 Get on in. Thanks, Whitney. Thanks to the Crypto Village for fitting me on in the last minute here. I know this is pulled together rapidly. So today I'm gonna talk to you about the FOIA process. Call the stock fund with FOIA, just taking up the government for sweet, sweet secrets. So what I intend to do here is to give an overview of the FOIA process and how you can make it work for you. So what's FOIA? So a lot of people don't necessarily know that the government does have a pathway for giving you documents that belong to all of us. So FOIA stands for the Freedom of Information Act. And so what this is designed to do is to disperse documents that are sourced from the government. It's true information. It's usually, in some cases, it's raw information. In other cases, it's processed information. It all depends on what you're asking for. But the beauty of the Freedom of Information Act is that it allows common people to make these requests at will for almost any topic that you're interested in. It's a very powerful process. It doesn't have to cost you any money. In some cases, it will cost money, but we'll get into the nuance of all of this as we go along. So okay, so why would you want to interact with the government in the first place? I don't know why you'd want to interact with the government on any other basis, but the Freedom of Information Act is something that we should all be involved in because it boosts transparency in a way that not very many other governmental processes allow for. So if you're interested in a topic and you want to know more, you think maybe the government might have some information, FOIA is going to be your way to get that. So maybe you're doing research on a topic. You've got an area of interest and you want to know more about it. FOIA may be the way that you can do that. There are a lot of different complications that make FOIA challenging in some ways and liberating in others. 
Again, something we'll get into in a little while, but with this process, you want to have a topic in mind when you get started. So let's just jump right into how we would do this. So I'm gonna kind of try and keep the context of everything I say around a topic that's of interest to me and probably a lot of people who are on the stream. Working with a colleague of mine and the best, we put together a talk or a project to look through government documents that involve the history of hackers and events that have happened to the government or may have been investigated by the government around information security. We call this hacking history and on muckrock.com, which is a site that you can use to submit Freedom of Information Act requests. We are over 1% of the requests on the site now. By far, we're the largest by requests, we're the largest program project on MuckRock. So we've put in, I think I got an update today that we have over 850 requests in, which is quite a bit, I'm in enough of my bragging. So with hacking history, it's a large umbrella topic that you can ask all kinds of different questions about. So this can range from anywhere from malicious code that the government may have to specific events that the government may have been investigating or even involved indirectly. It could involve people. So there are a lot of subtopics that fit into this topic that you can ask the government about. So to get started, we can think of something that we want to ask a question about. So because we're talking at DEF CON, because we're having a DEF CON weekend here and I've got some information back, which I'll share at the end of the slideshow, let's take DEF CON for instance. So let's say that you wanna know more about DEF CON. The process here is to try and target something that you think that the government may have specific information on. 
So an event like DEF CON, you would want to start by asking questions that pertain to that specific event that happens yearly. So in a way, this is kind of like, it's a little like social engineering, but not in the more technical way that the actual good social engineers, not like myself, can do this. So you wanna think of questions that will get the best response for the questions that you're asking. So when you think of a topic, try and make it something specific, but you don't necessarily have to make it super, super specific when you just get started. You can start with something that's very broad in nature and try and target documents that you think maybe may comport with a broader sense. So like if you're starting broad, start with something like indexes. So asking for indexes of things is a really good place to start if you're not really quite sure what you want to ask about or whether you're not quite sure if there may be documents that exist on the topic in the first place. So you can ask a government, for instance, for indexes of programs that pertain to a specific topic. So you may be able to ask the Federal Bureau of Investigation for an index of maybe hacker conferences that they've been tracking for the last 10 or 15 years, which brings me to another kind of sub-genre here. So you want to kind of think of, make sure that you time-bound everything. So don't just ask for like everything the government has on X if it's a really big topic, try and keep it something very specific in time. Oh, let me go back one. So when you're asking these questions, yeah, time-bound it, keep it between a certain timeframe. So either I usually start with January one of a specific year and then if I want to go for five years, I may go January one of like 1990 to 1995 or something like that. I like to be specific about the exact day that I wanted to start and end. 
