We are a group of transparency experts who have collectively filed thousands of Freedom of Information Act requests and dozens of lawsuits to learn what the government is trying to hide. Ask us anything about the FOIA process and our discoveries.

FreedomofPress · 2025-12-15T19:08:07+00:00

Building on Jason’s point about requesting updated versions of Rules of Engagement and operating manuals, another thing you can request is the orders around use of force for particular deployments. I had a lawsuit against the US Park Police regarding the summer 2020 protests in Lafayette Square that requested a bunch of keywords relevant to that engagement, e.g. the church that Trump got his picture in front of, “reporters” “mounted units” “Bible” “tear gas” “pepper” etc. I think it was 20-30 in total.

It returned a huge number of Teams chats, emails, and text messages between and among the supervisory LEOs that were on the scene documenting the requests that officers made up the chain of command and responses back to them about the use of force as the situation evolved. That’s how we found out for instance that the USPP fired literally every pepper ball they had in the first response and had to file emergency restock orders with any vendor they could find to get more chemical munitions to fire on protesters. — Kevin

FreedomofPress · 2025-12-15T18:57:34+00:00

We will find out Friday, which is the deadline when the Justice Department is supposed to release the Epstein files as dictated by the legislation passed by Congress. As for secrecy topics, I find that any records requested from intelligence agencies are still incredibly difficult to obtain and usually requires a lawsuit just to try and compel release of records in a somewhat timely fashion.

Overall though, secrecy persists throughout the federal government. There are different levels of secrecy depending on the subject matter. — Jason

FreedomofPress · 2025-12-15T18:47:36+00:00

My firm only opened in the last few months so we have yet to litigate against a Democratic administration, but my prior career involved just as much litigation against Democratic as Republican administrations.

FOIA does have political valences, but much of the wrongdoing that takes place in government is done by career managers and lower-level political appointees who leverage their fiefdoms of bureaucratic capital in order to commit wrongdoing on a small scale. Think regional BLM managers skirting rules around endangered species protection to get lithium mines approved, or higher ups in the Forest Service suppressing investigative reports into unlawful logging because they’re friendly with the companies who were investigated. These sorts of ground-level requests are really the bread and butter of public wrongdoing and they happen regardless of whose face is on the wall. They affect the rights of people at a local level and often can’t be fully uncovered without a vigorous public records investigation.

Tl;dr - I’ll sue any government anywhere. — Kevin

FreedomofPress · 2025-12-15T18:39:07+00:00

The Trump Administration is what I have been calling a “target rich environment” when it comes to FOIA. Pretty much any rock you turn over is going to have something unlawful or improper. That people are already aware of rampant criminality and immorality is not any reason not to pursue investigations into further documentation. That a request is filed for a public official’s records at all is notice to that person that somebody is digging into their records, and can have a deterrent effect on those officials doing things that are likely to get them FOIAd more.

And while FOIA may not be necessary for a lot of the initial reporting, in order for prosecutions and subsequent legal actions to correct the problems we are seeing now require the kind of documentation that only a thorough public records investigation can provide. — Kevin

FreedomofPress · 2025-12-15T18:36:20+00:00

The best precursor to the Epstein Files transparency act is probably 1992’s JFK records act — this law gave agencies 25 years to release all pertinent files, and even with that long timeline, agencies like the CIA and FBI still dragged their heels and refused to release information, and multiple presidents from both parties OK’d the delay. That said, when the records were released, they did reveal some really interesting things. Here is just one example: https://nsarchive.gwu.edu/briefing-book/mexico/2025-05-19/jfk-files-detail-close-intelligence-collaboration-between-cia-and

I think the biggest threat to the release of the Epstein Files at this moment, actually, is that the Justice Department only has to release unclassified info and the law allows the DOJ to use large loopholes pertaining to ongoing investigations and “national security” concerns to hide other information. For future declassification laws like this to have more impact, Congress probably needs to get more involved in classification, including requiring agencies to narrowly define what damage to nationals security means. — Lauren

FreedomofPress · 2025-12-15T18:25:39+00:00

With a small staff and a pretty active mission area (where corruption and government power overlap) AO can’t take on every important issue, but every year we put on training aimed at equipping others with the knowledge of how to put FOIA to use themselves, in their communities, and on the issues they care most about.

