Senate Overturns CFPB “Guidance” Document

The Senate has overturned a CFPB “guidance” document that was for all intents and purposes a regulation. This repeal was effected by the Congressional Review Act (“CRA”) which allows the Congress to overturn regulations within 60 days of the later of the regulation being sent to Congress or being published in the Federal Register. As I wrote for the Hill in March of last year, the CRA’s evasion of the filibuster invites a deregulatory agenda by the Congress that need not be blocked by partisan divisions or the filibuster. As we noted on this website at that time there are many, many such regulations. With the wise test of a “guidance document” by Senator Toomey more avenues for reform open up.

I have remarked on the threat to the Rule of Law and our Constitutional structure by the CFPB before. One of its previous high-handed regulations has already been removed by a similar use of the CFPB to our applause. The various federal agencies’ attempts to rule by letter and by guidance have been brushed back here and there. But they remain a troubling bureaucratic subversion of the fundamental separation of powers created to protect and empower American liberty.

John J. Vecchione is president and CEO at Cause of Action Institute.

Oversight Victory: Tax Regulations Now Subject to OMB Review

In a major win for oversight and constitutional governance, the White House Office of Management and Budget (“OMB”) and the Department of the Treasury have scrapped a decades-old agreement that exempted many IRS tax regulations from independent review and oversight.  In its place, the agencies have set up a new agreement that requires Treasury to submit important tax regulations to OMB’s Office of Information and Regulatory Affairs (“OIRA”) for review pursuant to Executive Order 12,866 (“EO 12,866”) just like nearly every other agency.

This change came after an investigative report from Cause of Action Institute and a sustained campaign over the past few months from supporters of OIRA review.  From a transparency perspective, this agreement is already an improvement because it has been announced publicly, posted on Treasury’s website, and not kept secret for thirty-five years, like the previous agreement.

 

The New Memorandum of Agreement

The new agreement will require Treasury to submit the following categories of tax regulations to OIRA for review:

All three categories are well conceived.  First, one of the main focuses of OIRA review has always been interagency consultation.  And IRS rules can overlap with rules from the Department of Labor and, increasingly in the wake of the Affordable Care Act, the Department of Health and Human Services.  Allowing those and other agencies to weigh in on proposed tax regulations is an appropriate and necessary level of oversight, and can lead to better policymaking.  At the Senate hearing where the agreement was unveiled, Senator Lankford asked Treasury General Counsel Brent McIntosh who will make the determination of whether a new rule is likely to create a conflict with another agency.  McIntosh replied that, under the agreement, Treasury will submit a list of rules to OIRA on a quarterly basis and OIRA will then be in a position to flag rules that may create a conflict.

Second, Treasury will send OIRA tax regulations that raise novel legal or policy issues.  These are exactly the type of rules should not be decided in a vacuum and when independent review from OIRA and others can provide a fresh look at novel questions.  This is also an existing category of rules that are covered by EO 12,866 and so it makes sense to include tax regulations in this existing mandate.

Third, and finally, the new agreement includes tax regulations that are likely to have an annual non-revenue impact on the economy of $100 million or more.  This is the existing threshold for significant regulatory actions for other agencies.  The agreement makes a distinction for the “non-revenue” impact of tax regulations.  This is a commonsense distinction because OIRA review and cost-benefit considerations should be focusing on the distortionary impacts of regulatory choices, not money transferred to the fisc.  This modification of the existing language in EO 12,866 was necessary to fit the existing system to the way tax regulations work.  At the hearing, Senator Lankford asked McIntosh which rules from the 2017 tax cuts may meet this threshold.  McIntosh estimated that rules related to pass-through entities, interest expense deductions, bonus depreciation, section 199A, partnerships under section 512, and section 951A could now be subject to OIRA review.

 

The New MOA Puts OIRA in Control

The new agreement includes an important provision that bars Treasury from rushing rules out the door to the Federal Register before OIRA has signed off.

In order for the president and the White House to properly oversee the Executive Branch, they must be able to control its regulatory actions.  This provision makes it explicit that OIRA gets the final say.

 

Agreement Addresses Concerns about Delay and Expertise

Perhaps the biggest pushback against subjecting tax regulations to the same review that applies to other agencies’ rules was concerns about delay.  The new agreement addresses that issue by putting a 45-day clock on OIRA review and a special 10-business-day expedited review for rules stemming from the 2017 tax cuts.  Responding to concerns about OIRA’s expertise, Administrator Naomi Rao announced that Minnesota Law Professor and tax administration expert Kristin Hickman was joining OIRA as an advisor.  And OMB has been staffing up on other tax experts as well.

 

Concerns about the New Agreement

There is at least one concern about the agreement.  It only applies to “tax regulatory actions,” which the agreement gives the same meaning as “regulatory actions” in EO 12,866.  That definition covers “any substantive action by an agency (normally published in the Federal Register) that promulgates or is expected to lead to the promulgation of a final rule or regulation, including notices of inquiry, advance notices of proposed rulemaking, and notices of proposed rulemaking.”  Noticeably absent from this definition are interpretative rules that are not published in the Federal Register.  The IRS is notorious for trying to claim that its rules are interpretative and do not need to follow the strictures of the Administrative Procedure Act.  (CoA Institute recently filed an amicus brief in a case challenging this behavior.)  It remains to be seen whether the IRS and Treasury will try to assert that interpretative rules do not meet the definition of a “regulatory action” under EO 12,866 and thus do not need to be sent to OIRA for review.  A fair reading of the term “regulatory action” should include interpretative rules, even under the IRS’s improperly broad definition of that term.

But overall a dramatic improvement in the oversight of tax regulations and milestone in the project to end so-called tax exceptionalism and bring IRS under the same administrative law as everyone else.

James Valvo is Counsel and Senior Policy Advisor at Cause of Action Institute.  He is the principal author of Evading Oversight.  You can follow him on Twitter @JamesValvo.

CoA Institute Calls for EPA Watchdog Investigation into the Use of Unauthorized Electronic Messaging and Web-Based Email Apps on Agency Devices

Washington, D.C. – Cause of Action Institute (“CoA Institute”) wrote yesterday to the Environmental Protection Agency (“EPA”) Office of Inspector General (“OIG”) to request an investigation into the unauthorized use of electronic messaging and web-based email applications on agency-furnished and taxpayer-funded mobile devices, including iPhones and iPads. CoA Institute’s request follows the recent release under the Freedom of Information Act (“FOIA”) of a contractor-generated report that proves EPA employees installed at least sixteen different messaging applications, including Facebook Messenger and Google Hangouts, in contravention of official agency policy.  EPA employees also installed personal email programs, such as AOL and Yahoo Mail, on their government phones.  The OIG previously examined the use of two other encrypted messaging applications, “Signal” and “WhatsApp,” after CoA Institute opened its own investigation into allegations concerning the possible avoidance of records management laws.

 Cause of Action Institute Counsel Ryan Mulvey: “The newest details concerning the range of applications that EPA employees installed on their taxpayer-funded phones and tablets raise serious concerns.  Beyond the fact that many of these applications should never have been found on a government phone because of their personal nature, the presence of sixteen different electronic messaging applications raises doubts about the EPA’s compliance with record preservation rules.  All work-related communications created or received on a personal email account, or an electronic messaging program like Facebook Messenger, should have been preserved for disclosure to the public.  The EPA Inspector General must examine this matter and consider what steps the agency should take to rectify any deficiencies in meeting its record preservation obligations.”

Shortly after President Trump took office, Politico reported that a small group of EPA employees were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the new Administration’s policy agenda.  CoA Institute opened an investigation and, over the past year, has slowly pieced together details about the Signal scandal.

In response to its first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Then, records released to CoA Institute revealed how an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  That scan, which was requested “orally” by the OIG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed the contractor-generated report, as well as other documents.  A summary of the report, which consists of a list running ninety-six pages long, identifies all of the applications installed on most agency-furnished devices.

In addition to Signal and WhatsApp, at least another sixteen applications with electronic messaging capabilities were used by EPA employees, along with three email programs.  To the extent the OIG was unaware of these other messaging applications, further inquiries are necessary, as the use of these applications raise issues relating to federal records management.  Moreover, although the OIG has reported that the EPA disabled the ability of many iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet its recordkeeping obligations.

CoA Institute’s April 11, 2018 letter to the EPA Inspector General is available HERE.

For information regarding this press release, please contact Nichole Wilson: Nichole.wilson@causeofaction.org

Cause of Action Institute Launches Investigation into Agency Use of Instant Messaging Applications

The number of communications devices and platforms has mushroomed in recent years, making communication both quicker and easier. Naturally, these technologies have been incorporated into business and government. The use of instant messaging applications (“IM”) for business communications has become so common that most enterprise software includes IM functionality (for example, Google Hangouts, Skype for Business instant messaging, Slack, etc.).

In response to these developments, the Federal Records Act (“FRA”) was amended in 2014 to codify a new definition of electronic messages.  The FRA now states that electronic messages include “electronic mail and other electronic messaging systems that are used for purposes of communicating between individuals” 44 U.S.C. § 2911. Electronic communications sent or received in the course of agency business—regardless of the method of message delivery—are therefore federal records and must be properly captured, retained, and stored such that they can be searched and reproduced upon request. National Archives and Records Administration (“NARA”) Bulletin 2015-02, “Guidance on Managing Electronic Messages,” makes this explicitly clear.

Unfortunately, recent events have highlighted the failure of federal agencies to properly capture, retain, and store electronic messages, including:

  • five months of missing, and then recovered, text messages between the FBI’s Peter Strzok and Lisa Page related to their official duties,
  • 2016 EPA Inspector General investigation into the use of encrypted text messages,
  • CFPB using encrypted messaging apps, the so-called “Dumbledore’s Army”,
  • IRS not retaining communications through their internal instant messaging system due to a memorandum of understanding with the Treasury Employees Union, and
  • NOAA’s questionable use of Google Hangouts.

It appears incidents of federal agencies neglecting and/or intentionally failing to properly capture, retain, and store electronic messages that are federal records are not isolated or exceptional. In light of this, CoA Institute has launched a broad inquiry into federal agencies’ efforts to implement the 2014 FRA amendments and NARA Bulletin 2015-02. Last week, CoA Institute sent FOIA requests to nearly forty agencies seeking records:

  • regarding policies on the use, retention, and management of electronic (instant) messages;
  • related to implementation of or compliance with NARA Bulletin 2015-02;
  • reflecting the electronic messaging systems installed on agency devices; and
  • reflecting whether the agency has enabled automatic electronic message archiving, indexing, and eDiscovery features on instant messaging platforms in use.

The FRA and Freedom of Information Act are essential to government transparency and accountability and they must be enforced even when—or especially when—government regulations, policies, and practices lag behind the implementation of new technologies. With respect to instant messages, the federal government’s characteristic bureaucratic torpidity bears potentially far-reaching implications for proper oversight of the federal government. With this investigation, CoA Institute seeks to discover whether (and where) government neglect or exploitation of new technologies threatens transparency and accountability.

 

Thomas Kimbrell is a research fellow at Cause of Action Institute.

Sixth Circuit Should Follow Supreme Court’s Precedent and Recognize Limits of Anti-Injunction Act

Today, Cause of Action Institute filed an amicus brief in CIC Services, Inc. v. IRS in the U.S. Court of Appeals for the Sixth Circuit.  At issue in the case is whether the Anti-Injunction Act prohibits courts from reviewing whether the IRS complied with the Administrative Procedure Act (“APA”) when it issued a notice related to captive insurance companies.  We urged to appellate court to reverse the district court’s ruling that the Act blocks the suit and to resist the temptation to extend the D.C. Circuit’s flawed reasoning from Florida Bankers.

Notice 2016-66 and Captive Insurance

The rule at issue is contained in Notice 2016-66.  The IRS believes that small companies are using captive insurance companies (i.e., a type of self-insurance vehicle owned by the company or an affiliate) as a tax shelter.  But the IRS isn’t really sure if they are or what types of captives could be problematic.  So the IRS created a new category of “reportable transaction” known as a “transaction of interest,” which requires companies to proactively disclose when they are using a captive insurance company to self-insure.

The problem is that this creates a recordkeeping and reporting burden on small businesses and threatens fines if they do not comply.  CIC Services, the plaintiff-appellant in the case, estimates it would require hundreds of hours of labor and more than $100,000 to comply with the notice.  Further, “reportable transactions” are a scarlet letter in the tax world, and many businesses would rather avoid the underlying behavior than disclose they are engaging in a “reportable transaction.”

The IRS is doing all of this without notice and comment, without studying the adverse impact of its fishing expedition, and in conflict with Congress repeatedly authorizing captive insurance vehicles for small businesses.  CIC Services is also challenging whether the IRS can create a “transaction of interest” without issuing a formal regulation because Congress has limited the IRS’s ability to make “reportable transactions” to those “as determined under regulations prescribed” by the agency.[1]  A simple notice does not meet this standard.

An Overbroad Use of the Anti-Injunction Act Stands in the Way

The parties’ dispute over Notice 2016-66 and whether it violates substantive and procedural limitations on the agency has all the makings of a rather pedestrian APA case.  This is why we have preenforcement judicial review of agency rulemaking.  Enter the Anti-Injunction Act, which prohibits suits “for the purpose of restraining the assessment or collection of any tax shall be maintained in any court by any person.”[2]  The district court agreed with the IRS that the Act blocked the CIC Services suit.

But Notice 2016-66 deals with neither the “assessment” nor the “collection” of any tax; it creates a reporting requirement.  The U.S. Supreme Court unanimously has held that “notice and reporting requirements precede the steps of ‘assessment’ and ‘collection’” and that suits challenging reporting requirements do not “restrain” those activities and do not trigger the Anti-Injunction Act.[3]    But the D.C. Circuit recently ignored the Supreme Court’s decision in Direct Marketing in Florida Bankers[4] and the Six Circuit may be tempted to extend the D.C. Circuit’s ruling.  CoA Institute submitted an amicus brief in support of a cert petition in Florida Bankers, but the Supreme Court declined to hear the case.

CoA Institute Shows the Court the Consequences of an Overbroad Anti-Injunction Act

The litigants in the case will present the court with all of the issues above.  CoA Institute’s contribution was to introduce the court to the consequences of allowing IRS rulemaking to go unreviewed.  We presented the research underlying our recent investigative report, Evading Oversight: the Origins and Implications of the IRS Claim that its Rules Do Not Have an Economic Impact.  The danger of allowing the IRS to continue to use an over-expansive reading of the Anti-Injunction Act to block judicial review of its rulemakings is that the IRS will continue to ignore the substantive and procedural limitations on its authority.

Congress and the president have established a series of oversight mechanisms to ensure that agencies are complying with procedural requirements, taking public comments into account, and properly mitigating the adverse impacts of their rules, when possible.  But the IRS has erected a series of self-made exemptions from these oversight requirements.  One of those exemptions is at issue in CIC Services: does the IRS have to comply with the APA when it promulgates legislative rules?  A broad reading of the AIA blocks the courts from answering that question and so the IRS continues to flout the rules.

Conclusion

The Sixth Circuit should reject any invitation to extend Florida Bankers, adhere to Supreme Court precedent from Direct Marketing, and reverse the district court’s ruling that the Anti-Injunction Act prevents preenforcement judicial review of whether the IRS complied with the APA when it issued Notice 2016-66.

James Valvo is Counsel and Senior Policy Advisor at Cause of Action Institute.  He is the principal author of Evading Oversight.  You can follow him on Twitter @JamesValvo.

[1] 26 U.S.C. § 6707A(c)(1).

[2] 26 U.S.C. § 7421.

[3] Direct Mktg. Ass’n v. Brohl, 135 S. Ct. 1124, 1131 (2015).

[4] Florida Bankers Ass’n v. Dep’t of Treasury, 799 F.3d 1065 (D.C. Cir. 2015)

Investigation Update: EPA Employees Used a Range of Messaging Apps and Other Non-Work-Related Programs on Agency-Issued Mobile Devices

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”) were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the Trump Administration’s policy agenda.  The use of Signal at the EPA mirrored reports about the use of other electronic messaging platforms across the government.

Records recently released to CoA Institute under the Freedom of Information Act (“FOIA”) now confirm that a number of EPA employees installed Signal, WhatsApp, and at least sixteen other messaging applications on their agency-furnished devices.  These records also reveal that EPA employees installed a panoply of other applications—including email, sports betting, dating, and entertainment applications—that raise questions about the use of government-issued and taxpayer-funded mobile devices for personal purposes.

CoA Institute’s Investigation of Messaging Apps at the EPA

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal because we were concerned that the application might be used to conceal internal agency communications from oversight and to avoid EPA obligations under the FOIA and the Federal Records Act (“FRA”).  We were not alone in our suspicions.  After the House Committee on Science, Space, and Technology’s requested that the EPA Inspector General analyze the allegations reported in the press, the National Archives and Records Administration (“NARA”) opened its own inquiry into the potential violation of federal records management laws.  That inquiry remains open.

Over the past year we have slowly pieced together details about the Signal scandal.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Although the EPA initially claimed that many records would be withheld in full, it changed its position and released records that corroborated the alarming facts reported by the media.  But, as we have explained, the records also revealed much more.  Among other things, they confirmed that CoA Institute’s original FOIA request, as reported by the Washington Times, was the actual impetus for the EPA Inspector General’s (“IG”) investigation.  As Assistant Inspector General Patrick Sullivan noted at the time:

The records also confirmed that an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  This scan, which was requested by the IG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed that contractor-generated report, as well as other documents.

The EPA IG’s Investigatory Conclusions on Signal

The EPA IG memorialized its findings about the Signal scandal in a series of investigatory memoranda.  The watchdog determined that Signal was not used to “purposefully circumvent the applicable Federal record retention rules.”  Nevertheless, it concluded that two employees—one in the Office of the Inspector General and the other in the Office of the Science Advisor—violated agency policy by downloading the unapproved application, as revealed by a summary of a subset of the MDM report.

In each instance, the IG interviewed the offending employee and consulted the Department of Justice before concluding that no “discernable crime” had been committed.  The employee in the Office of Inspector General had downloaded Signal “to see if there was a suitable law enforcement purpose for the application.”

The employee in the Office of the Science Advisor denied having the application on his or her device, but consented to an examination of the phone.  Although Signal “did not appear to be currently installed,” there was no final explanation for how the application originally found its way onto the phone.  The IG opined that it could have happened due to unintentional synching with a personal Apple account.

But Maybe the Problem Was Never Signal . . .

As exonerating as the IG’s conclusion may be, the story does not end there.  While investigating the use of Signal, the EPA and the IG also discovered that fifty-eight employees violated official policy by downloading another encrypted messaging app, named “WhatsApp.”

The IG similarly determined that federal records laws had not been violated based on voluntary interviews of the fifty-eight employees, but this finding is somewhat contradicted by the admission of two employees that they used WhatsApp for “official EPA work.”

When all fifty-eight employees were polled on their “motivation and intent” for downloading WhatsApp, the clear majority cited a “lack of clarity” in the agency’s policy for not installing unapproved applications.  More than half also suggested that they had downloaded WhatsApp for “the purpose of keeping in touch with family/friends domestically or overseas.”

A Potentially Serious Deficiency in the EPA IG’s Inquiry

When the EPA scanned the contents of most mobile devices during the Signal investigation, it also produced a summary of all the applications installed on agency-furnished devices, along with an “install count” for each program.  The list runs ninety-six pages long and its contents are shocking.

To begin with, although the Signal scandal originally concerned the use of that single program, and was later expanded to include WhatsApp, the complete MDM report, which was released to CoA Institute, indicates that at least another sixteen applications with electronic messaging capabilities were being used by EPA employees.  These applications—many of which are likely unapproved and raise the exact same FOIA and FRA concerns as Signal and WhatsApp—include:

AIM (1 phone)
BlackBerry Messenger (3 phones)
Facebook Messenger (227 phones)
Google Hangouts (27 phones)
GroupMe (10 phones)
Jabber (27 phones)
KakaoTalk (3 phones)
Kik (1 phone)
LINE (1 phone)
Skype (58 phones)
Slack (7 phones)
Snapchat (25 phones)
Telegram (1 phone)
Viber (19 phones)
WeChat (2 phones)
WickrMe (1 phone)

Why did the EPA IG fail to investigate these other applications, some of which are capable of encrypted messaging?  Perhaps because the EPA’s Office of Environmental Information never handed over the full MDM report.  This is suggested by two records.

First, the EPA admitted to CoA Institute that it prepared two attachments (here and here) containing subsets of data from the MDM report, namely, those data that revealed the number and identifies of users with Signal or WhatsApp installed on their phones.

Second, the transmission of only the two summaries is suggested by the email referenced above, which also was disclosed to CoA Institute.  An IT team leader, Greg Zurla, sent the heads of the Office of Environmental Information, Steven Fine and Harvey Simon, the data about Signal and WhatsApp, but nothing else.  The IG’s final investigatory memoranda likewise reflect a targeted investigation into Signal and WhatsApp, with no mention of a broader dataset that could expose the unapproved use of similar encrypted messaging applications.

To the extent the IG was not—or still is not—aware of so many other messaging applications, then further inquiries need to be made.  Whether these platforms were used for personal or work-related purposes, they are problematic and raise issues relating to federal records management.  Moreover, although the IG has suggested that the EPA disabled the ability of some iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet all recordkeeping obligations.

The Use of Government Property for Personal Use is Deeply Troubling

The results of the IG investigation raise other troubling questions.  Why should a government employee be able to justify his installation of an unapproved, and legally problematic, application on agency-furnished hardware by claiming that he wanted to use it for personal purposes?  Should taxpayers pay for EPA employees to use government data plans to communicate with “family and friends”?

The full MDM report disturbingly reveals the sheer number of non-work-related applications that EPA employees installed.  Some of these, such as web-based email programs, raise records management issues that have plagued other agencies like the Department of Homeland Security.  The applications can be grouped into a number of categories.  Here is a sampling:

  • Web-Based Email
    AOL (16 phones)
    Gmail (129 phones)
    Yahoo Mail (56 phones)
  • Social Media
    Facebook (466 phones)
    Instagram (162 phones)
    LinkedIn (117 phones)
    Pinterest (75 phones)
    Reddit (20 phones)
    Twitter (310 phones)
  • Dating
    Coffee Meets Bagel (1 phone)
    OK Cupid (1 phone)
  • Personal Banking and Finance
    AmEx (11 phones)
    Barclaycard (6 phones)
    Bank of America (29 phones)
    CitiMobile (10 phones)
    Wells Fargo (24 phones)
    Navy Federal (11 phones)
    PayPal (10 phones)
  • Entertainment and Sports Betting
    Angry Birds (14 phones)
    Blackjack (5 phones)
    Candy Crush (32 phones)
    Draft Kings (1 phone)
    Duolingo (10 phones)
    ESPN (60 phones)
    Fandango (15 phones)
    HBO (15 phones)
    Netflix (73 phones)
    Pokémon GO (7 phones)
    Shazam (22 phones)
    SiriusXM (19 phones)
    Spotify (71 phones)
    YouTube (237 phones)
  • Shopping
    Amazon (56 phones)
    eBay (16 phones)
  • Religious
    Bible apps (22 phones)
    Catholic TV (1 phone)
  • Political
    Boycott Trump (1 phone)

Again, this is a non-exhaustive list.  The full list can be accessed here.

Based on the EPA’s list of approved “Terms of Service” agreements, it appears that most of these applications were never authorized for work-related business.  To the extent they were used for personal purposes, the EPA should take its workforce to task for abusing the privilege of a government-furnished and taxpayer-funded phone.

Although the IG reports that the EPA has disabled the Apple Store on newer models of the iPhone and iPad, we hope the agency makes serious efforts to remove these troubling applications from all makes and models of the hardware furnished to employees.  Simply stated, the EPA does not exist so its bureaucrats can spend the day watching Netflix, browsing eBay, or swiping right on a dating application.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Lawsuit Prompts Archivist to Examine Potential Record Destruction at NOAA

Cause of Action Institute (“CoA Institute”) filed a lawsuit last summer against the National Oceanic and Atmospheric Administration (“NOAA”) seeking copies of electronic records created through the agency’s Google-based email platform.  These types of records are commonly known as “instant messages.”  The Freedom of Information Act (“FOIA”) requests at issue (available here and here) also sought formal agency guidance on the retention of “Google Chat” or “Google Hangouts” messages.  We had already learned, through earlier investigation, that at least one internal NOAA handbook, dating from March 2012, instructed agency employees to treat all chat messages as “off the record,” raising concerns about potential unlawful record destruction at NOAA.

Media Coverage of CoA Institute’s Lawsuit Tipped-off the National Archives

The Daily Caller News Foundation reported on CoA Institute’s lawsuit shortly after it was filed.  Officials at the National Archives and Records Administration (“NARA”), which is tasked with policing federal records management across the government, took notice of the story and subsequently opened an inquiry on July 17, 2017 into CoA Institute’s allegations.  NARA gave NOAA “30 calendar days” to indicate how it planned to address the retention of “Google Chat and Skype messages,” and, if necessary, to report an “unauthorized disposition,” that is, the improper destruction of records.

As far as we know, eight months later, NOAA still has not responded to NARA.  We only learned about the NARA inquiry due to the agency’s recent decision to proactively disclose information on all pending investigations into the unauthorized disposition of federal records.  We have filed FOIA requests with NOAA and NARA in order to discover the status of the inquiry, and we will provide further updates as more details become available.

The fact that CoA Institute had to file a FOIA request to obtain NOAA’s response to the NARA inquiry, as well as related communications, shows that NARA’s proactive disclosure regime on this topic could be improved.  NARA should add another category of materials to its webpage that includes all correspondence received from an agency under investigation for the improper treatment of records.

NOAA’s Questionably Legal Google Chat Policy Flouts NARA Guidance

It goes without saying that an agency-wide policy to treat all chat messages as categorically “off the record” is problematic.  Even if an agency expects its employees to keep business-related communications, which could qualify for retention under the Federal Records Act (“FRA”), off a chat-based platform, it is reasonable to assume that some messages worthy of preservation will be sent or received over instant messaging.  NARA Bulletin 2015-02 makes that point clear.  And even if some instant messages were not worthy of long-term historical preservation, they would still qualify as transitory records subject to NARA-approved disposition schedules.

A categorical policy such as the one that NOAA has adopted creates a moral hazard.  Officials who want to thwart transparency can communicate with chat or instant messaging and, at least in this case, there is no way for the agency, NARA, or the public to catch them in the act.  NOAA officials have been observed using Google Chat to communicate during a contentious meeting of the New England Fishery Management Council.  If an agency like NOAA refuses to police how its employees are using the chat function on their Google-based email accounts, it should disable the function all together.

Regardless of whether electronic messages created through Google Chat or Google Hangouts are subject to the FRA, they may still be subject to the FOIA, which defines an “agency record” in broader terms than the FRA’s definition of a “federal record.”  By failing to implement any sort of mechanism for preserving chat messages—even for the briefest period—NOAA is depriving the American public of access to records that could be particularly important in showing how the agency operates and regulates.

The worst part of this saga is that NOAA knew it was treading a thin line in deciding to treat Google Chat messages as “off the record.”  According on documents obtained through the FOIA, NOAA’s lawyers and records management specialists were aware that electronic messages would need to be saved for public disclosure if Google Chat were “on the record.”  Notes from an October 20, 2011 meeting reflect this:

NOAA also recognized that chat messages could, in theory, be subject to the FRA.  Yet NOAA Records Officer Patricia Erdenberger reasoned that, by treating Google Chat as “off the record,” the agency’s FRA obligations could be bypassed.  Making a questionable analogy to phone calls, Erdenberger suggested that chat messages be “considered transient electrons.”

Agencies must do a better job at keeping pace with evolving forms of technology.  As one of my colleagues has argued, the use of non-email methods of electronic communication—including text and instant messaging, as well as encrypted phone applications like Signal—has serious implications for federal records management.  The Department of Commerce, NOAA’s parent agency, has not updated it policy for handling electronic records since May of 1987.  NARA, for its part, has been critical of the Department’s failure to revise this guidance, which is “heavily oriented towards the management of digital records on storage media such as diskettes and magnetic tape.”  Still, thirty years is a long time for such inaction, even for the federal government.  The transparency community must therefore intensify its efforts to hold the government accountable until more effective ways of handling electronic records are introduced.

Ryan Mulvey is Counsel at Cause of Action Institute