The co-directors of the Transactional Records Access Clearinghouse (TRAC) filed this Freedom of Information Act (FOIA) lawsuit against Immigrations and Customs Enforcement (ICE) and Customs and Border Protection (CBP) for their failure to disclose records responsive to FOIA requests seeking technical documentation for and data extracts from several immigration-related law enforcement and operations databases.
Both parties moved for summary judgment. Plaintiffs argued that defendants’ Exemption 7(E) claim to withhold records of the structure and metadata of the databases and technical documentation for the databases failed because the records did not reveal techniques, procedures, or guidelines for law enforcement investigations or prosecutions. Plaintiffs also argued that the risk of a cyber-attack that defendants contended would result from disclosure of these records was not a “circumvention of the law” within the meaning of Exemption 7(E), and it was not a risk that was reasonably expected to materialize from disclosure. Plaintiffs also contended that, because ICE and CBP had not invoked any FOIA exemptions to withhold the data extracts, defendants were required to disclose them. Defendants’ argument that they lacked the technological capability to produce the extracts could not excuse their obligation to comply with FOIA and disclose non-exempt records.
The district court, in a series of summary judgment rulings, held as a legal matter that Rule 7(E) was potentially applicable because database structures could reveal techniques, procedures, or guidelines, and successful attacks on government databases could constitute circumvention of the law. The court held, however, that factual disputes remained as to whether the information revealed would threaten the security of the databases. The court conducted an evidentiary hearing in May 2018, and received further briefing.
In June 2020, the court issued a decision finding that, although the agency had justified some withholding, some of the withheld materials were not exempt because their release would not threaten the security of agency databases and such materials were segregable. The court also held that the agency had failed to provide any factual basis for withholding of one of the responsive documents. The court ordered the agency to conduct a segregability analysis and to produce the withheld document. The agency’s segregability analysis proposed to spend more than 66 years reviewing records and omitted the key records in the case. Following discussions between the parties, the court ordered the agency to submit briefing on the scope of the agency’s obligation to review and produce records. The parties submitted those briefs in September 2020.
In 2021, the court ruled that ICE must produce data dictionaries and code lookup tables for two important databases, but permitted limited redactions. Over the next year, ICE produced those materials but redacted information beyond what the court’s orders permitted. The court then ordered a round of supplemental briefing on whether ICE’s redactions complied with the court’s earlier rulings. ICE submitted its opening brief in March 2023, and the plaintiffs submitted their response brief in April 2023.