Long v. Immigration and Customs Enforcement , 149 F. Supp. 3d 39 ( 2015 )


Menu:
  •                            UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA
    _________________________________________
    )
    Susan B. Long, et al.,                       )
    )
    Plaintiffs,                            )
    )
    v.                              )             Civil No. 14-00109 (APM)
    )
    Immigration and Customs Enforcement, et al., )
    )
    Defendants.                            )
    _________________________________________ )
    MEMORANDUM OPINION AND ORDER
    I.     INTRODUCTION
    Plaintiffs Susan B. Long and David Burnham bring this suit under the Freedom of
    Information Act (“FOIA”).      Between October 13, 2010, and February 26, 2013, Plaintiffs
    submitted seven FOIA requests to two federal agencies, Defendant Immigration and Customs
    Enforcement and Defendant Customs and Border Patrol. They sought metadata and database
    schema from databases used by both agencies, as well as “snapshots” of data contained within one
    of the databases. Defendants produced some documents in response. But they withheld a host of
    others, relying on FOIA Exemptions 3 and 7 and claiming that producing certain responsive
    materials would be overly burdensome. Plaintiffs brought this suit claiming that Defendants
    violated FOIA by failing to provide them with all materials responsive to their requests.
    Upon consideration of the parties’ submissions and the record evidence, the court grants in
    part and denies in part the parties’ Cross-Motions for Summary Judgment.
    II.    BACKGROUND
    Plaintiffs Susan B. Long and David Burnham are Co-Directors of the Transactional
    Records Access Clearinghouse (“TRAC”), “a research center established by Syracuse University
    that gathers information about the functioning of federal law enforcement and regulatory agencies,
    analyzes the data, and publishes reports.” See Pls.’ Mot. Summ. J., ECF No. 18 [hereinafter Pls.’
    Mot.], Decl. of Susan B. Long, ECF No. 18-2 [hereinafter Long Decl.], ¶ 2. TRAC’s primary
    purpose is “to provide comprehensive information about the staffing, spending, and enforcement
    activities of the federal government.” Id. Plaintiffs submitted seven FOIA requests either to
    Immigration and Customs Enforcement (“ICE”), Customs and Border Patrol (“CBP”), or both,
    which are described in further detail below.
    A.      Requests for EID and IIDS Metadata and Database Schema
    1.      FOIA Request I
    By letter dated October 13, 2010, Plaintiffs submitted a FOIA request to ICE for
    documentation related to the Enforcement Integrated Database (“EID”). See Defs.’ Mot., Ex. 1,
    ECF No. 17-3 [hereinafter FOIA Request I]. The EID is a “shared common database repository
    for all records created, updated, and accessed by a number of [Department of Homeland Security
    (“DHS”)] law enforcement and homeland security software applications.” Defs.’ Mot. for Summ.
    J., ECF No. 17 [hereinafter Defs.’ Mot.], Decl. of Karolyn Miller, ECF No. 17-1 [hereinafter Miller
    Decl.], ¶ 12. EID “captures and maintains information related to the investigation, arrest, booking,
    detention, and removal of persons encountered during immigration and criminal law enforcement
    investigations and operations conducted by [ICE], [CBP], and U.S. Citizenship and Immigration
    Services.” Id. EID contains an array of personally identifiable information about persons detained
    for violating the Immigration and Nationality Act, including names, aliases, dates of birth,
    2
    telephone numbers, addresses, Alien Registration Numbers, Social Security Numbers, passport
    numbers, and employment, educational, immigration, and criminal histories. Id. ICE uses the EID
    database to manage cases from the time of an undocumented immigrant’s detention through the
    person’s final case disposition. Defs.’ Mot., Decl. of Fernando Pineiro, ECF No. 17-2 [hereinafter
    Pineiro Decl.], ¶ 47. Plaintiffs’ first FOIA request sought:
    (1) a copy of the records identifying each and every database table in the EID and
    describing all fields of information that are stored in each of these tables . . . (2) a
    copy of records defining each code used in recording data contained [in] the EID.
    This is a request for the contents of specific auxiliary tables—often referred to as
    code or lookup tables—within the database itself where this information is stored .
    . . (3) a copy of the EID’s database schema . . . [and] (4) records that identify the
    [Database Management Software (“DBMS”)] (e.g., Oracle, DB2, Sybase, SQL
    Server, etc.) including [the] Version No. used for the EID.
    FOIA Request I at 1. In other words, Plaintiffs “sought a complete set of documentation on the
    [EID].” Pineiro Decl. ¶ 6 (internal quotation marks omitted).
    2.      FOIA Request II
    On October 18, 2010, Plaintiffs submitted a second FOIA request to ICE for “a complete
    set of documentation on the ‘ICE Integrated Decision Support . . . Database,’” known as “IIDS.”
    Defs.’ Mot., Ex. 8, ECF No. 17-3 [hereinafter FOIA Request II], at 1. IIDS is “a subset of the EID
    database repository . . . [that] provides a continuously updated snapshot of selected EID data.”
    Miller Decl. ¶ 13. IIDS’ “intended purpose . . . is . . . to query EID data for operational or executive
    reporting purposes and is typically used to generate management reports and statistics from EID
    data.” Id. “Specifically, IIDS contains biographic information, information about encounters
    between agents/officers and subjects, and apprehension and detention information about all
    persons in EID.” Id. Plaintiffs’ second FOIA request sought the same information regarding the
    IIDS database that the first request sought regarding the EID database. See FOIA Request II at 1.
    3
    In summary, FOIA Requests I and II sought documents that disclose the fields, variables,
    codes, and structures of the EID and IIDS databases. It appears that TRAC, as part of its goal to
    provide the public with information about law enforcement agencies, filed the requests in an
    attempt to learn what types of data ICE and CBP collect and rely upon to perform their immigration
    enforcement duties.
    3.     Government Response to FOIA Requests I and II
    In response to FOIA Requests I and II, ICE conducted a search of the System Lifecycle
    Management repository database (“SLM”), which is “the authoritative place for technical
    documents associated with EID and IIDS.” Defs.’ Mot., Decl. of Jeff Wilson, ECF No. 17-6
    [hereinafter Wilson Decl.], at 5. SLM documents are divided into sections and, after searching the
    EID and IIDS sections of the repository, ICE personnel reviewed responsive documents. Id. The
    agency then released 97 responsive pages, with redactions, and withheld the remaining responsive
    documents. Pineiro Decl. ¶ 19. CBP did not search its records in response to FOIA Requests I
    and II. See Pls.’ Mot. at 10; Defs.’ Opp’n to Pls.’ Mot. for Summ. J. & Reply, ECF No. 25
    [hereinafter Defs.’ Opp’n & Reply], at 18.
    B.      Requests for Snapshots
    1.     FOIA Requests for Snapshots and Information About Snapshots
    Plaintiffs also submitted FOIA requests to both ICE and CBP for “snapshots” of data from
    the EID database. As noted, the EID database includes “information related to the investigation,
    arrest, booking, detention, and removal of persons.” Miller Decl. ¶ 12. ICE and CBP maintain
    several other databases, much like the IIDS database, that contain “subsets of EID data” and
    “provide . . . continuously updated snapshot[s] of selected EID data.” Pls.’ Mot., Decl. of Jehan
    A. Patterson, ECF No. 18-1 [hereinafter Patterson Decl.], Ex. A at 6. These snapshots allow CBP
    4
    and ICE “to query EID data for operational or executive reporting purposes.” Id. Collectively,
    the snapshots allow ICE to search all of the information contained within the EID database at a
    particular point in time. Wilson Decl. at 4. As described below, Plaintiffs’ additional FOIA
    requests sought copies of certain snapshots.
