The D.C. Circuit has denied the appeal of the Electronic Privacy Information Center (EPIC) as it attempted to seek communications between Google and the National Security Agency (NSA) concerning a January 2010 cyber attack on Google. Elec. Privacy Info. Ctr. v. NSA, 2012 U.S. App. LEXIS 9571 (D.C. Cir. 2012).
The attack targeted the e-mail accounts of Chinese human rights activists. It was reported that Google contacted the NSA immediately after the attack, and "former NSA director Mike McConnell commented in the Washington Post that collaboration between NSA and private companies like Google was 'inevitable.'" EPIC filed a Freedom of Information Act request in an attempt to learn more about how Google and the NSA may be working together.
The NSA refused, arguing a FOIA exemption as well as an exemption under the National Security Agency Act. EPIC argued that the exemptions did not apply, but the D.C. Circuit disagreed:
[I]t is apparent that any response to EPIC's FOIA request might reveal whether NSA did or did not consider a particular cybersecurity incident, or the security settings in particular commercial technologies, to be a potential threat to U.S. Government information systems. Any such threat assessment, as well as any ensuing action or inaction, implicates an undisputed NSA "function"—its Information Assurance mission—and thus falls within the broad ambit of Section 6 of the National Security Agency Act.