I just think that makes it easier because really you have to remember that on the other end of this process is another human and the other human may have different quirks about how they would provide information to you. So time-bounding helps with larger topics to kind of chunk it down. It saves a lot of time on the other side of the search. So when the FOIA officer gets the request, they'll be able to take that information and do a search against it, but there are requirements that the government tries to stay under. So what I mean by that is the government is not obligated to provide you everything that they have and just work on it indefinitely. It has to not cause, I think with the wording that they use is reasonable something reasonable distress or like it's gotta be a reasonable request. Like you can't ask for an entire database of something and expect that you're gonna get it back. So try to, especially if it's a larger topic, kind of try and keep it in a self-isolated kind of like a chunk of information that you expect to get back. This can also be helpful if you're not sure what you're gonna get back in the first place. So if you think that there may be a lot of information there, the time-bounding really helps with that. So when I did my request for DEF CON, for instance, I chunked it down to like the beginning of DEF CON which is like 92, 93 timeframe to 1997. What I ended up getting was like wildly, it was way up into the 2000s that I got some information. And that's just kind of one of the fun things about the FOIA process is that you never really know what you're gonna get back cause it's kind of like a treasure hunt. Okay, so who can you ask questions to? You can ask questions to any government agency. Every federal government agency is required to be responsive to FOIA. How they are responsive to your requests is part of the nuance. So a lot of my requests, for instance, go to FBI. 
If you wanted to ask a special forces, something about special forces. So it's about a specific special forces organization. You might want to send a Freedom of Information Act to the Special Operations Command which is just a sub genre of the Department of Defense. You can also duplicate that request and send it to the Department of Defense to see if they may have anything kind of broader. You can ask the Central Intelligence Agency, you can ask the Department of Housing and Urban Development. There's any government agency that takes public funding which is all of them has to be responsive to FOIA in some form or fashion. Some of them are better than others. So I famously, the NSA is not good with FOIA. They just, they take forever to acknowledge your FOIAs. When they do finally acknowledge them, the searching takes a lot longer than really it should. I think by law they're bound to provide full service to all requests within 10 days but it almost never goes down that way. So be prepared for disappointment and long timelines especially depending on who you ask. But that's not, your FOIA requests are not just limited to federal agencies and federal entities. You can also, in a lot of cases, you can ask your local entities the same questions especially if they're of local interest. So if you wanted to ask your local police department questions, you're almost assured to be able to do that. So it's not quite the same as the federal mandate but local jurisdictions also municipalities have to follow. They usually have their own like form of the Freedom of Information Act that mirrors what the feds use. So any question that you might ask to the police or to the FBI, you can probably ask your local folks as well. Okay, so here's the fun part, the ask. So when you go to do your asking, we already touched on a little bit of this. Have a topic in mind, that's one big thing but also have specific questions that you want to ask in mind. 
So if you're unclear when you put your request in, again, remember there's a human on the other end of this process and there's a good chance that they're not gonna know what you're asking for if you're not super clear about it. So if you tell them that you want something that's very vague and up for interpretation or it's muddy and difficult to divine what it is that you're asking for exactly, the FOIA officer is bound to just kick it back to you and say like, I don't know what you're talking about, be more specific. So don't give up if you get a rejection when you send in your first few. Just try to hone in on exactly what it is that you wanna know about. So I know I had a ton of rejections when I first started asking before I started to figure out like, oh, I guess you can't just ask CIA about aliens because they've been asked this question probably a million times and they probably don't really have anything good in the first place. So or something that's releasable which is another thing that we'll get into shortly. So when you do this asking, try to be as specific as possible even when you're not quite sure what to expect back. So when you start a research project, you may start with fewer details. So let's say that you put in a request for an index because you have nothing on the topic that you're interested in and the index is gonna come back and it's gonna have some information that will kind of give you threads to pull. And so when you start to pull those threads, you'll be able to figure out what kinds of questions to ask next that will be more specific to your area of interest. So when you format your question, again, make sure it's time bound even if you're asking for something that you know that the government has for a specific timeframe. I like to put like buffer space on either side. 
