Two new FOIA lawsuits: Any DIA purchases of DNS or netflow logs from data brokers, and FBI shooting incident reports

With The New York Times — and in one case, with my colleague Mark Mazzetti — I filed two new Freedom of Information Act cases this week. I thank the Times’ newsroom lawyer, David McCraw, and our annual First Amendment fellow, Jess Hui, for their representation in this litigation.

The case with Mark is asking the Defense Intelligence Agency for documents that would show whether it has been purchasing Domain Name System (DNS) logs or Internet traffic data from commercial brokers, and if so what it has been doing with them particularly in regards to searching for data associated with Americans.

Context: Last January I wrote about the DIA’s disclosure (in unclassified correspondence with the office of Senator Ron Wyden, Democrat of Oregon) that it has purchased smartphone app locational data from brokers and sometimes queried it, without a warrant, for information about an American’s past movements; that was interesting in part because in a landmark 2018 case called Carpenter, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers, but the government has concluded that this ruling does not apply to locational data acquired through voluntary commercial transactions. Meanwhile, there is growing awareness of how DNS and/or netflow logs can be used to identify which websites or servers a particular user has accessed or which users are visiting a particular website or server, and debate about what the rules should be for government access to that kind of data. (This attention is mainly due to a legislative fight over whether to prevent the government from using Section 215 of the Patriot Act to gather Internet traffic logs, which Mr. Wyden has played a leading role in, but the power of DNS logs has also been in the news due to the Trump-era special counsel John Durham’s investigation into suspicions raised by a group of data scientists in 2016 about odd DNS data suggesting hidden communications between servers for the Trump Organization and a Kremlin-linked Russian bank.) In April, Wyden and other lawmakers introduced The First Amendment is Not For Sale Act to address commercial sales to the government of data pertaining to Americans’ communications. In May, Joseph Cox of Vice’s Motherboard reported on a letter from Wyden to the Pentagon revealing that the lawmaker had asked whether the Defense Intelligence Agency was buying commercially available DNS and netflow data, but that it had provided answers in a form he was not permitted to make public.

The other new FOIA case is seeking an updated (post 2015) set of the F.B.I.’s internal incident reports that it produces whenever an agent fires a weapon outside of a shooting range. The reports reconstruct a narrative account of what happened and assess whether the agent’s decision to pull the trigger complied with the F.B.I.’s policy, which allows deadly force only if agents fear that their lives or those of others are in danger. They can also reflect any disciplinary action or discussion of changes to training and procedures arising from the scrutiny.

Context: I’ve been periodically requesting and publishing these reports for years, and after having to fight a FOIA lawsuit for the first set, I was able to get updated tranches without litigation for some time. However the bureau has ignored my most recent request, so we are again suing to compel their disclosure in compliance with the information act. Notably, the first set of documents I obtained showed that the F.B.I. had deemed its agents faultless in at least 150 incidents in which they had shot someone dating back at last 20 years, including deeming a “good shoot” a case where it paid $1.3 million to an innocent man an agent shot in the jaw. After we began running stories on this pattern, the F.B.I.’s internal process seems to have gotten tougher, finding at least two shooting incidents to not have complied with its policy. But I’ve not obtained any such reports since 2016, so this lawsuit aims to make public what has happened since then.