MuckRock's #AppleVSFBI FOIA Primer

MuckRock’s #AppleVSFBI FOIA Primer

Despite exemptions, there’s still a lot records that can be released

Written by
Edited by Beryl Lipton and JPat Brown

Two of America's most famously secretive institutions, the Federal Bureau of Investigation and Apple, are squaring off over encryption and backdoors, and three FOIA exemptions stand in the way of those wanting a document-driven view of the fight.

That doesn't mean FOIA fans should give up asking questions though. Here's our advice on getting documents to help better understand the FBI, Apple, and the fight over keeping devices secure while maintaining national security.

Rules of the game

There are three FOIA exemptions that will clearly come into play in the Apple vs. FBI fight: Exemptions 1, 4, and 7.

Exemption 1: Classified Information

Classified information is exempt from FOIA, and often takes decades to become declassified, even when it's no longer operationally useful. There's a good chance that many of the capabilities used by the FBI or organizations it's partnering with are classified and often even agreements that the FBI has with private organizations might be classified.

This has made reporting and debating the use of National Security Letters, for example, incredibly difficult, because their usage has been classified.

Requesters do have one recourse here: Mandatory Declassification Review (MDR).

If you know material exists, but it is currently classified, you can request an MDR. It is then sent before an interagency review panel that gives the material a fresh look and decides if the material is still properly classified.

Jason Leopold shared how he uses the process:

I should also note that I file Mandatory Declassification Reviews, or MDRs, where a panel is forced to review a specific document and determine whether it can be declassified. MDRs have a far higher success rate than FOIAs. But with MDRs you have to know exactly what you are looking for and you need to know that the document you are seeking is in fact classified. The great thing about MDRs is the appeals process if the request is denied. You have a greater chance of obtaining the classified document during the MDR appeals process.

The National Security Archive also has a good MDR primer.

Exemption 4: Trade Secrets

Now that you've seen the first part of your fight with the FBI, it's time to take on Apple. Exemption 4 allows companies to protect their trade secrets and certain sensitive information from release.

Agencies typically give companies a window of time to review materials they plan to release, at which point the companies can invoke this exemption. My request for emails between Google and the FCC regarding a Street View investigation are a good example of this exemption in play. The letter sent by the FCC to Google was CC'd to me and noted that I had a 10-day window after Google's response to appeal their redactions.

In this case, I did not, as Google only asked for a relatively small amount of information to be redacted.

Exemption 7: Law Enforcement Practices

Another exemption in the FBI's favor, Exemption 7 is a broad category that helps law enforcement agencies keep their techniques secret and excludes material that:

(A) could reasonably be expected to interfere with enforcement proceedings, (B) would deprive a person of a right to a fair trial or an impartial adjudication, (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy, (D) could reasonably be expected to disclose the identity of a confidential source, including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by a criminal law enforcement authority in the course of a criminal investigation, or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source, (E) would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law, or (F) could reasonably be expected to endanger the life or physical safety of any individual.

Like exemption 1, this can cover a lot of ground, but often prior court cases can be your friend here. If the technique has previously been discussed openly, either by an official or in court, it provides a solid argument that its disclosure would not interfere with law enforcement techniques.

Bonus Exemption: U.S. Code § 3605

The National Security Agency, which often works as America's codebreaker-in-chief, has an incredibly broad exemption, U.S. Code § 3605:

(a) Except as provided in subsection (b) of this section, nothing in this chapter or any other law (including, but not limited to, the first section and section 2 of the Act of August 28, 1935) [1] shall be construed to require the disclosure of the organization or any function of the National Security Agency, or any information with respect to the activities thereof, or of the names, titles, salaries, or number of the persons employed by such agency.

While this exemption is not absolute (see almost 50 successful requests to the NSA here), your chances of getting useful information via FOIA on, say, the NSA's ability to crack an iPhone are pretty close to nil.

You can, however, see how many iPhones and other Apple products the NSA has bought.

What you can get

The four exemptions above cover a lot of ground, but there's still some useful avenues to explore with FOIA when investigating the intersection of national security, Apple, and the FBI.

Talking Points

Since the Apple vs. FBI fight went public, officials have been unusually vocal about what it means, very clearly stating that this is just about this one phone, for example.

These remarks are almost never completely extemporaneous, particularly when things are in litigation, so one possible avenue is asking for talking points developed for agency officials.

These types of requests can be relatively general: I received some from the Navy, while Jason Smathers received 15 pages of heavily redacted talking points from the NSA.

Well-worded, targeted requests, however, are even better, and can produce important stories. See Jason Leopold's use of talking points to show how the agency used 9/11 as a key surveillance talking point.

The key is to keep the request specific enough so they'll know what to find it, but broadly worded enough that the agency can't wriggle out of the request on a technicality (do they call these types of documents talking points, briefing notes, or something else? No matter what they're called, you want them).

Here's a more targeted request in this vein I sent to the NSA for a ribbon-cutting ceremony.

Congressional Correspondence

Most agencies have a special office that handles correspondence with Congress. Given what a hot button issue encryption is, it's likely that a number of agencies have had communications with Congress on this exact issue. While Congress is exempt, agencies responses to them (and even letters from Congress members to agencies) are not, as long as you request it from the agency.

Here's an example request that was sent to the US Forest Service (which may have documents on apples, but probably not much on Apple).

Federal Purchasing

As we referenced earlier, even the secretive NSA will share some information on its purchase of Apple devices. You can request what kinds of agreements other local, state, and federal agencies have to buy Apple products as well.

A good start might be the General Service Administration's laptop inventory, at least to get a sense of MacBook purchases. Fortunately, you don't even have to wait: Allan Lasser requested it as part of his broader hunt for the US government's oldest computer.

Legal Opinions and Policies

The Department of Justice's Office of Legal Counsel likely has legal opinions related to the case; they may be FOIA-able as well.

Requests related to encryption policies and legal opinions might also fare well with the Executive Office of United States Attorneys and the Department of Justice's Criminal Division.

Inspector General Reports

Inspector General (IG) reports are often a rich source of data, and this issue is fair game. Many reports are made public, and Oversight.Garden does a good job of collecting and indexing them.

A quick search for encryption yielded 1,107 reports, while Apple had 416 results (though most appear to pertain to the edible variety).

Reports that aren't currently public can be requested under the Freedom of Information Act; the New York Times, for example, was able to get the Stellarwind IG report after suing.

Image via @ItsMikeBivins