So give it maybe a year before and after the event if you're asking about an event and just see if they've been collecting information prior to or after the event was supposed to have taken place. Good things to ask about events, programs, individual specific, all of those things are great places to start. So if you have like a specific hacking event, for instance that you want to ask about, let's just say like there's a Citibank hack from 1995. If you know exactly when that happened, time bound it for that year. Maybe give yourself some six months on either side. If you know that there's a specific individual you want to ask about, there are a few more things that you have to keep in mind when you actually go to do the question asking. But, and those are more that we'll get into in just a second. But make sure that you just like if you want to know about, let's say you want to know something about Kevin Mitnick, there's a lot more here. But if you want to know something about Kevin Mitnick, you ask the FBI, give me all the information that you have, any documentation related to Kevin Mitnick between the years of X and X. And make sure that you would involve, include things like audio, visual, handwritten notes. It also really helps to get familiar with very specific government documentation. One of my favorites to ask for is FBI FD 302 documents, because 302s are what the FBI uses to take handwritten notes. So FBI agents are not required, they're actually, I don't know if they're disqualified by mandate to not be able to actually record conversations that they have with, as interviews with people. So with sources and just like bystanders. So the way that they do this is they take handwritten notes. So all of those handwritten notes go into an FBI database and you can ask for those handwritten notes. So asking for FD 302 is always great. So there's always all kinds of like funny extemporaneous information in there. 
Keywords are great, specific records like an FD 302, even if you don't know they exist, ask for them anyway. Indexes we already covered. Basically, you can ask for anything that qualifies as a public document. So anything that's recorded by the government technically becomes a public document. But just because you ask for them doesn't mean that they have to give them to you. So there will be some exemptions that we'll have to deal with in this process. So when you get responses, this is gonna take some time. So give yourself plenty of, make sure that you're very patient with this process. I've still got FOIA's waiting for responsive documents that I've been waiting for the last couple years. I've put one in for a well-known hacker that probably people on the stream know of named Trick. I've got one into the Defense Intelligence Agency for Trick and I am not expecting that one to be done until December of 2021. So be patient, especially if you're asking for something that's been classified or is currently classified. Just have patience with the process. There, a lot of times they'll declassify it if it's relevant and it's older. But that's kind of just the luck of the draw. So do's and don'ts. Okay, so things that you should do, ask specific questions, time bound your requests, FOIA for the dead. So here's an interesting thing about people. So when I just gave out that example about doing a Freedom of Information Act request on Kevin Mitnick, you wouldn't get anything back in all likelihood because he's still a U.S. person and he's still alive. So when you do a request like this, you have to make sure that you are following their rules for asking for information. If the person is dead, you can ask these questions and just provide an obituary. In most cases, that will be enough. The obituary has to be from a publication that's well known. You can't just send them like a local newspaper, probably won't cut it or like a blog post or something. 
Trust me, I've tried this and it doesn't work. So don't be disappointed if you send them something and they just flat out reject it. I've had that happen before even if I think that it's good enough. There are also exemptions though for the U.S. persons policy, which is what prohibits the government from sharing information about living U.S. persons. One of those is an exemption for public figures. So I don't know that Kevin Mitnick would qualify as being a public figure, but if you were to ask for something within the last 10 or 15 years on Mitnick, probably they're not gonna share it unless he dies tonight, which I hope that didn't happen, but just kidding. Yeah, and remember that there's a person on the other end of this. So don't be a huge jerk to them. Most of them are earnestly trying to be helpful to you. So try to be polite, especially if you get something back. I could be very thankful, grateful to them for being helpful to you. You don't have to kiss their ass or anything, but just be aware that they have been trying to help you. Oh, I forgot that I made these highlighted. Okay, so don'ts. Okay, so really don't be a jerk. The person on the other side can just decide to slow the process. Like there's really no punishment. So if you've been a total asshole to them from the get-go, they can just slow roll it, and that's not gonna be helpful to you. At the same time though, don't back down. Just because you've been denied doesn't mean that you can't appeal. So this kind of another kind of like subroutine in this process is that when you ask a question and you get rejected, that doesn't necessarily need to be all she wrote. You can do appeals. So if you get a rejection, you can say, I don't know that you did a thorough enough search of your records. I'm pretty sure the FBI might have files on this. So I would like to appeal this finding and then that goes on to another authority to kind of like double check the work. 