    On September 21, 2012, Plaintiffs submitted two FOIA requests to ICE. One sought
    information about snapshots. It requested “records identifying any extracts and ‘snapshots’
    prepared from the [EID] over the last 12 months, along with records relating to the frequency with
    which such extracts and snapshots have been prepared, who was responsible for preparing any
    snapshot or extract, the recipient(s) of the extracts/snapshots, as well as the EID system time
    required in their preparation.” Defs.’ Mot., Ex. 16, ECF No. 17-3 [hereinafter FOIA Request III],
    at 1. The other request sought a copy of a snapshot itself, in particular, a “current ‘snapshot’ of
    ENFORCE prepared for [IIDS] system.” Defs.’ Mot., Ex. 19, ECF No. 17-3 [hereinafter FOIA
    Request IV], at 1. ENFORCE consists of several “applications” that allow “DHS personnel [to]
    create, modify, and access the data stored in the EID’s central data repository.” Patterson Decl.,
    Ex. A at 2.
    On February 25, 2013, Plaintiffs submitted a fifth FOIA request, this time to CBP, which
    sought a “current ‘snapshot’ of [the] EID database prepared for [the] CBP data warehouse.” Defs.’
    Mot., Ex. 21, ECF No. 17-3 [hereinafter FOIA Request V], at 1. The next day, Plaintiffs submitted
    two final FOIA requests. The first was sent to ICE and sought “a current ‘snapshot’ of [the] EID
    database prepared for the EARM Data Mart.” Defs.’ Mot., Ex. 23, ECF No. 17-3 [hereinafter
    FOIA Requests VI], at 1. The second, which was sent to both ICE and CBP, sought “the current
    ‘snapshot’ of [the] EID database prepared for EID Data Mart.” Defs.’ Mot., Ex. 23, ECF No. 17-
    3 [hereinafter FOIA Requests VII], at 1. The EARM Datamart and the EID Datamart, like the
    5
    IIDS database, contain subsets of data from EID and are “typically used to generate management
    reports and statistics from EID data.” Patterson Decl., Ex. A at 6. Specifically, the EARM
    Datamart, which is used to track cases of undocumented immigrants who are in the removal
    process, Pineiro Decl. ¶ 47, contains a host of information about immigration court proceedings
    and the detention statuses and locations of persons subject to such proceedings, Patterson Decl.,
    Ex. A at 7. And the EID Datamart contains data on, among other things, arrests and removal
    processing, including personal information about persons subject to those proceedings. Id. at 7.
    2.     Government Response to FOIA Requests III through VII
    In response to FOIA Request III, ICE disclosed nine pages of records that it asserted were
    responsive to the request, with redactions pursuant to FOIA exemptions 6, 7(C), and 7(E). Pineiro
    Decl. ¶ 27. Neither ICE nor CBP, however, produced copies of the snapshots Plaintiffs requested
    in FOIA Requests IV through VII.
    3.     Summary of FOIA Requests
    In summary, TRAC submitted seven FOIA requests. Five were directed to ICE only,
    together requesting EID and IIDS metadata and database schema, as well as snapshots of data from
    the EID database and information about those snapshots. See FOIA Requests I, II, III, IV, and VI.
    One was directed to CBP only, requesting a snapshot of certain EID data. See FOIA Request V.
    And one was directed to both ICE and CBP, again seeking from each agency a snapshot of certain
    EID data. See FOIA Request VII.
    C.      Procedural History
    Plaintiffs filed this action on January 29, 2014, alleging that Defendants’ searches were
    inadequate and that Defendants improperly withheld responsive materials under FOIA. See
    generally Compl., ECF No. 1. On October 9, 2014, Defendants filed a Motion for Summary
    6
    Judgement. See generally Defs.’ Mot. In it, Defendants argued that their search was adequate as
    they conducted searches in the SLM repository for documents responsive to Plaintiffs’ request for
    the EID and IIDS metadata and database schema, and that they properly withheld responsive
    documents pursuant to Exemptions 3, 7(A), and 7(E). Id. at 10-11, 15-26. With regard to the
    snapshots, Defendants asserted that they were unable to produce any responsive documents,
    because “the snapshots Plaintiffs requested were not retained for the date ranges of the subject
    FOIA requests, . . . the requested information could not be produced with the technology currently
    in the Agency’s possession, and . . . even if the information could be produced, Defendants were
    not capable of redacting the information.” Id. at 11-12.
    On November 13, 2014, Plaintiffs filed a Cross-Motion for Summary Judgment.
    See generally Pls.’ Mot.    In the Motion, Plaintiffs argued that Defendants’ claimed FOIA
    exemptions are inapplicable. Id. at 14-26. They also disputed the assertion that Defendants are
    unable to produce the requested snapshots. Id. at 27-30. Plaintiffs further argued that Defendants’
    search was inadequate because Defendants: (1) did not sufficiently respond to FOIA Request III;
    (2) failed to search the EID and IIDS databases themselves for documents pertaining to the
    metadata and database schema of each system; and (3) failed to search CBP records. Id. at 31-32.
    III.   DISCUSSION
    A.      Standard of Review
    Under Federal Rule of Civil Procedure 56, a court must grant summary judgment “if the
    movant shows that there is no genuine dispute as to any material fact and the movant is entitled to
    judgment as a matter of law.” Fed. R. Civ. P. 56(a). When a court is applying this standard, “the
    evidence of the non-movant is to be believed, and all justifiable inferences are to be drawn in his
    favor.” Anderson v. Liberty Lobby, Inc., 
    477 U.S. 242
    , 255 (1986). A dispute is “genuine” only
    7
    if a reasonable fact-finder could find for the nonmoving party, while a fact is “material” only if it
    is capable of affecting the outcome of litigation. 
    Id. at 248-49
    . A non-material factual dispute is
    insufficient to prevent the court from granting summary judgment. 
    Id. at 249
    .
    FOIA cases often are appropriately decided on motions for summary judgment.
    See Defenders of Wildlife v. U.S. Border Patrol, 
    623 F. Supp. 2d 83
    , 87 (D.D.C. 2009). A court
    may award summary judgment in a FOIA case using solely the information included in the
    agency’s affidavits or declarations if they are “relatively detailed and non-conclusory,” SafeCard
    Servs., Inc. v. SEC, 
    926 F.2d 1197
    , 1200 (D.C. Cir. 1991) (citations and internal quotation marks
    omitted), and describe “the documents and the justifications for nondisclosure with reasonably
    specific detail, demonstrate that the information withheld logically falls within the claimed
    exemption, and are not controverted by either contrary evidence in the record nor by evidence of
    agency bad faith,” Military Audit Project v. Casey, 
    656 F.2d 724
    , 738 (D.C. Cir. 1981). “Unlike
    the review of other agency action that must be upheld if supported by substantial evidence and not
    arbitrary or capricious, the FOIA expressly places the burden ‘on the agency to sustain its action’
    and directs the district courts to ‘determine the matter de novo.’” DOJ v. Reporters Comm. for
    Freedom of Press, 
    489 U.S. 749
    , 755 (1989) (quoting 
    5 U.S.C. § 552
    (a)(4)(B)).
    B.      EID and IIDS Metadata and Database Schema
    The court first considers Plaintiffs’ challenge to Defendants’ invocation of FOIA
    Exemptions 7(E), 7(A), and 3 to withhold and redact materials responsive to Plaintiffs’ requests
    for EID and IIDS metadata and database schema. “The basic purpose of FOIA is to ensure an
    informed citizenry, vital to the functioning of a democratic society, needed to check against
    corruption and to hold the governors accountable to the governed.” NLRB v. Robbins Tire &
    Rubber Co., 
    437 U.S. 214
    , 242 (1978) (citation omitted). Because of FOIA’s critical role in
    8
    promoting transparency and accountability, “[a]t all times courts must bear in mind that FOIA
    mandates a ‘strong presumption in favor of disclosure.’” Nat’l Ass’n of Home Builders v. Norton,
    
