Rebecca Boone and Claudia Lauer
A devastating wildfire burned the town of Maui, killing more than 100 people, emergency management employees exchanged dozens of text messages, and later created records that would help investigators connect the government’s response to the 2023 tragedy.
It is also possible that an official who suggests one text exchange is using a second, non-trackable messaging service.
“That was supposed to be the signal,” Herman Andaya, then-Emergency Management Office administrator, texted her colleagues.
Signal is one of many end-to-end encrypted messaging apps that include an automatic message derating function.
Such apps promise increased security and privacy, but in many cases they are open records laws that aim to increase transparency and public awareness of government decisions. Without special archival software, messages are often not returned based on requests for public information.
Reviews from all 50 states found accounts on encrypted platforms registered on mobile phone numbers for over 1,100 government workers and elected officials.
Whether Maui officials actually used the app or simply considered it (it is unclear whether the county spokesman did not respond to questions, but the situation underscores the growing challenges. How can government agencies use technological advances to add security while staying on the right side of the Public Information Act?
How common is government use of encryption apps?
The AP has discovered accounts of almost every state, local and federal official, including many lawmakers and their staff, but also includes staff from the governor, state attorney general, education department and school board members.
The AP has not named officials because having an account does not oppose most state rules and therefore has not proven that they use the app for government business. Many of these accounts were registered with government mobile numbers, while some were registered with personal numbers. The list of APs can be incomplete as users cannot search for accounts.
Inappropriate use of apps has been reported over the past decade in places like Missouri, Oregon, Oklahoma and Maryland, but most of the time, due to messages leaked.
What’s the problem?
While civil servants and private citizens have been consistently warned of hacking and data leaks, technologies designed to increase privacy often reduce government transparency.
Apps like Signal, WhatsApp, Confide, Telegram, and others scramble messages using encryption, so only the intended end users can read them and are not normally stored on government servers. Some automatically delete messages, while others prevent users from screenshotting the messages or sharing them.
“The basic problem is that people have the right to use encrypted apps for personal communication and use them on their personal devices. That’s not against the law,” said Matt Kelly, editor of Radical Compliance, a newsletter focusing on corporate compliance and governance issues. “But how can an organization distinguish between how employees use it?”
Is government use of end-to-end encryption apps acceptable?
The US Department of Cybersecurity and Infrastructure Security, or CISA, recommends that “high-value goals” that process sensitive information (high-level officials who process sensitive information) use encryption apps for sensitive communications. These communications cannot normally be released under the public records law.
CISA leaders also say that encrypted communication could be a useful security measure for the public, but they have not encouraged government officials to use the app to skirt public information.
Journalists, including many of the APs, often use encrypted messages when talking to sources and whistleblowers.
What does the state do?
While some cities and states are working on ways to maintain transparency, public record laws have not evolved as fast as technology, said Ranikamama, general manager of Smarsh. The Portland, Oregon-based company helps governments and businesses archive digital communications.
“People are more concerned about cybersecurity attacks. They’re trying to make sure it’s safe,” Mamack said. “I think they’re really trying to understand ‘How can I balance it out and be safe and transparent?” โ
Mamac said Smarsh has seen an increase in inquiries, mainly from local governments. But many others have done little to clarify the rules for limiting or using the app.
In 2020, the new department director of children, youth and families in New Mexico instructed employees to use app signals for internal communications and delete messages after 24 hours. A 2021 investigation into possible violations of New Mexico’s document retention rules was followed by court settlements with two whistleblowers and a divisional director’s departure.
However, New Mexico still has no regulations regarding the use of encrypted apps. The AP review found that as of December 2024, at least three department or agency directors had signal accounts.
In Michigan, state police leaders were found to use signals on state-issued mobile phones in 2021. Michigan lawmakers responded by banning the use of encrypted messaging apps on state employees’ work issuing devices when blocking requests for public records.
However, Michigan law does not include penalties for violations, and monitoring government-owned devices used by 48,000 enforcement department employees is a monumental job.
What is the solution?
David Quillier, director of the Brechner Freedom Information Project at the University of Florida, says the best remedy is the stronger public record law. Most state laws already make it clear that communications, not methods, are public records, but many of those laws lack teeth, he said.
“They should only use the app if they can report communications and archive them like other public records,” he said.
Generally, Cuillier said government transparency has been declining over the past decades. To reverse that, he said the government could create independent enforcement agencies, add punishments for violations, and create a transparent culture that supports technology.
“When it comes to transparency, it used to be a beacon of light. Now we’re not. We’ve lost our way,” Cuillier said.
Boone was reported from Boise, Idaho. Lauer reported from Philadelphia. Associated Press reporters from Statehouses across the country contributed to the report.
Original issue: March 20, 2025, 1:06pm EDT
