CONTENTS INTRODUCTION 1 I. PRIVACY-PROMISING TECHNOLOGIES 4 A. Encryption Tools 5 B. Ephemeral Messaging Apps 7 II. FREEDOM OF INFORMATION LAW AND POLICY APPROACHES 8 A. Ban on Use of Encryption and Ephemeral Messaging Apps 9 B. Adapt and Enhance Archiving Policies 14 C. Treat App Developers as Quasi-Governmental Entities 18 CONCLUSION 23 INTRODUCTION
In Donald J. Trump's first month in the White House, staffers concerned about accusations of leaking information to the press "resorted to a secret chat app --Confide--that erases messages as soon as they're read." (2) After the email hacks that haunted Hillary Clinton's presidential campaign in 2016, the Confide app became "the tool of choice for Republicans in Washington" fearing a similar fate. (3) White House press secretary Sean Spicer, who began random phone checks shortly after the Washington Post revelation, reportedly told staffers that using Confide and the encrypted messaging app Signal were potential violations of the Presidential Records Act. (4) In response to these reports, the House Oversight Committee issued a letter to fifty-five federal agencies expressing concerns that the use of Signal, Confide, and WhatsApp by federal employees "could result in the creation of federal records that would be unlikely or impossible to preserve" and may allow "circumventing requirements established by federal recordkeeping and transparency laws." (5) Citizens for Responsibility and Ethics in Washington (CREW) filed suit against Trump, alleging violation of the Presidential Records Act by using encrypted disappearing-messaging apps. (6) During ethics training in 2018, White House lawyers advised personnel not to use encrypted messaging apps such as WhatsApp while conducting government business. (7)
Similar issues have trickled down to the states as well. In Missouri, two attorneys sued then-Governor Eric Greitens, arguing that his use of Confide violated the state's public records law. (8) A county judge denied their request for a temporary restraining order to halt Greitens's use of Confide, in part, because of a lack of evidence that he had been using it to conduct government business, but noted that there were "a whole bunch of open questions here," including whether the governor has a First Amendment right to use the app to communicate, as his attorneys contended. (9)
State open records laws, the federal Freedom of Information Act, and the Presidential Records Act are intended to protect the public's right to know about government officials' conduct. However, the development of privacy-protecting mobile applications that deliberately make archiving and retrieval difficult creates a unique challenge for these transparency laws.
Vanishing message apps, such as Snapchat and Confide, allow public officials, using these apps as intended, to have messages disappear automatically without a way to keep a record for public inspection. Bob Freeman, the long-time executive director of New York state's Committee on Open Government, described the dangers: "If an individual, including a government official, wants to cover his tracks, tell the world, 'I never said that,' or that he never communicated with a certain person...Snapchat, for better or worse, can be used to make it seem true. And there may be nothing we can do about it." (10)
Encrypted messaging apps, such as WhatsApp and Signal, offer a similar challenge, one that former FBI Director James Comey has called "Going Dark." Comey, speaking about the challenges of investigating and preventing crime when people have the ability to use technology to obscure themselves and their activities, largely through encryption, has said, "We have the legal authority to intercept and access communications pursuant to a court order, but we often lack the technical ability to do so." (11)
The same legal communication tools that citizens can use to avoid detection and surveillance are also available to government employees, who now appear to be "going dark" in their communications as part of their official jobs. This is not the first time a new digital communication technology has created a challenge for government record-keeping and accessibility under open records laws. But, in the past, such new technologies--email, private online chat rooms, text messaging, and private messaging through social networks, to name a few--merely offered obscurity as a secondary effect of the messaging system. Ultimately, the messages could be found and subjected to public scrutiny, though doing so may be difficult and time-consuming, and new rules have had to be put in place to account for archiving and providing a means of access to the public.
