==================================================================
Note: Footnotes are marked as "/*/" in the text and are printed at the end of this document.
==================================================================

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

COMPUTER PROFESSIONALS FOR          )
SOCIAL RESPONSIBILITY,              )
                                    )
          Plaintiff,                )
                                    )
     v.                             )   C.A. No. 93-1074-RMU
                                    )
NATIONAL SECURITY AGENCY, et al.,   )
                                    )
          Defendants.               )
____________________________________)

MEMORANDUM IN SUPPORT OF PLAINTIFF'S CROSS-MOTION FOR PARTIAL SUMMARY JUDGMENT AND IN OPPOSITION TO DEFENDANT NSA'S MOTION FOR SUMMARY JUDGMENT

Plaintiff filed this action on May 28, 1993, seeking the disclosure of documents withheld by defendants National Security Agency ("NSA") and National Security Council ("NSC") under the Freedom of Information Act ("FOIA"), 5 U.S.C. Sec. 552. By Order filed on December 1, 1993, the Court granted defendant NSA a stay in proceedings until July 29, 1994, to allow NSA additional time to review the disputed documents. By Order dated September 1, 1994, the Court extended the stay until March 31, 1995. Pursuant to stipulation, defendant NSA moved for summary judgment on August 14, 1995. Plaintiff opposes defendant's motion and cross-moves for partial summary judgment./1/

Background

On April 16, 1993, plaintiff submitted a FOIA request to defendant NSA, seeking copies of "all records in the possession of NSA concerning new cryptographic technologies known as 'Clipper Chips' or 'split key cryptographic systems.'" Exhibit A to Declaration of Jon A. Goldsmith ("Goldsmith Decl."), attached to Memorandum of Points and Authorities in Support of Defendant NSA's Motion for Summary Judgment ("Def. Mem."). Attached to plaintiff's request was a New York Times front-page article titled, "New Communications System Stirs Talk of Privacy vs. Eavesdropping," which identified NSA as the developer of the system. Id.
NSA's processing of plaintiff's request resulted in the identification of 423 responsive documents. Some of these documents were released to plaintiff in their entirety, some were released in redacted form, and some were withheld in their entirety. See generally Vaughn Index (attached to Def. Mem.). In support of its withholding decisions, defendant NSA relies upon FOIA Exemptions 1, 2, 3, 4, 5 and 6. Id.

The "Clipper Chip" Encryption System

Plaintiff's FOIA request sought disclosure of NSA records concerning the "Clipper Chip" -- an NSA-designed encryption device that ensures government access to encrypted information. As is set forth in Mr. Goldsmith's affidavit, encryption is "a process for encoding or 'scrambling' the contents of any voice or data communication with an algorithm (a mathematical formula) and a randomly selected variable (associated with the algorithm) known as a 'key.'" Goldsmith Decl., Para. 5.

Fearing that encryption technology might be used by criminals to impede the efforts of law enforcement agencies to "intercept and understand" their communications, the Administration embarked upon a "policy initiative" known as "key escrow encryption." Id., Para. 6. Although quite technical in its details, this initiative basically involved the development and promotion of an encryption technique that ensures government access to encrypted information. This is accomplished through the "escrowing" of "key components" that are capable of "unlocking" a particular encrypted communication. Id., Paras. 8-9. According to defendant NSA, "a law enforcement official seeking access to the plaintext of an encrypted communication could obtain proper legal authorization," receive the key components from designated "escrow agents," and decrypt the scrambled information. Id., Para. 10.
The Key Escrow Initiative's Law Enforcement Purpose

Notwithstanding the fact that NSA seeks to withhold the bulk of the disputed information on "national security" grounds, the key escrow initiative has, from its inception, been characterized as a law enforcement initiative. When the Administration announced the development of the Clipper Chip on April 16, 1993, it made this clear:

     [t]he President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement.

     * * *

     ... this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.

     * * *

     ... We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities.

The White House, Statement by the Press Secretary (April 16, 1993) ("WH Statement I") (attached hereto as Exhibit A) at 1-2.

