Gabriel Gutiérrez

Documents Say NSA Pretends to be Facebook in Surveillance , from the Wall Street Journal’s Big Data Blog, written by Reed Albergotti and Danny Yadron

The article “reveals” that the NSA has disguised itself as Facebook to gain access to the computers of targets of investigations. Information on the technique is based on documents leaked by Snowden. The NSA says the accusations are false and Facebook representatives say the technique wouldn’t work anymore because of new security measures implemented by the company.

I thought the article was amusing because it depicts a company whose own privacy policies often spark criticism being used by the government to spy. Furthermore, the company’s own security measures seem to actually be protecting the privacy of targets. If true, the situation described illustrates that there is always a “bigger bully” and that privacy concerns – especially in the on-line setting – are very closely integrated. The article also touches on how the tactic isn’t directed towards mass data-gathering and instead targets specific individuals, presumably already under the NSA’s scrutiny for some suspicious activity.

 

 

 

Monica Perrigino

http://www.broadcastingcable.com/news/washington/ftc-report-gives-props-alcohol-marketing-self-regulation/129967

http://www.just-drinks.com/news/ftc-backs-industry-self-regulation-on-alcohol-advertising-study_id113187.aspx

On March 20, 2014, the Federal Trade Commission issued a 49-page report entitled “Self-Regulation in the Alcohol Industry” in which it expressed its support for the continued self-regulation over alcohol marketing in the country, deeming it “more prompt and flexible than government regulation.” This report provides an excellent, current example of industry self-regulation – illuminating the topic we have been studying in class this week by setting it in a real-life context.

This study is the FTC’s fourth major study on alcohol industry compliance with self-regulatory marketing guidelines, and it found that 93.1% of all measured media ad placements met the industry’s self-regulatory standard (the standard being that 70% or more of the measured audience must be at least 21 years old).

With respect to privacy interests, the report yielded generally positive results, finding that alcohol industry members “appear[ed] to have considered privacy impacts in the marketing of their products.” While the largest chunk of measured media consists of broadcast and print (nearly 1/3 of drinks’ companies marketing budgets are spent on traditional media, whereas only 8% are dedicated toward digital and online advertising), for the most part alcohol companies nevertheless advise consumers how their information will be used with respect to online registration opportunities. They also require consumers to opt-in to receive marketing information, and consumers can readily opt-out when they want to stop receiving such information. Furthermore, use of cookies and tracking tools on brand websites are limited to those needed to ensure that only consumers who have stated that they are 21 years old or older can re-enter the site.

Distilled Spirits Council president, Peter Cressy, spoke in regards to the report with pride. He asserted: “The FTC report clearly shows that the spirits industry directs its advertising to adults and is a leader in self-regulation” – further embodying a tone of positivity and optimism in regards to the success of self-regulation in this area.

Despite this positive feedback, the FTC has nevertheless made a series of recommendations for how to improve the system. Some recommendations for online marketing efforts include forcing consumers to enter their dates of birth, instead of just asking them to confirm that they are at least 21 years old and encouraging any medium where compliance falls below 90% to target an audience with a higher 21-plus audience so that it will meet the standard when the ad actually appears. Cressy insisted that “DISCUS will give careful consideration to the recommendations in the report.”

The full text of the report can be found here.

 

 

 

William Brewer

Privacy Group Calls for Federal Investigation of Facebook’s $19 Billion WhatsApp Deal

By Will Oremus

A DC information privacy think tank, Electronic Privacy Information Center (EPIC), has filed a complaint for the FTC to investigate the recent $19 billion acquisition of the cell phone app “WhatsApp” by Facebook. The crux of the investigation will focus on whether WhatsApp has made privacy policy promises to consumers that it will be unable to keep under new ownership. Due to Facebook’s history of collecting data from acquired companies, EPIC asserts that there is a legitimate fear that it will do so again. The worry, then, is that Facebook, upon acquisition, will extract user data gathered by WhatsApp before the acquisition, while the previous privacy policies were in place. It may be a separate (and additional) question whether there are sufficient safeguards against future privacy policy violations (post-merger) for WhatsApp users (e.g. WhatsApp users with previously held expectations of privacy not being able to opt-out of new Facebook practices). The starkness of privacy policies between WhatsApp and Facebook couldn’t be more pronounced. While Facebook is known for using user data for advertisements, etc., WhatsApp’s policy ensures that “contents of any delivered messages are not kept or retained by WhatsApp,” though it does keep some meta-deta (phone numbers and time-stamps).

