NCND/Glomar: When Agencies Neither Confirm Nor Deny the Existence of Records

The Office of Government Information Services (OGIS) offers dispute resolution services to Freedom of Information Act (FOIA) requesters and agencies. This function allows OGIS to observe and examine the interactions between requesters and agencies across the Federal government, and note common questions and issues that arise in the FOIA process. The FOIA Ombuds Observer addresses questions and issues frequently seen in our individual cases. Our goal is to increase efficiency and transparency in the FOIA process.

NCND/Glomar: When Agencies Neither Confirm Nor Deny the Existence of Records

March 29, 2024
No. 2024-01

The 2020-2022 term of the Freedom of Information Act (FOIA) Advisory Committee recommended that agencies provide information to requesters about Glomar responses in which an agency “neither confirms nor denies’’ (NCNDs) the existence of records. This FOIA Ombuds Observer, written for requesters, can be shared with the public by agencies on their FOIA websites as envisioned by the Committee.[1]

Federal agencies are required to disclose any record requested under the Freedom of Information Act (FOIA) unless the agency reasonably foresees that disclosure of that record would harm an interest protected by a FOIA exemption. There are nine FOIA exemptions, and they protect interests such as national security, personal privacy, and law enforcement. To invoke one of these exemptions, an agency will ordinarily search for the requested records, redact the information within a record that needs to be withheld (or withhold a record in its entirety), and reference the exemption used for the withholding. 

This process naturally confirms that the requested records exist. But what happens when the agency reasonably foresees that disclosing the fact that the requested records exist is itself protected from disclosure under an exemption? In those cases, the agency will ordinarily not search for the records, issue a Glomar response in which the agency “neither confirms nor denies” (NCND)s the existence of responsive records, and reference the exemption used for the response.[2] Therefore, unlike a typical withholding which protects the contents of a record from disclosure, a NCND/Glomar response protects the fact of a record’s existence from disclosure. To comply with FOIA’s disclosure requirements, when an agency receives a request for records where only some of those records trigger a NCND/Glomar response, the agency “splits” the request and issues a response that confirms that some of the records requested exist, while neither confirming nor denying the existence of other records.[3]

The Glomar Story[4]

The Glomar response arose from a 1975 FOIA request to the Central Intelligence Agency (CIA) inquiring about the agency’s operation to employ a recovery vessel—known as the Hughes Glomar Explorer—to recover a sunken Soviet nuclear submarine.[5]

In March 1968, a Soviet submarine carrying nuclear missiles sank in the Pacific. The Soviet military was unable to locate the wreckage during its months-long search, but the U.S. intelligence community understood the value of this opportunity and located the submarine wreck. To salvage the Soviet submarine without letting the then Union of Soviet Socialist Republics (USSR) know, the CIA worked with Howard Hughes, billionaire owner of Global Marine Development Inc., whose notoriety would provide a cover story for the salvage operation. The cover story was for Hughes to publicly announce that Global Marine would construct a ship to collect valuable minerals from the Pacific Ocean floor. The reality was that an expensive, one-of-a-kind ship was being built to retrieve the submarine. The ship—named the Hughes Glomar Explorer, ‘Glomar’ being a contraction of Global Marine—began the salvage operation in June 1974.[6] The cover story successfully prevented the USSR from identifying the operation's true nature; however, several months after its completion, U.S. news media learned details of the operation following a burglary at Hughes’ office, where his private files—including documentation of his agreement with the CIA—were stolen.[7] The CIA worked to prevent media coverage, but the story broke in February 1975, with numerous subsequent news stories piecing together the facts of the operation. When a journalist filed a FOIA request seeking additional information, the CIA found itself in uncharted territory.

