Amid last year’s Snowden revelations, I sent the NSA a FOIA request for my home phone call detail records. At the time, I was a Verizon customer, I had seen the National Security Letter compelling Verizon to produce all call detail records (CDRs) where one or both parties were located in the United States, and I wanted to see what my collection of CDRs looked like.
The NSA denied my FOIA request, and I filed an appeal in January 2014.
The Appeal Letter
Here is what my appeal letter said:
January 5, 2014
NSA/CSS FOIA Appeal Authority (DJ4)
National Security Agency
9800 Savage Road STE 6248
Fort George G. Meade, MD 20755-6248.Dear NSA/CSS FOIA Appeal Authority:
I am writing in regards to FOIA request case number 75473, in which I requested telephony metadata for calls originating from 781-xxx-xxxx, my Verizon-provided home telephone number. The NSA responded on November 21, 2013, denying my request. I disagree with the reasons given for denial, and wish to file an appeal.
NSA’s letter cited three statutes as the basis for my denial: Title 18 U.S. Code 798, Title 50 U.S. Code 3024(i), 50 U.S. Code 3605. I am appealing the denial because I believe that none of the cited statues applies to my request.
50 U.S. Code 3605 deals with disclosure of the organization or any function of the National Security Agency, or any information with respect to the activities thereof, or of the names, titles, salaries, or number of the persons employed by such agency. My request involve my personal telephony metadata — it does not involve the organization of the National Security Agency; nor does it involve the names, titles, salaries, or number of persons employed by the agency. Furthermore, my request was strictly limited to data already collected — I have not requested details of the NSA’s functions or activities. As the original denial letter notes, the Agency’s functions and activities have been widely reported by the press and media; I will note that the press and media reporting has made extensive use of primary source documents.
Title 50 U.S. Code 3024(i) deals with the Protection of intelligence sources and methods […] from unauthorized disclosure. I have requested a copy of telephony metadata collected from my home phone number; I have not requested any information regarding the source of that data, nor have I requested information about how the data was obtained.
Title 18 U.S. Code 798 deals with
classified information […]
(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
(3) concerning the communication intelligence activities of the United States or any foreign government; or
(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes
I believe that (1) does not apply, since my personal telephony metadata is not a code, cypher, or cryptographic system. I believe that (2) does not apply because my personal telephony metadata is not a device, apparatus, or appliance. I believe that (3) does not apply because I have requested telephony metadata, and not information about the activities that led to its collection. (As before, said activities have been widely reported in the media, to the point where they could be considered common public knowledge.) I believe that (4) does not apply because my personal telephony metadata does not include the communications of any foreign government.
Furthermore, I believe that my FOIA request falls squarely in scope of the Privacy Act of 1974. See 5 USC Section 552a, Paragraph (d)
Each agency that maintains a system of records shall —
(1) upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him […]
I believe that the agency’s collection of telephony metadata constitutes a system of record, whereby I have the right to obtain and review records pertaining to me.
Thanks for your time and attention. I look forward to hearing your response.
NSA’s Response to My Appeal
The NSA sat on my appeal for a few months, before responding on July 30th, 2014. I’ve posted the NSA’s response below. I’d suggest reading it slowly; the NSA’s FOIA analyst rambles on a bit, but the response contains some real gems.
Case No. 75457/Appeal No. 3895
30 July 2014Dear Mr. Revilak:
This replies to your letter, dated 5 January 2014, appealing the National Security Agency/Central Security Services (NSA/CSS’) denial of your request under the Freedom of Information Act (FOIA) for a list of all phone calls from your cell phone number (781-xxx-xxxx). I have reviewed your request, the Chief of the FOIA/Privacy Act (PA) Office’s response to you, and your letter of appeal.
As a result of my review, I have concluded that the appropriate response is to continue to neither confirm nor deny the existence or nonexistence of any records on you pertaining to any NSA intelligence programs or activities, to include programs authorized under Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments Act. To do otherwise when challenged under the FOIA would result in the exposure of intelligence information, sources, and methods, which could harm our national security and severely undermine NSA activities in general. For example, if NSA denied having information in cases where we had no such information, but remained silent in cases in which the information existed, it would tend to reveal in which activities NSA was engaged. Any further elaboration concerning these matters would reveal information that is currently and properly classified under Executive Order 13526.
Accordingly, the existence or nonexistence of any intelligence information you requested remains exempt from disclosure pursuant to 5 U.S.C. Sec. 552(b)(1), which protects properly classified information. I have determined that any substantive response to your request would tend to confirm or deny specific activities. The fact of the existence or nonexistence of such information is a properly classified matter under Executive Order 13526, since it meets the specific criteria for classification established in Section 1.4(c) of the Order. When such classification is warranted, Section 3.6(a) of the Order allows an agency to respond by declining to confirm or deny the existence of responsive records.
Further, the fact of the existence or nonexistence of any such records is also exempt pursuant to 5 U.S.C. Sec. 552(b)(3), which permits withholding of matters specifically exempted from disclosure by statute. The applicable statutory provisions with regard to the existence or nonexistence of the records requested are: 18 U.S.C. Sec. 798, which prohibits the release of information concerning classified communications intelligence activities except to those persons authorized to receive such information; 50 U.S.C. Sec. 3024(i), which requires the protection of intelligence sources and methods from unauthorized disclosure; and Section 6 of the National Security Agency Act of 1959, Public Law 86-36 (codified at 50 U.S.C. Sec. 605), which provides that no law shall be construed to require the disclosure of the organization, personnel, functions, or activities of the National Security Agency.
