Investigation Update: EPA Employees Used a Range of Messaging Apps and Other Non-Work-Related Programs on Agency-Issued Mobile Devices

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”) were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the Trump Administration’s policy agenda.  The use of Signal at the EPA mirrored reports about the use of other electronic messaging platforms across the government.

Records recently released to CoA Institute under the Freedom of Information Act (“FOIA”) now confirm that a number of EPA employees installed Signal, WhatsApp, and at least sixteen other messaging applications on their agency-furnished devices.  These records also reveal that EPA employees installed a panoply of other applications—including email, sports betting, dating, and entertainment applications—that raise questions about the use of government-issued and taxpayer-funded mobile devices for personal purposes.

CoA Institute’s Investigation of Messaging Apps at the EPA

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal because we were concerned that the application might be used to conceal internal agency communications from oversight and to avoid EPA obligations under the FOIA and the Federal Records Act (“FRA”).  We were not alone in our suspicions.  After the House Committee on Science, Space, and Technology’s requested that the EPA Inspector General analyze the allegations reported in the press, the National Archives and Records Administration (“NARA”) opened its own inquiry into the potential violation of federal records management laws.  That inquiry remains open.

Over the past year we have slowly pieced together details about the Signal scandal.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Although the EPA initially claimed that many records would be withheld in full, it changed its position and released records that corroborated the alarming facts reported by the media.  But, as we have explained, the records also revealed much more.  Among other things, they confirmed that CoA Institute’s original FOIA request, as reported by the Washington Times, was the actual impetus for the EPA Inspector General’s (“IG”) investigation.  As Assistant Inspector General Patrick Sullivan noted at the time:

The records also confirmed that an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  This scan, which was requested by the IG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed that contractor-generated report, as well as other documents.

The EPA IG’s Investigatory Conclusions on Signal

The EPA IG memorialized its findings about the Signal scandal in a series of investigatory memoranda.  The watchdog determined that Signal was not used to “purposefully circumvent the applicable Federal record retention rules.”  Nevertheless, it concluded that two employees—one in the Office of the Inspector General and the other in the Office of the Science Advisor—violated agency policy by downloading the unapproved application, as revealed by a summary of a subset of the MDM report.

In each instance, the IG interviewed the offending employee and consulted the Department of Justice before concluding that no “discernable crime” had been committed.  The employee in the Office of Inspector General had downloaded Signal “to see if there was a suitable law enforcement purpose for the application.”

The employee in the Office of the Science Advisor denied having the application on his or her device, but consented to an examination of the phone.  Although Signal “did not appear to be currently installed,” there was no final explanation for how the application originally found its way onto the phone.  The IG opined that it could have happened due to unintentional synching with a personal Apple account.

But Maybe the Problem Was Never Signal . . .

As exonerating as the IG’s conclusion may be, the story does not end there.  While investigating the use of Signal, the EPA and the IG also discovered that fifty-eight employees violated official policy by downloading another encrypted messaging app, named “WhatsApp.”

The IG similarly determined that federal records laws had not been violated based on voluntary interviews of the fifty-eight employees, but this finding is somewhat contradicted by the admission of two employees that they used WhatsApp for “official EPA work.”

When all fifty-eight employees were polled on their “motivation and intent” for downloading WhatsApp, the clear majority cited a “lack of clarity” in the agency’s policy for not installing unapproved applications.  More than half also suggested that they had downloaded WhatsApp for “the purpose of keeping in touch with family/friends domestically or overseas.”

A Potentially Serious Deficiency in the EPA IG’s Inquiry

When the EPA scanned the contents of most mobile devices during the Signal investigation, it also produced a summary of all the applications installed on agency-furnished devices, along with an “install count” for each program.  The list runs ninety-six pages long and its contents are shocking.

