So what I intend to do here is to give an overview of the FOIA process and how you can make it work for you. So what's FOIA? So a lot of people don't necessarily know that the government does have a pathway for giving you documents that belong to all of us. So FOIA stands for the Freedom of Information Act.

And so what this is designed to do is to disperse documents that are sourced from the government. It's true information. It's usually, in some cases, it's raw information. In other cases, it's processed information. It all depends on what you're asking for.

But the beauty of the Freedom of Information Act is that it allows common people to make these requests at will for almost any topic that you're interested in. It's a very powerful process. It doesn't have to cost you any money. In some cases, it will cost money, but we'll get into the nuance of all of this

as we go along. So, okay, so why would you want to interact with the government in the first place? I don't know why you'd want to interact with the government on any other basis, but the Freedom of Information Act is something that we should all be involved in because it boosts transparency in a way that not very many other

governmental processes allow for. So if you're interested in a topic and you want to know more, you think maybe the government might have some information, FOIA is gonna be your way to get that. So maybe you're doing research on a topic. You've got an area of interest and you want to know more about it,

FOIA may be the way that you can do that. There are a lot of different complications that make FOIA challenging in some ways and deliberating in others. Again, something we'll get into in a little while, but with this process, you want to have a topic in mind when you get started. So let's just jump right into how we would do this.

So I'm gonna kind of try and keep the context of everything I say around a topic that's of interest to me and probably a lot of people who are on the stream. Working with a colleague of mine, Emma Best, we put together a talk or a project

to look through government documents that involve the history of hackers and events that have happened to the government or may have been investigated by the government around information security. We call those hacking history and on markrock.com, which is a site that you can use

to submit Freedom of Information Act requests, we are over 1% of the requests on the site now. By far, we are the largest by requests, we're the largest program project on Mark Rock. So we've put in, I think I got an update today that we have over 850 requests in,

which is quite a bit, a bit enough of my bragging. So with hacking history, it's a large umbrella topic that you can ask all kinds of different questions about. So this can range from anywhere from malicious code that the government may have to specific events

the government may have been investigating or even involved in directly, it could involve people. So there are a lot of subtopics that fit into this topic that you can ask the government about. So to get started, we can think of something

that we want to ask a question about. So because we're talking at DEF CON, because we're having a DEF CON weekend here and I've got some information back, which I'll share at the end of the slideshow, let's take DEF CON for instance. So let's say that you wanna know more about DEF CON. The process here is to try and target something that you think that the government

may have specific information on. So an event like DEF CON, you would want to start by asking questions that pertain to that specific event that happens yearly. So in a way, this is kind of like, it's a little like social engineering, but not in the more technical way

that the actual good social engineers, not like myself, can do this. So you wanna think of questions that will get the best response for the questions that you're asking. So when you think of a topic, try and make it something specific, but you don't necessarily have to make it super, super specific when you just get started.

You can start with something that's very broad in nature and try and target documents that you think maybe may comport with a broader sense. So like, if you're starting broad, start with something like indexes. So asking for indexes of things is a really good place to start if you're not really quite sure

what you want to ask about, or whether you're not quite sure if there may be documents that exist on the topic in the first place. So you can ask a government, for instance, for indexes of programs that pertain to a specific topic. So you may be able to ask the Federal Bureau of Investigation

for an index of maybe hacker conferences that they've been tracking for the last 10 or 15 years, which brings me to another kind of sub-genre here. So you want to kind of think of, make sure that you time-bound everything. So don't just ask for like everything

the government has on X. If it's a really big topic, try and keep it something very specific in time. Let me go back one. So when you're asking these questions, yeah, time-bound it, keep it between a certain timeframe. So either, I usually start with January 1 of a specific year,

and then if I want to go for five years, I may go January 1 of like 1990 to 1995 or something like that. I like to be specific about the exact day that I want it to start and end. I just think that makes it easier because really you have to remember that on the other end of this process is another human

and the other human may have different quirks about how they would provide information to you. So time-bounding helps with larger topics to kind of chunk it down. It saves a lot of time on the other side of the search.

