Shining a Light on Agency FOIA Policies that Contradict the Law

Some agencies have regulations that conflict with the Freedom of Information Act (FOIA), which can lead to confusion for officials and the public, as well as the improper withholding of public information.  For instance, a few agencies still base their definition of a “representative of the news media” on language that is outdated and contradicted by both the FOIA statute and judicial authorities.  The old “organized and operated” standard that certain agencies have left in their regulations can be used to deny preferential fee treatment to nascent or non-traditional news media groups, as well as government watchdog organizations like Cause of Action Institute (CoA Institute).  The current statutory definition, by contrast, is meant to broaden the universe of requesters qualifying for the news media fee category.

In Cause of Action v. Federal Trade Commission,  a monumental decision in 2015 that resulted with an appellate court victory for Cause of Action Institute, the U.S Court of Appeals for the D.C. Circuit struck down the Federal Trade Commission’s outdated and narrow definition of a “representative of the news media” and confirmed the current statutory standard.  The FTC had tried to deny CoA Institute its proper fee categorization and a public interest fee waiver.

In March 2018, CoA Institute submitted a comment to the Millennium Challenge Corporation (MCC), a small agency tasked with delivering foreign aid to combat global poverty, on the agency’s proposed rule revising its FOIA regulations.  Among other things, CoA Institute suggested that the MCC correct its definition of a “representative of the news media.” In July of that year, MCC finalized a rule implementing the recommended revisions and taking a step towards effective and transparent oversight.  CoA Institute has had similar success with FOIA reform at other agencies, including the Consumer Product Safety Commission, Office of the Special Counsel, U.S. Department of Defense, U.S. Agency for International Development, and the U.S. Department of Homeland Security.

This is but one example of the work CoA Institute performs to advance government transparency and protect the rights of the American public, taxpayers and our collective ability to hold our government accountable for its actions.

Matt Frendewey is Director of Communications at Cause of Action Institute.


CoA Institute Discovers Curious DHS FOIA Notification Process for Employee Records

Earlier today, Cause of Action Institute (CoA Institute) received a misdirected email from the Department of Homeland Security (DHS) that apparently was intended to serve as a notification to an unidentified agency employee that certain personnel records were to be released under the Freedom of Information Act (FOIA).

The “awareness” email indicated that employee-related records were scheduled to be released in response to a FOIA request.  It also identified the name of the FOIA requester—a CoA Institute employee—and included an attached file containing the records at issue.  The email was issued “[i]n accordance with DHS Instruction 262-11-001,” which is publicly available on the DHS’s website and appears to have been first issued at the end of February 2018.

Under Instruction 262-11-001, the DHS is required to “inform current [agency] employees when their employment records . . . are about to be released under the FOIA.”  “Employment records” is defined broadly to include any “[p]ast and present personnel information,” and could include any record containing personal information (e.g., name, position title, salary rates, etc.).  Copies of records also are provided as a courtesy to the employee.

The DHS instruction does not attempt to broaden the scope of Exemption 6, and it recognizes that federal employees generally have no expectation of privacy in their personnel records.  More importantly, the policy prohibits employees from interjecting themselves into the FOIA process.  This sort of inappropriate involvement has occurred at DHS and other agencies in the past under the guise of “sensitive review,” particularly whenever politically sensitive records have been at issue.

Nevertheless, the DHS “awareness” policy still raises good government concerns.  As set forth in the sample notices appended to the instruction, agency employees are routinely provided copies of responsive records scheduled for release, as well as the names and institutional affiliations of the requesters who will be receiving those records.

To be sure, FOIA requesters typically have no expectation of privacy in their identities, and FOIA requests themselves are public records subject to disclosure.  There are some exceptions.  The D.C. Circuit recently accepted the Internal Revenue Service’s argument that requester names and affiliations could be withheld under Exemption 3, in conjunction with I.R.C. § 6103.  Other agencies, which post FOIA logs online, only release tracking numbers or the subjects of requests.  In those cases, a formal FOIA request is required to obtain personally identifying information.

