In the midst of a catastrophic wildfire that swept through a town in Maui, claiming the lives of over 100 individuals, emergency management personnel were engaged in a flurry of text message exchanges. These communications have since become crucial for investigators attempting to reconstruct the official response to the tragic events of 2023.
One exchange between officials hinted at the possible use of a secondary, untraceable messaging service. Herman Andaya, the then-administrator for the Maui Emergency Management Agency, texted a colleague stating, “That’s what Signal was supposed to be for.”
Signal is known as one of several end-to-end encrypted messaging apps, which are designed with message auto-deletion features for enhanced security and privacy. Such applications, however, pose a challenge to open records laws intended to ensure transparency and inform the public about governmental actions. Without specific archiving tools, it is often challenging to retrieve such messages under public information requests.
An examination across all 50 states uncovered accounts on encrypted platforms tied to over 1,100 government employees and elected officials. While it is unclear if the Maui officials utilized the app or merely considered it, the scenario underscores an escalating issue: how governmental institutions can leverage technological advancements for heightened security while remaining compliant with public information laws.
The review revealed that state, local, and federal officials in nearly every state, including legislators, staff, and individuals from governors’ offices, state attorney generals, and education departments, are associated with these apps. However, the possession of such accounts is not inherently against regulations in most states, nor is it definitive evidence of app usage for official government business. While many accounts were linked to government phone numbers, some were registered under personal lines, suggesting potential gaps in the review’s scope given users can make accounts non-searchable.
Instances of improper app usage have surfaced periodically over the past decade in states like Missouri, Oregon, Oklahoma, and Maryland, predominantly due to leaked communications.
Although they offer protection against hacking and data breaches, apps promising increased privacy can detract from government transparency. Apps such as Signal, WhatsApp, Confide, and Telegram encrypt messages, rendering them readable only by the intended recipient and often not stored on government servers. Some automatically delete these messages and prevent screenshotting or sharing.
Matt Kelly, editor of Radical Compliance, noted the intrinsic right individuals have to use encrypted apps for personal communications on personal devices, though the challenge lies in an organization’s ability to determine how an employee might utilize such tools.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises “highly valued targets” handling sensitive data to use encryption apps for their confidential communications. Such communications generally fall outside the remit of public record laws. While encrypted communications can be a beneficial security measure for the public, CISA does not advocate their use to circumvent public information laws by government officials.
Many journalists, including those within the Associated Press, commonly employ encrypted messaging when discussing sensitive topics with sources or whistleblowers.
Efforts to maintain transparency have lagged behind technological innovation, as reflected in ongoing struggles among cities and states. Lanika Mamac, general manager at Smarsh, a firm aiding in archiving digital communications, highlighted the tension between ensuring cybersecurity and maintaining transparency. Although inquiries from local governments on how to archive such communications have increased, many have not yet established rules or restrictions.
In 2020, the New Mexico Child, Youth, and Families Department introduced the use of Signal for internal communications with instructions to delete messages after 24 hours. Subsequent investigations revealed potential breaches of records retention rules, leading to a court settlement and administrative changes, although New Mexico still lacks comprehensive regulations on app usage.
Michigan saw State Police leaders using Signal on state-issued devices, prompting lawmakers to ban encrypted messaging apps on state-owned equipment if they impede public record requests. However, this law does not impose penalties for violations and managing compliance across 48,000 government devices poses a significant challenge.
David Cuillier from the University of Florida’s Brechner Freedom of Information Project advocates for stronger public record laws, suggesting these laws currently emphasize the content rather than the method of communication. To enhance transparency, he proposes the creation of independent enforcement agencies, penalties for non-compliance, and fostering a culture of transparency aligned with technological progress.
Cuillier reflected on the U.S.’s historical commitment to transparency, acknowledging a decline and emphasizing the need to reclaim lost ground in governmental transparency.