Litigation

Court Finds for FBI in San Bernardino FOIA Case

Published: Oct. 04, 2017

Updated: Oct. 05, 2020

A United States District Court granted summary judgment to the FBI in a FOIA action brought by the AP, USA Today, and Vice, seeking disclosure of the name of the vendor the FBI used to access the San Bernardino shooter’s iPhone and the amount the FBI paid that vendor. The court found that three of FOIA’s national security and law enforcement exemptions applied to both pieces of information and therefore the FBI did not have to provide the information to the news agencies. Although not relevant to the ultimate outcome, the court also found that FOIA’s trade secret and financial information exemption did not apply to the amount paid to the vendor. This opinion illustrates the low bar the government faces when withholding information ostensibly related to national security and law enforcement.

The matter started when the AP, USA Today, and Vice each sought records relating to the FBI’s agreement with the vendor that assisted in accessing the San Bernardino shooter’s iPhone. After the FBI withheld some information based on several FOIA exemptions, the news agencies narrowed their request to just the name of the vendor and the amount paid to the vendor. The parties then cross-moved for summary judgment. Noting that an agency’s justification for invoking a FOIA exemption need only be “logical” or “plausible,” the court found that three of the FBI’s claimed exemptions applied to both the name of the vendor and amount it was paid, and that a fourth exemption did not apply to the amount the vendor was paid.

The first exemption that the court found applied to both the name and price was the exemption for records authorized by executive order to be kept secret in the interest of national defense or foreign policy. The court found that the name and amount paid to the vendor were properly withheld under the Classified National Security Information Executive Order because releasing the information could cause an identifiable and discernible degree of harm to national security. The court said that releasing the vendor’s identity could harm national security because it might allow adversaries to use existing public technology created by the vendor to probe for weaknesses and create better encryption technology to thwart the FBI’s ability to use the tool, and subject the vendor to attacks by entities who wish to exploit the technology, limiting the FBI’s present and future ability to gain access to suspected terrorists’ phones. The court said that disclosure of the amount paid could harm national security because it might logically reveal how much the FBI values gaining access to suspects’ phones, and the breadth of the tool’s capabilities.

The second exemption the court found applied to both the name and price was the exemption for information specifically exempted by statute. The FBI said Section 102A(i)(1) of the National Security Act of 1947, which protects intelligence sources and methods from disclosure, exempted both pieces of information from disclosure, and the court agreed. With respect to the identity of the vendor, the court called the tool itself an intelligence source and method because it “allows the FBI to access intelligence information on suspects’ phones, therefore logically serving as both a source of intelligence information and a method for obtaining intelligence information.” The court similarly found that “information regarding the purchase price relates to an intelligence source and method because it could lead to information about the iPhone hacking tool, in the same manner as discussed under Exemption 1.”

The third exemption the court found applied to both the name and price was the exemption for records that would disclose techniques, procedures or guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law. Noting that the FBI need only show that release of the information will create a “chance of a reasonably expected risk of circumvention of law,” the court found that the FBI met its burden. With respect to the vendor’s identity, the court found that the tool was itself a law enforcement technique and that releasing the vendor’s identity could allow hostile entities to discover how the tool works and then use that information to circumvent the tool. The court also found that releasing the amount paid to the vendor could reveal the nature of the tool and its likely capabilities as well as how the FBI concentrates its resources, which “in turn could give rise to the development of countermeasures by hostile entities that could cause circumvention of the law.”

Finally, court found that Exemption 4, which protects privileged and confidential trade secrets and commercial or financial information did not apply to the amount the FBI paid for the tool. Here the sole issue in dispute was whether the price information was “confidential.” The court found that the price paid for the tool was not confidential information in the FOIA context because releasing the information was not likely to impair the government’s ability to obtain similar information in the future or cause substantial harm to the vendor’s competitive position.