EFF sues NSA in bid for records related to Heartbleed disclosure

Share this article:
In a court ruling, Judge Richard Leon described the agency’s tactics as "almost Orwellian".
The EFF is suing NSA to produce records related to Heartbleed disclosure.

The Electronic Frontier Foundation (EFF) has filed a lawsuit against the National Security Agency (NSA), accusing the agency of knowing about and exploiting the Heartbleed bug for many years before it was revealed to businesses and the public.

The Office of the Director of National Intelligence has previously denied knowledge — and exploitation — of the zero day vulnerability, a claim that the EFF takes issue with in its suit, citing published news reports to the contrary.

In April, a White House blog gave a murky explanation as to how the government chooses to disclose vulnerabilities, citing reliance on a Vulnerabilities Equity Process that it calls “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” albeit one with “no hard and fast rules.”

The suit, filed in a U.S. District Court in San Francisco, stems from a May Freedom of Information Act (FOIA) request when the EFF asked NSA to provide records on “the development or implementation of the ‘Vulnerabilities Equity Process.'” The organization asked the agency to expedite the request due to the “urgency to inform the public concerning actual or alleged federal government activity.”

The NSA agreed to turn over the records (though EFF still awaits the information), but the agency denied the request for expedition. Noting the vast number of FOIA requests that agencies must fulfill, EFF Legal Fellow Andrew Crocker told SCMagazine.com in email correspondence that he didn't "think the government is intentionally dragging its feet." But the privacy advocacy group noted in its suit that the NSA has exceeded the standard 20-day deadline for processing FOIA requests, and that the EFF had exhausted all administrative avenues.

"It's important to get these criteria because the decisions that the government makes on whether to disclose vulnerabilities can have a large impact on the individual users' security," said Crocker. Pointing out that despite reports in the press, "there has been very little transparency from the government itself," he said. "As with other areas of the ongoing debate, the public needs greater insight into this process in order to form an opinion — one of the core purposes of FOIA."

The suit asks the Court to order the NSA to produce the requested documents quickly and in their entirety, as well as pick up legal fees incurred by the action.

[Update: This article has been updated to include additional comments from Andrew Crocker from the EFF.]

Share this article:

Sign up to our newsletters

More in News

Senator Leahy prepares bill to tackle NSA snooping

The bill is set to be introduced on Tuesday.

Malware used to compromise payment cards at Wendy's restaurant in Michigan

Customers who paid with credit and debit cards at a Wendy's in Michigan may have had their payment card compromised if they used it at the restaurant for about a month prior to July 15.

Report: Japan eyes law requiring security incident reporting

Bloomberg says the Japanese government is eyeing cyber security legislation to make companies 'fess up to security incidents impacting users.