However, apps such as Snapchat and Confide provide automatic deletion of messages after they are read as a core benefit. Similarly, encrypted messaging systems make transparency difficult because people seeking access to those records would need the key to be able to read them. These features have the potential to be deadly to public records laws, providing an easy way for government officials to dodge public scrutiny without any trace of their subversion.
The purpose of this article is to examine the implications of vanishing messaging and encrypted messaging apps for freedom of information laws and to propose potential policy revisions to handle the challenges these apps present. After briefly reviewing how the apps work, three potential policy approaches are examined, using legal research methodology to consider the possible remedies that may be available to legislators and regulators to prevent "killer apps" from undermining the goals of freedom of information laws. Finally, these policy approaches are reviewed for their potential application to the Public Information Act, the open records law in Texas.
At issue are two distinct kinds of communication technology, encryption and ephemeral messaging, that allow users to make records of their discussions harder to observe or retain. Jasmine McNealy and Heather Schoenberger have conceptualized these as "privacy-promising technologies," a definition that includes "technology, such as apps, software, and online tools, in which the maker or creator uses the promise of privacy, or data control, to induce users to use their digital tool." (12) While the authors were writing primarily about apps that either promised anonymity (such as YikYak or Whisper) or provided automatic message deletion (such as Snapchat), it makes sense as a concept to extend the definition to apps that protect user communications from outside scrutiny through encryption as well.
Government use of impermanent messaging apps is becoming commonplace. Presidential contenders Jeb Bush, Hillary Clinton, and Bernie Sanders had Snapchat accounts, and the app has become popular among members of Congress, including "Snapchat King of Congress" Eric Swalwell, a representative from California. (13)
Snapchat users include Washington, D.C. Mayor Muriel Bowser and Los Angeles Mayor Eric Garcetti, (14) as well as Chicago Police Superintendent Eddie Johnson. (15) And government use has not been without controversy. The New York Police Department, for instance, had to investigate an officer who posted images on Snapchat during a Brooklyn apartment raid. The posted Snapchats depicted a family in handcuffs with captions such as "Merry Christmas it's NYPD!" and "Warrant Sweeps it's still a part smh." (16) Beyond the White House examples mentioned above, public officials have also been using encryption apps in other contexts. The mayor and city attorney of Chattanooga, Tennessee, for instance, both admitted using WhatsApp to communicate for government business purposes, drawing the attention of transparency advocates. (17)
However, legal research on these privacy-promising technologies has not yet extended into their implications for transparency laws such as the federal Freedom of Information Act and state open records laws. Below, encryption and ephemeral messaging are briefly described in terms of function and legal analysis to date.
For centuries, cryptography has existed as a way to transmit messages that are only decipherable to the intended receiver, and are indecipherable to an interceptor. Modern encryption technology intends to keep electronic data and communications safe from interception and surveillance by third parties. (18) Simply put, encryption allows its users to restrict who can read a message to those who have the key. Encryption tools, such as PGP (Pretty Good Privacy) and GPG (Gnu Privacy Guard), allow users to create encryption keys for email platforms. This allows users to communicate without fear that someone without a key can intercept and read their communications. Edward Snowden used GPG to contact Micah Lee, a technologist for the Electronic Frontier Foundation, who helped Snowden connect with documentary journalist Laura Poitras. They used GPG encryption to protect their communications and ultimately to facilitate the leak of National Security Agency documents that revealed illegal spying practices. (19)
In the past few years, encryption tools have become simpler to use through the development of smartphone apps. Signal, launched in 2013 by Open Whisper Systems, allows encrypted communications via text messages through an "idiot-proof interface, which . . . is just as straightforward as normal calling and texting." (20)
Instead of the key exchange in PGP and GPG, all Signal requires is that users accept invitations from other users through their phone numbers, and the app encrypts their messages. By password-protecting their phones, users provide the first layer of protection; somebody hoping to access the conversations on Signal must guess or hack the phone passcode to access the app. Signal itself keeps no records of the communications that could be demanded by government or other third parties. The chat app...