The Foilies were written by EFF's Beryl Lipton, Dave Maass and Aaron Mackey and MuckRock's Dillon Bergin, Kelly Kauffman and Anna Massoglia. Art by Shelby Criswell.
For the last six years, a class of journalism students at the University of Nevada, Reno, has kicked off each semester by filing their first Freedom of Information Act (FOIA) requests.
The assignment: Request copies of complaints sent to the Federal Communications Commission (FCC) about their favorite TV show, a local radio station, or a major broadcast event, such as the Grammys or the Super Bowl halftime show. The students are learning that the federal government and every state have laws establishing the public's right to request and receive public records. It's a bedrock principle of democracy: If a government belongs to the people, so do its documents.
In the past, the FCC always provided records within a few weeks, if not days. But that changed in September when students requested consumer complaints filed against NPR and PBS stations to see if there was absolutely anything at all to merit defunding public media. Seven months later — crickets.
Now the students are learning to persevere even when public officials demonstrate an utter disdain for transparency. And The Foilies are here for it.
Established in 2015, The Foilies are an annual project by the Electronic Frontier Foundation and MuckRock to recognize the agencies, officials and contractors that thwart the public's right to know. We give out these tongue-in-cheek "awards" during Sunshine Week (March 15-21), a collective effort by media and advocacy organizations to highlight the importance of open government.
This year, we've got a few "winners" whose behavior defies belief.
But it's not all negative. Those same Reno students are also assigned to file public records requests for restaurant health inspections. This semester, the records started to show up in their inboxes within 20 minutes.
If every agency followed Northern Nevada Public Health's example, we could sunset this Sunshine Week project.
Quick links:
Last spring, the office of Texas Gov. Greg Abbott withheld communications between himself and one of the state’s most powerful business figures, Elon Musk. The office claimed that the communications were exempt from public records law because they would reveal confidential legal and policy discussions, including how the state entices private companies to do business in Texas, or “intimate and embarrassing” information.
The claims were unelaborated boilerplate language based on exemptions in Texas’ public records law. But if you’re wondering what "intimate" and “embarrassing” exchanges Abbott and Elon Musk shared over email, you may be waiting a while.
Last fall, the Office of the Texas Attorney General ordered Texas Gov. Greg Abbott’s office to release nearly 1,400 pages of communications between Abbott and Musk. About 1,200 of those pages were fully redacted–just sheets of gray obscuration. The records that were released don’t reveal much more than an invitation to a happy hour or a reminder of the next SpaceX launch.
The Surcharge, Eh? Award - Vancouver, B.C.Vancouver residents must now pay twice for public records. Despite taxes already funding the creation and storage of government records, the City Council approved charging people $10 Canadian (about $7.33 in the United States) every time they ask for “non-personal” public records.
Officials claim the fee is necessary to deter misuse and cover some administrative costs. The only people abusing anything, however, are the officials who imposed this tax on the public. The message Vancouver is sending is as crisp as a newly minted $10 note: Secrecy is a higher priority than public accountability.
The Shady Screenshot Award - Department of Homeland SecurityThe Department of Homeland Security’s banner year of lawlessness included backsliding on its transparency obligations.
In response to a request from the nonprofit American Oversight, DHS stated that it was no longer automatically archiving text messages sent between officials. The department clarified that it had a new, and much worse, records retention policy. Instead of archiving officials’ text messages as the agency had done before, DHS now asks officials to take screenshots of any text messages conducting government business on their work phones.
It’s hard to see the change as anything more than a giant middle finger to the public, especially because the Federal Records Act requires agencies to retain all records officials create while conducting their public duties, regardless of format. We won’t hold our breath waiting on DHS officials to dutifully press the volume and power button on their phones to record every text message they send and receive.
The Discardment of Government Efficiency Award - DOGEAs the Trump administration took over last year, there was a looming threat over government transparency: the so-called Department of Government Efficiency, also known as DOGE.
Billionaire Elon Musk, soon to be the de facto leader of DOGE, proudly claimed “there should be no need for FOIA requests” and “all government data should be default public for maximum transparency.” What quickly became apparent was there may be no need for FOIA requests, because there may be no FOIA officers to fulfill those requests.
