United States District Court, District of Columbia
SUSAN B. LONG, et al., Plaintiffs,
IMMIGRATION AND CUSTOMS ENFORCEMENT, et al., Defendants.
MEMORANDUM OPINION AND ORDER
P. Mehta, United States District Judge.
case arises from seven requests Plaintiffs Susan B. Long and
David Burnham made under the Freedom of Information Act
(“FOIA”) between October 13, 2010, and February
26, 2013, in which they sought information regarding the
metadata and database schema for databases used by Defendant
Immigration and Customs Enforcement (“ICE”) and
Defendant Customs and Border Patrol (“CBP”), as
well as information concerning “snapshots” of one
database. Plaintiffs seek this information on behalf of the
Transactional Records Access Clearinghouse
(“TRAC”) at Syracuse University, which collects,
organizes, and distributes data concerning federal government
enforcement activities. Defendants produced several pages of
responsive documents but withheld many others, leading to the
present litigation. In a prior ruling in this matter, the
court granted in part and denied in part the parties'
cross-motions for summary judgment.
few issues in this litigation remain. First, the parties
continue to dispute whether disclosure of metadata and
database schema pertaining to Defendant ICE's Enforcement
Integration Database (“EID”) and Integrated
Decision Support Database (“IIDS”) could
reasonably be expected to risk circumvention of the law, such
that those materials may be withheld pursuant to FOIA
Exemption 7(E). Second, the parties disagree as to whether
Defendant conducted an adequate search to locate
“snapshot” identification and preparation
records, consistent with Plaintiffs' Third FOIA Request,
and then properly withheld certain responsive materials while
segregating and releasing non-exempt materials. Both parties
have moved for summary judgment.
an augmented record and supplemental briefing, summary
judgment in full remains elusive. The court concludes that
there remain genuine disputes of fact as to whether (1)
disclosure of the EID and IIDS metadata and database schema
could “reasonably be expected to risk
circumvention of the law, ” 5 U.S.C. §
552(b)(7)(E) (emphasis added); (2) the requested information
concerning the timing and frequency of snapshot production
was “compiled for law enforcement purposes” and,
if so, whether its release could “reasonably
be expected to risk circumvention of the law, ”
id. (emphasis added); and (3) whether Defendant
performed a proper segregability analysis as to those
responsive materials. The court does grant summary judgment
to Defendant, however, as to the adequacy of its search in
response to Plaintiffs' Third FOIA Request, its
withholding of employees' names and contact information
under Exemption 6, and its segregability analysis as to those
withholdings. Accordingly, the court grants in part and
denies in part Defendant's Motion for Summary Judgment
and denies in full Plaintiffs' Cross-Motion for Summary
court assumes the parties' familiarity with the
underlying factual and procedural history of this case and
recites only what is necessary to resolve the narrow issues
of Plaintiffs' seven FOIA requests are still at issue.
Plaintiffs submitted two FOIA requests-one on October 13,
2010, the other on October 18, 2010-that sought documents
disclosing the fields, variables, codes, and structures of
the shared Enforcement Integration Database
(“EID”) and Integrated Decision Support Database
(“IIDS”), upon which ICE and CBP rely to manage
cases pertaining to the detention of undocumented immigrants.
See Long v. Immigration & Customs Enf't, 149
F.Supp.3d 39, 43-44 (D.D.C. 2015). The EID contains
information “related to the investigation, arrest,
booking, detention, and removal of persons encountered during
immigration and criminal law enforcement investigations and
operations conducted by ICE, CBP, and U.S. Citizenship and
Immigration Services.” Id. at 44 (alterations
adopted) (internal quotation marks omitted). The IIDS
contains a subset of that information, including
“biographic information, information about encounters
between agents/officers and subjects, and apprehension and
detention information about all persons in EID, ” which
the agency uses to produce management and statistical
reports. Id. at 45 (internal quotation marks
omitted). Plaintiffs submitted a Third FOIA Request to
Defendant on September 21, 2012, that sought, in relevant
part, information relating to “snapshots” and
extracts of the EID over a 12-month period. Id.