    309 F.3d 26
    , 32 (D.C. Cir. 2002) (quoting Dep’t of State v. Ray, 
    502 U.S. 164
    , 173 (1991)). But
    “an agency’s justification for invoking a FOIA exemption is sufficient if it appears logical or
    plausible.” Larson v. Dep’t of State, 
    565 F.3d 857
    , 862 (D.C. Cir 2009) (citations and internal
    quotation marks omitted).
    1.      Exemption 7(E)
    Defendants rely primarily on Exemption 7(E) to withhold records responsive to Plaintiffs’
    request for metadata and database schema. Once again, the metadata and database schema sought
    in this case are the fields, variables, codes, and structures of the EID and IIDS databases. Under
    Exemption 7(E), an agency may withhold information “compiled for law enforcement purposes”
    if, among other reasons, its release “would disclose techniques and procedures for law enforcement
    investigations or prosecutions, or would disclose guidelines for law enforcement investigations or
    prosecutions if such disclosure could reasonably be expected to risk circumvention of the law.”
    
    5 U.S.C. § 552
    (b)(7)(E). Exemption 7(E) “sets a relatively low bar for the agency to justify
    withholding,” Blackwell v. FBI, 
    646 F.3d 37
    , 42 (D.C. Cir. 2011), and “where an agency
    ‘specializes in law enforcement, its decision to invoke [E]xemption 7 is entitled to deference,’”
    Lardner v. DOJ, 
    638 F. Supp. 2d 14
    , 31 (D.D.C. 2009) (quoting Campbell v. DOJ, 
    164 F.3d 20
    ,
    32 (D.C. Cir. 1998). This does not excuse an agency, however, from the requirement of describing
    its “justifications for withholding the information with specific detail.” ACLU v. Dep’t of Defense,
    
    628 F.3d 612
    , 619 (D.C. Cir. 2011)).
    Plaintiffs challenge Defendants’ invocation of Exemption 7(E) on a host of grounds.
    Specifically, they argue that: (a) the records sought were not compiled for law enforcement
    9
    purposes; (b) the records do not disclose law enforcement techniques, procedures, or guidelines;
    and (c) disclosure of the records does not present a risk of circumvention of the law. The court
    considers each of these arguments in turn.
    a.      Compiled for law enforcement purposes
    Defendants contend that they “engage in law enforcement activity and the records
    responsive to the subject FOIA request were compiled for law enforcement purposes.” Defs.’ Mot.
    at 20. According to a declaration submitted by ICE’s Deputy FOIA Officer, Fernando Pineiro, the
    databases at issue—namely, EID and IIDS—contain “law enforcement sensitive information
    relating to investigations, enforcement operations, and checks of other law enforcement
    databases.” Defs.’ Mot. at 20 (quoting Pineiro Decl. ¶ 47). ICE uses IIDS, in particular, “to rapidly
    run reports and queries on data stored in other ICE databases, particularly [EID].” Pineiro Decl.
    ¶ 47. Responding to Defendants’ claim, Plaintiffs argue “[t]hat [just because] the databases
    themselves may contain information compiled for law enforcement purposes does not, as the
    government assumes, mean that all information about the databases—especially information that,
    like the information requested here, serves data management and administrative purposes—was
    also compiled for law enforcement purposes.” Reply Mem. in Supp. of Pls.’ Mot. for Summ. J.,
    ECF No. 27 [hereinafter Pls.’ Reply], at 2.
    The court has little trouble rejecting Plaintiffs’ argument. A record is deemed “compiled
    for a law enforcement purpose” so long as there is (1) a rational “nexus” between the record and
    the agency’s law enforcement duties and (2) a connection between the subject of the record and a
    possible security risk or violation of federal law. See Campbell, 
    164 F.3d at 32
    ; see also Pratt v.
    Webster, 
    673 F.2d 408
    , 420 (D.C. Cir. 1982). The latter requirement must be satisfied “to establish
    that the agency acted within its principal function of law enforcement, rather than merely engaging
    10
    in a general monitoring of individuals’ activities.” Pratt, 673 F.3d at 420. Plaintiffs concede that
    Defendants use the EID and IIDS databases for law enforcement purposes—to assist ICE and CBP
    with deporting people who are unlawfully in the United States, to arrest those who violate federal
    immigration laws, and to track investigations and court proceedings of those apprehended.
    See Pls.’ Mot. at 4. Thus, records concerning how these databases are constructed and how they
    operate—like the data itself—clearly have a rational “nexus” to Defendants’ law enforcement
    duties. The second prong of the “law enforcement purpose” test is also satisfied because of the
    clear connection between the records and possible security risks or violations of law. These are
    not the kind of records compiled for generalized snooping of individuals’ lives, but were prepared
    to effectuate the agencies’ law enforcement responsibilities. The court thus concludes that the
    withheld records easily qualify as records or information “compiled for law enforcement
    purposes.”
    b.     Techniques, procedures, or guidelines
    Plaintiffs next argue that the withheld records concerning database metadata and database
    schema would not, if released, disclose “techniques,” “procedures,” or “guidelines” for law
    enforcement investigations or prosecutions, as those terms are used in Exemption 7(E). Plaintiffs
    contend that “the fact that data is used by law enforcement personnel in carrying out their duties
    does not mean that revealing information about a database discloses the techniques and methods
    that law enforcers employ in using it.” Pls.’ Reply at 4. For their part, Defendants offer the
    following, from ICE’s Deputy FOIA Officer, Fernando Pineiro, in opposition to Plaintiffs’
    position:
    ICE employed certain law enforcement techniques and methods designed to obtain
    information in furtherance of the nation’s immigration and customs laws, and ICE
    law enforcement officers use the database and systems that are the subjects of
    Plaintiffs’ FOIA request to maintain that information and carry out those duties.
    11
    Pineiro Decl. ¶ 50; see also Defs.’ Mot. at 20-22.
    Although the court views the Pineiro Declaration as providing a rather thin explanation for
    why the metadata and database schema qualify as a law enforcement technique, procedure, or
    guideline, the court ultimately agrees with Defendants based on the Court of Appeals’ decision in
    Blackwell v. FBI, 
    646 F.3d 37
     (D.C. Cir. 2011), as well as analogous district court cases. In
    Blackwell, the FBI sought to protect under Exemption 7(E) “methods of data collection,
    organization and presentation contained” in certain reports. 
    Id. at 42
     (internal quotation marks
    omitted). The FBI’s declarant explained that “the manner in which the data is searched, organized
    and reported to the FBI is an internal technique, not known to the public,” and the “method was
    developed by [the vendor] to meet the specific investigative needs of the FBI.” 
    Id.
     (internal
    quotation marks omitted).     Based on those averments (as well as an additional attestation
    concerning how disclosure could give rise to the potential risk of circumvention of the law), the
    Court of Appeals concluded that the FBI had properly invoked Exemption 7(E). 
    Id.
    Other cases from this Circuit are to similar effect. For instance, in Strunk v. DOJ, 
    905 F. Supp. 2d 142
     (D.D.C. 2012), the court concluded that withheld computer screen transaction
    codes, computer transaction codes, and computer function codes—similar to the codes at issue
    here—from a CBP database known as TECS, though not themselves law enforcement “techniques
    and procedures,” were protected “guidelines for law enforcement investigations and prosecutions”
    under Exemption 7(E). 
    Id. at 148
     (citation omitted). Similarly, in Skinner v. DOJ, 
    893 F. Supp. 2d 109
     (D.D.C. 2012), the court agreed that computer access codes associated with the TECS
    database were, at the least, law enforcement guidelines under Exemption 7(E), 
    id. at 114
    . And
    other decisions have treated law enforcement database codes or fields in the same way. See Ortiz
    v. DOJ, 
    67 F. Supp. 3d 109
    , 123 (D.D.C. 2014) (granting Exemption 7(E) protection to “violator
    12
    identifier codes”); Miller v. DOJ, 
    872 F. Supp. 2d 12
    , 29 (D.D.C. 2012) (permitting agency to
    withhold law enforcement numerical database codes used to identify information and individuals,
    as well as codes “relate[d] to procedures concerning the use of law enforcement resources and
    databases . . ., as well as case program and access codes”); McRae v. DOJ, 
    869 F. Supp. 2d 151
    ,
    169 (D.D.C. 2012) (holding that “codes, case numbers, and other computer information pertaining
    to the TECS, NCIC, and databases maintained by the North Carolina authorities are techniques
    and procedures for law enforcement investigation”).
    Blackwell and these district court decisions teach that internal database codes, fields, and
    other types of identifiers used by law enforcement agencies to conduct, organize, and manage
    investigations and prosecutions qualify, at least, as law enforcement guidelines, if not also law
    enforcement methods and techniques. Thus, the court rejects Plaintiffs’ argument that the EID
    and IIDS metadata and database schema do not qualify for withholding under Exemption 7(E).
    c.      Circumvention of the law
    The parties’ final area of disagreement about the application of Exemption 7(E) is also their
    most significant. They dispute whether disclosure of the metadata and database schema “could
    reasonably be expected to risk circumvention of the law.” 
    5 U.S.C. § 522
    (b)(7)(E). Defendants
    assert that disclosure of the EID and IIDS metadata and database schema would enable
    “individuals to access [ICE]’s law enforcement database, including its investigative files,
    manipulate data within those databases, and launch a full scale cyber-attack against [ICE].” Defs.’
    Mot. at 21. To establish the risk of such an attack, Defendants offer the affidavit of Karolyn Miller,
    an Information Technology Specialist in Information Security at ICE, who identifies a specific
    13
    kind of risk—a Structured Query Language injection attack, or a “SQL injection attack,” on the
    EID and IIDS databases. Miller Decl. ¶ 16. As Miller explains:
    The SQL injection attack . . . is a technique used by malicious intruders or
    “hacktivists” to exploit web sites by changing the intended effect of an SQL query
    by inserting new SQL keywords or operators into the query. Basically, the attacker
    inserts or “injects” SQL instructions in a web application Search field to cause the
    program to malfunction. The program’s error allows the attacker to then access
    otherwise restricted parts of the database to view or steal information . . . that will
    allow the attacker to not only access the full database, but . . . also potentially allow
    access to other parts of the IT system . . . by using the stolen credentials.
    