So when the FOIA officer gets the request, they'll be able to take that information and do a search against it. But there are requirements that the government tries to stay under. So what I mean by that is the government is not obligated to provide you everything that they have

and just work on it indefinitely. It has to not cause, I think what the wording they use is a reasonable something, reasonable distress or like it's gotta be a reasonable request. Like you can't ask for an entire database of something

and expect that you're gonna get it back. So try to, especially if it's a larger topic, kind of try and keep it in a self-isolated kind of like a chunk of information that you expect to get back. This can also be helpful if you're not sure what you're gonna get back in the first place. So if you think that there may be a lot of information there,

the time-bounding really helps with that. So when I did my request for DEFCON, for instance, I chunked it down to like the beginning of DEFCON, which is like 92, 93 timeframe to 1997. What I ended up getting was like wildly, it was way up into the 2000s and I got some information.

And that's just kind of one of the fun things about the FOIA process is that you never really know what you're gonna get back. So it's kind of like a treasure hunt. Okay, so who can you ask questions to? You can ask questions to any government agency. Every federal government agency is required to be responsive to FOIA.

How they are responsive to your requests is part of the nuance. So a lot of my requests, for instance, go to FBI. If you wanted to ask special forces, something about special forces, so it's about a specific special forces organization, you might want to send a Freedom of Information Act

to the Special Operations Command, which is just a sub genre of the Department of Defense. You could also duplicate that request and send it to the Department of Defense to see if they may have anything kind of broader. You can ask the Central Intelligence Agency, you can ask the Department of Housing and Urban Development.

There's any government agency that takes public funding, which is all of them, has to be responsive to FOIA in some form or fashion. Some of them are better than others. So I famously, the NSA is not good with FOIA.

They take forever to acknowledge your FOIAs. When they do finally acknowledge them, the searching takes a lot longer than really it should. I think by law, they're bound to provide full service to all requests within 10 days,

but it almost never goes down that way. So be prepared for disappointment and long timelines, especially depending on who you ask. But that's not, your FOIA requests are not just limited to federal agencies and federal entities. You can also, in a lot of cases, you can ask your local entities the same questions,

especially if they're of local interest. So if you wanted to ask your local police department questions, you're almost assured to be able to do that. So it's not quite the same as the federal mandate, but local jurisdictions also, municipalities have to follow, they usually have their own like form

of the Freedom of Information Act that mirrors what the feds use. So any question that you might ask to the police or to the FBI, you can probably ask your local folks as well. Okay, so here's the fun part, the ask. So when you go to do your asking, we already touched on a little bit of this,

have a topic in mind, that's one big thing, but also have specific questions that you want to ask in mind. So if you're unclear when you put your request in, again, remember there's a human on the other end of this process, and there's a good chance that they're not gonna know what you're asking for if you're not super, super clear about it.

So if you tell them that you want something that's very vague and up for interpretation, or it's muddy and difficult to divine what it is that you're asking for exactly, the FOIA officer is bound to just kick it back to you and say like, I don't know what you're talking about, be more specific.

So don't give up if you get a rejection when you send in your first few. Just try to hone in on exactly what it is that you wanna know about. I know I had a ton of rejections when I first started asking before I started to figure out like, oh, I guess you can't just ask CIA about aliens

because they've been asked this question probably a million times, and they probably don't really have anything good in the first place or something that's releasable, which is another thing that we'll get into shortly. So when you do this asking, try to be as specific as possible.

