Not-So-Secret Service: Text Retention and Deletion Policies

Recent news reports indicate that the United States Secret Service, as part of a hardware replacement policy for agents’ phones, allowed individual agents to wipe all of the data from their devices, and failed to preserve text messages as required both by federal law and pursuant to demands from both Congress and the USSS’s oversight agency, the DHS Office of the Inspector General.

It was reported that, long before the replacement program was implemented, employees were advised of their document retention requirements, and were provided specific procedures about how to restore their old devices to factory settings while preserving the data formerly contained therein. Apparently, nobody got the memo, or — in a more sinister interpretation — they got and deliberately ignored that memo. Generally, I am a fan of not attributing to venality that which mere stupidity can adequately explain, but when the device wiping was systematic and programmatic, that’s an awful lot of stupidity to explain.

Many government agencies and private entities have both a hardware and data life cycle. Laptops, hard drives and smartphones are replaced. Emails that are no longer needed for the company, and for which there is no legal retention requirement, are purged, as are outdated documents, files, attachments, etc. In fact, from a privacy and data security standpoint, it is important to get rid of data that is no longer needed and to update hardware and software in a way that includes the latest security and privacy protections.

The flip side of this, of course, is that data that is needed for the functioning of the entity—or which is required to be maintained by law—must be preserved in the process of upgrading or migrating.

As such, companies need to have robust document retention and destruction programs to identify data that needs to be deleted and data that needs to be kept. This includes a process for a litigation hold—that is, a suspension of the document destruction program when the data that is to be destroyed is relevant to ongoing or anticipated litigation or investigation. To be subject to a litigation hold, it is not necessary that there actually be litigation and formal discovery—simply that the party with the documents knows or reasonably should know that the data that is going to be deleted or destroyed is likely to be relevant to some anticipated legal proceeding. The litigation hold process also requires that individuals who might delete data be informed of the hold and its scope, and that there be some centralized mechanism to prevent data deletion with respect to the data subject to the hold. This includes educating each data custodian about the nature of the litigation hold and the data that should not be deleted.

Employees also need to be trained to know what documents and records are required to be maintained and for what time period. This can be tricky. For example, contract documents may be required to be kept for seven years—but is that seven years from the date the contract is entered into? Or the date when all tasks under that contract have been completed or have been successfully completed? Invoices, receipts, correspondence, compliance documents, tax records, etc., all may have different retention periods.

In government circles, laws like the Presidential Records Act and the Federal Records Act are just a few examples of statutes that require government records to be maintained and archived. FOIA laws also govern when they are to be made public and accessible. Data policies that permit the destruction of data that is required to be kept violate these laws.

The Secret Service

Almost immediately after the January 6, 2021 events, the United States Secret Service implemented a device replacement program for devices held by agents and employees—starting in the Washington, D.C. area. As anyone who has replaced an outdated device knows, the procedure generally is to back up the data and apps from the old phone either to a hard drive, to iTunes or to iCloud. This ensures that no data is lost. Then, the new device is synced with the backup, and voila! The data exists on the new device. Easy peasy lemon squeezy. The process is similar for Android phones and for Microsoft phones—well, who cares, right?

When the USSS implemented its device replacement program, however, it apparently allowed each individual agent to decide what data to back up and what to delete. Even though it was likely that the events of January 6 would be (and, in fact, almost immediately were) subject to various investigations (including an impeachment inquiry), apparently no litigation hold was provided in connection with the device replacement program. When the USSS was formally notified to preserve records (in February of 2021), the data specifically related to January 5 and January 6 had been deleted from the DC-area devices. Even if not done deliberately, when implementing a device replacement program that includes data that is required to be maintained (under the FRA if not the PRA), you must establish and implement a program that does not allow individual users to decide whether to preserve or delete the data.

Can it Be Restored?

One serious question is whether or not the missing text messages can be restored. The answer is maybe, but probably not—particularly for texts between agents.

The problem is that we have generally built document retention requirements around the “island/moat” model. Data is created on the corporate/government device and sent and received on the corporate/government network. Routers, hubs, switches, etc., can send this data for backup which is controlled by the company/agency. Data that crosses the moat is captured by the ferryman. Centralized rules and backup.

With cloud and BYOD, this changes. The USSS agents’ text messages were sent from Apple or Android devices through a network owned by AT&T, Sprint/T-Mobile or Verizon, and these text messages likely never passed through the DHS network. Unless DHS implemented a mobile device management (MDM) solution (which they should have, and very well may have) the text messages (unlike emails) never went through USSS.

If so (and again, it’s probably not the case), this is bad for a number of reasons. As noted, the text message retention and deletion schedule is set either by the individual agent when they decide what to “keep” or delete, or by the telco provider. (By the way—we are only discussing SMS or MMS messages—not those sent through messaging apps like Messenger, Telegram, Signal, Chat, etc.) This means that USSS, DHS OIG and congressional oversight committees have little ability to police the police.

In City of Ontario v. Quon, the U.S. Supreme Court held that police officers have no reasonable expectation of privacy with regard to the content of text messages sent and/or received on a municipally provided pager—despite the fact that the municipality had to obtain the messages from the pager company.

If the SMS and MMS messages were sent from a device without MDM controls through a third-party network, they would be preserved in three places. First, on the sender’s device. Second, on the recipient’s device. Third, on any intermediary’s network incidental to the transmission of the message. So Sprint/T-Mobile, AT&T and Verizon would maintain a copy of both the fact of the message and the content of the message—at least for a period of time. Problem is, we don’t formally know what that period of time is. Telco providers are notoriously opaque about their data collection and retention practices. In fact, on July 20, the FCC notified the big three telcos that it needed information about their retention and use practices with respect to geolocation data—what they collect and how they use the data—and how long they keep it. These practices should be prominently displayed on each provider’s website. I should know how long T-Mobile keeps records of the fact of and contents of my text messages.

Similarly, it does not appear that the USSS had a uniform practice or requirement that mandated full device backup. For iPhones, a simple setting can force the full contents of the device to be backed up either to a hard drive or to iCloud. I can understand why the USSS might not want sensitive data about investigations and protectees to be transmitted and stored by a commercial entity in Cupertino, California. But the same data could easily be backed up to a server in Springfield, Virginia. It appears that it wasn’t. And that’s even without any MDM solution.

Not having full backups and MDM not only means that data is lost/wiped, but also means that, like in the situation in Quon, the USSS as employer loses the ability to manage its employees. A Secret Service agent is engaged in sexual harassment in Singapore? Pull up their text messages. Want to discipline an agent for inappropriate conduct in Tel Aviv? Text messages may be relevant. And that’s not to mention the laws mandating data preservation.

All of this is a mess. The fact that virtually the entire Washington field office of the USSS deleted the entire contents of their phones without any backup does not bode well for document retention practices. We need to make document retention, deletion and litigation hold practices idiot-proof. Well, idiot-resistant at least. Since idiots can be pretty damned clever.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
