Federal Communications Commission

Washington, D.C. 20554

September 27, 2017

Jason Prechtel
249 Woodbine St.
Brooklyn, NY 11221
Via e-mail to: jrprechtel@gmail.com

Re: FOIA Control No. FCC-2017-000705

Jason Prechtel,

This letter responds to your Freedom of Information Act (FOIA) request for the public
API keys, including associated registration names and e-mail addresses, used to submit
online comments via ECFS to Proceeding 17-108, Restoring Internet Freedom between
Apr 26, 2017 and June 4, 2017. In addition, you also requested:

1) Logs of all times and dates that said public API keys were used to submit online
comments via ECFS to Proceeding 17-108, Restoring Internet Freedom
between Apr 26, 2017 and the date of your request (June 5, 2017).
2) E-mail addresses associated with all .CSV comment uploads, along with all .CSV
files uploaded in response to Proceeding 17-108, Restoring Internet Freedom
between Apr 26, 2017 and the date of your request (June 5, 2017) (including any
accepted .CSV submissions that did NOT use the FCC's "Restoring Internet
Freedom ECFS Bulk Upload Template" .CSV file template).
3) Logs of all times and dates that said e-mail addresses submitted online comments
via the FCC's online .CSV submission box to Proceeding 17-108, Restoring
Internet Freedom between Apr 26, 2017 and the date of your request (June 5,
2017).
4) All e-mail inquiries to ECFSHelp@fcc.gov regarding .CSV comment submissions
in response to Proceeding 17-108, Restoring Internet Freedom between Apr 26,
2017 and the date of your request (June 5, 2017).

Your request has been assigned FOIA Control No FCC-2017-000705 and the Office of
the Managing Directors (OMD) Information Technology Center (ITC), was assigned
this request.

As part of your request, you seek access to information regarding the identity of
individuals who registered for Application Programing Interface (API) keys in order to
submit comments in Docket 17-108. The Commission does not maintain this information.
Users register for API keys through data.gov, a website run by the General Services
Administration. The General Services Administration would, therefore, maintain any
records related to API key registration.1

The email addresses associated with the .CSV comment uploads you requested were
withheld under FOIA Exemption 6. 2 In addition, all .CSV files uploaded during the
times listed above are publicly available on ECFS and can be accessed at any time. FOIA
exemption (b) (6) permits the government to withhold all information about individuals
in "personnel and medical files and similar files" when the disclosure of such information
would constitute a clearly unwarranted invasion of personal privacy."

ITC has located 15 pages of documents that are responsive to your request for e-mail
inquiries to ECFSHelp@fcc.gov regarding .CSV comment submissions in response to
Proceeding 17-108, Restoring Internet Freedom between Apr 26, 2017 and June 5,
2017. These documents were redacted under FOIA Exemption 6.3 Exemption 6 protects
files containing personally identifiable information disclosure of which would constitute
a clearly unwarranted invasion of personal privacy. Balancing the publics right to
disclosure against the individuals right to privacy, we have determined that release of
this information would constitute a clearly unwarranted invasion of personal privacy.

Portions of these records were also redacted under FOIA Exemption 5.4 Exemption 5
protects certain inter-agency and intra-agency records that are normally considered
privileged in the civil discovery context. Exemption 5 encompasses a deliberative
process privilege intended to prevent injury to the quality of agency decisions.5 To fall
within the scope of this privilege the agency records must be both predecisional and
deliberative.6 Predecisional records must have been prepared in order to assist an
agency decision maker in arriving at his decision.7 Deliberative records must be such
that their disclosure would expose an agencys decisionmaking process in such a way as
to discourage candid discussion within the agency and thereby undermine the agencys
ability to perform its functions.8 The redacted material consists of internal deliberations
of staff regarding how to respond to outside inquiries.