“Snapshots” and extracts refer to subsets of
select EID data maintained in other databases that allow
Defendant to search all the information contained in the EID
at a particular point in time. Id. Plaintiffs'
Third FOIA Request seeks the following information
surrounding these snapshots and extracts: (1) documents
identifying any snapshots prepared in the past 12 months; (2)
the frequency with which snapshots are taken; (3) who
prepares the snapshots; (4) to whom snapshots have been sent,
and (5) how long it takes to prepare the snapshots. See
received a limited amount of materials in response to these
three FOIA requests. With respect to the first two requests,
Defendant released 97 redacted pages of responsive documents,
but withheld the remaining responsive materials premised on
FOIA Exemption 7(E). See Id. With respect to the
Third FOIA Request, Defendant created a nine-page
document (“the Nine-Page Document”) that
summarizes the responsive materials and released a redacted
version of that document, but not the original responsive
materials. See Id. at 46.
filed suit, claiming, as relevant here, that Defendant has
not complied with its FOIA obligations in responding to
Plaintiffs' request for EID and IIDS metadata and
database schema or Plaintiffs' Third FOIA Request.
See Compl., ECF No. 1. Defendants moved for summary
judgment on the ground that disclosure of EID and IIDS
metadata and database schema would risk a Structured Query
Language (“SQL”) injection attack, thereby
justifying the agency's withholding of that information
under Exemption 7(E). See Defs.' Mot. for Summ.
J. & Mem. in Supp., ECF No. 17 [hereinafter Defs.'
Mot. for Summ. J., ECF No. 17], at 22-26. Even assuming the
materials sought could qualify for withholding under
Exemption 7(E), Plaintiffs argued in opposition, it was
unclear how Defendant could claim that disclosure of this
information risks a SQL injection attack, given that that
type of attack requires a direct connection to a database and
the EID and IIDS are not publicly accessible. See
Pls.' Mem. in Supp. of Cross-Mot. for Summ. J., ECF No.
18, at 19. Separately, Plaintiffs noted, at no point had
Defendant provided any information regarding its
efforts to search for snapshot identification and preparation
records in response to their Third FOIA Request. See
Id. at 31.
Memorandum Opinion and Order issued on December 14, 2015, the
court agreed with Plaintiffs as to these two issues.
Specifically, the court held that the metadata and database
schema at issue satisfy the “compiled for law
enforcement purposes” and “techniques,
procedures, or guidelines” requirements of Exemption
7(E), but the court was unconvinced that Defendant had
sufficiently shown how disclosure of these materials
“could reasonably be expected to risk
circumvention of law” in light of the incongruity
between the type of harm claimed and the purported
impossibility of it occurring. See Long, 149
F.Supp.3d at 48-54 (emphasis added). Additionally, the court
agreed that Defendant had not explained its efforts to
conduct an adequate search for materials responsive to
Plaintiffs' Third FOIA Request. Id. at 60.
wake of the court's decision, the parties submitted
supplemental briefing and evidence in support of their
respective positions. With respect to the EID and IIDS
metadata and database schema, Defendant emphasized that its
disclosure would risk circumvention of law even in the
absence of a public interface because disclosing that
information would make it easier for hackers to create
convincing e-mails that lull unsuspecting, authorized users
to click on nefarious links or attachments, also known as
phishing or spear phishing attacks, and inadvertently allow
hackers to access the system and/or steal users'
credentials. See Defs.' Notice of Suppl. Evid.,
ECF No. 32 [hereinafter Defs.' Notice], Ex. 3, ECF No.
32-3 [hereinafter Foster Decl.], ¶¶ 14-15;
Defs.' Suppl. Br. in Supp. of Defs.' Mot. for Summ.
J., ECF No. 35 [hereinafter Defs.' Suppl. Summ. J. Br.],
at 5-8. Separately, Defendant explains that the
reasonableness and adequacy of its search in response to
Plaintiffs' Third FOIA Request is evidenced by the fact
that the Request went through multiple levels of review, and
experts in a sub-division curated the search and created a
responsive document, with redactions justified under
Exemptions 6, 7(C), and 7(E). Defs.' Suppl. Summ. J. Br.
at 16-17; Defs.' Notice, Ex. 2, ECF No. 32-2 [hereinafter
Wilson Decl.], ¶¶ 21, 25, 30, 35, 38, 49, 52. In
response, Plaintiffs submitted a supplemental brief that
contests the application of Exemption 7(E) to withhold the
EID and IIDS metadata and database schema; the adequacy of
the search in response to their Third FOIA Request;
Defendant's reliance on Exemptions 6, 7(C), and 7(E) to
withhold material responsive to the Third FOIA Request; and
Defendant's segregability analysis. See
Pls.' Suppl. Mem. in Opp'n to Defs.' Mot. for
Summ. J. & in Supp. of Cross-Mot. for Summ. J., ECF No.
37 [hereinafter Pls.' Suppl. Summ. J. Br.]. In part,
Plaintiffs argued that Defendant has identified no
“reasonable” expectation that disclosure risks
compromising EID security because Defendant previously
provided to Plaintiffs earlier versions of the materials they
now seek. Id. at 10-11. Because Defendants'
supplemental reply brief did not respond to that argument,
cf. Defs.' Opp'n to Pls.' Suppl.
