How Feds Can Use Encrypted Apps—Without Breaking the Law

“Download Signal,” a career federal employee and longtime source for information told me last month. “We can talk on that. It’s not a good time right now. A lot of us are nervous.”

I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters.

“Better safe than sorry,” said a communications official for the Energy Department. “You see what’s going on at National Park [Service]?”

The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware of the sometimes murky legal ground they’re entering that puts their devices and privacy at risk.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Nonetheless, as Variety reported in November, public downloads have skyrocketed for applications like Signal and WhatsApp, which allow users to exchange encrypted messages via desktops or smartphones. Data from app measurement specialist App Annie indicates Signal downloads are up 170 percent this January over January 2016, with the 3-year-old app achieving its most daily downloads ever on Inauguration Day. It was downloaded 1.2 million times in the fourth quarter of 2016, double its third-quarter downloads.

Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation.

“Everything feels politicized at the moment,” said one Commerce Department official. “Nobody wants to get shit on for having an honest conversation in the workplace.”

Why Use Encryption?

Traditional communications, such as SMS and instant messages, send messages in plain text, much like postcards in the mail. Any stop along the postcard’s journey represents a risk—anyone who sees the postcard, be it a friendly mail carrier or less-friendly mail thief, can read its contents.

Those risks are magnified when plain-text messages are sent over the internet. A single unencrypted message sent from a coffee shop to a friend could make a dozen or more stops along its journey, bouncing off various servers until it reaches its destination. End-to-end encryption apps secure the contents of a message in transit and can only be decrypted by a key that rests with the end-user, according to Mike Buratowski, senior vice president of cybersecurity services at Fidelis.

“For these applications, encryption comes into play when the device sends data," Buratowski said. "You wouldn’t be able to intercept that data and decrypt it without the keys."

Anyone who managed to catch the encrypted message in transit would only view a garbled mess without the keys, which makes it exponentially safer than traditional communications.

Yet, it’s important for end-to-end encryption users to note the data is only encrypted “while in motion, not everywhere,” Buratowski said. That means if you archive messages or data on your device’s hard drive without encrypting it, anyone who can access the device can get to the data.

“I think people assume that if they used an encrypted chat program that nobody would be able to get it because they think [data] is encrypted everywhere,” Buratowski said. “If they get your device and are able to log in to the program and have access to it, they’ll be able to see what’s there.”

What’s Legal, What’s Not?

Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation.

“The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not,” Howard told Nextgov.

Federal guidance released by the National Archives Records Administration in July 2015 updated the government’s policies regarding newer forms of communications such as Google Chat and Slack.

The guidance states “agencies must capture and manage these records in compliance with federal records management laws, regulations and policies.” Further, it doesn’t matter whether employees are using official government-issued devices or their own. NARA’s guidance covers all federal employees, contractors, volunteers and external experts “when they conduct agency business using personal electronic messaging accounts or devices,” whether agencies formally allow employees to use personal accounts or devices to conduct government business.

Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.

“It is very straightforward,” Howard said. “If you are using a messaging platform—IM, collaborative chat, email, text messaging, Facebook Messenger, ephemeral messaging or encrypted applications—they are all subject to archiving requirements. If you conduct public business using any computing device, a record of messaging you exchange is something that should be archived, period.”

Howard recommended federal employees make use of archival functions found in most encrypted communications apps like Signal. Other alternatives for archiving, such as taking screenshots of communications, are effective but “obviously suboptimal” because they are slow.

Recent legislation and court cases are beginning to shape this new technological landscape.

Debra D’Agostino, a federal employment attorney and co-founder of the Federal Practice Group, said the Presidential and Federal Records Act Amendment of 2014, for example, mandates federal officials make copies of government business they send over private email.

“If a government employee conducts government business over Gmail, they are now obligated to forward that to an official dot-gov email,” D’Agostino said.

D’Agostino said a District of Columbia Circuit Court decision last year allowed private email accounts to be searched in response to a FOIA request. The decision could open the door to federal employees’ personal phones getting searched for encrypted chats. However, it is unclear whether or what mechanism federal agencies would use to accomplish such a seizure.

Yet, it is vital for federal employees to know that “the mere fact communications are subject to archival requirements does not override” free speech protections, D’Agostino said. She added that those in government need to understand their First Amendment rights, and those free speech rights don’t stop when they walk through the office door.

“Now more than ever, it’s important for federal employees to know when their communications are protected by the First Amendment and when they’re not,” said D’Agostino, who said she’s “never had a week like this,” regarding the number of whistleblowers facing retaliation who’ve sought her counsel.  

“Retaliation for protected speech is illegal,” she added. “Given the concern driving things like encrypted chat is retaliation, it’s important for people to know when retaliation is illegal and when their communications are protected by whistle-blower laws.”

In some cases, the line “is getting messy.”

The Supreme Court has ruled private citizens speaking on matters of public concern is protected speech, D’Agostino said. That means a federal employee on lunch break using his or her own device to text about work-related matters is protected speech.

The law is “less clear,” she said, when it comes to encrypted free speech made on government-issued devices. Should the owners of the unofficial agency Twitter accounts that have popped up in recent weeks turn out to be federal employees, it would present another “murky” situation.

Regardless, D’Agostino said she supports the use of encrypted messaging technologies among Congress and federal employees, as long as it is done with proper archiving.

“It’s permissible, it is secure and it doesn’t skirt compliance with any law,” D’Agostino said.