    Id.
     She concludes that, “[s]hould ICE be required to provide . . . database schema, tables, codes,
    code values, and database version, ICE will have disclosed the exact information that an SQL
    [injection] attacker needs to penetrate the EID and IIDS databases and systems, and potentially the
    ICE network.” 
    Id. ¶ 19
    .
    i.      Plaintiffs’ legal interpretation of Exemption 7(E)
    Plaintiffs offer two rejoinders—one legal, the other factual—to Defendants’ ominous
    prediction of a potentially debilitating cyber-attack resulting from disclosure. Plaintiffs first argue
    that, “[a]lthough a cyber-attack would undoubtedly constitute a violation of law, such a violation
    does not constitute circumvention of a relevant law within the meaning of Exemption 7(E).” Pls.’
    Mot. at 16. Instead, according to Plaintiffs, “the exemption allows an agency to withhold
    techniques, procedures, and guidelines that it uses to enforce particular laws . . . if disclosure of
    those techniques, procedures, or guidelines would allow an individual to circumvent those laws.”
    
    Id.
     In other words, Plaintiffs contend that Exemption 7(E) applies only if the risk that there will
    be a violation of law relates to those laws that the subject law enforcement agency is tasked with
    enforcing.   Plaintiffs thus argue that an unlawful cyber-attack cannot serve as a basis for
    withholding EID and IIDS metadata and database schema because such information, if disclosed,
    does not risk circumvention of the laws enforced by Defendants.
    14
    The FOIA statute, however, cannot be read so narrowly. Exemption 7(E) plainly states
    that withholding is permissible under that provision if “disclosure could reasonably be expected to
    risk circumvention of the law”—“the law,” period. 
    5 U.S.C. § 552
    (b)(7)(E). Congress did not
    qualify or modify “the law” in any way to circumscribe the types of laws that might be violated in
    the event of disclosure for Exemption 7(E) to apply. Thus, a plain reading of the statute does not
    support Plaintiffs’ interpretation.
    Nor have courts read the exemption as Plaintiffs have proposed. Indeed, courts in this
    District have recognized the risk of a cyber-attack or a breach of a law enforcement database as
    valid grounds for withholding under Exemption 7(E). In Skinner, the court upheld the agency’s
    decision to withhold data under Exemption 7(E) where the agency showed that release of the
    subject data would “(1) permit unauthorized users to avoid recognition, instant detection and
    apprehension, (2) give them near-unfettered access to one of the nation’s most critical electronic
    law enforcement infrastructures, and (3) arm these intruders with the ability to irreparably corrupt
    the integrity of [the database] by altering or manipulating it.” 893 F. Supp. 2d at 113 (internal
    quotation marks omitted). Likewise, in Strunk, the court recognized a risk of circumvention where
    disclosure of data could “facilitate[ ] access to and navigation through [a law enforcement
    database] and reveal[ ] mechanisms for access to and navigation through [the database].” 905
    F. Supp. 2d at 147. There, the agencies asserted that “individuals who knew the meaning of the
    codes . . . would gain access to CBP law enforcement techniques and procedures that would permit
    them to . . . corrupt[ ] the integrity of ongoing investigations.” Id. at 148. Skinner and Strunk
    make clear that the potential for a cyber-attack or data breach is the kind of risk of circumvention
    of the law that justifies withholding under Exemption 7.
    15
    ii.      Plaintiffs’ factual challenge to the asserted risk of a cyber-
    attack
    This case, however, differs from Skinner and Strunk in one important respect: Plaintiffs
    here have aggressively challenged Defendants’ assertion that disclosure of the metadata and
    database schema would expose the EID and IIDS databases to a SQL injection attack. In support,
    Plaintiffs have offered the declaration of an expert in data security, Dr. Paul Clark, President and
    Chief Technology Officer of SecureMethods, Inc., and Paul C. Clark, LLC,1 who disputes the
    potential for a SQL attack. He explains:
    A SQL injection attack is a type of remote execution attack. In other words,
    someone who is not physically on the premises where a computer system is located
    nonetheless can launch an attack by transmitting malicious instructions through a
    web interface that has a direct connection to a database that will accept and execute
    such instructions . . . . [R]emote execution is not a credible threat to the EID or
    IIDS systems . . . [because] there is no publicly accessible web interface to the EID
    or IIDS, nor do agencies outside of [DHS] have access to the database systems.
    Pls.’ Mot., Decl. of Paul C. Clark, ECF No. 18-3 [hereinafter Clark Decl.], ¶¶ 11-12 (emphasis
    added).
    Defendants offer a relatively limp response to Dr. Clark’s critique. They do not disagree
    that a hacker would require an external access point to execute a SQL injection attack; nor do they
    claim that the EID or IIDS databases are in fact accessible through an external access point.
    Rather, through the affidavit of Jeff Wilson, Unit Chief of the Information Technology
    Management Unit within Enforcement and Removal Operations, Law Enforcement and Systems
    Analysis at ICE, Defendants state: “[T]here are still dangers associated with providing information
    and records associated with system development, data tables and fields, outage times, etc., whether
    or not the database has a ‘publically accessible web interface.’” Defs.’ Opp’n & Reply, Suppl.
    1
    See Pls.’ Mot., Decl. of Paul C. Clark, ECF No. 18-3, at 11.
    16
    Decl. of Jeff Wilson, ECF No. 25-1 [hereinafter Wilson Suppl. Decl.], ¶ 9. Wilson cites as the
    sole example a 2014 cyber-attack against Home Depot, which was executed using malware
    inserted at point-of-sale machines in stores in the United States and Canada. Id. Wilson Suppl.
    Decl. ¶ 9. Wilson adds:
    Intimate knowledge of tables, codes, and schemas can be used to create a more
    sophisticated attack that lasts days, weeks or even months. Additional technical
    dangers include: cross site scripting, session hijacking, SQL injection, race
    conditions, unformatted error messages, improper html rendering and submittals,
    among others.
    Id. ¶ 10. But nowhere does he say that any of those “additional technical dangers” could be
    accomplished when a system, like the one at issue here, has no an external access point.
    Plaintiffs offer an obvious retort to Wilson’s statements. In a supplemental declaration,
    Dr. Clark states: “In the Home Depot example [Wilson] cites, access was obtained not through a
    web interface, but through point-of-sale devices that connected to Home Depot’s system. ICE
    obviously does not use point-of-sale devices that would provide an attacker with access to its
    systems, and Mr. Wilson does not suggest that any comparable means of access to ICE’s systems
    exists.” Pls.’ Reply, Suppl. Decl. of Paul C. Clark., ECF 27-2 [hereinafter Clark Suppl. Decl.],
    ¶ 4. When pressed at oral argument, counsel for Defendants was unable to identify any SQL
    injection attacks that have occurred without a public access point and asked to further brief the
    question whether a SQL injection attack could be achieved only via a public access point.
    Hr’g Tr. at 21:3-23:14, Oct. 28, 2015 (Draft).
    In evaluating whether Plaintiffs have carried their burden of showing a risk of
    circumvention of the law, the court is fully cognizant of the low bar that the Court of Appeals has
    set for establishing such risk. See, e.g., Pub. Employees for Envtl. Responsibility v. U.S. Section,
    17
    Int’l Boundary & Water Comm’n, U.S.-Mexico, 
    740 F.3d 195
    , 204-05 (D.C. Cir. 2014); Blackwell
    v. FBI, 
    646 F.3d at 42
    . Trial courts are to:
    [L]ook[ ] not just for circumvention of the law, but for a risk of circumvention; not
    just for an actual or certain risk of circumvention, but for an expected risk; not just
    for an undeniably or universally expected risk, but for a reasonably expected risk;
    and not just for certitude of a reasonably expected risk, but for the chance of a
    reasonably expected risk.
    Mayer Brown LLP v. IRS, 
    562 F.3d 1190
    , 1193 (D.C. Cir. 2009). Courts must heed that low bar,
    especially in cases where an agency has warned that disclosure could lead to a cyber-attack on, or
    security breach of, an agency data system containing sensitive law enforcement and personal
    information. Judges are not cyber specialists, and it would be the height of judicial irresponsibility
    for a court to blithely disregard such a claimed risk.
    But the standard of review of a claimed 7(E) exemption, while highly deferential, is not
    “vacuous.”    Campbell, 
    164 F.3d at 32
     (quoting Pratt, 673 F.2d at 421).              Courts have a
    responsibility to ensure that an agency is not simply manufacturing an artificial risk and that the
    agency’s proffered risk assessment is rooted in facts. Based on the present record, the court cannot
    find that Defendants have carried their burden of showing that disclosure of the IED and IIDS
    metadata and database schema increases the risk of a cyber-attack of the kind Defendants posit.
    The sole risk that Defendants claim might be heightened by the release of metadata and database
    schema is that of a SQL injection attack. On the present record, however, it is undisputed that a
    SQL injection attack requires an external point of entry, such as a website or point-of-sale machine,
    and that the IED and IIDS databases are not so exposed. The court is thus left unconvinced, at this
    juncture, that the sole risk of circumvention of the law claimed by Defendants—a SQL injection
    attack—would be increased if the requested metadata and database schema were disclosed. The
    court, therefore, denies Defendants’ Motion for Summary Judgment as to its invocation of
    18
    Exemption 7(E) to withhold information concerning IED and IIDS metadata and database
    schema.2
    The court, however, will not at this juncture order Defendants to disclose the withheld
    material. Rather, in the exercise of its discretion, the court will permit Defendants to supplement
    the record with additional affidavits or other evidence to establish that disclosure of the IED and
    IIDS metadata and database schema will increase the risk of a cyber-attack, data breach, or any
    other circumvention of the law.3 See Wolf v. CIA, 
    569 F. Supp. 2d 1
    , 10 (D.D.C. 2008) (“Where
    an agency’s declarations are deficient, courts generally will request that an agency supplement its
    supporting declarations rather than order discovery.” (citation and internal quotation marks
    omitted)); see also Hall v. CIA, 
    668 F. Supp. 2d 172
    , 188-93 (D.D.C. 2009) (granting in part and
    denying in part the agency’s and the plaintiff’s cross-motions for summary judgment, and
    permitting the agency to submit a “supplemental filing” in support of its invocation of certain
    FOIA exemptions).
    2.       Exemption 3
    Defendants alternatively argue that their withholding of metadata and database schema is
    justified under FOIA Exemption 3. Generally speaking, that exemption protects a record from
    disclosure if it has been “specifically exempted from disclosure by statute.” 
    5 U.S.C. § 552
    (b)(3).
    Here, Defendants have argued that the withheld materials are exempt from disclosure under the
    2
    Defendants also invoke Exemption 7(A) to justify withholding the metadata and database schema. However,
    Defendants’ invocation of Exemption 7(A) relies on arguments substantially identical to those presented in connection
    with their Exemption 7(E) claim. That is, disclosure of the requested information would expose the databases to
    potential cyber-attacks. See Defs.’ Opp’n and Reply at 22-23; Hr’g Tr. 26:5-28:9. Thus, for the same reason that the
    court has denied summary judgment on Defendants’ invocation of Exemption 7(E), it does so as to Defendants’
    invocation of Exemption 7(A).
    3
    Defendants’ briefing also suggests the possibility of an “inside job” where someone within ICE or CBP, who
    otherwise does not have access to the requested information, could use it to gain unauthorized access to the databases.
    See Defs.’ Opp’n. and Reply at 10; see also Hr’g Tr. at 24:8-25:3. But Defendants have not presented any evidence
    of how the requested disclosures might increase the risk of such an attack. Defendants may wish to address this risk
    in its supplemental submission.
    19
    Federal Information Security Management Act (“Management Act”), 
    44 U.S.C. §§ 3541-49
    . They
    are incorrect.
    Exemption 3 applies only if a statute “requires that matters be withheld from the public in
    such a manner as to leave no discretion on the issue” or “establishes particular criteria for
    withholding or refers to particular types of matters to be withheld.” 
    5 U.S.C. § 552
    (b)(3)(A).
    Exemption 3 further provides that, “if [the statute was] enacted after the date of enactment of the
    OPEN FOIA Act of 2009,” Exemption 3 applies only if the statute “specifically cites to this
    paragraph.” 
    Id.
     § 552(b)(3)(B).
    The statute upon which Defendants rely—the Management Act—was repealed in its
    entirety on December 18, 2014—after this case was filed—and replaced by the Federal
    Information Security Modernization Act of 2014 (“Modernization Act”), 
    44 U.S.C. § 3551
     et seq.
    (2014). As the Modernization Act is the law in effect at the time the court is rendering its decision,
    it is the controlling law in the present dispute. See Bradley v. School Bd. of City of Richmond, 
    416 U.S. 696
    , 711 (1974) (stating the “principle that a court is to apply the law in effect at the time it
    renders its decision, unless doing so would result in manifest injustice or there is statutory direction
    or legislative history to the contrary”).
    The Modernization Act does not enable Defendants to invoke Exemption 3 here for two
    reasons. First, because the Modernization Act was enacted after the OPEN FOIA Act of 2009, for
    it to protect records from disclosure under Exemption 3 it must “specifically cite[ ] to [Exemption
    3].” 
    5 U.S.C. § 552
    (b)(3)(B). It does not do so. Second, to the extent that the Modernization Act
    does cite to FOIA, it does not alter agencies’ obligations under the FOIA statute.                 The
    Modernization Act expressly states that “[n]othing in this subchapter . . . may be construed as
    affecting the authority of . . . the head of any agency, with respect to the authorized use or
    20
    disclosure of information, including . . . the disclosure of information under section 552 of title 5.”
    
