Busted During Sunshine Week: EPA Employees Still Appear to be Using Unauthorized Messaging Applications

Cause of Action Institute Urges Chairman Cummings to Investigate EPA Employees’ Violation of Disclosure & Records Retention Laws

Cause of Action Institute (CoA Institute), a nonpartisan strategic oversight group, sent a letter to U.S. Rep. Elijah Cummings, chairman of the U.S. House Committee on Oversight and Reform (Oversight Committee), on the eve of the committee’s hearing on transparency, to urge Chairman Cummings to investigate government employees using unauthorized messaging applications on their government devices to avoid and/or prevent disclosure, as required under federal law.

“We applaud Chairman Cummings for his commitment to government transparency and urge him to use the powers of his committee to determine why government employees can ignore government policies and federal law and use unauthorized messaging applications that thwart disclosure of government business,” said James Valvo, counsel and senior policy advisor at Cause of Action Institute. “The EPA promised it would clean up its act and eliminate unauthorized apps installed on government devices, but our investigation has found the EPA may have failed to take the necessary action, as a result, these unauthorized apps pose considerable harm to enforcing federal disclosure laws.

By letter, the EPA informed the National Archives and Records Administration (NARA) that as of June 2018, the EPA had “completed its process” of disabling downloads of unauthorized applications subject to two minor exceptions, and removed most previously installed applications. However, CoA Institute uncovered evidence that 62.16 percent of all apps installed on EPA-furnished devices were unapproved applications, including the non-work-related or encrypted messaging applications that violate record retention and disclosure laws.

Cause of Action Institute, by letter, informed Chairman Cummings of this information in order to assist the Oversight Committee’s duty to reign in government abuses. CoA Institute also informed NARA and the EPA Inspector General of the findings.

The letter we sent to Chairman Cummings can be found below.
Background on our investigation can be found here and here.

###
Media ContactMatt Frendewey, matt.frendewey@causeofaction.org | 202-699-2018

 

CoA Institute Lawsuit Prompts Archivist to Examine Potential Record Destruction at NOAA

Cause of Action Institute (“CoA Institute”) filed a lawsuit last summer against the National Oceanic and Atmospheric Administration (“NOAA”) seeking copies of electronic records created through the agency’s Google-based email platform.  These types of records are commonly known as “instant messages.”  The Freedom of Information Act (“FOIA”) requests at issue (available here and here) also sought formal agency guidance on the retention of “Google Chat” or “Google Hangouts” messages.  We had already learned, through earlier investigation, that at least one internal NOAA handbook, dating from March 2012, instructed agency employees to treat all chat messages as “off the record,” raising concerns about potential unlawful record destruction at NOAA.

Media Coverage of CoA Institute’s Lawsuit Tipped-off the National Archives

The Daily Caller News Foundation reported on CoA Institute’s lawsuit shortly after it was filed.  Officials at the National Archives and Records Administration (“NARA”), which is tasked with policing federal records management across the government, took notice of the story and subsequently opened an inquiry on July 17, 2017 into CoA Institute’s allegations.  NARA gave NOAA “30 calendar days” to indicate how it planned to address the retention of “Google Chat and Skype messages,” and, if necessary, to report an “unauthorized disposition,” that is, the improper destruction of records.

As far as we know, eight months later, NOAA still has not responded to NARA.  We only learned about the NARA inquiry due to the agency’s recent decision to proactively disclose information on all pending investigations into the unauthorized disposition of federal records.  We have filed FOIA requests with NOAA and NARA in order to discover the status of the inquiry, and we will provide further updates as more details become available.

The fact that CoA Institute had to file a FOIA request to obtain NOAA’s response to the NARA inquiry, as well as related communications, shows that NARA’s proactive disclosure regime on this topic could be improved.  NARA should add another category of materials to its webpage that includes all correspondence received from an agency under investigation for the improper treatment of records.

