As a devastating wildfire burned through a Maui town, killing more than 100 people, emergency management employees traded dozens of text messages, creating a record that would later help investigators piece together the government’s response to the 2023 tragedy. One text exchange hinted officials might also be using a second, untraceable messaging service. “That’s what Signal was supposed to be for,” then-Maui Emergency Management Agency Administrator Herman Andaya texted a colleague. Signal is one of many end-to-end encrypted messaging apps that include message auto-delete functions. While such apps promise increased security and privacy, they often skirt open records laws meant to increase transparency around and public awareness of government decision-making. Without special archiving software, the messages frequently aren’t returned under public information requests. An Associated Press review in all 50 states found accounts on encrypted platforms registered to cellphone numbers for over 1,100 government workers and elected officials. It’s unclear if Maui officials actually used the app or simply considered it — a county spokesperson did not respond to questions — but the situation highlights a growing challenge: How can government entities use technological advancements for added security while staying on the right side of public information laws? How common is governmental use of encryption apps? The AP found accounts for state, local and federal officials in nearly every state, including many legislators and their staff, but also staff for governors, state attorneys general, education departments and school board members. The AP is not naming the officials because having an account is neither against the rules in most states, nor proof they use the apps for government business. While many of those accounts were registered to government cellphone numbers, some were registered to personal numbers. The AP’s list is likely incomplete because users can make accounts unsearchable. Improper use of the apps has been reported over the past decade in places like Missouri, Oregon, Oklahoma, Maryland and elsewhere, almost always because of leaked messages. What’s the problem? Public officials and private citizens are consistently warned about hacking and data leaks, but technologies designed to increase privacy often decrease government transparency. Apps like Signal, WhatsApp, Confide, Telegram and others use encryption to scramble messages so only the intended end-user can read them, and they typically aren’t stored on government servers. Some automatically delete messages, and some prevent users from screenshotting or sharing messages. “The fundamental problem is that people do have a right to use encrypted apps for their personal communications, and have those on their personal devices. That’s not against the law,” said Matt Kelly, editor of Radical Compliance, a newsletter that focuses on corporate compliance and governance issues. “But how would an organization be able to distinguish how an employee is using it?” Are there acceptable government uses of end-to-end encryption apps? The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has recommended that “highly valued targets” — senior officials who handle sensitive information — use encryption apps for confidential communications. Those communications are not typically releasable under public record laws. CISA leaders also say encrypted communications could be a useful security measure for the public, but did not encourage government officials to use the apps to skirt public information laws. Journalists, including many at the AP, often use encrypted messages when talking to sources or whistleblowers. What are states doing? While some cities and states are grappling with […]