Additionally, on appeal you assert that the records you have requested are the types of records that are subject to the provisions of the PA, 5 U.S.C. Sec. 552a, because, as suggested in your appeal, they include the collection of personal information which is maintained in a PA system of records. To the extent that you are seeking a response under the PA, please be advised that the existence or nonexistence of any intelligence records that may fall within a PA system of records is also exempt from disclosure pursuant to the first exemption of the PA (5 U.S.C. Sec. 552a(k)(l)), which allows for the withholding of classified information if that information is exempt from disclosure under the FOIA. The existence or nonexistence of the information you requested meets the criteria for classification under the FOIA (5 U.S.C. Sec. 552(b)(1)) as described above and thus is also exempt from disclosure under the PA (5 U.S.C. Sec. 552a(k)(l)). See also Section 3.6(a) of Executive Order 13526.
Because this response is a denial of your appeal, you are hereby advised of your right pursuant to 5 U.S.C. Sec. 552(a)(4)(B) to seek judicial review of my decision in the United States District Court in the district in which you reside, in which you have your principal place of business, in which the Agency records are situated (U.S. District Court of Maryland), or in the District of Columbia.
Sincerely,
E. R. BROOKS
Chief of Staff
Freedom of Information Act/Privacy Act
Appeal Authority
Dissecting the NSA’s Denial Letter
I’d like to pick the NSA’s denial letter apart, and draw attention to some particularly good bits. We’ll start with the opening sentence.
This replies to your letter, dated 5 January 2014, appealing the National Security Agency/Central Security Services (NSA/CSS’) denial of your request under the Freedom of Information Act (FOIA) for a list of all phone calls from your cell phone number
My initial letter to the NSA specifically stated that I was requesting CDRs from my home phone number, which the NSA acknowledged in their Nov. 21, 2013 reply. I’m not sure why the analyst referred to this as my cell phone number. Perhaps it was a simple mistake, or perhaps the NSA treats cell phone CDRs differently than land-line CDRs. I don’t know the answer to that.
Next, my favorite part of the entire letter:
As a result of my review, I have concluded that the appropriate response is to continue to neither confirm nor deny the existence or nonexistence of any records on you pertaining to any NSA intelligence programs or activities, to include programs authorized under Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments Act.
Translation: “Yeah, it seems that everyone knows about the shady stuff we were doing under the PATRIOT act in the FISA Amendments act. So let’s just forget the whole thing, and pretend it never happened, okay?”
This paragraph continues:
To do otherwise when challenged under the FOIA would result in the exposure of intelligence information, sources, and methods, which could harm our national security and severely undermine NSA activities in general.
Translation: “We’re really embarrassed as it is. Please don’t make us embarrass ourselves even more.”
Once upon a time, the term “national security” may have meant something. These days, I genuinely believe that “national security” is nothing more than “shit that would embarrass the government if people found out”.
Let’s continue:
Any further elaboration concerning these matters would reveal information that is currently and properly classified under Executive Order 13526.
This paragraph illustrates one of the strange alternate realities that our government operates under. In particular, the way in which information can be widespread common knowledge, yet still be “classified”. To give the bureaucrats credit, at least they are consistent in their behavior. The US military recently blocked access to The Intercept, to prevent military personnel from accessing leaked documents. The Federal government blocked access to wikileaks after Chelesea Manning leaked the contents of diplomatic cables. When the Snowden leaks began appearing last summer, the US army blocked access to the Guardian’s web site. This network censorship goes beyond the realm of “classified” documents; Congress was blocked from the Hope X website because the site contained “information about hacking”.
I’m not sure whether this constitutes a state of denial, or if the US government is actively working to censor the kind of information its employees can access. I suppose it could be worse. In China, everyone’s internet access is censored; in the US, it seems that only federal employees are censored.
Continuing on:
Section 6 of the National Security Agency Act of 1959, Public Law 86-36 (codified at 50 U.S.C. Sec. 605), which provides that no law shall be construed to require the disclosure of the organization, personnel, functions, or activities of the National Security Agency.
Translation: By law, the NSA has no public accountability, period. This law is wrong and outrageous on so many levels, and it needs to be changed. Given what we’ve learned about the NSA over the last 14 months, who (outside the intelligence community) can honestly say that the lack of accountability has been a good thing?
Finally, there is the closing paragraph:
Because this response is a denial of your appeal, you are hereby advised of your right pursuant to 5 U.S.C. Sec. 552(a)(4)(B) to seek judicial review of my decision in the United States District Court in the district in which you reside, in which you have your principal place of business, in which the Agency records are situated (U.S. District Court of Maryland), or in the District of Columbia.
Translation: “So sue me”.
End result: no call detail records for me.
For those of you who enjoy primary source documents, here is a pdf of the entire exchange: NSA Call Detail Records FOIA.
It appears that although you mentioned the Privacy Act, you didn’t explicitly make your initial request under the Privacy Act, nor did you file a Privacy act appeal. I suggest you make a new request for the same data, explicitly styled as a request pursuant to the Privacy Act and only the Privacy Act, not FOIA. If your request is denied, file a Privacy Act appeal. The rules and exemptions are different.
Sorry, I looked again, and it appears that your original request *did* say it was a Privacy Act request. But the NSA treated it as a FOIA request. It appears that it still hasn’t been processed as a Privacy Act request. You could either query them to see (if ever) they intend to respond to it as a Privacy Act request, or file a Privacy Act appeal of the constructive denial of your Privacy act request, or sue under the privacy act. Good luck!
Edward, thanks for the suggestions!
Steve