Blog

By: Piotr Semeniuk

According to the National Conference of State Legislatures, last week the Department of Homeland Security confirmed that subsequent six states – Alabama, Florida, Kansans, Nebraska, Utah and Vermont – comply with the REAL ID Act. The Real ID Act, enacted with a motivation of enhancing national security after 9/11, sets minimum document criteria for state-issued driver’s licenses and identification cards.

Pursuant to the REAL ID Act, the non-compliant state IDs will be starkly underprivileged under the federal law. The bottom line is that the non-compliant IDs will not be accepted for the so-called federal “official purposes,” e.g., boarding a commercial plane or entering a federal facility.

Beloved by some conservative thinks tanks (such as the Heritage Foundation) and vivaciously questioned by civil rights advocates (such as ACLU) the act triggered some opposition among the states themselves. Last year several states, including the Montana’s governor Brian Schweitzer (listen to the governor discussing his opposition to REAL ID here), sent formal statements to Congress in which they underline the exorbitant costs of the REAL ID Act’s implementation as well as privacy concerns.

The opposition of some state gave rise to a weird legal and political landscape. In this landscape the DHS is regularly setting deadlines for implementation of the Real ID Act and states have constant troubles meeting the required deadlines (to say the least). As a result, the full implementation is being constantly delayed whereas the states and its citizens don’t face any sanctions. The recent deadline was to lapse on 15 January 2013. However, on December 2012 the DHS announced that after January 15, 2013 “states not found to meet the standards will receive a temporary deferment.” This means that residents of the non-compliant states (still the majority of states) will be allowed to enter federal buildings and use interstate plane connections. So far, the period of the determent period remains undefined, and the DHS is heralding to develop a schedule for the phased enforcement of the REAL ID states commitments “by early fall 2013.”

Where is it all going? It seems that the nationwide implementation of the Act is stuck in limbo. My guess is that the federal government would not resort to a sanction of rejecting the cards issued by non-compliant states. Such rejection would cause, with regard to the ban on boarding planes, a paralysis of the movement within the whole country. The DHS even admits its non-readiness to hit the ordinary people with sanctions by announcing that, while developing a schedule for the phased enforcement of the Act, residents of all states “will be treated in a fair manner.” Hence, at least so far, the rebellious states will likely have a final saying in relation to the implementation of the REAL ID Act.

However, these of advocates focusing on the Real Act should be cautious not to overlook another legislative effort that comes close to what some people call “a de facto ID national database.” What I have in mind is the so-called E-Verify system. E-Verify is a national, electronic database administered by the Department of Homeland Security (you can access E-Verify here) where employers can check if a person can legally work in the US. So far the system has been voluntary for employers. If they participate in E-Verify, when they hire an employee, they are required to enter information into the system via the web. E-Verify will then determine whether an employee got an approval or not. The system has been criticized for many flaws, including frequent errors leading to mischaracterization of the employees’ status (watch Chris Calbrese from ACLU discussing the downsides of E-Verify here).

Pursuant to ACLU, last week a group of eight bipartisan senators ( the so-called Gang of Eight) proposed a reform to federal immigrations laws expanding the scope of E-Verify. If the proposal was passed, E-Verify would come even closer to a de facto ID federal database. First, the proposal calls for the employers’ mandatory participation in E-Verify; second, if passed, it would require states to supply E-Verify with data on state driver’s licenses (including photographs).

It is up for discussion, whether it is a successful implementation of the Real ID Act or a potential modification to the E-Verify system that will bring the US closer to having a de facto ID national database. One thing is certain. There are forces in DC obstinately pushing for electronic collection of more and more identifying data.

By Sisi Wu

In 2011, Thomas Cooley Law School filed a defamation lawsuit against a former student who criticized the school on his blog, which he called “Thomas M. Cooley Law School Scam.” The blogger, “John Doe,” sought a protective order from the trial court to prevent Cooley from disclosing his real name in court documents. The trial court ruled against Doe, finding that slander per se (which Cooley sufficiently alleged in its complaint) is not protected by the First Amendment.

On April 4, 2013, the Michigan Court of Appeals reversed. The opinion surveyed various standards in other jurisdictions for determining when a plaintiff has the right to learn the identity of an anonymous defendant. Without adopting a clear standard, the appeals court determined that the trial court had abused its discretion in refusing Doe’s protective order by failing to properly consider Doe’s First Amendment rights.