The author notes that acquisitions like this are rarely halted on privacy grounds, with the FTC relying often instead on competition-based effects for disapproval.

 

 

 

Ian Ratner

http://mashable.com/2014/03/21/microsoft-privacy-hotmail/

In March of 2014, Microsoft came under significant scrutiny after using a loophole in its privacy policy to read through a user’s Hotmail emails and instant messages. In conducting this search, Microsoft was seeking information regarding one former employee’s alleged misappropriation of trade secrets. The search itself was lawful because Microsoft owns Hotmail, the trade secretes were related to Microsoft software, and therefore the search was conducted to protect Microsoft’s own property – which is permissible under the Electronic Communications Privacy Act.

Despite its legality, the search obviously drew a lot of negative attention. Indeed, a separate article in the New York Times pointed out that many users felt hesitant to continue using Microsoft’s services given the loophole. As a result, Microsoft decided to publicly tweak its privacy policies to mitigate these concerns. This is particularly important with regard to information privacy law because the FTC not only concerns itself with a company’s privacy policy, but also with a company’s public statements and notice.

Microsoft’s new privacy policy relating to searches of its own users’ email and instant messages is complex. First, Microsoft will employ a legal team separate from its investigation team to assess the risk to Microsoft’s property. Second, if the legal team finds that there is sufficient evidence to warrant the search, then Microsoft will relay the information to a former judge to receive his or her opinion on the matter. These steps are intended to replicate the steps Microsoft would need to conduct if the warrant process were actually applicable. In the same vein, Microsoft proclaims that its legal team will also take steps to make sure that the search is confined to original risk to its property – i.e., that the search does not invade more of the user’s search than necessary. The last part of Microsoft’s new policy involves transparency: the company will include in its bi-annual reports data regarding the number of these searches that it conducts.

This new policy is important in the context of the FTC because the new policy would certainly be material to new users, which affects whether the FTC could find deceptive practices. In other words, this new policy will assuredly affect whether users continue to use Microsoft’s products, so it is important that Microsoft adheres to this policy going forward.

 

 

 

Sharon Steinerman

http://www.motherjones.com/politics/2014/01/are-fitbit-nike-and-garmin-selling-your-personal-fitness-data

Wearable technology has become increasingly popular over this past year, as technology companies have looked to market a new type of device to tech-savvy users who already own smart phones and tablet devices. Wearable tech has particularly taken off in the areas of health and fitness, as companies like Fitbit and Nike have begun successfully marketing smart watch-like devices that can serve as pedometers, calorie counters, sleep monitors, and general fitness trackers. Users can even sync up these devices with various apps on their phones and computers to better keep track of their fitness plans.

However, according to Mother Jones, the FTC has become increasingly concerned about the volume of data that the makers of these devices are collecting and, potentially, selling. In addition to tracking your location, these devices offer the option for users to input sensitive and ostensibly private medical information, such as blood pressure and glucose levels. Most devices also encourage users to input gender, weight, height, age, and other sensitive personal information. Although these companies have privacy policies that outline individual user identity protection, the information may still be collected in the aggregate and potentially sold to advertisers.

Other concerns stem from the interactions between these devices and other fitness applications. Fitbit, for example, a company that makes a range of fitness trackers that can monitor activity and sleep levels as well as nutritional information, allows and even encourages users to set their devices to interact with third-party applications for calorie counting and weight loss monitoring. These third party applications have their own privacy policies that may offer incredibly limited privacy protection, but the makers of these applications are similarly provided with sensitive health information by users of the wearable fitness technology. This information may then be sold to advertisers, all without users ever being aware of this gaping privacy breach.

 

 

 

Julie Ann Rosenberg

http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/21/facebook-says-states-shouldnt-regulate-online-teen-privacy-the-ftc-disagrees/?tid=pm_business_pop

Facebook and the Federal Trade Commission (Hereinafter, “FTC”) currently disagree about the interpretation of a children’s privacy law. The FTC recently filed a brief in the current case, Batman v. Facebook.  If adopted, the FTC’s position would hurt Facebook’s argument in this ongoing district court case in California.

The disputed issue between the FTC and Facebook, is whether or not states can enforce their own laws governing teen privacy.  Currently, the Children’s Online Privacy and Protection Act (COPPA) only applies to and protects children under the age of 12.  Facebook contends that therefore states may not enforce their own state laws regulating teenagers’ privacy (children above 12 years of age).

