FOIA

Government Officials' Internet Browsing Histories Are Not Agency Records under FOIA

The D.C. Circuit rejects an effort to obtain internet browsing histories under the Freedom of Information Act

|

The Cause of Action Institute sought to obtain the internet browsing histories of several government officials, including the Secretary of Agriculture and Director of the Office of Management and Budget, under the Freedom of Information Act (FOIA). A district court rejected their claim, concluding that browsing histories are not agency records under FOIA. Yesterday a panel of the U.S. Court of Appeals for the D.C. Circuit agreed.

In Cause of Action Institute v. OMB, Judge Rao (joined by Judges Srinivasan and Sentelle) agreed with the district court that federal agencies do not exercise the requisite degree of control over internet browsing histories for the histories to constitute agency records subject to FOIA disclosure. As Judge Rao explained, the "agencies' retention and access policies for browsing histories, along with the fact they did not use any of the officials' browsing histories for any reason, lead to the conclusion that these documents are not agency records."

Interestingly enough, the court's reasoning suggests that the outcome could change were a federal agency to exercise greater control over government officials' internet browsing histories, such as by limiting the ability of individual officials to delete or modify their histories. I would not expect that to happen, however. Under the assumption that most federal agencies try to resist FOIA most of the time (a safe, if ungenerous, general assumption about agency behavior), the decision is also likely to dissuade agencies from adopting policies that could make internet browsing histories subject to FOIA in the future.

NEXT: Federal Government Lawyer Suing for Employment Discrimination Can’t Sue Pseudonymously,

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. So, “Judge Rao (joined by Judges Srinivasan and Sentelle) agreed with the district court that federal agencies do not exercise the requisite degree of control over internet browsing histories for the histories to constitute agency records subject to FOIA disclosure.”

    Are system backups, nearly all automated and synced to gov servers subject to FOI? Then FOI the user profile directory, and you have the histories.

    And if you have the sys backups, then the dept DOES have requisite degree of control, often to incremental backups over the course of a day.

    1. Computer backups are collections of records and other files, so the backup would not be subject to FOIA as an indivisible whole. And usually (certainly at the federal level, I think Florida and perhaps other states differ) freedom-of-information and other record management laws distinguish between the official record copy and copies made for convenience or other purposes. The copies are usually not subject to independent production under FOIA requests — you can get a copy of the record if the original is responsive to a request, but in most FOIA regimes you cannot submit a request for a copy as such.

      1. The dictionary definition is the meaning of a word. The Supreme Court ruled that over 100 times. This notpicky, pettifogging, loophole seeking decision shows judge decide on bias, feelins, and acculturated preferences. Their bias always favors big government.

        The record of searches will show a bunch of time spent on porn, including illegal child porn, or on video games by video addicts. Again that is not damaging. Use anti-Slapp against defendants using information about searches for political attack, unrelated to the embarassing truth about searches.

        Courts should embrace critical thinking, as should all Rules of Procedure. It should become a required prelaw course to modernize this uterly failed profession.

        1. Even if embarrassment is the sole consequence, it will benefit the taxpayer. Please, spend more than one hour of your eight hour work day on work for the taxpayer. Your spending time on other subjects will be public knowledge.

          1. During Zoom business meetings, I am spending time on the Volokh Conspiracy. If a supervisor starts to read it, and sees the time stamps on my Comments, I could be in trouble. Loving correction of the lawyer profession is better than porn.

            1. If a supervisor reads the content of your comments, the time stamps are going to be the least of your problems.

    2. LOL if you think government infrastructure is modern enough for automated synced backups.

      I’m a government worker, and we don’t have anything like that for anything that isn’t e-mail.

      1. Probably not true, when I worked at the city of Seattle they did have the capability of tracking browsing history of employees. It actually came up in a couple of cases where they couldn’t avoid it

        But for the most part that was the last thing they wanted to track. They deleted the logs early and often, because it was nothing but trouble.