Although the decision was lauded by free speech advocates for being protective of anonymous speech, observers (links below) criticized the court for failing to provide a clear standard for future cases and, particularly, for not establishing a notice requirement for subpoenas issued to obtain the identity of anonymous defendants. Without mandatory notice, defendants may not be aware that their personal information is being sought, and thus won’t file motions to quash. This uncertainty could have a chilling effect on anonymous speech.

More information and commentary:

http://www.citizen.org/litigation/forms/cases/getlinkforcase.cfm?cID=691

http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202595256890&Cooley_Law_loses_bid_to_unmask_online_critic_on_appeal&slreturn=20130324223310

http://thefire.org/article/15705.html

http://www.techdirt.com/articles/20130405/15314122604/appeals-court-protects-anonymity-critics-cooley-law-school-could-have-done-more.shtml

By Josh Stager

Medical devices have the potential to significantly improve the quality of patient care, but recent innovations demonstrate that the convergence of health information technology and Big Data are testing the limits of health privacy law. As the Wall Street Journal recently explained, many new devices collect vast amounts of patient data – often without the patient’s knowledge. Medtronic is a leader in this field, as it manufactures many devices that wirelessly collect and transmit data from technology implanted inside patient’s bodies. For example, a defibrillator implant tracks a patient’s heartbeat and provides a shock if the heartbeat stops. It is an important device for people with serious heart conditions, and doctors can use the data collected by the device to provide better treatment. But patients wanting to see data about their own heartbeats are rebuffed.

The pivotal question is: who owns the data collected by such devices? The Health Insurance Portability and Accountability Act of 1996 allows patients to access medical data from hospitals and physicians. However, the data collected by many medical devices is transmitted wirelessly to the device maker. Doctors can only access the data through websites maintained by the device maker – and patients have only been able to access that data from doctors who are willing to share it. Consequently, the data falls outside the scope of HIPAA’s patient access provisions.

While the medical community apparently considers this data to be owned by the companies who develop the technology and store the data, the legal community is less certain. Some argue that HIPAA is too outdated to adequately address the issue, and many patients (and their doctors) have an instinctive sense that the patient must have some ownership rights to the data, given that it is derived from their own bodily functions. Stanford cardiologist Paul Zei articulates the question thusly: “Is the device itself a depository for medical records, or is it part of the patient, and an extension of vital signs that we download into a medical chart?”

While a few enterprising patients have gone to great lengths to access data from their implanted devices (the Wall Street Journal described a man who took a $2,000 training course to learn how to read his device’s data transmissions and persuaded his doctor to copy his data from the manufacturer’s website), patient demand is relatively weak – for now. Few patients actually realize their device is transmitting data until they learn about it through some happenstance disclosure during a checkup. As public awareness increases, patient demand for access to this data will likely grow. Health data analytics is a fast-growing area of smartphone app development, as many people use apps such as Fitbit to track their physical activity or monitor sleep patterns.

Big Data companies also have an interest in the data collected by medical devices. Medtronic has indicated that is looking into ways to monetize the data by selling it to interested third parties. While existing regulations prevent device makers and other third parties from selling data that is patient-identifiable, it is possible that anonymized data could be sold.

Smartphone apps raise another important question: what happens to medical data collected by apps? Such programs are not subject to FDA approval and fall outside the ambit of HIPAA. Nonetheless, phones are increasingly being used to collect and analyze medical data. In addition to health monitoring applications, phone and texting logs have been used by researchers to predict the onset of depression and stress disorders. In this environment, the definition of “medical data” is unclear. Technological innovation appears to be broadening the understanding of what constitutes medical data, but privacy law is stuck in a 20^th Century framework.

Unprotected data from implanted devices, smartphone apps, and other medical technology could ultimately be used against patients. Medtronic envisions a future in which health insurers require those at risk of heart disease to wear monitoring devices or face higher premiums. Harvard research fellow Tolu Odomusu worries that an auto insurance company might buy unprotected medical data to prove that a driver’s sleepiness was to blame for a car accident.

The potential for abuse of medical data is substantial, which is what motivated Congress to enact HIPAA 17 years ago. However, HIPAA is clearly straining to keep up with health information technology, as the advances in medical devices demonstrates. New devices reveal a loophole in privacy laws that device makers, data companies, and app developers have exploited. It seems the only actor not benefitting from outdated laws is the patient. Indeed, the FDA offers little guidance to patients seeking access to their device data, other than telling them to ask their doctors for it. The unsustainability of this situation and the inherent privacy risks should be a call to action for Congress to revise HIPAA for the 21^st Century.

