I decided to make this a sticky top post for a day or two – it needs wide circulation. New posts will appear below this one. – Anthony
Playing email hidey-ho in Hansenland to circumvent FOI laws
Guest post by Chris Horner
That political appointees and career activists in government would use private computers is in keeping with tactics I have uncovered as being epidemic in government, and particularly the current administration, and which I detail in The Liberal War on Transparency: Confessions of a Freedom of Information “Criminal” released this week.
These tactics include the widespread use of private emails, hiding meetings with lobbyists, and using “handles” and lobby groups as “cutouts” or go-betweens with pressure groups with whom the administration doesn’t want a paper trail. I even detail the White House arranging for a digital equivalent of a “safe house”, a privately owned and managed computer server on which to quietly conduct discussions about the IPCC presumably away from the taxpayers’ prying eyes.
But I also have an affidavit admitting to an elaborate system established by one activist agency — NASA’s Goddard Institute for Space Studies (GISS) — to view its emails remotely on a non-official computer, purchased with taxpayer money and used for the taxpayer’s business but access to which is being denied the government for inspection, whose use erases any trace of the records back on government servers.
This was provided me by NASA in an ongoing FOIA lawsuit we filed at the Competitive Enterprise Institute to obtain records of Gavin Schmidt, a GISS scientist who was running a third-party activist website promoting an ideological agenda on taxpayer time — at least if you believe the time-stamps, which were then “disappeared” after we pointed this out to NASA. But which we captured nonetheless.
The administration attested to this in federal court in order to defend their failure to provide certain emails to and from Schmidt’s email accounts relating to this activity. Their claim is that, because the emails were written or accessed on this unofficial computer, their system is such that the official emails are beyond the administration’s reach. In fact, the government’s copies are destroyed.
This is their defense.
The affidavit, by GISS’s Associate Chief Larry D. Travis, attests in pertinent part (emphasis added):
Dr. Schmidt uses two separate computers on which he conducts his work for NASA. . . . One computer Dr. Schmidt uses is a laptop computer that is owned by NASA. . . . The other computer is a desktop computer owned by Columbia University. Dr. Schmidt purchased this computer with National Science Foundation grant monies he received while he was an employee of Columbia University, prior to his becoming a civil servant with [NASA]; . . . [T]he [Space Station Program or SSP] contract providing IT support to GISS covers service for this computer. Nevertheless, Dr. Schmidt maintains this computer; SSP does not regularly service Dr. Schmidt’s computer and no SSP contractor has administrative privileges on the computer. Dr. Schmidt’s email correspondence is stored on his Columbia desktop computer [NB: that’s the private one, paid for not by Schmidt but by the taxpayer, to which he does not allow NASA access]. Dr. Schmidt accesses his Columbia University email via an Internet browser on the computer. Dr. Schmidt does not download his Columbia email messages to his computer; rather, they are located on a remote Columbia mail server.
NASA’s boast is that official records can be and are accessed by private computers, which not only corrupts the agency’s ability to properly comply with FOIA, it erodes the agency’s record retention and preservation. Elsewhere in the affidavit NASA states that the computer Schmidt uses is (emphases added):
a desktop . . . which Dr. Schmidt uses to send and receive all of his email from the @giss.nasa.gov, @nasa.gov, @columbia.edu, and @realclimate.org domains. See Travis Decl. ¶ 18. Dr. Schmidt has never given administrative information technology (“IT”) privileges for either computer to the IT support services contractor that serves Agency personnel. See id. Thus, the email sought here is relayed to and resides on a computer that the Agency does not own, to which the Agency has no right of access, and for which no Agency official or contractor has administrative privileges. Moreover, there is no central mechanism by which GISS IT personnel can obtain access remotely to email sent to or received by a GISS email user; instead, the only way to reach such email would be via directly accessing the hard drive of the computer on which the user accessed his or her GISS email. See id. at ¶ 12b.
Which hard drive, you will note, is on a computer to which the government (taxpayer) has no access but for which the government (taxpayer) paid. And pays to service. Even if it isn’t permitted to. Had this been the government computer, well, then email traces — in the event a record is destroyed, which we know that would never happen, there are laws….stay tuned — could be reconstructed.
But GISS is using private computers, it seems, for this public service, denying the public access to the legally required record of its activities.
NASA might explain how it is not hereby knowingly sanctioning a corruption of responsibilities to create, retain, and preserve documents, both for the Federal Records Act and for FOIA. This ain’t rocket science. But we do know it is with NASA’s sanction.
However, as Dr. Travis explains, even with respect to the emails from the @giss.nasa.gov and @nasa.gov domains, these have not been integrated into an agency record system or file.
Once a[n agency] employee accesses his or her [agency] email via his or her personal computer, those emails are no longer located on any server at [the agency]; in other words, the act of accessing a specific email deletes that email from the ‘spool’ on the server. [The agency] does not currently have (nor has it had in the past) a centralized backup of [agency] email traffic.” Id. at ¶ 12b. Moreover, even if the Agency did have a centralized backup of emails from the @giss.nasa.gov or @nasa.gov domains, emails sent or received by Dr. Schmidt pertaining to his work on the RealClimate blog would not be integrated into an Agency records system or file. . . .
Traces of the records are only on the computer the employee uses to access them. Which, at great pains, is not a government computer or one to which the government is being permitted access.
In this affidavit, NASA’s point was that its own system has gotten so far out of their control that an entire class of records cannot possibly be deemed “agency records” and so they have no obligation to search for or release them because the truth is while they may relate to official business, well, their employee won’t let them see them. And as is inherent in the system, the approved process destroys the government’s copies.
One could not hope to find a more explicit acknowledgment—or, more accurately, series of admissions, enthusiastically volunteered in an effort to get out of one frying pan (producing emails the employee wants to keep to himself) into an apparently bigger fire—that employees use unofficial computers for official duties and keep the records accessed on these computers away from the prying taxpayer eyes, skirting FOIA and, it seems, other laws. They even use them to access official email accounts in a way that destroys the record.
As we have already been forced to argue to the Obama White House regarding the IPCC “safe house”, and have already filed an action to argue in court, conducting public business on private accounts or computers doesn’t make the business, and therefore the records, any less public. This particular example is simply an extreme case of flaunting disregard for this principle, particularly given NASA’s brazenness of sanctioning it and invoking the abusive practices as an expedient excuse to not turn over records produced on taxpayer time and resources.
Christopher C. Horner is a Washington, DC attorney and author of the newly released The Liberal War on Transparency: Confessions of a Freedom of Information “Criminal” (Threshold Editions).
It would be naive to credit these practices solely to liberal policy or to imagine them confined to questions of climate.
James Hastings-Trew says:
October 4, 2012 at 10:09 pm
The NASA email accounts should be configured to be IMAP. The emails should be retained on the server as per US Law that such emails be retained. In no way, shape, or form should the employee be responsible for the retaining of emails that are subject to FOIA requests – this should be done at the server, beyond the reach of any employee action, up to and including the deletion of email. That is to say, deleted emails are removed from the inbox and placed in a deleted email folder – but everything should be retained (and backed up), server side, in order to comply with the law. This is BASIC system administration, period. Whoever is in charge of their email system should at minimum be fired for incompetence, and more ideally, charged with aiding and abetting the circumvention of applicable federal law.
=====================
Very well stated sir. And to follow up with the comment from kadaka (KD Knoebel) would summarize the importance of such policies.
kadaka (KD Knoebel) says:
October 4, 2012 at 10:10 pm
So a system has been set up that allows unknown parties acting against the interests of the United States to directly communicate with US government employees without traceability and record retention accessible by US government security agencies without subpoena, while simultaneously allowing US government employees to communicate with unknown parties acting against the interests of the US without traceability and record retention accessible by US government security agencies without subpoena, and it is installed in and operating from a US government installation, thus allowing US government employees to transfer US government documents directly from a US government installation to parties acting against the interests of the US without traceability and record retention accessible by US government security agencies without subpoena, which includes controlled documents of a sensitive nature.
The fact that the agency’s email server is explicitly configured (must be, not an accident) to delete emails is a violation.
I am curious about how this is stated. It sounds like an email access program (Outlook, etc.) choice in configuring individual IMAP email account downloads where the user gets to choose deleting them from the server. Even though this box is checked, most Federal email servers should not delete any emails.
The difference is an agency’s email server versus a user’s email account.
Now if the IT group specifically set the server to delete emails after downloading, well, fraud comes to mind, along with gross incompetence or wilful malfeasance. And yes, if I was that IT guy, I’d insist on written and signed orders explicitly telling me to break regulations.
In the long ago time of ancient text email, about 1990, it was common to have a mail server just “deliver the email” and delete the copy in “spool”. Then SarBox hit (and the Gov FOIA equivalents). It then became mandatory to ‘retain records’.
I have painful memories of changing entire email systems to “keep for years”. Network Appliance made a bundle selling specially configured vast file storage devices that could be written, but no one could delete the records, specifically for “records retention” in compliance with law. NASA buys a lot of NetApp equipment.
We hired some of our better programmers for sys admin work from NASA then too.
So I conclude:
The Tech guys know exactly what to do.
Their server is NOT configured in compliance with retention requirements OR you are being told it isn’t, but it really is.
In any case, the process described is in violation.
@Ian H:
Doesn’t matter WHERE or by WHOM the email services are run or operated. The legal retention requirements still apply. One of the standard “talking points” in selling external services is “Backups, disaster recovery, and retention policy compliance”.
@chris H.:
I would not be surprised to “discover” that the I.T. department has “backups” of the email server that are not being discussed in the letter to you. A request for “Backup procedures for email servers” might be productive…
If they really are running as a straight “spool only” email transit server, I would be astounded. That would say that they have NO retention policy other than whatever individuals do on their desktop machines. That alone likely breaks several laws…
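Added example (not part of the post or of any comment, and not NASA's configuration): one way an administrator could check from server logs whether clients are draining the spool in the way the affidavit describes. The log lines are constructed and assume Dovecot's default POP3 logout format; the host and user names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: POP3 logout lines modelled on Dovecot's default
# pop3_logout_format (top=%t/%p, retr=%r/%b, del=%d/%m, size=%s).
# Assumed log format; host "mx1" and all user names are made up.
SAMPLE_LOG = """\
Oct  4 09:12:01 mx1 dovecot: pop3(alice): Disconnected: Logged out top=0/0, retr=3/18422, del=3/3, size=18422
Oct  4 09:40:17 mx1 dovecot: pop3(bob): Disconnected: Logged out top=0/0, retr=2/9120, del=0/7, size=41877
Oct  4 10:05:44 mx1 dovecot: pop3(alice): Disconnected: Logged out top=0/0, retr=1/2210, del=1/1, size=2210
Oct  4 10:06:02 mx1 dovecot: imap(carol): Disconnected: Logged out in=312 out=5121
Oct  4 11:30:09 mx1 dovecot: pop3(bob): Disconnected: Logged out top=1/512, retr=0/0, del=2/7, size=41877
"""

# del=<deleted>/<messages in the mailbox when the session started>
LOGOUT_RE = re.compile(
    r"pop3\((?P<user>[^)]+)\).*?"
    r"retr=(?P<retr>\d+)/(?P<bytes>\d+), "
    r"del=(?P<deleted>\d+)/(?P<total>\d+)"
)


def parse_sessions(log_text):
    """Return one dict per POP3 logout line; other lines are ignored."""
    sessions = []
    for line in log_text.splitlines():
        m = LOGOUT_RE.search(line)
        if m:
            sessions.append({
                "user": m["user"],
                "retrieved": int(m["retr"]),
                "deleted": int(m["deleted"]),
                "total": int(m["total"]),
            })
    return sessions


def audit(sessions):
    """Aggregate per user: sessions, messages deleted, spool-draining sessions."""
    report = defaultdict(lambda: {"sessions": 0, "deleted": 0, "drained": 0})
    for s in sessions:
        entry = report[s["user"]]
        entry["sessions"] += 1
        entry["deleted"] += s["deleted"]
        # A "drained" session removed every message the server was holding.
        if s["total"] > 0 and s["deleted"] == s["total"]:
            entry["drained"] += 1
    return dict(report)


def findings(report):
    """Rank users whose clients remove mail from the server."""
    out = []
    for user, entry in sorted(report.items()):
        if entry["drained"]:
            out.append((user, "HIGH"))    # server copy emptied on retrieval
        elif entry["deleted"]:
            out.append((user, "MEDIUM"))  # some server copies removed
    return out


if __name__ == "__main__":
    for user, severity in findings(audit(parse_sessions(SAMPLE_LOG))):
        print(f"{severity}: POP3 client for {user} deletes mail from the server")
```

A finding here only matters if the server keeps no journal or archive copy of its own; where server-side retention exists, client deletions do not touch the retained record.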
Ian H says:
October 4, 2012 at 9:36 pm
……………….. Just wanted to point that out to y’all before we get too carried away here.
————————————-
Cloud does not mean they are allowed a lack of sunshine.
Access via cloud does not prevent communications and use trails from being downloaded and archived. It’s the law. The folks our president hired to lead these organizations for taxpayer benefit need to figure out how to comply with, not circumvent the FOIA. Hey Mr Holder, it’s the law.
Instead of declaring how they didn’t follow the law they need to step up and fix it. They need to establish an information and data trail.
Poor leaders accept poor excuses. How do NASA and the rest of the Alphabet Departments not recognize this failure and how this is the root of skepticism? (along with climategate, UN failures, data loss and manipulation and model failure etc)
Question is how do a Hansen, Schmidt, and the team keep their positions with such contempt for the law?
cn
Three cheers for Sherlock alias Charles The Moderator.
For a government agency, working on classified material ,to allow this seems unbelievable. No need to leave microfilm or memory sticks tucked into tree knotholes for your minder to pick up. Just bring in your own computer and upload all you want to wherever in the world you want, and instantly delete the trail.
“In any case, the process described is in violation.”
Worse – the process as described is so stupid that it is not credible.
So a NASA employee is reading email on a laptop and power failure occurs. Data not saved locally – never mind – power returns – log in again – oh dear, all that vital data from my boss has gone, and the IT folk have no way to recover it?
Seriously? I for one don’t believe it.
***Schmidt’s words below seem somehow hollow:
25 June: 2009: Nature: Olive Hefferman: Funding cut for UK climate research
Ministry of Defence pulls £4.3 million from Met Office
The loss of £4.3 million (US$7.0 million) in funding from the MoD will affect the Met Office Hadley Centre for Climate Change in Exeter, the world-class climate modelling institute whose researchers made key contributions to the last assessment report of the Intergovernmental Panel on Climate Change (IPCC) in 2007.
“This news comes as a shock,” says climate scientist Martin Parry, formerly at the Met Office and now at the Grantham Institute for Climate Change at Imperial College London. “The UK’s core modelling work on climate change has been funded from this source, up to now.”…
This will be the first time that Met Office climate research has gone without MoD cash, according to a Met Office spokesman. The office became an executive agency of the ministry in 1990 and a commercialized trading fund in 1996. By 2008, one-sixth of its budget of £176.5 million came from commercial services. But government, and the MoD in particular, has continued to be its main customer and funder….
Although the MoD has withdrawn its remaining funding, a Met Office spokesman insisted that the programme is not threatened.
The Department of the Environment, Food and Rural Affairs (DEFRA) is committed to providing £4 million per year in funding up until 2011 to ICP, and the Department of Energy and Climate Change (DECC) will provide approximately £10 million in annual funding over the same period…
***“If they don’t recoup it, they are going to be in serious trouble,” said Gavin Schmidt, a climate modeller at NASA’s Goddard Institute of Space Studies in New York. “Losing 25% of your funding is a huge deal. Five percent is generally containable, but 25% is not an amount you can hope to absorb easily.” …
However, the cuts could also lead to a better way of funding climate research, says Schmidt. The Met Office’s link to the defence ministry is unusual among national climate research centres, and some feel that it can lead to unnecessary bureaucracy.
***“Climate research should be as open and transparent as possible,” says Schmidt, “and institutional links with the defence establishment can sometimes impede that goal.”
http://www.nature.com/news/2009/090625/full/news.2009.602.html
Reply: good find ~ctm
This I’m-above-the-law attitude is also manifested in GISS’s evasion of the rules requiring it to document the rationale for changes to its historic global temperature anomaly records, as a thread here within the past two weeks or so complained.
So, based on the investigation by CEI described in the post by Chris Horner, there are two things to ask.
First, did Gavin Schmidt of NASA’s GISS evade FOI exposure?
Second, if Gavin Schmidt of NASA’s GISS did evade FOI exposure, was it intentional evasion?
The investigation is important to establish the answers, because the reputation of science is once again in an uncomfortable spotlight due to the behavior of some climate researchers.
John
I don’t understand this:
“Dr. Schmidt accesses his Columbia University email via an Internet browser on the computer. Dr. Schmidt does not download his Columbia email messages to his computer; rather, they are located on a remote Columbia mail server.”
Schmidt is no longer employed by Columbia University. Can someone explain this with words and preferably graphics? Chefio? Charles?
It is quite unheard of that a federal agency would not have an email retention policy by using a MAPI interface for email clients to read or retrieve local copies of email permanently stored and backed up on/from the main email server. It also is quite unheard of that a federal agency would permit the use of equipment not issued by the same agency to access the computer network, retrieve outside data or transmit data from within to the outside of the network. That is a major security breach and for that point alone heads at GISS/NASA IT should roll.
National Aeronautics and Space Administration
Office of Inspector General
Washington, DC 20546-0001
February 28, 2008
TO: Chief Information Officer
FROM: Assistant Inspector General for Auditing
SUBJECT: Final Memorandum on Audit of Retention of NASA’s Official Electronic Mail (Report No. IG-08-010; Assignment No. A-07-007-00)
So NASA has been in breach of these regulations now for 4 years?
I would think that Congress should defund all IT and computing for NASA (including all remuneration to IT staff and scientific computing, operational space and Mars exploration systems) until the agency has taken corrective action and put in place solid legal procedures which all agency staff are mandated to follow. NASA might take notice of such a blunt approach.
If there really is no server backup, what happens when (not if) Gavin’s personal PC hard drive finally refuses to store & retrieve data, or gets hit by a really nasty virus? He’s going to be in a bit of a pickle then! Unless, of course, he has his own personal backup on a portable drive somewhere….
John Silver,
From:
http://www.giss.nasa.gov/about/
GISS works cooperatively with area universities and research organizations, most notably with Columbia University. Many of our personnel are members of Columbia’s Earth Institute, Center for Climate Systems Research (CCSR), Department of Earth and Environmental Sciences, and/or Department of Applied Physics and Applied Mathematics. We also collaborate with researchers and educators at Columbia’s Lamont-Doherty Earth Observatory, the City College of New York, the American Museum of Natural History and elsewhere
Gav is certainly still affiliated with Columbia.
Kaboom says:
October 5, 2012 at 3:47 am
It is quite unheard of that a federal agency would not have an email retention policy by using a MAPI interface for email clients to read or retrieve local copies of email permanently stored and backed up on/from the main email server. It also is quite unheard of that a federal agency would permit the use of equipment not issued by the same agency to access the computer network, retrieve outside data or transmit data from within to the outside of the network. That is a major security breach and for that point alone heads at GISS/NASA IT should roll.
Actually it is quite common for unclassified government email and networks to have web access enabled. I work for a DoD agency as a contractor, and I can access my unclassified official email from my home network, and a good bit of SharePoint file system, from my home computer. Of course, email I access from my system, or even delete from my system, emails stored on the agency email server archives.
At the risk of being really dumb here, surely it doesn’t matter which computer Gavin accesses and sends his NASA emails from? He will be using a mail client of some description, but this is accessing mail on the NASA mail servers. The only local items would be any private folders on the computer to which he moves mail for storage.
But that mail is still NASA mail that passed through the NASA mail system and which will have been logged there and be subject to all their retention and archiving policies (if any). I access my corporate emails from all over the place thanks to the joys of OWA, VPN, mobile integration and so on. It doesn’t matter where or how, because the mail is on the corporate mail server.
Perhaps someone who isn’t quite so many years removed from email admin can correct me, but this sounds like extremely basic bluster and misdirection.
If there is nothing to hide, why work so hard to hide it?
“the Archivist shall request the Attorney General to initiate such an action”
With Eric Holder as AG, there’s no chance of that ever happening.
John Trigge (in Oz) says:
October 4, 2012 at 10:49 pm
Should the proverbial bus come along and hit any of these people using their own PCs, inaccessible to their department’s IT personnel, how much important info would be lost?
—-
Given the quality of work demonstrated so far. None.
John Trigge (in Oz) says:
October 4, 2012 at 10:49 pm
Should the proverbial bus come along and hit any of these people using their own PCs, inaccessible to their department’s IT personnel, how much important info would be lost?
————–
Not to mention damage to the bus.
cn
Sorry, but you couldn’t be more wrong. As a litigation support and IT professional with decades of experience and specializing in e-discovery, this type of records management and retention is so far out of the bounds of what is considered acceptable that it is clearly evidence of the intent to hide these records from discovery. Compliant government agencies back-up everything, including all emails, daily. Email servers are mirrored and all communications can be accessed and retrieved from the server itself. No need to go to the user’s computer. For example, Financial firms in the US are required to keep, archive, index, and have ready for retrieval all emails for a period of not less than 10 years. This includes instant messaging, by whatever means, as well as all telephone communications. Financial firms, and the government, spend millions on this to be compliant.
Moreover, GISS is not using “a cloud based” solution. They have their own email server that is purposely configured to only act as a relay, not a repository, of email communications.
Nope, this isn’t even close to being acceptable records retention and viewing it as a deliberate attempt to “hide or conceal” is an obvious and common sense conclusion.
Those who wish to do secret things will find a way. The best we can do is make small secrets too awkward to hide well so that we can find them should the need arise: these small ones will lead us to the bigger ones if we push hard enough.
Consider “waterboarding” and other illegal-in-America, tortures. Although strictly against all federal, state and local laws, the CIA (and other national agencies around the democratic, “free” world) continue to use torture as local agents deem necessary. They do this with the third-party cut-outs, and we now know they do. But does this stop the activity? Rhetorical question.
FOIA laws do not prevent secrets being held, they allow us to uncover them. The CTI has found the “small” secret of off-site computer usage and record/non-record keeping. The larger secret is in GS’s harddrives. Like Nixon’s taperecording, I would expect any FOIA requirement for that harddrive to be seeking for something that mysteriously disappeared (before it was legally required to be kept, of course).
The business of democratic politicians is manipulation. (Otherwise it is known as “force”, which is what fascists do.) Manipulation does not work in the full light of understanding, but in the dimness of shadows and dark. Secrets are the primary weapon in the politician’s arsenal. Uncovering them is a full-time job in our society, not because we are inherently ruled by criminals, but because we have chosen to be ruled by discourse rather than fear.
If that is their excuse then they are in violation of federal email retention laws.
Basically as written you must retain every single email that passes through your government server forever. That, by the way, is Congress not having a clue what is involved in email archiving. Over time, at least for agencies such as school, state, federal, and local agencies, it has been accepted by the courts that so long as you have a consistent data retention policy in place and follow it you can use a shorter data retention time than forever. Say 1 year. But that said you still must retain everything for that year. And if you don’t you are vulnerable to lawsuits.