Regardless of whether the DHS policy is lawful, it is questionable as a matter of best practice.  Proactively sending records and requester information to agency employees could open the door to abuse and retaliation, particularly if an employee works in an influential position or if a requester is a member of the news media.  The broad definition of “employee record” also raises questions about the breadth of implementation.

Finally, there are issues of fairness and efficiency.  If an agency employee knows that his records are going to be released, is it fair to proactively disclose details about the requester immediately and without requiring the employee to file his own FOIA request and wait in line like anyone else?  The public often waits months for the information being given to employees as a matter of course, even though the agency admits that there are no cognizable employee privacy interests at stake.

More importantly, an agency-wide process of identifying employees whose equities are implicated in records and individually notifying them about the release of their personal details likely requires a significant investment of agency resources.  Would it not be more responsible to spend those resources on improving transparency to the public at large?  To reducing agency FOIA backlogs?  Notifying employees whenever their information is released to the public is likely only to contribute to a culture of secrecy and a further breakdown in the trust between the administrative state and the public.

Ryan P. Mulvey is Counsel at Cause of Action Institute

2018.02.20 DHS Instruction 262-11-001

2018.12.20 DHS Notification Email

Millennium Challenge Corporation Adopts CoA Institute’s Recommendations for FOIA Regulations

The Millennium Challenge Corporation (“MCC”) finalized a rule at the end of last week implementing new Freedom of Information Act (“FOIA”) regulations and incorporated important revisions proposed by Cause of Action Institute (“CoA Institute”) in a comment submitted to the agency in March 2018.  The MCC is a small agency tasked with delivering foreign aid to combat global poverty.

CoA Institute made several recommendations in response to the MCC’s proposed rulemaking.  Most importantly, we urged the agency to remove outdated “organized and operated” language from its proposed definition of a “representative of the news media.”  Such language has been used in the past to deny news media requester status—and favorable fee treatment—to government watchdog organizations, including CoA Institute.  For example, CoA Institute sued the Federal Trade Commission, and took its case all the way to the D.C. Circuit, just to get the agency to acknowledged that its FOIA fee regulations were outdated and that it had improperly denied CoA Institute a fee reduction.

In deciding that case, the D.C. Circuit issued a landmark decision clarifying proper fee category definitions and the application of fees in FOIA cases.  CoA Institute cited this case to the MCC and the agency took heed of the current case law, removing the outdated “organized and operated” standard from its final rule.

CoA Institute also asked the MCC to remove language directing FOIA officials to read agency regulations “in conjunction with” fee guidelines published by the White House Office of Management and Budget (“OMB”) in 1987.  Portions of the OMB guidance, which are actually the source of the “organized and operated” standard, are simply no longer authoritative—they conflict with the statutory text, as amended by Congress, and judicial authorities, including Cause of Action v. Federal Trade Commission.

Continued reliance on the OMB guidelines threatens to cause confusion.  In 2016, the FOIA Advisory Committee and the Archivist of the United States both called on OMB to update its fee guidelines.  CoA Institute also filed a petition for rulemaking on the issue, and is currently litigating the matter in federal court.  Although the MCC has decided not to alter its reference to the OMB guidelines (and did not provide an explanation for rejecting that portion of CoA Institute’s comment), the fact remains that no agency can rely on OMB’s superseded directives.

Since the passage of the FOIA Improvement Act of 2016, CoA Institute has commented on twenty-six separate rulemakings.  Of the twelve that have been finalized, CoA Institute has succeeded in convincing seven agencies to abandon the outdated “organized and operated” standard in favor of a proper definition of “representative of the news media,” including the following:

Some agencies, including the National Credit Union Administration and the Federal Reserve, choose to defer on CoA Institute’s recommendations and have promised to propose further rulemakings in the near future to address outstanding fee issues.

CoA Institute’s successful comment to MCC is another small step in our efforts to provide effective and transparent oversight of the administrative state and, more specifically, to ensure agency compliance with the FOIA.

