DOJ Asks Court To Keep Google NSA Partnership Secret
The Justice Department is defending the government’s refusal to discuss—or even acknowledge the existence of—any cooperative research and development agreement between Google and the National Security Agency.
The Washington based advocacy group Electronic Privacy Information Center sued in federal district court here to obtain documents about any such agreement between the Internet search giant and the security agency.
The NSA responded to the suit with a so-called “Glomar” response in which the agency said it could neither confirm nor deny whether any responsive records exist. U.S. District Judge Richard Leon in Washington sided with the government last July.
A three-judge panel of the U.S. Court of Appeals for the D.C. Circuit is scheduled to hear the dispute March 20.
EPIC filed a Freedom of Information Act request in early 2010, noting media reports at the time that the NSA and Google had agreed to a partnership following the cyber attacks in China that year against Google.
EPIC asked for, among other things, communication between the NSA and Google about Gmail and Google’s “decision to fail to routinely encrypt” messages before Jan. 13, 2010.
The NSA’s response to the request for records noted that the agency “works with a broad range of commercial partners and research associations” to ensure the availability of secure information systems. The agency, however, refused to confirm or deny any partnership with Google.
The security agency said it routinely monitors vulnerabilities in commercial technology and cryptographic products because the government relies heavily on private companies for word processing systems and e-mail software.
“If NSA determines that certain security vulnerabilities or malicious attacks pose a threat to U.S. government information systems, NSA may take action,” DOJ Civil Division lawyers Catherine Hancock and Douglas Letter said in a brief in the D.C. Circuit in January.
DOJ’s legal team said that acknowledging whether NSA and Google formed a partnership from a cyber attack would illuminate whether the government “considered the alleged attack to be of consequence for critical U.S. government information systems.”
NSA said it cannot provide documents—or confirm their existence—because the information would alert adversaries about the security agency’s priorities, threat assessments and countermeasures.
DOJ said media reports about the alleged Google partnership with NSA do not constitute official acknowledgement.
The Washington Post and The New York Times both reported that Google contacted the NSA after the Jan. 2010 cyber attack, which the company said was rooted in China and targeted access to accounts of Chinese human rights activists. The Wall Street Journal said NSA’s general counsel worked out a cooperative research and development agreement with Google.
EPIC’s attorneys, including Marc Rotenberg, the group’s president, said in court papers that the document request includes records that are not relevant to the NSA’s information assurance mission.
“The NSA mischaracterizes EPIC’s FOIA Request by stating that responsive documents would reveal ‘information about a potential Google-NSA relationship,’” Rotenberg said.
The crux of the records request, Rotenberg said, is Google’s switch to application encryption by default for Gmail accounts soon after the cyber attack. Google in 2008 began allowing users to encrypt mail passing through the company servers, EPIC said in its brief, but encryption was not provided by default.
EPIC’s brief said the failure of the NSA to conduct a search for records “deprives the court of the ability to meaningfully assess the propriety” of the agency’s response that it can neither confirm nor deny the existence of responsive records.
“Without first conducting the search, not even the agency can know whether there is a factual basis for its legal position,” Rotenberg said.
EPIC said its records request does not seek documents about NSA’s role to secure government computer networks. “Google provides cloud-based services to consumers, not critical infrastructure services to the government,” Rotenberg said.