Federal Communications Commission, Response to FOIA Request by Gizmodo Media Group, July 19 2017, Unclassified.
National Security Archive
A FOIA denial reveals how the FCC hid internal debates over a DDoS attack that threatened the legitimacy of its net‑neutrality rulemaking.
Source: Federal Communications Commission, Response to FOIA Request by Gizmodo Media Group, July 19 2017, Unclassified. Date: Jul 19, 2017 Archive: Ars Technica
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A FOIA Glimpse into the FCC’s Net‑Neutrality Turmoil
The July 19 2017 response from the Federal Communications Commission to a Freedom of Information Act request filed by Gizmodo Media Group is not merely a bureaucratic letter; it is a snapshot of the agency’s internal scramble as it faced one of the most contentious regulatory battles in recent memory. The request, filed in early 2017, sought every email, calendar entry, and draft memo that linked Chairman Ajit Pai and Commissioner Michael O’Rielly to the alleged distributed‑denial‑of‑service (DDoS) attack that crippled the FCC’s public comment system in May of that year. The timing is crucial: the attack coincided with the final weeks of the Obama administration’s net‑neutrality rulemaking, and the incoming Trump administration, led by Pai, was poised to dismantle those protections.
The document reveals the FCC’s procedural posture. After the attack, the agency publicly warned that “spam” and “astroturfing” might have polluted the comment stream, and it commissioned a technical analysis—later cited by Dr. David Bray, a senior FCC engineer, as confirming a DDoS event. The FOIA response shows that the Commission’s own offices were asked to produce a trove of internal communications about the incident, the integrity of the comment system, and how to respond. The fact that the FCC located roughly 225 pages but released only 16, withholding the rest under Exemptions 4, 5, 6, and 7, signals a deliberate effort to keep the deliberative process and any potentially embarrassing trade‑secret information out of public view.
Why does this matter beyond the mechanics of a FOIA denial? The episode sits at the intersection of three larger narratives. First, it underscores the vulnerability of digital democratic participation: the FCC’s comment portal—once a model of open‑government engagement—was shown to be susceptible to cyber‑attack, raising doubts about the legitimacy of the massive public input that underpinned the net‑neutrality order. Second, it illustrates how the new Republican leadership leveraged the attack to cast doubt on the rulemaking’s credibility, framing the controversy as a technical failure rather than a policy dispute. Third, it highlights the growing tension between transparency advocates and agencies that invoke deliberative‑process privileges to shield internal debates from scrutiny.
The actors named in the request—Pai, O’Rielly, and Dr. Bray—each embody different facets of the controversy. Pai, appointed by President Obama but quickly turned into the Trump administration’s deregulatory champion, used the DDoS narrative to argue that the comment system was “unreliable” and that the net‑neutrality rule lacked a solid evidentiary base. O’Rielly, a vocal critic of the rule, echoed those concerns in public statements, suggesting that the flood of comments was “manufactured” by interest groups. Dr. Bray’s technical memo, cited in the request, provided the agency’s first official acknowledgment of a cyber‑attack, yet the FOIA response’s heavy redactions leave his methodology and conclusions largely hidden. The omission hints at a possible reluctance to expose the agency’s technical vulnerabilities or to reveal how internal experts may have been pressured to frame the incident in a way that supported a policy agenda.
Reading between the lines, the extensive reliance on Exemption 5 (deliberative‑process privilege) suggests that many of the withheld documents were pre‑decision drafts, staff memos, and internal debates about whether to invalidate the comment period or to move forward with the net‑neutrality order despite the attack. The agency’s justification—that disclosure would “chill deliberations”—is standard FOIA rhetoric, but the sheer volume of material kept secret raises questions about whether the FCC was attempting to suppress dissenting views that might have complicated the case for repeal.
The legacy of this FOIA response is twofold. Practically, it set a precedent for how the FCC would handle future transparency requests about its cyber‑security posture and comment‑handling processes, often citing the same exemptions. Symbolically, it contributed to the narrative that the net‑neutrality rule was built on a flawed foundation, a story that the Trump administration later used to justify its 2017 repeal. For scholars of regulatory history, the document is a reminder that the battle over the internet’s future was fought not only in public hearings and courtrooms but also in the quiet corridors of agency offices, where decisions are drafted, debated, and sometimes concealed.
In sum, the July 19 2017 FOIA response is a microcosm of a pivotal moment when cyber‑threats, partisan politics, and the limits of governmental transparency collided. Its redacted pages may never be seen, but the very act of withholding them tells us as much about the FCC’s strategic calculations as any released memo could.