Ryan P. Mulvey is Counsel at Cause of Action Institute

DHS Fails to Locate Records Concerning Compliance with Federal Records Act over Private Web-based Email Accounts

Cause of Action Institute (“CoA Institute”) filed a Freedom of Information Act (“FOIA”) appeal with the Department of Homeland Security (“DHS”) yesterday, challenging the adequacy of the agency’s search for records concerning the use of private web-based email accounts by former DHS officials, as well as efforts to recover federal records from those officials’ accounts, as required by the Federal Records Act (“FRA”).  Although DHS disclosed two records in response to our request—namely, a letter from the National Archives and Records Administration (“NARA”), which expressed concern over the possible alienation of federal records, and DHS’s response to NARA—DHS’s repeated representations in federal court demonstrate the existence of countless other responsive records.

High-Ranking DHS Officials Received “Waivers” to Use Private Web-based Email Accounts

In July 2015, Bloomberg reported that then-Secretary Jeh Johnson and at least twenty-eight other senior officials at DHS were granted special permission to used private web-based email accounts—such as Google and Yahoo—to conduct official business.  These “waivers” were exceptions to an agency-wide ban on the use of private email that was imposed in April 2014.  Agency insiders admitted that the practice of issuing such waivers was a “national security risk.”  As reported by Politico, DHS ended its use of waivers, but the agency still faced numerous FOIA requests—and a lawsuit brought by Judicial Watch—from those seeking access to the work-related records created or received on the private web-based email accounts.

CoA Institute’s Initial Investigation into the DHS Webmail Waivers

On September 11, 2015, CoA Institute submitted a FOIA request to DHS for all agency records maintained on Secretary Johnson’s—or any other official’s—private web-based email account.  We also sought records concerning the DHS webmail waiver regime, including policies on how waivers were granted or guidance on record retention that may have been provided to waiver recipients.  In response to the request, DHS provided a substantial number of records concerning the actual processing of waivers, but it failed to produce any official correspondence from the private accounts.  Although we appealed that determination, DHS upheld the adequacy of its search, even though it had openly admitted in court to having control over actual responsive records.  A federal district court judge even issued a preservation order to ensure that former officials would continue to cooperate with recovery efforts under the Trump Administration.

Exploring DHS’s Compliance with the Federal Records Act

Armed with the knowledge that DHS was working to recover potential federal records from Secretary Johnson’s private web-based email account, as well as the accounts of three other former officials, CoA Institute filed two additional FOIA requests on June 1, 2017.  We asked both DHS and NARA to disclose records concerning NARA approval for the practice of issuing webmail waivers, as well as records reflecting the agencies’ compliance with their FRA obligations.  For example, we wanted to know whether DHS had involved the Attorney General in recovery efforts, or whether anything had been done to recover records from the other twenty-five webmail recipients that were not the subject of Judicial Watch’s ongoing FOIA litigation.

DHS could only locate two responsive records.  The first was a February 22, 2017 letter from NARA, which was prompted by the Judicial Watch lawsuit and raised concerns about the possible alienation of federal records.  NARA asked DHS to prepare a report on its recover efforts, along with a description of the “safeguards” that had been implemented to prevent the future alienation of records from private web-based email accounts.  The second responsive record was DHS’s Mary 19, 2017 response to NARA, in which the agency described its ongoing communications with Secretary Johnson and others to facilitate the return of potential federal records.  DHS claimed it was unable to locate any other responsive material.

This is an absurd determination.  DHS has repeatedly described its ongoing efforts to comply with the FRA and to ensure that work-related emails from the private web-based email accounts are returned to the agency, at least with respect to the four officials identified by Judicial Watch.  Whither the records of such communications?  CoA Institute’s request to DHS was intentionally broad and sought to capture, among other things, “any correspondence from a webmail recipient indicating that he or she no longer ha[s] possession of DHS records in a personal email account, or that he or she ha[s] forwarded them to a DHS-hosted email account, and any records evidencing agency efforts to confirm the truth of such representations.”

As for our request to NARA, that agency has failed to provide any sort of interim response, let alone a final determination, despite the fact it had granted CoA Institute’s FOIA request expedited processing.

