freshidea - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

FBI accused of avoiding FOIA requests in the name of security

A lawsuit against the Department of Justice claims the FBI is using outdated technology in order to avoid fulfilling FOIA requests.

A new lawsuit against the Department of Justice claims the FBI has been actively crippling its database systems to exploit a loophole in FOIA request regulations and to avoid supplying information.

Ryan Shapiro, a Ph.D. candidate at MIT and research affiliate at Harvard's Berkman Klein Center for Internet and Society, filed the lawsuit alleging the FBI has purposely failed to fulfill FOIA requests by using an outdated and badly designed search system. Shapiro charged that the FBI has intentionally used an ineffective search method, and then claimed it cannot find the information he has requested.

"When it comes to FOIA, the FBI is simply not operating in good faith. Since the passage of the Freedom of Information Act (FOIA), the FBI has viewed efforts to force bureau compliance with FOIA as a security threat," Shapiro said. "Over the years, the FBI has established countless means by which to avoid compliance with FOIA. One of the chief means by which the FBI accomplishes this is to search for records in such a way that the search routinely fails by design."

According to Shapiro, the FBI is taking advantage of a loophole in FOIA rules.

"The FOIA statute doesn't require an agency to locate requested records. Rather, it requires an agency to conduct a search 'reasonably calculated' to locate the records," Shapiro said. "By utilizing deliberately deficient FOIA search methodologies, the FBI superficially appears to be in compliance with FOIA without having to actually locate, and, therefore, potentially release, many records."

The Central Records System (CRS) database holding the FBI records cannot be searched, so the FBI must instead search a mirror of the database, called the Automated Case Support (ACS) system, which has three possible methods for searching. Shapiro claimed the FBI does not use full-text search methods and instead intentionally uses what he called the worst method of search, UNI (Universal Index), which, he said, has been designed to fail.

Operation Mosaic

UNI is an index of search terms within the CRS. Shapiro said this is extremely problematic as a search tool, because in order for a record to show up in the UNI, the proper search term has to have been indexed. These terms are indexed by an FBI agent who goes through a report "with a marker, and you draw a line under every term you want indexed." Shapiro said it is up to the individual agent to decide what is important enough to be indexed, and only "a few key things" will be indexed within a document.

"Not only is it arbitrary, but it's also very inconsistent. So, I have multiple examples of the same document sent by headquarters and two different FBI field offices, and this document gets indexed by different people and the indexing is totally different," Shapiro said. "Even FBI RIDS [Record/Information Dissemination Section] section chief David M. Hardy himself concedes in court declarations that the indexing of records by the FBI essential to UNI searches is characterized by a largely discretionary and even arbitrary set of practices not designed for the purpose of effectively locating records responsive to FOIA requests."

Shapiro said this failure of the database indexing was proven with his research into Operation Mosaic, which Shapiro described as "an FBI program to try and limit the FBI's obligations under FOIA, [and] to grant the FBI functional immunity from the Freedom of Information Act."

"In 1974, when FOIA was amended to apply to the FBI and the other intelligence agencies for the first time, all of the intelligence agencies freaked out and tried to do anything they could to kill FOIA, or to exempt themselves from it. And the other agencies had a lot better success than the FBI did," Shapiro told SearchSecurity, adding, to this day, the National Security Agency has no obligation to comply with FOIA requests. "By the late 70s, the FBI realized they had lost the efforts to statutorily exempt themselves from FOIA, and so they were looking for ways to appear to be in compliance of the act, but get to avoid compliance."

Operation Mosaic was an early effort to accomplish this, and Shapiro said the operation is unlikely to be indexed by UNI because it is not the subject of an investigation, a victim or suspected perpetrator of a crime. As such, despite Shapiro having copies of FBI documents pertaining to Operation Mosaic, he was not able to obtain more via FOIA requests because the FBI claimed a search of its database returned no results, which is what prompted the latest lawsuit by Shapiro against the DOJ.

As recently as December 2014, Hardy, the FBI RIDS chief, contended in court proceedings pertaining to another lawsuit by Shapiro that full-text searches are too difficult to perform in response to FOIA requests.

"Full-text searches are considered an extraordinary measure that is unduly burdensome and not reasonably likely to locate responsive records. In fact, in RIDS' experience, full-text searches generally return a significant number of 'hits' that are random and incomplete references," Hardy said, claiming the act of sifting through these hits results in "a significant use of time and resources that yield no additional responsive information" for FOIA requests. "As such, the ACS index search of the CRS is the key to locating information."

Shapiro said this assertion is "absurd on its face."

"The FBI's assertion is akin to suggesting that a search of a limited and arbitrarily produced card catalog at a vast library is as likely to locate book pages containing a specified search term as a full-text search of database containing digitized versions of all the books in that library," Shapiro said.

The FBI would not comment specifically on its systems or on any pending litigation, but a spokesperson noted there is a more modern database system that has been in use since 2012.

"Sentinel is the FBI's case management system and was implemented FBI-wide on July 1, 2012," an FBI spokesperson told SearchSecurity. "The Sentinel case management system builds on the Automated Case Management System and shares its operational purpose; Sentinel provides a modern portal to locate information within FBI records."

Shapiro said this statement by the FBI should be read "hyper-literally," and no implications should be gleaned from it.

"The FBI makes no statement one way or another as to whether FBI is using ACS instead of Sentinel for FOIA search purposes, regardless of what FBI might be doing for non-FOIA search purposes," Shapiro told SearchSecurity. "There is no question FBI is still relying upon ACS for FOIA search purposes. Ask FBI this question directly. They will not tell you, otherwise."

The FBI has not responded to follow-up questions as of this publication.

Next Steps

Learn how a surge in FOIA requests creates business for open records software companies.

Find out how Universal Credit documents show government projects should be open and transparent.

Get info on how the U.K. government failed on its election transparency pledge.

Dig Deeper on Government information security management