It's springtime in Washington, D.C. The cherry blossoms have bloomed, the tourists descended, and on both sides of Pennsylvania Avenue a new "scandal" is erupting.

In the Watergate era, there was the controversy about Rosemary Woods and the 18 ½ minute "gap" - a missing portion of a taped conversation of June 20, 1972. Now in connection with "US Attorney-gate" we have a new controversy. The alleged "destruction" of electronic mail sent by employees of the White House through email servers used by the Republican National Committee. The matter raises more important issues for government agencies, companies, ISPs and others. Do I really have an email retention policy, and what emails do these policies apply to?

The US attorney controversy

The immediate issue arises out of an investigation by Democrats on the United States Senate Judiciary Committee into allegations that certain federal prosecutors were fired for improper political purposes. The US Department of Justice asserts that the firings were for perfectly appropriate "performance" reasons and that these prosecutors serve at the pleasure of the President and can be fired for virtually any reason.

The email controversy arose when it was discovered that White House employees may have sent email communications about the US Attorney matter through US government computers or computer systems using email systems operated by the Republican National Committee (RNC.) Unlike most governmental emails, which as I will show have to be retained, there is generally no legal requirement that emails of the RNC be maintained. Thus, at least according to press reports, the emails in the RNC systems were "deleted" after 30 days. Or were they?

Personal vs non-personal email

The issues surrounding the controversy are not limited to the United States government. Every company that maintains a mail system has the problem of what to retain, and how to retain it. In addition to a "corporate" email system, companies may also provide employees with access to personal email. This may be through a separate exchange server, but more frequently, companies may allow employees to access their personal email through some form of webmail, either by POP3 or IMAP protocols. Most email systems allow access to email over the web, including AOL, Google's GMail, MSN, and its Hotmail service, Comcast, etc. While many companies expressly prohibit and indeed block access to personal email through their servers, there are actually legal reasons to permit such access.

Corporate or government email, coming as it does from "whitehouse.gov" or "company.com" carries with it an imprimatur of authority. It can be likened to a corporate letterhead or official government stationary. Yet people use such email for much more casual conversations then they would for a formal corporate letter. Nobody would consider whipping out company stationary to write a letter to their doctor or send a quick note to the girl scout troop leader. But an email - no problem. As a result, corporations and government agencies end up sending "official" email about all kinds of matters which do not relate in any way to official business. Indeed, it becomes difficult for recipients of email to effectively determine which communications are intended to bind the company, and which ones aren't - what the law calls "apparent authority".

Companies can deal with this problem in several ways. First, they can impose an outright ban on any kind of personal use of email. A quick note to the little league coach that Bobby is going to be late because mom has to work late is a policy violation which may result in disciplinary action.

Would such a policy be effective, workable, and enforceable? In most cases, probably not - at least not without a good deal of technology deployed around it, including "white lists" and content filters. One problem with this approach is that it is generally implemented inconsistently, and this can lead to legal problems. For example, a recent case involved a Virginia newspaper that prohibited personal use of its email system, but apparently only enforced this policy when employees used the email system for union organising activity lead to legal problems for the paper.

In that case (pdf), decided March 15, 2007, the court found that the uneven enforcement of the "no personal use" policy meant that the company could not select union activities for enforcement. The lesson is: if you are going to prohibit personal use of email, you'd better prohibit it entirely.

A second approach is to permit personal use of corporate or governmental email systems, with restrictions (no abusive or inappropriate use) and possibly a mandatory notation on personal email - "this is not an official government email". This is the general approach taken by the US Government. However, depending upon the judgment of individual employees to determine whether an email is "personal" or "official" is inexact at best. Content filtering software may help here, but it is not perfect.

A third approach is to make it clear that corporate or government email is exclusively for corporate or government work, and to enforce such policies (or try to) with white lists, content filtering, spot checks (supervisory monitoring) and actual enforcement, but couple this policy with permission to make limited and non-offensive use of personal email systems (e.g. POP3 mail) with appropriate safeguards (anti-viral, anti-spam, etc). Now remember, such webmail may effectively bypass some corporate security policies, and may be inappropriate in some regulatory environments - such as broker-dealers who have to monitor all communications to potential investors. And this again relies on the individual user to decide that a particular email is "personal" or "business".