Even when you're not quite sure what to expect back. So when you start a research project, you may start with fewer details. So let's say that you put in a request for an index because you have nothing on the topic that you're interested in. And the index is gonna come back and it's gonna have some information

that will kind of give you threads to pull. And so when you start to pull those threads, you'll be able to figure out what kinds of questions to ask next that will be more specific to your area of interest. So when you format your question, again, make sure it's time-bound. Even if you're asking for something that you know that the government has

for a specific timeframe, I like to put like buffer space on either side. So give it maybe a year before and after the event, if you're asking about an event, and just see if they've been collecting information prior to or after the event was supposed to have taken place. Good things to ask about events, programs,

individual specific, all of those things are great places to start. So if you have like a specific hacking event, for instance, that you want to ask about, let's just say like there's a Citibank hack from 1995. If you know exactly when that happened,

time-bound it for that year. Maybe give yourself some six months on either side. If you know that there's a specific individual you want to ask about, there are a few more things that you have to keep in mind when you actually go to do the question asking, and those are more that we'll get into in just a second,

but make sure that you just like, if you want to know about, let's say you want to know something about Kevin Mitnick, there's a lot more here, but if you want to know something about Kevin Mitnick, you ask the FBI, give me all the information that you have, any documentation related to Kevin Mitnick, between the years of X and X,

and make sure that you would involve, include things like audio visual, handwritten notes. It also really helps to get familiar with very specific government documentation. One of my favorites to ask for is FBI FD302 documents, because 302s are what the FBI uses

to take handwritten notes. So FBI agents are not required, they're actually, I don't know if they're disqualified by mandate to not be able to actually record conversations that they have as interviews with people, so with sources and just like bystanders.

So the way that they do this is they take handwritten notes. So all of those handwritten notes go into an FBI database and you can ask for those handwritten notes. So asking for FD402 is always great. There's always all kinds of like funny, extemporaneous information in there. Keywords are great, specific records like an FD302,

even if you don't know they exist, ask for them anyway. Indexes, we already covered. Basically, you can ask for anything that qualifies as a public document. So anything that's recorded by the government technically becomes a public document, but just because you ask for them doesn't mean that they have to give them to you.

So there will be some exemptions that we'll have to deal with in this process. So when you get responses, this is gonna take some time. So give yourself plenty of, make sure that you're very patient with this process. I've still got FOIAs waiting for responsive documents that I've been waiting for the last couple of years.

I've put one in for a well-known hacker that probably people on the stream know of named Trick. I've got one into the Defense Intelligence Agency for Trick, and I am not expecting that one to be done until December of 2021. So be patient, especially if you're asking for something

that's been classified or is currently classified, just have patience with the process. A lot of times they'll declassify it if it's relevant and it's older, but that's kind of just the luck of the draw. So dos and don'ts. Okay, so things that you should do.

Ask specific questions, time-bound your requests. FOIA for the dead. So here's an interesting thing about people. So when I just gave that example about doing a Freedom of Information Act request on Kevin Mitnick, you wouldn't get anything back in all likelihood

because he's still a US person and he's still alive. So when you do a request like this, you have to make sure that you are following their rules for asking for information. If the person is dead, you can ask these questions and just provide an obituary. In most cases, that will be enough.

The obituary has to be from a publication that's well known. You can't just send them like a local newspaper probably won't cut it or like a blog post or something. Trust me, I've tried this and it doesn't work. So don't be disappointed if you send them something and they just flat out reject it.

I've had that happen before even if I think that it's good enough. There are also exemptions though for the US person's policy which is what prohibits the government from sharing information about living US persons. One of those is an exemption for public figures. So I don't know that Kevin Mitnick

would qualify as being a public figure, but if you were to ask for something within the last 10 or 15 years on Mitnick, probably they're not gonna share it unless he dies tonight, which I hope that didn't happen, but just sibbling. Yeah, and remember that there's a person

on the other end of this. So don't be a huge jerk to them. Most of them are earnestly trying to be helpful to you. So try to be polite, especially if you get something back, like be very thankful, grateful to them for being helpful to you. You don't have to kiss their ass or anything,

but like just be aware that they have been trying to help you. Oh, I forgot that I made these highlighted. Okay, so don'ts. Okay, so really don't be a jerk. The person on the other side can just decide to slow the process. Like there's really no punishment. So if you've been a total asshole to them

from the get-go, they can just slow roll it and that's not gonna be helpful to you. At the same time though, don't back down just because you've been denied doesn't mean that you can't appeal. So this kind of another kind of like subroutine in this process is that when you ask a question

and you get rejected, that doesn't necessarily need to be all she wrote. You can do appeals. So if you get a rejection, you can say, I don't know that you did a thorough enough search of your records. I'm pretty sure the FBI might have files on this. So I would like to appeal this finding.

