UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA COMPUTER PROFESSIONALS FOR ) SOCIAL RESPONSIBILITY, ) ) Plaintiff, ) ) v. ) C.A. 92-0972-RCL ) NATIONAL INSTITUTE OF STANDARDS ) AND TECHNOLOGY, et al., ) ) Defendants. ) ____________________________________) PLAINTIFF'S MEMORANDUM IN OPPOSITION TO DEFENDANT'S MOTION FOR SUMMARY JUDGMENT AND IN SUPPORT OF PLAINTIFF'S CROSS-MOTION FOR PARTIAL SUMMARY JUDGMENT Plaintiff filed this action on April 22, 1992, seeking the disclosure of documents withheld by defendants under the Freedom of Information Act ("FOIA"), 5 U.S.C. Sec. 552. Defendants were granted a stay in proceedings to allow the National Security Agency ("NSA") to review the disputed documents. Now defendants -- largely on behalf of NSA -- have moved for summary judgment and asked the Court to sustain their withholding of a substantial portion of the requested information. Plaintiff opposes the government's motion and cross-moves for partial summary judgment. Background In August 1991, plaintiff submitted a FOIA request to defendant National Institute of Standards and Technology ("NIST"), seeking copies of "all documentation and research materials" used or developed by NIST during its selection of a proposed digital signature standard. The Digital Signature Standard A digital signature is the result of a cryptographic process. It provides a means of authenticating the integrity of electronically transmitted data and the identity of the sender, much as a hand-written signature verifies the authenticity of a paper record. On August 30, 1991, NIST announced its selection of a proposed digital signature standard ("DSS") that would be "applicable to all federal departments and agencies for the protection of unclassified information," and would be "intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication." 56 Fed. Reg. 42981 (August 30, 1991). In its Federal Register notice, NIST stated that it had selected the DSS after evaluating several alternatives and that the agency had "followed the mandate contained in section 2 of the Computer Security Act of 1987 that NIST develop standards and guidelines to ' ... assure the cost-effective security and privacy of sensitive information in Federal systems.'" The reference to the Computer Security Act, P.L. 100-235, was significant because, in enacting the statute, Congress sought to vest civilian computer security authority in NIST and to limit the role of NSA. The legislation was passed in reaction to National Security Decision Directive ("NSDD") 145, which President Reagan issued in 1984. The Presidential directive sought to grant NSA new powers to issue policies and develop standards for "the safeguarding of not only classified information, but also other information in the civilian agencies and private sector." H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987). Concerns About NSA's Role The House Report on the Computer Security Act notes that NSDD 145 "raised considerable concern within the private sector and the Congress." Id. One of the principal objections to the directive was that it gave NSA the authority to use its considerable foreign intelligence expertise within this country. This is particularly troubling since NSA was not created by Congress, but by a secret presidential directive and it has, on occasion, improperly targeted American citizens for surveillance. Id. at 6-7; see also The National Security Agency and Fourth Amendment Rights, Hearings Before the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, 94th Cong., 1st Sess. 2 (1975) (Congress has a "particular obligation to examine the NSA, in light of its tremendous potential for abuse. ... The danger lies in the ability of NSA to turn its awesome technology against domestic communications") (Statement of Sen. Church). When Congress enacted the Computer Security Act, it also expressed particular concern that NSA, a secretive military intelligence agency, would improperly limit public access to information concerning civilian computer security activities. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The House Report notes that NSA's natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector. Id. To alleviate these concerns, Congress granted sole authority to the National Bureau of Standards (now NIST) to establish technical standards for civilian computer security. During Congress' consideration of the legislation, "NSA opposed its passage and asserted that NSA should be in control of this nation's computer standards program." Id. at 7. Congress forthrightly rejected NSA's position, noting that [t]he proposals would have charged NSA with the task of developing "technical guidelines," and forced [NIST] to use these guidelines in issuing standards. Since work on technical security standards represents virtually all of the research effort being done today, NSA would take over virtually the entire computer standards [program] from [NIST]. [NIST], in effect, would on the surface be given the responsibility for the computer standards program with little to say about most of the program -- the technical guidelines developed by NSA. This would jeopardize the entire Federal standards program. Id. at 25-26. NIST's Response to Plaintiff's FOIA Request Since the enactment of the Computer Security Act, plaintiff has sought to monitor the agencies' compliance with its provisions. In keeping with those efforts, plaintiff requested relevant information