FOIA: AI Cuts Redaction from Weeks to Hours
Updated for 2026.
The federal government spent an estimated $500M on FOIA processing in 2024. Most of that cost was manual redaction. The DOJ backlog passed 100,000 open requests.
ARPA-H issued a procurement in 2025 for AI redaction software. HHS found that its CMS division needed AI-powered tools. Manual work had created backlogs that staff could not clear.
The question has shifted. It is no longer about whether to automate. It is about how to do it in a way that holds up in court.
The Federal Backlog Problem
Under 5 U.S.C. §552, agencies must respond within 20 business days. In practice, many take months. Some take years.
The DOJ backlog of 100,000+ requests equals roughly 2 billion minutes of manual review. That assumes just 20 minutes per request. At government billing rates, the labor cost runs into the billions.
Most of that time goes to one task. Staff scan pages for names, addresses, and phone numbers. That does not need attorney judgment. It needs pattern matching. An algorithm does it in seconds.
What ARPA-H and HHS Required
ARPA-H sought AI redaction software for FOIA document processing. Their stated requirements were:
- Auto-identification of Exemption 6 and 7(C) personal data.
- Batch processing of large document sets.
- Mixed format support: PDF, Word, and email.
- Audit trail documentation.
- Defensible output for FOIA response.
HHS/CMS reached the same conclusion. Growing volumes and flat staffing made manual review unsustainable. These agencies were not chasing new technology. They were solving a compliance crisis.
State and Local: Fewer Resources, Same Rules
Federal agencies have dedicated FOIA offices and legal budgets. State and local governments face the same legal duties with far fewer resources.
California's CPRA requires responses within 10 calendar days. A county with a three-person legal team cannot work through 2,000 documents in that window. The options are limited:
- Deny or delay — which creates legal risk.
- Hire temporary staff — expensive and slow.
- Automate the mechanical redaction phase.
Option 3 is now within reach. The same batch processing that federal agencies use is available to county legal departments. No long procurement timelines required. See our compliance overview for how public records rules apply across jurisdictions.
EU DSARs: The Same Problem
GDPR Article 15 Data Subject Access Requests (DSARs) create a parallel challenge for EU organizations. Unlike FOIA, DSAR obligations apply to all organizations that handle personal data. A small SaaS firm can receive the same volume of DSARs as a large bank.
The practical challenge mirrors FOIA. An organization must produce all data held about a specific person. Third-party personal data must be redacted from the response. The deadline is 30 days.
Each DSAR touching email archives, support tickets, and order records can mean hundreds of documents to check. For organizations handling 20–50 DSARs per month, manual review requires one or more full-time staff. Batch automation reduces that to part-time work.
Desktop Processing for Sensitive Records
Some agencies cannot use web-based tools. Data that must stay within agency systems needs local processing.
The Desktop App (anonym.plus) is built for this use case:
- All processing runs on the agency's own hardware.
- No data is sent to external servers.
- Batch runs handle 1–5,000 files at a time.
- Supported formats: PDF, DOCX, XLSX, TXT, CSV, JSON, XML.
- Processed files are packaged as a ZIP archive.
- CSV and JSON export with per-file metadata are included.
For agencies with air-gapped networks or strict data residency rules, local processing is the only viable path. The Desktop App uses the same detection model — XLM-RoBERTa with 285+ entity types — as the web platform. It works fully offline.
See our Desktop App documentation for setup details.
Implementation Notes
Audit trails. Government workflows require records of what was redacted, on what basis, and by whom. Batch metadata covers the first two. Routing exception documents through staff review covers the rest.
Consistency. A FOIA response that redacts a name in one document but misses it in another creates legal exposure. A fixed automated configuration removes that inconsistency.
SBU materials. Many government documents are sensitive but unclassified. Local processing handles SBU files with no network use. Web-based processing with proper DPA agreements covers non-SBU files.
Output format. The Redact method uses black bar replacement. This matches the look of standard FOIA redactions and suits court production. The token approach — such as [REDACTED - Exemption 6] — adds explicit exemption citation for more detailed records.
The Bottom Line
FOIA is a legal duty. The 20-business-day deadline is not a goal. When request volumes exceed what staff can handle, failures follow.
AI-powered batch redaction does not replace legal judgment. It removes the mechanical phase — finding and marking standard personal data across thousands of documents. That phase consumes 70–80% of review time. Staff can then focus on the 10–20% of documents where context matters.
ARPA-H and HHS/CMS both saw this. State and local governments and EU organizations facing DSAR duties face the same challenge. See our security and compliance overview for how defensible redaction workflows are structured.