mere repository such that producing the requested
records could not possibly create a risk of job applicants cheating the background check
process. (Id. at 11 (citing Anderson Decl. ¶¶ 14– 16).) Sheridan adds that “no e-QIP
functionality is described that would be used to eva lu ate the applicant’s submitted
information or execute any process designed to actually adj udicate the clearance
request.” (Id. (emphasis added).) But this account undervalues the specific statement
of OP M’s affiant that the requested records could reveal “how the data is analyzed,
what types of information triggers further investigation, [and] which data fields are
compared to search for inconsistencies” (Anderson Decl. ¶ 31), each of which
implicates aspects of the agency’s evaluation process in a manner that transcends a
mere storage function. And in the absence of any contrary evidence in the record or
blatant inconsistencies in OP M’s affidavit, this Court must credit OP M’s assessment of
what processes the requested records would reveal. See M ayer Brown LLP, 562 F.3d at
1193 (describing the low burden that an agency must meet to demonstrate a risk of
circumvention of the law); see also Clemente v. FBI, 867 F.3d 111, 117 (D.C. Cir.
2017) (noting courts’ “presumption that agency affidavits are made in good faith”).
Second, Sheridan takes issue with the cyber-intrusion-related risks that OP M
posits, on the grounds that those risks are present anyway and would not be
meaningfully increased if the e-QIP source code and related documents became public.
(S ee P l.’s Mem. at 13.) In support of this theory, Sheridan submits the affidavit of
Karim Said, “an information security professional currently employed by NASA[,]”
20
who has performed a security risk assessment of the e-QIP system based on publicly
available information, and has concluded that “there is no significant difference in risk
to the e-QIP information system posed by releasing the source code to e-QIP ” because
there are tools already available that malicious actors can use to compromise computer
software in many circumstances. (Decl. of Karim A. Said, Ex. to P l.’s Mem., ECF No.
11, ¶¶ 1, 23). To underscore this point, Sheridan emphasizes that the previous hack that
OP M admittedly experienced (see Def.’s Mem. at 13 (referencing prior hack as
evidence that the cyber-intrusion risk is real)) “was performed, notably, without access
to the source code to the system.” (P l.’s Mem. at 13.) Thus, says Sheridan, OP M
already has inadequate cyber defenses, so protecting the requested source code from
disclosure in order to guard against cyber-intrusion is like “insisting that we lock the
front door even though the back door is wide open[.]” (Hrg. Tr. at 68.)
These arguments appeal to basic common sense and are entirely rational. But the
law requires more: courts must account for the language and purposes of a statute as
precedents have interpreted it, and it is by now well established that an agency that
invokes Exemption 7(E) need not show that an identified risk will actually increase
substantially, or that the risks it relies upon will necessarily come to fruition; rather,
“exemption 7(E) only requires that the [agency] demonstrate lo g ically how the release
of [the requested] information might create a risk of circumvention of the law.” M a yer
Bro wn LLP, 562 F.3d at 1194 (emphasis added) (second alteration in original) (internal
quotation marks and citation omitted).
This Court is satisfied that OP M has done so here. The agency contends
unequivocally that “releasing [the] source code [even] for systems that leverage the
21
most up-to-date security sensitive features increases the risk of malicious activities for
those systems[,]” and that “releasing the source code for older software is far worse.”
(Anderson Decl. ¶ 30.) It also maintains that, “at the very least[,]” a release of the eQIP source code would “identify the ‘locked doors’ that have been designed into the
software (telling a malicious actor where and how to attempt to breach a system).” (Id.)
In this Court’s view, the fact that a malicious actor does not need the help and could
easily endeavor to find the key on his own (which is Sheridan’s main point) does not
rebut OP M’s assertion that this disclosure would make the system easier to breach.
Moreover, and in any event, the agency’s assessment of cyber-intrusion risks reflects its
access to more information than is available to either Sheridan or this Court, and is
entitled to some deference. See Lo ng, 149 F. Supp. 3d at 53 (“Judges are not cyber
specialists, and it would be the height of judicial irresponsibility for a court to blithely
disregard . . . a claimed risk” of “a cyber-attack on, or security breach of, an agency
data system containing sensitive law enforcement and personal information.”); see a lso
Levin thal v. FEC, 219 F. Supp. 3d 1, 7 (D.D.C. 2016) (crediting FEC’s contention that
“information contained in the [requested records] could be used to gain unlawful access
to the Commission’s technology systems, obtain and manipulate sensitive and
confidential data about candidates, officeholders, party committees, and others who
interact with the Commission, or obtain and manipulate data stored within the
Commission’s systems regarding [Commission] enforcement matters” (second alteration
in original)).
22
Therefore, upon consideration of all the arguments and evidence, this Court
concludes that OP M has adequately demonstrated that the requested release carries
potential risks of circumvention of the law.
