CoA Institute Calls for EPA Watchdog Investigation into the Use of Unauthorized Electronic Messaging and Web-Based Email Apps on Agency Devices

Washington, D.C. – Cause of Action Institute (“CoA Institute”) wrote yesterday to the Environmental Protection Agency (“EPA”) Office of Inspector General (“OIG”) to request an investigation into the unauthorized use of electronic messaging and web-based email applications on agency-furnished and taxpayer-funded mobile devices, including iPhones and iPads. CoA Institute’s request follows the recent release under the Freedom of Information Act (“FOIA”) of a contractor-generated report that proves EPA employees installed at least sixteen different messaging applications, including Facebook Messenger and Google Hangouts, in contravention of official agency policy.  EPA employees also installed personal email programs, such as AOL and Yahoo Mail, on their government phones.  The OIG previously examined the use of two other encrypted messaging applications, “Signal” and “WhatsApp,” after CoA Institute opened its own investigation into allegations concerning the possible avoidance of records management laws.

 Cause of Action Institute Counsel Ryan Mulvey: “The newest details concerning the range of applications that EPA employees installed on their taxpayer-funded phones and tablets raise serious concerns.  Beyond the fact that many of these applications should never have been found on a government phone because of their personal nature, the presence of sixteen different electronic messaging applications raises doubts about the EPA’s compliance with record preservation rules.  All work-related communications created or received on a personal email account, or an electronic messaging program like Facebook Messenger, should have been preserved for disclosure to the public.  The EPA Inspector General must examine this matter and consider what steps the agency should take to rectify any deficiencies in meeting its record preservation obligations.”

Shortly after President Trump took office, Politico reported that a small group of EPA employees were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the new Administration’s policy agenda.  CoA Institute opened an investigation and, over the past year, has slowly pieced together details about the Signal scandal.

In response to its first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Then, records released to CoA Institute revealed how an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  That scan, which was requested “orally” by the OIG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed the contractor-generated report, as well as other documents.  A summary of the report, which consists of a list running ninety-six pages long, identifies all of the applications installed on most agency-furnished devices.

In addition to Signal and WhatsApp, at least another sixteen applications with electronic messaging capabilities were used by EPA employees, along with three email programs.  To the extent the OIG was unaware of these other messaging applications, further inquiries are necessary, as the use of these applications raise issues relating to federal records management.  Moreover, although the OIG has reported that the EPA disabled the ability of many iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet its recordkeeping obligations.

CoA Institute’s April 11, 2018 letter to the EPA Inspector General is available HERE.

For information regarding this press release, please contact Nichole Wilson: Nichole.wilson@causeofaction.org

Cause of Action Institute Launches Investigation into Agency Use of Instant Messaging Applications

The number of communications devices and platforms has mushroomed in recent years, making communication both quicker and easier. Naturally, these technologies have been incorporated into business and government. The use of instant messaging applications (“IM”) for business communications has become so common that most enterprise software includes IM functionality (for example, Google Hangouts, Skype for Business instant messaging, Slack, etc.).

In response to these developments, the Federal Records Act (“FRA”) was amended in 2014 to codify a new definition of electronic messages.  The FRA now states that electronic messages include “electronic mail and other electronic messaging systems that are used for purposes of communicating between individuals” 44 U.S.C. § 2911. Electronic communications sent or received in the course of agency business—regardless of the method of message delivery—are therefore federal records and must be properly captured, retained, and stored such that they can be searched and reproduced upon request. National Archives and Records Administration (“NARA”) Bulletin 2015-02, “Guidance on Managing Electronic Messages,” makes this explicitly clear.

Unfortunately, recent events have highlighted the failure of federal agencies to properly capture, retain, and store electronic messages, including:

  • five months of missing, and then recovered, text messages between the FBI’s Peter Strzok and Lisa Page related to their official duties,
  • 2016 EPA Inspector General investigation into the use of encrypted text messages,
  • CFPB using encrypted messaging apps, the so-called “Dumbledore’s Army”,
  • IRS not retaining communications through their internal instant messaging system due to a memorandum of understanding with the Treasury Employees Union, and
  • NOAA’s questionable use of Google Hangouts.