    44 U.S.C. § 3558
    . Therefore, Defendants’ claim that the requested materials can be withheld
    pursuant to Exemption 3 fails.
    C.      Copies of Snapshots of Data from the EID Database
    The parties’ second major dispute concerns Defendants’ non-production of copies of
    “snapshots” of data from the EID database. Again, “snapshots” are continuously updated extracts
    of portions of the EID database that enable Defendants to search and manipulate the EID data.
    Plaintiffs assert that Defendants have not complied with FOIA because they failed to disclose
    copies of the requested snapshots and did not perform an adequate search for them. Defendants
    offer two reasons why they cannot comply with Plaintiffs’ requests for copies of snapshots. First,
    they argue that their “document system is not capable of producing the information for distribution
    to Plaintiffs.” Defs.’ Mot. at 13. Second, they argue that even if they could produce the snapshots,
    “Defendants lack[ ] the technology to redact the information.” 
    Id. at 14
    .
    Under FOIA, “an agency shall provide the record in any form or format requested by the
    person if the record is readily reproducible by the agency in that form or format.” 
    5 U.S.C. § 552
    (a)(3)(B) (emphasis added). The key term, “readily reproducible,” “is not . . . synonymous
    with technical[ly] feasible.” Scudder v. CIA, 
    25 F. Supp. 3d 19
    , 38 (D.D.C. 2014). Rather, “[t]he
    Court may consider the burden on the defendant agency in determining whether the documents at
    issue are ‘readily reproducible.’” 
    Id.
     To justify withholding otherwise responsive materials, the
    “agency’s evidence of burden . . . must be not only compelling, but also demonstrate that
    compliance with a request would impose a significant burden or interference with the agency’s
    operation.” Public.Resource.Org v. IRS, 
    78 F. Supp. 3d 1262
    , 1266 (N.D. Cal. 2015) (citing TPS,
    Inc. v. DOD, 
    330 F.3d 1191
    , 1195 (9th Cir. 2003)). Among the factors that a court may consider
    21
    in assessing the claimed burden are the amount of time, expense, and personnel that would be
    required to complete document searches and production, as well as whether the agency has the
    existing technology or would have to purchase new technology to perform those tasks. See Wolf
    v. CIA, 
    569 F. Supp. 2d at 9
     (“Courts often look for a detailed explanation by the agency regarding
    the time and expense of a proposed search in order to assess its reasonableness.” (citation
    omitted)); Pinson v. DOJ, 
    80 F. Supp. 3d 211
    , 217 (D.D.C. 2015) (holding that DOJ did not carry
    its burden by merely asserting that the search would require a “burdensome effort” without
    offering estimates of “the time required to conduct [the] requested search, the cost of such a search,
    or the number of files that would have to be manually searched”).
    Consistent with these principles, courts have held that agencies need not disclose records
    when conducting a search for requested materials would impose an unreasonable burden. See, e.g.,
    Nation Magazine, Washington Bureau v. U.S. Customs Serv., 
    71 F.3d 885
    , 891-92 (D.C. Cir. 1995)
    (determining that a request that required an agency to search through 23 years of unindexed files
    imposed an unreasonable burden); Am. Fed’n of Gov’t Employees, Local 2782 v. U.S. Dep’t of
    Commerce, 
    907 F.2d 203
    , 208-09 (D.C. Cir. 1990) (holding that a request that required a search
    of “every chronological office file and correspondent file, internal and external, for every branch
    office [and] staff office” was overbroad); Nat’l Sec. Counselors v. CIA., 
    960 F. Supp. 2d 101
    , 161-
    62 (D.D.C. 2013) (concluding that a request that sought copies of all federal intelligence agency
    records pertaining to a supercomputer and required a search of all agency offices was so broad as
    to impose an unreasonable burden upon the agency). Courts also have held that agencies are
    excused from complying with FOIA requests where “review[ing], redact[ing], and arrang[ing] for
    inspection [of] a vast quantity of material” presents an unreasonable burden. Am. Fed’n of Gov’t
    Employees, 
    907 F.2d at 209
    ; see also Vietnam Veterans of Am. Conn. Greater Hartford Chapter
    22
    120 v. DHS, 
    8 F. Supp. 3d 188
    , 203 (D. Conn. 2014) (FOIA request for which agency would need
    to locate, review, and make heavy redactions to 26,000 packets, each of which contained 50 pages,
    was unreasonably burdensome); Hainey v. Dep’t of Interior, 
    925 F. Supp. 2d 34
    , 45 (D.D.C. 2013)
    (holding that it would be unreasonably burdensome to require the agency to search and review
    every email sent or received by 25 different employees throughout a two-year time period).
    Particularly relevant here, one court has held that the process of making redactions to 20 million
    responsive records within a database was sufficiently burdensome to justify the agency’s
    withholding of the entirety of the requested information. See Ayuda, Inc. v. FTC, 
    70 F. Supp. 3d 247
    , 276-77 (D.D.C. 2014) (“[B]ecause the agency aims to protect the private information of
    citizens by withholding the data fields at issue, and because the manual review needed for redacting
    such information is unreasonably burdensome, the Court concludes that the FTC properly withheld
    the data fields.”).
    Consistent with the above cases, the court finds that Defendants have demonstrated that
    producing and redacting the requested snapshots would be unduly burdensome. According to
    Defendants’ affiant Jeff Wilson, “[c]urrently, there is no specific product, report or snapshot
    generated during the Extract-Transform-Load (ETL) process where information from the EID is
    transferred to IIDS and the datamarts . . . . [T]his process is automatic and occurs through a link
    established between two databases with no tangible extract files.” Wilson Suppl. Decl. ¶ 15; see
    also Wilson Decl. at 8 (“To produce an extract in a format that could be consumed by the external
    entity, a new record would need to be created. It would require the design, development, and
    implementation of a different process for this new record that does not include law enforcement
    sensitive and/or personally identifiable information[.]”). In other words, according to Wilson,
    when EID data is collected, organized, and transferred to a functional database like IIDS, no
    23
    reproducible extract or copy of the transferred data, or snapshot, is created to provide to a FOIA
    requester. Wilson adds: “ICE does not currently have the technology to [produce the requested
    snapshots]. It is difficult to assess what it would take to provide a severable copy because the EID
    is comprised of so many data elements.” Wilson Decl. at 9. At a minimum, Wilson explains,
    duplication and production of snapshots would “require a new contract to facilitate the extract
    process and associated databases in the hundreds of thousands to millions of dollars.” 
    Id.
     The
    contract would have to provide for the hiring of additional information technology specialists,
    including experts in database design and maintenance, large data storage and transfer, networking,
    and programming, as well as the hiring of experts to remove or redact sensitive law enforcement
    data. 
    Id.
    And, according to Wilson, even if Defendants could replicate the snapshot for production,
    they would face tremendous challenges in redacting sensitive personal and law enforcement
    material, which even Plaintiffs concede are subject to valid FOIA exemptions. The tables available
    in the EID consist of more than 6.7 billion rows of data, with the total amount of information
    contained within the EID exceeding five terabytes. 
    Id. at 7
    . Wilson equated the volume of data to
    “1.8 million songs on an iPod” or an audiobook that “would take approximately 9.5 years to read.”
    