The case arose from a 2012 settlement regarding Facebook’s “sponsored stories,” or advertisements that used users’ information.  The users who are challenging the settlement argue that the settlement violates state privacy laws, because it doesn’t require teens to receive permission from their parents before appearing in Facebook advertisements.  Facebook contends that since the COPPA (federal protections) only apply to children up to age 12, older teens’ Internet activities cannot be subject to restrictions, even under state law.  In its filing, the FTC directly disagreed with Facebook, and outright declared Facebook’s position as wrong, and unsupported by the language, structure, and legislative history.

 

 

 

Kate Englander

“Pot shops wary of privacy concerns in handling customer information”

Colorado Amendment 64, which went into effect on January 1, 2014, legalized the sale and personal consumption of marijuana through an amendment to the state’s constitution.  This article addresses the way in which Colorado’s marijuana dispensaries are addressing their customers’ privacy concerns after the passage of Amendment 64.  Because it is still illegal to sell and use marijuana under federal law, and because marijuana use is still largely taboo, many users are concerned about maintaining their privacy.

While consumers might freely give personal information, such as their name, phone number, and address, at many retail stores, marijuana retailers in Colorado are wary of the fact that their customers may not wish to have their name or personal information associated with marijuana use in any sort of collected database.  On the other hand, marijuana dispensaries must weigh the privacy concerns of their customers against their own objectives.  First, dispensaries have an interest in tracking their customers’ preferences and purchasing habits in order to target advertising and promotions to them.  Furthermore, some dispensary owners are concerned about verifying customers’ identity to protect against credit card fraud.

The amendment itself does not require dispensaries to collect personal data about customers – they need only verify that the customer is 21 or older under the law.  This requirement stands in contrast to the medical marijuana laws in California, where dispensaries are required to track patients’ personal information.

Often when we have considered the collection and dissemination of identities aggregated with commercial data, it has been difficult to identify the harm. Are there real quantifiable damages in the dissemination of consumer preferences, when they indicate that a certain customer prefers a certain brand of makeup, or frequently purchases high-end jewelry? Courts have often regarded the potential damages as relatively minimal.  However, the collection of personal information in connection with marijuana purchases provides an example collection of personal information in association with purchasing data can lead to definite harm to a person’s reputation or perhaps even to criminal liability.

 

 

 

Abigail Everdell

“Give Me Back My Online Privacy: Internet Users Tap Tech Tools That Protect Them From Prying Eyes” – Wall Street Journal

This article outlines a number of programs that have emerged as popular tools for limiting the collection of data on the internet. The article acknowledges that only 8% of internet users make use of such programs, a number the author seems to consider large, but which still strikes me as small in light of the high number of Americans who are concerned about data collection. Nevertheless, the article has a hopeful tone, suggesting that emerging programs are more successful at helping users find a “middle ground” of data collection–one which doesn’t block all collection, but does allow a certain measure of awareness or control regarding when and how data is being collected.

I thought this article was particularly relevant to our readings this week as it suggests that market self-regulation, while not a complete solution, may be making strides towards addressing the problem of indiscriminate commercial data collection on the internet. Professor Rubinstein, according to his article excerpted in our readings this week, might refer to these kinds of programs as “privacy-friendly PETs [Privacy Enhancing Technologies],” an aspect of “Privacy by Design.” The underlying assumption of the materials we read, however, seems to be that data collection companies must implement PETs on their own, and the financial incentives to do so are not compelling. The proliferation and growing popularity of third-party PETs described in this article, however, suggests that there may be hope for the market to better address consumer preferences in some regard.

 

 

 

Ann Lucas

Recent FTC Ruling Could Cloud Data Security Enforcement by John Moore, iHealthBeat Contributing Reporter
The FTC filed an administrative complaint under the Section 5(a)(1) of the FTC Act’s ban on “unfair … acts or practices” in August of 2013 against LabMD, a medical testing lab, for data security breaches involving consumer health data. More specifically, the complaint alleges that a LabMD spreadsheet containing names, social security numbers, dates of birth, medical treatment codes of more than 9,0000 consumers was found on a peer to peer network in 2008. On Jan 16, 2014, the FTC denied LABMD’s motion to dismiss by a 4-0 unanimous vote. Last week, LabMD filed suit in federal district in Northern Georgia claiming that the August 2013 administrative complaint filed by the FTC against the firm, “is arbitrary, capricious, an abuse of discretion and power, in excess of statutory authority and short of statutory right, and contrary to law and constitutional right.” LabMD alleges that the FTC lacks the jurisdiction under Section 5 of the Federal Trade Commission Act to regulate personal health information security practices. Moreover, the firm claims that HIPAA/OCR takes precedence over the FTC in the realm of data security with respect to health care.