On February 4, 1994, the government announced several actions concerning the key escrow initiative, including the adoption of the "Escrowed Encryption Standard" as a federal information processing standard ("FIPS") by the National Institute of Standards and Technology ("NIST"). Once again, the official statements concerning the initiative stressed that it was motivated by law enforcement considerations. A White House statement reiterated that "[l]ast April, the Administration released the Key Escrow chip (also known as the 'Clipper Chip') that would provide Americans with secure telecommunications without compromising the ability of law enforcement agencies to carry out legally authorized wiretaps." The White House, Statement by the Press Secretary (February 4, 1994) ("WH Statement II") (attached hereto as Exhibit B) at 1.
The government released a set of "questions and answers" that stated:

     Q. Why is the key escrow standard being adopted?

     A. The key escrow mechanism will provide Americans and government agencies with encryption products that are more secure, more convenient, and less expensive than others readily available today -- while at the same time meeting the legitimate needs of law enforcement.

Questions and Answers about the Clinton Administration's Encryption Policy (February 4, 1994) (attached hereto as Exhibit C) at 2 (emphasis added).

Perhaps the most succinct statement concerning the purpose of the initiative is contained in NIST's Federal Register notice announcing the formal adoption of the Escrowed Encryption Standard:

     Key escrow technology was developed to address the concern that widespread use of encryption makes lawfully authorized electronic surveillance difficult. In the past, law enforcement authorities have encountered very little encryption because of the expense and difficulty in using this technology. More recently, however, lower cost, commercial encryption technology has become available for use by U.S. industry and private citizens. The key escrow technology provided by this standard addresses the needs of the private sector for top notch communications security, and of U.S. law enforcement to conduct lawfully authorized electronic surveillance.

Approval of Federal Information Processing Standards Publication 185, Escrowed Encryption Standard (EES), 59 Fed. Reg. 5997, 5998 (February 9, 1994) (emphasis added)./2/

NSA's Role in the Key Escrow Initiative

In support of its summary judgment motion, defendant NSA states that "[g]iven its expertise [in security techniques], NSA has played an important role in connection with the development of the Administration's policy initiative on 'key escrow encryption.'" Def. Mem. at 3, citing Goldsmith Decl., Para. 3. Aside from this general assertion, defendant provides no explanation of its role in the initiative.
Other official statements do, however, shed additional light on NSA's involvement in developing the Clipper Chip and key escrow technology. The NIST Federal Register notice states that

     ... NSA, because of its expertise in the field of cryptography and its statutory role as a technical advisor to U.S. government agencies concerning the use of secure communications, developed the technical basis for the standard which allows for the widespread use of encryption technology while affording law enforcement to access encrypted communications under lawfully authorized conditions. NSA worked in cooperation with the Justice Department, the FBI and NIST to develop the escrowed encryption standard.

59 Fed. Reg. 5998, 5999-6000 (February 9, 1994).

In congressional testimony on May 3, 1994, Vice Admiral J. M. McConnell, Director of the NSA, provided a detailed explanation of the agency's involvement in the key escrow initiative.

     Our role in support of this initiative can be summed up as "technical advisors" to the National Institute of Standards and Technology (NIST) and the FBI. As the nation's signals intelligence (SIGINT) authority and cryptographic experts, NSA has long had a role to advise other government organizations on issues that relate to the conduct of electronic surveillance or matters affecting the security of communications systems. Our function in the latter category became more active with the passage of the Computer Security Act of 1987. The Act states that the National Bureau of Standards (now NIST) may, where appropriate, draw upon the technical advice and assistance of NSA. ... These statutory guidelines have formed the basis for NSA's involvement with the key escrow program.

     Subsequent to the passage of the Computer Security Act, NIST and NSA formally executed a memorandum of understanding (MOU) that created a Technical Working Group to facilitate our interactions. The FBI, though not a signatory to the MOU, was a frequent participant in our meetings.
     The FBI realized that they had a domestic law enforcement problem -- the use of certain technologies in communications and computer systems that can prevent the effective use of court authorized wiretaps, a critical weapon in their fight against crime and criminals. In the ensuing discussions, the FBI and NIST sought our technical advice and expertise in cryptography to develop a technical means to allow for the proliferation of top quality encryption technology while affording law enforcement the capability to access encrypted communications under lawfully authorized conditions. We undertook a research and development program with the intent of finding a means to meet NIST's and the FBI's concerns.