    Id.
     Further employing the example of an iPod, Wilson stated that redacting exempt information
    would be akin to “redacting every artist, album, and song name as well as significant portions of
    the song[s].” 
    Id. at 8
    . According to Wilson, “[a]t this particular time, the ICE FOIA Office does
    not have the existing technology or expertise for processing this data.” Wilson Suppl. Decl. ¶ 16.
    Although Wilson could have been more descriptive in explaining precisely what it would take to
    redact exempt information and why such process would be unduly burdensome, he does state the
    following: “The redaction process for this request is expensive for a federal agency. It requires a
    24
    modification to an existing contract, clearances, background screenings, training, and ramp up
    time.” 
    Id.
    Plaintiffs dispute Defendants’ contention that producing and redacting the requested
    snapshots would impose an undue burden on the agencies. Plaintiffs offer their own expert
    declaration from Michael Hasan, a software engineer employed by Plaintiffs’ research institute,
    TRAC. To rebut Defendants’ contention that reproducing a snapshot would impose an undue
    burden, Hasan states that “[e]xtraction is a built-in functionality of any commercial [DBMS]
    software that allows any database object or table to be queried and extracted into text or another
    electronic representation. . . . Thus, it should be an easy and inexpensive process to extract data
    using such software.” Pls.’ Mot., Decl. of Michael Hasan, ECF No. 18-4 [hereinafter Hasan Decl.],
    ¶ 10. As to Defendants’ contentions concerning the burdensomeness of redacting the snapshots,
    Hasan states, “[r]edaction is another built-in functionality that is common across commercial
    DBMS packages. It is a trivial matter to redact a column of information (for example, a column
    containing Social Security numbers of individuals apprehended by defendants) by executing a
    simple . . . command that either deletes the data in the column or replaces the data with a special
    symbol to denote redaction.” 
    Id. ¶ 13
    .
    Although Hasan’s Declaration raises some questions about whether the snapshots are
    indeed readily reproducible and redactable, the court ultimately finds those questions insufficient
    to create a genuine dispute of material fact that would preclude a grant of summary judgment in
    Defendants’ favor. FOIA requires courts to “accord substantial weight to an affidavit of an agency
    concerning the agency’s determination as to technical feasibility . . . and reproducibility[.]”
    See 
    5 U.S.C. § 552
    (a)(4)(B) (emphasis added); see also Scudder, 25 F. Supp. 3d at 39
    (“[S]ubstantial deference is due an agency’s ‘reproducibility’ determination[.]”).           Here,
    25
    Defendants’ declarant, Jeff Wilson, has attested, based on his specific knowledge of and
    experience with the EID database and associated datamarts that replicating and redacting the
    snapshots would create an undue burden on the agencies. The court, as it must, accords that view
    substantial weight. Plaintiffs’ declarant, though an expert in the field of database systems and
    management, has not offered any evidence that specifically rebuts Wilson’s assertions about the
    agencies’ present technological capabilities as to the EID database and associated datamarts or
    regarding the burden that reproduction and redaction of the snapshots would impose on them.
    Instead, Hasan offers only observations about commercial databases in general—his declaration
    reveals no specific knowledge about the EID database and its associated operations. Hasan,
    naturally, is limited by his lack of first-hand experience with the EID database and the datamarts
    at issue in this case. But once, as here, an agency has proffered a declaration as to the technical
    feasibility and reproducibility of a records request—which, by statute, must be accorded
    substantial weight—a plaintiff must offer more than generalities about technical capabilities of
    generic systems to overcome or raise questions about that declaration. Plaintiffs have failed to do
    so here.
    Plaintiffs make one additional argument in an effort to rebut Defendants’ contention that
    reproducing and redacting would impose an undue burden. Plaintiffs argue that Defendants must
    be able to produce and redact the snapshot because they have previously provided Plaintiffs with
    redacted portions of snapshots in response to other FOIA requests. Long Decl. ¶¶ 16-20.
    Defendants do not deny the past productions but argue that Plaintiffs’ present requests are
    meaningfully different in scope and scale. Whereas Plaintiffs’ previous, fulfilled requests sought
    specific information contained in the snapshots, the present requests seek the snapshots in their
    entirety. Defs.’ Mot. at 14. For example, one previous request sought “anonymous case-by-case
    26
    information on each removal and return for January 2014.” Wilson Suppl. Decl. ¶ 12 (emphasis
    added).        “The request specifically asked for 54 data elements for each individual
    removed/returned; the data elements include[d], inter alia, biographical information, criminal
    history, and immigration history for every individual removed/returned for a limited time period.”
    Id. As to that request, ICE reviewed the relevant information and created new spreadsheets in
    order to provide it to Plaintiffs. See id. ICE also created codes that it used to alter exempt
    information contained in the requested data set so that such information was not released.
    See Hr’g Tr. at 15:1-16; see also Wilson Suppl. Decl. ¶ 12. Defendants thus contend that these
    past productions serve as poor comparators for the present, far more expansive requests.
    The court agrees. The court again accords substantial weight to the representations of
    Defendants’ affiant, Jeff Wilson. According to Wilson, a request for a snapshot of the entire
    database is “vastly different” from Plaintiffs’ previous requests and, as a consequence, the manner
    in which ICE responded to the prior requests is “wholly inadequate for responding to a request for
    all the data replicated at unspecified points in time into other datamarts.” Wilson Suppl. Decl.
    ¶ 13. Wilson adds that “the replication or copying of all data from EID data into the IIDS, and
    other datamarts[,] is not a pull of data,” which was sufficient to respond to past requests. Id.
    Plaintiffs have not offered any evidence specific to the databases at issue here that rebuts those
    contentions. The court therefore concludes that FOIA does not require Defendants to produce
    redacted copies of the requested snapshots.
    D.     Request for Discovery
    In a related argument, Plaintiffs request that the court allow them to conduct discovery on
    the factual issues concerning Defendants’ capacity to produce and redact the extracts and snapshots
    from their databases. They argue that they “have introduced facts casting serious doubt on
    27
    defendants’ assertions that they lack the technology to produce and redact data extract files and
    that they would have to spend ‘hundreds of thousands to millions of dollars,’ Wilson Decl. at 9,
    on a contract to create a new database.” Pls.’ Mot. at 30.
    Courts have “broad discretion to manage the scope of discovery” in FOIA cases. SafeCard
    Servs., 
    926 F.2d at 1200
    . “Discovery in FOIA is rare and should be denied where an agency’s
    declarations are reasonably detailed, submitted in good faith and the court is satisfied that no
    factual dispute remains.” Schrecker v. DOJ, 
    217 F. Supp. 2d 29
    , 35 (D.D.C. 2002); see also Baker
    & Hostetler LLP v. U.S. Dep’t of Commerce, 
    473 F.3d 312
    , 318 (D.C. Cir. 2006). Here,
    Defendants have set forth detailed affidavits explaining that they currently lack the technology to
    produce and redact copies of the requested snapshots and that acquiring the necessary technology
    and marshalling the resources necessary to produce and redact copies of the snapshots would be
    unduly burdensome.      Although Plaintiffs have offered rebuttal declarations that raise some
    questions about Defendants’ assertions, for the reasons already discussed, Plaintiffs have not
    offered any evidence that is specific to the EID and other databases at issue in this case, to create