 

This article highlights the steep costs of an FTC enforcement action. LabMD has ceased operations due to the high costs of its legal battle with the FTC. Additionally, although FTC fines amount to only $16,000 per violation and are lower than HIPAA’s maximum fines, which are capped at $1.5 million, the 20-year privacy audits add to the high cost of such actions. Mac McMillan, the CEO of an IT consulting firm estimates that the cost of conducting periodic audits could prove more expensive in the long run than a HIPAA fine. “You’ve got the cost of an external monitor for 20 years,” McMillan said, noting that the audits are conducted by a third party. He said, “It’s not just the cost, but being under the microscope for 20 years,” adding, “That is an awfully long time to have the government … reviewing what you are doing.”

 

 

 

Ilana Broad

The United States government has been struggling to maintain open honesty under President Obama in the recent years. New statistics regarding the amount of time it takes the federal government to respond to a FOIA request and the frequency with which they deny FOIA requests show an increase in, both, the time it took to get a response and the number of rejections. [1] The study, based on government-released statistics from almost 100 federal agencies over six years, shows a major setback in the government’s response to citizens’ desires for government openness and accountability.

While FOIA requests were up approximately 8% in the last year, government response to FOIA requests for information went up only 2%, and the documents released were censored more often than ever before. White House spokesman Eric Scultz believes that these statistics are good – they show that the government is responding to FOIA requests more often and more quickly than ever. The problem with his perspective on these statistics, frankly, is that it’s wrong – federal agencies, on average, took longer to respond to FOIA requests than in previous years. Perhaps some of the issue stems from a lack of inter-agency communication in an era when information crosses agency borders very often. In fact, there have been instances where FOIA requests by one agency were answered with very censored documents, and when other requests for the same documents from another agency/representative come back with entirely open documents. [2]

Most importantly, 36% of all FOIA requests (that means including the requests that don’t get responses) are rejected or censored. The reasons cited for refusal to grant a FOIA request speak volumes about this troubling trend. Reliance on the national security exception to FOIA openness has doubled since Obama’s first year in office. The NSA saw a 138% increase in number of FOIA requests – which may account for some of the increase in reliance on the national security exception – but the NSA denied full access to information requested 98% of time.

Reporters have noted how “abysmal” federal openness has been, and even our Congress-people are on notice as to how dissatisfied FOIA applicants have been. Some people blame it on bureaucracy and some find more grim conspiracies to point to. Regardless of the reasons behind this increase in government secrecy, it’s important to remember how necessary government openness and accountability are for a democratic society. The Electronic Frontier Foundation has been on the forefront of keeping the government, specifically the NSA, honest. [3] In the last five years, EFF litigation has been responsible for exposing numerous domestic investigations done without Congressional or court approval, and sketchy attempts at maintaining secrecy and undisclosed information practices.[4]

 

 

 

 

 

 

Jeffrey Ritholtz

http://washingtonexaminer.com/obama-administration-faces-foia-fire-over-ambassador-picks/article/2545253

http://washingtonexaminer.com/examiner-editorial-foia-reform-a-step-forward-for-government-transparency/article/2544763

The Obama administration has come under fire in recent weeks for its failure to publicize the “Certificates of Demonstrated Competence” that the State Department fills out and submits to the Senate Foreign Relations Committee prior to nomination hearings for foreign ambassador candidates. The American Foreign Service Association, a labor union for diplomats, has filed two FOIA requests as of February 28 asking for release of these documents, but the administration has not yet responded. The union is concerned with the recent nomination of ambassadors to Iceland, Argentina, and Norway, each of whom has limited if any experience in diplomacy but has raised a significant amount of money for President Obama’s presidential campaign efforts. The State Department has maintained that it is working within parameters of the FOIA statute, which requires responses to FOIA requests on a first-come, first-served basis. It has noted that more than 18,000 FOIA requests are received by the government each year, requiring a great amount of time and resources to sort through. Not persuaded by the government’s claims, however, AFSA has threatened to sue if the requested documents are not revealed by an imposed deadline. The State Department has refused to disclose when it plans to respond to the outstanding FOIA requests for this documentation.

