Emails considered “abandoned” if older than 180 days


The Electronic Communications Privacy Act – Part 1

Email PrivacyIt turns out that those 30 day email retention policies I have been putting down for years may… actually be the best policy.

This may not be a surprise to some of you but the government can access your emails without a warrant by simply providing a statement (or subpoena) that the emails in question are relevant to an on-going federal case – criminal or civil.

This disturbing fact is legally justified through the misnamed Electronic Communications Privacy Act of 1986 otherwise known as 18 U.S.C. § 2510-22.

There are some stipulations to the government gaining access to your email;

    • The email must be stored on a server, or remote storage (not an individual’s computer).This obviously targets Gmail, Outlook.com, Yahoo mail and others but what about corporate email administered by third parties, what about Outlook Web Access, remote workers that VPN into their corporate email servers, PSTs saved on cloud storage…
    • The emails must have already been opened. Does Outlook auto-preview affect the state of “being read”?
    • The emails must be over 180 days old if unopened

The ECPA (remember it was written in 1986) starts with the premise that any email (electronic communication) stored on a server longer than 180 days had to be junk email and abandoned.  In addition, the assumption is that if you opened an email and left it on a “third-party” server for storage you were giving that “third-party” access to your mail and giving up any privacy interest you had which in reality is happening with several well-known email cloud providers (terms and conditions).  In 1986 the expectation was that you would download your emails to your local computer and then either delete it or print out a hard copy for record keeping.  So the rules put in place in 1986 made sense – unopened email less than 180 days old was still in transit and could be secured by the authorities only with a warrant (see below); opened email or mail stored for longer than 180 days was considered non-private or abandoned so the government could access it with a subpoena (an administrated request) – in effect, simply by asking for it.

Warrant versus Subpoena: (from Surveillance Self-Defense Web Site)

To get a warrant, investigators must go to a neutral and detached magistrate and swear to facts demonstrating that they have probable cause to conduct the search or seizure. There is probable cause to search when a truthful affidavit establishes that evidence of a crime will be probably be found in the particular place to be searched. Police suspicions or hunches aren’t enough — probable cause must be based on actual facts that would lead a reasonable person to believe that the police will find evidence of a crime.

In addition to satisfying the Fourth Amendment’s probable cause requirement, search warrants must satisfy the particularity requirement. This means that in order to get a search warrant, the police have to give the judge details about where they are going to search and what kind of evidence they are searching for. If the judge issues the search warrant, it will only authorize the police to search those particular places for those particular things.

Subpoenas are issued under a much lower standard than the probable cause standard used for search warrants. A subpoena can be used so long as there is any reasonable possibility that the materials or testimony sought will produce information relevant to the general subject of the investigation.

Subpoenas can be issued in civil or criminal cases and on behalf of government prosecutors or private litigants; often, subpoenas are merely signed by a government employee, a court clerk, or even a private attorney. In contrast, only the government can get a search warrant.

With all of the news stories about Edward Snowden and the NSA over the last year, this revelation brings up many questions for those of us in the eDiscovery, email archiving and cloud storage businesses.

In future blogs I will discuss these questions and others such as how does this effect “abandoned” email archives.

Advertisements

Next Generation Technologies Reduce FOIA Bottlenecks


Federal agencies are under more scrutiny to resolve issues with responding to Freedom of Information Act (FOIA) requests.

The Freedom of Information Act provides for the full disclosure of agency records and information to the public unless that information is exempted under clearly delineated statutory language. In conjunction with FOIA, the Privacy Act serves to safeguard public interest in informational privacy by delineating the duties and responsibilities of federal agencies that collect, store, and disseminate personal information about individuals. The procedures established ensure that the Department of Homeland Security fully satisfies its responsibility to the public to disclose departmental information while simultaneously safeguarding individual privacy.

In February of this year, the House Oversight and Government Reform Committee opened a congressional review of executive branch compliance with the Freedom of Information Act.