from NIST concerning its development of the DSS -- the agency's first proposed computer security standard since passage of the legislation. In response to plaintiff's FOIA request, defendant NIST initially withheld all responsive documents. The agency claimed that the material was "advisory and predecisional in nature," and that "some of the materials pertain to pending patent applications." NIST made no reference to NSA or any other agency, despite Commerce Department regulations providing for the prompt referral of documents to other interested agencies and notification to the requester of such referral. Plaintiff appealed NIST's decision to defendant Department of Commerce on October 1, 1991, but did not receive a determination of the appeal until June 22, 1992 -- two months after the filing of this action. For the first time, defendants acknowledged that documents responsive to plaintiff's request originated at, or related to, the National Security Agency. Then, in support of their motion to stay proceedings, defendants revealed that the vast majority of responsive documents fell within the disclosure authority of NSA; 142 pages were within NIST's jurisdiction while 1,138 pages were under the control of NSA. NSA's Role in Developing the DSS As the foregoing demonstrates, defendants initially sought to conceal NSA's involvement in developing the proposed DSS. The Federal Register announcement of the proposed standard made no mention of NSA, and the fact that the vast majority of relevant documents was under the control of NSA was not disclosed until after the initiation of this litigation. On April 22, 1993 (the day defendants filed their summary judgment motion), NIST released to plaintiff a number of documents that provide more insight into the role NSA played in the development process. The documents -- released in heavily redacted form at NSA's behest -- suggest that NSA dictated the selection of the digital signature standard in contravention of Congress' clear intent, as described above. For instance, a document dated March 26, 1990, states that NSA provided NIST with two documents during an inter- agency working group meeting. The first, classified CONFIDENTIAL, contained NSA's proposal to NIST containing a cryptographic algorithm and a hashing function which can be used as bases for an unclassified standard for digital signatures used by the U.S. Government. ... The second document, classified TOP SECRET CODEWORD, was a position paper which discussed reasons for the selection of the algorithms identified in the first document. This document is available at NSA for review by properly cleared senior NIST officials. This material suggests that the development process may have become precisely what Congress sought to avoid when it rejected NSA's legislative proposal that "[NIST], in effect, would on the surface be given the responsibility for the computer standards program with little to say about most of the program -- the technical guidelines developed by NSA." H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 26 (1987). There is substantial public interest in the emerging issues surrounding civilian cryptography, generally, and in these documents, specifically. The New York Times recently reported on the information plaintiff has obtained through this litigation and highlighted the issue of whether NSA is acting in compliance with the Computer Security Act. Markoff, U.S. as Big Brother of Computer Age, New York Times, May 6, 1993, at D1. See also Directive Issued to Create New Classification Order, Access Reports, May 12, 1993, at 1-3 ("the records released to CPSR tend to make the case that the NSA has continued to play a dominant role [in civilian computer security]"). As we discuss below, the public interest in this material likely has a direct (and improper) bearing upon defendants' reluctance to disclose it. ARGUMENT As the Supreme Court has recognized, "[t]he basic purpose of [the] FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed." NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978). More recently, the Court emphasized that "[o]fficial information that sheds light on an agency's performance of its statutory duties falls squarely within that statutory purpose." Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749, 773 (1989). The basic principles underlying the FOIA are clearly implicated here, where the disputed documents shed light upon an inter-agency relationship Congress expressly sought to regulate through the Computer Security Act. I. EXEMPTION 1 HAS BEEN IMPROPERLY ASSERTED IN THIS CASE Defendants seek to withhold "NSA information" contained in 14 documents under Exemption 1 on the ground that the material is "properly classified" under the substantive standards of Executive Order ("EO") 12356. The exemption applies to records that are "specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy and ... are in fact properly classified pursuant to such Executive order." 