When Ontario’s privacy and information commissioner released her report on deleted gas plant emails last week, it was a fiery 40-page rebuke of government record keeping. Among the revelations in Ann Cavoukian’s investigation is energy ministry chief of staff Craig MacLennan’s “indiscriminate” and “longstanding” practice of regularly deleting all his incoming and outgoing emails, right down to the trash bin. But while most of the attention since has centered on the subsequent criminal investigation by police into the missing emails, one question nags: when we’re constantly told our digital information lasts forever, how did those emails simply vanish?
Of course, “delete” doesn’t always mean “eviscerate.” And buried in the report’s Footnote 8 is the suggestion that “depending on the IT system in place… and if massive amounts of resources were devoted to retrieving a deleted email, then there maybe a remote possibility” of recovering what’s been dumped.
Surely, with the revelation Ontario taxpayers will fork out at least $585 million to pay for cancelled gas plants in Mississauga and Oakville, with a legislative committee probe and now an Ontario Provincial Police investigation, this would be the time to deploy those “vast resources.” They’d include “significant man hours” and “significant cost,” Cavoukian notes in an email to Maclean’s, plus the hiring of third-party sleuths to conduct the technically challenging search, and the possibility that government email might be suspended while investigators delved into the government’s email systems. (The Ministry of Government Services manages about one billion emails from 90,000 email addresses.)
But the reality is, even if such a mammoth forensic recovery operation were undertaken, Cavoukian says, “the chances of recovering a relevant, readable email would be extremely remote.” There might be a word here, part of a word there, “literally, digital crumbs.”
It completely debunks the “myth,” as Cavoukian puts it, that emails last forever. And it underlines that while the government’s systems can help employees recover recently lost messages, they do nothing to preserve potentially vital documents in the long-term. At the end of the day, the government offers little oversight for what staff say or do through email, and it leaves the preservation of crucial communications up to a single employee.
Here’s how the gas plant emails were so easily destroyed.
The backup system
In the private sector, email backup systems are typically designed to do two things, says Scott Weissent, head of Grant Thorton’s forensic technology services, where its his job to hunt down elusive data: They restore emails in the short term in case of some major email breakdown, and archive important communications in the long term. Ontario’s does the former, but crucially, not the latter.
“Typically, large organizations would have a backup schedule where they would do regular backups throughout the week, and usually at month’s end, and that tape or copy would be saved for a period of time, ” he notes. “And they would do one typically on an annual basis, and keep those for regulatory, businesses or legal reasons for upwards of seven years.”
Ontario’s routine for the Minster of Energy and Premier’s offices—the focus of Cavoukian’s report—involves a backup made every day, and one made at the end of the month. The daily backup tapes are kept for 24 hours, or 10 days in the case of the Premier’s office, and then overwritten. The monthly tapes are kept for one year. Cavoukian’s report found the government IT system creates no full-year backup tapes. As a result, any relevant emails from 2010 and 2011 that may have been backed up, despite MacLennan’s diligent email deletion practices, have already been overwritten.
In both the private and public sector, though, backup tapes include emails present on the server at the exact time the tapes are made, which means emails deleted from the trash bin wouldn’t show up.
Cavoukian’s report also probed whether emails might remain on MacLennan’s desktop computer, where emails are often copied to a local hard drive. When email is stored on a hard drive and deleted, it doesn’t instantly disappear, notes Ryerson computer scientist Alex Ferworn. Instead, the computer flags that data as free space, and over time it gets re-written with new data as part of normal computer use. MacLennan’s computer, subsequently used by his replacement, contained no trace of old emails, Cavoukian found.
That’s where the report’s exploration of the possibility of retrieving emails ends, which leads Fernworn to dub it “forensically incomplete. No mention is made of network traffic,” he says.
The network logs
Servers typically compile logs of who sent what email to whom, and when. “Depending on who is monitoring the network, a pattern of behaviour might be discernible. For example, if we knew the IP addresses of the various boxes that people involved in this scheme were using, we might be able to determine who was emailing who,” Ferworn notes.
Some companies even keep daily logs of entire, complete emails, Weissent says, but both kinds are regularly overwritten on a daily or weekly basis. Though the efforts aren’t described in the report, Cavoukian’s investigation “explored the possibility of deleted emails being retrieved through the use of logs,” she says, but found the chances, again, “remote.”
The other devices
Smartphones, iPads and even other desktops from which you can access email all have the potential to store emails locally, on their hard drives. Though also absent from the report, Cavoukian says her team did search “the relevant devices and systems” and came up, again, empty-handed.
Perhaps if the government made yearly backup tapes—like many large companies do—Cavoukian might have caught a break in the case of the missing emails, because as Weissent notes, backup disks are practically impenetrable. “Once an email system has been backed up, it’s virtually impossible for someone to come in and manipulate the content of the backup to delete a particular message,” he says. “It really can’t be done.”
And yet there’s no guarantee MacLennan’s emails would appear on an annual snapshot of millions of government emails—thanks to his diligent deletion practices, MacLennan may have still managed to leave office, as he has, without a digital trace.
Whether his actions were part of an alleged cover-up, or something more innocent, will be up to the police to determine. MacLennan told the legislative probe into the gas plant cancellations that he though he was doing his part to avoiding clogging the government’s email servers when he regularly dumped his entire email history. Other staff copied on some emails would have duplicates, he noted. He wasn’t aware he was breaking government information policy rules, he said.
Cavoukian, in her report, wasn’t buying it. “While I cannot state with certainty that emails had been deleted improperly… in an effort to avoid transparency and accountability, it strains credulity that no one knew that the practice of deleting all emails was not in compliance with applicable records management and retention policies.”