And then that goes on to another authority to kind of like double check the work. More often than not, they will just do what they call an affirmed on appeal, which means that they'll just say, nope, we got it right the first time, even if they didn't. And so then it's kind of game over at that point,

unless you get a lawyer and then you can take them to court to fight them. That's like a whole other ball of wax though, that's not really prime for this specific beginner's tutorial on FOIA. Don't ask for sources and methods. So if you go to CIA or FBI or NSA

and you say like, give me all the documentation you have on like all the exploits you have, they're not gonna just give up the goods because you asked them nicely. They would classify that as sources and methods. So that information is highly, highly protected because it provides the government

with a future pathway to procure new information. So yeah, so don't ask CIA about their purchasing programs or like specific things that they do to handle assets or anything like that. They're not gonna talk about it. Don't waste your time. Don't waste their time.

Like you're just gonna aggravate them and you'll be aggravated as well. Don't ask about living US persons. This is kind of a general rule. Again, just kind of a waste of time. There's not gonna be, and most people don't really have, I think there's this notion that people just have like government files all over the place.

Probably not. So don't count on like doing a FOIA request for your neighbor and expecting to get this like big file of information back that you can use against them in your nexus agreement. It just doesn't work like that. You can though do a FOIA request on yourself.

So that is another kind of like loophole to the whole US person's exemption. So if you wanted to do a freedom of information accident, tongue twister, if you wanted to do a FOIA request on yourself, you can do this. All you have to do is submit a privacy waiver. So what that does is it's basically a form

that you fill out and you send in to the agency and you say like, I'm forfeiting my right to privacy on this basis. What they do is they'll send you the information that's pertinent to that request. So if you've had run-ins with the FBI in the past, or if they've interviewed you or something

and you wanna get that information later on, totally do it. They're not gonna make it public and put it on a website or something. I would suggest not doing it through a site like MuckRock because MuckRock will just publish it if you want it to remain private. But if you do it directly through the FBI's online portal,

if you put the request in that way, then they'll just send the information directly to you and not make it public in any other way. So definitely encourage you to do this if you have interest in your own information. Okay, exemptions. So like I said before, just because you ask the government for something does not necessarily mean that they're gonna just give it to you.

And ways that they will deny giving you information that you ask for is through, they'll usually do this with exemptions. So you tend to see the exemptions more when it comes to specific national security organizations So some of the common ones that we see all the time are B1, and I'm just kind of paraphrasing

what this means. If you see a B1, this may come in the form of a redaction or just a full out, like we're not gonna give you anything. Usually it will come attached to a document. So when you see, when you get a document back, there'll be like a big blurb that will just be, it'll have a big white box over it. And then they'll have the exemption listed in the margin.

So B1, yeah, it's really, really classified. It's National Security Act stuff. So like, no, no, we're not getting it really is. This is actually really actually classified. So they'll exempt it for that reason. B3, this is CIA's NOPE rule.

It's protected by a very specific statute in law. I can't think of any examples of this right off the top of my head, but this is something that's generally used by CIA. B4 is one that protects trade secrets.

So you'll see this oftentimes in the form of like a propant proprietary information. That kind of stuff is really just there to protect intellectual property. B5, B5 is one that I really, really hate. B5, when I see a B5, what it says to me is like,

fuck you in particular. What we call it in the FOIA community is the withhold it because you want to exemption. There's not really, this is kind of a catchall that agencies will use. I've even gotten B5s from like the Department of Education. So it's not because the information is classified.