By Scott Snyder

Earlier this month, the 11^th Circuit Court of Appeals ruled in favor of greater privacy protection for the medical data of deceased nursing home patients.  The issue arose when family members of a deceased patient in Florida sought medical records and were denied access.  According to the Health Insurance Portability and Accountability Act of 1996, a federal law, medical records may be released only to a designated “personal representative.”  This conflicted with a less restrictive Florida state law that required nursing homes to release records of deceased residents to spouses, guardians, surrogates, or attorneys.  According to the 11^th Circuit, the more restrictive federal law preempts.

However, while privacy advocates can celebrate this small victory, they face growing challenges from new technologies that spread medical information across more devices and media.  One such medium is health social networking websites, on which users can share information and connect with individuals with similar afflictions.  This creates a significant privacy concern, especially as users frequently do not understand the privacy settings on these websites.  There is also uncertain accountability for third-parties who may wish to access and use data from the sites.

In addition, the growing prevalence of Bring Your Own Device policies raises concerns that sensitive medical information could be gleaned from lost or stolen devices.  These policies can cut costs for businesses that would otherwise have to provide electronic accessories to their employees, but they create vulnerabilities even as they reduce expenses.  A Cisco survey of healthcare workers found that 89% of U.S. healthcare workers use their personal smartphones for work purposes.  Another survey of hospitals found that 85% of physicians and staff use personal devices at work; this usage includes reviewing medical records and transferring files, including radiology images and lab results.  These findings juxtapose starkly with a sample White House BYOD policy that would require users to refrain from downloading or transferring sensitive business data to their personal devices.

While the decision in Florida demonstrates the availability of legal protection for private medical information, gaps clearly remain.  More widespread use of technology is rapidly exacerbating the problem; policymakers will need to work quickly to ensure that the law keeps pace.

By Peter Van Valkenburgh

A Bill’s been floated in the Illinois State Senate that seeks to put an end to anonymous commenting on websites and blogs. The full text is here here: http://legiscan.com/IL/text/SB1614

But here’s the juicy part:

“Section 10. Anonymous internet poster; right to know. A web site administrator upon request shall remove any comments posted on his or her web site by an anonymous poster unless the anonymous poster agrees to attach his or her name to the post and confirms that his or her IP address, legal name, and home address are accurate. All web site administrators shall have a contact number or e-mail address posted for such removal requests clearly visible in any sections where comments are posted.”

The first thing to note is that the text of this bill is word-for-word identical to a bill floated last year in the NY State Legislature (more here: http://www.wired.com/threatlevel/2012/05/anonymous-online-speech-ban/). Is this just a case of copy-cat legislators or are some enterprising torts lawyers shopping a bill state-by-state? As we’ll see, the passage of such a bill would greatly increase a lawyer’s client-base should they just so happen to specialize in defamation and electronic communications.

This brings us to why these bills might be repeatedly cropping up. Given the present state of the law those harmed by online comments have absolutely no possibility of legal relief (damages or injunction) should they be unable to determine the identity of their virtual assailant. Section 230 of the Communications Decency Act provides near bullet-proof immunity to the interactive services (read: yelp, facebook, blogs) that solicit and display user-generated content (“UGC”) like blog comments. These sites are not required to remove and can’t themselves be sued for UGC that is defamatory (see Zeran v. AOL, 129 F.3d 327 (4th Cir. 1997)), or in violation of other state laws — like right to personality claims, right to privacy claims, state prohibitions on sexually explicit advertising (see Doe v. AOL, 783 So. 2d 1010, 1013-1017 (Fl. 2001)), false information (see Gentry v. eBay, 99 Cal. App. 4th 816, 830 (2002)), discriminatory housing ads (see Chicago Lawyers’ Committee v. Craigslist 519 F.3d 666 (7th Cir. 2008)), or threats (see Delfino v. Agilent Technologies, 145 Cal. App. 4th 790 (2006)).

Effectively, CDA 230 immunizes the electronic republishers and distributors of content from all liability stemming from UGC (except liability under federal criminal law (see 47 U.S.C. §§ 230(e)(1)) or federal copyright law (see id. at (e)(2))). So, if you are somehow harmed by UGC and the remedy for that harm would be under state law, your only option is to sue the original author of the content. Trouble is, most of the particularly offensive or damaging UGC out there is, for this very reason, anonymously posted.