    a factual dispute that might otherwise justify allowing Plaintiffs to take discovery. Cf. Scudder,
    25 F. Supp. 3d at 37 (finding that factual disputes existed where the plaintiff “provided reasonable
    evidence, based on his purported personal experience and observations, that the documents
    requested do exist in the format requested . . . even alert[ing] the defendant’s FOIA staff as to
    where within the defendant’s computer systems the electronically stored documents [we]re
    located”). Accordingly, Plaintiffs’ request for discovery is denied.
    E.      Adequacy of the Search
    Plaintiffs argue that Defendants’ search was inadequate in three ways. First, Plaintiffs
    argue that Defendants failed to provide any information regarding their search for FOIA Request
    28
    III—that is, “records identifying any extracts and ‘snapshots’ prepared from the [EID] over the
    last 12 months, along with records relating to the frequency with which such extracts and snapshots
    have been prepared, who was responsible for preparing any snapshot or extract, the recipient(s) of
    the extracts/snapshots, as well as the EID system time required in their preparation.” FOIA
    Request III at 1; see also Pls.’ Mot. at 31. Second, they argue that Defendants’ search for the
    metadata and database schema was inadequate because Defendants did not search the EID and
    IIDS databases for responsive records.      Pls.’ Mot. at 31-32.    Finally, Plaintiffs argue that
    Defendants’ search was inadequate because they failed to search any CBP records. Id. at 32.
    FOIA requires an agency to conduct a search for responsive records that is “reasonably
    calculated to discover the requested documents.” SafeCard Servs., 
    926 F.2d at 1201
    . “In general,
    the adequacy of a search is ‘determined not by the fruits of the search, but by the appropriateness
    of [its] methods.’” Hodge v. FBI, 
    703 F.3d 575
    , 579 (D.C. Cir. 2013) (quoting Iturralde v.
    Comptroller of the Currency, 
    315 F.3d 311
    , 315 (D.C. Cir. 2003)). In order to prevail on summary
    judgment, “the agency must show that it made a good faith effort to conduct a search for the
    requested records, using methods which can be reasonably expected to produce the information
    requested.” Oglesby v. U.S. Dep’t of the Army, 
    920 F.2d 57
    , 68 (D.C. Cir. 1990) (citation omitted).
    To carry this burden, the agency may submit a “reasonably detailed affidavit, setting forth the
    search terms and the type of search performed, and averring that all files likely to contain
    responsive materials (if such records exist) were searched.” 
    Id.
     “The adequacy of the search, in
    turn, is judged by a standard of reasonableness and depends, not surprisingly, upon the facts of
    each case.” Weisberg v. DOJ, 
    745 F.2d 1476
    , 1485 (D.C. Cir. 1984) (citation omitted).
    The court agrees with Plaintiffs’ first contention that Defendants have not explained what
    search, if any, they undertook to locate extract identification and preparation records sought in
    29
    FOIA Request III. Indeed, the government does not even respond to this argument. See Defs.’
    Reply at 17-18. Because Defendants do not address what search, if any, they conducted, the court
    will deny summary judgement as to the adequacy of their search in response to FOIA Request III.
    See Oglesby, 
    920 F.2d at 68
    . Defendants shall submit an affidavit that sets forth the search efforts
    undertaken in response to FOIA Request III.
    Plaintiffs next argue that the search Defendants conducted in response to FOIA Requests I
    and II was inadequate. Plaintiffs’ first two FOIA requests sought metadata and data schema from
    the EID and IIDS databases, including “records identifying the database tables . . . records defining
    the codes . . . database schema, and records that identify the DBMS software.” FOIA Request I at
    1; FOIA Request II at 1. According to declarant Jeff Wilson, ICE conducted the following search:
    On July 15, 2014, the ICE [Office of the Chief Information Officer (“OCIO”)]
    searched the [SLM] repository and located 2,793 documents. The SLM repository
    is the authoritative place for technical documents associated with the EID and IIDS.
    As a result, no other databases were required to be searched by OCIO. SLM
    documents are organized by sections so personnel located the “EID” and “IIDS”
    sections throughout the repository and transferred applicable documents for review.
    Wilson Decl. at 5. Plaintiffs contend that this search was inadequate because Defendants did not
    search the EID and IIDS databases themselves for responsive documents. Pls.’ Mot. at 31-32.
    According to Plaintiffs, “[l]ocating and copying the responsive information from the [EID and
    IIDS] databases would require only the execution of simple commands, and would provide the
    most accurate and current records responsive to the requests for database schema and code tables.”
    Pls.’ Reply at 24 (citing Pls.’ Reply, Second Decl. of Michael Hasan, ECF No. 27-3 [hereinafter
    Sec. Hasan Decl.], ¶¶ 9-10).
    The court disagrees with Plaintiffs and finds that Defendants’ search of the SLM repository
    for the requested records was adequate. “There is no requirement that an agency search every
    record system.” Oglesby, 
    920 F.2d at 68
     (citations omitted). The agency responded to the FOIA
    30
    request by searching the “authoritative” database where responsive records were likely to be held.
    It identified the sections of that database where responsive documents were likely to be found and
    reviewed the responsive documents. Though Plaintiffs may be correct that “[t]he database schema
    and [metadata] are actually a built-in part of any modern database,” Sec. Hasan Decl. ¶ 10, and
    therefore, are necessarily contained within the EID and IIDS databases, they have not offered any
    reason to believe that responsive records—other than the database schema and codes themselves,
    which Defendants are not required to produce at this juncture—would be found within the
    databases. Absent such a showing, the court is satisfied that Defendants conducted a proper search
    for the EID and IIDS database schema and metadata. See Mobley v. CIA, Civ. No. 11-cv-02072,
    Civ. No. 11-cv-02073, 
    2015 WL 7423687
    , *8 (D.C. Cir. Nov. 13, 2015) (“Agency affidavits—so
    long as they are ‘relatively detailed and non-conclusory’—are ‘accorded a presumption of good
    faith, which cannot be rebutted by ‘purely speculative claims about the existence and
    discoverability of other documents.’” (citations omitted)).
    Plaintiffs last contend that the search was inadequate because Defendants failed to search
    CBP records for responsive documents. Of Plaintiffs’ seven FOIA requests at issue in this case,
    only FOIA Requests V and VII were directed to CBP. Both of those were requests for copies of
    the requested snapshots. Because the court already has concluded that Defendants need not
    produce copies of snapshots, the court does not reach the issue of the adequacy of Defendants’
    search of CBP records.
    IV.    CONCLUSION AND ORDER
    For the reasons set forth above, Defendants’ Motion is granted in part and denied in part
    and Plaintiffs’ Cross-Motion is granted in part and denied in part. Judgment is entered in favor of
    31
    Defendants as to (1) the adequacy of the search for FOIA Requests I and II and (2) their
    withholding of copies of snapshots in response to FOIA Requests IV through VII.
    As for the grounds on which the court has denied Defendants’ Motion, within 30 days of
    this date, Defendants shall be permitted to supplement their summary judgment briefing with
    additional evidence that supports their assertions that (1) disclosure of metadata and database
    schema “could reasonably be expected to risk circumvention of the law” under Exemption 7(E)
    and (2) they have conducted an adequate search for records in response to FOIA Request III.
    Thereafter, within seven days, Plaintiffs shall notify the court if they intend to challenge the newly
    submitted evidence, and if so, the parties shall propose a briefing schedule.
    Dated: December 14, 2015                                      Amit P. Mehta
    United States District Judge
    32
    

