CoA Institute Uncovers EPA Investigation into Employees’ Use of Encrypted Messaging App

Hours after filing a lawsuit demanding that the Environmental Protection Agency (“EPA”) disclose records about its employees’ use of an encrypted messaging application, Cause of Action Institute (“CoA Institute”) received a letter from the EPA’s Office of General Counsel acknowledging that there is an “open law enforcement” investigation looking into the matter.

The EPA indicated that records created or received by its employees on “Signal,” and records concerning efforts “to retrieve, recover, or retain” those messages, were “part of one or more open law enforcement file(s).” The agency claimed such records were exempt from disclosure under the Freedom of Information Act (“FOIA”) because they were compiled for “law enforcement purposes” and their disclosure “could reasonably be expected to interfere with ongoing enforcement proceedings.”  Further, the EPA stated that it could not find any records reflecting “permission, clearance, or approval” for the use of the encrypted messaging app.

Cause of Action Institute Assistant Vice President Henry Kerner: “The EPA’s response to our lawsuit is unsurprising, but still deeply disturbing.  The unauthorized use of an encrypted messaging app by a government employee is inappropriate, and the EPA appears to agree that its employees might have broken the law.  Although we are pleased to learn that the agency is examining potential wrongdoing, we will continue to fight for the disclosure of records responsive to our FOIA request because we do not agree that the law prohibits the disclosure of the Signal messages.  It will be up to the courts to decide.”

Even though the EPA purports to have provided a final response to CoA Institute’s FOIA request, the recently filed lawsuit will continue. CoA Institute disputes the sufficiency of the EPA’s determination, which suggests that a search for potentially responsive records was never carried out. In addition, we disagree with the agency’s reliance on FOIA Exemption 7(a).

The EPA’s letter can be found here.

Lawsuit Demands Records on EPA Employees’ Use of Encrypted Messaging App

Washington, D.C. – Cause of Action Institute (“CoA Institute”) has filed a lawsuit in the U.S. District Court for the District of Columbia after the Environmental Protection Agency (“EPA”) failed to disclose records about its employees’ use of an encrypted messaging application, “Signal,” to discuss the Trump administration’s expected changes to the agency’s policy agenda.

The lawsuit follows a February 2, 2017 Freedom of Information Act (“FOIA”) request, which sought all records of Signal communications created or received by EPA officials, as well as records concerning the EPA’s efforts, if any, to retrieve, recover, or retain such work-related correspondence in accordance with federal records management laws.

Cause of Action Institute Assistant Vice President Henry Kerner: “Career employees at the EPA appear to be using Signal to avoid transparency laws and vital oversight by the Executive Branch, Congress, and the public.  Communications on this encrypted application, however, which relate to agency business must still be preserved under the Federal Records Act and be made available for disclosure under the FOIA.  Taxpayers have a right to know if the EPA’s leadership is meeting its record preservation obligations.”

According to media reports, at least a dozen EPA career employees have been using Signal to communicate about work-related issues, including how to prevent President Trump’s political appointees from “undermin[ing] their agency’s mission to protect public health and the environment” or “delet[ing] valuable scientific data.”  CoA Institute’s investigation into this matter has been widely discussed in the press, along with Congress’s request for the EPA’s watchdog to independently investigate the matter.  To date, the EPA has failed to issue a timely determination on CoA Institute’s FOIA request, let alone produce any responsive records.

The full complaint can be found here.

For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org

The Proof is in the Metadata: Recent Developments in CEI v. OSTP

Last summer, in Competitive Enterprise Institute v. Office of Science & Technology Policy, 827 F.3d 145 (D.C. Cir. 2016) (“CEI v. OSTP”), the D.C. Circuit reached an important decision concerning an agency’s obligation to search private email accounts maintained by government officials for records responsive to a Freedom of Information Act (“FOIA”) request. The court determined that if an official “possesses what would otherwise be agency records [e.g., work-related email], the records do not lose their agency character just because the official . . . takes them out the door [e.g., to a private account][.]” Id. at 149. Thus, if a personal email account may contain agency records, the agency cannot categorically refuse to conduct a search of that private account.

This past week, however, the district court on remand appeared to dampen the impact of the D.C. Circuit’s ruling. Judge Gladys Kessler determined that OSTP had met its burden under the FOIA and did not have to conduct a search of former Director John Holdren’s personal email account, the contents of which had been saved on a thumb drive last December under court order. OSTP successfully argued that any agency records on Holdren’s non-governmental account would be duplicative of records already on OSTP servers. The agency pointed to a policy that required Holdren to forward work-related email to his official account or to copy that account on work-related correspondence. OSTP also attested that Holdren obeyed this policy on “approximately 4,500 occasions” and was otherwise entitled to a presumption of compliance “absent evidence to the contrary.” CEI could not rebut the presumption.

The district court’s decision, particularly on the heels of Sunshine Week, is disappointing. First, although a requester admittedly cannot rely on speculation to prove wrongdoing, once a requester has proven that a non-governmental system contains agency records, the agency should not be allowed to forego a search of that system simply because it claims to possess “duplicative” records elsewhere. It is difficult enough to demonstrate that an agency official is violating the spirit, if not the law, of transparent government by using personal email for work-related purposes. The existence and usage of a parallel personal account should be enough, in most cases, to rebut any presumption of compliance with preservation rules. Of course, OSTP may have given sufficient evidence of Holdren’s compliance in this case—an affidavit indicated that he forwarded or copied his official email account approximately 4,500 times—but courts should remain skeptical that all agency records have been forwarded when atypical means of conducting government business are at issue. One need only consider the ongoing saga of former Secretary of State Hillary Clinton’s private email accounts, where additional State Department records were uncovered even after she had averred that all such records had been turned over, to understand why this should be the case.

Second, assuming OSTP had copies of all agency records from Holdren’s personal account, it is not clear that these copies would actually be “duplicative.” For example, CEI argued that it sought Holdren’s email in “electronic format” along with any “metadata.” On this theory, copied or forwarded email records on OSTP’s servers may not, in fact, be “duplicative” because they may not include all original metadata. Judge Kessler found this line of argument unpersuasive and held that the metadata in Holdren’s personal email would “not in itself make each email unique as compared to the forwarded reproduction[.]” This conclusion is wrong and sets a dangerous precedent.

Metadata includes various types of information about an electronic document that are not usually visible, but reflect important characteristics concerning the document’s origin, alteration, or usage. It includes “substantive metadata,” such as tracked changes in Microsoft Word; “system metadata,” which is created by a computer system, such as the information contained in a file’s properties; and “embedded metadata,” such as hyperlink details or Excel formulae. See Aguilar v. Immigration & Customs Enf’t, 255 F.R.D. 350, 354–55 (S.D.N.Y. 2008) (discussing different types of metadata).

Numerous state courts have ruled that metadata forms an integral part of an electronic record and is subject to disclosure under state-based Freedom of Information regimes. No federal court has settled the question for the FOIA, but it seems appropriate to adopt a similar default presumption that metadata must be disclosed so long as it forms an integral part of an electronic record and is readily reproducible. A requester should not even need to specifically request integral metadata.

There may not be a one-size-fits-all approach to distinguishing different types of metadata and which form an integral part of a record. The best approach would take into account an agency’s storage practices and the type of electronic records at issue—Does the agency store email in a hard-copy format or electronically? Are electronic copies kept in native or near-native format? What sort of metadata is preserved in those formats? It would also consider an agency’s ability to readily reproduce metadata—Are email records readily releasable as PDF or MSG files? Finally, it would look to whether a requester has specified that he wants an agency to produce (rather than merely search for) records in a form that includes metadata. See, e.g., Citizens for Responsibility & Ethics in Washington v. Department of Education, 905 F. Supp. 2d 161, 171–72 (D.D.C. 2012) (“CREW did not request that DoEd produce its records in electronic format . . . DoEd thus had no obligation to produce the documents in any particular format.”) (internal citation omitted).

This proposed approach under the FOIA is supported by the treatment of metadata in other legal contexts. Under implementing regulations for the Federal Records Act, for example, “electronic record” is defined as “both record content and associated metadata that the agency determines is required to meet agency business needs.” 36 C.F.R. § 1220.18. “Metadata,” in turn, “consists of preserved contextual information describing the history, tracking, and/or management of an electronic document.” Id. When it comes to email records, some metadata can form an integral part of the electronic record. See id. § 1236.22(a). In the civil discovery context, when metadata exists as part of a document’s native format, it should be produced to an opponent. If a party seeks discovery of additional metadata, a court will typically grant it so long as the metadata is reasonably accessible and potentially relevant to the dispute at hand.

From the outset of its case, CEI argued that it sought agency records that were stored on Holdren’s personal email account in an electronic format. Metadata integral to those records (viz., sender, recipient, and “BCC” recipient information, etc.) might not have carried over in toto to the copies on OSTP’s servers. Such information could be instructive, as any litigator or investigative journalist would attest, and might even explain why Holdren was using a personal email account for official government business in the first place. The district court considered OSTP’s “duplicative” email records “functionally equivalent” to the originals on Holdren’s private account. That much is true when considering the visible content of the email. But that’s only half of the story. Metadata lurks beneath, and without the original integral metadata, any copies of Holdren’s email on OSTP’s servers are incomplete and not duplicative.

Ryan Mulvey is counsel at Cause of Action Institute.

Selective Memory: Presidential Control of Press and Information

Among people who know and use the Freedom of Information Act and similar laws to discover and report what the government is doing, this week is known as Sunshine Week, a time to promote government transparency. But a disorienting fog has settled in.

When was the last day that the news did not include a report about the President’s use of direct social media to avoid traditional press outlets whom he regularly disparages for using unlawfully leaked information to unfairly report what the government is doing and planning? Allegations abound that the administration regularly imposes unprecedented policies that restrict or remove access to government information and impede contacts between the press and knowledgeable civil servants.  For example:

“White House curbs routine disclosure of information and deploys its own media to evade scrutiny by the press.”

“It’s turning out to be the administration of unprecedented secrecy and unprecedented attacks on a free press.”

The “administration’s steadily escalating war on leaks, the most militant I have seen since the Nixon administration, has disregarded the First Amendment and intimidated a growing number of government sources of information — most of which would not be classified — that is vital for journalists to hold leaders accountable.”

The administration’s anti-leak effort “targets not only national security departments and agencies but most federal bureaucracies from the Peace Corps to the Social Security Administration and the Education and Agriculture Departments.”

“[W]e now have evidence of a pattern of anti-media behavior…. The suspicion has to be that maybe these ‘leak’ investigations are less about deterring leakers and more about intimidating the press.”

The administration’s “recent effort to stem leaks in the federal workforce doesn’t just exemplify … cluelessness. It verges on being a parody of it.”

The depth of dismay is hard to overstate. An executive editor of The New York Times put it this way: “I would say it is the most secretive White House that I have ever been involved in covering, and that includes — I spent 22 years of my career in Washington and covered presidents from President Reagan on up through now, and I was Washington bureau chief of the Times during George W. Bush’s first term.”

But none of the above-linked stories is about President Trump or current events. All of these complaints were written about President Obama early in his second term.

This selection of stories about how the Obama administration manipulated the media and restricted independent access to government information is representative. If anything, it’s too cautious.  Readers can find much more, and much worse, reported by the most respected of voices. Even so, complaints about the relationship between the press and the Obama and Trump administrations and their unprecedented, programmatic restriction of access to information are strikingly similar.  Perhaps such practices sting more sharply after a President takes the oath and starts to govern.  Politico reports that the President’s aides are “obsessed with taking advantage of Twitter, Facebook, YouTube and every other social media forum, not just for campaigns, but governing.” Yet that story, too, was about President Obama, not President Trump.

Controlling information in service of a president’s political objectives is not new. It is not sui generis and did not spring forth fully formed like Athena from Zeus’s head—or President Trump’s.  The current administration has taken another step in a well-known progression, and not a big one at that.  In historical context we can recognize it without surprise as the next manifestation of Leviathan’s thirst for ever more power and control.  Bob Schieffer, after decades as a Washington correspondent and broadcast news anchor, sums up the situation this way:  “When I’m asked what is the most manipulative and secretive administration I’ve covered, I always say it’s the one in office now.”

Mike Geske is counsel at Cause of Action Institute.

CoA Institute Files Lawsuit for ObamaCare Records

Washington, D.C. – Cause of Action Institute (“CoA Institute”) filed a lawsuit in the U.S. District Court for the District of Columbia after the Department of Health and Human Services (“HHS”) failed to disclose records about the potential misuse of taxpayer information to market the Affordable Care Act (“ACA”), as well as records on the funding of two controversial ACA programs.

The lawsuit follows three Freedom of Information Act (“FOIA”) requests to HHS and its subsidiary agency, the Centers for Medicare and Medicaid Services (“CMS”), seeking records relating to obligations under the transitional reinsurance program and the risk corridors program, as well as attempts to market ObamaCare to individuals who declined coverage by using information obtained from individual federal tax returns. The agencies failed to produce any responsive records well past the applicable FOIA time limits.

Cause of Action Institute President and CEO John Vecchione: “It appears that senior Obama administration officials acted against taxpayers’ interests and disregarded the law to make ObamaCare appear more successful. Under the law, Americans’ tax information may be used to determine eligibility for subsidies, but not to market ObamaCare to individuals who have already declined to enroll. Disclosures of taxpayer information by the IRS raise serious privacy concerns. As Congress continues its efforts to repeal and replace the ACA, it’s more important than ever for HHS to be transparent and forthcoming about ObamaCare’s failures and missteps in implementation.”

Background

Taxpayer Information: To boost enrollment in ACA programs, it appears the Obama administration attempted to market the ACA to individuals who declined coverage by using information obtained from individual tax returns. A fact sheet released by CMS highlights its plan to “conduct outreach to individuals and families who paid the fee for being uninsured, or claimed an exemption from that fee, for 2015.” Under the ACA, however, tax information may only be used to determine ACA subsidy eligibility; it may not be used to market the ACA to individuals who have already declined to enroll. Taxpayer information disclosures by the IRS to an unknown number of individuals at CMS and throughout the government raise serious legal and privacy concerns.

Risk Corridors: Since its enactment, the ACA has faced considerable funding issues. The risk corridors program was supposed to collect payments from insurers with lower than expected losses and redirect the money to subsidize insurers with higher than expected losses. Because of low enrollment and monetary shortfalls, a CMS memorandum announced that funding for the risk corridors program would not be available to insurers in 2015. The memorandum, however, appears to invite insurers to sue CMS and then settle with the Department of Justice (“DOJ”) to obtain funding, which would constitute an end-run of a provision enacted by Congress in 2014 to prevent shifting funds into the risk corridors program and a violation of DOJ guidance regarding “backdoor bailouts.” Obtaining risk corridor funding through the DOJ Judgment Fund would be an illegal misuse of appropriated taxpayer money.

Reinsurance Program: Section 1341 of the ACA requires the HHS to return payments to taxpayers under the transitional reinsurance program. Under this program HHS collects reinsurance contributions from health insurance providers and third party administrators on behalf of group health plans. In 2014, HHS was supposed to collect $10 billion in payments to health insurers who enroll high-risk individuals and an additional $2 billion in contributions to be deposited directly to the U.S. Treasury. Unfortunately for taxpayers, it appears when HHS collected less money than required by the ACA, the agency violated the law by allocating all funding to health insurers, depriving taxpayers of billions of dollars.

The full complaint can be found here.

For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org