B. OPM Has M ade A Sufficie nt Sho wing That The re Are No Re asonably
Se g regable, No n-Exempt Po rtions Of The Re quested Records
Finally, this Court also agrees with OP M’s contention that the FOIA entitles it to
withhold the requested records in their entirety because there are no “reasonably
segregable” portions of the e-QIP source code and related manuals. 5 U.S.C. § 552(b).
OP M’s affidavit asserts that “[p]roviding any of the information requested would allow
an individual to have a blueprint of the” e-QIP system, and that “[a]ccess to all or p a rt
of the e-QIP source code and design documents would provide an individual the
roadmap to manipulate this intricate computer software when conducting personnel
investigations for new and current employees.” (Anderson Decl. ¶ 33 (emphasis
added).) See also Levinthal, 219 F. Supp. 3d at 7 (crediting assertion in agency
affidavit that one of the requested records “‘provides a blueprint to the Commission’s
networks’ and that its public disclosure ‘could thus enable hackers to bypass the
Commission’s current protection mechanisms’” (citation omitted)). “With respect to
the source code” in particular, OP M’s affidavit specifically asserts that “every portion
of potentially nonexempt information is inextricably intertwined with exempt
information, rendering review and release of only nonexempt portions very difficult, if
not impossible to accomplish.” (Anderson Decl. ¶ 34.) Furthermore, “[w]ith respect to
the design and operations manuals P laintiff has requested,” the affidavit adds that “any
portion of the detailed information contained in [those documents] could potentially and
foreseeably be used to discover, map and target vulnerabilities in the system based on
23
. . . detailed knowledge of applications, servers, architecture, and controls.” (Id. ¶ 35.)
These are sufficiently “detailed justification[s]” for OP M’s determinations regarding
segregability to warrant deferring to OP M’s decision to withhold the requested records
in full. M ead Data Cent. v. Dep’t o f th e Air Fo rce, 566 F.2d 242, 261 (D.C. Cir. 1977).
Sheridan dismisses OP M’s support for its segregability determination as “[m]ere
conclusory statements[,]” and argues that OP M needed to say more in order to
demonstrate that there are truly no reasonably segregable, non-exempt portions of the
requested records. (P l.’s Mot. at 15.) Specifically, Sheridan notes that “computer
source code is generally organized in ‘functions,’ ‘procedures,’ or ‘methods,’ each of
which generally perform a single specific task[,]” and he contends that “[s]uch structure
lends itself to segregability” because, even if some portions of the source code might
reveal investigative techniques, there will inevitably be at least some portions that do
not. (P l.’s Reply at 15.) During the motion hearing, Sheridan pointed to the fact that
the e-QIP source code is stored across many different files as evidence that it exhibits
exactly the sort of segregable structure that he describes. (See Hrg. Tr. at 38–39; see
a lso Anderson Decl. ¶ 18 (“There are about 3,241 source code files that make up the
system[.]”).) But counsel for OP M persuasively responded that the risks of cyberintrusion that it has identified—and in particular the risk of phishing—apply uniformly
throughout the source code and related manuals, including to portions that would not
otherwise be exempt because they do not themselves reveal investigative techniques.
(S ee Hrg. Tr. at 59 (“[T]he more of those seemingly innocuous screens that [malicious
actors] can replicate because they have the source code, the better and better that
24
phishing exercise [and the] more effective it will be.”); see also Anderson Decl. ¶¶ 34–
35.)
All in all, the Court concludes that OP M has offered a sufficient and plausible
explanation for its segregability decision, and Sheridan has not done enough to rebut
the “presumption” that OP M “complied with the obligation to disclose reasonably
segregable material.” Sussman, 494 F.3d at 1117.
IV.
CONCLUSION
Sheridan has requested the source code and related design and operations
manuals for the e-QIP system, which OP M indisputably uses to facilitate the
background investigations that it conducts for a huge swath of prospective federal
government employees. According to OP M, producing these records could enable
malicious actors to cheat the background investigation process or to engage in various
forms of cyber-intrusion, and ultimately, this Court finds that argument persuasive.
Specifically, this Court concludes that the requested records satisfy all of the
requirements for withholding under Exemption 7(E), because the e-QIP source code and
manuals were “compiled for law enforcement purposes,” producing them “would
disclose techniques and procedures for law enforcement investigations or prosecutions,”
and “such disclosure could reasonably be expected to risk circumvention of the law[.]”
5 U.S.C. § 552(b)(7)(E). The Court further concludes that OP M has satisfied its burden
of establishing that these records can be withheld in full, because no “reasonably
segregable” non-exempt information can be disclosed. Id. § 552(b).
25
Accordingly, as set forth in the accompanying Order, OP M’s motion for
summary judgment will be GRANTED and Sheridan’s cross-motion for summary
judgment will be DENIED.
Date: September 29, 2017
Ketanji Brown Jackson
KETANJI BROWN JACKSON
United States District Judge
26
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