The committee sent a six page letter to the Director of Information Policy at the Department of Justice (DOJ), Melanie Ann Pustay. In the letter, the committee questions why, based on a December 2012 survey, 62 of 99 government agencies have not updated their FOIA regulations and processes which was required by Attorney General Eric Holder in a 2009 memorandum. In fact the Attorney General’s own agency have not updated their regulations and processes since 2003.

The committee also pointed out that there are 83,000 FOIA request still outstanding as of the writing of the letter.

In fairness to the federal agencies, responding to a FOIA request can be time-consuming and expensive if technology and processes are not keeping up with increasing demands. Electronic content can be anywhere including email systems, SharePoint servers, file systems, and individual workstations. Because content is spread around and not usually centrally indexed, enterprise wide searches for content do not turn up all potentially responsive content. This means a much more manual, time consuming process to find relevant content is used.

There must be a better way…

New technology can address the collection problem of searching for relevant content across the many storage locations where electronically stored information (ESI) can reside. For example, an enterprise-wide search capability with “connectors” into every data repository, email, SharePoint, file systems, ECM systems, records management systems allows all content to be centrally indexed so that an enterprise wide keyword search will find all instances of content with those keywords present. A more powerful capability to look for is the ability to search on concepts, a far more accurate way to search for specific content. Searching for conceptually comparable content can speed up the collection process and drastically reduce the number of false positives in the results set while finding many more of the keyword deficient but conceptually responsive records. In conjunction with concept search, automated classification/categorization of data can reduce search time and raise accuracy.

The largest cost in responding to a FOIA request is in the review of all potentially relevant ESI found during collection. Another technology that can drastically reduce the problem of having to review thousands, hundreds of thousands or millions of documents for relevancy and privacy currently used by attorneys for eDiscovery is Predictive Coding.

Predictive Coding is the process of applying machine learning and iterative supervised learning technology to automate document coding and prioritize review. This functionality dramatically expedites the actual review process while dramatically improving accuracy and reducing the risk of missing key documents. According to a RAND Institute for Civil Justice report published in 2012, document review cost savings of 80% can be expected using Predictive Coding technology.

With the increasing number of FOIA requests swamping agencies, agencies are hard pressed to catch up to their backlogs. The next generation technologies mentioned above can help agencies reduce their FOIA related costs while decreasing their response time.

Huge French Company Cuts off Nose to Spite Face


Susanna Kim of ABC published an article on November 29th describing how a French company has decided to implement a “Zero Email” policy, a policy banning employees from sending internal emails.

The CEO of Atos, Thierry Breton, (a French information technology company!) has said that only 10 percent of the average 200 emails employees receive per day are useful and 18 percent are spam.  Because of this statistic, he hopes the company can eradicate all internal emails in the next 18 months forcing the company’s 74,000 employees to communicate with each other via instant messaging and other Facebook style interfaces.

This reminds me of the story about an HR VP who was so tired of employees calling her with questions and problems she stopped answering her phone. She had 30 whole minutes of peace… until employees figured out where her office was.

Why not stop all internal phone calls? It would seem to me that internal phone calls would have the same “waste” statistic.  How about this… program your corporate phone system to not allow any calls from one internal number to another and instruct employees that to contact internal employees, they must use Skype. That should solve the problem, right?

Email has become a wildly successful world-wide business productivity tool. To force thousands of employees to abandon it for other types of communications technology doesn’t seem to address the problem. Won’t only 10 percent of employee’s communications using the new communications solutions be useful as well. Is there something magical about the new technology that won’t allow employees to send wasteful communications?

The other problem that arises with this particular strategy is the problem of litigation holds and eDiscovery. Email systems are well known and technology exists to enable organizations to handle email in a legally defensible manner. It seems to me an organizations risk of insufficient eDiscovery and spoliation will rise with a switch to a new communications technology.

The problem is not the technology… its employee’s use of that technology. If 70-90 percent of emails employees send internally is junk, then train the employees on proper etiquette and use policies around the use of email. Train employees to not “reply all” or “BCC” on every email. Audit employee use of the email system and punish those that misuse it.

Running away from one of the most useful business tools ever seems like a gigantic over-reaction.