In the last few days, Hillary Clinton’s campaign has backed efforts to recount votes in key states. In addition to being a close election, many commentators have endorsed the recount efforts to address concerns over hackers [1] tampering with the election process. Coincidentally, a court decision from last week provides a glimpse of the concerns the Federal Election Commission (FEC) had prior to election night.
In Levinthal v. Federal Election Commission [2], Dave Levinthal, an investigative reporter for the Center for Public Integrity, filed a request under the Freedom of Information Act (FOIA) seeking information from the FEC. Specifically, the plaintiff was seeking a copy of a study that reviewed vulnerabilities in the FEC’s information technology systems and the recommendations to address those vulnerabilities and any emails and documents related to the study. The FEC produced non-exempt materials related to the study, but withheld the study itself. Levinthal filed suit based on allegations that the FEC did not fully comply with the FOIA request.
The FEC conducted this study to determine how to implement new guidelines published by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST Study). The NIST Study was intended to seek out measures for the FEC to implement “to protect its infrastructure from ‘wrongful interference, circumvention, or unlawful action by unauthorized persons.’”
After refusing to disclose the results from the NIST Study, the FEC filed a motion for summary judgment arguing the NIST Study was exempt from disclosure as a “law enforcement record.” Specifically, FOIA allows an agency to withhold information: (1) if it is “compiled for law enforcement purposes;” (2) if its release “would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions;” and (3) such “disclosure could reasonably be expected to risk circumvention of the law.”
Importantly, the FEC’s Chief Information Officer provided evidence to the court that the NIST Study “provides a blueprint to the Commission’s networks” and that its public disclosure “could thus enable hackers to bypass the Commission’s current protection mechanisms.” And, in agreeing with this premise, the District Court stated:
This court observed in Long v. Immigration and Customs Enforcement, 149 F. Supp. 3d 39, 53 (D.D.C. 2015), that “[j]udges are not cyber specialists, and it would be the height of judicial irresponsibility for a court to blithely disregard…a claimed risk” of a cyber-attack or a security breach. The court will not disregard such risk in this case. Accordingly, the court finds that the NIST Study satisfies the second prong of the “compiled for law enforcement purposes” inquiry.
Based the evidence provided by the FEC’s Chief Information Officer, the District Court granted the FEC’s motion for summary judgment and found the NIST Study was exempted from disclosure.
This opinion provides insight beyond the questions concerning the IT systems underpinning the recent Presidential Election. From a practical standpoint, while this decision addresses the narrow issue of whether the NIST Study was subject to a FIOA request, it also provides guidance on the broader proposition that courts are willing to acknowledge cyber risks. And, more than merely acknowledging that risk, this court was willing to base its decision on the FEC’s “cyber specialist’s” opinion that there was a cyber risk.