A Spooky Tale of Denial of Service
October 27, 2022 / #FOIA
By Ben Tingo, FOIA Advisory Committee Member
Welcome to the second post in AINS’ modern Freedom of Information Act (FOIA) blog series. In case you missed it, we recently introduced you to Ben Tingo, our National Archives and Records Administration FOIA Advisory Committee member. Here we share his article on the “denial of service attack” and how it relates to the needs of today’s FOIA requesters.
Halloween is just around the corner, so I have a terrifying tale to spin for you.
Picture if you will: you are a librarian in a small town library. You love your job. You especially love how you’re able to help members of your community. The library is a place to learn that is equally available to everyone, and you help make sure it runs well and is always available. Most of your time is spent maintaining the library’s collections and performing administrative tasks – necessary, but time consuming – that keep the library running. People also come to you every day with questions about a variety of topics, and you know your library so well that you’re able to quickly direct them to the resource they need to find what they are looking for. Normally, just a few people a week come directly to you looking for something, maybe a couple a day, and many of them are asking for similar things which you can provide quickly. Even when you get difficult requests, you are able to spend the necessary time to provide them with the best answer. You almost never have someone just waiting around for help.
But today is not a normal day.
Today, while you’re replacing returned books to their shelves, you hear an ominous sound from the street: “Boooooooooookssss…” You look outside and see dozens of disheveled-looking people filling the street and approaching the front door. “Booooooooooooooookssssss….”, they moan as they enter the library and shuffle around.
You politely explain to the crowd that you have a great many books available – this is, after all, a library – and that you can provide all of them (you’re a stellar librarian), but that would take a lot of time and effort. You explain that if they can tell you why they want “booooooooksss,” or maybe just tell you which specific books they want, then you’d be able to get them what they’re looking for much faster. This suggestion enrages them.
As you stand there, bewildered and considering your options, you notice the mayhem this crowd is causing all around. Several have cornered your colleagues, who are also trying their best to be helpful. The rest are just aimlessly milling about stacks, getting wedged into every nook and cranny they can find.
These requesters are making it hard for the library to function: books are piling up on carts and overflowing in the return bin, and other people who are coming and looking for information are getting sidelined and have to wait much longer than usual to get what they need. You have so many other things you need to take care of to keep the library running, but you are obligated to help these people. You keep pleading with them to engage with you – “help me help you!” – to no avail. More and more keep coming. Panicked, you call 9-1-1 and within minutes the EMTs, police, and fire department show up to help manage the crowd, but they are powerless to stop it. TV crews arrive to document the madness. The mayor and city council come by, but they seem to be blaming you for the problem and all the attention only makes the problem worse. Thousands of people converge outside pushing in the doors and windows, and banging on the walls, until the glass shatters and you are swallowed by a teeming horde of people shouting, “BOOOOOOOOOKSSSSSSS!!!!”
Thankfully, book-seeking zombies do not literally exist, but many FOIA professionals recently found themselves facing a similar nightmare. According to a recent article from The Washington Post, local election offices were recently flooded by requests for election-related records. These lightly-staffed offices have lately been receiving abnormal requests: A requester in Wisconsin sought 34 different types of documents. Election offices across North Carolina received hundreds of requests in a single day. And in Kentucky, officials received highly technical requests that they could not understand, and when they contacted the requesters for more information about what they were looking for, the requesters weren’t sure, either. Regardless, these offices are required to respond to these requests as best they can, and even just logging and reaching out to requesters for clarification of their request takes time and effort that these small offices just don’t have to spare. To make matters worse, this appears to be a coordinated effort – a “denial of service attack” – where the actual goal is disruption of the office’s main services of election oversight and management rather than obtaining responsive records in aid of government transparency.
Although this scenario has been playing out in state and local offices, federal FOIA shops should not think it can’t happen to them. In fact, it doesn’t take a coordinated effort for FOIA to become a major burden to our government agencies. The number of requests across the government continues to rise, and although the majority of these requests are received by only 5-10 of the largest government agencies, smaller offices should not get complacent. There are always improvements that can be made, even in the best of times, and the experience of these election offices show that any office, of any size, can be just one news cycle away from being flooded with zombie requesters that weaponize FOIA and cause significant problems by making hundreds of requests or even thousands of requests for exceptionally voluminous or complex records.
So what can FOIA offices do to prepare for their own zombie attack? Be proactive. Don’t get complacent, and don’t think it can’t happen to you. Make it a habit – a policy and SOP – to regularly engage with your FOIA program administration to identify weaknesses and opportunities to improve. Are there processes that should be digitized? Should you move to the cloud — what if you can’t access your files for an extended period of time? What happens if you start receiving requests for video files that need to be redacted? What about responding to requests that encompass hundreds, thousands, or even millions of pages of documents? How do you manage proactive disclosures? Do you have a method to identify duplicate requests and frequently requested records? Do you have a reliable way to publish these records to the public?
The point is, you might not be able to avoid a zombie invasion, but there are things you can do to keep an invasion from becoming an apocalypse. And chances are good that by being prepared for the worst, you will actually find ways to be better than your current best. Software is not the only solution here, but if you’re interested in ways that technology can help, feel free to reach out to AINS – your FOIA technology partner – for a discussion about your preparedness, and please come to our User Conference on November 3rd to learn more about how we are helping our customers stay vigilant and be prepared.
This is the second in the modern FOIA blog series. Read the first post here and look out for future blog posts by Ben Tingo.