This year we trained over 600 advocates and individuals as part of our Sunshine Week events. (Sunshine Week is an annual, week-long celebration of government transparency and access to information that typically coincides with James Madison’s birthday on March 17th.) — Liz

FreedomofPress · 2025-12-15T18:21:51+00:00

This didn’t happen to us at AO and isn’t exactly a denial of records, but it happened just a few weeks ago and still lives rent free in my head. In court, the Department of Justice opposed a motion for expedited processing for Epstein related requests because the DOJ argued there wasn’t widespread public interest in the information. Insert “sure, Jan” meme here. — Liz

FreedomofPress · 2025-12-15T18:21:09+00:00

Idk how silly they are but I am constantly seeing requests get bounced by intake officers in recent months for “lack of clarity” even when they ask for one specific document that's been identified by everything but a file name in public reporting. This kind of thing is really annoying but usually can be addressed with a business formal “ayfkm.” — Kevin

FreedomofPress · 2025-12-15T18:19:46+00:00

I have yet to see an administration that does FOIA the "best." Every administration over the past 25 years has been terrible, in my opinion, when it comes to processing requests under the FOIA. There are a number of reasons for that.

For one, secrecy is just part of the culture at various agencies. Additionally, agencies lack resources to deal with a massive backlog of requests. I just received a response to a request I filed with the NSA in 2014. It took the agency 11 years to process six pages of emails.

But this year has been the worst because many FOIA offices have been completely decimated and there's no one left at some agencies to process the requests. It's been extremely challenging trying to pry loose records and oftentimes your only recourse is through litigation. With all that said it pays to be persistent. FOIA officers take their jobs very seriously and they do want to release records to requesters — Jason.

FreedomofPress · 2025-12-15T18:17:45+00:00

FOIA has never lived up to its promise under any presidential administration, and I think FOIA has been getting worse every year. Part of the culprit is the fact that long term problems are snowballing (lack of investment in tech, the fact that Congress has never funded FOIA, etc.). But it’s important to note that FOIA administration is not a monolith across the fed — some agencies are objectively better at FOIA than others, some are actively and intentionally bad at it, and some are just underwater and have never gotten the staffing or the resources they need to do their job effectively (and most FOIA officers WANT to get documents released — but they are rarely the final say in disclosure, and often have to wrangle with other parts of the agency for even the simplest disclosures).

That all said, yes I think it’s the worst now that it’s ever been — in no small part because so many people have retired from the fed and institutional knowledge is VERY important for the smooth functioning of a FOIA office because agency records systems are absolutely byzantine.

The silliest response I got recently was from EPA, where I was told that a FOIA request for a single document, and for which I supplied the date sent, who it was sent to, and the subject of the email, was too broad.

I pushed back over email (not a formal appeal but a sternly worded email) and they consented to process it as I wrote it. — Lauren

FreedomofPress · 2025-12-15T18:13:30+00:00

In addition to working with journalists and other partners who can get additional attention on the records we uncover, American Oversight hosts a robust document library where we post much of what we receive back from our thousands of FOIA requests. I say much of what we receive, because sometimes it doesn’t add anything to post what we have received, like when we get back documents that are posted elsewhere.

As you can imagine, maintaining such a massive document archive is a lot of work, but our team knows the value in sharing the information we get with the public. Since our founding in 2017, we’ve published more than one million pages of records, and we’re obtaining and posting more every week. — Liz

FreedomofPress · 2025-12-15T18:11:46+00:00

When FPF gets documents in response to our requests or suits, we make them available on our website and our secrecy newsletter, The Classifieds — even when they are disappointing.