The Lack of Transparency in Agency Compliance with the Federal Records Act is Troubling

The Obama Administration established a pattern of high-ranking officials using personal email accounts to conduct agency affairs, thereby potentially ignoring federal laws that require the preservation of records for future disclosure to Congress and the American public.  The lack of transparency with respect to the use of private email is concerning enough; the lack of transparency over efforts to remedy abusive and unauthorized use of personal email, and to return records to agency custody, is even more worrisome.  Government-oversight organizations such as CoA Institute have increasingly been forced to seek judicial relief to ensure agency compliance with the FRA, and this tendency is only likely to increase given the pace of technological development.

DHS seems to be working extra hard to keep secret whether it has fully met its FRA obligations.  It was certainly embarrassing for the agency when its practice of issuing waivers that allowed agency leadership to use private web-based email accounts came to light.  It will be even more embarrassing if evidence surfaces to show that DHS is still dragging its feet to recover those records, as required by law.

Ryan Mulvey is Counsel at Cause of Action Institute


DHS Watchdog Claims Political Appointees No Longer Politicizing FOIA

One of the earliest transparency scandals of the Obama Administration erupted in 2010 when the Associated Press discovered that officials at the Department of Homeland Security (“DHS”) had, “in a highly irregular move,” started to “filter hundreds of public records requests through political appointees, allowing them to examine what was being requested and delay releasing sensitive material.”  These appointees, along with senior officials and public affairs staff, effectively blocked or delayed the disclosure of potentially embarrassing or politically-damaging agency records under the Freedom of Information Act (“FOIA”).  Their interjection into the FOIA process—and retaliation against career staff members who objected to this “sensitive review”— resulted in a congressional inquiry and damning Oversight Committee report.  The Obama Administration politicized FOIA the same way at the Department of Housing and Urban Development, the Environmental Protection Agency, the State Department, and the Department of the Treasury.  The situation at DHS, however, has improved, according to a recently-released Inspector General report.

The July 7, 2009 memorandum establishing sensitive review procedures at DHS included extensive reporting requirements, including updates to the White House about agency disclosures.  The DHS Inspector General politely described this, in a March 2011 report, as “unprecedented.”  It “created inefficiencies that hampered full implementation” of the FOIA.  More troubling, the policy had the practical effect of targeting media organizations and critics of the Administration.  Agency officials regularly delayed requests from media outlets, for example, so that they could develop a public response to damaging records.  And other disclosure decisions were sometimes based on the political affiliation of a requester.

Now, in response to a June 2015 request from the U.S. Senate Homeland Security and Governmental Affairs Committee, the Inspector General has published a new report that revisits its earlier findings and suggests that the culture of FOIA politicization at DHS has improved.  Since 2011, DHS has “reduced the number of days that political appointees . . . have to review releases from 3 days to 1 day.”  The sensitive review process has been renamed the “1-Day Awareness Notification Process.”  And, in most cases, FOIA officers “no longer wait for approval before releasing responses to significant FOIA requests” because it is “not required.”  An audit of 57 “significant requests” showed that none were delayed because of political appointee intervention.

These findings are positive.  The more limited involvement of fewer political appointees—“an advisor to the DHS Secretary, an official in the Office of Public Affairs, and the Chief FOIA Officer”—as well as a shorter “notification” period, limits the potential for politicization while respecting agency leadership’s concern for being kept aware of disclosures that might ignite media attention.  The apparent removal of any sort of necessary “clearance” authorization from political staff, or the removal of a requirement to obtain such clearance before release, is also a helpful development.  Oddly, DHS’s revised procedures are only “informally documented” in a “2012 email” and “2015 draft guidance.”  According to the Inspector General’s report, the DHS Privacy Office aims to finalize them by the end of the year.  The sooner, the better.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

A Warrantless Phone Search, A Dangerous Precedent

Washington D.C. – Cause of Action Institute (“CoA Institute”) today filed an amicus curiae brief in support of Defendant Hamza Kolsuz who in February, 2016 was arrested at a Virginia airport attempting to board a plane bound for Istanbul, Turkey.

At the time of his arrest, U.S. Department of Homeland Security (“DHS”) Customs and Border Patrol (“CBP”) officers seized Mr. Kolsuz’s iPhone and subsequently ordered a month-long, warrantless forensic search, resulting in nearly 900 pages of detailed information, including Mr. Kolsuz’s internet-browsing history, text messages, emails, and various geographic locations he had visited. Under a 2014 Supreme Court case, any search of a cellphone seized during an arrest requires a warrant.  