Director, National Security Agency, Testimony before the Senate Judiciary Committee's Technology and the Law Subcommittee (May 3, 1994) ("McConnell Testimony") (attached hereto as Exhibit D) at 1-2./3/

The Computer Security Act

In light of Admiral McConnell's reference to the Computer Security Act, Pub. L. 100-235, a discussion of the legislation is appropriate. In enacting the statute, Congress sought to vest civilian computer security authority in NIST and to limit the role of NSA. The legislation was passed in reaction to National Security Decision Directive ("NSDD") 145, which President Reagan issued in 1984. The Presidential directive sought to grant NSA new powers to issue policies and develop standards for "the safeguarding of not only classified information, but also other information in the civilian agencies and private sector." H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987).

The House Report on the Computer Security Act notes that NSDD 145 "raised considerable concern within the private sector and the Congress." Id. One of the principal objections to the directive was that it gave NSA the authority to use its considerable foreign intelligence expertise within this country.
This is particularly troubling since NSA was not created by Congress, but by a secret presidential directive and it has, on occasion, improperly targeted American citizens for surveillance. Id. at 6-7; see also The National Security Agency and Fourth Amendment Rights, Hearings Before the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, 94th Cong., 1st Sess. 2 (1975) (Congress has a "particular obligation to examine the NSA, in light of its tremendous potential for abuse. ... The danger lies in the ability of NSA to turn its awesome technology against domestic communications") (Statement of Sen. Church).

When Congress enacted the Computer Security Act, it also expressed particular concern that NSA, a secretive military intelligence agency, would improperly limit public access to information concerning domestic, civilian computer security activities. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The House Report notes that NSA's natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector. Id.

To alleviate these concerns, Congress granted sole authority to the National Bureau of Standards (now NIST) to establish technical standards for civilian computer security (such as FIPS 185, the standard at issue here). NSA's role in the domestic, civilian realm was limited to the provision of "technical advice and assistance." Pub. L. 100-235, Sec. 2(b)(1). During Congress' consideration of the legislation, "NSA opposed its passage and asserted that NSA should be in control of this nation's computer standards program." Id. at 7.
Congress forthrightly rejected NSA's position, noting that

     [t]he [NSA] proposals would have charged NSA with the task of developing "technical guidelines," and forced [NIST] to use these guidelines in issuing standards. Since work on technical security standards represents virtually all of the research effort being done today, NSA would take over virtually the entire computer standards [program] from [NIST]. [NIST], in effect, would on the surface be given the responsibility for the computer standards program with little to say about most of the program -- the technical guidelines developed by NSA. This would jeopardize the entire Federal standards program.

Id. at 25-26.

It is against this backdrop that this case arises. NSA became involved in the key escrow encryption initiative because "[t]he FBI realized that they had a domestic law enforcement problem ...." McConnell Testimony at 2. The agency thus "undertook a research and development program with the intent of finding a means to meet NIST's and the FBI's concerns." Id. In apparent reliance upon the Computer Security Act, "NSA worked in cooperation with the Justice Department, the FBI and NIST to develop the escrowed encryption standard," 59 Fed. Reg. 5998, 6000, and acted as "technical advisors," McConnell Testimony at 1. As we discuss below, these facts bear directly upon the propriety of the withholding claims at issue in this case.

ARGUMENT

As the Supreme Court has recognized, "[t]he basic purpose of [the] FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed." NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978). More recently, the Court emphasized that "[o]fficial information that sheds light on an agency's performance of its statutory duties falls squarely within that statutory purpose." Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S.
749, 773 (1989). The basic principles underlying the FOIA are clearly implicated here, where the disputed documents shed light upon defendant NSA's role in developing a security standard for domestic, unclassified information systems -- an activity Congress expressly sought to regulate and subject to public scrutiny through passage of the Computer Security Act.

In support of its decision to withhold a substantial portion of the information responsive to plaintiff's FOIA request, defendant NSA relies upon Exemptions 1 (classified national security information); 2 (routine administrative information); 3 (information exempted from disclosure by statute); 4 (confidential commercial information); 5 (privileged information); and 6 (personal information). See generally Vaughn Index (attached to Def. Mem.). As is set forth below, plaintiff challenges defendant NSA's invocation of Exemptions 1, 2 and 3, and Exemption 5 to the extent that defendant seeks to withhold information on the basis of the "deliberative process privilege." With respect to these exemption claims, plaintiff submits that it is entitled to judgment as a matter of law./4/