To begin with, although the Signal scandal originally concerned the use of that single program, and was later expanded to include WhatsApp, the complete MDM report, which was released to CoA Institute, indicates that at least another sixteen applications with electronic messaging capabilities were being used by EPA employees.  These applications—many of which are likely unapproved and raise the exact same FOIA and FRA concerns as Signal and WhatsApp—include:

AIM (1 phone)
BlackBerry Messenger (3 phones)
Facebook Messenger (227 phones)
Google Hangouts (27 phones)
GroupMe (10 phones)
Jabber (27 phones)
KakaoTalk (3 phones)
Kik (1 phone)
LINE (1 phone)
Skype (58 phones)
Slack (7 phones)
Snapchat (25 phones)
Telegram (1 phone)
Viber (19 phones)
WeChat (2 phones)
WickrMe (1 phone)

Why did the EPA IG fail to investigate these other applications, some of which are capable of encrypted messaging?  Perhaps because the EPA’s Office of Environmental Information never handed over the full MDM report.  This is suggested by two records.

First, the EPA admitted to CoA Institute that it prepared two attachments (here and here) containing subsets of data from the MDM report, namely, those data that revealed the number and identifies of users with Signal or WhatsApp installed on their phones.

Second, the transmission of only the two summaries is suggested by the email referenced above, which also was disclosed to CoA Institute.  An IT team leader, Greg Zurla, sent the heads of the Office of Environmental Information, Steven Fine and Harvey Simon, the data about Signal and WhatsApp, but nothing else.  The IG’s final investigatory memoranda likewise reflect a targeted investigation into Signal and WhatsApp, with no mention of a broader dataset that could expose the unapproved use of similar encrypted messaging applications.

To the extent the IG was not—or still is not—aware of so many other messaging applications, then further inquiries need to be made.  Whether these platforms were used for personal or work-related purposes, they are problematic and raise issues relating to federal records management.  Moreover, although the IG has suggested that the EPA disabled the ability of some iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet all recordkeeping obligations.

The Use of Government Property for Personal Use is Deeply Troubling

The results of the IG investigation raise other troubling questions.  Why should a government employee be able to justify his installation of an unapproved, and legally problematic, application on agency-furnished hardware by claiming that he wanted to use it for personal purposes?  Should taxpayers pay for EPA employees to use government data plans to communicate with “family and friends”?

The full MDM report disturbingly reveals the sheer number of non-work-related applications that EPA employees installed.  Some of these, such as web-based email programs, raise records management issues that have plagued other agencies like the Department of Homeland Security.  The applications can be grouped into a number of categories.  Here is a sampling:

  • Web-Based Email
    AOL (16 phones)
    Gmail (129 phones)
    Yahoo Mail (56 phones)
  • Social Media
    Facebook (466 phones)
    Instagram (162 phones)
    LinkedIn (117 phones)
    Pinterest (75 phones)
    Reddit (20 phones)
    Twitter (310 phones)
  • Dating
    Coffee Meets Bagel (1 phone)
    OK Cupid (1 phone)
  • Personal Banking and Finance
    AmEx (11 phones)
    Barclaycard (6 phones)
    Bank of America (29 phones)
    CitiMobile (10 phones)
    Wells Fargo (24 phones)
    Navy Federal (11 phones)
    PayPal (10 phones)
  • Entertainment and Sports Betting
    Angry Birds (14 phones)
    Blackjack (5 phones)
    Candy Crush (32 phones)
    Draft Kings (1 phone)
    Duolingo (10 phones)
    ESPN (60 phones)
    Fandango (15 phones)
    HBO (15 phones)
    Netflix (73 phones)
    Pokémon GO (7 phones)
    Shazam (22 phones)
    SiriusXM (19 phones)
    Spotify (71 phones)
    YouTube (237 phones)
  • Shopping
    Amazon (56 phones)
    eBay (16 phones)
  • Religious
    Bible apps (22 phones)
    Catholic TV (1 phone)
  • Political
    Boycott Trump (1 phone)

Again, this is a non-exhaustive list.  The full list can be accessed here.

Based on the EPA’s list of approved “Terms of Service” agreements, it appears that most of these applications were never authorized for work-related business.  To the extent they were used for personal purposes, the EPA should take its workforce to task for abusing the privilege of a government-furnished and taxpayer-funded phone.