This story is particularly important in light of the bill recently passed by the House, which intends to simplify and expedite the FOIA request process. The bill would create a “presumption of disclosure” for all FOIA requests, consistent with a recent executive memorandum from President Obama. Perhaps more importantly, the FOIA Oversight and Implementation Act of 2014 would expand the online platform for FOIA requests and centralize the requests in a single online web portal supervised by the Office of Management and Budget. Essentially, the bill would remove the current hurdles of inter-agency coordination and communication that currently obscure the FOIA process and lead to major lags in response time to FOIA requests. Furthermore, the web portal would permit updated tracking of requests in the system, granting submitters knowledge of where their specific requests stand in the process and greatly increasing the transparency of the system. Finally, the bill would establish an Open Government Advisory Committee that would be responsible for creating an ongoing dialogue about the effectiveness of FOIA and potential reforms to the statute.

These proposed reforms to the FOIA statute would seemingly prevent situations like the one discussed earlier involving President Obama’s choices for foreign diplomats. Under the new statute, AFSA would no longer have to constantly press the State Department about its requests through the media, but rather it would be able to submit its requests online and track them fully throughout the review process. In addition, the whole system would be sped up by the centralization proposed in the bill, so that AFSA would likely have already received a response to its requests under the new legislation. Because FOIA was originally intended to shed light on some dark areas of the federal government by allowing access to previously undisclosed information, it seems appropriate that the system itself should be transparent enough to permit relatively quick and painless responses to disclosure requests. If the proposed bill should pass through Congress, we will hopefully begin to see the development of such transparency.

 

 

Jennifer Gautier

 http://www.ibtimes.com/edward-snowden-sxsw-2014-what-whistleblower-said-about-nsa-surveillance-protecting-privacy-online

This article discusses Edward Snowden’s recent Google Hangout event at SXSW 2014.  The former CIA and NSA employee, now infamous for whistleblowing and disclosing thousands of classified documents revealing a global surveillance program run by the NSA and other government agencies, addressed a crowd of more than 7,000 SXSW attendees and countless others via live stream Monday morning. Through a live video feed broadcast from an undisclosed location in Russia (and bounced through many proxies around the world to help maintain location anonymity) Snowden spoke to the audience with Chris Soghoian, the principal technologies at the ACLU, and Ben Wizner, the director of the ACLE’s Speech, Privacy and Technology Program.

Snowden used this platform as a sort of call to arms to the tech community, calling on them to create solutions to privacy violations that would be accessible by the average Internet user. Snowden and Soghoian stated that many of the tools that currently exist to protect privacy and security online are too difficult for the average person to use; they need an easier way to encrypt their data.  According to Snowden, the out of the box solutions currently available to the average user are not effective at circumventing the NSA’s surveillance programs. In response to a question asking what steps the average Internet user can take today, Snowden suggested that people encrypt their physical hard drives and networks, and use the program Tor to encrypt their web traffic. (For more on Tor, see this article from The Guardian.)

Ultimately, Snowden believes in order to combat mass surveillance, “we need to think of encryption not as an arcane, dark art, but as a basic protection”. Encryption alone will not defend against a targeted spy attempt against an individual, but the presenters believe it is the best strategy to defend against mass surveillance, as it will make it too expensive to spy on everyone. Snowden believes that by forcing the government to focus not on mass monitoring and data collection, but on the targeted surveillance of suspects, the surveillance programs will pose less of a privacy threat to average citizens and will also be more effective at preventing crimes. Snowden claims that if the NSA focused less on mass surveillance, it might have been able to prevent the Boston Marathon bombings.

The event also included discussion on data collection by private companies and accountability standards for government organizations. Snowden concluded his presentation by commenting on the motivation behind his decision to leak the NSA documents that lead to his worldwide notoriety and exile. “I took an oath to support the Constitution, and I felt the Constitution was violated on a massive scale,” he said. “The interpretation of the Constitution had been changed in secret to ‘no unreasonable search and seizure’ to ‘any seizure is fine, just don’t search it’ and that’s something that the public ought to know.”