      2. God that is scary = if you think government infrastructure is modern enough for automated synced backups. I’m a government worker, and we don’t have anything like that for anything that isn’t e-mail.

        Seriously? I am not being facetious. With all the trillions we piss away, we don’t have a decent IT backbone? What the hell are government IT people doing with the billions they get? My home network gets synced and backed up, and this backup is synced between three locations, Sarcastr0.

        1. He just doesn’t know that they do backups.

        2. I’ve been trained on Federal recordkeeping, and we put federal records on a global drive that is presumably backed up, but plenty of what we do isn’t so covered.

      3. S_0,
        At least some gov’t labs do keystroke logging on a rather regular basis with only the slightest triggers

    3. That’s the point, system logs are not agency records are you going to supply all the emails the guys wife is sending him about her therapy, which are also in the email logs?

      We all know that we should keep that off the official email or browsing, but it’s not foolproof, and it doesn’t mean its an agency record.

      1. Using government owned equipment for personal use is nearly always a violation of acceptable use policies, and typically grounds for dismissal, at least from my times of interacting with gov systems as a software contractor and as an employee of a defense contractor.

        1. Excessive personal use can get you in trouble. A certain amount of personal use of the computers and phones is expected, and explicitly permitted in most cases.

          Just don’t try to run a business (especially not an “adult” dating service) off the department web servers.

          1. De minimus use is generally permitted EXCEPT in certain areas: e.g., using the govt system for personal gain and or finances, gambling, pornography, political action, lobbying. doing anything that would embarrass the institution.

        2. Sure, that is always true, government or private, but realistically, it always occurs. My employer does not care if I spend ten minutes checking my bank account on a laptop, and if they did I would not be as keen to work there.

          Its like, sure, having a quick conversion at the coffee station is technically using employer time, but cracking down on that would piss off a lot of people, be objectively unreasonable, and that sort of conversation might even be encouraged to build comradery between everyone.

    4. Maybe you recall the IRS targeting scandal, when we got a peek at the IRS’ data preservation policies. Spoiler: They’d have been better termed “evidence destruction” policies. They went into great detail about mandatory erasure of backups after an embarrassingly short period.

      They literally were more focused on making sure evidence would be destroyed, than preserving important data.

  2. On the spectrum between basic privacy for governmental employees to allow them to actually make reasoned decisions and everything is hidden zero accountability, the browsing history of an employee seems well to the former.

    Like I doubt even my IT department is going through the browsing historys of all employees, seems like a massive waste of time (though it would explain why they take forever to do simple things like fixing my damn system …)

  3. Plus I doubt the browsing history is related to agency business anyway.

    Unless it’s the Agency of Big-Asses, Tits, and Female Erotica.

    1. Okay, that’s funny.

      1. sm811…Let me ask a question. So internet history is not considered an agency record (as it has been here). Now suppose you have a government employee download child porn. And that child porn is discovered through routine IT surveillance executed by automated programs. The employee is dismissed. In arbitration, the government enters the employee’s internet search history into evidence as a justification for dismissal.

        Does that kind of scenario change the reasoning as to why internet browsing history is not considered an agency record? Should it?

        1. Wouldn’t that depend on how “agency record” is construed?

          For the federal government, see 44 U. S. Code section 3401; it turns on whether the browsing history itself is “evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government”. Is the computer history “evidence of the” decision to fire the employee, or is the letter of dismissal, along with an arbitrator’s ruling, the relevant record that is evidence of the decision? (I don’t think the Internet use itself would be considered operations or activity of the USG, because the employee is being fired for improper use of government resources.)

          1. My thinking is that if you open the door, if even a crack…internet search history used as evidence in dismissal…it changes the rules for everyone else in government. Or does it?

            1. I don’t see that C_XY.
              It is easy enough for the employer to transform the browsing history into paper records or other discoverable materials

        2. Only a government lawyer would be stupid enough to enter the search history when the actual porn was downloaded.

        3. C_XY,
          What is done is that a browsing record is downloaded, printed and put into the employee’s file along with all actions that derived from the discovery of prohibited activities. That file is a discoverable agency record.