NOAA’s Questionably Legal Google Chat Policy Flouts NARA Guidance

It goes without saying that an agency-wide policy to treat all chat messages as categorically “off the record” is problematic.  Even if an agency expects its employees to keep business-related communications, which could qualify for retention under the Federal Records Act (“FRA”), off a chat-based platform, it is reasonable to assume that some messages worthy of preservation will be sent or received over instant messaging.  NARA Bulletin 2015-02 makes that point clear.  And even if some instant messages were not worthy of long-term historical preservation, they would still qualify as transitory records subject to NARA-approved disposition schedules.

A categorical policy such as the one that NOAA has adopted creates a moral hazard.  Officials who want to thwart transparency can communicate with chat or instant messaging and, at least in this case, there is no way for the agency, NARA, or the public to catch them in the act.  NOAA officials have been observed using Google Chat to communicate during a contentious meeting of the New England Fishery Management Council.  If an agency like NOAA refuses to police how its employees are using the chat function on their Google-based email accounts, it should disable the function all together.

Regardless of whether electronic messages created through Google Chat or Google Hangouts are subject to the FRA, they may still be subject to the FOIA, which defines an “agency record” in broader terms than the FRA’s definition of a “federal record.”  By failing to implement any sort of mechanism for preserving chat messages—even for the briefest period—NOAA is depriving the American public of access to records that could be particularly important in showing how the agency operates and regulates.

The worst part of this saga is that NOAA knew it was treading a thin line in deciding to treat Google Chat messages as “off the record.”  According on documents obtained through the FOIA, NOAA’s lawyers and records management specialists were aware that electronic messages would need to be saved for public disclosure if Google Chat were “on the record.”  Notes from an October 20, 2011 meeting reflect this:

NOAA also recognized that chat messages could, in theory, be subject to the FRA.  Yet NOAA Records Officer Patricia Erdenberger reasoned that, by treating Google Chat as “off the record,” the agency’s FRA obligations could be bypassed.  Making a questionable analogy to phone calls, Erdenberger suggested that chat messages be “considered transient electrons.”

Agencies must do a better job at keeping pace with evolving forms of technology.  As one of my colleagues has argued, the use of non-email methods of electronic communication—including text and instant messaging, as well as encrypted phone applications like Signal—has serious implications for federal records management.  The Department of Commerce, NOAA’s parent agency, has not updated it policy for handling electronic records since May of 1987.  NARA, for its part, has been critical of the Department’s failure to revise this guidance, which is “heavily oriented towards the management of digital records on storage media such as diskettes and magnetic tape.”  Still, thirty years is a long time for such inaction, even for the federal government.  The transparency community must therefore intensify its efforts to hold the government accountable until more effective ways of handling electronic records are introduced.

Ryan Mulvey is Counsel at Cause of Action Institute

DHS Fails to Locate Records Concerning Compliance with Federal Records Act over Private Web-based Email Accounts

Cause of Action Institute (“CoA Institute”) filed a Freedom of Information Act (“FOIA”) appeal with the Department of Homeland Security (“DHS”) yesterday, challenging the adequacy of the agency’s search for records concerning the use of private web-based email accounts by former DHS officials, as well as efforts to recover federal records from those officials’ accounts, as required by the Federal Records Act (“FRA”).  Although DHS disclosed two records in response to our request—namely, a letter from the National Archives and Records Administration (“NARA”), which expressed concern over the possible alienation of federal records, and DHS’s response to NARA—DHS’s repeated representations in federal court demonstrate the existence of countless other responsive records.

High-Ranking DHS Officials Received “Waivers” to Use Private Web-based Email Accounts

In July 2015, Bloomberg reported that then-Secretary Jeh Johnson and at least twenty-eight other senior officials at DHS were granted special permission to used private web-based email accounts—such as Google and Yahoo—to conduct official business.  These “waivers” were exceptions to an agency-wide ban on the use of private email that was imposed in April 2014.  Agency insiders admitted that the practice of issuing such waivers was a “national security risk.”  As reported by Politico, DHS ended its use of waivers, but the agency still faced numerous FOIA requests—and a lawsuit brought by Judicial Watch—from those seeking access to the work-related records created or received on the private web-based email accounts.