With the full legal picture in mind, it is clear why some lawmakers (or the enterprising young defamation lawyers who probably drafted both of these bills) are trying to force UGC contributors to identify themselves. Moreover, to be clear, this wouldn’t just force the identification of comment trolls on blogs — this would “out” yelp reviewers, social networking posters, wikipedia editors, basically the whole kit-and-kaboodle of web 2.0 contributors. Accordingly, you could finally identify and sue the dissatisfied diner that wrote a scathing Yelp review about your restaurant, or the the unhappy couple who claims on Angie’s List that your plumbing company flooded their basement. Moreover, even if your defamation claim isn’t great, you could probably scare them into removing the content or settling by merely raising the spectre of costly litigation.

I can appreciate arguments that the CDA’s sweeping section 230 immunities need to be revisited in light of the complete inability of genuine UGC victims to legally compel intermediaries to remove truly damaging content. But these proposals don’t touch the CDA; instead, they strike at the core of our first amendment right to freely speak in the manner we so choose. Your choice to identify or not is a part of the content of your speech (see McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995)) . Requiring that all electronic speech include identification is no different than any other sort of content-based restriction on speech. It’s unconstitutional and antithetical to the preservation of a flourishing democracy and a flourishing online marketplace of ideas.

By: Amanda Levendowski

In January, the Department of Homeland Security (DHS) quietly published its long-awaited “Civil Rights/Civil Liberties Impact Assessment” of border searches of electronic devices. The actual impact may be an equally quiet erosion of Fourth Amendment rights.

As of 2009, DHS is lawfully allowed to both search and seize devices like smart phones, laptop computers, and other data storage devices (including disks and flash drives) at the border without reasonable suspicion that the devices were involved in a crime. Then-Secretary Napolitano explained that these searches struck “the balance between respecting the civil liberties of travelers while ensuring DHS can take the lawful actions necessary to secure our borders.”

The Impact Assessment executive summary is three pages long, and its treatment of the Fourth Amendment amounts to fewer than ten lines of text. The summary concludes that “current border policy searches comply with the Fourth Amendment,” and that “imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.” The executive summary points to “longstanding constitutional authority” permitting warrantless, suspicionless searches at the border, that authority being directives issued by Immigrations and Customs Enforcement (ICE) and Customs and Border Protection (CBP). While agency directives are persuasive, the summary relies on these directives as if agencies have the power to abridge Fourth Amendment rights.

As American Civil Liberties Union staff attorney Katie Hass explains, the summary “draws the highly questionable conclusion that the border search policy does not violate our Fourth Amendment right to privacy,” but fails to “explain any of the evidence or reasoning its conclusions are based on.”  The ACLU has filed a FOIA request seeking disclosure of the entire assessment, as well as records and data used to compile the report, but no additional information has yet been disclosed.

The DHS executive summary effects many more individuals than just those crossing into Canada or Mexico for holiday. According to 8 CFR § 287.1, the “border” extends 100 miles inland of any external boundary. The government’s definition of a border subjects more than 190 Americans to the possibility of warrantless, suspicionless searches of electronic devices, and more than 6,500 people had their electronic devices searched at the border since 2008.

Just after the DHS executive summary was released, the Ninth Circuit sitting en banc heralded United States v. Cotterman as a “watershed” case. Judge McKeown acknowledged that when American citizens travel now, we carry all manner of electronic devices, from company Blackberries and laptops to personal e-readers and iPhones. Any one of these devices reveals more sensitive, personal information than other items that may have been subject to border searches in the past, and the court noted that a persons “digital life ought not be hijacked simply by crossing a border.”  Because of the unique nature of electronic devices, the Ninth Circuit determined that “reasonable suspicion” is required for border searches. Cotterman is not the godsend case that many privacy advocates hoped for: the reasonable suspicion standard is only applicable to “forensic examinations,” only evocable along portions of the Mexico-US and US-Canada border, and the facts that established reasonable suspicion were frighteningly thin, Cotterman may be a step in the right direction, but the path towards protecting Fourth Amendment rights at the border remains a long one.