1
See e.g., Skurow v. Dept of Homeland Security, 892 F. Supp. 2d 319, 328 (D.D.C. 2012) (finding that an
agency was not required to search the files of a different agency in responding to a FOIA request); Askew v.
United States, No. 05-00200, 2006 WL 3307469, at *10 (E.D. Ky. Nov. 13, 2006) (rejecting plaintiffs
argument that the FOIA requires an agency to search another agencys files).
2
5 U.S.C. 552(b)(6).
3
5 U.S.C. 552(b)(6).
4
5 U.S.C. 552(b)(5).
5
NLRB v. Sears Roebuck & Co., 421 U.S. 132, 151 (1975).
6
Id. at 151-52.
7
Formaldehyde Inst. v. Dept of Health and Human Servs., 889 F.2d 1118, 1122 (D.C. Cir. 1989); see also
Coastal States Gas Corp. v. Dept of Energy, 617 F.2d 854, 866 (D.C. Cir. 1980) (In deciding whether a
document should be protected by the privilege we look to whether the document is . . . generated before the
adoption of an agency policy and whether . . . it reflects the give-and-take of the consultative process. The
exemption thus covers recommendations, draft documents, proposals, suggestions, and other subjective
documents. . . .).
8
Formaldehyde Inst., 889 F.2d at 1122 (quoting Dudman Commcns Corp. v. Dept of the Air Force, 815
F.2d 1565, 1568 (D.C. Cir. 1987).

2
We have determined that it is reasonably foreseeable that disclosure would harm the
Commissions deliberative processes, which Exemption 5 is intended to protect. Release
of this information would chill deliberations within the Commission and impede the
candid exchange of ideas.

Server logs responsive to your request were withheld under FOIA Exemption 6.9
Exemption 6 protects personnel and medical files and similar files the disclosure of
which would constitute a clearly unwarranted invasion of personal privacy.10 Balancing
the publics right to disclosure against the individuals right to privacy, we have
determined that release of this information would constitute a clearly unwarranted
invasion of personal privacy.

The server logs you are requesting document the hundreds of thousands of page requests
that the Electronic Comment Filing System (ECFS) received during the high-traffic
period of May 7-9, 2017. These logs provide information about each request, including
the Internet Protocol (IP) address from which the request originated. While we believe
that many of these requests made to the ECFS servers during this period came from
cloud-based automated bots, many also came from human users who successfully
commented on the Restoring Internet Freedom proceeding (Docket No. 17-108). We
therefore have reason to believe that many of the IP addresses in these logs are linkable to
ECFS commenters and should be considered personally identifiable information.11

We have determined that it is reasonably foreseeable that disclosure would harm the
privacy interest of the persons mentioned in these records, which Exemption 6 is intended
to protect.

Additionally, these server logs were withheld under Exemption 7(E), which protects
records or information compiled for law enforcement purposes [the production of
which] would disclose techniques and procedures for law enforcement investigations or
prosecutions, or would disclose guidelines for law enforcement investigations or
prosecutions if such disclosure could reasonably be expected to risk a circumvention of
the law.12 The requested logs would publicly disclose information about how the FCC

9
5 U.S.C. 552(b)(6).
10
The Supreme Court has interpreted the term similar files broadly, to include all information that
applies to a particular individual. Dept of State v. Washington Post Co., 465 U.S. 595, 602 (1982).
11
See, e.g., 16 C.F.R. 312.2 (rules implementing the Childrens Online Privacy Protection Act include in
the definition of personal information persistent identifiers like IP addresses that can be used to recognize
a user over time and across different websites or online services); Office of Management and Budget, Circ.
A-130, 33 (2016) (defining PII as information that can be used to distinguish or trace an individuals
identity, either alone or when combined with other information that is linked or linkable to a specific
indvidiual.)
12
5 U.S.C. 552(b)(7)(E). See Bigwood v. Dept of Defense, 132 F. Supp. 3d 124, 152 (D.D.C. 2015)
Importantly, the range of law enforcement purposes covered by Exemption 7(E) includes not only
traditional criminal law enforcement duties, but also proactive steps taken by the government designed to
prevent terrorism or maintain national security. (citing Ctr. for Natl Sec. Studies v. Dept of Justice, 331
F.3d 918, 926 (D.C. Cir. 2003)). See also Levinthal v. Fed. Election Comm., 219 F. Supp. 3d 1, 7 (D.D.C.
2016) ([T]he Commission . . . cannot effectively carry out its law enforcement function unless it has a
secure and reliable IT system.).

