The FBI is still trying to withhold records about Seth Rich and CrowdStrike

The CrowdStrike Reports

Speaking of “nothing to hide,” FBI personnel originally ignored my request for the CrowdStrike reports, apparently hoping that I wouldn’t notice. After I called them out in front of the court, they produced cover sheets for the reports and nothing more. In fact, even the cover sheets were partially redacted. You can find the cover sheets here, here, and here.

As you can see, each of those reports is preceded by the statutory exemptions that purportedly allow the FBI to withhold certain pages or sections of the report. That’s where things get interesting. Here are the five exemptions in question, with my comments interspersed:

• 5 U.S.C. § 552(b)(3) “[the records are] specifically exempted from disclosure by statute (other than section 552b of this title), provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld;”
  
  • Comment: The FBI’s cover letter invokes 6 U.S.C. § 1501, which doesn’t make a lot of sense because it is only a list of definitions, although some of those definitions pertain to cybersecurity. The only other statute is 50 U.S.C § 3024(i)(1), which states “[t]he Director of National Intelligence shall protect intelligence sources and methods from unauthorized disclosure.” If a private company is hired by a hacking victim, then how does that pertain to the government’s “intelligence sources and methods”?

• 5 U.S.C. § 552(b)(4) “trade secrets and commercial or financial information obtained from a person and privileged or confidential;”
  
  • Comment: If the government is farming out its responsibilities to a private company, it seems any purported “trade secrets” are out the window. It’s also hard to reconcile “trade secrets” with section (b)(3) above, where the FBI claims government “sources and methods” must be protected. Whose secrets and methods are we protecting?

• 5 U.S.C. § 552(b)(6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;
  
  • Comment: Why would personnel, medical, and similar files be in a CrowdStrike report? And why can’t the names be redacted without redacting entire pages?

• (b)(7)(C) could reasonably be expected to constitute an unwarranted invasion of personal privacy;
  
  • Comment: Whose personal privacy? Again, why can’t the names be redacted without redacting entire pages?

• (b)(7)(E) would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law.
  
  • Comment: This one will raise a novel legal question for the court. So far as I am aware, the FBI had never before and has never since allowed a private company to conduct an investigation on its behalf. Is CrowdStrike “law enforcement” such that it can invoke the right to protect its investigations under (b)(7)(E)? I think not.

The FBI produced the cover pages in May of 2022, months after it was supposed to have produced all responsive documents. By now, the government should have filed a separate motion for summary judgment asking the court to rule that it does not have to search for or produce anything more related to CrowdStrike. If the government does not file that motion soon, I’ll be filing my own motion asking the court to order production of most if not all of the CrowdStrike reports.

The fun never stops.