Caging Public Records Under Lock & Key

How Agency Password-Protection of Public Records Violates FOIA’s Text and Purpose

For the past six or so years, FOIA requestors have grown accustomed to receiving two emails from DHS agencies when they release public records. The first is an email with the records. The second is an email with the password to open the pdf containing those records. This is true even when the records themselves contain no personally identifiable information. This is true even where the records are not about any individual.

Around 2017, DHS FOIA offices began imposing an additional, unwritten (likely unlawful) barrier on publicly disseminating records these agencies release. Sure, you can have the records, but the pdf file containing them is password-protected. That means you can’t publicly post the file without posting the password. It means you can’t share the records without also sharing the password. And it means if you happen to lose the password or if the government forgets to send it, the file containing those records becomes worthless.

Does releasing “public” records to under digital lock-and-key violate the Freedom of Information Act? Our project filed some public records requests to find out. In FOIA requests to DHS, DOJ-OIP, CBP, and ICE, we asked the agency to explain the legal and policy basis requiring an access key provided to only a single individual before viewing public records.

In our request to DHS’s FOIA office, we laid out the problem as we’ve experienced it:

In recent years, your agency FOIA Office has required FOIA requestors to access agency records using a government-created password that is unique to the file containing responsive documents. The FOIA Office accomplishes this either through requiring FOIA requestors to utilize a 6-8 character password delivered by a second or separate communication.

Practically speaking, this doubles the number of communications the agency must generate in turning over responsive documents, and prevents widespread public dissemination of the records by restricting their access only to the requestor receiving the password. Your agency is thus doubling the work it does at one point of the FOIA response process while reducing significantly the transmissibility of the public records it provides. This is occurring at a time when multi-year backlogs and court orders plague timely access to vital information about the agency’s function.

All of this would be understandable and unavoidable if Congress required such actions. But it did not. The Freedom of Information Act and DHS’s FOIA regulations contain no language requiring public records to be password-protected. See 5 USC 552, and 6 CFR 5.1 et seq. Indeed, these authorities arguably prohibit such actions, because they constitute a conversion of the records from their original format into one constituting a completely new, password-protected document

We explained to DOJ-OIP the practical problem with password-protecting public records in our administrative appeal:

This makes the records less accessible by requiring an additional step before accessing them, a step which is controlled by the requestor. By conditioning access to public records on access to the password the agency attaches to them and provides the requestor, the agency risks not actually releasing the records publicly at all, but rather, engaging in a private distribution regime that flies in the face of the Act’s purpose and text. If, for instance, the agency must weigh the risk of foreseeable harm if certain private information becomes public, but the manner the agency uses to release the record doesn’t automatically render the information public, should the agency take that into consideration when weighing the harm?

In requests to DHS FOIA offices, we pointed out that password-protection itself undermines the agency’s ability to timely respond to FOIA requests:

Because your agency’s FOIA Office suffers from longstanding, unabated backlogs and extended, multi-year processing times of the kind expressly condemned by Congress in amending the FOIA, because your agency’s password protection practice appears to have no basis in law, and because this practice represents a potential obstacle to every FOIA requestor, including those seeking expedited processing, this policy impacts the substantial due process rights of requestors, and raises serious questions as to your Office’s capacity to discharge its obligations under the law, threatening public confidence in its functioning, we respectfully request expedited processing pursuant to 6 CFR 5.5(e).

So what did we seek?

Please provide any agency record documenting: (a) the legal authority from which your FOIA Office claims it derives the power to place non-exempt public records responsive to FOIA requests into a password-protected document.

(b) the Standard Operating Procedure used by your FOIA Office to assign non-exempt records a password.

(c) any contract materials with any third-party reflecting monies paid by your agency to outside contractors for password-protecting FOIA documents.

(d) any record reflecting the total time FOIA Office personnel dedicated during FY20, FY21 and FY22 (to date) to password-protecting records.

(e) any governing policy denoting when password protection is appropriate, and when it is not.

What’d the agency’s provide?

Back in December 2022, DOJ-OIP confirmed it has no records authorizing DHS to apply password protection to FOIA records.

In August 2022, CBP denied the existence of responsive records, but helpfully identified the source of authority it claims when it applies password protection. CBP claims FOIA records are subject to the Department-wide policy on Safeguarding Personally Identifiable Information. Specifically, CBP cites a December 4, 2017, DHS policy requiring DHS employees and contractors to prevent unauthorized disclosure of PII while carrying out their duties.

But wait: Exemptions 6 and 7C set forth statutory safeguards on the same information. The DHS policy, as applied to FOIA releases, thus imposes additional limitations on the distribution of purported PII. But the PII itself is missing. So CBP’s rationale, and the application of the DHS Safeguarding PII policy to FOIA, seems to contravene the statute.

ICE contended it has no responsive records. We find this a helpful admission, given that FOIA’s affirmative disclosure obligations, 5 USC 552(a)(1) and (2), forbid agencies from enforcing unpublished or unwritten policies affecting members of the public against parties in proceedings without giving those parties timely, accurate notice of the secret policy. Since ICE has not done so, and indeed, has claimed no such secret policy exists, the agency violates FOIA’s affirmative disclosure mandate. Consequently, it forfeits the right to password-protect its FOIA releases in litigation pursuant to 5 USC 552(a)(2)(E).

Notably, ICE FOIA’s password-protection practices are absent from the agency’s own FOIA training materials. We had to jailbreak this pdf to post it on DocumentCloud because ICE applied password protection to it. That was possible with fairly limited effort because we had the password. But if we didn’t — if we’d found the file but not the password email attached to it — we could not post it online and share it with you. This is one concrete harm password-protection visits upon the requesting public. It makes records we get harder to share by requiring more effort from us to share them.

Finally, DHS provided no records, lost an administrative appeal and then ignored the order of the administrative law judge on remand.

So what is to be done?

Power concedes nothing without a demand.

1. Requestors should specifically demand release of records without password protection in their initial request language.

2. Requestors receiving rolling productions from the agencies can demand in writing that password protection be removed. One DKTI partner recently got a password protection removed within 4 hours simply by lodging a written objection with the AUSA assigned to the litigation upon receiving the agency’s release.

3. Requestors as a community might demand the FOIA Public Liaison for their agency define the circumstances under which password protection applies.

4. Litigators might demand a federal court enjoin the practice of password-protection in their cases, as this practice enjoys no legal basis or policy support, and the absence of such policy means the agency cannot enforce it consistent with 5 USC 552(a)(2).

Password protection is detrimental to broad dissemination of public records. It imposes unjustified costs and burdens on the agency and the requestor alike. So what’s the argument for doing it?

Maybe the DHS Safeguarding PII policy works when there’s a first-party request for your own records and you’ve got a privacy waiver allowing the release of things that’d otherwise be subject to Exemptions 6 and 7C. But that doesn’t justify blanket password protection, which is what we’re seeing from agencies.

Instead, the effect of the password is to keep public records under lock and key, and to cage the information they contain. This makes each requestor the gatekeeper, and the password the single-source key to what’s inside. That dynamic is so, so far from a public release, and thus falls short of FOIA’s promise of transparency.

If you’ve had experiences with the challenges posed by password-protection or experiences challenging these password practices, we’d love to hear from you.