3
protects the security of ECFS and its other information assets. The FCC contracts with a
commercial cloud server to host ECFS and uses application programming interfaces
(APIs) and other tools to manage the comment traffic and protect ECFS from DDOS and
other types of disruptive attacks. The logs would provide detailed information about
these arrangements. In addition to disclosing the security measures the FCC takes to
protect ECFS, the logs would also disclose detailed information about what steps the
FCC took to mitigate the spike in ECFS traffic during the requested period, thereby
giving future attackers a roadmap to evade the FCCs responses.

We have determined that it is reasonably foreseeable that disclosure would allow

circumvention of certain infrastructure protection mechanisms, which Exemption 7 is
intended to protect.

The FOIA requires that any reasonably segregable portion of a record must be released
after appropriate application of the Acts exemptions.13 The statutory standard requires
the release of any portion of a record that is nonexempt and that is reasonably
segregable from the exempt portion. However, when nonexempt information is
inextricably intertwined with exempt information, reasonable segregation is not
possible.14 The withholdings made are consistent with our responsibility to determine if
any segregable portions can be released. Conducting a line-by-line review of the server
logs to extract the exempt material, described above, would be a daunting task. The
requested server logs contain hundreds of millions of lines of technical information
documenting the servers activities. Reviewing this massive amount of data for IP
addresses linkable to individuals would require hundreds of hours and is not reasonable.

We are required by both the FOIA and the Commissions own rules to charge requesters
certain fees associated with the costs of searching for, reviewing, and duplicating the
sought after information.15 You will not be charged for this FOIA response. To the
extent this response incurred any fees billable to you, Commission staff has determined
that the total fee likely is less than the cost to collect and process the fee. Therefore,
pursuant to section 0.470 of the Commissions rules, no fee will be charged.

Your request for a fee waiver pursuant to section 0.470(e) of the Commissions rules is
moot due to a lack of fees.16 As you are not required to pay any fees in relation to your
FOIA request, the Office of the General Counsel, which reviews such requests, does not
make a determination regarding any request for a fee waiver you may have made.17

If you consider this to be a denial of your FOIA request, you may seek review by filing
an application for review with the Office of General Counsel. An application for review
must be received by the Commission within 90 calendar days of the date of this

13
5 U.S.C. 552(b) (sentence immediately following exemptions).
14
Mead Data Cent. Inc. v. Dept of the Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977).
15
See 5 U.S.C. 552(a)(4)(A), 47 C.F.R. 0.470.
16
47 C.F.R. 0.470(e).
17
47 C.F.R. 0.470(e)(5).

4
letter.18 You may file an application for review by mailing the application to Federal
Communications Commission, Office of General Counsel, 445 12th St SW, Washington,
DC 20554, or you may file your application for review electronically by e-mailing it to
FOIA-Appeal@fcc.gov. Please caption the envelope (or subject line, if via e-mail) and
the application itself as Review of Freedom of Information Action.

If you would like to discuss this response before filing an application for review to
attempt to resolve your dispute without going through the appeals process, you may
contact the Commissions FOIA Public Liaison for assistance at:

FOIA Public Liaison

Federal Communications Commission, Office of the Managing Director,
Performance Evaluation and Records Management
445 12th St SW, Washington, DC 20554
202-418-0440
FOIA-Public-Liaison@fcc.gov

If you are unable to resolve your FOIA dispute through the Commissions FOIA Public
Liaison, the Office of Government Information Services (OGIS), the Federal FOIA
Ombudsmans office, offers mediation services to help resolve disputes between FOIA
requesters and Federal agencies.19 The contact information for OGIS is:

Office of Government Information Services

National Archives and Records Administration
8601 Adelphi RoadOGIS
College Park, MD 20740-6001
202-741-5770
877-684-6448
ogis@nara.gov
ogis.archives.gov

Sincerely,
Digitally signed by MARIE
MARIE CALVOSA CALVOSA
Date: 2017.09.29 12:13:17 -04'00'

Christine Calvosa
Deputy Chief Information Officer

cc: FCC FOIA Office

18
47 C.F.R. 0.461(j), 1.115; 47 C.F.R. 1.7 (documents are considered filed with the Commission upon
their receipt at the location designated by the Commission).
19
Please note that attempts to resolve your dispute through the FOIA Public Liaison or OGIS do not toll the
time for filing an application for review unless an extension is granted by the Office of General Counsel.