By: Bio Kim

Following 9/11 the U.S. government went through extensive reforms to improve the communication and coordination between intelligence officials and law enforcement authorities. The recent Boston Marathon bombing provides a small window into the inner workings of agencies involved in national security. Even though Judge Posner criticized the dual nature of the FBI in conducting both domestic intelligence investigations and criminal investigations, the FBI has evolved by assuming a greater role as a domestic-intelligence-gathering agency.

In tandem with the FBI wearing both hats, the FISA walls, which proved to be a great source of confusion before 9/11 in the sharing of information, have been largely dismantled. The agencies involved in national security now have at their disposal an expanded legal and technical resources. This course of development owes to the increased acceptance by the public of heightened government searches and seizures in the face of terrorism.

Nevertheless, there is also a valid concern that the government could be abusing its power at the cost of people’s privacy. Part of this fear comes from the fact that the Foreign Intelligence Surveillance Court’s (FISC) opinions are kept secret. It is worth noting that even though it is also true that the unique nature of FISC dictates that it “operates primarily in secret” to ensure the “proper functioning of the FISA process,” the FISA court has not definitively concluded that FISA meets the Fourth Amendment requirements. In re Sealed Case.

More information available at:

http://www.govexec.com/technology/2013/04/how-government-searches-boston-marathon-bomber/62613/

http://www.wired.com/threatlevel/2013/04/secret-surveillance-court/

By: Caitlyn Hall

Although Congress is currently contemplating revising the twenty-seven year-old Electronic Communications Privacy Act in response to privacy concerns, it is also considering other legislation that could pose significant threats to the privacy of internet users. In April 2012, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The bill, which has prompted widespread criticism from civil liberties groups, would allow private entities to share information relating to potential cyber-threats originating from foreign nations with the NSA and other members of the intelligence community.

CISPA’s proponents argue that it protects American business and intellectual property and ensures that government is adequately equipped to deal with web-based attacks from abroad, and that the bill provides adequate privacy protections, including prohibiting the government from forcing private entities to share information with the government and encouraging firms to minimize the information they share with the government. Critics, however, say that the bill does not contain adequate privacy safeguards, such as requiring service providers to remove irrelevant data before passing information along to the government, and add that CISPA in fact provides legal protections for entities that choose to cooperate with the NSA.

The House Select Committee on Intelligence, which is responsible for the bill, has made a number of amendments in response to concerns from privacy advocates, including adding a provision that limits the private sector’s use of cybersecurity information received to only cybersecurity uses, prohibiting private entities from “counter-hacking,” and removing language that would allow the government to use the data collected for “national security” purposes. But critics respond that the changes made have been mostly cosmetic, and warn that CISPA could permit government surveillance of email communications, and might allow private firms to share geolocation and other user data. The White House has threatened to veto CISPA, citing privacy and civil liberties issues raised by the bill.

http://bits.blogs.nytimes.com/2013/04/16/civil-liberties-fears-dooms-house-cybersecurity-bill/

http://www.cio.com.au/article/458812/critics_cispa_still_government_surveillance_bill/

http://dailycaller.com/2013/04/16/white-house-threatens-to-veto-cyber-bill/

http://www.govtrack.us/congress/bills/113/hr624

By: David Gold

Should police officers be required to obtain a warrant before searching an arrestee’s cell phone? Under the California Supreme Court’s 2011 opinion in People v. Diaz, the answer, at least under the Fourth Amendment, is no. That court held that the defendant’s cell phone was immediately associated with his person at the time of his arrest and, even without a warrant, was searchable incident to his lawful custodial arrest. In the decision, the court rejected the dissent and defendant’s argument that cell phones should not be searchable without a warrant because of the amount of sensitive personal data contained within the devices.

On March 19, 2013, the ACLU, together with the law firm Pillsbury Winthrop Shaw Pittman LLP, acting as pro bono assistant counsel, filed a complaint against the City and County of San Francisco claiming that a police officer’s warrantless search of the defendant’s cell phone, which was on the defendant’s person at the time of his lawful arrest, violated both the California Constitution and the First Amendment of the US Constitution. Through its complaint, the ACLU’s lawsuit seeks to circumvent the Diaz decision and require police officers to obtain warrants prior to searching the data content on cell phones on grounds other than Fourth Amendment search and seizure. Article 1, Section 1 of the California Constitution explicitly identifies a right to privacy, which, the ACLU argues, makes the state constitution more protective of privacy rights than the US Constitution, since the latter does not explicitly establish privacy rights. Article 1, Section 13 similarly is argued to offer greater protection than the Fourth Amendment against unreasonable searches and seizures. Finally, the ACLU argues that phones contain a great amount of communication, and that allowing for these searches will have a chilling effect on speech, which is not permissible under the First Amendment in this instance, because even though the information on phones is relevant, the search will only be permitted if it furthers a compelling interest.