DOGE quickly went to work slashing through the federal government, including seizing control of the U.S. Institute of Peace. Part of the takeover included restricting access to the agency’s FOIA system and firing the employees responsible for fulfilling FOIA requests, according to a letter sent to Bloomberg reporter Jason Leopold. Meanwhile, when CNN filed a FOIA request with the Office of Personnel Management (OPM) for information about Musk and DOGE's security clearance, they were told: "Good luck with that," because the FOIA officers had been fired.
DOGE also argued that its own records are exempt from FOIA under the Presidential Records Act, meaning records cannot be accessed until five years after President Donald Trump is out of office.
While DOGE “doesn’t exist” anymore according to the OPM, there remains a lasting dark mark on the state of FOIA and records management.
The Secret Eyes in the Sky Award - Chula Vista Police Department, Calif.In 2021, Arturo Castañares at La Prensa San Diego filed a request with the Chula Vista Police Department for copies of videos taken by drones responding to 911 calls as part of the city's "drone as first responder" program. One of the goals was to evaluate the technology’s efficacy and risks to civil liberties.
The city worked overtime to maintain the secrecy of the footage at the same time officials publicly touted the drones as a revolution in policing. That’s some impressive trust-us-but-don’t-verify chutzpah.
The city argued that every second of every video recorded by its drones was categorically off limits because they were law enforcement investigative records. They even got a trial court to initially buy the argument.
But an appellate court ruled that the investigatory records exemption is more limited, shielding only drone footage that is part of a criminal investigation or evidence of a suspected crime. Footage of wildfires, car wrecks, wild animal sightings and the like are not criminal investigations and must be disclosed.
The California Supreme Court rejected both of CVPD's appeals and a trial court bench slapped the city for inaccurate and incomplete court filings. In the end, the city had to shell out north of $400,000 to its outside lawyers, and then paid Castañares’ lawyers more than $500,000 when he prevailed.
So what were Chula Vista police hiding? A bunch of routine service calls, such as unverified reports of a vehicle fire and a vehicle collision.
Now, according to La Prensa's reporting, officials are trying to raid a public safety fund created by voters to reimburse the city for the cost of its ill-advised secrecy.
The City of Darkness Award - Richmond, Va.Richmond’s creation of a new FOIA Library may seem like a step toward transparency, but there are questions about the city’s commitment after it left the same officials subject to records requests in charge of curating which records might be released.
Faced with a plan to post all of the city’s eligible public records released under Virginia’s “sunshine” law, the Richmond City Council instead opted to go with the mayor’s alternative proposal. That plan lets the mayor’s administration — the same one that might be the subject of those records — decide what’s worth posting to the library.
Instead of providing access to all public records that the city released under the Virginia Freedom of Information Act, the library will only contain a subset that officials believe meet certain criteria, including records that the administration deems "relevant" to city business or that would aid "accountability.” The city cites concerns that "transparency without context" might be too confusing for the average citizen. Forgive us for having more faith in Richmond residents than its leaders do.
The city’s secrecy shenanigans extend beyond the FOIA library.
In an ongoing legal battle, attorneys representing Richmond asked a judge to prohibit former city FOIA officer Connie Clay from filing FOIA requests seeking information about her firing, and sought a gag order to prevent her from talking about the case. Clay alleges she was fired for insisting the city comply with public records law, describing what she calls a “chaotic and mismanaged” and illegal FOIA request process. Rather than agree to a $250,000 settlement, Richmond has spent more than $633,000 in taxpayer funds on legal costs. The trial and the FOIA library launch are both slated for the summer of 2026.
The Flock You Awards - Multiple WinnersIf you live in one of the 5,000 cities where surveillance vendor Flock Safety claims to have established relationships with local cops, you may have noticed the sudden installation of little black cameras on poles by the side of the road or at intersections. These are automated license plate readers (ALPRs), which document every vehicle that passes within view, including the license plate, color, make, model and other distinguishing characteristics. The images are fed to Flock's servers, and the company encourages police to share the images collected locally with law enforcement throughout the country. Each year, law enforcement agencies across the country conduct tens of millions of searches of each other's databases.
In 2025, journalists and privacy advocates started filing public records requests with agencies to get spreadsheets called a "Network Audit," which shows every search, including who ran it and why. Accessing these audits uncovered abuse of the system including: investigating a woman who received an abortion, targeting immigrants, surveilling protesters, and running racist searches targeting Roma people.
In response, some cities have terminated their contracts with Flock Safety. Other law enforcement agencies, and Flock itself, have gone a different direction:
Taunton Police Department, Mass.: The police department told the ACLU of Massachusetts to cough up $1.8 million if the organization wanted its network audit logs–the highest public records fee we documented this year. The civil liberties group filed requests with agencies throughout the state for the audits, and most agencies handed over the spreadsheets for free and with little fanfare. Taunton, however, said it would take 20,000 hours to process the request, at $86.57 an hour.
Orange County Sheriff's Department, Calif.: The Orange County Sheriff gave a number of reasons it wouldn't release the network audit logs in response to a public records request. The most inane (and misspelled one): It would "disincentive law enforcement from conducting such research." Aren't cops the ones who say if you’re not doing anything wrong, you've got nothing to hide? Well, well, well, how the tables have turned.
Flock Safety: The company responded to criticisms of its ALPR network by sending legal threats aimed at trying to silence its critics. First, the company used a bogus trademark claim to threaten DeFlock.me–a crowdsourced map of ALPR. (EFF represented its creator.) Then it hired a company to try to get the hosts of HaveIBeenFlocked.com, which hosts an interface for searching these network audits, to remove the site from the internet.
The Database Deletion Award - Muneeb and Sohaib Akhter, formerly of OpexusBrothers Muneeb and Sohaib Akhter are accused of essentially hitting delete on government data, destroying access to information contained in millions of records.
The government hired a federal contractor called Opexus, which hosts data and provides services to dozens of federal agencies. The company employed the Akhter siblings, though in February 2025, Opexus learned about the brothers’ previous convictions for wire fraud and obstructing justice. Soon after, the company fired the pair. But, according to prosecutors, the two decided to double down on being wildly unsuited for administrative access to government records systems.
The Akhters immediately turned around and retaliated “by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities," according to the U.S. Department of Justice.
The two have been accused of deleting 96 government databases, many of which contained FOIA records and sensitive investigative files. Their indictment alleges that a minute later, one brother queried an artificial intelligence tool for “how to clear system logs following the deletion of databases.” The brothers are also charged with stealing government records and conspiracy to commit computer fraud.
The Brothers Akhter allegedly took mere moments to destroy untold amounts of information that belonged to the public. Though they could face decades in prison, the public may never know the extent of the damage.
Want more FOIA horror stories? Check out The Foilies archives!
EFF has filed a new lawsuit against the Consumer Product Safety Commission (CPSC) to ensure that the public has full access to the laws that govern us.
Our client Public.Resource.Org (Public Resource), a tiny non-profit founded by open records advocate Carl Malamud, has a mission that’s both simple and powerful: to make government information more accessible. Public Resource acquires and makes available online a wide variety of public documents such as tax filings, government-produced videos, and federal rules about safety and product designs. Those rules are initially created through private standards organizations and later incorporated into federal law. Such documents are often difficult to access otherwise, meaning the public cannot read, share, or comment on them.
Working with Harvard Law School’s Cyberlaw Clinic, Public Resource has been submitting Freedom of Information Act requests to the CPSC requesting copies of the legally binding safety codes for children’s products—an area of law of intense interest to child safety advocates and consumer advocates, not to mention the families who use those products. But CPSC says it can’t release the codes, because the private association that coordinated their initial development insists that it retains copyright in them even after they have been adopted into law. That’s like saying a lobbyist who drafted a new tax law gets to control who reads it or shares it, even after it becomes a legal mandate.
Faced with similar claims, some courts, including the Court of Appeals for the Fifth Circuit, have held that the safety codes lose copyright protection when they are incorporated into law. Others, like the D.C. Circuit (in a case EFF defended on Public Resource’s behalf), have held that even if the standards don't lose copyright once they are incorporated into law, making them fully accessible and usable online is a lawful fair use.
Now EFF has teamed up with the Cyberlaw Clinic to continue the fight. We’re asking a court to rule that copyright is no barrier to accessing and sharing the rules that are supposed to ensure the safety of our built environment and the products we use every day. With the rule of law under assault around the nation, it is more important than ever to defend our ability to read and speak the law, without restrictions.
EFF has long warned against age-gating the internet. Such mandates strike at the foundation of the free and open internet. They create unnecessary and unconstitutional barriers for adults and young people to access information and express themselves online. They hurt small and open-source developers. And none of the available age verification options are perfect in terms of protecting private information, providing access to everyone, and safely handling sensitive data.
Last year, EFF raised concerns about A.B. 1043 as one of several bills in the California legislature that took the wrong approach to protecting young people online—by focusing on censorship rather than privacy. Now that A.B. 1043 is set to go into effect in 2027, we've received a lot of questions about its possible effects.
A.B. 1043’s Censorship TrapEven proposals that may not explicitly mandate age verification, such as A.B. 1043, can still create many of the same censorship problems. A.B. 1043 requires all operating systems and app stores to create age bracketing systems that will segment their users based on their ages. Users are then required to provide operating systems and apps their birth date or age so that they can be placed in their respective age bracket. A.B. 1043 also requires application and software developers to collect this age bracket information when a user want to use that software or application.
A.B. 1043 treats the age-bracket signal sent by a user as giving the application or service actual knowledge of users’ ages. Knowledge that the user is a minor could provide the basis for liability under other laws, such as California Age-Appropriate Design Code.
The result is a recipe for censorship. Applications and software developers for operating systems may interpret A.B. 1043 and its potential enforcement by the California Attorney General as requiring them to exclude users who say they are minors or who don’t fit in a specific age bracket they believe is acceptable to use their application or software. But minors have a First Amendment right to access the vast majority of these apps and services. What California has done is essentially outsource censorship to developers, who are likely to lean into over-censorship.
Broad Language Undercuts Policy GoalsA.B. 1043’s one-size-fits-all approach is also problematic because it disregards the many ways in which we make and use digital tools. It assumes the internet and digital devices begin and end with the dominant technology companies and device makers, when we know that’s not the case. Additionally, many families share devices, especially in low-income households. These proposals do not account for situations where there is more than one user of a device.
Additionally, broad proposals that demand the implementation of such censorship tools under the guise of protecting young people's safety force developers to reach for imperfect solutions—or risk being found non-compliant and pushed out of markets. Many of these mandates imagine technology that does not currently exist. Such poorly thought-out mandates, in truth, cannot achieve the purported goal of age verification. Often, they are easy to circumvent and many also expose consumers to real data breach risk.
Squeezing Small and Open-Source Developers Hurts EveryoneA.B. 1043’s burdens fall particularly heavily on developers who aren’t at large, well-resourced companies, such as those developing open-source software. Not recognizing the diversity of software development when thinking about liability in these proposals effectively limits software choices—which is especially harmful at a time when computational power is being rapidly concentrated in the hands of the few. This harms users' and developers' right to free expression, their digital liberties, privacy, and ability to create and use open platforms. It also, perversely, entrenches the dominance of major operating system developers and device makers.
A.B. 1043 and similar proposals also raise considerable implementation issues because they cast a potentially wide net. A.B. 1043, for example, carves out “broadband internet access service," "telecommunications service,” and the “use of a physical product,” whereas “mobile devices” and “computers” are covered. However, so many devices could fall into these categories; people consider smart watches to be computers, for example. Virtually every digital device that runs software built in the past three decades could fall into that category. This means that consumers may have to submit age information to more companies than ever, again increasing the possibility of data misuse and data breach.
There Is Still A Better WayLegislators do not need to sacrifice their constituents' First Amendment rights and privacy to make a safer internet, but they can address many of the harms these proposals seek to mitigate. Many lawmakers have recognized these approaches, such as data minimization, in their proposals. Rather than creating age gates, a well-crafted privacy law that empowers all of us—young people and adults alike—to control how our data is collected and used would be a crucial step in the right direction.