Federal Communications Commission Washington, D.C. 20554
July 19, 2017
Dell Cameron Gizmodo Media Group 2 West 17th St, 2nd Floor New York, NY 10011 Via e-mail to foiaquery@gmail.com
Re: FOIA Control No. 2017-655
Mr. Cameron:
This letter responds to your Freedom of Information Act (FOIA). Your request has been assigned FOIA Control No. 2017-655. Specifically, your request seeks:
- All communications between employees in the offices of Chairman Ajit Pai and Commissioner Michael O’Rielly concerning the following topics: a. “distributed denial-of-service attack” or “DDoS” b. Public comments to the FCC’s comment system regarding net neutrality. c. “astroturfing” d. “spam” sent to the FCC comment system. e. Dr. David Bray’s May 8, 2017, statement regarding the alleged DDoS attack. f. Questions from representatives of the news media regarding the alleged DDoS attack and/or the integrity of the FCC’s comment system.
- All calendar entries, visitor logs, or meeting minutes referring or relating to any and all meetings between employees in the offices of Chairman Ajit Pai and Commissioner Michael O’Rielly regarding the FCC’s public comment system and/or the alleged DDoS attack.
- Any and all documents in the offices of Chairman Ajit Pai and Commissioner Michael O’Rielly discussing, referring, or relating to the FCC’s comment system and/or the alleged DDoS attack, including all draft or final versions of orders, memoranda, or written views concerning the approach the FCC should take with respect to perceived issues with the comment system.
- All records referencing a letter by Senators Ron Wyden and Brian Schatz sent to FCC on May 9 concerning the alleged DDoS attack.
- All documents and communications in the offices of Chairman Ajit Pait and Commissioner Michael O’Rielly relating to the recommendations or views of FCC personnel about how to respond to the alleged DDoS attack and/or questions about the integrity of the FCC’s comment system.
- A copy of any records related to the FCC “analysis” (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.
Pursuant to section 0.461(g)(1)(i) of the Commission’s rules, the date for responding to your request has been extended July 6, 2017, due to a need to search records from multiple offices of the Commission. The deadline was subsequently extended to July 19, 2017.
The Office of the Chairman, the Office of Commissioner O’Rielly, the Office of Legislative Affairs, and the Office of the Managing Director – Information Technology searched for responsive records.
We located approximately 225 pages of records responsive to your request. Of the approximately 225 pages of responsive records located, 16 pages are produced here. The remaining pages are withheld in full due to the reasons discussed below. Additionally, some material on the pages produced has been redacted due to the reasons discussed below.
Records responsive to your request were withheld under FOIA Exemption 4.¹ Exemption 4 protects matters that are “trade secrets and commercial or financial information obtained from a person and privileged or confidential.” These documents consist of trade press articles and other subscription publications that are subject to copyright. We have determined that disclosure is prohibited by law under the Trade Secrets Act, 18 U.S.C. § 1905, or that release would otherwise harm the commercial interests of the companies involved.
Records responsive to your request were withheld or redacted under FOIA Exemption 5.² Exemption 5 protects certain inter-agency and intra-agency records that are normally considered privileged in the civil discovery context. Exemption 5 encompasses a deliberative process privilege intended to “prevent injury to the quality of agency decisions.”³ To fall within the scope of this privilege the agency records must be both predecisional and deliberative.⁴ Predecisional records must have been “prepared in order to assist an agency decision maker in arriving at his decision.”⁵ Deliberative records must be such that their disclosure “would expose an agency’s decisionmaking process in such a way as to discourage candid discussion within the agency and thereby undermine the agency’s ability to perform its functions.”⁶
These documents include staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff. We have determined that it is reasonably foreseeable that disclosure would harm the Commission’s deliberative processes, which Exemption 5 is intended to protect. Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas.
¹ 5 U.S.C. § 552(b)(4). ² 5 U.S.C. § 552(b)(5). ³ NLRB v. Sears Roebuck & Co., 421 U.S. 132, 151 (1975). ⁴ Id. at 151-52. ⁵ Formaldehyde Inst. v. Dep’t of Health and Human Servs., 889 F.2d 1118, 1122 (D.C. Cir. 1989); see also Coastal States Gas Corp. v. Dep’t of Energy, 617 F.2d 854, 866 (D.C. Cir. 1980) (“In deciding whether a document should be protected by the privilege we look to whether the document is . . . generated before the adoption of an agency policy and whether . . . it reflects the give-and-take of the consultative process. The exemption thus covers recommendations, draft documents, proposals, suggestions, and other subjective documents. . . .”). ⁶ Formaldehyde Inst., 889 F.2d at 1122 (quoting Dudman Commc’ns Corp. v. Dep’t of the Air Force, 815 F.2d 1565, 1568 (D.C. Cir. 1987).
2
Records responsive to your request were withheld or redacted under FOIA Exemption 6.7 Exemption 6 protects “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” Balancing the public’s right to disclosure against the individual’s right to privacy, we have determined that release of this information would constitute a clearly unwarranted invasion of personal privacy. These redactions consist of non-public contact information. We have determined that the public interest in this information is de minimis, while there is a substantial privacy interest for the affected individuals.