 

 

Cynthia Benin

Feds Refuse to Release Public Comments on NSA Reform — Citing Privacy

Article by David Kravets

The Obama administration’s newly professed commitment to transparency was called into question recently when the Office of the Director of National Intelligence (ODNI) refused to produce documents pursuant to a FOIA request for information about third-party proposals for managing NSA cell-phone metadata.

The backstory: On January 17th, President Obama announced that he would explore several of the recommendations set forth by an outside review group he assembled to evaluate the NSA’s current practices and identify areas for reform.  One such recommendation would remove vast stores of bulk data from the government’s control and instead enlist third parties or cell phone service providers to store the data and pass on small bits of information to the government in response to specific queries.  Obama expressed skepticism at the feasibility of such arrangement but instructed the intelligence community and the attorney general to develop options and report back.

In early February, ODNI chief James Clapper put forth a Request For Information (RFI) soliciting information “about existing commercially viable capabilities” for storing telephone metadata.  Twenty-eight proposals were received by the end of the submission period on February 12th. Wired magazine immediately submitted a FOIA request seeking release of these documents. Two weeks later, Wired received the response that the ODNI was withholding the material in its entirety.

In its denial, the ODNI cited FOIA exemptions (b)(4), which corresponds to trade secrets and confidential commercial data, and (b)(6), which applies to personnel and similar files which release would cause an “unwarranted invasion of personal privacy.” Wired contests the validity of such exemptions given that the RFI explicitly advised responding companies to “ensure that the submitted material has been approved for public release.”  Wired is currently appealing the denial.

 

 

Ben Notterman

A February 25th article by Nate James of the National Security Archive examines the FOIA Oversight and Implementation Act, recently passed by the House and presently under review by the Senate Committee on the Judiciary. Despite well-documented frustration with the government’s general approach to issues of privacy, this FOIA reform bill has attracted relatively little media attention. James offers a useful analysis of how the bill in present form would improve FOIA and how, more notably, it would not.

First, James approves of a provision requiring all agencies to update their FOIA regulations within 180 days of the bill’s passage. Many agencies have exacerbated FOIA’s shortcomings by failing to update regulations to reflect policy changes, including those required by the OPEN Government Act of 2007. The Federal Trade Commission, for instance, last updated its regulations in 1975. Given that society now depends more than ever on the free transmission of information, this sort of administrative inaction should not be taken lightly.

Section Three of the bill calls for the creation of an online FOIA request system, enabling citizens to issue and track requests for all federal agencies through one “centralized portal.” While this system would almost certainly make FOIA more efficient and user-friendly, James urges Congress to “take the final, logical step and require that agencies join the 21^st century” by posting all disclosures online, thereby extending access from a single requestor to the entire public, at no additional expense. (First-party releases would, of course, be excluded).

James makes a good point. It is difficult to conjure up a legitimate basis for not posting disclosures online for the general public, such that “a release to one is a release to all.” Indeed, FOIA’s mandate for granting disclosures presupposes a right of access to all members of the public, not merely those willing and able to make requests. Online posting would more directly stimulate public debate and render FOIA more transparent, while avoiding redundant disclosures and lowering operating costs. Furthermore, when it comes to keeping the government in check, there is great power in numbers, for the gaze of a thousand voters is more difficult to ignore than the gaze of one. As James insinuates, excluding such a policy from the bill undercuts the administration’s purported commitment to a “new era of openness.”

The bill does codify a general “presumption of disclosure,” a policy previously articulated in a 2003 DOJ memorandum from former Attorney General John Ashcroft. The presumption’s practical effect is unclear, however, since the burden of nondisclosure already rest with the government. Perhaps it was meant as a symbol of the administration’s renewed commitment to government transparency, to diffuse throughout the 101 agencies subject to FOIA. Of course, achieving government transparency requires more than airy declarations and symbolic gestures; more practical changes would focus on narrowing FOIA’s various exemptions.

To that end, James targets a few exemptions he believes are particularly in need of reform. The first is provision b(3), covering all information “specifically exempted from disclosure” by other statutes. James points out that no fewer than 170 such statutory exemptions are triggered by b(3), covering a broad range of peculiar subject matter, from “cigarette additive information” to  “obscene matter”  to “information on watermelon growers.” As an alternative to b(3)’s categorical exemptions, James proposes the use of a judicial “harm test,” which would balance the government’s interest in nondisclosure with the public’s interest in learning the requested information. James also calls for revision of exemption b(5), excluding all “inter-agency or intra-agency” communications. To be sure, the sheer volume of information implicated by b(5) is enormous, and there is little to prevent agencies from exploiting this exemption prospectively, by framing documents as “internal” memoranda to provide basis for future nondisclosure.