Although the IG reports that the EPA has disabled the Apple Store on newer models of the iPhone and iPad, we hope the agency makes serious efforts to remove these troubling applications from all makes and models of the hardware furnished to employees.  Simply stated, the EPA does not exist so its bureaucrats can spend the day watching Netflix, browsing eBay, or swiping right on a dating application.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Files Second Lawsuit for Records Concerning EPA Employees’ Use of Encrypted Messaging App

Washington, D.C. – Cause of Action Institute (“CoA Institute”) today filed a second lawsuit in the U.S. District Court for the District of Columbia against the Environmental Protection Agency (“EPA”) for the failure to disclose records about an ongoing investigation into agency employees’ use of an encrypted messaging application, called “Signal.”  The records at issue—which were the subject of two Freedom of Information Act (“FOIA”) requests (here and here)—include a special report, requested by the EPA Office of Inspector General and generated by an agency contractor, which identifies the mobile applications running on most EPA-furnished devices, as well as documents concerning the agency’s continuing efforts to address allegations of wrongdoing, including the avoidance of federal records management laws.

CoA Institute Counsel Ryan Mulvey: “We now know that a small group of career EPA employees used Signal to avoid transparency.  These employees’ work-related communications—including their messages concerning any proposed efforts to thwart the new administration’s political appointees from carrying out the president’s policy agenda—should have been preserved for disclosure to the public.  Records released by the EPA, however, prove that this preservation never took place.  Now, the EPA has effectively refused to disclose any additional documents that could show how pervasive the use of Signal was and how seriously the agency has tried to rectify deficiencies in meeting its record preservation obligations.”

CoA Institute opened its investigation into the use of Signal at the beginning of the year, following media reports that suggested a select number of career officials were using the application to plan methods for obstructing the Trump administration’s incoming political leadership.  CoA Institute’s investigation was widely discussed in the press, along with Congress’s request for the EPA’s watchdog to independently investigate the matter.

Just hours after CoA Institute filed its first FOIA lawsuit, on March 23, 2017, the EPA’s Office of General Counsel acknowledged that there was, indeed, an “open law enforcement” investigation and, as a result, responsive records would have to be redacted.  The EPA ultimately reconsidered its position and, notwithstanding its active investigation, agreed to release relevant records.  Those records prompted the follow-up FOIA requests at issue in today’s lawsuit.

More information on CoA Institute’s investigation can be found here.

The full complaint can be found here.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org.

Investigation Update: EPA Employees’ Use of an Encrypted Messaging App to Thwart Transparency and Fight the White House

Shortly after President Trump took office, Politico reported that a small group of career employees at the Environmental Protection Agency (“EPA”)—“numbering less than a dozen”—were using an encrypted messaging application, called “Signal,” to discuss ways in which to prevent incoming political appointees from implementing the Trump Administration’s policy agenda, which may violate the Federal Records Act.  These employees sought to form a sort of “opposition network” to combat any shift in the EPA’s mission and to preserve the “integrity” of “objfedective” scientific data collected for years by the agency.

The use of Signal at the EPA mirrored reports about the use of electronic messaging platforms at other agencies, including the State Department and the Department of Labor.  But the EPA seemed to present a particularly potent site for the fermentation of political opposition among the civil service bureaucracy.  As reported by Reuters, for example, “[o]ver 400 former EPA staff members” wrote an open letter to the U.S. Senate, asking that former Oklahoma Attorney General Scott Pruitt’s nomination as Administrator be rejected, and employees in the EPA’s Chicago regional office held a joint protest against Pruitt with the Sierra Club.  Such resistance, as our investigative findings suggested, has yet to dissipate.

* * *

Cause of Action Institute (“CoA Institute”) opened its investigation into the use of Signal following Politico’s report.  We were concerned that Signal might have been used to conceal internal agency communications from oversight and that the EPA had failed to meet its legal obligations under the Freedom of Information Act (“FOIA”) and the Federal Records Act to preserve records of official government business created or obtained on Signal.  The EPA’s less-than-sterling reputation for managing electronic records likely inspired the House of Representatives to seek similar clarification from the EPA Inspector General on the Signal scandal.

