Private-messaging apps undermine CORA’s accountability mandate

By Jeffrey A. Roberts
CFOIC Executive Director

In a recent Denver Post article, reporter Alex Burness revealed that nearly a third of state lawmakers in Colorado use the private-messaging app Signal and at least 15 use a similar tool called Confide.

“Many other public officials, including political staffers, use these apps, too,” Burness wrote.

That’s not too surprising, given the apps’ growing popularity among people seeking to protect their digital privacy. Confide promises “the comfort of knowing that your private communication will now truly stay that way.” Signal’s homepage boasts, “We can’t read your messages or see your calls, and no one else can either.”

But if it’s becoming commonplace for state and local officials to communicate using disappearing or encrypted messages, what does that mean for government’s obligations under the state’s transparency laws?

Although electronic messages are subject to disclosure under the Colorado Open Records Act (CORA) with some exceptions (such as a state legislator’s work product related to bill drafts), it’s hopeless to request public records that self-destruct or can’t be accessed. If this is how some public officials now conduct official business, doesn’t that subvert the purpose of a statute meant to combat government secrecy?

“It’s a fairly obvious point, but if a public record evaporates into thin air – or is tossed in the trash or shredded – before a records request has been submitted, then the accountability mandated by CORA is undermined,” said First Amendment attorney Steve Zansberg, president of the Colorado Freedom of Information Coalition.

As CFOIC pointed out in an October research report, CORA is silent as to how long government entities must keep electronic records. The law merely says records custodians must adopt a policy “regarding the retention, archiving and destruction” of records kept in miniaturized or digital form. It doesn’t outline any specifications for such a policy.

Many government entities have adopted records management schedules promulgated by the Colorado State Archives. Because the schedules make it clear that public records are to be retained for certain specified periods based on their content – not the format of the records – Zansberg said it’s “irresponsible and indefensible” and “a violation of the spirit of our state’s laws” for public officials to deliberately evade those mandates by using private messaging apps for official business.

The state archives’ model retention schedule for state agencies calls for the permanent retention of emails and other communications that have “enduring long-term value.” Communications with “routine value” should be kept two years; if their value is “transitory,” of extremely short-term interest, they should be kept until read or 90 days. The model retention schedule for municipalities sets similar time frames.

Enforcement is problematic, however, because the rules essentially give government entities and individual public employees wide discretion to decide which messages are important enough to keep.

If public officials use Confide or Signal, they’ve pre-determined that their messages shouldn’t be retained or be subject to public inspection, even if records requesters might think otherwise. Confide messages are deleted once read; the app even prevents users from making screenshots. Signal lets users set a timer for when messages will disappear. WhatsApp is testing a similar feature.

“Those kinds of technologies literally undermine, through the technology itself, state open government laws and policies,” Dan Bevarly, executive director of the National Freedom of Information Coalition, told an Associated Press reporter last year. “And they come on top of the misuse of other technologies, like people using their own private email and cellphones to conduct (public) business.”

How then should state transparency laws be updated to keep pace with changing technology?

In early 2018, the now-former governor of Kansas signed an executive order that required employees in the governor’s office to use official email accounts to conduct official state business.

Some Missouri state lawmakers have been trying to ban the use of self-destructing messaging apps for public business, but so far have been unsuccessful. In that state, a circuit court judge ruled earlier this year that now-former Gov. Eric Greitens’ use of Confide to communicate with aides didn’t violate the state’s open records law because the messages were never officially retained.

In Texas, a law that went into effect Sept. 1 requires government officials to preserve personal-device text messages that concern public business or transfer them to an official government account. The measure makes it clear that the records are subject to the retention schedules set for a particular agency or type of government entity.

“If there’s a retention schedule of any length of time, they’ve got to find a way to retain the messages or forward them,” said Kelley Shannon, executive director of the Freedom of Information Foundation of Texas. The new law should effectively outlaw the use of private-messaging apps for official government business, Shannon said, “but we’ll see whether it does or not. It will come down to how a particular government entity embraces or implements the law.”

Some cities in Texas have banned or limited texting by public employees in response to the new state law. “It will no longer be appropriate for us to text official business through our personal or work cellphones,” a Waco police sergeant wrote to others in his department in August.

Brazos County in Texas took a different approach, requiring its employees to use county-issued cellphones equipped with Smarsh software that archives text messages and makes them searchable if they need to be provided in response to an open records request.

“Technology is changing faster than the statutory framework,” Colorado state Rep. Chris Hansen, a Denver Democrat, told Burness for his article in The Post. “It’s something we need to collectively discuss.”

Follow the Colorado Freedom of Information Coalition on Twitter @CoFOIC. Like CFOIC’s Facebook page. Do you appreciate the information and resources provided by CFOIC? Please consider making a tax-deductible donation.

Subscribe to Our Blog