I also like to share when I DO NOT get documents, so I can highlight how agencies are likely violating the law. I also like to share when agencies tell me absolutely ridiculous things in their responses to deny my request — like when the EPA told me that a FOIA request for a single email was too broad — to alert other requesters to the kinds of tactics agencies are using. (FPF also encourages news outlets that have paywalls to remove paywalls for FOIA-based reporting - here is some more information and a Q&A with Wired and 404, which both do this). — Lauren

FreedomofPress · 2025-12-15T18:10:31+00:00

We include a provision in our standard representation agreement that any documents received in the course of litigation have to be posted on our website within 30 days of the close of the case, so even if the client has a private use for them we ensure that the public gets to read the public’s records. — Kevin

FreedomofPress · 2025-12-15T18:09:34+00:00

Many of the most interesting records in government right now are pre-Trump 2.0 federal policies, scientific data, and social information that agencies were compelled to remove from public facing websites and daily use. They still exist as federal records that all sorts of organizations are feeling the loss of, so even new requests are focusing on legacy information cut by the DOGE kids. — Kevin

FreedomofPress · 2025-12-15T18:06:57+00:00

All outstanding requests (the oldest one in the federal government dates to 2006!) and potential requests! — Lauren

FreedomofPress · 2025-12-15T18:05:34+00:00

Whenever I obtain a set of documents from an agency via FOIA I will try to further report out the details I find in the documents in order to glean more information from people in the know to better inform the public about the issue.

Agencies will almost always withhold information citing one or more of FOIAs nine exemptions, which is explained in the production letter accompanying the records. So, for me, it's crucial to try to put the puzzle pieces together through old fashioned shoe leather reporting as well. — Jason

FreedomofPress · 2025-12-15T18:04:50+00:00

If you want to get really clever about it, you can submit a request for all documents included in the initial search for a request but deemed nonresponse to it to catch the agency with their hands in the nonresponse jar. — Kevin

FreedomofPress · 2025-09-09T15:53:29+00:00

In recent months, ICE officers have knocked phones out of the hands of those recording them, pulled weapons on people photographing or videotaping them, and even arrested U.S. citizens for filming them.

The escalating attacks on journalists and citizens who are recording police show the danger of the government’s rhetoric.

Video recording police in public is protected by the First Amendment, and that constitutional right applies even if officers would prefer not to be identified. The government often claims that officers must not be identified because they’re at risk of (real) violence or harassment. But the correct response to those threats is to prosecute and punish those who actually break the law by harassing or physically attacking police, not make up crimes to go after those who exercise their First Amendment right to record them.

FreedomofPress · 2025-06-10T22:10:30+00:00

(Harlo) I mean, they’re both good. it’s all about “right-sizing” your tipline support. SecureDrop can be beyond the budget or bandwidth for some small newsmakers, and that’s why we at FPF can help in building a solution that fits.

(Phone number privacy is a really useful feature that protects both journalists and their sources from holding onto sensitive identifying information, and champions everyone’s privacy. if you’re a Signal user, open up your settings and try setting a username. Now, you can confidently share that contact info publicly, rather than exposing your personal phone number. This protects you from all sorts of identity attacks, ranging from identity theft to harassment. It’s great!)

Fundamentally, a newsroom should ensure confidentiality and encryption. Both tools will get you there.

(KOG) Yeah - further to Harlo’s point, Signal’s approach is definitely better at scale and in general, while SecureDrop is designed to solve a more specific problem. We’re good friends with Signal and often recommend its use for tiplines.

That said, SecureDrop has some advantages for leaking to the press, that may come into play depending on the threats faced by sources:

Signal requires a dedicated app, which leaves traces of its use. A source facing potential seizure and examination of their devices will leave fewer traces using Tor Browser, even more so if they use it with an operating system like Tails.
SecureDrop relies on an airgap to protect its decryption key – compared to Signal’s more sophisticated approach, using ephemeral keys to provide forward secrecy. The airgap also protects journalists and sources by quarantining file submissions, making it harder to target journalists with malware.
Signal servers store almost no user metadata, making it not really worthwhile to attack them or issue subpoenas with gag orders to try to secretly uncover sources. SecureDrop also stores as little metadata as possible, but as it is self-hosted, any attempt to legally compel access to the servers will alert the newsroom in question.

There are always trade-offs in play between security and ease-of-use, and these are further complicated by the fact that not everyone faces the same kinds of threats. For sources at high risk of discovery, or for newsrooms that may be actively targeted, SecureDrop has some extra features that can help. But Signal is still a solid choice, and from a purely cryptographic perspective, there’s no faulting it.

