
The Privacy Advisor | The Case that Slipped Beneath the Cracks on Federal Employee Expectations of Privacy


By Koosh Orandi, CIPP/US

Tucked into the narrow cracks between the past year's popular conversations on privacy was a nuanced legal decision that could affect a rarely discussed expectation of privacy for federal employees while also affecting transparency at U.S. government agencies.

Enacted on July 4, 1966, the Freedom of Information Act (FOIA) provides any person with the right, enforceable in court, to obtain access to federal agency records, except to the extent that such records are protected from public disclosure by one of nine exemptions, or one of three special law enforcement record exclusions. Requests can be made for any agency record, and as recognized by Congress, numerous presidents and the Supreme Court, the FOIA is an important tool of democracy, enabling public oversight of federal government agencies. Between Fiscal Years 2008 and 2012, over half a million FOIA requests were filed annually at all federal agencies.

Information obtained through FOIA requests may be used in litigation against a government agency, but FOIA requests are not typically preludes to a judicial proceeding, unlike pretrial discovery to obtain evidence against another party.

In August 2012, a FOIA request was filed by the public interest legal advocacy group Landmark Legal Foundation against the U.S. Environmental Protection Agency (EPA). Essentially, Landmark suspected the EPA of intentionally delaying a controversial environmental regulation until after the November 2012 presidential election. To investigate that suspicion, the request sought records from “senior EPA officials” at each of the agency’s headquarters offices regarding any proposed EPA rule or regulation for which public notice had not been made but was contemplated or under consideration.

More importantly, Landmark sought information on whether any such records or knowledge had been communicated to individuals or organizations outside of the agency. Following discussions between the legal counsels of the EPA and Landmark, along with a series of FOIA responses producing over 1,000 documents, one record stood out.

Were Government Employees Doing Business Via Personal E-mail?

Then-Deputy Administrator Robert Perciasepe had sent a work-related e-mail from his personal account, which was included in the FOIA response package. This seemingly minor event became a significant concern; using personal e-mail to conduct federal business could be an innocent mistake or a convenient alternative to using a government e-mail account, but it could also be an attempt to circumvent federal records laws.

Regardless of actual intent, Perciasepe’s e-mail proved that personal accounts were used by a federal employee conducting official business in at least that one circumstance. Landmark sought clarity on this in a meeting with the EPA in March 2013 and later on in various briefs and responses, but the EPA never directly responded to that point.

In August, presiding U.S. District Judge Royce Lamberth issued an opinion stating the EPA’s “failure to deny the allegations that personal accounts were being used to conduct official business leaves open the possibility that they were.” Accompanying the opinion was an order permitting Landmark to conduct discovery limited to the following issues: whether and to what extent the EPA administrator, deputy administrator and/or chief of staff utilized personal e-mail accounts to conduct official business during the relevant time periods and whether the EPA intentionally excluded those personnel from the FOIA request response.

Allowing discovery is a judicial rarity in matters like these, as explained by a Department of Justice guide on FOIA responses cited by Lamberth. That guide stated that discovery is the exception, and not the rule, in FOIA cases. Other cases cited in Lamberth’s opinion reiterated that discovery would only be warranted when the plaintiff raises a sufficient question about the agency’s good faith in processing documents. Lamberth did not explicitly grant access to any personal e-mail accounts, but allowing Landmark to even inquire about the possibility that they were used brings us one step closer to creating precedent that could regularly allow this level of depth into an employee’s personal correspondence.

This would likely be surprising to many employees. Despite the lower expectation of privacy inherent with using employer-owned technology, workers seldom expect their personal correspondence, business-related or not, to be the subject of a FOIA request, or, worse, a media headline. Besides, personal e-mail accounts and their content would not ordinarily be subject to disclosure under the FOIA, since the act targets communications that constitute “agency records.” But, like many statutes, the FOIA does not define what an agency record is, leaving it up to interpretation by the Supreme Court and lower federal courts.

“The Method of Communication Is Less Important than the Information Being Communicated”

A 2012 Federalist Society article entitled “Gmail.gov: When Politics Gets Personal, Does the Public Have a Right to Know?” examined a line of cases that shows how courts have tried to define this boundary. Interestingly, some courts already treat work-related communications over private e-mail as a kind of “agency record” that is fair game for disclosure. One case cited in the article is Yonemoto v. Department of Veterans Affairs, which stated that when it comes to FOIA, it is difficult to make a broad rule about when personal e-mails would be subject to a FOIA request. Instead, the court stated that the analysis should focus on the content of the information and the “nature of the attending circumstances” rather than on whether it was sent over a personal or public e-mail system.

Either way, there is a clear lesson here for federal agencies: Ensure that employees conduct business over either government-owned resources, or resources contracted for use by the agency or its employees—such as contractor-owned e-mail systems, contractor-owned cloud computing systems, government-operated e-mail on personally-owned hardware pursuant to a “Bring Your Own Device” policy, etc. If employees avail themselves of their own personal e-mail accounts to communicate official government business, they cannot have a reasonable expectation of privacy over those contents when compared to purely personal communications.

Accordingly, some agencies have drafted internal policies prohibiting the use of personal e-mail to conduct government business pursuant to federal guidance, both for increased transparency and protection for their staff. But given the cases cited here, the strategy has had mixed results so far and restrictions may not be enforced.

Analogous to this discussion is an aspect of communications that has not been heavily addressed within the FOIA disclosure context: personal online storage accounts. Some agencies use these to exchange files that are too large for e-mail messages, communicating within and outside of the agency. But, cloud storage solutions like Google Drive, Microsoft OneDrive or Dropbox present new security concerns for federal agencies.

One concern is that employees could use these resources to covertly move information out of the agency that should not leave it, or vice versa. A federal employee could use a personal online storage account to store a non-sensitive but nonpublic document and then permit unauthorized personnel to retrieve it. This would be akin to the espionage tactic of using a “dead drop” to pass along physical items by stashing them in a secret location for someone else to retrieve later.

But as the court in Yonemoto stated, the method of communication is less important than the information being communicated.

What’s an Agency To Do?

Going forward, agencies need a proactive, all-encompassing approach to protect the public interest and their employees simultaneously, with strict enforcement and widespread organizational awareness and training.

At least one executive branch agency has developed a security policy that prohibits federal government employees from using any unauthorized external information systems to conduct federal government business, such as personally owned e-mail or personally owned storage accounts. Through the combined use of security controls and policies, another major agency has mandated the use of one specific government-contracted cloud storage service for all file transfers, either intra-agency or with outsiders. Both agencies have issued memoranda on the subject, bolstering employee awareness.
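The “dead drop” concern above and the control just described (a single sanctioned, government-contracted storage service) meet in the agency's web-proxy logs: an upload to a consumer storage service from an agency network is the observable leg of the tactic. The following is an added example, not code from the article or from any agency's actual policy or tooling. It takes constructed proxy-log lines in an assumed format (timestamp, user, source IP, method, URL, bytes out), an assumed allowlist of one sanctioned host, and a hypothetical list of consumer-storage hostname suffixes, and flags sizeable uploads to the consumer services while letting traffic to the sanctioned service through.

```python
"""Flag uploads to personal cloud storage that bypass the agency's one
sanctioned transfer service.

Added example; not from the article. The log format, the sanctioned host,
the service list and the size threshold are all assumptions.
"""

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the agency contracts exactly one storage service for file
# transfers; any other storage host is treated as a personal account.
SANCTIONED_HOSTS = {"transfer.agency-contract.example"}

# Hypothetical hostname-suffix -> service map. A real deployment would use
# the proxy vendor's URL-category feed rather than a hand-written table.
PERSONAL_STORAGE_SUFFIXES = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onedrive.live.com": "Microsoft OneDrive",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
}

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
MIN_UPLOAD_BYTES = 100_000  # ignore small form posts and API keepalives

# Constructed log format: timestamp user src_ip method url bytes_out
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Finding:
    timestamp: str
    user: str
    service: str
    host: str
    bytes_out: int


def classify_host(host):
    """Return the personal-storage service name for a host, or None."""
    host = host.lower()
    for suffix, name in PERSONAL_STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, method, url, out = m.groups()
    return {
        "timestamp": ts,
        "user": user,
        "src_ip": src,
        "method": method.upper(),
        "host": urlparse(url).hostname or "",
        "bytes_out": int(out),
    }


def detect_personal_storage_uploads(lines):
    """Return a Finding for each sizeable upload to a non-sanctioned
    personal storage service. Downloads and browsing are not flagged."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed; a real pipeline would count these too
        if rec["host"] in SANCTIONED_HOSTS:
            continue
        service = classify_host(rec["host"])
        if service is None:
            continue
        if rec["method"] not in UPLOAD_METHODS or rec["bytes_out"] < MIN_UPLOAD_BYTES:
            continue
        findings.append(Finding(rec["timestamp"], rec["user"], service,
                                rec["host"], rec["bytes_out"]))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-03-05T09:12:44Z jdoe 10.1.2.3 PUT https://content.dropboxapi.com/2/files/upload 5242880",
    "2013-03-05T09:13:01Z jdoe 10.1.2.3 GET https://www.dropbox.com/home 812",
    "2013-03-05T09:20:17Z asmith 10.1.2.9 POST https://transfer.agency-contract.example/upload 20971520",
    "2013-03-05T09:25:40Z asmith 10.1.2.9 POST https://drive.google.com/upload?uploadType=resumable 2048000",
    "2013-03-05T09:30:00Z bjones 10.1.2.11 POST https://onedrive.live.com/api/v1/upload 4096",
    "this line is not in the expected format",
]


def run_sample():
    return detect_personal_storage_uploads(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.user} uploaded {f.bytes_out} bytes to {f.service} ({f.host})")
```

On the sample above only the Dropbox and Google Drive uploads are reported; the large transfer to the sanctioned host and the small OneDrive post pass. Note that this only sees the upload leg of the dead drop: granting an outsider access to the stored file is a separate sharing call that a proxy log will not distinguish, so in practice this check complements, rather than replaces, a policy that blocks the personal services outright.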

If the EPA is discovered to have transacted government business over personal e-mails on a regular basis, then those e-mails would likely be considered “agency records” and thus, subject to disclosure under the FOIA. But even so, the EPA would likely not be the only offender. By addressing this concern head-on via internal policies, security controls, training and awareness, or all of the above, government agencies can avoid “forcing the judicial hand” to expose employees’ information while upholding the law in the face of new and changing technologies.

Koorosh Orandi, CIPP/US, is a licensed attorney and consultant in the Cyber Risk Services Practice of Deloitte & Touche, LLP. Mr. Orandi specializes in the development of information security and privacy policy and has broad experience in various policy areas, ranging from technology and cybersecurity to national security and critical infrastructure. He can be reached at KOrandi@Deloitte.com.