While Mr. Kolsuz filed a legal motion to suppress the evidence obtained without a warrant, the presiding judge ruled that the search constituted a border search, and was therefore legal under a narrow exception to the Fourth Amendment. Mr. Kolsuz was found guilty and sentenced to thirty months in prison.

We believe the District Court erred in allowing the evidence. Our brief urges the court to reverse the previous decision and grant Mr. Kolsuz a new trial.  While in certain circumstances, a border search may be conducted without a warrant, in this instance the governmental interests that justify this exception were not in play because neither Mr. Kolsuz nor his phone were crossing any border after his arrest. 

The brief states:

At the time of the search, neither Mr. Kolsuz nor his smartphone were in the process of crossing any border. The Government was not furthering any interest in prohibiting the entry or exit of contraband, enforcing currency control, levying duties or tariffs, or excluding travelers without the property documentation to enter the country…

The privacy interests inherent in electronic devices are so high as to require a minimum of probable cause to justify their search.  Any less protection will continue to chill First Amendment protections, harm business interests, and violate the Fourth Amendment rights of Americans to be free from unreasonable search and seizure.

Federal customs agencies have essentially turned what was supposed to be a narrow exception to the Fourth Amendment’s warrant requirement into a loophole to search anyone’s cellphone or laptop without any reasonable suspicion or probable cause to suspect them of a crime.  Under current DHS “guidance,” anyone who travels internationally can be detained, asked to grant a customs agent access to their cellphone or laptop (including their social media accounts, email, and other remotely-stored information), and even face seizure of their device for off-site searching if they refuse to consent to the search.  News reports have detailed the recounts of many Americans who have been subjected to this policy.  DHS searched 5,000 electronic devices in February of this year alone.  

In addition to the troubling implications under the Fourth Amendment’s right to privacy, the brief outlines how electronic devices are such a commonplace tool that modern business would be unable to function without them.  Journalists and legal organizations rely on smartphones, tablets, and laptops to communicate with sources around the world, store research and contact information, draft and publish news articles, and film or photograph live events, and upload stories to social media.  Similarly, lawyers routinely utilize laptops and smartphones as repositories of attorney-client communications and work product documents. Businesses also need such devices to perform proprietary work, transmit documents detailing trade secrets, and remotely access company information.   

The courts have carefully crafted legal balancing tests that recognize the need to protect certain information, like journalist sources, attorney-client privileged information, and confidential trade secrets, by allowing the government to access such privileged information only when certain compelling justifications exist. In this regard, the current DHS “policy” purporting to allow the agency unfettered access to information at the border does not only contravene the privacy rights of individuals, but also disrupts other carefully-created judicial safeguards that protect the information of businesses, journalists, and lawyers’ clients, from disclosure.

The brief was filed on behalf of Cause of Action Institute, along with the Committee for Justice, a nonprofit organization dedicated to promoting the rule of law, and Floor64 Inc. that publishes the online news site, Techdirt’s journalists routinely depend on the ability to protect its sources and private information.

The full brief is available here

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute:


CoA Institute Influences New DHS FOIA Regulations


The Department of Homeland Security (“DHS”) just finalized new Freedom of Information Act (“FOIA”) regulations.

Last year, Cause of Action Institute (“CoA Institute”) submitted comments to DHS in response to its proposed rule.  We urged the agency to remove the outdated “organized and operated” language from its definition of a representative of the news media.  This language has been used in the past to deny fee waivers to organizations like CoA Institute that are conducting investigations of potential agency wrongdoing.  For example, we had to take the Federal Trade Commission all the way to the D.C. Circuit just to get it to acknowledge that its FOIA fee regulations were outdated and that it was improperly denying us a fee reduction.

In deciding our case, the D.C. Circuit issued a landmark decision clarifying the proper definitions and application of fees in FOIA cases.  CoA Institute cited this case to DHS in its regulatory comments and DHS took heed of the current case law and removed outdated language from its regulations.

This is just another small step in our efforts to provide effective and transparent oversight of the administrative state.