Secretary Clinton will likely do unintentionally for the duty to preserve electronic records in controversy what Edward Snowden did intentionally for the very right to privacy from government surveillance that Secretary Clinton now claims: She may put it on the map—into the global, public tag cloud—in a big way.
Authors: Jon Neiditz, Ronald J. Hedges and Rebecca Landel-Hernandez
Disseminating deep understanding of electronic records and electronically stored information (“ESI”) is an important component of enabling the free world of digitally-resilient people that we arguably need. In order to help the public achieve that benefit and make informed choices about its legal and political future, however, we need to take a step back from the political and media feeding frenzy, as well as the minutiae of what the State Department did or did not require or provide, and focus on the largest societal issues and teachable moments provided by the email scandal. Those largest messages all relate to dominant and evolving legal and professional standards of “reasonableness” in at least several professional areas of focus. For that reason, we have assembled a team of independent information governance commentators to speak to different dimensions, a team that may grow as more facts emerge and as we benefit from your thoughts.
We are not political people. For purposes of this article, we are specialists in the reasonableness of certain critical processes and safeguards relating to electronic documents. We are (Ron Hedges) a former federal magistrate judge and well-known information governance/electronic discovery expert, (Jon Neiditz) a leader of an information governance/privacy/cybersecurity law practice and blogger who focuses on helping his clients develop effective ways of protecting their knowledge assets, and (Rebecca Landel-Hernandez) a deeply committed government and private archivist. Together, we will try to illuminate the apparent deliberate destruction of electronic communications not under the control of any federal archivist and being sought in a Congressional investigation.
The lion’s share of the attention in the Clinton email scandal has focused and will continue to focus on transparency, but other risks relating to the records of senior Cabinet officials are important to note. Particularly critical to the records of such federal departments as State and Defense are the extraordinary resources devoted to secure and resilient communication networks designed not only to protect sensitive electronic communications against unauthorized access, but WHEN those networks are hacked, designed to detect and respond to that unauthorized activity immediately so as to prevent or mitigate harm, and designed to speed recovery from such cyber-attacks. As important to the functioning of our democracy are archival standards designed to assure public accountability, disaster recovery and accessibility of records under freedom of information statutes.
In this case, all such standards appear to have been bypassed by a private communication system the legality of which will be tested under the law in effect at the time of its establishment and use, and we will discuss them all, below. Most troubling, however, is that decisions were apparently made simply to destroy all documents subject to Congressional production requests and deemed “personal” in this system without any review by a trusted third party, on the purported basis of protecting the “privacy” of all such communications, even though those who made the decision to destroy all such records were undoubtedly well aware that the privacy of all such communications could easily have been preserved by such a privileged and confidential third-party review.
John Cassidy reported on Secretary Clinton’s Tuesday press conference in the New Yorker as follows:
Shortly before Clinton spoke, David Gergen, a former communications adviser to Bill Clinton and other Presidents, suggested, from his perch at CNN, that she should “surprise everyone” by promising to hand over the family server and to submit to an independent review process, in which a respected third party would go through all of the server’s contents and decide if it contained anything else that should be forwarded to the official archives. “I think concrete steps are going to go a lot further,” Gergen said, referring to the expected verbal statements.
On the face of it, that seemed like sound advice. But it turned out to be advice that Clinton wasn’t in a position to take. “We went through a thorough process to identify all of my work-related e-mails and deliver them to the State Department,” she said. “At the end, I chose not to keep my private personal e-mails.” Why so? The messages she jettisoned were “about planning Chelsea’s wedding or my mother’s funeral arrangements, condolence notes to friends, as well as yoga routines, family vacations, the other things you typically find in inboxes.” She added, “No one wants their personal e-mails made public, and I think most people understand that and respect that privacy.”
It took a few seconds for me to grasp what Clinton was doing: she was attempting to appeal to voters’ sense of fair play, over the heads of her opponents and the media. Not only did she have no intention of handing over more e-mails but the material had been deleted months ago, or so it seemed, without any outside review.
These passages raise legal concerns given the legal burdens on which Secretary Clinton and many of her advisors are expert regarding the preservation of information relevant to a pending or reasonably likely investigation or litigation, particularly given the length of time during which the records that were destroyed have been sought by the House of Representatives. Intent to destroy ESI under such circumstances could lead to very substantial sanctions against both Secretary Clinton and her counsel. It appears that the former holder of the most senior federal Cabinet position has simply stated at a press conference that she unilaterally and without either public accountability or private independent third-party review decided to destroy and did in fact destroy documents sought in a federal investigation. Therefore, in assessing the reasonableness of Secretary Clinton’s actions, we begin with the reasonableness of the document destruction.
1. Reasonable Decisions to Destroy Documents
Let’s look at the known facts from a civil litigation viewpoint. Assume that, at the time Secretary Clinton “destroyed” her electronic documents, she was under a legal obligation to instead preserve those documents. If so, she might have spoliated information that she was under a duty to preserve. What’s more, at least based on her comments at the press conference, Secretary Clinton arguably “acted with the intent to deprive another party of the information’s use in the litigation” (quoting the proposed amendment to Fed. R. Civ. P. 37(e)(1)). Secretary Clinton might attempt to avoid the imposition of serious sanctions by arguing that the lost information could be “restored or replaced” (quoting the proposed amendment to Rule 37(e)(1)). That, of course, would presuppose that electronic “duplicates” of the lost information exist somewhere else or could somehow be reconstructed. She could also argue that she had no such intent and that, instead, her intent was to protect privacy interests. And that could lead to an argument that (again quoting Rule 37(e)(1)) she has taken “reasonable steps to preserve it,” perhaps by having segregated her “official” communications from those of others with whom she shared her email account.
When the amendment to Rule 37(e) becomes effective on December 1, 2015, whether a party did or did not take “reasonable steps” to avoid the loss of ESI will become a central focus of any spoliation analysis. The latest news reports go beyond Secretary Clinton’s private email account and suggest that the State Department itself allowed email to “self-delete” after a relatively short time. The reports also appear to suggest that State personnel could “self-select” what email they chose to keep and avoid self-deletion. Under amended Rule 37(e), might this procedure be reasonable? There are several potential problems:
- One could argue that 37(e) will place an emphasis on written procedure that an employee of an organization should follow. Did State have one, what did it say, and how was it communicated?
- Monitoring might also be emphasized under 37(e). What did State do to monitor compliance or non-compliance with whatever the procedure might have been?
- Self-selection might be problematic, especially if a particular employee is either an electronic “pack rat” or someone who might have a reason to avoid an established procedure. What did State do to monitor what that employee did or did not do?
There are other questions to which State’s procedure might give rise, especially if someone acted with the intent to avoid a legal duty to preserve. Also, remember that, in the litigation context, intent to destroy ESI could lead to severe sanctions. State’s procedure is even more troubled in the context of the Freedom of Information Act (FOIA) and from the archival viewpoint discussed below.
2. Reasonableness of Information Security
Very little information has been provided regarding the information security of the Clintons’ private system, or how it responded to the constant hacking to which it was almost certainly subject, whether its managers were aware of such hacking or not. The statements made by Secretary Clinton about the security of the system, however, raise very significant issues about whether the system could meet the “reasonableness” standard in the security area.
Reasonableness in security is best viewed as a combination of physical, technical and administrative safeguards, including processes of protection, detection, response and recovery, that are designed to address the risks associated with the data, including the attractiveness of the database as a target for hackers. In this case, the server on which the head of the Clinton Global Foundation and the U.S. Secretary of State did all their email business would be regarded by hackers, foreign governments, the NSA and almost anyone else in the world as a prime hacking target. The physical security of the server has probably been very good given Secret Service and other protection of both the former President and Secretary Clinton, but given the sensitivity of the information on the server, the technical security would need constant upgrades and monitoring, and the administrative issues of access of non-State Department personnel to the servers would likely raise many other questions. Secretary Clinton’s emphatic statement that “there were no security breaches” was generally a depressing one for security professionals, because it appeared primarily to indicate the system’s lack of state-of-the-art data loss detection and prevention systems, as well as an overly narrow definition of “security breach.”
The security of the Federal Government’s information systems is governed by very demanding standards, against which auditing can easily be and is frequently performed. Secretary Clinton’s statement that the server “was on property guarded by the Secret Service and there were no security breaches” really tells us only about physical security, and if she wants to be transparent about the security of the system, an audit of technical as well as administrative security is certainly necessary. There may in fact be important national security reasons for such a security audit as well as a forensic audit, because the other important fact that we do not know yet is whether the emails that were on the server have truly been destroyed, or whether they are, in fact, forensically recoverable on their original server.
As a practical matter, without enormous resources, a personal server of the Secretary of State connected to the internet – no matter how many Secret Service agents you put in front of it – simply cannot achieve adequate technical security. The establishment of such a server might have been a reasonable arrangement for a former President at the end of the Clinton Administration, but one would expect that even for a former President at the end of the Obama Administration, a secure cloud platform meeting new Federal cloud security standards will be established, because the large cloud providers are among the only entities that can afford and deploy the constantly adaptive security that is required to meet constantly changing threats. The sensitivity of the emails of the nation’s senior-most Cabinet official and top diplomat demands the full security resources of the State Department, and the fact that even State Department emails are known to have been hacked is not a good argument for using a private server in the Secretary of State’s home in this way. It appears that the only credible information concerning the security of the server – and indeed the current security of the emails – would be based on security and forensics audits, which could be structured so as not to compromise privacy in any way.
3. Reasonableness of Archival Preservation and Public Access
There are numerous preservation concerns that come with the decision to bypass departmentally-issued email accounts and opt for a private email server housed in a private residence. Server hosting requires disaster recovery and preservation planning to ensure the integrity and authenticity of the emails residing on the private server. At a minimum, the agency should have a record of any disaster recovery plan employed by officials utilizing a private server outside the walls of that agency.
Servers require specific environmental conditions for optimum performance. What happens when the power goes down? Who maintains the server? Who re-commissions the server? What is the redundancy protocol and backup if the existing home server suffers fire or water damage? How will data on a server that was temporarily taken off line or out of service be authenticated and verified?
These are preservation questions raised by the use of a personal email server in the service of agency responsibilities. Hosting an email server requires a capability to ensure the message integrity of the hosted email data. Hash functions serve as a digital or unique fingerprint of each message. The hash value of each message is a unique “wrapper” of information not easily inverted or duplicated. Hash values are created when email is sent. The hash function represents data integrity and authentication. The preservation of the hash values of email files is essential in order to ensure message integrity and message authentication for disaster recovery.
Electronic files are vulnerable to bit rot, alteration and file degradation. The ability to read, open and interpret electronic files is dependent on three things: the medium, the media, and the software. The preservation of messages on a personal server requires a great deal of knowledge, workflow and redundancy in order to ensure the viability of the data being stored and exchanged.
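The hash-based integrity check and the bit-rot risk described in the two paragraphs above can be shown as a small fixity manifest. This is an added example, not part of the original article or any agency's tooling; the file names, sample messages and the `simulate_restore` helper are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample messages; names and addresses are placeholders.
SAMPLE_MESSAGES = {
    "0001.eml": b"Message-ID: <1@example.org>\r\nSubject: Schedule\r\n\r\nMeeting moved to 3pm.\r\n",
    "0002.eml": b"Message-ID: <2@example.org>\r\nSubject: Draft\r\n\r\nSee attached draft.\r\n",
    "0003.eml": b"Message-ID: <3@example.org>\r\nSubject: Travel\r\n\r\nFlight confirmed.\r\n",
}

def digest(raw):
    """SHA-256 over the raw message bytes, exactly as stored."""
    return hashlib.sha256(raw).hexdigest()

def build_manifest(messages):
    """At ingest time, record each message's Message-ID and digest."""
    manifest = {}
    for name, raw in messages.items():
        msg = message_from_bytes(raw, policy=policy.default)
        manifest[name] = {"message_id": str(msg["Message-ID"]), "sha256": digest(raw)}
    return manifest

def verify(manifest, messages):
    """After a restore or migration, classify every file against the manifest."""
    findings = {}
    for name, entry in manifest.items():
        raw = messages.get(name)
        if raw is None:
            findings[name] = "missing"          # deleted or lost in recovery
        elif digest(raw) != entry["sha256"]:
            findings[name] = "altered"          # bit rot or modification
        else:
            findings[name] = "ok"
    for name in messages.keys() - manifest.keys():
        findings[name] = "unexpected"           # present but never recorded
    return findings

def simulate_restore(messages):
    """Hypothetical damaged restore: one flipped bit, one loss, one stray file."""
    restored = dict(messages)
    damaged = bytearray(restored["0002.eml"])
    damaged[-3] ^= 0x01                         # single-bit change in the body
    restored["0002.eml"] = bytes(damaged)
    del restored["0003.eml"]
    restored["9999.eml"] = b"Message-ID: <x@example.org>\r\n\r\nNot in the manifest.\r\n"
    return restored

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_MESSAGES)
    for name, status in sorted(verify(manifest, simulate_restore(SAMPLE_MESSAGES)).items()):
        print(name, status)
```

The check is only as trustworthy as the manifest, so the manifest has to be kept on storage separate from the mail server. A bare digest detects change but does not show who produced a message; that requires a digital signature or keyed MAC over the manifest.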
If the emails had originated in State’s email system, then they should have fallen into an archival classification such that the email would have been retained for the appropriate time and perhaps been subject to disclosure under the Freedom of Information Act. That retention and possible disclosure would have furthered the access and transparency established under FOIA and would have made the email available for researchers, historians, and archivists.
4. More to Follow
During the Watergate scandal, the public did not learn much about technology; mostly, it saw tape transcripts covered with the words “Expletive Deleted.” The investigation of the Clinton emails could teach a great deal more about a much faster-changing world, addressing issues about which the public needs to know if government is to function effectively and accountably now and in the future. Our continued response to new disclosures as responsible information governance professionals will maximize the chances of that civic and technical education.