As a devastating wildfire burned through a Maui town, killing more than 100 people, emergency management employees traded dozens of text messages, creating a record that would later help investigators piece together the government’s response to the 2023 tragedy.
One text exchange hinted officials might also be using a second, untraceable messaging service.
“That’s what Signal was supposed to be for,” then-Maui Emergency Management Agency Administrator Herman Andaya texted a colleague.
Signal is one of many end-to-end encrypted messaging apps that include message auto-delete functions.
While such apps promise increased security and privacy, they often skirt open records laws meant to increase transparency around and public awareness of government decision-making. Without special archiving software, the messages frequently aren’t returned under public information requests.
An Associated Press review in all 50 states found accounts on encrypted platforms registered to cellphone numbers for over 1,100 government workers and elected officials.
It’s unclear if Maui officials actually used the app or simply considered it — a county spokesperson did not respond to questions — but the situation highlights a growing challenge: How can government entities use technological advancements for added security while staying on the right side of public information laws?
How common is governmental use of encryption apps?
The AP found accounts for state, local and federal officials in nearly every state, including many legislators and their staff, but also staff for governors, state attorneys general, education departments and school board members.
The AP is not naming the officials because having an account is neither against the rules in most states, nor proof they use the apps for government business. While many of those accounts were registered to government cellphone numbers, some were registered to personal numbers. The AP’s list is likely incomplete because users can make accounts unsearchable.
Improper use of the apps has been reported over the past decade in places like Missouri, Oregon, Oklahoma, Maryland and elsewhere, almost always because of leaked messages.
What’s the problem?
Public officials and private citizens are consistently warned about hacking and data leaks, but technologies designed to increase privacy often decrease government transparency.
Apps like Signal, WhatsApp, Confide, Telegram and others use encryption to scramble messages so only the intended end-user can read them, and they typically aren’t stored on government servers. Some automatically delete messages, and some prevent users from screenshotting or sharing messages.
“The fundamental problem is that people do have a right to use encrypted apps for their personal communications, and have those on their personal devices. That’s not against the law,” said Matt Kelly, editor of Radical Compliance, a newsletter that focuses on corporate compliance and governance issues. “But how would an organization be able to distinguish how an employee is using it?”
Are there acceptable government uses of end-to-end encryption apps?
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has recommended that “highly valued targets” — senior officials who handle sensitive information — use encryption apps for confidential communications. Those communications are not typically releasable under public record laws.
CISA leaders also say encrypted communications could be a useful security measure for the public, but did not encourage government officials to use the apps to skirt public information laws.
Journalists, including many at the AP, often use encrypted messages when talking to sources or whistleblowers.
What are states doing?
While some cities and states are grappling with how to stay transparent, public record laws aren’t evolving as quickly as technology, said Smarsh general manager Lanika Mamac. The Portland, Oregon-based company helps governments and businesses archive digital communications.
“People are worried more about cybersecurity attacks. They’re trying to make sure it’s secure,” Mamac said. “I think that they are really trying to figure out, ‘How do I balance being secure and giving transparency?’”
Mamac said Smarsh has seen an uptick in inquiries, mostly from local governments. But many others have done little to restrict the apps or clarify rules for their use.
In 2020, the New Mexico Child, Youth and Families Department’s new division director told employees to use the app Signal for internal communications and to delete messages after 24 hours. A 2021 investigation into the possible violation of New Mexico’s document retention rules was followed by a court settlement with two whistleblowers and the division director’s departure.
But New Mexico still lacks regulations on using encrypted apps. The AP’s review found at least three department or agency directors had Signal accounts as of December 2024.
In Michigan, State Police leaders were found in 2021 to be using Signal on state-issued cellphones. Michigan lawmakers responded by banning the use of encrypted messaging apps on state employees’ work-issued devices if they hinder public record requests.
However, Michigan’s law did not include penalties for violations, and monitoring the government-owned devices used by 48,000 executive branch employees is a monumental task.
What’s the solution?
The best remedy is stronger public record laws, said David Cuillier, director of the Brechner Freedom of Information Project at the University of Florida. Most state laws already make clear that the content of communication — not the method — is what makes something a public record, but many of those laws lack teeth, he said.
“They should only be using apps if they are able to report the communications and archive them like any other public record,” he said.
Generally, Cuillier said, there’s been a decrease in government transparency over the past few decades. To reverse that, governments could create independent enforcement agencies, add punishments for violations, and create a transparent culture that supports technology, he said.
“We used to be a beacon of light when it came to transparency. Now, we’re not. We have lost our way,” Cuillier said.