The leak of information to the public following the burglary of Hughes’ office did not constitute an official acknowledgement by the government of the project. A confirmation by the CIA of the existence of related records would have been an official acknowledgement, however. Because the existence of the project was itself classified, the CIA stated in its response to the FOIA request that “[w]e can neither confirm nor deny the existence of the information requested, but hypothetically, if such information were to exist, the subject matter would be classified and could not be disclosed.”[8] Since the project involving the Hughes Glomar Explorer is the first case in which an agency refused to either confirm or deny the existence of records, this type of response is often known as the “Glomar response.”

Although the concept of NCND/Glomar originated as a response to a request for national security records in a court case, today, agencies issue NCND/Glomar responses to requests for records covered by other exemptions as well. National security and requests for records that implicate an individual’s personal privacy are two of the topics that trigger NCND/Glomar responses most frequently.[9]

NCND/Glomar and National Security Information

FOIA Exemption 1 protects from disclosure information that has been deemed classified “under criteria established by an Executive Order to be kept secret in the interest of national defense or foreign policy”[10] and is “properly classified pursuant to such Executive order.”[11] Some agencies also use FOIA Exemption 3, which protects information that has been specifically exempted from disclosure by statutes other than FOIA. An example of an Exemption 3 statute is the National Security Act of 1947, which protects intelligence sources and methods.

The Executive Order, and the national security statutes that qualify for Exemption 3[12] withholding, recognize both the right of the public to be informed about activities of its government and the need to protect national security information from unauthorized or untimely disclosure. As illustrated in the original Glomar story, when an agency receives a request for records, and the very existence or nonexistence of those records is itself classified, the agency will issue a NCND/Glomar response—refusing to either confirm or deny the existence of the requested records.[13] Courts have routinely upheld this response if the agency logically or plausibly explains that revealing the existence of records would harm national security. 

NCND/Glomar and Privacy

FOIA Exemptions 6 and 7(C) authorize agencies to withhold information when they reasonably foresee that disclosure could cause an unwarranted invasion of an individual’s personal privacy. Exemption 6 protects personnel, medical, and similar records which, if disclosed, would constitute a clearly unwarranted invasion of personal privacy. Exemption 7(C) protects records or information compiled for law enforcement purposes which, if disclosed, could reasonably be expected to constitute an unwarranted invasion of personal privacy. 

While these two exemptions differ slightly in the types of records to which they apply, and the likelihood and type of privacy invasion they are protecting, NCND/Glomar works the same way for both: the focus is on whether disclosing the existence of responsive records harms the interest being protected, in this case, an unwarranted privacy invasion of a third-party. For example, a request for the investigatory file of an individual that is not publicly known to have been criminally investigated would likely trigger a NCND/Glomar response. The privacy interest is in avoiding the stigma of having this individual’s name associated with a criminal investigation. Another example might be a request for the disciplinary records for a government employee who is well-known, but does not have a public record of misconduct. Here, although the individual is well-known, this particular fact about the individual is not well-known, and may cause an unwarranted privacy invasion if disclosed. Information need not be intimate or embarrassing to trigger a NCND/Glomar response.

A NCND/Glomar response is generally not appropriate when the third-party individual is deceased[14] or has waived their privacy rights. It is also not appropriate when there is a substantial FOIA public interest in the requested information that outweighs the individual’s privacy interest (see discussion below). 

Ways to Avoid and/or “Pierce” a NCND/Glomar Response

When preparing a request, the requester should consult any information provided on the agency’s website to check for tips on avoiding scenarios that may invoke a NCND/Glomar response.[15] The Central Intelligence Agency, for example, notes on its FOIA website that it will neither confirm nor deny the existence of records on 10 subjects, including specific confidential or covert relationships; names, official titles, and salaries of CIA personnel; and data relating to the CIA budget and/or expenditures.[16]

If a requester receives a NCND/Glomar response that they believe is incorrect, the requester should administratively appeal the initial decision in accordance with the instructions provided in the agency’s response letter, and include evidence that shows that the fact of the existence of the requested records is known. This can be evidence that the requested records have already been officially acknowledged, a privacy waiver from the individual about whom the records are sought; or the individual’s proof of death, such as an obituary or death certificate. In the privacy context, the requester can also show that the FOIA public interest outweighs the individual privacy interest.