5 U.S.C. Sec. 552(b)(1). Defendants bear the burden of demonstrating that the information is "in fact properly classified pursuant to" both procedural and substantive criteria contained in the Executive Order. Goldberg v. Department of State, 818 F.2d 71, 77 (D.C. Cir. 1987); Lesar v. Department of Justice, 636 F.2d 472, 483 (D.C. Cir. 1980). Under the facts of this case, the Court must determine whether it is "proper" for information to be classified under circumstances in which Congress expressly intended that it would not be. As plaintiff has shown, one of Congress' primary reasons for placing civilian computer security authority with NIST was its belief that NSA's "natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non- national security information." H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The evil Congress sought to prevent -- the classification of information relating to the development of civilian security standards -- has occurred in this case. Such a direct contravention of congressional intent cannot be deemed "proper" within the meaning of Exemption 1. The propriety of the classification under the express terms of EO 12356 is also highly questionable in this case. The Order provides that "[i]n no case shall information be classified in order to conceal violations of law ... [or] to prevent embarrass- ment to a person, organization or agency ...." EO 12356, 3 C.F.R. 166 (1983), reprinted in 50 U.S.C. Sec. 401 note (1988), at Sec. 1.6(a). This prohibition is clearly relevant here, where the withheld material relates to an inter-agency relationship that: 1) NSA opposed during congressional consideration of the Computer Security Act; 2) Congress established over the objection of NSA, rejecting proposals that NIST only be given authority "on the surface" for security standards; and 3) has generated public interest amid indications that NSA might, in fact, be acting as the de facto final authority on civilian computer security standards. Under such circumstances, the Court cannot foreclose the possibility that relevant information has been classified and withheld from disclosure for the improper purpose of "conceal[ing] violations of law ... [or] to prevent embarrassment." Indeed, as the record demonstrates, information concerning NSA's role in the development of the DSS has been only grudgingly (and belatedly) disclosed as this proceeding has unfolded. II. EXEMPTION 3 HAS BEEN IMPROPERLY INVOKED IN THIS CASE The Court's analysis of defendants' claims under Exemption 3 will necessarily be similar to its analysis of the Exemption 1 claims. Defendants once again cite "national security" concerns and seek to withhold the same 14 documents that are classified. Again, the Court must consider the propriety of secrecy claims growing out of an activity that Congress expressly intended would be open to public scrutiny. First, defendants invoke Section 6 of Public Law No. 86-36, 50 U.S.C. Sec. 402 note, to withhold information that pertains to "NSA's INFOSEC-related capabilities, the features of certain algorithms considered for use in the digital signature standard evaluation process, ... and the specific national security considerations that were implicated by the DSS evaluation process." Def. Mem. at 13 (footnote omitted). While Section 6 does qualify as a "statute" within the meaning of Exemption 3, its application is not as sweeping as defendants suggest. In Hayden v. National Security Agency, 608 F.2d 1381, 1389 (D.C. Cir. 1979), the D.C. Circuit held that only where a particular NSA "function or activity is authorized by statute and not otherwise unlawful" will "NSA materials integrally related to that function or activity fall within Public Law No. 86-36 and Exemption 3." (emphasis added). Thus, like EO 12356's prohibition against the classification of information to conceal violations of law, application of Section 6 requires the Court to consider the propriety of the "function" or "activity" that is being protected. The fact that Section 6 authorizes NSA to exercise discretion in withholding or disclosing information in no way negates the Court's obligation to review the agency's determination de novo. "Congress made no provision in FOIA for a lower standard of review in [Exemption 3] cases; instead, review was expressly made de novo under all the exemptions in [the Act]." Long v. Internal Revenue Service, 742 F.2d 1173, 1182 (9th Cir. 1984). Such review "better serve[s] the congressional purpose of assuring that any particular nondisclosure decision was the product of legislative rather than executive judgment." Id. Defendants also invoke 18 U.S.C. Sec. 798, a criminal statute prohibiting the disclosure of "any classified information" concerning cryptography. Once again, in applying this provision, the Court must consider whether the material is properly classified under the terms of the Executive Order. Seeking to avoid such scrutiny, defendants assert that "[u]nder Sec. 798, the propriety of the classification is irrelevant." Def. Mem. at 16 n.12, citing United States v. Boyce, 594 F.2d 1246, 1251 (9th Cir.), cert. denied, 444 U.S. 855 (1979). Boyce, however involved a criminal prosecution and does not stand for the proposition that the statute bars disclosure under FOIA if the Court finds that the material is not properly classified. In short, application of both Public Law No. 86-36 and 18 U.S.C. Sec. 798 requires consideration of the underlying NSA activity at issue in this case (development of the digital signature standard) and a determination of whether that activity is proper under the Computer Security Act. * * * [Material relating to other exemption claims deleted] * * * CONCLUSION For the foregoing reasons, defendants' motion for summary judgment should be denied and plaintiff's motion for partial summary judgment should be granted.
Return to: Digital Signature Standard Page Cryptography Policy Page EPIC Home Page