It appears incidents of federal agencies neglecting and/or intentionally failing to properly capture, retain, and store electronic messages that are federal records are not isolated or exceptional. In light of this, CoA Institute has launched a broad inquiry into federal agencies’ efforts to implement the 2014 FRA amendments and NARA Bulletin 2015-02. Last week, CoA Institute sent FOIA requests to nearly forty agencies seeking records:

  • regarding policies on the use, retention, and management of electronic (instant) messages;
  • related to implementation of or compliance with NARA Bulletin 2015-02;
  • reflecting the electronic messaging systems installed on agency devices; and
  • reflecting whether the agency has enabled automatic electronic message archiving, indexing, and eDiscovery features on instant messaging platforms in use.

The FRA and Freedom of Information Act are essential to government transparency and accountability and they must be enforced even when—or especially when—government regulations, policies, and practices lag behind the implementation of new technologies. With respect to instant messages, the federal government’s characteristic bureaucratic torpidity bears potentially far-reaching implications for proper oversight of the federal government. With this investigation, CoA Institute seeks to discover whether (and where) government neglect or exploitation of new technologies threatens transparency and accountability.

 

Thomas Kimbrell is a research fellow at Cause of Action Institute.

DHS Fails to Locate Records Concerning Compliance with Federal Records Act over Private Web-based Email Accounts

Cause of Action Institute (“CoA Institute”) filed a Freedom of Information Act (“FOIA”) appeal with the Department of Homeland Security (“DHS”) yesterday, challenging the adequacy of the agency’s search for records concerning the use of private web-based email accounts by former DHS officials, as well as efforts to recover federal records from those officials’ accounts, as required by the Federal Records Act (“FRA”).  Although DHS disclosed two records in response to our request—namely, a letter from the National Archives and Records Administration (“NARA”), which expressed concern over the possible alienation of federal records, and DHS’s response to NARA—DHS’s repeated representations in federal court demonstrate the existence of countless other responsive records.

High-Ranking DHS Officials Received “Waivers” to Use Private Web-based Email Accounts

In July 2015, Bloomberg reported that then-Secretary Jeh Johnson and at least twenty-eight other senior officials at DHS were granted special permission to used private web-based email accounts—such as Google and Yahoo—to conduct official business.  These “waivers” were exceptions to an agency-wide ban on the use of private email that was imposed in April 2014.  Agency insiders admitted that the practice of issuing such waivers was a “national security risk.”  As reported by Politico, DHS ended its use of waivers, but the agency still faced numerous FOIA requests—and a lawsuit brought by Judicial Watch—from those seeking access to the work-related records created or received on the private web-based email accounts.

CoA Institute’s Initial Investigation into the DHS Webmail Waivers

On September 11, 2015, CoA Institute submitted a FOIA request to DHS for all agency records maintained on Secretary Johnson’s—or any other official’s—private web-based email account.  We also sought records concerning the DHS webmail waiver regime, including policies on how waivers were granted or guidance on record retention that may have been provided to waiver recipients.  In response to the request, DHS provided a substantial number of records concerning the actual processing of waivers, but it failed to produce any official correspondence from the private accounts.  Although we appealed that determination, DHS upheld the adequacy of its search, even though it had openly admitted in court to having control over actual responsive records.  A federal district court judge even issued a preservation order to ensure that former officials would continue to cooperate with recovery efforts under the Trump Administration.

Exploring DHS’s Compliance with the Federal Records Act

Armed with the knowledge that DHS was working to recover potential federal records from Secretary Johnson’s private web-based email account, as well as the accounts of three other former officials, CoA Institute filed two additional FOIA requests on June 1, 2017.  We asked both DHS and NARA to disclose records concerning NARA approval for the practice of issuing webmail waivers, as well as records reflecting the agencies’ compliance with their FRA obligations.  For example, we wanted to know whether DHS had involved the Attorney General in recovery efforts, or whether anything had been done to recover records from the other twenty-five webmail recipients that were not the subject of Judicial Watch’s ongoing FOIA litigation.

DHS could only locate two responsive records.  The first was a February 22, 2017 letter from NARA, which was prompted by the Judicial Watch lawsuit and raised concerns about the possible alienation of federal records.  NARA asked DHS to prepare a report on its recover efforts, along with a description of the “safeguards” that had been implemented to prevent the future alienation of records from private web-based email accounts.  The second responsive record was DHS’s Mary 19, 2017 response to NARA, in which the agency described its ongoing communications with Secretary Johnson and others to facilitate the return of potential federal records.  DHS claimed it was unable to locate any other responsive material.

This is an absurd determination.  DHS has repeatedly described its ongoing efforts to comply with the FRA and to ensure that work-related emails from the private web-based email accounts are returned to the agency, at least with respect to the four officials identified by Judicial Watch.  Whither the records of such communications?  CoA Institute’s request to DHS was intentionally broad and sought to capture, among other things, “any correspondence from a webmail recipient indicating that he or she no longer ha[s] possession of DHS records in a personal email account, or that he or she ha[s] forwarded them to a DHS-hosted email account, and any records evidencing agency efforts to confirm the truth of such representations.”

As for our request to NARA, that agency has failed to provide any sort of interim response, let alone a final determination, despite the fact it had granted CoA Institute’s FOIA request expedited processing.

The Lack of Transparency in Agency Compliance with the Federal Records Act is Troubling

The Obama Administration established a pattern of high-ranking officials using personal email accounts to conduct agency affairs, thereby potentially ignoring federal laws that require the preservation of records for future disclosure to Congress and the American public.  The lack of transparency with respect to the use of private email is concerning enough; the lack of transparency over efforts to remedy abusive and unauthorized use of personal email, and to return records to agency custody, is even more worrisome.  Government-oversight organizations such as CoA Institute have increasingly been forced to seek judicial relief to ensure agency compliance with the FRA, and this tendency is only likely to increase given the pace of technological development.

DHS seems to be working extra hard to keep secret whether it has fully met its FRA obligations.  It was certainly embarrassing for the agency when its practice of issuing waivers that allowed agency leadership to use private web-based email accounts came to light.  It will be even more embarrassing if evidence surfaces to show that DHS is still dragging its feet to recover those records, as required by law.

Ryan Mulvey is Counsel at Cause of Action Institute

 

CoA Institute Asks Court to Order Enforcement Action in Colin Powell Email Case

Washington, D.C. – Cause of Action Institute (“CoA Institute”) today filed a motion for summary judgment in a lawsuit that seeks to compel Secretary of State Rex Tillerson and U.S. Archivist David Ferriero to fulfill their non-discretionary obligations under the Federal Records Act (“FRA”).  Specifically, CoA Institute has asked the court to order Tillerson and Ferriero to initiate an enforcement action through the Attorney General to recover the work-related email records of former Secretary of State Colin Powell from a personal account hosted by AOL, Inc.

“To date, Defendants have undertaken meagre recovery efforts that have proven entirely ineffectual,” argued CoA Institute.  “None of Secretary Powell’s work-related email records have been recovered.  And Defendants have not proven their fatal loss—the only exception in this case that would excuse their intransigence.  Now is the time to involve the Attorney General, the highest law enforcement authority of the federal government, as contemplated and required by the FRA.”

CoA Institute filed its lawsuit in October 2016 after then-Secretary John Kerry and Archivist Ferriero failed to act on CoA Institute’s FRA notice and Freedom of Information Act request.  Just last month, CoA Institute successfully defended its claims against the government’s motion to dismiss.  In denying that motion, U.S. District Court Judge Trevor McFadden highlighted the State Department’s “anemic” recovery efforts and its seeming disregard for the power of leveraging the law enforcement authority exercised by the Attorney General in recovering government records.

Cause of Action Institute President and CEO John J. Vecchione: “Executive Branch officials have no discretion in choosing when to recover unlawfully removed federal records.  For too long, agency leadership—particularly at the State Department—has not been held accountable for its failure to abide by federal record management laws.  Secretary Colin Powell conducted official government business on a private email account; records of his correspondence belong to the federal government and should have been retained for permanent preservation.  We are confident that the law requires more effort to recover the records at issue, including the initiation of an enforcement action through the Attorney General.”

Background

In September 2016, the House Oversight & Government Reform Committee held a hearing at which then-Under Secretary of State Patrick Kennedy testified that the State Department had undertaken minimal efforts to retrieve the work-related emails of Colin Powell.  After learning that Powell no longer had access to his AOL account or its contents, the State Department merely asked Powell to contact AOL to see if anything could be retrieved.  Despite a request from the National Archives and Records Administration (“NARA”) to contact AOL directly, the State Department never did so.  Ultimately, the agency relied on unreliable hearsay—namely, the reported representations of Secretary Powell’s personal secretary about an apparent phone conversation between someone at AOL and a staff member of the House Oversight Committee—to conclude that no records could be recovered.

CoA Institute’s memorandum in support of its motion can be read here.

State Department Motion to Dismiss Denied in Colin Powell Email Case

Washington, D.C. – U.S. District Court Judge Trevor McFadden has denied the federal government’s motion to dismiss a lawsuit to compel Secretary of State Rex Tillerson and U.S. Archivist David Ferriero to fulfill their statutory obligations under the Federal Records Act (“FRA”) to recover former Secretary of State Colin Powell’s work-related email records from a personal account hosted by AOL, Inc.  Cause of Action Institute (“CoA Institute”) filed the lawsuit in October 2016 after then-Secretary John Kerry and Archivist Ferriero both failed to act on CoA Institute’s FRA notice and Freedom of Information Act (“FOIA”) request.

Although the government argued it had no reason to believe that copies of Colin Powell’s email records still existed and were recoverable from AOL servers, Judge McFadden rejected that conclusion, describing the State Department’s recovery efforts as “anemic,” particularly in light of the fruitful “leveraging” of law enforcement authority in the case of former Secretary Hillary Clinton.  “The Defendants’ refusal to turn to the law enforcement authority of the Attorney General is particularly striking in the context of a statute with explicitly mandatory language,” Judge McFadden opined.  “[T]here is a substantial likelihood that [CoA Institute’s] requested relief would yield access to at least some of the emails at issue.”

Cause of Action Institute President and CEO John J. Vecchione: “Agencies must take their responsibility to secure federal records seriously. For too long, agencies have allowed federal employees to use personal email accounts without ensuring those records are recovered and maintained in accordance with the law.  We are encouraged that the court recognized that agencies must do more to recover lost records.”

In September 2016, the House Oversight & Government Reform Committee held a hearing at which then-Under Secretary of State Patrick Kennedy testified that the State Department had undertaken minimal efforts to retrieve Colin Powell’s work-related email.  After learning that Powell no longer had access to his AOL account or its contents, the State Department merely asked Powell to contact AOL to see if anything could be retrieved.  Despite a request from the National Archives and Records Administration (“NARA”) to contact AOL directly, the State Department never did so.  Ultimately, the agency relied on unreliable hearsay—namely, the reported representations of Colin Powell’s personal secretary about an apparent phone conversation between someone at AOL and a staff member of the House Oversight Committee—to conclude that no records could be recovered.

Following yesterday’s ruling on the motion to dismiss, the government Defendants must now either comply with their non-discretionary obligations under the FRA, which requires them to initiate action through the Attorney General to recover unlawfully removed records, or they must proffer new evidence to prove the “fatal loss” and irrecoverability of Colin Powell’s email records from AOL servers.

Judge McFadden’s opinion can be accessed HERE.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org.

Inside NOAA’s Secret Staff Newsletter

Imagine being a New England fisherman.  You’re subject to complex and burdensome regulation, and the federal government isn’t exactly helping to keep your way of life afloat.  In fact, its officials have worked increasingly to limit your ability to catch fish and to impose onerous costs on your continued livelihood.  Take, for example, the legally dubious requirement that groundfish sector members pay up to $700 per day to have “at-sea monitors” ride their boats and watch them fish—a scheme that could put 60% of small-scale fishermen out of business.  Consider also the efforts underway to expand industry-funded monitoring to all other regional fisheries.

If oppressive regulation weren’t enough, now picture these same officials publishing a secret internal newsletter that describes their dealings with you and your fellow fishermen in less-than-flattering terms.  Sadly, this isn’t a hypothetical situation.  According to records obtained by Cause of Action Institute (“CoA Institute”) from whistleblowers and under the Freedom of Information Act (“FOIA”), National Oceanic and Atmospheric Administration (“NOAA”) employees in the Greater Atlantic Regional Fisheries Office have long circulated a paper that often contains their candid feelings towards the fishermen with whom they are supposed to collaborate.