Alternatively, a requester may want to file a new FOIA request that is broader in nature and not as targeted. The broadened scope may place the request into a category of information that is unclassified, or has been publicly acknowledged by the agency, and therefore not result in a NCND/Glomar response.

Official Acknowledgment

In both the national security and privacy contexts, if a requester can demonstrate that an agency has previously disclosed the existence of the same records they have requested, they could successfully challenge an agency’s NCND/Glomar response. The previously disclosed information must be virtually identical to the requested information, and it must have been released through a documented official disclosure, not public speculation or a leak. Statements contained in media reports of government officials who are not authorized to speak for the agency do not constitute official acknowledgment. Similarly, a general acknowledgment of an agency’s intelligence activities usually will not be enough to overcome a NCND/Glomar response regarding specific details of an operation that have not officially been acknowledged by the government. An acknowledgement or admission by one agency generally does not constitute an acknowledgement or admission for another agency. 

FOIA Public Interest

A requester may be able to show how disclosure of the personal information would shed light on agency operations sufficient to override the privacy interests of the individual who is the subject of the request. Under FOIA, the extent to which information would shed light on an agency’s performance determines the “public interest.” The public has an interest in information that would reveal how an agency operates, such as how it makes its decisions and carries out its responsibilities. A requester’s identity or personal interest in—or need for—the information is not considered a public interest. Rather, a requester must show how disclosure of personal information would shed light on agency operations while it is performing its statutory duties. To demonstrate an overriding public interest in disclosure of information related to “official misconduct,” for example, a requester “must produce evidence that would warrant a belief by a reasonable person that the alleged Government impropriety might have occurred.”[17]

If a requester seeks access to information that would cause an unwarranted invasion of a third party’s privacy they must provide a privacy waiver, proof of death, or show that there is a significant public interest in disclosure of the materials requested. If a requester fails to provide such information, an agency will, after balancing the individual’s privacy interest against the public’s interest in knowing how an agency operates, and considering the foreseeable harm in disclosure, invoke an Exemptions 6 and/or 7(C) NCND/Glomar to neither confirm nor deny the existence of records requested.[18] A third-party request for information in law enforcement records will typically result in the agency issuing a NCND/Glomar response. The reason for this response is that members of the public are likely to draw adverse inferences from the mere fact that an individual is mentioned in an agency’s law enforcement records files and would cast them in an unfavorable or negative light. Courts have recognized that individuals have substantial privacy interests in information that either confirms or suggests that they have been subject to criminal investigations or proceedings.

Why Does My Response Letter Say the Agency Found Some Records, But Can Neither Confirm Nor Deny the Existence of Other Records?

To ensure that requesters receive the maximum information possible, agencies will sometimes “split” a request to make a determination regarding the records that are not eligible to receive a NCND/Glomar response. For example, agencies in the intelligence community have separate file systems for unclassified and classified records. Agencies have a duty to release all unclassified, non-exempt information. Therefore, if a FOIA request turns up responsive records in both systems, agencies may sometimes explain that the agency searched and found (or has not found) responsive records, and will also neither confirm nor deny the existence or nonexistence of records responsive to the request. That response may seem contradictory; however, this means the agency is confirming the existence or non-existence of responsive records in its open, acknowledged files, while at the same time refusing to confirm or deny the existence or non-existence of records in its classified files. Similarly, for a request that seeks non-law enforcement records as well as law enforcement records, or which seeks acknowledged law enforcement files as well as unacknowledged files, courts have upheld agencies' use of a “bifurcated” or two-pronged approach in its response, i.e., using NCND/Glomar in response to a part of the request, and addressing and processing separately other records that the agency locates.