I. EXEMPTION 1 HAS BEEN IMPROPERLY ASSERTED IN THIS CASE

Defendant NSA seeks to withhold the bulk of the disputed records under Exemption 1 on the ground that the material is "properly classified" under the substantive standards of Executive Order ("EO") 12356. Def. Mem. at 7-12; see generally Vaughn Index. The exemption applies to records that are "specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy and ... are in fact properly classified pursuant to such Executive order." 5 U.S.C. Sec. 552(b)(1). Defendant bears the burden of demonstrating that the information is "in fact properly classified pursuant to" both procedural and substantive criteria contained in the Executive Order. Goldberg v. Department of State, 818 F.2d 71, 77 (D.C. Cir.
1987); Lesar v. Department of Justice, 636 F.2d 472, 483 (D.C. Cir. 1980).

In support of its exemption claims, defendant provides a substantial amount of boilerplate language concerning Exemption 1, see Def. Mem. at 7-9, but very little information concerning the specific applicability of the exemption to the material at issue here. Defendant merely states that

     [t]he documents for which FOIA Exemption 1 was asserted contain information concerning NSA's INFOSEC-related capabilities; Capstone, a version of the "Clipper Chip;" cryptanalysis; the Skipjack algorithm and other encryption algorithms; algorithm specifications and descriptions; NSA technical reports regarding Capstone or "Clipper Chip;" and other technical information on how key escrow encryption technology works.

Id. at 11, citing Goldsmith Decl., Para. 20; and Vaughn Index. Defendant asserts that this information "falls within the coverage of EO 12356 Sec. 1.3(a)(2) (pertaining to the vulnerabilities or capabilities of systems, installations, projects or plans relating to the national security) and Sec. 1.3(a)(8) (relating to cryptology)." Def. Mem. at 11./5/ Plaintiff submits that the disputed material does not meet the substantive criteria for classification contained in the Executive Order.

A. The Information Concerns Domestic Law Enforcement, not National Security

Exemption 1 applies to information "specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy ...." 5 U.S.C. Sec. 552(b)(1) (emphasis added). Likewise, the Executive Order on "National Security Information" provides for the classification of information which, if disclosed, "reasonably could be expected to cause damage to the national security." EO 12356, 3 C.F.R. 166 (1983), reprinted in 50 U.S.C. Sec. 401 note (1988), at Sec. 1.3(b) (emphasis added).
In this case, as we have shown, the disputed information pertains to a domestic law enforcement initiative -- not national defense, foreign policy, nor national security. See, e.g., Goldsmith Decl., Para. 6; WH Statement I at 1-2; WH Statement II at 1; 59 Fed. Reg. 5997, 5998; McConnell Testimony at 1-2; Exhibit E. This point is reiterated in a document released to plaintiff by NIST (attached hereto as Exhibit F), which states that "[t]he Justice Department and FBI turned to NSA who has experience in designing encryption algorithms to provide a technical solution to their law enforcement dilemma." Defendant has failed to articulate any "national security" rationale for withholding the disputed data.

Indeed, the technology at issue in this case -- the Escrowed Encryption Standard -- was expressly developed for use in unclassified government information systems. As FIPS 185 provides, "[t]he standard may be used when ... [t]he data [to be protected] is not classified." 59 Fed. Reg. 5997, 6003. There is simply no logical basis for classifying the details of a security system intended for the protection of unclassified information. If the underlying information -- the encrypted data -- does not warrant classification on national security grounds, how can the means of protecting that information -- the algorithm and other technical details -- warrant such protection?

In a document released to plaintiff by NSA, the reason for the classification of the algorithm was clearly stated:

     Why is the Encryption algorithm in CLIPPER Classified SECRET?

     The purpose behind developing these chips was to provide excellent security while preserving the legitimate need of law enforcement to access encryption when lawfully authorized. Secrecy of the algorithm advances both purposes. First, preserving the ability of law enforcement to access this encryption when authorized depends on having a means to ensure users cannot use this encryption without the law enforcement access feature.
     If the encryption algorithm were public, anyone could build compatible products which did not have the law enforcement access feature, thus defeating this purpose of the program. Second, the security of any encryption is enhanced when both the algorithm and the key are kept secret. This provides an extra layer of protection against exploitation. Thus, it is good INFOSEC practice to keep algorithms secret.

