In October, Laurence Brewer, the chief data officer of the National Archives and Records Administration, advised officers at U.S. Customs and Border Protection he was frightened about how the company was utilizing an app known as Wickr. The Amazon-owned encrypted messaging platform is understood for its means to routinely delete messages.
Brewer, who’s chargeable for guaranteeing that authorities officers deal with data accurately, wrote in a letter that he was “concerned about agencywide deployment of a messaging application that has this functionality without appropriate policies and procedures governing its use.”
Brewer addressed his letter to Eric Hysen, the chief data officer of the Department of Homeland Security. It was uploaded to the National Archives web site, and its considerations had not been beforehand reported. The doc affords a uncommon perception into Customs and Border Protection’s use of Wickr, and highlights the broader worries that some officers and watchdogs have concerning the rising use of messaging apps in any respect ranges of the U.S. authorities.
Wickr was purchased by Amazon’s cloud-computing division final June and has contracts with a lot of authorities businesses. Customs and Border Protection (CBP), which has been criticized by human rights activists and immigration legal professionals over what they are saying are its secretive practices, has spent greater than $1.6 million on Wickr since 2020, in keeping with public procurement data.
But little is understood about how the company has deployed the app, which is in style amongst security-minded individuals starting from journalists to criminals. Its auto-deletion characteristic has made the platform a reason behind concern amongst authorities report keepers, in addition to exterior watchdogs, who fear that Wickr and different related apps are creating methods for customs officers to sidestep authorities transparency necessities.
“CBP, like ICE and other agencies DHS oversees, has an abysmal track record when it comes to complying with record-keeping laws,” mentioned Nikhel Sus, senior counsel for Citizens for Responsibility and Ethics in Washington (CREW), a nonprofit watchdog group, in an announcement. “This has had real consequences for accountability by impeding investigations and oversight of the agency’s activities. The agency’s use of Wickr, a messaging app with ‘auto-delete’ features, certainly raises red flags.”
CREW filed a lawsuit in opposition to CBP final month after it failed to reply to a Freedom of Information Act request the nonprofit filed searching for data about its implementation of Wickr. CREW is asking CBP to “fully and promptly process CREW’s FOIA request and produce all non-exempt documents immediately.”
Tammy T. Melvin, a spokesperson for CBP, mentioned the company couldn’t touch upon pending litigation. “The distribution/use of Wickr is currently under review,” she mentioned in an e mail. Since 2019, she mentioned, the company has solely used the app in “several small-scale pilots.”
Melvin mentioned that Customs and Border Protection’s contracts are to be used of the Enterprise model of Wickr, which is designed for enterprise communications, and permits for organizations to nominate directors who can management messaging settings on the platform, together with these relating to deletion. Theoretically, this characteristic might give CBP extra management over how particular person workers use Wickr, and stop data from being scrapped, however the particulars of how the company is utilizing Wickr stay unclear, and Melvin declined to specify them.
Wickr additionally has one other product known as Wickr RAM, which is meant for the navy — the corporate advertises it as being accredited by the U.S. Department of Defense. It’s not clear how its options and functionality differ from the Enterprise model of the app utilized by CBP.
Advertising supplies for each of Wickr’s skilled merchandise say they can be utilized in ways in which permit for record-keeping compliance. But each additionally let customers delete their messages, in keeping with Wickr’s web site. In a Wickr RAM coaching presentation from 2021, the corporate even touted a characteristic it known as the “Secure Shredder.”
“To reduce the risk of deleted Wickr data being recovered, the Secure Shredder runs whenever your Wickr app is running,” the coaching learn. “The goal is to ‘sanitize’ or overwrite deleted Wickr data, on a best-effort basis.”
Amazon didn’t reply to 2 requests for remark about Wickr’s numerous merchandise and authorities contracts.
The use of apps that destroy messages has been a rising problem at many ranges of presidency
Other public officers, together with Maryland Gov. Larry Hogan, have been criticized for utilizing Wickr’s self-destructing characteristic (Hogan defended its use as “common practice” and mentioned it was the identical as making a telephone name). CREW additionally unsuccessfully sued the White House in 2017, claiming it was violating the Presidential Records Act after The Washington Post reported that employees members had been utilizing one other app known as Confide, which equally lets customers routinely delete messages.
U.S. Court of Appeals Judge David Tatel wrote in his opinion that whereas “Richard Nixon could only have dreamed of the technology at issue in this case,” the court docket “would have no jurisdiction to order the correction of any defects in the White House’s day-to-day compliance” with data guidelines.
In his letter, Brewer gave Customs and Border Protection 30 days to reply with documentation about its insurance policies, coaching tips and different assets the company had established “to mitigate the records management risk associated with the improper use of Wickr” and related apps.
Melvin mentioned Customs and Border Protection offered an preliminary response to the letter in December, and had been offering quarterly updates to the company on its progress. But CBP has nonetheless not divulged all the knowledge requested of it. The case related to the letter stays open, in keeping with the National Archives web site.
A spokesperson for the National Archives declined to remark.
Customs and Border Protection has run into issues up to now with its report disclosures. In September, the Department of Homeland Security’s Office of the Inspector General (OIG) launched a report that discovered CBP had did not constantly save WhatsApp messages between U.S. and Mexican officers. The report mentioned that it wasn’t clear whether or not the company was allowed to make use of the app for official enterprise within the first place.
The WhatsApp messages dated to 2018, when a bunch of migrants from Central America started touring to the U.S. border in Tijuana, Mexico. Journalists and different U.S. residents who accompanied the caravan mentioned they’d been subjected to intensive screenings and interviews, main Democratic lawmakers to name for an investigation.
The OIG report discovered that CBP officers in a lot of cases did not maintain WhatsApp messages concerning the caravan, possible in violation of the company’s record-keeping insurance policies.
“Numerous CBP officials, across various offices, regularly used WhatsApp to communicate both with individuals and in various WhatsApp groups, some of which contained up to hundreds ofU.S. and Mexican officials,” the report mentioned. “Yet, these officials did not consistently retain their. WhatsApp messages or copy or forward them to their official CBP accounts.”
The Inspector General really helpful that CBP both finish its use of WhatsApp or guarantee it was in compliance with record-keeping legal guidelines. CBP responded by saying that it was “currently piloting a managed messaging platform to replace WhatsApp.”
In response to questions on what platform was being referred to within the report, Melvin, the CBP spokesperson, mentioned that the company had been conducting pilots of Wickr for greater than two years.
But thus far, CBP hasn’t shared the findings of these pilots with the Office of the Inspector General, in keeping with Melvin. A spokesperson for the OIG advised NBC News that its advice was nonetheless open.
“We will close this recommendation when CBP provides documentation showing the results of its pilot to replace WhatsApp and to ensure that messages are retained in compliance with legal and policy requirements including records retention schedules,” the report from the Office of the Inspector General mentioned.