We have determined that it is reasonably foreseeable that disclosure would harm the privacy interest of the persons mentioned in these records, which Exemption 6 is intended to protect.
Records responsive to your request were withheld under Exemption 7(E), which protects “records or information compiled for law enforcement purposes [the production of which] would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk a circumvention of the law.”8 These documents consisted of discussion of the Commission’s IT infrastructure and countermeasures. It is reasonably foreseeable that this information, if released, would allow adversaries to circumvent the FCC’s protection measures.
We have determined that it is reasonably foreseeable that disclosure would harm the Commission or the Federal government’s law enforcement activities, which Exemption 7 is intended to protect.
Part 6 of your request seeks “A copy of any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” IT staff have confirmed there are no records responsive to this portion of the request. The analysis referred to stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.
The FOIA requires that “any reasonably segregable portion of a record” must be released after appropriate application of the Act’s exemptions.9 The statutory standard requires the release of any portion of a record that is nonexempt and that is “reasonably segregable” from the exempt portion. However, when nonexempt information is “inextricably intertwined” with exempt information, reasonable segregation is not possible.10 The redactions and/or withholdings made are consistent with our responsibility to determine if any segregable portions can be released. To the extent non-exempt material is not released, it is inextricably intertwined with exempt material.
We are required by both the FOIA and the Commission’s own rules to charge requesters certain fees associated with the costs of searching for, reviewing, and duplicating the sought after information.11 To calculate the appropriate fee, requesters are classified as: (1)
7 5 U.S.C. § 552(b)(6). 8 5 U.S.C. § 552(b)(7)(E). 9 5 U.S.C. § 552(b) (sentence immediately following exemptions). 10 Mead Data Cent. Inc. v. Dep’t of the Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977). 11 See 5 U.S.C. § 552(a)(4)(A), 47 C.F.R. § 0.470.
3
commercial use requesters; (2) educational requesters, non-commercial scientific organizations, or representatives of the news media; or (3) all other requesters.12
Pursuant to section 0.466(a)(5)-(7) of the Commission's rules, you have been classified as category (2), "educational requesters, non-commercial scientific organizations, or representatives of the news media."13 As an "educational requester, non-commercial scientific organization, or representative of the news media," the Commission assesses charges to recover the cost of reproducing the records requested, excluding the cost of reproducing the first 100 pages. The production in response to your request did not involve more than 100 pages of duplication. Therefore, you will not be charged any fees.
You have requested a fee waiver pursuant to section 0.470(e) of the Commission's rules.14 As you are not required to pay any fees in relation to your FOIA request, the Office of the General Counsel, which reviews such requests, does not make a determination on your request for a fee waiver.15
If you consider this to be a denial of your FOIA request, you may seek review by filing an application for review with the Office of General Counsel. An application for review must be received by the Commission within 90 calendar days of the date of this letter.16 You may file an application for review by mailing the application to Federal Communications Commission, Office of General Counsel, 445 12th St SW, Washington, DC 20554, or you may file your application for review electronically by e-mailing it to FOIA-Appeal@fcc.gov. Please caption the envelope (or subject line, if via e-mail) and the application itself as "Review of Freedom of Information Action."
If you would like to discuss this response before filing an application for review to attempt to resolve your dispute without going through the appeals process, you may contact the Commission's FOIA Public Liaison for assistance at:
FOIA Public Liaison Federal Communications Commission, Office of the Managing Director, Performance Evaluation and Records Management 445 12th St SW, Washington, DC 20554 202-418-0440 FOIA-Public-Liaison@fcc.gov
If you are unable to resolve your FOIA dispute through the Commission's FOIA Public Liaison, the Office of Government Information Services (OGIS), the Federal FOIA Ombudsman's office, offers mediation services to help resolve disputes between FOIA requesters and Federal agencies.17 The contact information for OGIS is:
12 47 C.F.R. § 0.470. 13 47 C.F.R. § 0.466(a)(5)-(7). 14 47 C.F.R. § 0.470(e). 15 47 C.F.R. § 0.470(e)(5). 16 47 C.F.R. §§ 0.461(j), 1.115; 47 C.F.R. § 1.7 (documents are considered filed with the Commission upon their receipt at the location designated by the Commission). 17 Please note that attempts to resolve your dispute through the FOIA Public Liaison or OGIS do not toll the time for filing an application for review unless an extension is granted by the Office of General Counsel.
4
Office of Government Information Services National Archives and Records Administration 8601 Adelphi Road–OGIS College Park, MD 20740-6001 202-741-5770 877-684-6448 ogis@nara.gov ogis.archives.gov
Sincerely,
[Elizabeth Lyle R.04]
Elizabeth Lyle Assistant General Counsel
Enclosures cc: FCC FOIA Office
5
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu