close X

Search Results for: IRS

Politics Clouding Criticism of the EPA’s Heightened Sensitive Review FOIA Procedures

May 14, 2018 by

Last week, a report from Politico revealed that the Environmental Protection Agency (“EPA”) maintains a burdensome “sensitive review” process for Freedom of Information Act (“FOIA”) requests concerning Administrator Scott Pruitt’s activities.  According to internal sources, officials within the Office of the Administrator have “reviewed documents collected for most or all FOIA requests regarding [Pruitt’s] activities[.]”  The Politico report further claims that this “high-level vetting” has increased, as compared with the policies and practices introduced during the Obama years.  “This does look like the most burdensome review process that I’ve seen documented,” argued Nate Jones from National Security Archive.

It is true that the Trump Administration has enhanced sensitive review processes at the EPA.  Other agencies have witnessed a similar expansion of sensitive review, as Cause of Action Institute’s investigation of the National Oceanic and Atmospheric Administration demonstrates.  But it would be a mistake—as I argued last December—to think that the Obama White House was any better at avoiding FOIA politicization.  The EPA has a long and terrible track record for anti-transparency behavior.  Consider the agency’s blatant weaponization of fee waivers.  According to data compiled by the Competitive Enterprise Institute, and reported by Reason and The Washington Examiner, the Obama EPA regularly denied public interest fee waivers to organizations critical of the agency’s regulatory activities and the White House’s policy agenda.  By contrast, left-leaning groups nearly always (92% of the time) received fee waivers.

In addition to this viewpoint discrimination, the EPA suffered other transparency scandals.  Former Administrator Lisa Jackson infamously used a fictional alter ego—“Richard Windsor”—to conduct agency business on an undisclosed government email account.  And the EPA “misplaced” over 5,000 text messages sent or received by former Administrator Gina McCarthy and other top officials.  The Obama-era EPA also tolerated the widespread use of personal email accounts by high-ranking bureaucrats, a practice that significantly frustrated public access to agency records and proved to foreshadow or parallel other FOIA scandals at the White House Office of Science and Technology Policy, the Department of Defense, and Department of Homeland Security, the Internal Revenue Service, and, most famously, the State Department.  It is noteworthy that, in March of 2015, The Guardian—hardly a right-leaning paper—could seriously ponder: “Is the EPA having a transparency crisis?

The history speaks for itself: the EPA under Scott Pruitt is not a new or unique threat to transparent government.  The litany of FOIA abuses at the EPA and other agencies under both Presidents Obama and Trump demonstrate that we should fight the tendency to view the problem of FOIA politicization through a partisan lens.  “Sensitive review” matured as a practice in the Obama Administration, and is continuing under President Trump, but there are institutional motivations for any and all bureaucrats, regardless of party affiliation, to frustrate the disclosure of records, particularly if they are embarrassing or raise the specter of media attention.

According to EPA Inspector General reports published in August 2015 and January 2011, the EPA’s FOIA regulations allow political appointees—including the Chief FOIA Officer and authorized disclosure official in the Office of the Administrator—to participate in approving requests and redacting records.  Is it any wonder that an agency follows its own long-established rules for processing requests it deems “sensitive”?  So long as the law gives the agency an opportunity to violate the spirit of the FOIA, the agency will take advantage of that discretion, even if it means violating statutory timelines for responding to requesters.

When Administrator Pruitt directed his staff to involve itself with the disclosure of records, he continued a tradition of obstructing the public’s right to access government information.  He deserves the criticism he has received.  But focusing on Administrator Pruitt’s (or President Trump’s) regulatory agenda, or his personal views on hot-button topics like global warming, obscures the underlying problem and makes it more difficult to reach consensus on how to address the real issues.  The FOIA and implementing regulations, for one, need to prohibit “sensitive review,” or at least provide serious restrictions on its implementation.  And guidance from the Department of Justice should address the troubling aspects that sensitive review can present.  This should be part of a solution that everyone who believes in transparency can accept.