Cross-Mot. & Suppl. Reply Br. in Supp. of Defs.' Mot.
for Summ. J., ECF No. 40 [hereinafter Defs.' Suppl.
Reply], at 6-10, the court ordered supplemental briefing as
to whether there remains a “reasonable” risk of a
security breach given Plaintiffs' claim that Defendants
previously disclosed the same type of information. Minute
Order, Jan. 26, 2017.
issues being ripe for resolution, the court now turns to the
remaining issues in this lit igat ion.
court reviews de novo whether an agency has complied with its
obligations under FOIA. 5 U.S.C. § 552(a)(4)(B).
motion for summary judgment, a court must enter judgment in
favor of the moving party if that party “shows that
there is no genuine dispute as to any material fact and the
movant is entitled to judgment as a matter of law.”
Fed.R.Civ.P. 56(a). A dispute is “genuine” only
if a reasonable fact-finder could find for the nonmoving
party, and a fact is “material” only if it is
capable of affecting the outcome of the litigation.
Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248
requires a federal agency to conduct an “adequate
search” in response to a FOIA Request. An agency
performs an “adequate search” within the meaning
of FOIA when it performs a search “reasonably
calculated to uncover all relevant documents.”
Oglesby v. U.S. Dep't of the Army, 920 F.2d 57,
68 (D.C. Cir. 1990). The agency bears the burden of proving
that it performed an adequate search and may rely on sworn
affidavits or declarations to make that showing. See
SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C.
Cir. 1991). The court may grant summary judgment to the
agency based on those materials if they are reasonably
specific and contradicted by neither other record evidence
nor evidence of agency bad faith. See Military Audit
Project v. Casey, 656 F.2d 724, 738 (D.C. Cir. 1981);
Beltranena v. Clinton, 770 F.Supp.2d 175, 181-82
(D.D.C. 2011). FOIA plaintiffs can rebut an agency's
declarations and affidavits by demonstrating that there
remains a genuine issue as to whether the agency performed an
adequate search for documents responsive to the
plaintiff's request. See Hodge v. FBI, 703 F.3d
575, 580 (D.C. Cir. 2013); Span v. U.S. Dep't of
Justice, 696 F.Supp.2d 113, 119 (D.D.C. 2010) (internal
quotation marks omitted).
agency also bears the burden of proving that it withheld
certain materials responsive to a plaintiff's FOIA
request pursuant to a statutory exemption. Citizens for
Responsibility & Ethics in Wash. v. U.S. Dep't of
Justice, 746 F.3d 1082, 1088 (D.C. Cir. 2014). To make
this showing, the agency, again, may rely on affidavits and
declarations. If the agency's materials “provide
specific information sufficient to place the documents within
the exemption category, if this information is not
contradicted in the record, and if there is no evidence in
the record of agency bad faith, then summary judgment is
appropriate without in camera review of the documents.”
Am. Civil Liberties Union v. U.S. Dep't of Def.,
628 F.3d 612, 626 (D.C. Cir. 2011) (quoting Larson v.
U.S. Dep't of State, 565 F.3d 857, 870 (D.C. Cir.
even when an exemption applies to shield one portion of a
document responsive to the FOIA request, however, the agency
is required to disclose “[a]ny reasonably segregable
portion” of that document. See 5 U.S.C. §
552(b). “It is neither consistent with the FOIA nor a
wise use of increasingly burdened judicial resources to rely
on in camera review of documents as the principal tool for
review of segregability disputes.” Mead Data Cent.,
Inc. v. U.S. Dep't of the Air Force, 566 F.2d 242,
262 (D.C. Cir. 1977) (footnote omitted). Instead, agencies
enjoy a presumption of compliance with this obligation,
absent contrary evidence submitted by the plaintiff. See
Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117
(D.C. Cir. 2007).
court begins with whether Defendant may rely upon FOIA
Exemption 7(E) to withhold the EID and IIDS metadata and
database schema responsive to Plaintiffs' first two FOIA
requests before turning to the issues surrounding
Defendant's response to Plaintiffs' Third FOIA
The EID and IIDS Metadata and Database Schema
cites Exemption 7(E) to justify withholding the EID and IIDS
metadata and database schema that Plaintiffs' sought in
their first two FOIA requests. That exemption protects from
records or information compiled for law enforcement purposes,
but only to the extent that the production of such law
enforcement records or information . . . would disclosure
techniques and procedures for law enforcement investigations
or prosecutions, or would disclose guidelines for law
enforcement investigations or prosecutions if ...