Issues related to 'personal' email on company systems

There are many issues that relate to the use of non-business email through business provided - or reimbursed - IT infrastructures. First, may (or must) the employer monitor the contents of such "personal" email systems? May they "intercept" things like the user's userid and password on a personal system, and if so, what can they do with this information? If an employer reimburses an employee for all or part of their home internet connection (or telephone or cell phone service) does that give them the right to monitor the contents of communications on these systems? The answers here are not clear, and may depend on the intersection between privacy law, federal or state wiretap laws, electronic surveillance laws, and actual and stated policies on monitoring.

Who "owns" such "personal" email? Who makes decisions about retaining it? Deleting it? Producing it? The problem is multiplied when we consider telecommuting, use of personal hardware, access to personal email through personal networks for which the company may reimburse the employee. Further complicating the matter is the fact that companies provide employees with other devices from which they may access their corporate and personal email, and these devices may or may not have the same controls on their use.

Smartphones, BlackBerries and other devices have the ability to access both personal and business communications. Who "owns" these devices, and who has a right to access the communications contained in them or transmitted through them? Will we require our employees to maintain two separate communications networks - a personal cell phone and a business one? Many companies do just that - with the result that staff members' attire begins to resemble the batman utility belt - PDA, BlackBerry, cell phone, etc.

The document production problem

The problem of document retention and destruction is complicated by the use of personal communications on corporate or government networks. As a general rule, in response to a subpoena, document demand, court order, preservation request or other legal process or obligation, a company or agency must preserve or produce any "documents" within their "possession, custody or control". But how does this relate to personal emails - particularly on those sent outside of the company email system?

The merger of personal and company business creates privacy problems for employees and production problems for employers. If a company is required to preserve or produce, for example all documents related to "the Jones matter" would that include a personal email sent by an employee on a personal email system from a home PC? Probably not, as that document is not in the "possession, custody or control" of the company. But if the employee connected to the corporate VPN when he or she sends the personal email, the situation changes. What would the company's responsibility be for, for example, an employee's diary sitting on a company desk? Does this need to be preserved and produced? "Reply hazy, try again later".

The Karl Rove issue

Applying these principles to the situation with respect to White House "political" employees like Karl Rove results in less clarity rather than more. As a general rule, the United States Government in general, and the White House in particular, are required to retain certain kinds of documents and records.

This requirement arose out of litigation which had its roots in another White House scandal - this one the Iran-Contra affair, where White House employees John Poindexter and Oliver North deleted PROFS notes - electronic communications related to the scandal.

In a case called Armstrong v Bush the court enjoined the government from deleting these records, holding for the first time that some electronic communications were official records, which were required to be kept and made available under the freedom of information act.

Other laws, like the Presidential Records Act require that the White House:

Take all such steps as may be necessary to assure that the activities, deliberations, decisions, and policies that reflect the performance of his constitutional, statutory, or other official or ceremonial duties are adequately documented and that such records are maintained as Presidential records pursuant to the requirements of this section and other provisions of law.

The Federal Records Act similarly requires preservation of

All books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of data in them.

OK, so the government has to preserve and possibly produce government records - including electronic records. But were these records "made or received...in connection with the transaction of public business?"

There is a federal law called the Hatch Act which essentially prohibits partisan political activity on government property. In general, this would keep a government supervisor from saying "vote Republican or be fired" or even from things like running for political office, soliciting campaign contributions, or even possibly displaying partisan political literature in a government office.

While the law does not explicitly prevent the use of government resources in furtherance of political activity, it does generally prohibit employees from engaging in "political activity" while on duty or in a government office.

The Hatch Act was amended in 1993 to give federal employees more freedom to engage in political activities on their own time. Under the 1993 amendments, Section 7324 of the Hatch Act provides that officeholders "paid from an appropriation for the Executive Office of the President" may engage in "political activity while on duty".

