
How Feds Can Use Encrypted Apps—Without Breaking the Law


“Download Signal,” a career federal employee and longtime source for information told me last month. “We can talk on that. It’s not a good time right now. A lot of us are nervous.”

I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters.

“Better safe than sorry,” said a communications official for the Energy Department. “You see what’s going on at National Park [Service]?”

The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware of the sometimes murky legal ground they’re entering that puts their devices and privacy at risk.


Nonetheless, as Variety reported in November, public downloads have skyrocketed for applications like Signal and WhatsApp, which allow users to exchange encrypted messages via desktops or smartphones. Data from app measurement specialist App Annie indicates Signal downloads are up 170 percent this January over January 2016, with the 3-year-old app achieving its most daily downloads ever on Inauguration Day. It was downloaded 1.2 million times in the fourth quarter of 2016, double its third-quarter downloads.

Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation.

“Everything feels politicized at the moment,” said one Commerce Department official. “Nobody wants to get shit on for having an honest conversation in the workplace.”

Why Use Encryption?

Traditional communications, such as SMS and instant messages, send messages in plain text, much like postcards in the mail. Any stop along the postcard’s journey represents a risk—anyone who sees the postcard, be it a friendly mail carrier or less-friendly mail thief, can read its contents.

Those risks are magnified when plain-text messages are sent over the internet. A single unencrypted message sent from a coffee shop to a friend could make a dozen or more stops along its journey, bouncing off various servers until it reaches its destination. End-to-end encryption apps protect the contents of a message in transit; the message can be decrypted only with a key that rests with the end user, according to Mike Buratowski, senior vice president of cybersecurity services at Fidelis.

“For these applications, encryption comes into play when the device sends data," Buratowski said. "You wouldn’t be able to intercept that data and decrypt it without the keys."

Anyone who managed to catch the encrypted message in transit would see only a garbled mess without the keys, which makes it far safer than traditional communications.

Yet, it’s important for end-to-end encryption users to note the data is only encrypted “while in motion, not everywhere,” Buratowski said. That means messages that sit decrypted on the device, whether in the app’s own history or in an unencrypted export or backup, are readable by anyone who can get at the device’s storage or unlock the device and open the app.

“I think people assume that if they used an encrypted chat program that nobody would be able to get it because they think [data] is encrypted everywhere,” Buratowski said. “If they get your device and are able to log in to the program and have access to it, they’ll be able to see what’s there.”
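The two points above, ciphertext being opaque to every hop in transit and archived plaintext being readable by whoever holds the device, can be shown with a small model. The following is an added example, not code from the article, from Signal or from WhatsApp. It assumes the two endpoints already share a 32-byte session key (how real apps agree on it, such as Signal’s key exchange and ratchet, is out of scope), and it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag because that needs only the Python standard library; it stands in for the AES-based constructions real messengers use and is not a substitute for them. The sample message text is constructed.

```python
"""Toy end-to-end encryption walk-through (added example, not the article's or
Signal's code). Cipher: HMAC-SHA256 keystream in counter mode plus an
encrypt-then-MAC tag; a stand-in for real AES-based constructions."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the shared session key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: PRF(nonce || counter) blocks, truncated to the needed length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; rejects tampering or a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: message altered in transit or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def run_scenario(archive_key: Optional[bytes] = None) -> dict:
    """Walk one message from sender, through the network, to the recipient's archive.

    archive_key=None models an app (or a user's export) that keeps history in the
    clear on storage; a key models an encrypted local store whose key the app holds.
    """
    session_key = secrets.token_bytes(32)                 # shared by the two endpoints only
    message = b"Download Signal. We can talk on that."    # constructed sample text

    blob = seal(session_key, message)

    # 1. Every hop between the coffee shop and the recipient (Wi-Fi, ISP, the
    #    messaging server) handles exactly these bytes and nothing else.
    hop_sees_plaintext = message in blob

    # 2. A hop that flips a bit cannot pass the result off as genuine: the MAC catches it.
    forged = bytearray(blob)
    forged[NONCE_LEN + 3] ^= 0x01
    try:
        unseal(session_key, bytes(forged))
        tampering_detected = False
    except ValueError:
        tampering_detected = True

    # 3. The recipient holds the key, so the recipient recovers the text.
    received = unseal(session_key, blob)

    # 4. At rest: whatever the app writes to storage is what a device thief reads.
    archive = received if archive_key is None else seal(archive_key, received)
    thief_reads_archive = received in archive

    return {
        "hop_sees_plaintext": hop_sees_plaintext,
        "tampering_detected": tampering_detected,
        "recipient_reads": received,
        "thief_reads_archive": thief_reads_archive,
    }


if __name__ == "__main__":
    for label, key in (("plain archive", None), ("encrypted archive", secrets.token_bytes(32))):
        print(label, run_scenario(key))
```

The encrypted-archive case only protects against someone copying the store off the device’s storage. If the app itself holds the archive key, anyone who unlocks the device and opens the app still sees the history, which is exactly the exposure Buratowski describes, so at-rest encryption is a complement to device locking and archiving discipline, not a replacement.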

What’s Legal, What’s Not?

Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation.

“The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not,” Howard told Nextgov.

Federal guidance released by the National Archives and Records Administration in July 2015 updated the government’s policies regarding newer forms of electronic messaging such as Google Chat and Slack.

The guidance states “agencies must capture and manage these records in compliance with federal records management laws, regulations and policies.” Further, it doesn’t matter whether employees are using official government-issued devices or their own. NARA’s guidance covers all federal employees, contractors, volunteers and external experts “when they conduct agency business using personal electronic messaging accounts or devices,” whether or not agencies formally allow employees to use personal accounts or devices to conduct government business.

Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.

“It is very straightforward,” Howard said. “If you are using a messaging platform—IM, collaborative chat, email, text messaging, Facebook Messenger, ephemeral messaging or encrypted applications—they are all subject to archiving requirements. If you conduct public business using any computing device, a record of messaging you exchange is something that should be archived, period.”

Howard recommended federal employees make use of the archival or export functions found in most encrypted communications apps, including Signal. Alternatives for archiving, such as taking screenshots of communications, are effective but “obviously suboptimal” because they are slow.

Recent legislation and court cases are beginning to shape this new technological landscape.

Debra D’Agostino, a federal employment attorney and co-founder of the Federal Practice Group, said the Presidential and Federal Records Act Amendments of 2014, for example, require federal officials to copy or forward to an official account any government business they conduct over private email.

“If a government employee conducts government business over Gmail, they are now obligated to forward that to an official dot-gov email,” D’Agostino said.

D’Agostino said a decision last year by the U.S. Court of Appeals for the D.C. Circuit allowed private email accounts to be searched in response to a FOIA request. The decision could open the door to federal employees’ personal phones being searched for encrypted chats, though it is unclear whether, or by what mechanism, federal agencies would carry out such a search.

Yet, it is vital for federal employees to know that “the mere fact communications are subject to archival requirements does not override” free speech protections, D’Agostino said. She added that those in government need to understand their First Amendment rights, and those free speech rights don’t stop when they walk through the office door.

“Now more than ever, it’s important for federal employees to know when their communications are protected by the First Amendment and when they’re not,” said D’Agostino, who added she has “never had a week like this” in terms of the number of whistleblowers facing retaliation who have sought her counsel.

“Retaliation for protected speech is illegal,” she added. “Given the concern driving things like encrypted chat is retaliation, it’s important for people to know when retaliation is illegal and when their communications are protected by whistle-blower laws.”

In some cases, the line “is getting messy.”

The Supreme Court has ruled that speech by private citizens on matters of public concern is protected, D’Agostino said. That means a federal employee on lunch break using his or her own device to text about work-related matters is engaged in protected speech.

The law is “less clear,” she said, when it comes to encrypted speech on government-issued devices. Should the owners of the unofficial agency Twitter accounts that have popped up in recent weeks turn out to be federal employees, it would present another “murky” situation.

Regardless, D’Agostino said she supports the use of encrypted messaging technologies among Congress and federal employees, as long as it is done with proper archiving.

“It’s permissible, it is secure and it doesn’t skirt compliance with any law,” D’Agostino said.
