CoA Institute Calls for EPA Watchdog Investigation into the Use of Unauthorized Electronic Messaging and Web-Based Email Apps on Agency Devices

Washington, D.C. – Cause of Action Institute (“CoA Institute”) wrote yesterday to the Environmental Protection Agency (“EPA”) Office of Inspector General (“OIG”) to request an investigation into the unauthorized use of electronic messaging and web-based email applications on agency-furnished and taxpayer-funded mobile devices, including iPhones and iPads. CoA Institute’s request follows the recent release under the Freedom of Information Act (“FOIA”) of a contractor-generated report that proves EPA employees installed at least sixteen different messaging applications, including Facebook Messenger and Google Hangouts, in contravention of official agency policy.  EPA employees also installed personal email programs, such as AOL and Yahoo Mail, on their government phones.  The OIG previously examined the use of two other encrypted messaging applications, “Signal” and “WhatsApp,” after CoA Institute opened its own investigation into allegations concerning the possible avoidance of records management laws.

 Cause of Action Institute Counsel Ryan Mulvey: “The newest details concerning the range of applications that EPA employees installed on their taxpayer-funded phones and tablets raise serious concerns.  Beyond the fact that many of these applications should never have been found on a government phone because of their personal nature, the presence of sixteen different electronic messaging applications raises doubts about the EPA’s compliance with record preservation rules.  All work-related communications created or received on a personal email account, or an electronic messaging program like Facebook Messenger, should have been preserved for disclosure to the public.  The EPA Inspector General must examine this matter and consider what steps the agency should take to rectify any deficiencies in meeting its record preservation obligations.”

Shortly after President Trump took office, Politico reported that a small group of EPA employees were using an encrypted messaging application, called “Signal,” to discuss ways to prevent incoming political appointees from implementing the new Administration’s policy agenda.  CoA Institute opened an investigation and, over the past year, has slowly pieced together details about the Signal scandal.

In response to its first FOIA lawsuit, the EPA acknowledged that there was an “open law enforcement” investigation.  Then, records released to CoA Institute revealed how an EPA contractor “scanned” most agency-furnished devices for the different applications that had been installed by employees.  That scan, which was requested “orally” by the OIG, was conducted with a software tool known as “Mobile Device Management,” or “MDM.”  As part CoA Institute’s second FOIA lawsuit, the EPA disclosed the contractor-generated report, as well as other documents.  A summary of the report, which consists of a list running ninety-six pages long, identifies all of the applications installed on most agency-furnished devices.

In addition to Signal and WhatsApp, at least another sixteen applications with electronic messaging capabilities were used by EPA employees, along with three email programs.  To the extent the OIG was unaware of these other messaging applications, further inquiries are necessary, as the use of these applications raise issues relating to federal records management.  Moreover, although the OIG has reported that the EPA disabled the ability of many iPhone and iPad users to download the “Apple Store app,” and thus to install unauthorized applications, it is unknown whether all unapproved messaging applications have been deleted or, alternatively, whether adequate procedures have been put in place so that the EPA can meet its recordkeeping obligations.

CoA Institute’s April 11, 2018 letter to the EPA Inspector General is available HERE.

For information regarding this press release, please contact Nichole Wilson: Nichole.wilson@causeofaction.org

Cause of Action Institute Launches Investigation into Agency Use of Instant Messaging Applications

The number of communications devices and platforms has mushroomed in recent years, making communication both quicker and easier. Naturally, these technologies have been incorporated into business and government. The use of instant messaging applications (“IM”) for business communications has become so common that most enterprise software includes IM functionality (for example, Google Hangouts, Skype for Business instant messaging, Slack, etc.).

In response to these developments, the Federal Records Act (“FRA”) was amended in 2014 to codify a new definition of electronic messages.  The FRA now states that electronic messages include “electronic mail and other electronic messaging systems that are used for purposes of communicating between individuals” 44 U.S.C. § 2911. Electronic communications sent or received in the course of agency business—regardless of the method of message delivery—are therefore federal records and must be properly captured, retained, and stored such that they can be searched and reproduced upon request. National Archives and Records Administration (“NARA”) Bulletin 2015-02, “Guidance on Managing Electronic Messages,” makes this explicitly clear.

Unfortunately, recent events have highlighted the failure of federal agencies to properly capture, retain, and store electronic messages, including:

  • five months of missing, and then recovered, text messages between the FBI’s Peter Strzok and Lisa Page related to their official duties,
  • 2016 EPA Inspector General investigation into the use of encrypted text messages,
  • CFPB using encrypted messaging apps, the so-called “Dumbledore’s Army”,
  • IRS not retaining communications through their internal instant messaging system due to a memorandum of understanding with the Treasury Employees Union, and
  • NOAA’s questionable use of Google Hangouts.

It appears incidents of federal agencies neglecting and/or intentionally failing to properly capture, retain, and store electronic messages that are federal records are not isolated or exceptional. In light of this, CoA Institute has launched a broad inquiry into federal agencies’ efforts to implement the 2014 FRA amendments and NARA Bulletin 2015-02. Last week, CoA Institute sent FOIA requests to nearly forty agencies seeking records:

  • regarding policies on the use, retention, and management of electronic (instant) messages;
  • related to implementation of or compliance with NARA Bulletin 2015-02;
  • reflecting the electronic messaging systems installed on agency devices; and
  • reflecting whether the agency has enabled automatic electronic message archiving, indexing, and eDiscovery features on instant messaging platforms in use.

The FRA and Freedom of Information Act are essential to government transparency and accountability and they must be enforced even when—or especially when—government regulations, policies, and practices lag behind the implementation of new technologies. With respect to instant messages, the federal government’s characteristic bureaucratic torpidity bears potentially far-reaching implications for proper oversight of the federal government. With this investigation, CoA Institute seeks to discover whether (and where) government neglect or exploitation of new technologies threatens transparency and accountability.

 

Thomas Kimbrell is a research fellow at Cause of Action Institute.