This is a pretty common strategy. Many companies have poor record retention and backup policies because it's in their best interest to "forget" the things they do. I know of large companies that limit email boxes to 50 MB partially because it forces deletion of old, possibly incriminating email. Government agencies are generally supposed to be better about this due to stuff like the Freedom of Information Act. I wonder if there's any teeth in the act for non-compliance like this?
I am reminded of the whole (and multi-part / -dimension) GWB email "fiasco".
"Lost" servers. "Deleted" emails. Suspicious hints of use of non-governmental email accounts for government business and/or avoiding detection of campaigning using official resources (time, location, staff, "trades").
What ever became of that? Not much.
This has a bit of a different flavor in the press. Nonetheless, I'm not optimistic.
There's an entire e-discovery "market"(updside down question mark) for software and services that are frequently quoted as running into six-figure territory at even the mention of the word "lawsuit" (actual quote).
A legal hold is nothing more than the inability to delete when you think you might get sued and culling and deduplication, if anticipated, can always be made easier by better business practices on the front-end instead of incurring costs on the backend.
Of course, as you mentioned there are ZERO companies that would want to be better in this regard. They want to be able to tell a court that it's a pain in the ass to institute these practices and the courts and legislatures have seemingly accepted this proposition either because they are themselves complicit or because they literally hear the word "technology" and piss their pants and cry for their secretary.
tl;dr, the best business from a risk management perspective is an IT nightmare
>"This is a pretty common strategy. Many companies have poor record retention and backup policies because it's in their best interest to "forget" the things they do."
Yep.
From a slightly less nefarious angle, retention costs and servicing discovery requests costs more. It's in your best interest to minimize what's retained even if you don't need to "forget" anything in particular.
I'm not sure how it's less nefarious from a discovery viewpoint as I said below. It's just a cheat, a hack, albeit a commonly accepted one. It would hold no water in an effective and optimally-run business - so it goes that since you are not legally obligated to operate as effective and optimal as against outsiders, only shareholders (and even then only competently), your ineffectiveness and in-optimalness but purposeful conduct is shielded from liability.
In other words, the best run business for your shareholders is somehow demonstrated by being a pain in the ass for the public than it is as actually being a better run company by objective internal standards.
Don't get me wrong, great strategy that works and anyone who runs a business should continue to follow it lest they want to be ousted for cause, but sad reality that it's the state of things.
>Don't get me wrong, great strategy that works and anyone who runs a business should continue to follow it lest they want to be ousted for cause, but sad reality that it's the state of things.
> I know of large companies that limit email boxes to 50 MB partially because it forces deletion of old, possibly incriminating email.
Fortunately it doesn't stop me from archiving locally. I've got emails from 2006 on my desktop machine. It is damn frustrating that my free gmail account is drastically less trouble to manage and search than my (probably expensive) corporate Exchange account.
Archiving my work email by forwarding to a personal email literally won me a decision against a former employer. When they can cut off your credentials in anticipation of firing you and they think it means you don't have access to those emails anymore, it's really satisfying to show up at the next hearing with clear proof that they've come down with a terminal case of foot-mouth syndrome.
Who ever thought there could (could) be a class war fought over privacy? Since this means some Americans do get official privacy protections (many also get to walk through TSA checkpoints unmolested), we now know there is now a two-tiered society in the US that has been engineered from the top down to create this state of affairs based on the 4th Amendment.
I dunno, I think the writing has been on the wall for quite some time that privacy is another incorporeal thing to which access is tiered based on class. Society just has a way of dismissing voices of apprehension, typically as paranoids and/or with libertarian-ish scolds for as much as floating concerns with machinations of non-government entities.
The thing is, privacy doesn't have to be incorporeal, there can be laws passed that either explicitly prohibit privacy invasions or legalize behavior that can currently be used for probable cause, reasonable suspicion, or actual charges (linking to content hosted elsewhere, for instance). To remove the ability to exercise power based on certain things is the strategy here. You can defund the NSA, which I support, but you can also make it so that certain things do not even qualify as evidence of wrongdoing.
Keep in mind that the state of privacy in the Obama administration's "three-hops" strategy allows them to mine the internet and telephone data of anybody who calls a cable company or telephony provider, provided someone suspected of talking to someone suspected of talking to a suspected terrorist has called any of those providers. Which is basically everybody.
The obvious solution is for the NSA to spy on themselves, and then get a court order to "collect" the emails so they can read their own email. Legally.
I'm not quite sure I get what the article's point is.
"Government agency lousy at complying with FOI request"? Well, it's poor but it's nothing new.
"Government agency does not use secret spy programme to search petabytes of communications traffic when responding to FOI requests"?
"Government agency responsible for many secrets successfully keeps its own email secret, even in response to FOI requests"?
Or is it really just the lousy click-bait of "They spy on everyone but can't give us a couple of emails?" (Wouldn't any journalist have gone to both the NSA (who have secrets and who will be difficult to get information out of) and the National Geographic Channel (who don't have secrets and who might be happy to pass on some email addresses or at least names)?)
I think the word "can't" is the operative term and here it's being used to describe technical infeasibility, not legal interpretations or anything else.
I can't explain it any better than that. (see how it works, I could if I actually strived to do better)
Don't forget that the NSA is, when all is said and done, a Government organization with all the multitudinous layers of bureaucracy. I have no doubt that their electronic mail systems are under the control of an IT staff that is just as competent as any many of us deal with in the corporate world. But they have the added restrictions that secrecy entails: it would not surprise me if the server software is a decade old because that was the version they vetted way back when and it has never been updated.
The groups that work in the basement do not have such restrictions: or at least have very different restrictions. This dichotomy is not a surprise to anyone who thinks about it for any length of time.
I'm having a hard time believing that the NSA trusts it's own people so much that they tie their own hands here. Unless it's a strategy to limit the amount of internal information any one person can access (?)
One might even reflect upon their statements about knowing every little step that Edward Snowden took, and exactly which documents he took with him, when the news of his leaks first broke.
I know it's probably not for this reason, but certainly it'd be far more secure that way. If each mailbox is encrypted with a user-provider key, that'd provide the same end result.