They've just decided not to share it with you. These ones, I think though, you have much more luck fighting in court if you got something that's completely B5'd out, you can hire a lawyer if you want to and pursue the information. The agencies, in my opinion, should be providing you with a better exemption

than just, we're just don't feel like sharing it with you so, you know, shoo. It does also protect inter-agency and intra-agency memos though, which like still, it doesn't, to me, it doesn't matter whether it's being shared between two agencies or not. Like if it's releasable, it's releasable. B6 is one that protects personal information.

So let's say that you've requested information about a very old CIA operation, for instance, and you get a bunch of B6 back in the responsive documentation. It could be that you're getting like CIA cables back and inside the cables may have some specific personal information in there

that relates to people who may still be alive. So if you see B6, just don't be shocked. And then B7 is just the law enforcement exemption. It's kind of protects local law enforcement. There are some others that you may see in particular for CIA. They use X series exemptions,

which is, it just goes into very specific detail, which is actually the fact that they're withholding it is what it is, but the fact that they give you very specific exemptions that are specific to CIA is actually kind of helpful. So you might get an X series exemption for like a human source and they'll give you one

that separates a human source out from like a technical source, et cetera, et cetera. So very, very helpful when you go to actually look at the documentation. Okay, so now we get to the really fun part, which is my war stories. So here's one that people have really taken interest in. Put a FOIA request in for Snoop Dogg

to the Secret Service. This is Snoop, so this is a snippet from Snoop Dogg's Secret Service dossier is kind of a, to put it in generic terms. So very specific information in here. What we can gather just from looking at this is kind of the reason for why Secret Service took interest in the first place.

So there was a music video. This is actually why I did the FOIA because I knew that Snoop Dogg had made a video where he was pointing a gun at the president. And this, of course, gets like, this gets bootlicker's dander up, so they really hate this when you threaten the president. So they pulled together an entire file on Snoop Dogg,

and it's just, you'll see what I mean. So here we can see some very specific information about Calvin Broadus, his real name. There's some B6 information in here, so that's kind of what you're seeing

with these exemptions here, email address being exempted, the person who received it, the report number oddly is exempted under B6. I'm not really exactly sure why, but these are names, these are specific email addresses. This is kind of another weird one down here.

This is kind of an odd B6, but here are all of Snoop Dogg's his like aliases. Notably, they didn't include Snoop Lion because nobody really wants to remember Snoop Lion, but unless it's been redacted under B6. So this is kind of a good place to get an idea

of why you would get a B6 in the first place. And so also recently I got some information back on DEF CON in particular. So if you do a request for something like DEF CON, you're gonna get a lot of information back. And this is kind of what the top of one of the documents

might look like in a header from FBI. So like routine precedence, it'll give you a date, which is very helpful in terms of kind of grouping what information you got, when, and maybe how to categorize it. So when you come back to do research later, you can like put it in different folders and all of that.

They will also do B6 reductions. So you're seeing that happen here. These are specific FBI agent names and different handler, information custodians, information handlers. And then you'll have something that will kind of give you a general idea of what you're looking at. The title of this one was computer crimes.

I'm not sure, it looks like it went to the Los Angeles field office. And there's two in here, so two Miami and Los Angeles. And I think this is, I think this is Washington metropolitan field office, I think. So that's gonna be the Washington FBI field office. And then a couple of just specific things

that are kind of fun from this one that I got was here. Here's what the FBI wrote for their release of baccalaureate this in 2000, which happened at Defcon. So this one came out at the 2000 instance of Defcon. And what we see here is just kind of the way

that FBI was characterizing the release of this tool. So a previous instance of back orifice had been released and FBI had kind of looked into it, but I don't know the FBI really knew what to do with the information that it was out there, but definitely when back orifice 2000 came out, it was like, okay, now we have to be serious about this

because we can't just act like we don't know anything about this one. So they actually did start looking into it. And there are also files floating around out there about the cult of the dead cow anyway. So there's a ton of stuff the FBI had already compiled on CDC prior to, even prior to this.