CoA Institute’s Initial Investigation into the DHS Webmail Waivers

On September 11, 2015, CoA Institute submitted a FOIA request to DHS for all agency records maintained on Secretary Johnson’s—or any other official’s—private web-based email account.  We also sought records concerning the DHS webmail waiver regime, including policies on how waivers were granted or guidance on record retention that may have been provided to waiver recipients.  In response to the request, DHS provided a substantial number of records concerning the actual processing of waivers, but it failed to produce any official correspondence from the private accounts.  Although we appealed that determination, DHS upheld the adequacy of its search, even though it had openly admitted in court to having control over actual responsive records.  A federal district court judge even issued a preservation order to ensure that former officials would continue to cooperate with recovery efforts under the Trump Administration.

Exploring DHS’s Compliance with the Federal Records Act

Armed with the knowledge that DHS was working to recover potential federal records from Secretary Johnson’s private web-based email account, as well as the accounts of three other former officials, CoA Institute filed two additional FOIA requests on June 1, 2017.  We asked both DHS and NARA to disclose records concerning NARA approval for the practice of issuing webmail waivers, as well as records reflecting the agencies’ compliance with their FRA obligations.  For example, we wanted to know whether DHS had involved the Attorney General in recovery efforts, or whether anything had been done to recover records from the other twenty-five webmail recipients that were not the subject of Judicial Watch’s ongoing FOIA litigation.

DHS could only locate two responsive records.  The first was a February 22, 2017 letter from NARA, which was prompted by the Judicial Watch lawsuit and raised concerns about the possible alienation of federal records.  NARA asked DHS to prepare a report on its recover efforts, along with a description of the “safeguards” that had been implemented to prevent the future alienation of records from private web-based email accounts.  The second responsive record was DHS’s Mary 19, 2017 response to NARA, in which the agency described its ongoing communications with Secretary Johnson and others to facilitate the return of potential federal records.  DHS claimed it was unable to locate any other responsive material.

This is an absurd determination.  DHS has repeatedly described its ongoing efforts to comply with the FRA and to ensure that work-related emails from the private web-based email accounts are returned to the agency, at least with respect to the four officials identified by Judicial Watch.  Whither the records of such communications?  CoA Institute’s request to DHS was intentionally broad and sought to capture, among other things, “any correspondence from a webmail recipient indicating that he or she no longer ha[s] possession of DHS records in a personal email account, or that he or she ha[s] forwarded them to a DHS-hosted email account, and any records evidencing agency efforts to confirm the truth of such representations.”

As for our request to NARA, that agency has failed to provide any sort of interim response, let alone a final determination, despite the fact it had granted CoA Institute’s FOIA request expedited processing.

The Lack of Transparency in Agency Compliance with the Federal Records Act is Troubling

The Obama Administration established a pattern of high-ranking officials using personal email accounts to conduct agency affairs, thereby potentially ignoring federal laws that require the preservation of records for future disclosure to Congress and the American public.  The lack of transparency with respect to the use of private email is concerning enough; the lack of transparency over efforts to remedy abusive and unauthorized use of personal email, and to return records to agency custody, is even more worrisome.  Government-oversight organizations such as CoA Institute have increasingly been forced to seek judicial relief to ensure agency compliance with the FRA, and this tendency is only likely to increase given the pace of technological development.

DHS seems to be working extra hard to keep secret whether it has fully met its FRA obligations.  It was certainly embarrassing for the agency when its practice of issuing waivers that allowed agency leadership to use private web-based email accounts came to light.  It will be even more embarrassing if evidence surfaces to show that DHS is still dragging its feet to recover those records, as required by law.

Ryan Mulvey is Counsel at Cause of Action Institute

 

Court Dismisses Hillary Clinton Email Recovery Case

Washington D.C. – A federal judge in the U.S. District Court for the District of Columbia today dismissed a case brought by Cause of Action Institute (“CoA Institute”) and Judicial Watch against the Secretary of State and the Archivist of the United States to compel them to fulfill their legal obligations to recover all of Hillary Clinton’s unlawfully removed email records during her tenure as Secretary of State.

In December 2016, the D.C. Circuit Court of Appeals ruled in favor of CoA Institute and Judicial Watch, overturning an earlier opinion by the same district court judge that had dismissed the case as “moot.” Despite the higher court’s rebuke, the Secretary of State and U.S. Archivist still refused to perform their statutory obligations under the Federal Records Act to recover Secretary Clinton’s email records by initiating action through the Attorney General.

CoA Institute President and CEO John J. Vecchione: “The fact that this case was dismissed does not absolve Secretary Clinton or show that all of her unlawfully removed email records have been recovered. In fact, the Court’s decision shows that Secretary Clinton violated the Federal Records Act and that a subset of her work-related emails remains missing. Unfortunately, the Court concluded that efforts by the FBI in its investigation of Secretary Clinton’s handling of classified material, which resulted in the recovery of numerous emails that Clinton had not previously turned over, left nothing further for the Attorney General to do.”

This case, for the first time, brought to light that the FBI’s investigation included the issuance of grand jury subpoenas. The Court stated that “referral to the Attorney General” is the typical remedy for unrecovered records, but found that unnecessary in this case because:

The Government has already deployed the law enforcement authority of the United States to recover Clinton’s emails, as the FBI has sought those records as part of its investigation into whether Clinton mismanaged classified information. The Court thus need not speculate about what the Attorney General might do.

Testimony submitted by FBI Assistant Director E.W. Priestap opined that the Bureau’s investigation was conclusive. However, the FBI’s investigation focused solely on “unauthorized transmission and storage of classified information” and was not a Federal Records Act record-recovery effort, which was the focus of this litigation. Regardless, the Court found Agent Priestap’s opinions “relevant and reliable,” stating:

Although the FBI and the Attorney General are not one and the same, Jeff Sessions would necessarily look to his investigative arm to recover Clinton’s emails. The FBI’s own assessment of its searches is therefore telling.

Read the full opinion here

Federal Records Law Must Keep Pace with Evolving Technology

Technology develops faster than law.  This maxim has implications across society, but one place it has particular purchase is in federal recordkeeping and the public’s right to access government information.  The two primary federal statutes that require government to preserve records and then allow the public to access those records are the Federal Records Act (“FRA”) and the Freedom of Information Act (“FOIA”).  Federal agencies, unfortunately, do not always live up to their obligations under these laws and government-oversight organizations turn to the courts to seek relief.  The public’s right to sue under the FOIA is well established.  However, courts rarely compel agencies to fulfil their FRA obligations.  My organization, Cause of Action Institute (“CoA Institute”), is currently involved in two important FRA lawsuits that may shape the future of agency obligations under the FRA for decades to come, as information technologies continue to change.

Both lawsuits arose from Secretaries of State failing to preserve their emails in compliance with the Federal Records Act.  Former Secretary Hillary Clinton’s email travails are well catalogued.  But former Secretary Colin Powell also used a non-governmental email account to conduct official government business.  The factual difference between these two cases is that while Secretary Clinton primarily used a personal email service with a server in her basement, Secretary Powell used an AOL account.  But Secretary Clinton also used a BlackBerry email account for the first two months of her tenure as Secretary of State.  So, from these two cases the same legal issue arises: what is an agency’s FRA obligation to recover unlawfully removed federal email records that are housed on commercial email servers?

This question is important to the future of federal recordkeeping law and public access to information because we are already seeing an explosion of non-email methods of electronic communication.  Some of these methods of communication store information locally, such as on a phone or computer, and some store them on commercial servers.  For example, FOIA requesters have been battling for access to text messages for years, agency employees use various forms of instant messaging while at work, and we’ve now seen the rise of the surreptitious use of phone applications such as Signal and Confide that do not always preserve the communications.

In Armstrong v. Bush, the D.C. Circuit recognized two cognizable private rights of action under the Federal Records Act.  First, a plaintiff may bring a case against an agency if that agency does not have the requisite recordkeeping policies in place or if the policies are insufficiently clear so that an employee does not know what type of records he is required to save.  Second, a plaintiff may bring a case to compel the head of an agency or the Archivist of the United States to recover records that have been unlawfully removed from the agency.  If the agency head or Archivist is either unable or unwilling to perform that duty, then the FRA requires them to “initiate action through the Attorney General for the recovery” of those records.  To our knowledge, no such referral to the Attorney General has ever occurred.

At stake in CoA Institute’s Clinton and Powell cases is whether a plaintiff can force the agency head and Archivist to refer the matter to the Attorney General when, through their own actions, they have failed to recover all the missing records.  In both cases the State Department asked representatives of Secretaries Clinton and Powell to recover the unlawfully removed records and return them to the agency for historical preservation and for response to FOIA requests.  In both cases those representatives responded that they were unable to obtain copies of the records that were housed on BlackBerry and AOL servers, respectively.  The State Department and Archivist have responded in the ongoing suits that those efforts are sufficient and that they are not required to use legal process or refer the matter to the Attorney General for more forceful efforts at record recovery.

CoA Institute’s case related to Secretary Clinton has already been to the D.C. Circuit once and the appellate court held that the agency is only absolved of its Federal Records Act obligations if it can establish the “fatal loss” of the records in question.  The State Department and Archivist have not made a sufficient affirmative showing that BlackBerry, and AOL in the case of Secretary Powell, do not have, and cannot recover, these email records.  They have offered no statements from either company or detailed efforts by those companies to recover and return the federal records.

Whether the district court compels the current Secretary of State and Archivist to make such an affirmative showing or requires them to refer the matter to the Attorney General for him to attempt record recovery could set an important precedent.  This decision will shape the future of agency responsibilities under the Federal Records Act and the public’s ability to have access to its government’s information as communications technology continues to change.

James Valvo is counsel and senior policy advisor at Cause of Action Institute.  He is counsel in both cases discussed in this article.  You can follow him on Twitter @JamesValvo.

CoA Institute Presses CFPB on Agency Records Kept on Personal Mobile Device

No matter what messaging medium agencies use to conduct business, federal records must be preserved.  If government employees are allowed to evade the Federal Records Act and the Freedom of Information Act (“FOIA”) through use of messaging on their private mobile devices, it threatens government transparency and encumbers efforts to hold agencies accountable.

Just last week, CoA Institute received documents from the Consumer Financial Protection Bureau (“CFPB”) indicating that, in response to our FOIA request, it conducted a search of Director Richard Cordray’s personal mobile device for any text messages that may be agency records.  That action represents the minimum required of CFPB under the law, but the agency has not yet clarified whether it has adequate recordkeeping procedures in place to preserve all agency records created on such personal devices.  It also is unclear whether Director Cordray’s text messages represent the whole body of agency business done on the Director’s phone and if any records may have been destroyed before responding to our request.

In addition, CoA Institute discovered that the National Archives and Records Administration (“NARA”) sent a February 1, 2017 letter to CFPB, requesting information and reports regarding potential destruction of the above-mentioned records.  NARA demanded a reply from CFPB by March 1, 2017.  Today, we filed FOIA requests with both CFPB and NARA in an effort to uncover CFPB’s response and clarify what actions, if any, the agency has taken to fortify its recordkeeping practices.

DC Circuit Holds Cause of Action Institute Federal Records Act Case on Clinton Emails Not Moot

Today, the DC Circuit held the Judicial Watch and CoA Institute cases against the Secretary of State and Archivist seeking to enforce their Federal Records Act duties as they relate to Hillary Clinton’s emails are not moot. 

The court held that because the statute requires the agencies to reach out to the Attorney General to seek record recovery, and because they have not done so, CoA Institute and Judicial Watch have not received everything to which they are entitled and, therefore, the cases are not moot.

CoA Institute Vice President John Vecchione -who argued the case before the circuit“The DC circuit has reinforced the lesson that the government is bound to follow the law and that measures short of what the law requires to recover government documents can not be substituted as ‘good enough’.”

Read the opinion here.