Andy Greenberg, Forbes Staff.
5/11/2012 @ 12:30PM
If the world’s largest surveillance agency has a working relationship with the world’s largest Internet firm, that’s no one’s business but theirs, according to an appeals court in the DC Circuit.
In the ruling issued Friday, (PDF here ) the court decided that the National Security Agency doesn’t need to either confirm or deny its relationship with Google in response to a Freedom of Information Act (FOIA) request filed by the Electronic Privacy Information Center, ruling that a FOIA exemption covers any documents whose exposure might hinder the NSA’s national security mission. Beyond merely rejecting the FOIA request, the court has agreed with the NSA that it has the right to simply not respond to the request, as even a rejection of the request might reveal details of a suspected relationship with Google that it has sought to keep secret.
“If NSA disclosed whether there are (or are not) records of a partnership or communications between Google and NSA regarding Google’s security, that disclosure might reveal whether NSA investigated the threat, deemed the threat a concern to the security of U.S. Government information systems, or took any measures in response to the threat,” the court’s ruling read. “As such, any information pertaining to the relationship between Google and NSA would reveal protected information about NSA’s implementation of its Information Assurance mission.”
Since just after Google revealed in early 2010 that it had been hacked by cyberspies seemingly based in China, the Washington Post reported that Google and the NSA had partnered to help bolster the company’s defenses against future attacks. NSA director Mike McConnell followed up with an op-ed in the Post, which included a statement that a partnership with Google was “inevitable.”
Both articles understandably spooked the privacy community. After all, the NSA has two roles, both as the government’s top cybersecurity defenders and, more troublingly for its relationship with a Silicon Valley firm that has enormous troves of users’ personal information, as its most powerful surveillance arm.
Following the Post’s story, EPIC filed a FOIA request to learn more about the nature of that partnership. The NSA handed them what’s known as a Glomar response, a refusal to either confirm or deny the existence of the records the FOIA request seeks based on a historic case in which the CIA issued a similar non-response to a journalist seeking information about its secret underwater vessel called the “Glomar Explorer.”
EPIC sued, arguing that the story in the Post already had confirmed the existence of the partnership and invalidated the NSA’s Glomar non-denial denial. But the court took the NSA’s side, first in a July ruling and then in Friday’s appeal ruling that stated “the fact that limited information regarding a clandestine activity has been released does not mean that all such information must be released.”
“We are disappointed by the decision of the DC Circuit,” EPIC director Marc Rotenberg wrote to me in an email that cited the Washington Post story and McConnell’s op-ed.”The NSA has adopted an increasingly public-facing role with its Information Assurance mission. And of course the agency’s surveillance activities raise profound concerns for Internet users. Under these circumstances, EPIC believed that the agency could not rely on a Glomar response prior to an actual search for responsive records, but the court held otherwise.”
EPIC hasn’t yet decided whether to pursue another appeal, which could take the issue to the Supreme Court.
The ruling comes as controversy has been growing around the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that passed the House last month in a form that would allow private firms like Google to share a wide range of information with government agencies like the NSA for cybersecurity reasons, as well as other vague purposes like computer “crime” and even “the protection of individuals from the danger of death or serious bodily harm.”
Google, unlike practically every other major tech firm, has yet to take a stance on that bill or the similar cybersecurity legislation now being considered in the Senate. Facebook, Microsoft, IBM, Intel, Oracle, AT&T and Verizon all support the bill.
Rotenberg suggests that Friday’s ruling demonstrates just how secretive and unaccountable CISPA’s data-sharing partnerships between private firms and the government would be....
PAGE 2 HERE