     The specific algorithm in CLIPPER was approved for and is currently used in certain DoD military and intelligence systems that process unclassified information. The algorithm was classified to ensure the security of these DoD systems. Publishing it would diminish this security.

Exhibit G (attached hereto), identified by NSA as document number 93; see also Vaughn index at 27 (describing document as "explanation of why the encryption algorithm in Clipper is classified").

This document offers two explanations for the classification of the technical details: 1) preserving law enforcement access to data encrypted with the Clipper system; and 2) enhancing the security of the encryption system. As plaintiff has noted, the preservation of a law enforcement capability can not properly be characterized as affecting "national security." Likewise, enhancing the security of a system used to protect unclassified information does not implicate national security interests. The NSA explanation raises an additional issue -- whether the publication of the Clipper algorithm would "diminish" the security of the system.

B. Secrecy of the Algorithm and Related Technical Details is not Required for System Security

Notwithstanding the NSA assertion that "it is good INFOSEC practice to keep algorithms secret," and that "the algorithm was classified to ensure the security" of the system, the great weight of expert cryptographic opinion holds that secrecy does not enhance the security of an encryption algorithm. See, e.g., B.
Schneier, Applied Cryptography (1994) at 5 ("if your security depends on the secrecy of the algorithm, then there is only minimal security"), 7 ("a good algorithm can be made public without worry"); D. Denning, Cryptography and Data Security (1983) at 8 ("The security of the system should depend only on the secrecy of the keys and not on the secrecy of the algorithms").

In its Federal Register notice announcing the adoption of the Escrowed Encryption Standard, NIST addressed the widespread public criticism of the use of a classified algorithm. Significantly, NIST did not cite security as a reason for the classification -- it relied entirely upon the need to preserve the law enforcement access feature of the system:

     A classified algorithm is essential to the effectiveness of the key escrow solution. The use of a classified algorithm assures that no one can produce devices that use the algorithm without the key escrow feature and thereby frustrate the ability of government agencies to acquire the content of communications encrypted with the algorithm, in conjunction with lawfully authorized interception. NIST finds that, because the algorithm needs to remain secret in order to preserve the key escrow feature, it would be neither practicable nor in the public interest to publish the algorithm.

59 Fed. Reg. 5997, 5999 (emphasis added). It is thus clear that the algorithm and related details have been classified to serve law enforcement interests, and that the security of the encryption system is not a real concern. In any event, plaintiff reiterates its contention that a system designed to protect unclassified information cannot itself properly be classified./6/

II. EXEMPTION 2 HAS BEEN IMPROPERLY INVOKED IN THIS CASE

Defendant NSA invokes Exemption 2 "to withhold information that pertains to safeguards and security measures, such as reverse engineering protection, for the Skipjack algorithm used in Clipper Chip or Capstone." Def. Mem.
at 13-14 (footnote and citation omitted). Defendant correctly notes that our circuit has devised a two-part test for the so-called "high 2" application of the exemption: 1) the material must be "predominantly internal;" and 2) disclosure must significantly risk circumvention of agency regulations or statutes. Def. Mem. at 13, citing Crooker v. Bureau of Alcohol, Tobacco & Firearms, 670 F.2d 1051, 1073-1074 (D.C. Cir. 1981) (en banc). In this case, however, neither condition has been met.

First, information concerning the technical details of the Escrowed Encryption Standard cannot be deemed "predominantly internal." This information is an integral part of a standard adopted by NIST that "is applicable to all Federal departments and agencies and their contractors." 59 Fed. Reg. 5997, 6003. "In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged ...." Id. Under similar circumstances in Don Ray Drive-A-Way Co. v. Skinner, 785 F. Supp. 198, 200 (D.D.C. 1992), this Court held that a computer algorithm used by the Department of Transportation was not sufficiently "internal" given that "its effect ... [is] adopted by other agencies without further analysis or discretion." Likewise, the algorithm and technical details at issue here are intended for widespread use within the government and the private sector, belying any claim that they are "predominantly internal."

Second, defendant's claims concerning "circumvention of statutes" are deficient. Defendant first cites 18 U.S.C. Sec. 798(a)(1), which "specifically prohibits the disclosure to any unauthorized person of classified information relating to any code, cipher, or cryptographic system of the United States." Def. Mem. at 14. As we discuss more fully in our analysis of defendant's Exemption 3 claims, infra, the applicability of the cited statute necessarily entails a determination of the propriety of the classification of the cryptographic information.
As we have shown, the material at issue in this case does not properly fall within the category of information that may be classified on national security grounds.

