
How Feds Can Use Encrypted Apps—Without Breaking the Law


“Download Signal,” a career federal employee and longtime source for information told me last month. “We can talk on that. It’s not a good time right now. A lot of us are nervous.”

I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters.

“Better safe than sorry,” said a communications official for the Energy Department. “You see what’s going on at National Park [Service]?”

The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware that they are entering sometimes murky legal ground that puts their devices and privacy at risk.


Nonetheless, as Variety reported in November, public downloads have skyrocketed for applications like Signal and WhatsApp, which allow users to exchange encrypted messages via desktops or smartphones. Data from app measurement specialist App Annie indicates Signal downloads are up 170 percent this January over January 2016, with the 3-year-old app achieving its most daily downloads ever on Inauguration Day. It was downloaded 1.2 million times in the fourth quarter of 2016, double its third-quarter downloads.

Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation.

“Everything feels politicized at the moment,” said one Commerce Department official. “Nobody wants to get shit on for having an honest conversation in the workplace.”

Why Use Encryption?

Traditional communications, such as SMS and instant messages, send messages in plain text, much like postcards in the mail. Any stop along the postcard’s journey represents a risk—anyone who sees the postcard, be it a friendly mail carrier or less-friendly mail thief, can read its contents.

Those risks are magnified when plain-text messages are sent over the internet. A single unencrypted message sent from a coffee shop to a friend could make a dozen or more stops along its journey, bouncing off various servers until it reaches its destination. End-to-end encryption apps secure the contents of a message in transit, and the message can only be decrypted with a key that rests with the end user, according to Mike Buratowski, senior vice president of cybersecurity services at Fidelis.

“For these applications, encryption comes into play when the device sends data,” Buratowski said. “You wouldn’t be able to intercept that data and decrypt it without the keys.”

Anyone who managed to catch the encrypted message in transit would see only a garbled mess without the keys, which makes it far safer than traditional communications.

Yet, it’s important for end-to-end encryption users to note the data is only encrypted “while in motion, not everywhere,” Buratowski said. That means if you archive messages or data on your device’s hard drive without encrypting it, anyone who can access the device can get to the data.

“I think people assume that if they used an encrypted chat program that nobody would be able to get it because they think [data] is encrypted everywhere,” Buratowski said. “If they get your device and are able to log in to the program and have access to it, they’ll be able to see what’s there.”

What’s Legal, What’s Not?

Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation.

“The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not,” Howard told Nextgov.

Federal guidance released by the National Archives and Records Administration in July 2015 updated the government’s policies regarding newer forms of communications such as Google Chat and Slack.

The guidance states “agencies must capture and manage these records in compliance with federal records management laws, regulations and policies.” Further, it doesn’t matter whether employees are using official government-issued devices or their own. NARA’s guidance covers all federal employees, contractors, volunteers and external experts “when they conduct agency business using personal electronic messaging accounts or devices,” whether agencies formally allow employees to use personal accounts or devices to conduct government business.

Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.

“It is very straightforward,” Howard said. “If you are using a messaging platform—IM, collaborative chat, email, text messaging, Facebook Messenger, ephemeral messaging or encrypted applications—they are all subject to archiving requirements. If you conduct public business using any computing device, a record of messaging you exchange is something that should be archived, period.”

Howard recommended federal employees make use of archival functions found in most encrypted communications apps like Signal. Other alternatives for archiving, such as taking screenshots of communications, are effective but “obviously suboptimal” because they are slow.

Recent legislation and court cases are beginning to shape this new technological landscape.

Debra D’Agostino, a federal employment attorney and co-founder of the Federal Practice Group, said the Presidential and Federal Records Act Amendments of 2014, for example, mandates that federal officials make copies of government business they send over private email.

“If a government employee conducts government business over Gmail, they are now obligated to forward that to an official dot-gov email,” D’Agostino said.

D’Agostino said a District of Columbia Circuit Court decision last year allowed private email accounts to be searched in response to a FOIA request. The decision could open the door to federal employees’ personal phones getting searched for encrypted chats. However, it is unclear whether, or by what mechanism, federal agencies would accomplish such a seizure.

Yet, it is vital for federal employees to know that “the mere fact communications are subject to archival requirements does not override” free speech protections, D’Agostino said. She added that those in government need to understand their First Amendment rights, and those free speech rights don’t stop when they walk through the office door.

“Now more than ever, it’s important for federal employees to know when their communications are protected by the First Amendment and when they’re not,” said D’Agostino, who said she’s “never had a week like this,” regarding the number of whistleblowers facing retaliation who’ve sought her counsel.  

“Retaliation for protected speech is illegal,” she added. “Given the concern driving things like encrypted chat is retaliation, it’s important for people to know when retaliation is illegal and when their communications are protected by whistle-blower laws.”

In some cases, the line “is getting messy.”

The Supreme Court has ruled that speech by private citizens on matters of public concern is protected, D’Agostino said. That means a federal employee on lunch break using his or her own device to text about work-related matters is engaging in protected speech.

The law is “less clear,” she said, when it comes to encrypted free speech made on government-issued devices. Should the owners of the unofficial agency Twitter accounts that have popped up in recent weeks turn out to be federal employees, it would present another “murky” situation.

Regardless, D’Agostino said she supports the use of encrypted messaging technologies among Congress and federal employees, as long as it is done with proper archiving.

“It’s permissible, it is secure and it doesn’t skirt compliance with any law,” D’Agostino said.