In one article, dated June 29, 2010, Port Agent Victor Vecchio, who works in the “Stakeholder Engagement Division,” described fishermen at a “groundfish outreach meeting” as spreading “various conspiracy theories,” at least until they “ran out of steam (or vodka . . . or whatever).”

Figure 1: Vic Vecchio, “Groundfish Outreach Meeting–Montauk, NY 6/29/2010,” Fathoms (July 2, 2010)

In response to an October 17, 2017 FOIA request, the National Oceanic and Atmospheric Administration released a complete copy of its April 1-15, 2017 issue of Fathoms, which was heavily redacted to “protect” confidential commercial information.  The range of topics covered in the paper include news about enforcement actions, in-season events (such as the opening of the recreational fishery), the impact of weather patterns on fishing activity, and even scientific developments.  Much of this appears benign and, indeed, informative.  But, as expected, the issue also discusses the industry’s frustration with planned regulatory actions.  The entire content of that article was conspicuously redacted.

In addition to filling a follow-up request for all issues of Fathoms from December 2015 to the present, CoA Institute has filed an administrative appeal challenging NOAA’s heavy-handed redactions.  Exemption 4, which protects confidential commercial information, does not typically apply to government-generated information.  More importantly, the sort of information contained in Fathoms could hardly be described as “confidential” because it would neither impair NOAA’s ability to obtain information from fishermen in the future nor cause a competitive disadvantage to any part of the fishing industry.

It seems instead that the National Oceanic and Atmospheric Administration is hiding behind an exemption designed to protect businesses in order to actually keep secret its criticism of businesses.  CoA Institute’s staff attorneys have spoken to a number of fishermen who are completely unaware of the existence of Fathoms.  Given the derision they likely receive in its pages, they are unlikely to be too pleased by efforts from the National Oceanic and Atmospheric Administration to block disclosure.

NOAA’s shenanigans don’t end there.  Another record disclosed to CoA Institute suggests that there’s a second internal digest—Dock Buzz—that could similarly provide insight into the government’s relationship with the New England fishing industry.  CoA Institute also continues to investigate NOAA’s likely violation of federal records management laws in failing to preserve employee Google Chat/Google Hangout records.

Ryan P. Mulvey is Counsel at Cause of Action Institute.

CoA Institute Investigates CFPB’s ‘Dumbledore Army’ Using Encrypted Messaging Apps to Thwart Transparency

Washington D.C. – Cause of Action Institute (“CoA Institute”) today filed a Freedom of Information Act (“FOIA”) request after media reports identified a number of career employees at the Consumer Financial Protection Bureau (“CFPB”) who use encrypted messaging apps to communicate about ways to resist changes under newly Trump-appointed acting director Mick Mulvaney. The group reportedly refers to itself as Dumbledore’s Army, a nod to a fictional resistance movement in the Harry Potter novels.

CoA Institute Counsel Eric Bolinder: “A number of CFPB employees are reportedly using encrypted apps on their phones to evade transparency laws and conceal their communications from oversight. Under the Federal Records Act, the CFPB has a legal obligation to preserve all records made by employees working on official government business. Congress and the public have a right to know if federal employees are intentionally evading transparency in order to resist changes under CFPB’s new leadership.”

A December 5, 2017 article by the New York Times reported that CFPB employees are communicating among themselves using encrypted messaging applications:

An atmosphere of intense anxiety has taken hold, several employees said. In some cases, conversations between staff that used to take place by phone or text now happen almost exclusively in person or through encrypted messaging apps.

It is unknown whether these employees discuss work-related issues using their CFPB-issued or personal devices. Under the Federal Records Act, the CFPB has a legal obligation to preserve records evidencing employees working on government business, no matter the medium of their communication.

CoA Institute’s FOIA seeks all records reflecting the number of CFPB devices on which encrypted messaging applications were installed, internal policy guidelines on the use of such apps, as well as the communications themselves and efforts by CFPB to recover and archive these messages. The FOIA also specifically requests all communications that contain the words “Dumbledore,” “Dumbledore’s Army,” “Snape,” “Voldemort,” and “He-who-shall-not-be-named,” among other records.

The full FOIA can be found here.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org.