Defendant also asserts that disclosure of the withheld information would risk circumvention of 10 U.S.C. Sec. 130, as it "could ... result in the illegal export of cryptography and related technical information." Def. Mem. at 14. Defendant's argument carries little weight under the circumstances of this case, given that the Department of State has announced that "key-escrow products may now be exported to most end users." Statement of Dr. Martha Harris, Assistant Secretary of State (February 4, 1994) (attached hereto as Exhibit H). As the White House reiterated, "[a]fter an initial review of the product, the State Department will permit the export of devices incorporating key escrow technology to most end users." Questions and Answers about the Clinton Administration's Encryption Policy (February 4, 1994) (attached hereto as Exhibit C) at 2. Defendant has proffered no evidence even suggesting that export control issues are implicated here. It is thus clear that the export of this technology could not in any way constitute a violation of U.S. export law.

In sum, defendant NSA has failed to demonstrate that the withheld material is exempt from disclosure under Exemption 2.

III. EXEMPTION 3 HAS BEEN IMPROPERLY INVOKED IN THIS CASE

The Court's analysis of defendant's claims under Exemption 3 will necessarily be similar to its analysis of the Exemption 1 claims. Defendant NSA once again cites "national security" concerns and seeks to withhold many of the same documents that are classified./7/ Again, the Court must consider the propriety of secrecy claims growing out of an activity that was undertaken for domestic law enforcement purposes, and not for national security reasons.

A. Public Law No. 86-36 is not Applicable Here

First, defendant invokes Section 6 of Public Law No. 86-36, 50 U.S.C. Sec.
402 note, to withhold information that pertains to "NSA's critical INFOSEC mission." Def. Mem. at 18 (citations omitted). Section 6 provides, in pertinent part, that "nothing in this Act or any other law ... shall be construed to require the disclosure of the organization or any function of the National Security Agency, [or] of any information with respect to the activities thereof ...." 50 U.S.C. Sec. 402 note.

While Section 6 does qualify as a "statute" within the meaning of Exemption 3, its application is not as sweeping as defendant suggests. In Hayden v. National Security Agency, 608 F.2d 1381, 1389 (D.C. Cir. 1979), the D.C. Circuit held that only where a particular NSA "function or activity is authorized by statute and not otherwise unlawful" will "NSA materials integrally related to that function or activity fall within Public Law No. 86-36 and Exemption 3." (emphasis added). Thus, application of Section 6 requires the Court to consider the statutory authority and the propriety of the "function" or "activity" that is being protected.

The fact that Section 6 authorizes NSA to exercise discretion in withholding or disclosing information in no way negates the Court's obligation to review the agency's determination de novo. "Congress made no provision in FOIA for a lower standard of review in [Exemption 3] cases; instead, review was expressly made de novo under all the exemptions in [the Act]." Long v. Internal Revenue Service, 742 F.2d 1173, 1182 (9th Cir. 1984). Such review "better serve[s] the congressional purpose of assuring that any particular nondisclosure decision was the product of legislative rather than executive judgment." Id. (footnote omitted).

In support of its exemption claim, defendant NSA has failed to articulate any statutory authority for the activity at issue here.
The sole representation concerning NSA's mission is contained in the Goldsmith declaration:

     NSA was established by Presidential Directive in October 1952 as a separately organized agency within the Department of Defense, under the direction, authority, and control of the Secretary of Defense, who was designated by the President as Executive Agent of the Government for conducting the communications security activities (now expanded to information systems security ("INFOSEC") activities) and signals intelligence activities of the United States. Inherent in its missions, NSA is responsible for providing technology and techniques both to make encryption codes to protect the security of certain U.S. communications and computer systems and to unmask the codes other nations use to protect their communications.

Goldsmith Decl., Para. 3. This representation cites no statutory basis for the activity at issue here, nor does it establish the propriety of NSA activity in support of domestic law enforcement interests. On the present record, defendant has not demonstrated the applicability of Public Law No. 86-36.

B. 18 U.S.C. Sec. 798(a)(1) is not Applicable Here

Defendant also invokes 18 U.S.C. Sec. 798, a criminal statute prohibiting the disclosure of "any classified information" concerning cryptography. Once again, in applying this provision, the Court must consider whether the material is properly classified under the terms of the Executive Order. Seeking to avoid such scrutiny, defendant asserts that "[u]nder Sec. 798, the propriety of the classification of the information is irrelevant." Def. Mem. at 19 n.15, citing United States v. Boyce, 594 F.2d 1246, 1251 (9th Cir.), cert. denied, 444 U.S. 855 (1979). Boyce, however, involved a criminal prosecution and does not stand for the proposition that the statute bars disclosure under FOIA if the Court finds that the material is not properly classified in the first instance.

In short, application of both Public Law No.
86-36 and 18 U.S.C. Sec. 798 requires consideration of the underlying NSA activity at issue in this case (development of key escrow encryption technology) and a determination of whether that activity is reasonably related to "national security".

C. 10 U.S.C. Sec. 130 is not Applicable Here

Finally, defendant NSA asserts Exemption 3 on the basis of 10 U.S.C. Sec. 130, which concerns certain controls on the export of "technical data with military or space application." As plaintiff has shown in its discussion of Exemption 2, defendant's export control argument is unavailing under the facts of this case. The Department of State has stated officially that "key-escrow products may now be exported to most end users." Statement of Dr. Martha Harris, Assistant Secretary of State (February 4, 1994) (attached hereto as Exhibit H). The White House has confirmed this position. Questions and Answers about the Clinton Administration's Encryption Policy (February 4, 1994) (attached hereto as Exhibit C) at 2. Defendant NSA has failed to meet its burden of establishing the applicability of the cited statutory provision.

IV. MATERIAL HAS BEEN IMPROPERLY WITHHELD UNDER EXEMPTION 5

As noted, plaintiff does not challenge defendant NSA's invocation of Exemption 5 to the extent that defendant seeks to withhold material described as "attorney work-product" and "attorney-client communications." See Def. Mem. at 34-36. Plaintiff does, however, dispute defendant's claim that a substantial amount of material is exempt from disclosure on "deliberative process privilege" grounds. Def. Mem. at 30-34. Defendant has failed in several respects to establish the applicability of Exemption 5.

First, defendant ignores the fact that the deliberative process privilege applies only to those documents which reflect the personal opinions of the writer rather than the policy of the agency. Formaldehyde Institute v. Department of Health and Human Services, 889 F.2d 1118, 1122 (D.C. Cir.
1989); Coastal States Gas Corp. v. Department of Energy, 617 F.2d 853, 866 (D.C. Cir. 1980). Defendant nowhere in the record attempts to differentiate material reflecting personal opinions from statements of agency policies. Indeed, under the circumstances of this case, it is likely that NSA policies, as opposed to individual opinions, are at issue.

Defendant has also failed to distinguish between factual material and deliberative material contained in the withheld or redacted documents. See generally Environmental Protection Agency v. Mink, 410 U.S. 73, 87-88 (1973); Montrose Chemical Corp. v. Train, 491 F.2d 63, 66 (D.C. Cir. 1974). Such a distinction is particularly important in a case such as this one, where much of the withheld material is admittedly "technological data of a purely factual nature." Ethyl Corp. v. Environmental Protection Agency, 478 F.2d 47, 50 (4th Cir. 1973).

Finally, defendant has failed to establish that the "predecisional" material it seeks to withhold was not subsequently adopted as the basis of the "Escrowed Encryption Standard" adopted as FIPS 185 by NIST in February 1994. See 59 Fed. Reg. 5997. The Supreme Court has held that a document may lose its protection under the deliberative process privilege if an agency decisionmaker chooses to "adopt or incorporate [it] by reference" as a basis for a decision. NLRB v. Sears, Roebuck & Co., 421 U.S. 132, 161 (1975); see also Afshar v. Department of State, 702 F.2d 1125, 1140 (D.C. Cir. 1983). Even absent formal adoption of a pre-decisional document, this Court has found an inference of adoption where the decisionmaker accepted a staff recommendation without providing a separate statement of reasons for the decision. See, e.g., American Society of Pension Actuaries v. Internal Revenue Service, 746 F. Supp. 188, 191 (D.D.C. 1990) (Exemption 3 does not protect "documents expressing the views actually relied upon by the government in making policy").
See also Coastal States Gas Corp., 617 F.2d at 866 ("even if the document is predecisional at the time it is prepared, it can lose that status if it is adopted, formally or informally, as the agency position on an issue") (emphasis added).

