Long v. ICE, No. 14-00109, 2015 WL 8751005 (D.D.C. Dec. 14, 2015) (Mehta, J.)
Long v. ICE, No. 14-00109, 2015 WL 8751005 (D.D.C. Dec. 14, 2015) (Mehta, J.)
Re: Request for metadata and database schema from certain databases
Disposition: Granting in part and denying in part defendant's motion for summary judgment; granting in part and denying in part plaintiff's motion for summary judgment
- Exemption 7, Threshold: "The court thus concludes that the withheld records easily qualify as records or information 'compiled for law enforcement purposes.'" The court notes that "[p]laintiffs concede that Defendants use the EID and IIDS databases for law enforcement purposes—to assist ICE and CBP with deporting people who are unlawfully in the United States, to arrest those who violate federal immigration laws, and to track investigations and court proceedings of those apprehended." Additionally, the court finds that there is a "clear connection between the records and possible security risks or violations of law."
- Exemption 7(E): "Based on the present record, the court cannot find that Defendants have carried their burden of showing that disclosure of the IED and IIDS metadata and database schema increases the risk of a cyber-attack of the kind Defendants posit." First, "[a]lthough the court views [defendant's] Declaration as providing a rather thin explanation for why the metadata and database schema qualify as a law enforcement technique, procedure, or guideline, the court ultimately agrees with Defendants." However, second, the court finds that "[t]he sole risk that Defendants claim might be heightened by the release of metadata and database schema is that of a [Structured Query Language ("SQL")] injection attack." "On the present record, however, it is undisputed that a SQL injection attack requires an external point of entry, such as a website or point-of-sale machine, and that the IED and IIDS databases are not so exposed." "The court is thus left unconvinced, at this juncture, that the sole risk of circumvention of the law claimed by Defendants—a SQL injection attack—would be increased if the requested metadata and database schema were disclosed." However, "the court will permit Defendants to supplement the record with additional affidavits or other evidence to establish that disclosure of the IED and IIDS metadata and database schema will increase the risk of a cyber-attack, data breach, or any other circumvention of the law."
- Exemption 3: The court holds that "[d]efendants’ claim that the requested materials can be withheld pursuant to Exemption 3 fails." The court explains that "[t]he statute upon which Defendants rely—the Management Act—was repealed in its entirety on December 18, 2014—after this case was filed—and replaced by the Federal Information Security Modernization Act of 2014 . . . 44 U.S.C. § 3551 et seq. (2014)." "As the Modernization Act is the law in effect at the time the court is rendering its decision, it is the controlling law in the present dispute." The court finds that "[t]he Modernization Act does not enable Defendants to invoke Exemption 3 here for two reasons." "First, because the Modernization Act was enacted after the OPEN FOIA Act of 2009, for it to protect records from disclosure under Exemption 3 it must 'specifically cite[ ] to [Exemption 3].'" "It does not do so." "Second, to the extent that the Modernization Act does cite to FOIA, it does not alter agencies' obligations under the FOIA statute." "The Modernization Act expressly states that '[n]othing in this subchapter ... may be construed as affecting the authority of ... the head of any agency, with respect to the authorized use or disclosure of information, including ... the disclosure of information under section 552 of title 5.'"
- Procedural Requirements, Responding to FOIA Requests: "[T]he court finds that Defendants have demonstrated that producing and redacting . . . requested snapshots [concerning transfer of data] would be unduly burdensome." The court explains that, "when [the] data is collected, organized, and transferred to a functional database . . ., no reproducible extract or copy of the transferred data, or snapshot, is created to provide to a FOIA requester." The court notes that, "[h]ere, Defendants’ declarant . . . has attested, based on his specific knowledge of and experience with the . . . database and associated datamarts that replicating and redacting the snapshots would create an undue burden on the agencies." "Plaintiffs’ declarant, though an expert in the field of database systems and management, has not offered any evidence that specifically rebuts [defendant's] assertions about the agencies’ present technological capabilities as to the [specific] database [at issue] and associated datamarts or regarding the burden that reproduction and redaction of the snapshots would impose on them." "Instead, [plaintiff] offers only observations about commercial databases in general."
- Litigation Considerations, Discovery: "Plaintiffs’ request for discovery is denied." The court finds that "[p]laintiffs have not offered any evidence that is specific to the . . . databases at issue in this case, to create a factual dispute that might otherwise justify allowing Plaintiffs to take discovery."
- Procedural Requirements, Searching for Responsive Records: "The court agrees with Plaintiffs’ first contention that Defendants have not explained what search, if any, they undertook to locate extract identification and preparation records sought." "Indeed, the government does not even respond to this argument." "Because Defendants do not address what search, if any, they conducted, the court will deny summary judgment as to the adequacy of their search in response to [this portion of plaintiffs' requests]." However, the court "finds that Defendants’ search of [a] repository for [certain] requested records was adequate." The court finds that plaintiffs "have not offered any reason to believe that responsive records—other than the database schema and codes themselves, which Defendants are not required to produce at this juncture—would be found within [certain] databases." "Absent such a showing, the court is satisfied that Defendants conducted a proper search for the . . . database schema and metadata."