In other words, if the RNC paid for the email, and possibly for the computer time and employee time, and maybe even a portion of the office expenses related to Rove's activity, then it doesn't violate the Hatch Act for certain employees like Karl Rove to engage in such activity. Note that there is nothing in this amendment that mandates the use of a separate email system, nor anything that prohibits it.

The result of these laws is a mess. The emails may or may not be in the "possession, custody and control" of the White House. Copies may be on the laptops or desktops of White House employees - including Mr. Rove. If the communications traveled through the White House system (via Outlook, webmail, POP or IMAP) then all or parts of them may be physically present on backup tapes of the White House. Another question is who "owns" the blackberry, PDA and/or cell phone through which these communications may have been transmitted? Where is the blackberry server?

These problems are not unique to the White House and RNC, or the government in general. When we mix business and pleasure, we are bound to create such problems - no clear lines of demarcation. Where do official government communications end and political communications begin? Which of your employees' activities are "official" and which are "private?"

Many of these problems can be ameliorated by having clearly written, well-though out and enforced policies on privacy and use of systems. Oh, and the time to write these policies is not after you receive a subpoena.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Related stories

• Disability law can protect alcoholic workers (19 November 2007)

  https://www.theregister.com/2007/11/19/disability_law_protects_alcoholic_workers/

• Boeing guards its right to tail employees (16 November 2007)

  https://www.theregister.com/2007/11/16/boeing_employee_surveillance/

• Government backs down on controversial FOI fees change (26 October 2007)

  https://www.theregister.com/2007/10/26/foi_changes_dropped/

• Power corrupts, says workplace bullying survey (28 August 2007)

  https://www.theregister.com/2007/08/28/workplace_bullying_survey/

• Don't be evil (25 June 2007)

  https://www.theregister.com/2007/06/25/third_party_data_storage/

• Jack Straw: let MPs use handhelds, laptops in Commons (20 June 2007)

  https://www.theregister.com/2007/06/20/handhelds_n_laptops_in_parliament_sez_straw/

• Employers must spot signs of depression (20 June 2007)

  https://www.theregister.com/2007/06/20/cipd_report_workplace_health/

• Investigators find secret White House email accounts (19 June 2007)

  https://www.theregister.com/2007/06/19/whitehouse_cogr_emails/

• Red hair bullying cases could end up in court (14 June 2007)

  https://www.theregister.com/2007/06/14/red_hair_bullying/

• Britons are workaholics, survey says (8 June 2007)

  https://www.theregister.com/2007/06/08/work_hours_study/

• Who do you think you are? (8 May 2007)

  https://www.theregister.com/2007/05/08/cfp_final/

• Living on the wrong side of the technology tracks (3 May 2007)

  https://www.theregister.com/2007/05/03/cfp_blog_0305/

• The surveillance arms race (2 May 2007)

  https://www.theregister.com/2007/05/02/surveillance/

• Marshal aims to secure laptop content (30 April 2007)

  https://www.theregister.com/2007/04/30/marshal_pc_content_sec/

• RIM explains BlackBerry failure (20 April 2007)

  https://www.theregister.com/2007/04/20/rim_explains/

• Data disposal: Every action leaves a trace (11 April 2007)

  https://www.theregister.com/2007/04/11/secure_data_deletion/

• Home Office rethinks call data plans (4 April 2007)

  https://www.theregister.com/2007/04/04/ho_phone_data_retention/

• Google to anonymize user data (15 March 2007)

  https://www.theregister.com/2007/03/15/google_anonymizes_data/

• AMD's lawyers go ballistic as Intel's e-mails disappear (6 March 2007)

  https://www.theregister.com/2007/03/06/amd_intel_missingemails/

• Congress pushes (again) for ISP data retention (12 February 2007)

  https://www.theregister.com/2007/02/12/congress_isp_data_retention_push/

• EU data retention laws 'too costly' for telcos (10 January 2007)

  https://www.theregister.com/2007/01/10/data_retention/