In our view, to the extent intra-agency Signal correspondence pertained to employees’ plans, in their official capacities, to fight the White House on policy issues, those records were governed by the FOIA and the Federal Records Act, even if created or received on private devices.  Applicable guidance from the National Archives and Records Administration (“NARA”) on electronic records states as much.  Although some have argued that Signal could have been used in the employees’ personal capacity or “off the record,” such claims rest on “murky legal ground.”  At least to the extent employees used Signal on EPA devices, there should have been some mechanism in place to preserve messages until agency authorities could determine whether federal records laws applied.  Such a mechanism was particularly important given the difficulty of recovering encrypted messages after deletion.

* * *

To date, CoA Institute’s investigation has unearthed previously undisclosed information about the Signal scandal and the EPA’s efforts to address allegations of legal wrongdoing.  In response to our first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation and, therefore, many of the records at issue would be withheld in full.  The EPA eventually changed its position on this matter and released a number of partially-redacted records.  Those records corroborate the alarming facts reported in the media and reveal much more.

For example, the EPA Office of Inspector General apparently opened its official investigation into the use of Signal only after reading the Washington Times report on CoA Institute’s FOIA efforts.  As Assistant Inspector General Patrick Sullivan noted:

Figure 1: February 3, 2017 E-mail from Patrick Sullivan to Arthur Elkins et al.

An unidentified special agent then explained how an official “hotline complaint” would be initiated, but only after consulting with IT staff.

Figure 2: February 3, 2017 E-mail from Unidentified Special Agent

The EPA’s administrative offices appear to have been alerted to the Signal scandal before the Inspector General, and only because of the efforts of President Trump’s political appointees.  David Schnare almost immediately highlighted the need for a high-level response.

Figure 3: February 2, 2017 E-mail from David Schnare

Mr. Schnare subsequently resigned from the EPA in March 2017, citing difficulties with “antagonistic” career staff opposed to President Trump’s policy agenda.

The next day, again in response to the Washington Times, another Trump-appointed advisor, former State Senator Donald Benton, described the media reports as “disturbing if true,” and wondered whether the EPA could detect whether Signal had been improperly downloaded on any devices. (Senator Benton also left the EPA following alleged clashes with Administrator Pruitt.)

Figure 4: February 3, 2017 E-mail from Donald Benton

Steven Fine, the EPA’s Acting Assistant Administrator of the Office of Environmental Information and Acting Chief Information Officer, assured Senator Benton that the agency could not detect “app downloads,” but could, in fact, scan devices for already-installed programs.

Figure 5: February 3, 2017 E-mail from Steven Fine

The EPA’s ability to “scan” for the installation of Signal was also revealed during summary judgment briefing against Judicial Watch in unrelated FOIA litigation.  A declarant for the EPA described a software tool known as “Mobile Device Management” or “MDM,” which can compile a master report that identifies the applications running on most EPA-furnished equipment.  Indeed, Mr. Fine likely wrote to Senator Benton with knowledge of the Inspector General’s pending request for “assistance in identifying whether certain mobile apps, including Signal, had been downloaded” to EPA devices.

Figure 6: February 3, 2017 E-mail from Patrick Sullivan

* * *

Figure 7: February 3, 2017 E-mail from Rena Key

Interestingly, an unidentified special agent in the Office of the Inspector General recognized the limitations in retrieving Signal messages, regardless of the agency’s ability to use MDM to identify the relevant devices on which the application was installed.

Figure 8: February 3, 2017 E-mail from Unidentified Special Agent

An EPA contractor eventually generated the requested report in the MDM devices and transmitted it to the Office of Environmental Information.  CoA Institute has a pending FOIA request for a copy of the MDM report.

