In October, Laurence Brewer, records manager for the National Archives and Records Administration, told US Customs and Border Protection officials he was concerned about the agency’s use of an app called Wickr. The Amazon-owned encrypted messaging platform is known for its ability to automatically delete messages.
Brewer, who is responsible for ensuring government officials handle records properly, wrote in a letter that he was “concerned about the agency-wide rollout of a messaging app with this functionality. without appropriate policies and procedures governing its use”.
Brewer addressed his letter to Eric Hysen, the director of information for the Department of Homeland Security. He was uploaded to the National Archives website and his concerns had not previously been reported. The document offers rare insight into the use of Wickr by Customs and Border Protection and highlights the broader concerns of some officials and watchdogs about the growing use of messaging apps at all levels of government. American.
Wickr has been acquired by Amazon’s cloud computing division last june and has contracts with a number of government agencies. Customs and Border Protection (CBP), which has come under fire from human rights activists and immigration lawyers for what they say are its secretive practices, has spent more than $1.6 million dollars for Wickr since 2020, according to public procurement records.
But little is known about how the agency rolled out the app, which is popular among security-conscious people from journalists to the criminals. Its auto-delete feature has made the platform a source of concern for government registrars, as well as external watchdogs, who fear that Wickr and other similar apps are creating ways for customs officials to circumvent government transparency requirements.
“CBP, like ICE and other agencies overseen by DHS, has an abysmal record of compliance with record-keeping laws,” said Nikhel Sus, senior counsel for Citizens for Responsibility and Ethics in Washington. (CREW), a non-profit watchdog group. , in a report. “This has had real consequences for accountability by hampering investigations and oversight of agency activities. The agency’s use of Wickr, a messaging app with “auto-delete” features, certainly raises red flags. »
CREW filed a trial against CBP last month after failing to respond to a Freedom of Information Act request the nonprofit filed for documents about its Wickr implementation. CREW is asking CBP to “fully and expeditiously process CREW’s FOIA request and immediately produce all non-exempt documents.”
CBP spokeswoman Tammy T. Melvin said the agency could not comment on ongoing litigation. “Distribution/use of Wickr is currently under review,” she said in an email. Since 2019, she said, the agency has only used the app in “several small-scale pilots.”
Melvin said the Customs and Border Protection contracts relate to use of the Enterprise version of Wickr, which is designed for business communications, and allows organizations to appoint administrators who can control email settings on the platform. -form, including those regarding deletion. The feature could theoretically give CBP more control over how individual employees use Wickr and prevent records from being deleted, but details about how the agency uses Wickr remain unclear and Melvin declined to specify.
Wickr also offers another product called Wickr RAM, aimed at the military – the company advertises as being accredited by the United States Department of Defense. It’s unclear how its features and capabilities differ from the Enterprise version of the app used by CBP.
Advertising materials for both professional products from Wickr say they can be used in a way that allows for record keeping compliance. But both also allow users to delete their posts, according to the Wickr website. In a Wickr RAM training presentation as of 2021, the company even touted a feature it called the “Secure Shredder”.
“To reduce the risk of recovering deleted Wickr data, Secure Shredder runs whenever your Wickr application is running,” reads the training. “The goal is to ‘sanitize’ or overwrite deleted Wickr data, where possible.”
Amazon did not respond to two requests for comment on Wickr’s various government products and contracts.
The use of apps that destroy messages is a growing problem at many levels of government
Other officials, including Maryland Governor Larry Hogan, have been criticized for using Wickr’s self-destruct feature (Hogan defended its use as “common practice” and said it was the same as making a phone call). CREW also unsuccessfully sued the White House in 2017, claiming it violated the Presidential Records Act after The Washington Post reported that staff members were using another app called Confide, which also allows users to automatically delete messages.
United States Court of Appeals Judge David Tatel wrote in his opinion that while “Richard Nixon could only have dreamed of the technology at issue in this case”, the court “would have no jurisdiction to order the correction of any defect at the time of the White House-day-to-day compliance” with the rules of record.
In his letter, Brewer gave Customs and Border Protection 30 days to respond with documentation of its policies, training guidelines and other resources the agency had established “to mitigate the risk of managing records associated with improper use of Wickr” and similar applications.
Melvin said Customs and Border Protection provided an initial response to the letter in December and provided quarterly updates to the agency on its progress. But CBP still hasn’t released all of the information it was asked for. The case associated with the letter remains open, according to the National Archives website.
A spokesperson for the National Archives declined to comment.
Customs and Border Protection has had issues in the past with their disclosures of records. In September, the Department of Homeland Security’s Office of Inspector General (OIG) issued a report which revealed that CBP had failed to consistently log WhatsApp messages between US and Mexican officials. The report said it was unclear whether the agency was allowed to use the app for official business in the first place.
The WhatsApp messages dated back to 2018, when a group of Central American migrants started making their way to the US border in Tijuana, Mexico. Journalists and other US citizens who accompanied the caravan said they were subjected to intensive screenings and interviews, first Democratic lawmakers are calling for an investigation.
The OIG report found that CBP officials in a number of instances failed to retain WhatsApp messages regarding the trailer, likely in violation of the agency’s record keeping policies.
“Many CBP officials in various offices regularly used WhatsApp to communicate both with individuals and in various WhatsApp groups, some of which contained up to hundreds of US and Mexican officials,” the report said. “Yet these officials have not consistently withheld them. WhatsApp messages or copy or forward them to their official CBP accounts.
The Inspector General recommended that CBP discontinue its use of WhatsApp or ensure it was in compliance with record-keeping laws. CBP responded by saying it was “currently piloting a managed messaging platform to replace WhatsApp.”
In response to questions about the platform the report referred to, Melvin, the CBP spokesperson, said the agency had been piloting Wickr for more than two years.
But so far, CBP has not shared those pilots’ findings with the Office of Inspector General, according to Melvin. An OIG spokesperson told NBC News that its recommendation is still open.
“We will close this recommendation when CBP provides documentation showing the results of its pilot project to replace WhatsApp and ensure that messages are retained according to legal and policy requirements, including records retention schedules,” the Bureau’s report said. of the Inspector General.