On the whole, I agree with James: the FOIA Oversight and Implementation Act is a small, yet significant step in the right direction. To achieve more meaningful reform, Congress must target FOIA’s capacious exemptions.

 

 

Reagan Lynch

http://www.politico.com/blogs/media/2014/02/house-unanimously-passes-foia-bill-184049.html

House Resolution 1211, the FOIA Oversight and Implementation Act of 2014, received unanimous approval in the House of Representatives on February 25, 2014.  The bipartisan bill was co-sponsored by Darrell Issa (R-CA) and Elijah Cummings (D-MD).

The bill would establish new procedures to increase the speed and efficiency of Freedom of Information Act (FOIA) requests including a centralized portal for filing FOIA requests under the oversight of the Office of Management and Budget (OMB) as well as mandating public disclosure of information when information is released to an individual pursuant to their FOIA request.

The bill reached the Congressional floor in response to the following Executive Letter issued by President Obama: http://www.whitehouse.gov/the-press-office/freedom-information-act.  In the letter, President Obama advocates for a clear policy position that when in doubt, agencies should disclose requested information rather than maintaining confidentiality.  He obliquely addresses concerns about the retention of embarrassing or otherwise non-confidential material and encourages the Department of Justice (DOJ) and OMB to implement new policies encouraging full and frank disclosure.  For a more in depth look at these issues, consider the 2011 study completed by the American Civil Liberties Union comparing non-redacted information disclosed by Wikileaks with the same documents obtained by subsequent FOIA requests. https://www.aclu.org/wikileaks-diplomatic-cables-foia-documents.

In its current form, there may be some concern about the House bill’s centralization of the FOIA process through OMB.  An argument might be made that this centralization could tighten the reins on FOIA disclosures; however, by exposing the request to both OMB and the agency holding the requested information, it is likely that the agency will be more likely to disclose non-confidential materials that may otherwise have been retained in the interest of the particular agency.  Similar concerns might be raised about the provision for full public disclosure in response to a FOIA request.  Where perhaps an agency might have been less circumspect when disclosing to a single individual, disclosure in a public forum may create a presumption against broad disclosure and undercut President Obama’s push for broader disclosure.

If the bill passes the Senate and is enacted, the merits of these procedural changes may be evaluated.  In combination with increased Executive Branch oversight through the DOJ, the bill will hopefully act to bring greater transparency and efficiency to the FOIA process.

 

 

Rebecca Shieh

http://www.bna.com/doctors-wary-cms-n17179882230/

The Centers for Medicare & Medicaid Services (CMS) is reversing its long-standing policy on the release of Medicare billing data. Under its previous policy, the agency would not disclose physician payment data in response to Freedom of Information Act (FOIA) requests, finding the public interest insufficient. This was largely influenced by the permanent injunction issued in Florida Medical Association, Inc., et al. v. Department of Health, Education, and Welfare, et al. (M.D. Fla. 1979). There, the court reasoned that physicians had a compelling right to privacy that would be violated by the release of such payment information. The injunction was eventually dissolved by the Middle District of Florida on May 31, 2013, after media outlets investigating alleged fraud and abuse by physicians pushed for the release of the data. In light of this, CMS reversed its policy in a January 17, 2014 notice, which goes into effect on March 18. FOIA requests will now be reviewed on a case by case to determine if “exemption 6” applies. FOIA Exemption 6 protects information about individuals in “personnel and medical files and similar files” when the disclosure of such information “would constitute a clearly unwarranted invasion of personal privacy.” 5 U.S.C. § 552(b)(6).

This touches upon the common tension between the public interest in disclosure and basic privacy interests. If the dialogue leading up to Sunshine Week (March 16-22) is any indication, physicians may experience further exposure of their coding and billing patterns as efforts to strengthen FOIA gain momentum. Just last month, the FOIA Oversight and Implementation Act passed unanimously in the House. The proposed legislation hopes to address some of the concerns brought up again during the March 11 Government Transparency hearing chaired by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. There, experts testified about a “culture of obfuscation,” extensive backlogs, and increased use of FOIA exemptions to prevent disclosure. A recently released federal agency scorecard by the Center for Effective Government supported this testimony, reporting long delays, inadequate regulations, and lack of user-friendly websites.

