Showing posts with label e-discovery.

Saturday, August 14, 2010

SAA 2010

View from the sixth floor, Washington Marriott Wardman Park, 14 August 2010, 6:55 AM. Washington National Cathedral is in the background.

The 2010 joint meeting of the Council of State Archivists (CoSA), the National Association of Government Archivists and Records Administrators (NAGARA), and the Society of American Archivists (SAA) has come to an end. Between working on my own presentation (which went pretty well) and being a bit under the weather on Thursday, I haven't had the chance to post anything here. Some of this year's presentations are freely available on the SAA Web site, more (my own included) will be added to the site shortly, and people have been tweeting up a storm about the meeting, so I'm not going to post any detailed session recaps this year. Instead, I'm going to offer up some of the most interesting insights and snippets of information I picked up at this year's meeting:
  • Seth Shaw (Duke University): Archivists confronted with unfamiliar materials have an instinctive tendency to gravitate toward item-level description. Photography is an excellent example of this behavior, and it wasn’t until we were deluged with photographic materials that we began moving away from item-level description. Electronic records are another example, and we need to return to archival principles when dealing with them. (Session 104, Taking Scale Seriously: Practical Metadata Strategies for Very Large Digital Collections)
  • John MacDonald (Information Management Consulting and Education): We need people who understand the evolving organizational landscape and its impact on recordkeeping and who know how to position themselves to support operational and strategic goals and priorities and individual needs of business lines and the enterprise, how to articulate records issues in business terms, and how to be seen as their organization’s “go-to” person for all records issues. How do we find these people? Do what human resources experts do: define the nature of records work, identify the knowledge, skills, and abilities needed to do the work, develop competency profiles, assess the gap between those competency profiles and existing competencies, build recruitment strategies, develop training and education strategies, etc. (Session 302, So, Like, Byte Me: A Critical Response by Records Professionals to Born-Digital Records)
  • Adrian Cunningham (National Archives of Australia): The International Council of Archives is working to reconcile the varied national electronic recordkeeping standards (e.g., DOD 5015.2), and the results of this project have been submitted for fast-track approval by ISO, the international standards body. (Session 302, So, Like, Byte Me: A Critical Response by Records Professionals to Born-Digital Records)
  • Lisa Weber (National Archives and Records Administration): The Buddhist faith holds that life means suffering, that the origin of suffering is attachment, and that the cessation of suffering is attainable. Records professionals suffer because they are attached to the concept of preservation. However, all records are decaying -- sometimes slowly, and sometimes quickly. We need to think of digital preservation as a series of handoffs to the future and avoid falling into the trap of thinking that everything is too difficult or that we need to build perfect systems; the middle path -- neutral, upright, and unbiased -- is what we should seek. We need to act, observe, and learn, then act, observe, and learn. (Session 302, So, Like, Byte Me: A Critical Response by Records Professionals to Born-Digital Records)
  • Victoria Lemieux (University of British Columbia): Traditionally, keyword searching and linear review have been the accepted approach to e-discovery. However, this approach is not scalable. Attorneys and others have been exploring a number of alternatives, including visual analysis, the science of analytic reasoning facilitated by interactive visual interfaces. It facilitates processing of massive sets of data, produces quick answers, and facilitates discovery of the unexpected. It originated in the scientific community and has moved into business intelligence, fraud detection, and other fields, and now it’s moving into e-discovery -- particularly when e-mail is involved. To date, a lot of visual analysis focuses on social networks, but it can also be used to create cluster representations of content. Visual analysis isn't perfect and has yet to be tested in court, but research suggests that doing a “first pass” using visual analysis and then doing keyword searching and linear review is a highly effective approach. (Session 402, E-Discovery and Records Professionals: Overcoming the Digital Tsunami)
  • Jason Baron (U.S. National Archives and Records Administration): Researchers have discovered that keyword and Boolean searches fail to retrieve substantial numbers of documents responsive to e-discovery requests. (Session 402, E-Discovery and Records Professionals: Overcoming the Digital Tsunami)
  • Chien-Yi Hou (University of North Carolina, Chapel Hill) demonstrated a prototype of the Distributed Archival Custodial and Preservation Environments (DCAPE) system. He used it to detect a virus in a test batch of records submitted to the system, move files from his laptop to a storage location in North Carolina, and do some other cool stuff. (Session 501, Distributed Archival Custodial and Preservation Environments (DCAPE) Project: Status Report and Demonstration)
  • Juan Williams's son once asked him, "What's the biggest building in Washington?" Williams named the Capitol and several other buildings, but his son kept telling him he was wrong. After Williams exasperatedly gave up, his son told him the answer: "The National Archives, because that's where all the stories are." (Plenary III)

