How To FOIA, With An Example From Hacking History

FOIA is a very hot topic at the time of writing, given political events in the United States. I thought it was time I wrote a user friendly guide explaining the basics of how to file FOIA requests with U.S. agencies, with an example from the history of hacking and the FBI as the government agency we’ll be FOIAing.

Before we get to that though, what is FOIA?

The Freedom of Information Act

The Freedom of Information Act [5 USC 552], or FOIA, generally provides that any person has a right—enforceable in court—of access to federal agency records, except to the extent that such records (or portions thereof) are protected from disclosure by one of nine exemptions.

Above, the FBI themselves summarize FOIA, essentially the act enables members of the public to request unpublished or unreleased information in the form of existing records from U.S. government agencies.

We are going to use it to dig into the history of hacking.

FBI & ‘Operation Bot Roast’

When I want to create a FOIA request and I am looking for events that spark my interest I comb through online newspaper archives for keywords like “hacker” or “hackers”, since we are planning on sending a FOIA to the FBI we can look for “FBI” as one of our keywords too.

When I did a quick search for the purposes of this blog I stumbled across the article on the left, from the AP via the Daily News published on 14th of June, 2007.

Botnets and ransomware both started to make mainstream news headlines in the mid 2000s, this time before they both became a problem everyone was painfully aware of fascinates me.

The article explains botnets and how hackers create them “by scanning the Internet for vulnerable computers, which are then infected and instructed to join the botnet. Because the hacker has complete control of each “bot” computer, the botnet can be used to launch denial-of-service attacks, send spam e- mail, steal account login information or run any program.”

The part that we are most interested in though is the sentence “recent busts of botnet hackers, as part of the FBI’s “Operation Bot Roast” sting”, the article then goes on to list the names of some people caught as a result of the operation.

We can’t FOIA based on names of people if they are still living, this includes hacker nicknames (or handles as some call them) but not hacker group names. The names of the people listed in the article as caught by Operation Bot Roast are useless for our purposes but the operation name itself is perfect for a records request.

So we are going to FOIA the FBI for records relating to “Operation Bot Roast”.

Writing the FOIA Request

Lets think about what we need, or want, to include in our request, shall we?

The article we are basing our request off of was published in June of 2007 and describes the arrests as a result of Operation Bot Roast as “recent”, but the examples given include indictments days before the article was published and court cases that are already progressing.

To be safe lets give the FBI a time span of between November 1st 2006 and June 30th 2007, this gives us an eight month block that we can ask the FBI to search their records for records mentioning Bot Roast.

Why do we want to do this? It helps the FOIA department (hopefully) search for our records quicker and also helps ensure that records that won’t interest us won’t get caught up in that search because of similar language used in the files.

If there was only one case involved, or multiple cases in the same city, we could also suggest that the FOIA department check the records of wherever the nearest FBI field office is first, but in this case the “Bot Roast” arrests are spread out across the U.S.

Putting it All Together

Now that we know what we are asking for, what it relates to and when we want the FBI FOIA department checking records we can write our request and head on over to the FBI’s eFOIA web portal. Click the “Electronic FOIPA” box, accept the terms of service and provide a valid email address. Click the link you receive in your email to access the portal.

Scroll down to “New eFOIPA Submission” and you will probably be clicking “Myself”, as who you are making the request on behalf of.

You will then need to fill in your personal details, your address (which can be outside of the U.S.) and then choose what your request relates to.

If you want to request records the FBI might hold on you yourself you would select “Myself”, you can also choose to request records on a deceased person and the final option is what we need here, the catch-all “All Other Subjects”.

Now we get to the actual request. Here is what I wrote for our example request:

Hello,

I am requesting documents, audio or video recordings or other formats of information you may hold on “Operation Bot Roast”, a project undertaken by the FBI’s cyber division to track down and arrest criminals writing, spreading and selling malware to aid in the building of “botnets” of infected computers. These records will probably relate to computers, hacking, computer viruses, malware or online banking fraud.

I am seeking responsive records between the dates of November 1st, 2006 and June 30th, 2007.

This is a request under FOIA.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you,

[Insert Name Here]

After this you can decide if you want to agree to additional processing fees up front, depending on how many records are returned. Then you will be asked if you want the request expedited, in general unless you have a very good reason here you will not get your request sped up by requesting this.

Finally the most important part, clicking this button:

Now What?

You will receive an email detailing your request for your own personal records. You will then probably receive a letter after a week or so either telling you that no records were found that match your request criteria or a letter to tell you that your request is being processed. If you received a letter telling you that no records were found you can go back to the drawing board with your request, maybe change the time frame you are requesting the record search for or clarify some of the details in a follow up request.

After a few months (or years, perhaps) you may receive a link to a file on the FBI eFOIA portal asking you either if you want to continue your request or if you are willing to reduce the number of pages for the processing of your request to speed it up.

You do not have to write a physical letter back to reply to these communications from the FOIA department, there are email addresses listed in the letters that you can instead respond to. Make sure and include the FOIA request number from the letter you receive so that the FOIA department know exactly what request you are referring to.

If you move physical addresses and really care about your FOIA requests you can contact the FBI’s FOIA department and ask them to update your address attached to the request. You should do this as the FBI FOIA department is very unpredictable in terms of whether they will send you records via their web portal or on CD-ROM regardless of what you specified in your request.

If records were found eventually you will receive them! It may be one heavily redacted page or it may be hundreds of pages in massive PDF files. Consider uploading the files somewhere like Internet Archive so that other people interested in whatever the records are about will have access to them too!

I hope this blog was helpful and that it will help you on your way to filing some requests of your own.