          1. Ah….That makes sense, Don Nico.

            1. I suspect the reasoning is also largely based on ‘we have never done it this way’ and ‘because we don’t want to accommodate your request.’ Your example of the criminal proceeding demonstrates why electronic records such as browser history on government computers, are indeed ‘actionable’ material under FOIA requests. Or, so I believe, since both federal and local governments would treat them as such in your example. I stated the same in the morning roundup, but this seems like the govt dragging its feet, with a sympathetic judge to help.

    2. We did have an employee at city of Seattle who’s computer was searched for child porn. He went out and drowned himself over the weekend.

      The Mayor at the time was credibility accused of raping at least 7 underaged boys, nothing much ever happened to him.

      The city got fucked good though.

  4. As a former government employee with an extensive browsing history, unrelated to employment, the worst they’re going to find is an obsessive online stalking of Mariners prospects that were highly touted but ultimately were never worth a damn.

    1. Mine would show, we should probably hire these guys on stack overflow, they know all the stuff this guy is supposed to know.

  5. Why bother with a FOIA request? Just pay a few bucks, form a company, and pay google and them for “marketing research”. Or buy an NSA analyst a couple of dinners.

  6. Leaving aside if the factors were properly applied to these facts based on precedent…. this is a very weird test.

    “The agency doesn’t control the histories, the employees do.” Um, the employees ARE THE AGENCY. Respondeat superior and all that.

    “They agency doesn’t control the histories, they just set retention periods.” Um, isn’t that control?

    Also, doesn’t the agency control the employees? And doesn’t the agency control the computers they use? And doesn’t the agency control the internet used to do this browsing?

    If somebody says “Employee Johnny was looking at porn when I walked past” don’t you doubt for a second they would insist on control of the browsing histories and the ability to look at employees’ histories at any time.

    “an agency does not necessarily ‘control’ every document found in its digital storage”. That’s just…. wow.

    1. Precedent recognizes a difference between agency records and personal records: https://www.justice.gov/oip/blog/foia-update-oip-guidance-agency-records-vs-personal-records

      As for “control”, context is important. If an agency employee downloads a copy of the US Constitution, perhaps in a fit of curiosity, does that mean the agency controls the Constitution? If someone composes a personal email to their spouse or counselor on a government system, does the agency control that email?

      1. They control the digital copy and the associated metadata.

      2. “does that mean the agency controls the Constitution” The agency would control the copy of the Constitution.

        “does the agency control that [personal] email” If it was sent on a government email account and/or a government computer, yes, or at least the copy kept in the “sent” folder.

        These are easy questions. These are electronic files kept on government computers. Of course they are in the government’s control

  7. I can’t speak to the DA or OMB, but I can testify that the DoD *does* prevent users from deleting their browsing histories, irrespective of whatever system-level monitoring and logging the network imposes. The browsers will tell you up-front when you are viewing your browsing history, “this setting is controlled by your system administrator,” or words to that effect; I will have to refresh my memory tomorrow.

  8. This is a slippery slope.

    Browser history is a fundamentally a usage log. Are logs of who enters buildings subject to FOIA? Are visitor logs to government offices subject to FOIA? Are chain of custody records subject to FOIA?

    Each of these examples are logs. Why would an exception be created for a log of personal usage on a government-owned, government-controlled asset?

  9. VC slashdotting Reason. Very impressive.

    My question would be how the government can exercise sufficient control over a record that hasn’t been compiled yet out of the raw data in memory. The agency must be in control of the record at the time the request was made, not in control of sufficient underlying data to compile the record. Or, even better, if it’s on a remote server for a signed-in user; Google isn’t manually compiling a pen register of every website visited by every user, and then scotch-taping it to the side of the server rack to maintain the record for government use.

    Disclaimer: I know nothing about the law here, beyond the opinion and a quick look at a DOJ primer.

    Mr. D.

Please to post comments