Search Results for: XP Technology

Investigation Update: EPA Employees Used a Range of Messaging Apps and Other Non-Work-Related Programs on Agency-Issued Mobile Devices

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”) were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the Trump Administration’s policy agenda.  The use of Signal at the EPA mirrored reports about the use of other electronic messaging platforms across the government.

Records recently released to CoA Institute under the Freedom of Information Act (“FOIA”) now confirm that a number of EPA employees installed Signal, WhatsApp, and at least sixteen other messaging applications on their agency-furnished devices.  These records also reveal that EPA employees installed a panoply of other applications—including email, sports betting, dating, and entertainment applications—that raise questions about the use of government-issued and taxpayer-funded mobile devices for personal purposes.

CoA Institute’s Investigation of Messaging Apps at the EPA

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal because we were concerned that the application might be used to conceal internal agency communications from oversight and to avoid EPA obligations under the FOIA and the Federal Records Act (“FRA”).  We were not alone in our suspicions.  After the House Committee on Science, Space, and Technology’s requested that the EPA Inspector General analyze the allegations reported in the press, the National Archives and Records Administration (“NARA”) opened its own inquiry into the potential violation of federal records management laws.  That inquiry remains open.

Over the past year we have slowly pieced together details about the Signal scandal.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Although the EPA initially claimed that many records would be withheld in full, it changed its position and released records that corroborated the alarming facts reported by the media.  But, as we have explained, the records also revealed much more.  Among other things, they confirmed that CoA Institute’s original FOIA request, as reported by the Washington Times, was the actual impetus for the EPA Inspector General’s (“IG”) investigation.  As Assistant Inspector General Patrick Sullivan noted at the time:

The records also confirmed that an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  This scan, which was requested by the IG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed that contractor-generated report, as well as other documents.

The EPA IG’s Investigatory Conclusions on Signal

The EPA IG memorialized its findings about the Signal scandal in a series of investigatory memoranda.  The watchdog determined that Signal was not used to “purposefully circumvent the applicable Federal record retention rules.”  Nevertheless, it concluded that two employees—one in the Office of the Inspector General and the other in the Office of the Science Advisor—violated agency policy by downloading the unapproved application, as revealed by a summary of a subset of the MDM report.

In each instance, the IG interviewed the offending employee and consulted the Department of Justice before concluding that no “discernable crime” had been committed.  The employee in the Office of Inspector General had downloaded Signal “to see if there was a suitable law enforcement purpose for the application.”

The employee in the Office of the Science Advisor denied having the application on his or her device, but consented to an examination of the phone.  Although Signal “did not appear to be currently installed,” there was no final explanation for how the application originally found its way onto the phone.  The IG opined that it could have happened due to unintentional synching with a personal Apple account.

But Maybe the Problem Was Never Signal . . .

As exonerating as the IG’s conclusion may be, the story does not end there.  While investigating the use of Signal, the EPA and the IG also discovered that fifty-eight employees violated official policy by downloading another encrypted messaging app, named “WhatsApp.”

The IG similarly determined that federal records laws had not been violated based on voluntary interviews of the fifty-eight employees, but this finding is somewhat contradicted by the admission of two employees that they used WhatsApp for “official EPA work.”

When all fifty-eight employees were polled on their “motivation and intent” for downloading WhatsApp, the clear majority cited a “lack of clarity” in the agency’s policy for not installing unapproved applications.  More than half also suggested that they had downloaded WhatsApp for “the purpose of keeping in touch with family/friends domestically or overseas.”

A Potentially Serious Deficiency in the EPA IG’s Inquiry

When the EPA scanned the contents of most mobile devices during the Signal investigation, it also produced a summary of all the applications installed on agency-furnished devices, along with an “install count” for each program.  The list runs ninety-six pages long and its contents are shocking.

To begin with, although the Signal scandal originally concerned the use of that single program, and was later expanded to include WhatsApp, the complete MDM report, which was released to CoA Institute, indicates that at least another sixteen applications with electronic messaging capabilities were being used by EPA employees.  These applications—many of which are likely unapproved and raise the exact same FOIA and FRA concerns as Signal and WhatsApp—include:

AIM (1 phone)
BlackBerry Messenger (3 phones)
Facebook Messenger (227 phones)
Google Hangouts (27 phones)
GroupMe (10 phones)
Jabber (27 phones)
KakaoTalk (3 phones)
Kik (1 phone)
LINE (1 phone)
Skype (58 phones)
Slack (7 phones)
Snapchat (25 phones)
Telegram (1 phone)
Viber (19 phones)
WeChat (2 phones)
WickrMe (1 phone)

Why did the EPA IG fail to investigate these other applications, some of which are capable of encrypted messaging?  Perhaps because the EPA’s Office of Environmental Information never handed over the full MDM report.  This is suggested by two records.

First, the EPA admitted to CoA Institute that it prepared two attachments (here and here) containing subsets of data from the MDM report, namely, those data that revealed the number and identifies of users with Signal or WhatsApp installed on their phones.

Second, the transmission of only the two summaries is suggested by the email referenced above, which also was disclosed to CoA Institute.  An IT team leader, Greg Zurla, sent the heads of the Office of Environmental Information, Steven Fine and Harvey Simon, the data about Signal and WhatsApp, but nothing else.  The IG’s final investigatory memoranda likewise reflect a targeted investigation into Signal and WhatsApp, with no mention of a broader dataset that could expose the unapproved use of similar encrypted messaging applications.

To the extent the IG was not—or still is not—aware of so many other messaging applications, then further inquiries need to be made.  Whether these platforms were used for personal or work-related purposes, they are problematic and raise issues relating to federal records management.  Moreover, although the IG has suggested that the EPA disabled the ability of some iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet all recordkeeping obligations.

The Use of Government Property for Personal Use is Deeply Troubling

The results of the IG investigation raise other troubling questions.  Why should a government employee be able to justify his installation of an unapproved, and legally problematic, application on agency-furnished hardware by claiming that he wanted to use it for personal purposes?  Should taxpayers pay for EPA employees to use government data plans to communicate with “family and friends”?

The full MDM report disturbingly reveals the sheer number of non-work-related applications that EPA employees installed.  Some of these, such as web-based email programs, raise records management issues that have plagued other agencies like the Department of Homeland Security.  The applications can be grouped into a number of categories.  Here is a sampling:

  • Web-Based Email
    AOL (16 phones)
    Gmail (129 phones)
    Yahoo Mail (56 phones)
  • Social Media
    Facebook (466 phones)
    Instagram (162 phones)
    LinkedIn (117 phones)
    Pinterest (75 phones)
    Reddit (20 phones)
    Twitter (310 phones)
  • Dating
    Coffee Meets Bagel (1 phone)
    OK Cupid (1 phone)
  • Personal Banking and Finance
    AmEx (11 phones)
    Barclaycard (6 phones)
    Bank of America (29 phones)
    CitiMobile (10 phones)
    Wells Fargo (24 phones)
    Navy Federal (11 phones)
    PayPal (10 phones)
  • Entertainment and Sports Betting
    Angry Birds (14 phones)
    Blackjack (5 phones)
    Candy Crush (32 phones)
    Draft Kings (1 phone)
    Duolingo (10 phones)
    ESPN (60 phones)
    Fandango (15 phones)
    HBO (15 phones)
    Netflix (73 phones)
    Pokémon GO (7 phones)
    Shazam (22 phones)
    SiriusXM (19 phones)
    Spotify (71 phones)
    YouTube (237 phones)
  • Shopping
    Amazon (56 phones)
    eBay (16 phones)
  • Religious
    Bible apps (22 phones)
    Catholic TV (1 phone)
  • Political
    Boycott Trump (1 phone)

Again, this is a non-exhaustive list.  The full list can be accessed here.

Based on the EPA’s list of approved “Terms of Service” agreements, it appears that most of these applications were never authorized for work-related business.  To the extent they were used for personal purposes, the EPA should take its workforce to task for abusing the privilege of a government-furnished and taxpayer-funded phone.

Although the IG reports that the EPA has disabled the Apple Store on newer models of the iPhone and iPad, we hope the agency makes serious efforts to remove these troubling applications from all makes and models of the hardware furnished to employees.  Simply stated, the EPA does not exist so its bureaucrats can spend the day watching Netflix, browsing eBay, or swiping right on a dating application.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Lawsuit Prompts Archivist to Examine Potential Record Destruction at NOAA

Cause of Action Institute (“CoA Institute”) filed a lawsuit last summer against the National Oceanic and Atmospheric Administration (“NOAA”) seeking copies of electronic records created through the agency’s Google-based email platform.  These types of records are commonly known as “instant messages.”  The Freedom of Information Act (“FOIA”) requests at issue (available here and here) also sought formal agency guidance on the retention of “Google Chat” or “Google Hangouts” messages.  We had already learned, through earlier investigation, that at least one internal NOAA handbook, dating from March 2012, instructed agency employees to treat all chat messages as “off the record,” raising concerns about potential unlawful record destruction at NOAA.

Media Coverage of CoA Institute’s Lawsuit Tipped-off the National Archives

The Daily Caller News Foundation reported on CoA Institute’s lawsuit shortly after it was filed.  Officials at the National Archives and Records Administration (“NARA”), which is tasked with policing federal records management across the government, took notice of the story and subsequently opened an inquiry on July 17, 2017 into CoA Institute’s allegations.  NARA gave NOAA “30 calendar days” to indicate how it planned to address the retention of “Google Chat and Skype messages,” and, if necessary, to report an “unauthorized disposition,” that is, the improper destruction of records.

As far as we know, eight months later, NOAA still has not responded to NARA.  We only learned about the NARA inquiry due to the agency’s recent decision to proactively disclose information on all pending investigations into the unauthorized disposition of federal records.  We have filed FOIA requests with NOAA and NARA in order to discover the status of the inquiry, and we will provide further updates as more details become available.

The fact that CoA Institute had to file a FOIA request to obtain NOAA’s response to the NARA inquiry, as well as related communications, shows that NARA’s proactive disclosure regime on this topic could be improved.  NARA should add another category of materials to its webpage that includes all correspondence received from an agency under investigation for the improper treatment of records.

NOAA’s Questionably Legal Google Chat Policy Flouts NARA Guidance

It goes without saying that an agency-wide policy to treat all chat messages as categorically “off the record” is problematic.  Even if an agency expects its employees to keep business-related communications, which could qualify for retention under the Federal Records Act (“FRA”), off a chat-based platform, it is reasonable to assume that some messages worthy of preservation will be sent or received over instant messaging.  NARA Bulletin 2015-02 makes that point clear.  And even if some instant messages were not worthy of long-term historical preservation, they would still qualify as transitory records subject to NARA-approved disposition schedules.

A categorical policy such as the one that NOAA has adopted creates a moral hazard.  Officials who want to thwart transparency can communicate with chat or instant messaging and, at least in this case, there is no way for the agency, NARA, or the public to catch them in the act.  NOAA officials have been observed using Google Chat to communicate during a contentious meeting of the New England Fishery Management Council.  If an agency like NOAA refuses to police how its employees are using the chat function on their Google-based email accounts, it should disable the function all together.

Regardless of whether electronic messages created through Google Chat or Google Hangouts are subject to the FRA, they may still be subject to the FOIA, which defines an “agency record” in broader terms than the FRA’s definition of a “federal record.”  By failing to implement any sort of mechanism for preserving chat messages—even for the briefest period—NOAA is depriving the American public of access to records that could be particularly important in showing how the agency operates and regulates.

The worst part of this saga is that NOAA knew it was treading a thin line in deciding to treat Google Chat messages as “off the record.”  According on documents obtained through the FOIA, NOAA’s lawyers and records management specialists were aware that electronic messages would need to be saved for public disclosure if Google Chat were “on the record.”  Notes from an October 20, 2011 meeting reflect this:

NOAA also recognized that chat messages could, in theory, be subject to the FRA.  Yet NOAA Records Officer Patricia Erdenberger reasoned that, by treating Google Chat as “off the record,” the agency’s FRA obligations could be bypassed.  Making a questionable analogy to phone calls, Erdenberger suggested that chat messages be “considered transient electrons.”

Agencies must do a better job at keeping pace with evolving forms of technology.  As one of my colleagues has argued, the use of non-email methods of electronic communication—including text and instant messaging, as well as encrypted phone applications like Signal—has serious implications for federal records management.  The Department of Commerce, NOAA’s parent agency, has not updated it policy for handling electronic records since May of 1987.  NARA, for its part, has been critical of the Department’s failure to revise this guidance, which is “heavily oriented towards the management of digital records on storage media such as diskettes and magnetic tape.”  Still, thirty years is a long time for such inaction, even for the federal government.  The transparency community must therefore intensify its efforts to hold the government accountable until more effective ways of handling electronic records are introduced.

Ryan Mulvey is Counsel at Cause of Action Institute

CoA Institute calls on Millennium Challenge Corporation to revise problematic FOIA rule

Cause of Action Institute (“CoA Institute”) submitted a comment today to the Millennium Challenge Corporation (“MCC”) concerning the agency’s publication of a deficient rule that proposes revisions to the agency’s Freedom of Information Act (“FOIA”) regulations.  The MCC is a small agency tasked with delivering foreign aid to combat global poverty.  CoA Institute explained that the MCC’s problematic FOIA rule failed to provide a definition of a “representative of the news media” that conforms with statutory and judicial authorities.  The proposed regulations could also cause confusion by directing requesters to consult outdated fee guidance published by the White House Office of Management and Budget (“OMB”).

News Media Fee Category

The MCC’s proposed rule improperly retains the so-called “organized and operated” standard in the definition of a “representative of the news media.”  This is an important deficiency because the “organized and operated” standard has been used in the past to deny news media requester status to nascent media groups and government watchdog organizations like CoA Institute.  Indeed, CoA Institute took another agency—the Federal Trade Commission—to court, and argued its case all to the way to the D.C. Circuit, just to get the agency to acknowledge that its similar retention of the “organized and operated” standard was unlawful and led to improperly denying CoA Institute a fee reduction.  The D.C. Circuit eventually issued a landmark decision in CoA Institute’s favor to clarify proper fee category definitions and their application in FOIA cases.

Congress amended the FOIA to provide a straightforward and comprehensive definition of a “representative of the news media.”  The MCC—and all other agencies—should not attempt to modify that definition or introduce additional hurdles for news media requesters.

OMB Fee Guidelines

The MCC’s problematic FOIA rule also proposes to introduce an explicit reference to the OMB’s 1987 FOIA fee guidelines, which are the genesis of the “organized and operated” standard.  The MCC should strike this reference because the OMB fee guidelines are outdated and unreliable.  Over the past thirty years, Congress has amended the FOIA on numerous occasions, courts have developed overriding FOIA jurisprudence, and technology has evolved in significant ways.  Yet OMB has made no effort to revisit its fee guidance.  It should not be used as a reference point for the proper administration of the FOIA.

In 2016, the FOIA Advisory Committee and the Archivist of the United States called on OMB to update the fee guidelines.  CoA Institute even filed a petition for rulemaking on this issue.  Last November, we filed a lawsuit to compel the agency to provide a response to that petition.  Until they are revised, the MCC should not direct requesters to OMB’s fee guidelines.

Other Agencies Have Followed CoA Institute’s Advice

CoA Institute has succeeded in convincing a number of other agencies to abandon the OMB’s “organized and operated” standard in favor of a proper definition of “representative of the news media” in line with the FOIA statute and controlling case law.  Those agencies include, among others, the Consumer Product Safety Commission, Office of the Special Counsel, Department of Defense, U.S. Agency for International Development, and Department of Homeland Security.  We hope that the MCC will similarly revisit its problematic FOIA rule and eliminate the “organized and operated” standard in lieu of a proper definition of a news media requester.

Ryan Mulvey is Counsel at Cause of Action Institute

GAO audit of Office of Special Counsel referrals under FOIA reveals weakness in the statute

An audit report released yesterday by the Government Accountability Office (“GAO”) provides alarming details concerning the lack of referral of cases of wrongful withholding under the Freedom of Information Act (“FOIA”) to the Office of Special Counsel (“OSC”).  Since at least 2008, neither the Department of Justice (“DOJ”) nor any federal court has referred a single case to the OSC so that the agency could investigate whether disciplinary action would be warranted for the arbitrary or capricious withholding of records litigated in court.  The publication of the audit coincided with the testimony of the GAO’s Director of Information Technology Management Issues, David Powner, at a hearing before the Senate Judiciary Committee.

OSC’s Investigatory Role under the FOIA

Congress envisaged a special role for the OSC in policing agency behavior with respect to the withholding of records.  Section 552(b)(4)(F) of the FOIA obliges the OSC to investigate whether disciplinary action is warranted against an official responsible for withholding records if a federal court has (1) ordered the production of those records, (2) assessed reasonable attorney fees and litigation costs against the government, and (3) issued a “written finding” that the case “raises questions whether agency personnel acted arbitrarily and capriciously with respect to the withholding.”

Once these conditions are met in any given case, the Attorney General must refer the matter for investigation to the OSC, and the agency at issue must take any corrective action recommended by the OSC.  If the government fails to comply, a court can punish a responsible official with contempt.  Apart from the FOIA, the OSC also has independent authority under 5 U.S.C. § 1216(a)(3) to investigate most allegations of arbitrary or capricious withholding of records.

No Referrals Have Been Made to the OSC Over the Past Ten Years

After examining various records and interviewing officials at the DOJ and OSC, the GAO concluded that, since 2008, no court orders have issued in a FOIA lawsuit such that referral to the OSC was appropriate.  At the same time, between 2013 and 2016, requesters in at least six cases nevertheless sought a court-ordered referral to the OSC.  In all six cases, the court denied the requests.

The referral provisions of the FOIA are toothless in practice.  According to one source, the OSC has investigated only two possible cases of punishable wrongdoing.  In Holly v. Acree, the OSC concluded that it could not determine the “officer or employee who was primarily responsible for the [wrongful] withholding.”  And in Long v. Internal Revenue Service, the OSC closed its investigation without any public findings.  Furthermore, despite numerous allegations and some instances of field investigation over the years, it does not appear that the OSC has ever initiated a disciplinary proceeding under Section 1216(a)(3).

Judicial decisions likewise exemplify the reticence of courts to refer cases to the OSC.  The judicial branch is already highly deferential to the government when assessing justifications for the treatment of FOIA records.  That deference appears to affect the analysis of whether it is appropriate to issue a “written finding” that an official or employee may have personally acted wrongfully.  For example, in the case of Kempker-Cloyd v. Department of Justice, No. 97-253, 1999 U.S. Dist. LEXIS 4813 (W.D. Mich. 1999), the court acknowledged that an agency failed to act in a timely manner, to conduct adequate searches, or to comply with the FOIA “in good faith.”  On further order, the court also determined the agency was liable for attorney fees and litigation costs.  Yet the court still did not believe there was evidence suggesting the agency acted in an arbitrary or capricious manner.  In a more recent case, Consumer Federation of America v. Department of Agriculture, 539 F. Supp. 2d 225 (D.D.C. 2008), when faced with a motion to refer the case to the OSC after the agency conducted an inadequate search and lost responsive records, the court sidestepped the issue altogether by ordering the agency to file a supplemental declaration confirming its promise—made during oral argument—to revise the process for handling requests for electronic records and to correct the problems that led to the loss of the records at issue.  Countless other examples of judicial refusal to engage with the OSC referral provisions abound.

The FOIA Should Be Strengthened to Hold Agency Officials Responsible for Wrongful Withholdings

As it stands, agency officials are effectively unaccountable for their decision-making under the FOIA.  There is no punishment for an agency when it mishandles a request or forces a requester to file a lawsuit to obtain records or fight wrongful withholdings.  Indeed, it is the taxpayer who ends up footing the bill for the government’s litigation costs.  The individuals responsible for processing requests, therefore, have little incentive aside from their personal commitment to transparency to ensure that agency decision-making is consistent with the law.  Even if a requester prevails in court, he faces the uphill battle of securing attorney fees and recoverable litigation costs, not to mention the tremendous difficulty of obtaining a written finding of arbitrary and capricious behavior on the part of the agency.

The requester community deserves better.  If agency officials knew that they would be held personally responsible for their administration of the FOIA, we would have a more efficient disclosure regime and a more transparent government.  The OSC can and should play an important role here, but the FOIA, as implemented, does not currently facilitate that endeavor.  Congress should undertake efforts to remedy the situation.

Ryan Mulvey is Counsel at Cause of Action Institute

DHS Fails to Locate Records Concerning Compliance with Federal Records Act over Private Web-based Email Accounts

Cause of Action Institute (“CoA Institute”) filed a Freedom of Information Act (“FOIA”) appeal with the Department of Homeland Security (“DHS”) yesterday, challenging the adequacy of the agency’s search for records concerning the use of private web-based email accounts by former DHS officials, as well as efforts to recover federal records from those officials’ accounts, as required by the Federal Records Act (“FRA”).  Although DHS disclosed two records in response to our request—namely, a letter from the National Archives and Records Administration (“NARA”), which expressed concern over the possible alienation of federal records, and DHS’s response to NARA—DHS’s repeated representations in federal court demonstrate the existence of countless other responsive records.

High-Ranking DHS Officials Received “Waivers” to Use Private Web-based Email Accounts

In July 2015, Bloomberg reported that then-Secretary Jeh Johnson and at least twenty-eight other senior officials at DHS were granted special permission to used private web-based email accounts—such as Google and Yahoo—to conduct official business.  These “waivers” were exceptions to an agency-wide ban on the use of private email that was imposed in April 2014.  Agency insiders admitted that the practice of issuing such waivers was a “national security risk.”  As reported by Politico, DHS ended its use of waivers, but the agency still faced numerous FOIA requests—and a lawsuit brought by Judicial Watch—from those seeking access to the work-related records created or received on the private web-based email accounts.

CoA Institute’s Initial Investigation into the DHS Webmail Waivers

On September 11, 2015, CoA Institute submitted a FOIA request to DHS for all agency records maintained on Secretary Johnson’s—or any other official’s—private web-based email account.  We also sought records concerning the DHS webmail waiver regime, including policies on how waivers were granted or guidance on record retention that may have been provided to waiver recipients.  In response to the request, DHS provided a substantial number of records concerning the actual processing of waivers, but it failed to produce any official correspondence from the private accounts.  Although we appealed that determination, DHS upheld the adequacy of its search, even though it had openly admitted in court to having control over actual responsive records.  A federal district court judge even issued a preservation order to ensure that former officials would continue to cooperate with recovery efforts under the Trump Administration.

Exploring DHS’s Compliance with the Federal Records Act

Armed with the knowledge that DHS was working to recover potential federal records from Secretary Johnson’s private web-based email account, as well as the accounts of three other former officials, CoA Institute filed two additional FOIA requests on June 1, 2017.  We asked both DHS and NARA to disclose records concerning NARA approval for the practice of issuing webmail waivers, as well as records reflecting the agencies’ compliance with their FRA obligations.  For example, we wanted to know whether DHS had involved the Attorney General in recovery efforts, or whether anything had been done to recover records from the other twenty-five webmail recipients that were not the subject of Judicial Watch’s ongoing FOIA litigation.

DHS could only locate two responsive records.  The first was a February 22, 2017 letter from NARA, which was prompted by the Judicial Watch lawsuit and raised concerns about the possible alienation of federal records.  NARA asked DHS to prepare a report on its recover efforts, along with a description of the “safeguards” that had been implemented to prevent the future alienation of records from private web-based email accounts.  The second responsive record was DHS’s Mary 19, 2017 response to NARA, in which the agency described its ongoing communications with Secretary Johnson and others to facilitate the return of potential federal records.  DHS claimed it was unable to locate any other responsive material.

This is an absurd determination.  DHS has repeatedly described its ongoing efforts to comply with the FRA and to ensure that work-related emails from the private web-based email accounts are returned to the agency, at least with respect to the four officials identified by Judicial Watch.  Whither the records of such communications?  CoA Institute’s request to DHS was intentionally broad and sought to capture, among other things, “any correspondence from a webmail recipient indicating that he or she no longer ha[s] possession of DHS records in a personal email account, or that he or she ha[s] forwarded them to a DHS-hosted email account, and any records evidencing agency efforts to confirm the truth of such representations.”

As for our request to NARA, that agency has failed to provide any sort of interim response, let alone a final determination, despite the fact it had granted CoA Institute’s FOIA request expedited processing.

The Lack of Transparency in Agency Compliance with the Federal Records Act is Troubling

The Obama Administration established a pattern of high-ranking officials using personal email accounts to conduct agency affairs, thereby potentially ignoring federal laws that require the preservation of records for future disclosure to Congress and the American public.  The lack of transparency with respect to the use of private email is concerning enough; the lack of transparency over efforts to remedy abusive and unauthorized use of personal email, and to return records to agency custody, is even more worrisome.  Government-oversight organizations such as CoA Institute have increasingly been forced to seek judicial relief to ensure agency compliance with the FRA, and this tendency is only likely to increase given the pace of technological development.

DHS seems to be working extra hard to keep secret whether it has fully met its FRA obligations.  It was certainly embarrassing for the agency when its practice of issuing waivers that allowed agency leadership to use private web-based email accounts came to light.  It will be even more embarrassing if evidence surfaces to show that DHS is still dragging its feet to recover those records, as required by law.

Ryan Mulvey is Counsel at Cause of Action Institute

 

Investigation Update: EPA Employees’ Use of an Encrypted Messaging App to Thwart Transparency and Fight the White House

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”)—“numbering less than a dozen”—were using an encrypted messaging application, called “Signal,” to discuss ways in which to prevent incoming political appointees from implementing the Trump Administration’s policy agenda, which may violate the Federal Records Act.  These employees sought to form a sort of “opposition network” to combat any shift in the EPA’s mission and to preserve the “integrity” of “objfedective” scientific data collected for years by the agency.

The use of Signal at the EPA mirrored reports about the use of electronic messaging platforms at other agencies, including the State Department and the Department of Labor.  But the EPA seemed to present a particularly potent site for the fermentation of political opposition among the civil service bureaucracy.  As reported by Reuters, for example, “[o]ver 400 former EPA staff members” wrote an open letter to the U.S. Senate, asking that former Oklahoma Attorney General Scott Pruitt’s nomination as Administrator be rejected, and employees in the EPA’s Chicago regional office held a joint protest against Pruitt with the Sierra Club.  Such resistance, as our investigative findings suggested, has yet to dissipate.

* * *

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal following Politico’s report.  We were concerned that Signal might have been used to conceal internal agency communications from oversight and that the EPA had failed to meet its legal obligations under the Freedom of Information Act (“FOIA”) and the Federal Records Act to preserve records of official government business created or obtained on Signal.  The EPA’s less-than-sterling reputation for managing electronic records likely inspired the House of Representatives to seek similar clarification from the EPA Inspector General on the Signal scandal.

In our view, to the extent intra-agency Signal correspondence pertained to employees’ plans, in their official capacities, to fight the White House on policy issues, those records were governed by the FOIA and the Federal Records Act, even if created or received on private devices.  Applicable guidance from the National Archives and Records Administration (“NARA”) on electronic records states as much.  Although some have argued that Signal could have been used in the employees’ personal capacity or “off the record,” such claims rest on “murky legal ground.”  At least to the extent employees used Signal on EPA devices, there should have been some mechanism in place to preserve messages until agency authorities could determine whether federal records laws applied.  Such a mechanism was particularly important given the difficulty of recovering encrypted messages after deletion.

* * *

To date, CoA Institute’s investigation has unearthed previously undisclosed information about the Signal scandal and the EPA’s efforts to address allegations of legal wrongdoing.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation and, therefore, many of the records at issue would be withheld in full.  The EPA eventually changed its position on this matter and released a number of partially-redacted records.  Those records corroborate the alarming facts reported in the media and reveal much more.

For example, the EPA Office of Inspector General apparently opened its official investigation into the use of Signal only after reading the Washington Times report on CoA Institute’s FOIA efforts.  As Assistant Inspector General Patrick Sullivan noted:

Figure 1: February 3, 2017 E-mail from Patrick Sullivan to Arthur Elkins et al.

An unidentified special agent then explained how an official “hotline complaint” would be initiated, but only after consulting with IT staff.

Figure 2: February 3, 2017 E-mail from Unidentified Special Agent

The EPA’s administrative offices appear to have been alerted to the Signal scandal before the Inspector General, and only because of the efforts of President Trump’s political appointees.  David Schnare almost immediately highlighted the need for a high-level response.

Figure 3: February 2, 2017 E-mail from David Schnare

Mr. Schnare subsequently resigned from the EPA in March 2017, citing difficulties with “antagonistic” career staff opposed to President Trump’s policy agenda.

The next day, again in response to the Washington Times, another Trump-appointed advisor, former State Senator Donald Benton, described the media reports as “disturbing if true,” and wondered whether the EPA could detect whether Signal had been improperly downloaded on any devices. (Senator Benton also left the EPA following alleged clashes with Administrator Pruitt.)

Figure 4: February 3, 2017 E-mail from Donald Benton

Steven Fine, the EPA’s Acting Assistant Administrator of the Office of Environmental Information and Acting Chief Information Officer, assured Senator Benton that the agency could not detect “app downloads,” but could, in fact, scan devices for already-installed programs.

Figure 5: February 3, 2017 E-mail from Steven Fine

The EPA’s ability to “scan” for the installation of Signal was also revealed during summary judgment briefing against Judicial Watch in unrelated FOIA litigation.  A declarant for the EPA described a software tool known as “Mobile Device Management” or “MDM,” which can compile a master report that identifies the applications running on most EPA-furnished equipment.  Indeed, Mr. Fine likely wrote to Senator Benton with knowledge of the Inspector General’s pending request for “assistance in identifying whether certain mobile apps, including Signal, had been downloaded” to EPA devices.

Figure 6: February 3, 2017 E-mail from Patrick Sullivan

* * *

Figure 7: February 3, 2017 E-mail from Rena Key

Interestingly, an unidentified special agent in the Office of the Inspector General recognized the limitations in retrieving Signal messages, regardless of the agency’s ability to use MDM to identify the relevant devices on which the application was installed.

Figure 8: February 3, 2017 E-mail from Unidentified Special Agent

An EPA contractor eventually generated the requested report in the MDM devices and transmitted it to the Office of Environmental Information.  CoA Institute has a pending FOIA request for a copy of the MDM report.

Records released to CoA Institute also raise or confirm other concerning facts:

  • Based on a list of approved “Terms of Service” agreements, EPA employees never were, and still are not, authorized to download and use Signal. Although various social medial tools are approved for use, Signal is not one of them.
  • Internal agency guidance leaves individual employees with total discretion in determining whether text or instant messages need to be forwarded to an official e-mail address and agency recordkeeping system. Although the guidance highlights the differences between “substantive (or non-transitory)” records and those that need not be retained, there is no clear system of oversight to prevent the unauthorized deletion of electronic records.
  • On February 22, 2017, NARA wrote to the EPA to request an update on the records management issues involved in the Signal scandal. The EPA responded a month later, explaining that its investigation was still ongoing and a final report would be forthcoming.  The agency referred to its existing list of approved “Terms of Service” agreements, as well as its efforts to remind employees of their individual responsibility to preserve certain records.  No specific mention was made of the use of Signal.

As additional information becomes available, we will provide further analysis on the EPA’s investigation into the unauthorized use of Signal.