Defendant's vague representations provide no basis upon which the applicability of this caselaw can be determined. Indeed, defendant NSA does not even cite FIPS 185, let alone explain the relationship of the withheld information to the decisionmaking process that culminated in the formal adoption of the standard. Defendant simply cannot shield the underlying rationale for final policy from public scrutiny. See Sears, 421 U.S. at 152 ("the public is vitally concerned with the reasons which did supply the basis for an agency policy actually adopted")./8/

In sum, defendant NSA has failed to demonstrate that the "predecisional" material at issue in this case is properly exempt from disclosure.

Conclusion

Plaintiff's motion for partial summary judgment should be granted; defendant NSA's motion for summary judgment should be denied.

Respectfully submitted,

/sig/
_________________________________
DAVID L. SOBEL
D.C. Bar No. 360418

MARC ROTENBERG
D.C. Bar No. 422825

Electronic Privacy Information Center
666 Pennsylvania Avenue, S.E.
Suite 301
Washington, DC 20003
(202) 544-9240

Counsel for Plaintiff

--------------------------------------

1 Defendant NSC was initially granted a stay of proceedings until July 29, 1994. Order filed on December 1, 1993. The NSC subsequently moved to stay proceedings pending the resolution of another action then pending before the district court. By Order dated September 1, 1994, the Court denied NSC's motion. On April 14, 1995, the NSC filed a "renewed motion to stay proceedings," pending resolution of Armstrong v. Executive Office of the President, No. 95-5057 (D.C. Cir.). By Order dated September 27, 1995, the Court granted NSC's motion.

2 FIPS 185 provides that the SKIPJACK algorithm (upon which the Escrowed Encryption Standard is based) "has been approved for government applications requiring encryption of sensitive but unclassified data telecommunications ...." Id., at 6003 (emphasis added). Indeed, the algorithm may not be used to protect classified information -- the FIPS explicitly provides that "[t]his standard may be used when ... [t]he data is not classified according to Executive Order 12356, entitled "National Security Information," or to its successor orders ...." Id.

3 The law enforcement purpose of the initiative, and of NSA's involvement, is further demonstrated by a letter from Admiral McConnell to Attorney General William P. Barr, dated October 28, 1992:

    Regarding your request of 7 October 1992, we are prepared to provide the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) technical advice and assistance in addressing the challenges to law enforcement posed by the sale and use of products to encrypt voice communications.

Letter dated October 28, 1992 (attached hereto as Exhibit E).

4 Plaintiff does not challenge defendant's withholding under Exemption 3 of a small amount of information that purportedly names NSA employees and identifies the "designators" of NSA internal organizations. See Goldsmith Decl., Para. 24. Nor does plaintiff challenge the withholding of Central Intelligence Agency information from document number 33, as described in the Declaration of William H. McNair (attached to Def. Mem.), and document number 291, as described in the Declaration of Eunice M. Evans (attached to Def. Mem.).

5 Defendant also asserts that "information was withheld from one document pursuant to EO 12356 Sec. 1.3(a)(5) (pertaining to the foreign relations or foreign affairs of the United States)." Id. Plaintiff does not challenge this exemption claim.

6 Under the facts of this case, the Court must also determine whether it is "proper" for information to be classified under circumstances in which Congress expressly intended that it would not be. As plaintiff has shown, one of the primary reasons for placing civilian computer security authority with NIST was Congress' concern that NSA's "natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information." H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The evil Congress sought to prevent -- the classification of information relating to the development of civilian security standards -- has occurred in this case. Such a direct contravention of congressional intent cannot be deemed "proper" within the meaning of Exemption 1.

7 As noted, plaintiff does not challenge the withholding under Exemption 3 of material that identifies NSA employees or NSA organization designators.

8 Without any elaboration, defendant asserts that "[a]ll of the documents at issue were created prior to the final resolution of the issue regarding the issues [sic] presented by the Administration's key escrow encryption initiative. ... That initiative is still ongoing." Def. Mem. at 32 (citing Goldsmith Decl., Para. 17; Vaughn Index at 2). Defendant fails to explain what aspect of the initiative remains unresolved in light of the formal adoption of FIPS 185 as a federal encryption standard.