More often than not, they will just do what they call an affirmed on appeal, which means that they'll just say, nope, we got it right the first time, even if they didn't. And so then it's kind of game over at that point. Unless you got a lawyer and then you can take them to court to fight them. That's like a whole other ball of wax though, that's not really primed for this specific beginner's tutorial on FOIA. Don't ask for sources and methods. So if you go to CIA or FBI or NSA and you say like, give me all the documentation you have on like all the exploits you have, they're not gonna just give up the goods because you asked them nicely. They would classify that as sources and methods. So that information is highly, highly protected because it provides the government with a future pathway to procure new information. So yeah, so don't like, don't ask CIA about their purchasing programs or like specific things that they do to handle assets or anything like that. They're not gonna talk about it. Don't waste your time. Don't waste their time. Like you're just gonna aggravate them and you'll be aggravated as well. Don't ask about living US persons. This is kind of a general rule. Again, just kind of a waste of time. There's not gonna be, and most people don't really have, I think there's this notion that people just have like government files all over the place, probably not. So don't count on like doing a FOIA request for your neighbor and expecting to get this like big file of information back that you can use against them in your next disagreement. It just doesn't work like that. You can though do a FOIA request on yourself. So that is another kind of like loophole to the whole US persons exemption. So if you wanted to do a freedom of information as the tongue twister, if you wanted to do a FOIA request on yourself, you can do this. All you have to do is submit a privacy waiver. 
So what that does is it's basically a form that you fill out and you send into the agency and you say like, I'm forfeiting my right to privacy on this basis. What they do is they'll send you the information that's pertinent to that request. So if you have run-ins with the FBI in the past or if they've interviewed you or something and you wanna get that information later on, totally do it. They're not gonna make it public and put it on a website or something. I would suggest not doing it through a site like Muckrock because Muckrock will just publish it if you want it to remain private. But if you do it through directly through the FBI's online portal, if you put the request in that way, then they'll just send the information directly to you and not make it public in any other way. So definitely encourage you to do this if you have interest in your own information. Okay, exemptions. So like I said before, just because you ask the government for something does not necessarily mean that they're gonna just give it to you. And ways that they will deny giving you information that you ask for is through, they'll usually do this with exemptions. So you tend to see exemptions more when it comes to specific national security organizations. So some of the common ones that we see all the time are B1 and I'm just kind of paraphrasing what this means. If you see a B1, this may come in the form of a redaction or just a full out like we're not gonna give you anything. Usually it will come attached to a document. So when you see, when you get a document back, there'll be like a big blurb that will just be, it'll have a big white box over it and then they'll have the exemption listed in the margin. So B1, yeah, it's really, really classified. It's national security act stuff. So like, no, no, we're not kidding. It really is, this is actually really actually classified. So they'll exempt it for that reason. B3, this is CIA's nope rule. 