Ryan P. Mulvey is Counsel at Cause of Action Institute

Filed Under: Media, Blog Tagged With: , , , , , ,

Litigation Update: Cause of Action v. Department of Justice and the House Financial Services Committee’s Attempt to Undermine the FOIA

May 10, 2018 by

In July 2017, Cause of Action Institute (“CoA Institute”) sued the Department of Justice (“DOJ”) after the agency refused to produce records under the Freedom of Information Act (“FOIA”) that would have revealed whether the Office of Information Policy (“OIP”) or Office of Legislative Affairs (“OLA”) were involved in implementing a controversial directive from the U.S. House of Representatives Committee on Financial Services.  CoA Institute’s FOIA request, which was filed in May 2017, followed reports that Jeb Hensarling, Chairman of the Financial Services Committee, directed twelve agencies—including, the Department of the Treasury and eleven other entities—to treat all records exchanged with the Committee as “congressional records” not subject to the FOIA.

As a result of litigation, DOJ identified sixteen pages of responsive records.  Eleven pages, which represent communications between an “unidentified Executive Branch agency” and DOJ, were withheld in full.  One additional record—an email between the Office of the White House Counsel and OIP—was partially redacted, but an attachment—a copy of Chairman Hensarling’s letter—was withheld in full.  DOJ defended its treatment of these records by invoking the attorney-client and deliberative process privileges.

Last Friday, CoA Institute moved for summary judgment, rebutting DOJ’s claims and arguing that the agency could not use the attorney-client and deliberative process privileges.  With respect to the White House email and attachment, DOJ failed to establish that an attorney-client relationship existed between the White House Counsel and OIP.  Assuming the requisite relationship did exist, the email still neither revealed private confidences nor solicited legal advice.  It also did not reflect a deliberative or consultative process.  Instead, the email was a literal “FYI”—the sort of informational notice that courts regularly compel agencies to disclose:

DOJ also wrongly withheld the email attachment—a copy of Chairman Hensarling’s letter—because the letter is already in the public domain and, in any case, does not reveal confidential information pertaining to the White House or DOJ.

Communications with the “unidentified Executive Branch agency” similarly cannot be exempt under the attorney-client and deliberative process privileges.  Although these records may contain legal advice on responding to Chairman Hensarling’s directive, they were shared outside of the Office of Legal Counsel, which is the DOJ component responsible for providing legal opinions to the White House and the rest of the Executive Branch.  To maintain attorney-client confidentiality, an agency must not circulate privileged material beyond those officials tasked with providing (or receiving) legal counsel.  Here, by involving OLA, which functions as DOJ’s congressional affairs office and does not serve as an “attorney” to other agencies, the “unidentified” agency waived any expectation of confidentiality.  Finally, DOJ misused the deliberative process privilege because it failed to explain how these inter-agency communications reflected DOJ’s recommendations or opinions or were otherwise non-factual.

Importantly, DOJ also failed to meet its burden under the new “foreseeable harm” standard.  Congress introduced this standard with the FOIA Improvement Act of 2016 to codify the so-called “presumption of openness,” which discouraged the mere “technical” application of exemptions.  The FOIA, as amended, now requires an agency, such as DOJ, to explain how specific records can reasonably be foreseen to harm agency interests.  DOJ failed to provide a satisfactory argument in this case and did not even mention its obligations under the new standard.

* * *

The public deserves to know how, and to what extent, DOJ was involved in formulating and implementing Chairman Hensarling’s anti-transparency policy.  Because Congress is not itself subject to the FOIA, a request for records that have been exchanged with the legislative branch presents unique difficulties.  Nevertheless, the law requires that Congress manifest a clear intent to maintain control over specific records to keep them out of reach of public disclosure.  As I have argued previously, Chairman Hensarling’s directive is ineffective in this respect.  The mere fact that an agency possesses a record that relates to Congress, was created by Congress, or was transmitted to Congress, does not, by itself, render it a “congressional record.”  Any deviation from this acknowledged standard for defining a “congressional record” would frustrate the FOIA and impede transparent government.

The real-world implications of these sorts of congressional anti-transparency efforts are hardly imaginary or speculative.  The House Financial Services Committee has already intervened in a FOIA lawsuit to enforce its directive.  (That lawsuit is still ongoing.)  And CoA Institute is involved with a lawsuit against the Internal Revenue Service that involves a similarly overbroad effort by the Joint Committee on Taxation to sweep a range of agency records outside the scope of the FOIA.  CoA Institute has twice joined with other good government groups to express concern over these developments (here and here).  We are hopeful that the courts will put a stop to Congress’s games, and ensure public access to vital records revealing the interaction of the administrative state with the federal legislature.

CoA Institute’s brief is available here.

Ryan Mulvey is Counsel at Cause of Action Institute

Filed Under: Media, Blog Tagged With: , , , , ,

Oversight Victory: Tax Regulations Now Subject to OMB Review

April 13, 2018 by

In a major win for oversight and constitutional governance, the White House Office of Management and Budget (“OMB”) and the Department of the Treasury have scrapped a decades-old agreement that exempted many IRS tax regulations from independent review and oversight.  In its place, the agencies have set up a new agreement that requires Treasury to submit important tax regulations to OMB’s Office of Information and Regulatory Affairs (“OIRA”) for review pursuant to Executive Order 12,866 (“EO 12,866”) just like nearly every other agency.

This change came after an investigative report from Cause of Action Institute and a sustained campaign over the past few months from supporters of OIRA review.  From a transparency perspective, this agreement is already an improvement because it has been announced publicly, posted on Treasury’s website, and not kept secret for thirty-five years, like the previous agreement.

 

The New Memorandum of Agreement

The new agreement will require Treasury to submit the following categories of tax regulations to OIRA for review:

All three categories are well conceived.  First, one of the main focuses of OIRA review has always been interagency consultation.  And IRS rules can overlap with rules from the Department of Labor and, increasingly in the wake of the Affordable Care Act, the Department of Health and Human Services.  Allowing those and other agencies to weigh in on proposed tax regulations is an appropriate and necessary level of oversight, and can lead to better policymaking.  At the Senate hearing where the agreement was unveiled, Senator Lankford asked Treasury General Counsel Brent McIntosh who will make the determination of whether a new rule is likely to create a conflict with another agency.  McIntosh replied that, under the agreement, Treasury will submit a list of rules to OIRA on a quarterly basis and OIRA will then be in a position to flag rules that may create a conflict.

Second, Treasury will send OIRA tax regulations that raise novel legal or policy issues.  These are exactly the type of rules should not be decided in a vacuum and when independent review from OIRA and others can provide a fresh look at novel questions.  This is also an existing category of rules that are covered by EO 12,866 and so it makes sense to include tax regulations in this existing mandate.

Third, and finally, the new agreement includes tax regulations that are likely to have an annual non-revenue impact on the economy of $100 million or more.  This is the existing threshold for significant regulatory actions for other agencies.  The agreement makes a distinction for the “non-revenue” impact of tax regulations.  This is a commonsense distinction because OIRA review and cost-benefit considerations should be focusing on the distortionary impacts of regulatory choices, not money transferred to the fisc.  This modification of the existing language in EO 12,866 was necessary to fit the existing system to the way tax regulations work.  At the hearing, Senator Lankford asked McIntosh which rules from the 2017 tax cuts may meet this threshold.  McIntosh estimated that rules related to pass-through entities, interest expense deductions, bonus depreciation, section 199A, partnerships under section 512, and section 951A could now be subject to OIRA review.

 

The New MOA Puts OIRA in Control

The new agreement includes an important provision that bars Treasury from rushing rules out the door to the Federal Register before OIRA has signed off.

In order for the president and the White House to properly oversee the Executive Branch, they must be able to control its regulatory actions.  This provision makes it explicit that OIRA gets the final say.

 

Agreement Addresses Concerns about Delay and Expertise

Perhaps the biggest pushback against subjecting tax regulations to the same review that applies to other agencies’ rules was concerns about delay.  The new agreement addresses that issue by putting a 45-day clock on OIRA review and a special 10-business-day expedited review for rules stemming from the 2017 tax cuts.  Responding to concerns about OIRA’s expertise, Administrator Naomi Rao announced that Minnesota Law Professor and tax administration expert Kristin Hickman was joining OIRA as an advisor.  And OMB has been staffing up on other tax experts as well.

 

Concerns about the New Agreement

There is at least one concern about the agreement.  It only applies to “tax regulatory actions,” which the agreement gives the same meaning as “regulatory actions” in EO 12,866.  That definition covers “any substantive action by an agency (normally published in the Federal Register) that promulgates or is expected to lead to the promulgation of a final rule or regulation, including notices of inquiry, advance notices of proposed rulemaking, and notices of proposed rulemaking.”  Noticeably absent from this definition are interpretative rules that are not published in the Federal Register.  The IRS is notorious for trying to claim that its rules are interpretative and do not need to follow the strictures of the Administrative Procedure Act.  (CoA Institute recently filed an amicus brief in a case challenging this behavior.)  It remains to be seen whether the IRS and Treasury will try to assert that interpretative rules do not meet the definition of a “regulatory action” under EO 12,866 and thus do not need to be sent to OIRA for review.  A fair reading of the term “regulatory action” should include interpretative rules, even under the IRS’s improperly broad definition of that term.

But overall a dramatic improvement in the oversight of tax regulations and milestone in the project to end so-called tax exceptionalism and bring IRS under the same administrative law as everyone else.

James Valvo is Counsel and Senior Policy Advisor at Cause of Action Institute.  He is the principal author of Evading Oversight.  You can follow him on Twitter @JamesValvo.

Filed Under: Media, Blog Tagged With: , , , ,

CoA Institute Calls for EPA Watchdog Investigation into the Use of Unauthorized Electronic Messaging and Web-Based Email Apps on Agency Devices

April 12, 2018 by

Washington, D.C. – Cause of Action Institute (“CoA Institute”) wrote yesterday to the Environmental Protection Agency (“EPA”) Office of Inspector General (“OIG”) to request an investigation into the unauthorized use of electronic messaging and web-based email applications on agency-furnished and taxpayer-funded mobile devices, including iPhones and iPads. CoA Institute’s request follows the recent release under the Freedom of Information Act (“FOIA”) of a contractor-generated report that proves EPA employees installed at least sixteen different messaging applications, including Facebook Messenger and Google Hangouts, in contravention of official agency policy.  EPA employees also installed personal email programs, such as AOL and Yahoo Mail, on their government phones.  The OIG previously examined the use of two other encrypted messaging applications, “Signal” and “WhatsApp,” after CoA Institute opened its own investigation into allegations concerning the possible avoidance of records management laws.

 Cause of Action Institute Counsel Ryan Mulvey: “The newest details concerning the range of applications that EPA employees installed on their taxpayer-funded phones and tablets raise serious concerns.  Beyond the fact that many of these applications should never have been found on a government phone because of their personal nature, the presence of sixteen different electronic messaging applications raises doubts about the EPA’s compliance with record preservation rules.  All work-related communications created or received on a personal email account, or an electronic messaging program like Facebook Messenger, should have been preserved for disclosure to the public.  The EPA Inspector General must examine this matter and consider what steps the agency should take to rectify any deficiencies in meeting its record preservation obligations.”

Shortly after President Trump took office, Politico reported that a small group of EPA employees were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the new Administration’s policy agenda.  CoA Institute opened an investigation and, over the past year, has slowly pieced together details about the Signal scandal.

In response to its first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Then, records released to CoA Institute revealed how an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  That scan, which was requested “orally” by the OIG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed the contractor-generated report, as well as other documents.  A summary of the report, which consists of a list running ninety-six pages long, identifies all of the applications installed on most agency-furnished devices.

In addition to Signal and WhatsApp, at least another sixteen applications with electronic messaging capabilities were used by EPA employees, along with three email programs.  To the extent the OIG was unaware of these other messaging applications, further inquiries are necessary, as the use of these applications raise issues relating to federal records management.  Moreover, although the OIG has reported that the EPA disabled the ability of many iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet its recordkeeping obligations.

CoA Institute’s April 11, 2018 letter to the EPA Inspector General is available HERE.

For information regarding this press release, please contact Nichole Wilson: Nichole.wilson@causeofaction.org

Filed Under: Media, Press Release Tagged With: , , , , ,

Cause of Action Institute Launches Investigation into Agency Use of Instant Messaging Applications

April 9, 2018 by

The number of communications devices and platforms has mushroomed in recent years, making communication both quicker and easier. Naturally, these technologies have been incorporated into business and government. The use of instant messaging applications (“IM”) for business communications has become so common that most enterprise software includes IM functionality (for example, Google Hangouts, Skype for Business instant messaging, Slack, etc.).

In response to these developments, the Federal Records Act (“FRA”) was amended in 2014 to codify a new definition of electronic messages.  The FRA now states that electronic messages include “electronic mail and other electronic messaging systems that are used for purposes of communicating between individuals” 44 U.S.C. § 2911. Electronic communications sent or received in the course of agency business—regardless of the method of message delivery—are therefore federal records and must be properly captured, retained, and stored such that they can be searched and reproduced upon request. National Archives and Records Administration (“NARA”) Bulletin 2015-02, “Guidance on Managing Electronic Messages,” makes this explicitly clear.

Unfortunately, recent events have highlighted the failure of federal agencies to properly capture, retain, and store electronic messages, including:

  • five months of missing, and then recovered, text messages between the FBI’s Peter Strzok and Lisa Page related to their official duties,
  • 2016 EPA Inspector General investigation into the use of encrypted text messages,
  • CFPB using encrypted messaging apps, the so-called “Dumbledore’s Army”,
  • IRS not retaining communications through their internal instant messaging system due to a memorandum of understanding with the Treasury Employees Union, and
  • NOAA’s questionable use of Google Hangouts.

It appears incidents of federal agencies neglecting and/or intentionally failing to properly capture, retain, and store electronic messages that are federal records are not isolated or exceptional. In light of this, CoA Institute has launched a broad inquiry into federal agencies’ efforts to implement the 2014 FRA amendments and NARA Bulletin 2015-02. Last week, CoA Institute sent FOIA requests to nearly forty agencies seeking records:

  • regarding policies on the use, retention, and management of electronic (instant) messages;
  • related to implementation of or compliance with NARA Bulletin 2015-02;
  • reflecting the electronic messaging systems installed on agency devices; and
  • reflecting whether the agency has enabled automatic electronic message archiving, indexing, and eDiscovery features on instant messaging platforms in use.

The FRA and Freedom of Information Act are essential to government transparency and accountability and they must be enforced even when—or especially when—government regulations, policies, and practices lag behind the implementation of new technologies. With respect to instant messages, the federal government’s characteristic bureaucratic torpidity bears potentially far-reaching implications for proper oversight of the federal government. With this investigation, CoA Institute seeks to discover whether (and where) government neglect or exploitation of new technologies threatens transparency and accountability.

 

Thomas Kimbrell is a research fellow at Cause of Action Institute.

Filed Under: Blog, Media Tagged With: , , , , , ,

Sixth Circuit Should Follow Supreme Court’s Precedent and Recognize Limits of Anti-Injunction Act

April 4, 2018 by

Today, Cause of Action Institute filed an amicus brief in CIC Services, Inc. v. IRS in the U.S. Court of Appeals for the Sixth Circuit.  At issue in the case is whether the Anti-Injunction Act prohibits courts from reviewing whether the IRS complied with the Administrative Procedure Act (“APA”) when it issued a notice related to captive insurance companies.  We urged to appellate court to reverse the district court’s ruling that the Act blocks the suit and to resist the temptation to extend the D.C. Circuit’s flawed reasoning from Florida Bankers.

Notice 2016-66 and Captive Insurance

The rule at issue is contained in Notice 2016-66.  The IRS believes that small companies are using captive insurance companies (i.e., a type of self-insurance vehicle owned by the company or an affiliate) as a tax shelter.  But the IRS isn’t really sure if they are or what types of captives could be problematic.  So the IRS created a new category of “reportable transaction” known as a “transaction of interest,” which requires companies to proactively disclose when they are using a captive insurance company to self-insure.

The problem is that this creates a recordkeeping and reporting burden on small businesses and threatens fines if they do not comply.  CIC Services, the plaintiff-appellant in the case, estimates it would require hundreds of hours of labor and more than $100,000 to comply with the notice.  Further, “reportable transactions” are a scarlet letter in the tax world, and many businesses would rather avoid the underlying behavior than disclose they are engaging in a “reportable transaction.”

The IRS is doing all of this without notice and comment, without studying the adverse impact of its fishing expedition, and in conflict with Congress repeatedly authorizing captive insurance vehicles for small businesses.  CIC Services is also challenging whether the IRS can create a “transaction of interest” without issuing a formal regulation because Congress has limited the IRS’s ability to make “reportable transactions” to those “as determined under regulations prescribed” by the agency.[1]  A simple notice does not meet this standard.

An Overbroad Use of the Anti-Injunction Act Stands in the Way

The parties’ dispute over Notice 2016-66 and whether it violates substantive and procedural limitations on the agency has all the makings of a rather pedestrian APA case.  This is why we have preenforcement judicial review of agency rulemaking.  Enter the Anti-Injunction Act, which prohibits suits “for the purpose of restraining the assessment or collection of any tax shall be maintained in any court by any person.”[2]  The district court agreed with the IRS that the Act blocked the CIC Services suit.

But Notice 2016-66 deals with neither the “assessment” nor the “collection” of any tax; it creates a reporting requirement.  The U.S. Supreme Court unanimously has held that “notice and reporting requirements precede the steps of ‘assessment’ and ‘collection’” and that suits challenging reporting requirements do not “restrain” those activities and do not trigger the Anti-Injunction Act.[3]    But the D.C. Circuit recently ignored the Supreme Court’s decision in Direct Marketing in Florida Bankers[4] and the Six Circuit may be tempted to extend the D.C. Circuit’s ruling.  CoA Institute submitted an amicus brief in support of a cert petition in Florida Bankers, but the Supreme Court declined to hear the case.

CoA Institute Shows the Court the Consequences of an Overbroad Anti-Injunction Act

The litigants in the case will present the court with all of the issues above.  CoA Institute’s contribution was to introduce the court to the consequences of allowing IRS rulemaking to go unreviewed.  We presented the research underlying our recent investigative report, Evading Oversight: the Origins and Implications of the IRS Claim that its Rules Do Not Have an Economic Impact.  The danger of allowing the IRS to continue to use an over-expansive reading of the Anti-Injunction Act to block judicial review of its rulemakings is that the IRS will continue to ignore the substantive and procedural limitations on its authority.

Congress and the president have established a series of oversight mechanisms to ensure that agencies are complying with procedural requirements, taking public comments into account, and properly mitigating the adverse impacts of their rules, when possible.  But the IRS has erected a series of self-made exemptions from these oversight requirements.  One of those exemptions is at issue in CIC Services: does the IRS have to comply with the APA when it promulgates legislative rules?  A broad reading of the AIA blocks the courts from answering that question and so the IRS continues to flout the rules.

Conclusion

The Sixth Circuit should reject any invitation to extend Florida Bankers, adhere to Supreme Court precedent from Direct Marketing, and reverse the district court’s ruling that the Anti-Injunction Act prevents preenforcement judicial review of whether the IRS complied with the APA when it issued Notice 2016-66.

James Valvo is Counsel and Senior Policy Advisor at Cause of Action Institute.  He is the principal author of Evading Oversight.  You can follow him on Twitter @JamesValvo.

[1] 26 U.S.C. § 6707A(c)(1).

[2] 26 U.S.C. § 7421.

[3] Direct Mktg. Ass’n v. Brohl, 135 S. Ct. 1124, 1131 (2015).

[4] Florida Bankers Ass’n v. Dep’t of Treasury, 799 F.3d 1065 (D.C. Cir. 2015)

Filed Under: Media, Blog Tagged With: , , , ,

Investigation Update: EPA Employees Used a Range of Messaging Apps and Other Non-Work-Related Programs on Agency-Issued Mobile Devices

April 4, 2018 by

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”) were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the Trump Administration’s policy agenda.  The use of Signal at the EPA mirrored reports about the use of other electronic messaging platforms across the government.

Records recently released to CoA Institute under the Freedom of Information Act (“FOIA”) now confirm that a number of EPA employees installed Signal, WhatsApp, and at least sixteen other messaging applications on their agency-furnished devices.  These records also reveal that EPA employees installed a panoply of other applications—including email, sports betting, dating, and entertainment applications—that raise questions about the use of government-issued and taxpayer-funded mobile devices for personal purposes.

CoA Institute’s Investigation of Messaging Apps at the EPA

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal because we were concerned that the application might be used to conceal internal agency communications from oversight and to avoid EPA obligations under the FOIA and the Federal Records Act (“FRA”).  We were not alone in our suspicions.  After the House Committee on Science, Space, and Technology’s requested that the EPA Inspector General analyze the allegations reported in the press, the National Archives and Records Administration (“NARA”) opened its own inquiry into the potential violation of federal records management laws.  That inquiry remains open.

Over the past year we have slowly pieced together details about the Signal scandal.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Although the EPA initially claimed that many records would be withheld in full, it changed its position and released records that corroborated the alarming facts reported by the media.  But, as we have explained, the records also revealed much more.  Among other things, they confirmed that CoA Institute’s original FOIA request, as reported by the Washington Times, was the actual impetus for the EPA Inspector General’s (“IG”) investigation.  As Assistant Inspector General Patrick Sullivan noted at the time:

The records also confirmed that an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  This scan, which was requested by the IG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed that contractor-generated report, as well as other documents.

The EPA IG’s Investigatory Conclusions on Signal

The EPA IG memorialized its findings about the Signal scandal in a series of investigatory memoranda.  The watchdog determined that Signal was not used to “purposefully circumvent the applicable Federal record retention rules.”  Nevertheless, it concluded that two employees—one in the Office of the Inspector General and the other in the Office of the Science Advisor—violated agency policy by downloading the unapproved application, as revealed by a summary of a subset of the MDM report.

In each instance, the IG interviewed the offending employee and consulted the Department of Justice before concluding that no “discernable crime” had been committed.  The employee in the Office of Inspector General had downloaded Signal “to see if there was a suitable law enforcement purpose for the application.”

The employee in the Office of the Science Advisor denied having the application on his or her device, but consented to an examination of the phone.  Although Signal “did not appear to be currently installed,” there was no final explanation for how the application originally found its way onto the phone.  The IG opined that it could have happened due to unintentional synching with a personal Apple account.

But Maybe the Problem Was Never Signal . . .

As exonerating as the IG’s conclusion may be, the story does not end there.  While investigating the use of Signal, the EPA and the IG also discovered that fifty-eight employees violated official policy by downloading another encrypted messaging app, named “WhatsApp.”

The IG similarly determined that federal records laws had not been violated based on voluntary interviews of the fifty-eight employees, but this finding is somewhat contradicted by the admission of two employees that they used WhatsApp for “official EPA work.”

When all fifty-eight employees were polled on their “motivation and intent” for downloading WhatsApp, the clear majority cited a “lack of clarity” in the agency’s policy for not installing unapproved applications.  More than half also suggested that they had downloaded WhatsApp for “the purpose of keeping in touch with family/friends domestically or overseas.”

A Potentially Serious Deficiency in the EPA IG’s Inquiry

When the EPA scanned the contents of most mobile devices during the Signal investigation, it also produced a summary of all the applications installed on agency-furnished devices, along with an “install count” for each program.  The list runs ninety-six pages long and its contents are shocking.

To begin with, although the Signal scandal originally concerned the use of that single program, and was later expanded to include WhatsApp, the complete MDM report, which was released to CoA Institute, indicates that at least another sixteen applications with electronic messaging capabilities were being used by EPA employees.  These applications—many of which are likely unapproved and raise the exact same FOIA and FRA concerns as Signal and WhatsApp—include:

AIM (1 phone)
BlackBerry Messenger (3 phones)
Facebook Messenger (227 phones)
Google Hangouts (27 phones)
GroupMe (10 phones)
Jabber (27 phones)
KakaoTalk (3 phones)
Kik (1 phone)
LINE (1 phone)
Skype (58 phones)
Slack (7 phones)
Snapchat (25 phones)
Telegram (1 phone)
Viber (19 phones)
WeChat (2 phones)
WickrMe (1 phone)

Why did the EPA IG fail to investigate these other applications, some of which are capable of encrypted messaging?  Perhaps because the EPA’s Office of Environmental Information never handed over the full MDM report.  This is suggested by two records.

First, the EPA admitted to CoA Institute that it prepared two attachments (here and here) containing subsets of data from the MDM report, namely, those data that revealed the number and identifies of users with Signal or WhatsApp installed on their phones.

Second, the transmission of only the two summaries is suggested by the email referenced above, which also was disclosed to CoA Institute.  An IT team leader, Greg Zurla, sent the heads of the Office of Environmental Information, Steven Fine and Harvey Simon, the data about Signal and WhatsApp, but nothing else.  The IG’s final investigatory memoranda likewise reflect a targeted investigation into Signal and WhatsApp, with no mention of a broader dataset that could expose the unapproved use of similar encrypted messaging applications.

To the extent the IG was not—or still is not—aware of so many other messaging applications, then further inquiries need to be made.  Whether these platforms were used for personal or work-related purposes, they are problematic and raise issues relating to federal records management.  Moreover, although the IG has suggested that the EPA disabled the ability of some iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet all recordkeeping obligations.

The Use of Government Property for Personal Use is Deeply Troubling

The results of the IG investigation raise other troubling questions.  Why should a government employee be able to justify his installation of an unapproved, and legally problematic, application on agency-furnished hardware by claiming that he wanted to use it for personal purposes?  Should taxpayers pay for EPA employees to use government data plans to communicate with “family and friends”?

The full MDM report disturbingly reveals the sheer number of non-work-related applications that EPA employees installed.  Some of these, such as web-based email programs, raise records management issues that have plagued other agencies like the Department of Homeland Security.  The applications can be grouped into a number of categories.  Here is a sampling:

  • Web-Based Email
    AOL (16 phones)
    Gmail (129 phones)
    Yahoo Mail (56 phones)
  • Social Media
    Facebook (466 phones)
    Instagram (162 phones)
    LinkedIn (117 phones)
    Pinterest (75 phones)
    Reddit (20 phones)
    Twitter (310 phones)
  • Dating
    Coffee Meets Bagel (1 phone)
    OK Cupid (1 phone)
  • Personal Banking and Finance
    AmEx (11 phones)
    Barclaycard (6 phones)
    Bank of America (29 phones)
    CitiMobile (10 phones)
    Wells Fargo (24 phones)
    Navy Federal (11 phones)
    PayPal (10 phones)
  • Entertainment and Sports Betting
    Angry Birds (14 phones)
    Blackjack (5 phones)
    Candy Crush (32 phones)
    Draft Kings (1 phone)
    Duolingo (10 phones)
    ESPN (60 phones)
    Fandango (15 phones)
    HBO (15 phones)
    Netflix (73 phones)
    Pokémon GO (7 phones)
    Shazam (22 phones)
    SiriusXM (19 phones)
    Spotify (71 phones)
    YouTube (237 phones)
  • Shopping
    Amazon (56 phones)
    eBay (16 phones)
  • Religious
    Bible apps (22 phones)
    Catholic TV (1 phone)
  • Political
    Boycott Trump (1 phone)

Again, this is a non-exhaustive list.  The full list can be accessed here.

Based on the EPA’s list of approved “Terms of Service” agreements, it appears that most of these applications were never authorized for work-related business.  To the extent they were used for personal purposes, the EPA should take its workforce to task for abusing the privilege of a government-furnished and taxpayer-funded phone.

Although the IG reports that the EPA has disabled the Apple Store on newer models of the iPhone and iPad, we hope the agency makes serious efforts to remove these troubling applications from all makes and models of the hardware furnished to employees.  Simply stated, the EPA does not exist so its bureaucrats can spend the day watching Netflix, browsing eBay, or swiping right on a dating application.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

Filed Under: Media, Blog Tagged With: , ,