The use of secret texting app Confide, which former Missouri Gov. Eric Greitens’ and several of his staff members communicated with, may very well be a violation of Missouri law. But it’s important to understand that when properly employed, encrypted messaging should help our elected leaders protect democracy — not subvert it. But the Greitens case brings up an interesting discussion that sits at the intersection of security, technology, transparency and government efficiency.
There are encrypted communications tools available that allow you to both conduct business and chat with friends using military-grade encryption — protected from hackers who prey on email. And, unlike the app that Greitens and his staff used, those other tools also offer capability for government entities to integrate encryption in a way that allows them to comply with laws and policies governing data retention.
We now know that government officials must be on high-alert for cybersecurity breaches. Email continues to be the single biggest entry point for nefarious actors to gain unauthorized access to sensitive information. On any given day, state government officials might deal with sensitive public safety issues or security threats, personal information of constituents (such as tax returns, Social Security benefits information, child welfare information and more) or state-related business that could be misused by bad actors. The public expects these officials to do everything in their power to protect this confidential information.
Encrypted tools allow users to communicate securely and protect sensitive information from falling into the wrong hands. Using auto-deletion, or ephemerality settings ensures that critical communications are not accessible to adversaries. But there are also systems that include compliance capabilities so that when something needs to be retained, either by law or policy, it can be.
There are two primary considerations for any organization in today’s cyber-attack-rich environment when considering how to best engage with encrypted messaging tools:
First, what is actually required to be retained by law or regulation? Our tendency to horde data “just in case” leaves government entities vulnerable to would-be hackers and increases the amount of data open attack so they can sew maximum chaos. Many states’ open records laws were created years or even decades ago, before we began generating the vast amounts of data that we can now produce in a very short period of time, and before there were the sophisticated cyber threats we see today.
It is time for policymakers to revisit antiquated data-retention policies and have a thoughtful conversation about what is necessary to retain for transparency and state business and — importantly — what is not.
Second, how do we responsibly embrace the best new technologies in the interest of protecting the confidential personal information that we trust our government to gather and hold? Would we be in a different place as a nation if the officials and campaign organizations hacked by the Russians in 2016 were using encrypted messaging instead of standard email — and therefore had not been vulnerable to the hacking that occurred?
Experts agree nearly uniformly that secure encrypted messaging is the best way to protect electronic communications between individuals and organizations. Several federal government and intelligence agencies are currently working on how to best integrate encrypted messaging into their day-to-day operations, while remaining in compliance with all record retention laws. There’s no reason the state of Missouri shouldn’t be having those same discussions. And it would be a real shame if the former governor’s apparent misuse of encrypted apps prevent these discussions from occurring.
Policymakers and government officials should come together with tech leaders and cybersecurity experts to revisit their data retention, security and open records policies in light of the modern-day threats.
Audra Grassia is the political and government
lead for secure collaboration