Records released to CoA Institute also raise or confirm other concerning facts:

  • Based on a list of approved “Terms of Service” agreements, EPA employees never were, and still are not, authorized to download and use Signal. Although various social medial tools are approved for use, Signal is not one of them.
  • Internal agency guidance leaves individual employees with total discretion in determining whether text or instant messages need to be forwarded to an official e-mail address and agency recordkeeping system. Although the guidance highlights the differences between “substantive (or non-transitory)” records and those that need not be retained, there is no clear system of oversight to prevent the unauthorized deletion of electronic records.
  • On February 22, 2017, NARA wrote to the EPA to request an update on the records management issues involved in the Signal scandal. The EPA responded a month later, explaining that its investigation was still ongoing and a final report would be forthcoming.  The agency referred to its existing list of approved “Terms of Service” agreements, as well as its efforts to remind employees of their individual responsibility to preserve certain records.  No specific mention was made of the use of Signal.

As additional information becomes available, we will provide further analysis on the EPA’s investigation into the unauthorized use of Signal.

Selected records from CoA Institute’s FOIA production, excepts of which have been used above, can be accessed here.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Uncovers EPA Investigation into Employees’ Use of Encrypted Messaging App

Hours after filing a lawsuit demanding that the Environmental Protection Agency (“EPA”) disclose records about its employees’ use of an encrypted messaging application, Cause of Action Institute (“CoA Institute”) received a letter from the EPA’s Office of General Counsel acknowledging that there is an “open law enforcement” investigation looking into the matter.

The EPA indicated that records created or received by its employees on “Signal,” and records concerning efforts “to retrieve, recover, or retain” those messages, were “part of one or more open law enforcement file(s).” The agency claimed such records were exempt from disclosure under the Freedom of Information Act (“FOIA”) because they were compiled for “law enforcement purposes” and their disclosure “could reasonably be expected to interfere with ongoing enforcement proceedings.”  Further, the EPA stated that it could not find any records reflecting “permission, clearance, or approval” for the use of the encrypted messaging app.

Cause of Action Institute Assistant Vice President Henry Kerner: “The EPA’s response to our lawsuit is unsurprising, but still deeply disturbing.  The unauthorized use of an encrypted messaging app by a government employee is inappropriate, and the EPA appears to agree that its employees might have broken the law.  Although we are pleased to learn that the agency is examining potential wrongdoing, we will continue to fight for the disclosure of records responsive to our FOIA request because we do not agree that the law prohibits the disclosure of the Signal messages.  It will be up to the courts to decide.”

Even though the EPA purports to have provided a final response to CoA Institute’s FOIA request, the recently filed lawsuit will continue. CoA Institute disputes the sufficiency of the EPA’s determination, which suggests that a search for potentially responsive records was never carried out. In addition, we disagree with the agency’s reliance on FOIA Exemption 7(a).

The EPA’s letter can be found here

 

Lawsuit Demands Records on EPA Employees’ Use of Encrypted Messaging App

Washington, D.C. – Cause of Action Institute (“CoA Institute”) has filed a lawsuit in the U.S. District Court for the District of Columbia after the Environmental Protection Agency (“EPA”) failed to disclose records about its employees’ use of an encrypted messaging application, “Signal,” to discuss the Trump administration’s expected changes to the agency’s policy agenda.

The lawsuit follows a February 2, 2017 Freedom of Information Act (“FOIA”) request, which sought all records of Signal communications created or received by EPA officials, as well as records concerning the EPA’s efforts, if any, to retriever, recover, or retain such work-related correspondence in accordance with federal records management laws.

Cause of Action Institute Assistant Vice President Henry Kerner: “Career employees at the EPA appear to be using Signal to avoid transparency laws and vital oversight by the Executive Branch, Congress, and the public.  Communications on this encrypted application, however, which relate to agency business must still be preserved under the Federal Records Act and be made available for disclosure under the FOIA.  Taxpayers have a right to know if the EPA’s leadership is meeting its record preservation obligations.”

According to media reports, at least a dozen EPA career employees have been using Signal to communicate about work-related issues, including how to prevent President Trump’s political appointees from “undermin[ing] their agency’s mission to protect public health and the environment” or “delet[ing] valuable scientific data.”  CoA Institute’s investigation into this matter has been widely discussed in the press, along with Congress’s request for the EPA’s watchdog to independently investigate the matter.  To date, the EPA has failed to issue a timely determination on CoA Institute’s FOIA request, let alone produce any responsive records.

The full complaint can be found here.

For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org