It's protected by a very specific statute in law. I can't think of any examples of this right off the top of my head, but this is something that's generally used by CIA. B4 is a one that protects trade secrets. So you'll see this oftentimes in the form of like proprietary information. That kind of stuff is really just there to protect intellectual property. B5, B5 is one that I really, really hate. B5, when I see a B5, what it says to me is like, fuck you in particular. What we call it in the FOIA community is the withhold it because you want to exemption. There's not really, this is kind of a catch all that agencies will use. I've even gotten B5s from like the Department of Education. So it's not because the information's classified, they've just decided not to share it with you. These ones, I think though, you have much more luck fighting in court. If you get something that's completely B5'd out, you can hire a lawyer if you want to and pursue the information. They really do need to re, the agencies in my opinion should be providing you with a better exemption than just, we just don't feel like sharing it with you. So, you know, shoot. It does also protect interagency and intra-agency memos though, which like still, to me it doesn't matter whether it's being shared between two agencies or not. Like if it's releasable, it's releasable. B6 is one that protects personal information. So let's say that you've requested information about a very old CIA operation for instance, and you get a bunch of B6 back in the responsive documentation. It could be that you're getting like CIA cables back and inside the cables may have some specific personal information there that relates to people who may still be alive. So if you see B6, just don't be shocked. And then B7 is just the law enforcement exemption. It kind of protects local law enforcement. There are some others that you may see in particular for CIA. 
They use X series exemptions, which is just goes into very specific detail, which is actually the fact that they're withholding it is what it is, but the fact that they give you very specific exemptions that are specific to CIA is actually kind of helpful. So you might get an X series exemption for like a human source and they'll give you one that separates a human source out from like a technical source, et cetera, et cetera. So very, very helpful when you go to actually look at the documentation. Okay, so now we get to the really fun part, which is my war stories. So here's one that people have really taken interest in. I put a FOIA request in for Snoop Dogg to the Secret Service. This is a snippet from Snoop Dogg's Secret Service dossier, is kind of a, to put it in generic terms. So very specific information in here. What we can gather just from looking at this is kind of the reason for why Secret Service took interest in the first place. So there was a music video. This is actually why I did the FOIA because I knew that Snoop Dogg had made a video where he was pointing a gun at the president. And this of course gets like, this gets bootlickers' dander up so they really hate this when you threaten the president. So they pulled together an entire file on Snoop Dogg. And it's just, you'll see what I mean. So here we can see some very specific information about Calvin Broadus, his real name. There's some B6 information in here. So that's kind of what you're seeing in these exemptions here is email address being exempted. The person who received it, the report number oddly is exempted under B6. I'm not really exactly sure why, but these are names. These are specific email addresses. This is kind of another weird one down here. This is kind of an odd B6, but here are all of Snoop Dogg's, his like aliases. Notably, they didn't include Snoop Lion because nobody really wants to remember Snoop Lion, but unless it's redacted under B6. 
So this is kind of a good place to get an idea of why you would get a B6 in the first place. And so also recently I got some information back on DEF CON in particular. So if you do a request for something like DEF CON, you're gonna get a lot of information back. And this is kind of what the top of one of the documents might look like in a header from FBI. So like routine precedence, it'll give you a date, which is very helpful in terms of kind of grouping what information you got when and maybe how to categorize it. So when you come back to do research later, you can like put it in different folders and all of that. They will also do B6 redactions. So you're seeing that happen here. These are specific FBI agent names and different handler information custodians, information handlers. And then you'll have something that will kind of give you a general idea of what you're looking at. The title of this one was Computer Crimes. I'm not sure. It looks like it went to the Los Angeles field office. And there's two in here. So two Miami and Los Angeles. And I think this is Washington Metropolitan field office, I think. So that's gonna be the Washington FBI field office. And then a couple of just specific things that are kind of fun from this one that I got was here. Here's what the FBI wrote for their release of Back Orifice in 2000, which happened at DEF CON. So this one came out at the 2000 instance of DEF CON. And what we see here is just kind of the way that FBI was characterizing the release of this tool. So a previous instance of Back Orifice had been released and FBI had kind of looked into it. But I don't know that FBI really knew what to do with the information that it was out there. But definitely when Back Orifice 2000 came out, it was like, okay, now we have to be serious about this because we can't just act like we don't know anything about this one. So they actually did start looking into it. 