The ACLU complaint is filled with a detailed factual record of the capacity for cell phones, and particularly smart phones. Not only does it describe in great detail the current ability of phones, but it also notes the expansion of data capacity on the horizon. Additionally, the ACLU argues that there is sensitive personal information of friends, family members, and co-workers contained on an individual’s cell phone, in addition to highly sensitive personal information, such as credit card information. Furthermore, the ACLU challenged that cell phones do not pose a physical threat to police officers and that police officers do not need to search the contents of the phone immediately because no evidence will be destroyed given that officers may use a Faraday Bag, which prevents third parties from accessing and deleting or changing information on the phone.

Since the California Supreme Court has already determined that such phone searches do not violate the Fourth Amendment, if the ACLU loses on these claims, there will be little room to challenge such searches in California, and only a ruling by the US Supreme Court would overrule such a holding. Perhaps, given that cell phones contain information in different applications, there is a workable middle ground approach, that officers may only access information in certain application without a warrant. Or, as the ACLU points out, perhaps Faraday Bags should become commonplace, allowing officers to seize control of an arrestee’s cell phone and prevent any evidence on it from being destroyed, but not search its contents until a warrant is issued. Discussion about these alternatives will only really be relevant if the California Court decides in favor of the ACLU, since a decision for San Francisco will allow officers to search the entire cell phone device of an arrestee without a warrant.

Fun fact from the ACLU complaint: early mobile phones used to weigh almost 90 pounds!

Articles:

http://www.aclu.org/technology-and-liberty/aclu-lawsuit-challenges-warrantless-searches-cell-phones

http://consumerist.com/2013/03/20/aclu-files-suit-to-stop-police-from-searching-cell-phones-without-warrant/

ACLU-Pillsbury Complaint

https://www.aclunc.org/news/press_releases/asset_upload_file321_12297.pdf

People v. Diaz Decision:

http://epic.org/privacy/devicesearch/People_v_Diaz.pdf

By: Josh Baker

Article: http://www.wired.com/threatlevel/2013/04/secret-surveillance-court/

Government’s brief: http://www.wired.com/images_blogs/threatlevel/2013/04/fisacourt.pdf

The Electric Frontier Foundation (EFF), a digital rights group in San Francisco, brought suit in the District Court for the District of Columbia after the government denied EFF’s Freedom of Information Act (FOIA) request to disclose a ruling of the Foreign Intelligence Surveillance Court (FISC).  FISC opinions are almost never disclosed to the public as a general matter.

In this case, the opinion was not revealed, but Sen. Ron Wyden was briefed on the ruling as a member of the Intelligence Committee.  Wyden was authorized to reveal that FISC had found an instance of surveillance that “circumvented the spirit of the law” and failed Fourth Amendment reasonableness scrutiny, violating the FISA Amendments Act.  The declassified statements also noted that “government has remedied these concerns and the FISC has continued to approve []

collection [pursuant to Section 702] as consistent with the statute and reasonable under the Fourth Amendment.”  The public would not have been aware of the ruling in this case were it not for Sen. Wyden’s authorized comments.

The Department of Justice (DOJ), in its brief, contends that FOIA exempts this information from disclosure.  It argues that the FISC Rules of Procedure prohibit the disclosure of the FISC opinions and Intelligence Committee briefings.  In the alternative, the DOJ declared that the information sought “necessarily implicates classified intelligence sources and methods” and is therefore exempted from FOIA disclosure.  Finally, the DOJ asserts that disclosure of the information sought by EFF “could result in exceptionally grave and serious damage to the national security,” and that the court should defer to the Department’s finding on this matter.

This exemplifies the government’s general rationale for maintaining secrecy as to FISC opinions.  The FISC was designed to have Article III judges rule on information collection/surveillance requests from intelligence agencies, while preserving the secrecy of the government’s investigations that could be jeopardized by public disclosure.  By declassifying certain statements regarding the FISC opinion, the government sought to balance the interest in government transparency with the protection of critical intelligence activities.