Why agencies redact what they redact — and how to fight back.
FOIA's nine exemptions are the only legal grounds an agency can use to withhold records. Every
redaction in every release should cite one or more of these. If a redaction has no exemption
cited, that's a procedural error you can flag in an appeal.
(b)(1)
Classified national security information
Protects: Records properly classified under an Executive Order (currently E.O. 13526).
Common usage: Most common at CIA, NSA, DoD, ODNI. Protects classified intelligence sources, methods, capabilities.
How to challenge: Request a Mandatory Declassification Review (MDR). Challenge the classification level. Argue that the record is so old that classification can no longer be justified (records over 25 years old face a higher bar for continued classification).
Example: A CIA assessment of Soviet missile capabilities from 1972 may still be (b)(1) if the underlying collection method remains in use. An MDR has succeeded in similar cases.
(b)(2)
Internal personnel rules and practices
Protects: Records related solely to internal personnel rules of an agency.
Common usage: Rarely invoked since the Supreme Court narrowed it in Milner v. Department of the Navy (2011).
How to challenge: Often not worth challenging — the modern interpretation is narrow enough that legitimate (b)(2) invocations are usually defensible.
Example: Internal employee parking policies or HR-only procedural rules.
(b)(3)
Specifically exempted by other statutes
Protects: Records exempted by another federal statute that explicitly mandates withholding (the "statutory withholding" exemption).
Common usage: CIA Act of 1949 §§ 6 & 3, NSA Act, Federal Rules of Criminal Procedure 6(e) (grand jury), 41 U.S.C. § 423 (contract proposals).
How to challenge: Identify the exact statute being cited. Some have been narrowed by courts — for example, ACLU v. CIA narrowed (b)(3)+CIA Act for certain operational records.
Example: CIA invokes (b)(3) + CIA Act to withhold its budget topline. NSA invokes (b)(3) + NSA Act for organizational details.
(b)(4)
Trade secrets and confidential commercial/financial information
Protects: Information obtained from a person and considered confidential commercial information.
Common usage: Contractor records, regulatory filings, proprietary technical data.
How to challenge: Argue the information is no longer commercially sensitive (e.g., expired contracts, superseded specifications). After Argus Leader (2019), agencies may withhold information that the submitter "customarily keeps private" — challenge by showing the data has been published elsewhere.
Example: A defense contractor's pricing schedule for a weapons system delivered 30 years ago.
(b)(5)
Deliberative process / attorney-client / work product
Protects: Inter- or intra-agency memoranda that would not be available to a party in litigation against the agency (the "withhold it because you can" exemption).
Common usage: The most frequently abused FOIA exemption. Used for drafts, recommendations, legal opinions, deliberative emails.
How to challenge: Challenge aggressively. (b)(5) has time limits — after 25 years, deliberative-process privilege expires by statute. Argue that the document reflects final policy, not deliberation. Request the "factual material" segregated from the deliberative portions.
Example: A draft policy memo from 1990 should no longer be deliberative; it's now historical record.
(b)(6)
Personal privacy
Protects: Personnel, medical, and similar files where disclosure would constitute a clearly unwarranted invasion of personal privacy.
Common usage: Names, addresses, SSNs of individuals mentioned in records. Routinely applied to withhold the identities of employees below a certain GS level.
How to challenge: Request records with names redacted but content preserved. Argue public interest in disclosure outweighs privacy interest (the "balancing test"). Most successful for officials acting in their public capacity.
Example: Name of a CIA case officer in a 1965 operations cable — agency will redact. Name of a CIA deputy director making a policy decision — public interest favors disclosure.
(b)(7)
Law enforcement records
Protects: Records compiled for law enforcement purposes, with six sub-categories: (A) ongoing investigations, (B) fair-trial rights, (C) personal privacy of subjects/witnesses, (D) confidential sources, (E) law enforcement techniques, (F) physical safety.
Common usage: FBI investigative files most often; also DEA, ATF, DHS investigative components.
How to challenge: Most challengeable: (b)(7)(A) once the case is closed — argue the investigation has concluded so the protection lapses. (b)(7)(C) personal privacy yields to public interest for senior officials. (b)(7)(E) techniques cannot protect generally-known methods.
Example: FBI file on a closed 1970s case is no longer (b)(7)(A). Techniques that have been publicly described in court testimony cannot remain (b)(7)(E).
(b)(8)
Financial institution regulation
Protects: Records related to bank examinations and supervisory reports.
Common usage: Federal Reserve, OCC, FDIC supervisory exam records.
How to challenge: Rarely encountered outside banking-regulator FOIA work. Largely accepted as legitimate when invoked.
Example: Bank examination report from the OCC.
(b)(9)
Geological and geophysical information about oil and gas wells
Protects: Maps and data concerning oil/gas exploration wells.
Common usage: Vanishingly rare.
How to challenge: Not generally challenged.
Example: Geological survey data submitted under a permit application for an oil well.
Glomar responses ("can neither confirm nor deny")
Sometimes an agency won't even confirm whether responsive records exist. This is a "Glomar response,"
named after a CIA refusal to confirm or deny records about the Hughes Glomar Explorer in the 1970s.
Glomar can be challenged when the agency has officially acknowledged the program elsewhere
("public-domain doctrine") or when the very fact of existence is not itself classified.
How to read a redaction
Every redacted block in a release should be marked with a code like (b)(1) or
(b)(7)(E). Copy the code, look it up here, and decide whether to challenge.
If an entire document is withheld, the agency's response letter must cite the exemptions
that apply. If they say "withheld in full" without a citation, that's an appealable error.
Disclaimer: This guide is for informational purposes only and does not constitute
legal advice. Consult an attorney for FOIA litigation or appeals involving complex legal questions.