
Understanding FOIA Exemptions

Why agencies redact what they redact — and how to fight back.

FOIA's nine exemptions are the only legal grounds an agency can use to withhold records. Every redaction in every release should cite one or more of these. If a redaction has no exemption cited, that's a procedural error you can flag in an appeal.

(b)(1)

Classified national security information

Protects: Records properly classified under an Executive Order (currently E.O. 13526).
Common usage: Most common at CIA, NSA, DoD, ODNI. Protects classified intelligence sources, methods, capabilities.
How to challenge: Request a Mandatory Declassification Review (MDR). Challenge the classification level. Argue that the record is so old that classification can no longer be justified (records over 25 years old face a higher bar for continued classification).
Example: A CIA assessment of Soviet missile capabilities from 1972 may still be (b)(1) if the underlying collection method remains in use. An MDR has succeeded in similar cases.

(b)(2)

Internal personnel rules and practices

Protects: Records related solely to internal personnel rules of an agency.
Common usage: Rarely invoked since the Supreme Court narrowed it in Milner v. Department of the Navy (2011).
How to challenge: Often not worth challenging — the modern interpretation is narrow enough that legitimate (b)(2) invocations are usually defensible.
Example: Internal employee parking policies or HR-only procedural rules.

(b)(3)

Specifically exempted by other statutes

Protects: Records exempted by another federal statute that explicitly mandates withholding (the "statutory withholding" exemption).
Common usage: CIA Act of 1949 §§ 6 & 3, NSA Act, Federal Rules of Criminal Procedure 6(e) (grand jury), 41 U.S.C. § 423 (contract proposals).
How to challenge: Identify the exact statute being cited. Some have been narrowed by courts — for example, ACLU v. CIA narrowed (b)(3)+CIA Act for certain operational records.
Example: CIA invokes (b)(3) + CIA Act to withhold its budget topline. NSA invokes (b)(3) + NSA Act for organizational details.

(b)(4)

Trade secrets and confidential commercial/financial information

Protects: Information obtained from a person and considered confidential commercial information.
Common usage: Contractor records, regulatory filings, proprietary technical data.
How to challenge: Argue the information is no longer commercially sensitive (e.g., expired contracts, superseded specifications). After Argus Leader (2019), agencies may withhold information that the submitter "customarily keeps private" — challenge by showing the data has been published elsewhere.
Example: A defense contractor's pricing schedule for a weapons system delivered 30 years ago.

(b)(5)

Deliberative process / attorney-client / work product

Protects: Inter- or intra-agency memoranda that would not be available to a party in litigation against the agency (the "withhold it because you can" exemption).
Common usage: The most frequently abused FOIA exemption. Used for drafts, recommendations, legal opinions, deliberative emails.
How to challenge: Challenge aggressively. (b)(5) has time limits — after 25 years, deliberative-process privilege expires by statute. Argue that the document reflects final policy, not deliberation. Request the "factual material" segregated from the deliberative portions.
Example: A draft policy memo from 1990 should no longer be deliberative; it's now historical record.

(b)(6)

Personal privacy

Protects: Personnel, medical, and similar files where disclosure would constitute a clearly unwarranted invasion of personal privacy.
Common usage: Names, addresses, SSNs of individuals mentioned in records. Routinely applied to the identities of employees below a certain GS level.
How to challenge: Request records with names redacted but content preserved. Argue public interest in disclosure outweighs privacy interest (the "balancing test"). Most successful for officials acting in their public capacity.
Example: Name of a CIA case officer in a 1965 operations cable — agency will redact. Name of a CIA deputy director making a policy decision — public interest favors disclosure.

(b)(7)

Law enforcement records

Protects: Records compiled for law enforcement purposes, with six sub-categories: (A) ongoing investigations, (B) fair-trial rights, (C) personal privacy of subjects/witnesses, (D) confidential sources, (E) law enforcement techniques, (F) physical safety.
Common usage: FBI investigative files most often; also DEA, ATF, DHS investigative components.
How to challenge: Most challengeable: (b)(7)(A) once the case is closed — argue the investigation has concluded so the protection lapses. (b)(7)(C) personal privacy yields to public interest for senior officials. (b)(7)(E) techniques cannot protect generally-known methods.
Example: FBI file on a closed 1970s case is no longer (b)(7)(A). Techniques that have been publicly described in court testimony cannot remain (b)(7)(E).

(b)(8)

Financial institution regulation

Protects: Records related to bank examinations and supervisory reports.
Common usage: Federal Reserve, OCC, FDIC supervisory exam records.
How to challenge: Rarely encountered outside banking-regulator FOIA work. Largely accepted as legitimate when invoked.
Example: Bank examination report from the OCC.

(b)(9)

Geological and geophysical information about oil and gas wells

Protects: Maps and data concerning oil/gas exploration wells.
Common usage: Vanishingly rare.
How to challenge: Not generally challenged.
Example: Geological survey data submitted under a permit application for an oil well.

Glomar responses ("can neither confirm nor deny")

Sometimes an agency won't even confirm whether responsive records exist. This is a "Glomar response," named after a CIA refusal to confirm or deny records about the Hughes Glomar Explorer in the 1970s.

Glomar can be challenged when the agency has officially acknowledged the program elsewhere ("public-domain doctrine") or when the very fact of existence is not itself classified.

How to read a redaction

Every redacted block in a release should be marked with a code like (b)(1) or (b)(7)(E). Copy the code, look it up here, and decide whether to challenge.

If an entire document is withheld, the agency's response letter must cite the exemptions that apply. If they say "withheld in full" without a citation, that's an appealable error.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Consult an attorney for FOIA litigation or appeals involving complex legal questions.