Selected records from CoA Institute’s FOIA production, excepts of which have been used above, can be accessed here.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Sues OMB, Compelling it to Take Transparency Policy Seriously

Cause of Action Institute (“CoA Institute”) has sued the White House Office of Management and Budget (“OMB”) for failing to respond to two petitions for rulemaking that CoA Institute submitted to the agency.  These two petitions—both aimed at increasing government transparency—were filed during the Obama Administration but were ignored. One petition for rulemaking focused on the OMB’s outdated Freedom of Information Act fee guidelines while the other focused on an executive order related to earmarking. We hope these lawsuits will spur the Trump Administration to action to increase the public’s ability to know what its government is up to.

Petition for Rulemaking on OMB’s Outdated FOIA Fee Guidelines

The Freedom of Information Act requires agencies to produce records on a reduced fee schedule if the requester qualifies as a “representative of the news media” or other favored category.  The FOIA requires agencies to issue records free of charge if the information is in the public interest and the requester has a means to distribute it.  Unfortunately, agencies often use these fee provisions as a mechanism to block requesters that are doing rigorous oversight of the agency.

As information technology advanced over the past two decades, Congress recognized that journalism was changing in fundamental ways and that citizen journalists and nonprofit organizations were just as vital to conducting government oversight as the traditional news media.  That’s why, in the Open Government Act of 2007, Congress provided a statutory definition of a “representative of the news media” that expressly noted that “as methods of news delivery evolve (for example, the adoption of the electronic dissemination of newspapers through telecommunications services), such alternative media shall be considered to be news-media entities.”[1]

But the FOIA also requires OMB to develop and maintain guidelines on FOIA fee issues and it requires agencies to conform their regulations to OMB’s guidelines.  In 1987, OMB issued its one and only guidance document on FOIA fees and in that document it requires “representatives of the news media” to work for organizations that are “organized and operated to publish or broadcast news to the public.”  The Federal Trade Commission (“FTC”) attempted to use this outdated standard against CoA Institute to deny us a preferable fee status and thus drive up the cost of our oversight of that agency.  We took the FTC to the D.C. Circuit and won.  The opinion in that case explained that the “organized and operated” standard was no longer proper.[2]

Yet ten years after Congress changed the statutory standard and two years after the D.C. Circuit directed that the “organized and operated” standard was no longer viable, dozens of agencies still employ it and OMB still has not updated its 1987 FOIA fee guidance.

In an effort to spur OMB to reform its outmoded guidance and to move all agencies toward compliance with the statute, CoA Institute filed a petition for rulemaking with OMB in June 2016.  The agency has not responded to that petition and we were forced to sue to bring the issue to resolution.

Petition for Rulemaking on Executive Order 13457

In 2008, President George W. Bush issued Executive Order 13457 to pressure Congress to reform its profligate earmarking practices.  The order required, inter alia, that executive-branch agencies proactively disclose any attempts by members of Congress or their staff to influence discretionary spending decisions the agencies were making.  President Bush directed OMB to ensure that agencies complied with the order.

Through an investigation, CoA Institute was able to establish that OMB understood Executive Order 13457 to apply to both legislative earmarks (i.e., spending directives in statute and committee reports) and executive branch earmarks (i.e., efforts by outside forces to pressure agencies to make certain spending decisions).  CoA Institute’s investigation also revealed that very few agencies were complying with the order; the Department of Energy was a notable exception.

In an effort to spur the Obama Administration to implement Executive Order 13457, CoA Institute joined with Demand Progress and filed a petition for rulemaking at OMB asking it “to issue a rule ensuring the continuing force and effect of Executive Order 13457, Protecting American Taxpayers From Government Spending on Wasteful Earmarks[.]”  More than two years have passed since we filed the petition and OMB has not responded.

Conclusion

The White House Office of Management and Budget sits at a unique place in the federal administrative state.  It has the opportunity to put in place and require adherence to cross-agency rules that can increase or decrease government transparency.  Ensuring that FOIA fees are not improperly used to block agency oversight and requiring proactive disclosure of congressional attempts to influence agency discretionary spending decisions are two ways OMB can make a difference.  CoA Institute has filed suit today to compel them to take these responsibilities seriously.

James Valvo is counsel and senior policy advisor at Cause of Action Institute.  He was instrumental in crafting both petitions for rulemaking and the lawsuit discussed in this post.  You can follow him on Twitter @JamesValvo.

[1] 5 U.S.C. § 552(a)(4)(A)(ii)

[2] Cause of Action v. Fed. Trade Comm’n, 799 F.3d 1108 (D.C. Cir. 2015).