Success in Piercing an NCND/Glomar Response: Not the End of the Matter

Even if a requester is able to overcome a NCND/Glomar response, the agency will still need to review the records and determine whether any of FOIA’s nine exemptions apply that would prevent the agency from releasing some or all of the responsive information.

1. Recommendation No. 2022-03, contained in the Final Report and Recommendations of the Freedom of Information Act Federal Advisory Committee 2020-2022 Term, proposed “that agencies provide information to requesters on their websites about the circumstances that will likely result in a ‘Neither Confirm Nor Deny’ response, and, when possible, include suggestions on how to avoid such a response.” 

2. The phrase itself, “neither confirm nor deny,” has long appeared frequently in news reports, as an alternative to a “no comment” response when the respondent does not wish to answer. In 1911, for example, the Boston and Maine Railroad told the Boston Globe it would “neither confirm nor deny” reports about its future plans. “Manager Barr Silent” Boston Globe. February 10, 1911 – via Newspapers.com. In 1916, Ford representatives said they would "neither confirm nor deny" that price cuts were in the offing for its popular Model-T automobile. “Report says Ford price to go down,” Huntington Herald. July 31, 1916 – via Newspapers.com. And when the governor of Kansas was questioned in 1920 about a report addressing a state official's potential ouster, he responded that he would “neither confirm nor deny” the report’s existence. “May Ask Kansas Bank Commissioner to Quit Office," Ponca City News, June 26, 1920 – via Newspapers.com.

3. See generally FOIA Update, Vol. XVII, No. 2, at 3-4 (“OIP Guidance: The Bifurcation Requirement for Privacy 'Glomarization'”) (providing guidance on how agencies should handle requests for law enforcement records on third parties).

4. For a complete history of the term, see The FOIA Ombudsman blog post “What the FOIA is Glomar?!?”

5. See Phillippi v. CIA, 546 F.2d 1009 (D.C. Cir. 1976).

6. https://abcnews.go.com/US/cias-secret-history-phrase-confirm-deny/story?id=24033629.

7. https://www.nytimes.com/1975/03/14/archives/cia-link-to-hughes-reported-disclosed-by-burglary-on-coast.html.

8. See Phillippi v. CIA, 546 F.2d 1009 (D.C. Cir. 1976).

9. “We FOIA’d every federal agency for their ‘Glomar’ responses. Here’s what we learned.” March 15, 2024, https://www.rcfp.org/glomar-denials-data-analysis/.

10. Each President, beginning with President Harry S. Truman in 1951, has either issued a new or revised executive order, or adopted a previous President's executive order, establishing the policy for the protection of national security information. The Executive Order currently in effect, Executive Order (E.O.) 13526, issued on December 29, 2009 by President Barack Obama, prescribes a uniform system for classifying, safeguarding, and declassifying national security information.

11. See E.O. 13526, § 1.4 (a condition for proper classification is a determination that disclosure of the information “could reasonably be expected to cause identifiable or describable damage to the national security”).

12. A list of these statutes is maintained by the Department of Justice: https://www.justice.gov/oip/foia-resources#s4.

13. See E.O. 13526, § 3.6 (a) (“[a]n agency may refuse to confirm or deny the existence or nonexistence of requested records whenever the fact of their existence or nonexistence is itself classified ….”).

14. Deceased individuals have greatly diminished personal privacy rights in the FOIA context. However, a deceased individual’s survivors may have a privacy interest in preventing disclosure of certain information pertaining to the deceased. 

15. See 2020-2022 FOIA Advisory Committee’s Final Report and Recommendations to the Acting Archivist of the United States, dated June 9, 2022, Rec. No. 2022-03.

16. https://www.cia.gov/readingroom/frequently-asked-questions. 

17. NARA v. Favish, 541 U.S. 157, 174 (2004).

18. See The Freedom of Information Act Guidelines issued by the Attorney General on March 15, 2022., https://www.justice.gov/ag/file/1208711-0/dl?inline.