And there are also files flitting around out there about the Cult of the Dead Cow anyway. So there's a ton of stuff the FBI had already compiled on CDC even prior to this. And then this was kind of an interesting one that came out about DEF CON in 2010. So the FBI opened an entire program called Slam and Jam. And this was an investigation into a stolen laptop that came from General Dynamics. Really crappy name, but it kind of gives you a rundown of some of the information that they collected and where. Another kind of note here about this one is the header here, secret. That's a previous classification. They X it out like this when it becomes declassified. So it's not still secret just in case someone had a question about that. So the FBI is very, very good about classifying information or like formatting it in a way that's very easy to read. Not every agency is good about this, but FBI is very good about it in particular. So Slam and Jam and here's like an excerpt that came from this investigation. The FBI specifically talked to DEF CON security to try and get some information about who might have stolen this machine. One of the, my favorite part is this one here about the DEF CON employees googling the computer model and discovered it was a ruggedized laptop and that it may be GPS tracked. And then this was kind of like my favorite part which was the DEF CON organizers at the time said that a drunk DEF CON employee tested the ruggedness of the computer by repeatedly dropping on the ground. So being very, very careful with computers with potential government information on them. So just a lot of really interesting stuff that you can get out of this process. I really do encourage everyone who has interest to participate in this. It's something that we are really lucky to have in the United States. And it's my opinion is very underutilized. FOIA is probably better in the United States than it is in almost any other Western country, UK included. 
I even know people who do FOIA work in the UK and they get exemptions like way more than we get exemptions. So we have this tool, use it, advocate for it to be stronger. Here's a little bit of background on the hacking history project in case you're interested. So it's just at muckrock.com, which is a 501c3 and it's a nonprofit organization that kind of helps with government transparency. So you can jot that down real quick. I don't know if we can probably drop it in the chat at some point if there is a chat available. And that's all I have. So if there are any questions, I'm happy to take questions, but here's my information in case you're interested and want to see stuff in the future or if you want to engage later on. So that's all I got.
Awesome. Thank you so much, Emily. So let me double check the Discord. We didn't have any questions come in via Discord, but I had a question for you.
Sure.
I'm embarrassed to admit this, but I have never actually submitted a FOIA request before. Are there any things that like you gave a lot of really great tips and tricks for your first time? What's like the number one big error that someone makes when they make their first FOIA request?
So I know that a lot of the ones that I did early on were just way too broad. And it becomes kind of like, I don't want to make it mundane and say like it's an art to do FOIA. It's not really an art. It's just something that you get used to over time. So when you do a request, try to make it as easy to understand for the person who's reading it. Like if you were to like take your brain out of your head, so to speak and imagine what it would read like if you weren't writing it yourself. So I used to get them back all the time for just lack of clarity. So if you want to get responsive documentation, try and make it readable and perfectly understandable. So it doesn't matter like how dummy the person is reading it. If they can understand it, then they will try and help you. 
Another kind of tip that I didn't bring up is that there's this thing I call the sweet spot. So there's a sweet spot in classification that's like 30 years back. So knowing when information stops being classified or when it needs to be reevaluated for classification re-up is really helpful to FOIA investigators. So if you're asking about something that happened in like the 80s or the 90s, now is actually the perfect time to be asking government agencies about that because it's probably, if especially if it's been classified as top secret, they're gonna have to re-justify that and they're not often gonna like jump at the opportunity to do that. So information that hasn't maybe been made public before is kind of up for grabs in that 30 year span of time. So definitely if there's something that you know of that happened in the 90s or something that you want to investigate in that timeframe, do it now so that you can get your request in and maybe get something back.
That's awesome. That's actually a really interesting tip because I'm sure the 90s were really, really interesting especially for hacking. And so I think maybe the greatest thing to come out of the 2020s will be more information about what was going on in the 90s.
Right.
Emily, thank you so very much for your time and jumping on for a last minute presentation. It's just an absolute pleasure to have you on our brand new stream. I look forward to you hopefully seeing you in person at DEF CON next year or at some other event but thank you so much for...