And then this was kind of an interesting one that came out about Defcon in 2010. So the FBI opened an entire program called Slam and Jam. And this was an investigation into a stolen laptop that came from General Dynamics. Really crappy name, but it kind of gives you a rundown

of some of the information that they collected and where. Another kind of note here about this one is the header here, secret. That's a previous classification. They exit out like this one that becomes declassified. So it's not still secret just in case someone had a question about that. So they do, FBI is very, very good about

classifying information or like formatting it in a way that's very easy to read. Not every agency is good about this, the FBI is very good about it in particular. So Slam and Jammin', here's like an excerpt that came from this investigation.

The FBI specifically talked to Defcon security to try and get some information about who might've stolen this machine. One of the, my favorite part is this one here about the Defcon employees Googling the computer model and discovered it was a ruggedized laptop and that it may be GPS tracked.

And then this was kind of like my favorite part of my favorite part, which was the Defcon organizers at the time said that a drunk Defcon employee tested the ruggedness of the computer by repeatedly dropping on the ground. So being very, very careful with computers

with potential government information on them. So just a lot of really interesting stuff that you can get out of this process. I really do encourage everyone who has interest to participate in this. It's something that we are really lucky

to have in the United States. And it's, my opinion is very underutilized. FOIA is probably better in the United States than it is in almost any other Western country, UK included. I even know people who do FOIA work in the UK and they get exemptions like way more than we get exemptions. So we have this tool, use it,

advocate for it to be stronger. Here's a little bit of background on the hacking history project in case you're interested. So it's just at mockrock.com, which is a 501c3. It's a nonprofit organization that kind of helps with government transparency.

So you can jot that down real quick. I don't know if we can probably drop it in the chat at some point, if there is a chat available. And that's all I have. So if there are any questions, I'm happy to take questions, but here's my information in case you're interested and wanna see stuff in the future or if you wanna engage later on. So that's all I got.

Awesome, thank you so much, Emily. So let me double check the Discord. We didn't have any questions come in via Discord, but I had a question for you. I'm embarrassed to admit this, but I have never actually submitted a FOIA request before.

Are there any things that like you gave a lot of really great tips and tricks for your first time? What's like the number one big error that someone makes when they make their first FOIA request? So I know that a lot of the ones that I did early on were just way too broad and it becomes kind of like,

I don't wanna make it mundane and say like, it's an art to do FOIA. It's not really an art, it's just something that you get used to over time. So when you do a request, try to make it as easy to understand for the person who's reading it. Like if you were to like take your brain out of your head so to speak, and imagine what it would read like

if you weren't writing it yourself. So I used to get them back all the time for just lack of clarity. So if you want to get responsive documentation, try and make it readable and perfectly understandable so it doesn't matter like how dummy the person

is reading it, if they can understand it, then they will try and help you. Another kind of tip that I didn't bring up is that there's this thing I call the sweet spot. So there's a sweet spot in classification that's like 30 years back. So knowing when information stops being classified

or when it needs to be reevaluated for classification re-up is really helpful to FOIA investigators. So if you're asking about something that happened in like the eighties or the nineties, now is actually the perfect time to be asking government agencies about that because it's probably, especially if it's been classified as top secret,

they're gonna have to re justify that and they're not often gonna like jump at the opportunity to do that. So information that hasn't maybe been made public before is kind of up for grabs in that 30 year span of time. So definitely if there's something that you know of that happened in the nineties or something that you want to investigate in that timeframe, do it now

so that you can get your request in and maybe get something back. That's awesome. That's actually a really interesting tip because I'm sure the nineties were really, really interesting, especially for hacking. And so I think maybe the greatest thing to come out of the 2020s will be more information about what was going on in the nineties.

Emily, thank you so very much for your time and jumping on for a last minute presentation. It's just an absolute pleasure to have you on our brand new stream. I look forward to hopefully seeing you in person at DEFCON next year or at some other event, but thank you so much.