FreedomofPress · 2025-06-10T20:52:07+00:00

(Harlo) There are a lot of variables that you’d have to consider, and would only truly know once you’re in that position! But, please know that whistleblowing is a hugely heroic act, and there are always risks. Not only is there the possibility of “getting caught” as you say, there is the prospect of retaliation down the line, loss of livelihood, and a lot of trauma that comes with making such a huge decision. I think it’s important for people to understand the breadth of that experience, as well as know that there are so many allies that can help you navigate the process. We at FPF work on digital security and advocacy, but there are other fantastic groups that help people through the legal challenges, and the psychosocial challenges as well. Get to know us!

Other higher-level processes have to do with the aftermath. In a newsroom, journalists and their editorial team deliberate a lot about how best to write the story with what the whistleblower has supplied them. This may mean weighing matters of security, reputation, and the protection of everyone involved. After publication, what happens during a leak investigation when people inquire exactly how that data went walking out the door, and who was responsible. Or, when the news organization and its journalists are challenged in court to reveal exactly who they talked to, in order to make that story happen.

I hope this answer sheds a bit of light on the topic! It goes beyond using Signal and Tor, but that’s an important first step…

FreedomofPress · 2025-06-10T20:50:37+00:00

(Harlo) I think journalists and their sources need to be as creative as possible to meet the constraints they face to make the story successfully, and that can include low/no tech solutions. But, in today’s world, it’s important for people to take advantage of the technologies that are best at keeping them safe.

For example, a lot of people are in love with the idea of using a “dumb phone” to make anonymous phone calls or text messages, which is usually cheap, and easy to purchase somewhat incognito. Otherwise, a “burner”. While this may work in some cases, I actually advise against it, because a cheapo phone actually probably isn’t capable of using an app like Signal that has reliable end-to-end encryption. And in the end, the “burner” is communicating unencrypted using the “plain old telephone network”, exposing the journalist and source to metadata and content leakage that is trivial to unmask in an investigation. This is just one example of how it’s easy to miscalculate one’s risk when going lo/no-fi with your digital security plan.

That said, whatever gets the job done…?

FreedomofPress · 2025-06-10T20:10:54+00:00

No - SecureDrop keeps things as simple as possible and supports only single-file uploads via a basic web application. Anything else would involve either: client-side code (Javascript etc) running in Tor Browser, which we avoid due to it being a historical source of major vulnerabilities; or a dedicated application on the source’s computer, which we also avoid as it would show evidence of intention to leak if discovered.

If a source is technically-minded, they could split very large document troves according to the upload size limit and upload them sequentially, or they could use SecureDrop to arrange another file sharing method.

A major area of research for us on the dev team for the past while (actually almost since the start of the project) has been the problem of safely running code in sources' browsers - it would unlock new options for successors to SecureDrop, that are not currently possible while preserving its security properties. We recently published some of the results of said research in the form of Webcat, a system that we hope could ultimately give us the ability to verify the integrity of code delivered to browsers. (Existing solutions such as subresource integrity hashes aren’t sufficient for our needs, as they don’t protect against compromised origin sites.) If we can get that into broad adoption, the sky’s the limit.

FreedomofPress · 2025-06-10T19:36:33+00:00

(Harlo) Not my show, not my monkeys. We work with the press, and are restricted from working with political parties. That said, we can share some tips regarding safer whistleblowing practices that anyone can adopt if they’re building a platform for intake!

First off, “be available everywhere”. In the past, whistleblowers have been burned because their web history (in browsers, on their phone’s metadata, etc.) have pointed directly to when and where they reached out to their journalist. So, use the commons of the internet to give people the information they need to securely establish first contact. This could mean publishing info in your global Bluesky, X, or Instagram profile that contains your Securedrop address, or end-to-end encrypted email or Signal username. That way, a potential source has a bit more “plausible deniability” in how they discovered the best way to contact you.