The FOIA Oversight and Implementation Act would make it more difficult for agencies to withhold information and move more FOIA processing online. Changes include a presumption of openness which requires agencies to justify withholding information rather than requiring the public to justify release, a centralized online portal for all information requests, and the publication of documents requested three or more times. If such reforms come to pass, CMS will find it more difficult to deny requests for physician billing information and this previously unavailable data is certain to become more easily accessible.

 

Robyn Lym

The Definition of an Adequate Determination under FOIA

Last April, the U.S. Court of Appeals for the District of Columbia ruled that in order for a government agency to comply with the FOIA deadline for a determination within 20 days, the agency’s response must be meaningful. Under FOIA, the requester must exhaust administrative appeals within the agency before the requester can can sue the agency in federal court for not producing documents. If the agency complies with the request by the deadline, the agency has complied with its requirements under the statue and a requester must appeal within the agency to appeal the decision. If the agency does not comply with the request, the exhaustion requirement is satisfied and the requester may sue the agency in federal court. The court considered what constitutes a sufficient determination.

The FEC and the DOJ argued that it is sufficient response to inform the requester by the deadline that the agency will be producing nonexempt documents in the future and claiming exemptions. However, the D.C. Circuit held that agencies must state which documents they are producing, which documents they are withholding and why. The article argues that the interpretation of the statue proposed by the government would undermine the purpose of the statue, as allowing agencies to answer requests with vague language does not further the policy objectives of FOIA.

 

 

Edward Rooker       

“Freedom of Information Act law ‘terribly, terribly broken,’ expert tells Senate panel”

Lejla Sarcevic, Washington Examiner

The Senate Judiciary Committee is currently reviewing the FOIA Oversight and Implementation Act of 2014.  The bill, which passed the House unanimously in February[1], is being strongly advocated for by journalists who believe that the current FOIA law is ineffective. This article highlights the criticisms from the journalism community that were presented to the Senate Judiciary Committee by David Cuillier, the President of the Society of Professional Journalists, as well as from other individuals.

A majority of the criticisms of the current FOIA system is the backlog of requests that have built up as a result of the lack of oversight.  The Center for Effective Government recently graded the 15 federal agencies that receive the most FOIA requests, placing a large amount of weight on the an agencies’ ability to process information requests in a timely fashion.[2] This report card resulted in 7 of the 15 federal agencies receiving failing grades.

In response, the Departments of Justice’s Office of Information Privacy, the group tasked with overseeing FOIA compliance within the executive branch, pointed out that of the 99 agencies subject to FOIA, 29 had no backlog at all and 73 have a backlog of a one hundred requests or less.  Nevertheless, the backlog of FOIA requests does not seem to be getting any better.  As the article points out, the DOJ’s own backlog has worsened over the past three years.

Members of the Senate Judiciary Committee also expressed their displeasure with the current system.  Senator Chuck Grassley (R-IA) said there was a culture of obfuscation” among FOIA officials and Committee Chairman Patrick Leahy (D-VT) pointed out a 41% increase in the federal agencies use of FOIA exception 5.[3]  These issues combined with the current climate of public skepticism of government and a weakening of public support for government secrecy, even for issues of national security, seems to set the stage perfectly for Congressional reform of FOIA.

The amendments proposed by the FOIA Oversight and Implementation Act of 2014 would address the failures of the current FOIA system and the backlog that has been created.  One of the proposed amendments would give increased oversight to the Office of Government Information Services of the administration of FOIA requests.  The bill would also create a presumption of disclosure for all FOIA decisions with an exemption only for a “foreseeable harm from disclosure.”  This change shifts the burden of proof from the requester to the government agency.  The amendments would also require the Office of Management and Budget to create a single website for submitting FOIA requests and checking on the status of such requests. The bill would require the agency to release information publicly once it is released to individual journalists.

It doesn’t seem like this bill will face any opposition from the President.  The bill itself has been described as a mere codification of President Obama’s executive memorandum issued January 21^st, 2009, the President’s first full day in office.[4]  With this in mind and the bill now sitting with the Democratically controlled Senate, it seems that amendments to the current FOIA system are imminent.  Only time will tell if these  amendments will bring the changes in government efficiency and transparency that the journalism community and the American public as a whole are hoping for.