Document Info

Docket Number: Civil Action No. 2014-0109

Citation Numbers: 149 F. Supp. 3d 39, 2015 U.S. Dist. LEXIS 166612, 2015 WL 8751005

Judges: Judge Amit P. Mehta

Filed Date: 12/14/2015

Precedential Status: Precedential

Modified Date: 10/19/2024

Authorities (25)

Hall v. Central Intelligence Agency , 668 F. Supp. 2d 172 ( 2009 )

Lardner v. Department of Justice , 638 F. Supp. 2d 14 ( 2009 )

Bradley v. School Bd. of Richmond , 94 S. Ct. 2006 ( 1974 )

National Ass'n of Home Builders v. Norton , 309 F.3d 26 ( 2002 )

Carl Oglesby v. The United States Department of the Army , 920 F.2d 57 ( 1990 )

United States Department of State v. Ray , 112 S. Ct. 541 ( 1991 )

Tps, Inc. v. United States Department of Defense Defense ... , 330 F.3d 1191 ( 2003 )

Defenders of Wildlife v. United States Border Patrol , 623 F. Supp. 2d 83 ( 2009 )

Campbell v. United States Department of Justice , 164 F.3d 20 ( 1998 )

Baker & Hostetler LLP v. United States Department of ... , 473 F.3d 312 ( 2006 )

American Federation of Government Employees, Local 2782, ... , 907 F.2d 203 ( 1990 )

Harold Weisberg v. U.S. Department of Justice, (Two Cases). ... , 745 F.2d 1476 ( 1984 )

Anderson v. Liberty Lobby, Inc. , 106 S. Ct. 2505 ( 1986 )

Wolf v. Central Intelligence Agency , 569 F. Supp. 2d 1 ( 2008 )

Safecard Services, Inc. v. Securities and Exchange ... , 926 F.2d 1197 ( 1991 )

Military Audit Project, Felice D. Cohen, Morton H. Halperin ... , 656 F.2d 724 ( 1981 )

The Nation Magazine, Washington Bureau, and Max Holland v. ... , 71 F.3d 885 ( 1995 )

United States Department of Justice v. Reporters Committee ... , 109 S. Ct. 1468 ( 1989 )

Mayer Brown LLP v. Internal Revenue Service , 562 F.3d 1190 ( 2009 )

GUILLERMO FELIPE DUEÑAS ITURRALDE v. COMPTROLLER OF THE ... , 315 F.3d 311 ( 2003 )

View All Authorities »