How Feds Can Use Encrypted Apps—Without Breaking the Law


“Download Signal,” a career federal employee and longtime source for information, told me last month. “We can talk on that. It’s not a good time right now. A lot of us are nervous.”

I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters.

“Better safe than sorry,” said a communications official for the Energy Department. “You see what’s going on at National Park [Service]?”

The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware of the sometimes murky legal ground they’re entering, which puts their devices and privacy at risk.


Nonetheless, as Variety reported in November, public downloads have skyrocketed for applications like Signal and WhatsApp, which allow users to exchange encrypted messages via desktops or smartphones. Data from app measurement specialist App Annie indicates Signal downloads are up 170 percent this January over January 2016, with the 3-year-old app achieving its most daily downloads ever on Inauguration Day. It was downloaded 1.2 million times in the fourth quarter of 2016, double its third-quarter downloads.

Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation.

“Everything feels politicized at the moment,” said one Commerce Department official. “Nobody wants to get shit on for having an honest conversation in the workplace.”

Why Use Encryption?

Traditional communications, such as SMS and instant messages, send messages in plain text, much like postcards in the mail. Any stop along the postcard’s journey represents a risk—anyone who sees the postcard, be it a friendly mail carrier or less-friendly mail thief, can read its contents.

Those risks are magnified when plain-text messages are sent over the internet. A single unencrypted message sent from a coffee shop to a friend could make a dozen or more stops along its journey, bouncing off various servers until it reaches its destination. End-to-end encryption apps secure the contents of a message in transit, and the message can only be decrypted with a key that rests with the end user, according to Mike Buratowski, senior vice president of cybersecurity services at Fidelis.

“For these applications, encryption comes into play when the device sends data,” Buratowski said. “You wouldn’t be able to intercept that data and decrypt it without the keys.”

Anyone who managed to catch the encrypted message in transit would only view a garbled mess without the keys, which makes it exponentially safer than traditional communications.

Yet, it’s important for end-to-end encryption users to note the data is only encrypted “while in motion, not everywhere,” Buratowski said. That means if you archive messages or data on your device’s hard drive without encrypting it, anyone who can access the device can get to the data.

“I think people assume that if they used an encrypted chat program that nobody would be able to get it because they think [data] is encrypted everywhere,” Buratowski said. “If they get your device and are able to log in to the program and have access to it, they’ll be able to see what’s there.”

What’s Legal, What’s Not?

Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation.

“The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not,” Howard told Nextgov.

Federal guidance released by the National Archives and Records Administration in July 2015 updated the government’s policies regarding newer forms of communications such as Google Chat and Slack.

The guidance states “agencies must capture and manage these records in compliance with federal records management laws, regulations and policies.” Further, it doesn’t matter whether employees are using official government-issued devices or their own. NARA’s guidance covers all federal employees, contractors, volunteers and external experts “when they conduct agency business using personal electronic messaging accounts or devices,” whether agencies formally allow employees to use personal accounts or devices to conduct government business.

Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.

“It is very straightforward,” Howard said. “If you are using a messaging platform—IM, collaborative chat, email, text messaging, Facebook Messenger, ephemeral messaging or encrypted applications—they are all subject to archiving requirements. If you conduct public business using any computing device, a record of messaging you exchange is something that should be archived, period.”

Howard recommended federal employees make use of archival functions found in most encrypted communications apps like Signal. Other alternatives for archiving, such as taking screenshots of communications, are effective but “obviously suboptimal” because they are slow.

Recent legislation and court cases are beginning to shape this new technological landscape.

Debra D’Agostino, a federal employment attorney and co-founder of the Federal Practice Group, said the Presidential and Federal Records Act Amendment of 2014, for example, mandates federal officials make copies of government business they send over private email.

“If a government employee conducts government business over Gmail, they are now obligated to forward that to an official dot-gov email,” D’Agostino said.

D’Agostino said a District of Columbia Circuit Court decision last year allowed private email accounts to be searched in response to a FOIA request. The decision could open the door to federal employees’ personal phones getting searched for encrypted chats. However, it is unclear whether, or by what mechanism, federal agencies would accomplish such a seizure.

Yet, it is vital for federal employees to know that “the mere fact communications are subject to archival requirements does not override” free speech protections, D’Agostino said. She added that those in government need to understand their First Amendment rights, and those free speech rights don’t stop when they walk through the office door.

“Now more than ever, it’s important for federal employees to know when their communications are protected by the First Amendment and when they’re not,” said D’Agostino, who said she’s “never had a week like this,” regarding the number of whistleblowers facing retaliation who’ve sought her counsel.  

“Retaliation for protected speech is illegal,” she added. “Given the concern driving things like encrypted chat is retaliation, it’s important for people to know when retaliation is illegal and when their communications are protected by whistle-blower laws.”

In some cases, the line “is getting messy.”

The Supreme Court has ruled that private citizens speaking on matters of public concern are engaged in protected speech, D’Agostino said. That means a federal employee on lunch break using his or her own device to text about work-related matters is engaging in protected speech.

The law is “less clear,” she said, when it comes to encrypted free speech made on government-issued devices. Should the owners of the unofficial agency Twitter accounts that have popped up in recent weeks turn out to be federal employees, it would present another “murky” situation.

Regardless, D’Agostino said she supports the use of encrypted messaging technologies among Congress and federal employees, as long as it is done with proper archiving.

“It’s permissible, it is secure and it doesn’t skirt compliance with any law,” D’Agostino said.