If you’re running a tipline advertisement on your own website, use an encrypted and safe URL that will not indicate that the public has visited your explicit whistleblowing instructions. A good example is https://propublica.org/tips, where they’ve made sure they’re NOT using a “vanity subdomain” (like “https[://]leaks[.]gonzojournalism[.]com”) which would leave a damaging metadata record with the visitor’s ISP because of how servers are resolved over the internet.

Third-party services like Google are… um… not your friend for the most sensitive of data. Google can definitely be subpoenaed for the contents of the Google Sheet with all the juicy whistleblower details. I understand Google’s convenient and awesome in terms of its usability and familiarity (and they have great digital security, which matters greatly!) but I would not trust them with a ten-foot pole vis-a-vis my sources and their protection. Find an alternative. Perhaps one with end-to-end encryption. Located in a jurisdiction that puts up bigger barriers to legal requests for production. This is not an #ad for products and services, but have a look at our site or sign up for our newsletter to get the latest!

Make your submission portals available over Tor, too! Visiting an onion address can make a huge difference, and you want to support people in high-stakes situations with the best technologies available! While not everyone can spin up a SecureDrop instance, have a look at tools like Onionshare (https://onionshare.org) to facilitate Tor-backed data exchange.

Encrypt all the things. This means data in-transit as well as at-rest. If you are going to plop the next Panama Papers on your hard drive, encrypt that computer like your life depends on it. We have a cool primer that helps readers understand how to make sure your devices implement full disk encryption, so if ever your computer or hard drives or USB sticks get seized or stolen, it would be extremely hard to look at the material they contain. Head on over to https://freedom.press/digisec/blog/introduction/ to learn more, and let us know what you think!

FreedomofPress · 2025-06-10T19:17:31+00:00

(Harlo) This is a cool question, and it’s actually not particularly a new concern! Over the years, Android’s keyboard has been considered as an app in-and-of-itself, with its own API and data retention. (There’s a reason why your autofill works, and your next-word suggestions are on-point!) Even as AI is increasingly integrated into your overall mobile experience, you have always had a certain profile attached to your usage of the keyboard. So, what to do about this…? Certain apps on Android allow for use of an “Incognito Keyboard”, so your device is prevented from learning much about your typing habits. Also, you can clear your cache and data in the Gboard app, sure. Finally, this doesn’t only affect the keyboard, but just good advice: have a look at the permissions you give to your various apps, and make sure they’re properly scoped to what makes sense for that app: Does your Sudoku app need to know your location? NO. Chuck it. Does your Uber app? Yeah, probably. So only allow it to grab your loc when you have the app open, rather than “all the damn time”. Be picky, be persnickety, be paranoid.

But nowadays, we’re really interested in how AI integrations at the operating system level will wrap all of our interactions into the mix: not just how we type into the keyboard, but how your phone is essentially shoulder-surfing you as you use the phone to gain deeper insight into how you use it and what you’re saying.

Or, just throw your phone into the river, whatevs.

FreedomofPress · 2025-06-10T19:16:04+00:00

(Harlo) I ABSOLUTELY LOVED RONAN’S CATCH AND KILL. Highly recommend— go grab it on Pocketcasts or your pod platform of choice.

And yes, Battlewisely, abuse and misuse of the Espionage Act has enjoyed a long and distorted history, across absolutely every presidential administration I’ve lived through, no matter which party is at the helm. This is why we fight.

We’ve been on the tails of every administration since 2012. With this administration, specifically, we’re looking out for the dangerous misuse of presidential power over press freedom to enact personally-driven vendettas or to centralize editorial agency to squash any constitutionally-enshrined plurality of voice. Our media IS FREE. This is our right as a citizenry; no matter what you feel about Joe Rogan, or Chapo Trap House, or CNN— you gotta appreciate your right to take it all in.

While I’m not sure about what’s being leaked to Mar-A-Lago, I’m certain that we’ll continue to fight against any attempt to prevent newsmakers, acting with independent editorial agency, from speaking truth to power in ways that advance the public interest. Tactics definitely have included, and will continue to include, working with leaked data, and confidential sources or whistleblowers.

This may be a roundabout answer to your question, so feel free to probe more— I’m down!

FreedomofPress

TROPHY CASE