Thursday, June 4, 2009

New York State Cyber Security Conference

I’m doubling up on conferences this week. Yesterday, I got the chance to sit in on a couple of sessions of the New York State Cyber Security Conference, which is always held in Albany. I then headed for Syracuse to attend the annual meeting of the New York Archives Conference, which started today.

The first session I attended, Acquiring Computer Communications: Often a Treacherous Task, focused on the use of electronic communications as evidence in legal or disciplinary proceedings. Stephen Treglia, an Assistant District Attorney with the Nassau County District Attorney’s Office, highlighted the many problems that employers and law enforcement agencies in New York State must confront. The legal terrain is laden with pitfalls.

The search and seizure of electronic communications (e.g., e-mail) has been the subject of a substantial amount of case law, and many of the non-computer issues relating to search and seizure translate well to computer issues. However, to date, most of the case law pertaining specifically to electronic communications has focused on child pornography. The courts are only now turning their attention to search and seizure of electronic communications relating to white-collar crime, and archivists and records managers should note that very little case law focuses upon search and seizure of electronic communications that document improper recordkeeping.

As if the situation weren’t murky enough, most of the case law is federal. New York State law tends to be more respectful of individual rights than federal law, and not all federal case law is applicable in New York.

Treglia then provided an overview of current case law, with a particular focus on the workplace. He emphasized that current case law regarding employer searches of staff computers indicates that office policies trump individual privacy concerns. However, the court that handed down the prevailing opinion noted that the employee did not assert that he did not know about the policy, and future defendants may make this argument. As a result, employers should establish computer and Internet use policies and have each employee sign a statement indicating that s/he is aware of these policies and of the penalties for violating them.

Treglia’s presentation, which highlighted many inconsistencies and oddities in case law, made it plain that legislators and the courts have a lot of work to do to bring the law into line with the age of the Internet and that law enforcement personnel, attorneys, employers, schools -- and even some parents attempting to monitor their children’s Internet and cell phone usage -- will find themselves stumbling across uncertain terrain for some time to come.

The next session I attended, Incident Response Using Open Source Forensic Tools, focused on the New York State Digital Forensics Workgroup’s testing of open source alternatives to commercial forensics packages such as EnCase. The Digital Forensics Workgroup is headed by the New York State Police and consists of staff employed by many other agencies. Tom Hrbanek of the State Police, who initiated the discussion, noted that many agencies struggle to find the resources needed to do forensics work, and the workgroup wanted to see whether open source software would lower training and other costs. It also wanted to determine whether open source tools would make it easier for the workgroup to expand its focus to include live capture of evidence as well as post facto incident response.

John Griffin of the New York State Multi-Agency Digital Forensics Analysis Center, which focuses on state employee misconduct, explained how the workgroup conducted its tests. It spent about $400 to purchase a desktop computer that ran Linux and installed several open source forensic tools. It then downloaded and ran a hypothetical hacking scenario created by the National Institute for Standards and Technology (NIST). This scenario is accompanied by 31 questions that forensic analysts should be able to answer, and the testing team was able to answer all 31 questions with the open source tools and to validate the results with commercial forensics applications.

Mike Gibbs of the New York State Office of Children and Family Services then outlined some of the technical dimensions of the project. The forensics tool that the testing team used is called PTK, which runs on a variety of Linux distributions and on Mac OS X, and he discussed some of the problems they encountered. He also directed attendees to more information about the project and the software used.

Tom Hrbanek concluded by noting that work on the project continues and that it will expand to include capturing live memory dumps and data moving across networks, etc., and that the group will present its findings in detail at the International Conference on Digital Forensics & Cyber Crime, which will be held at the University at Albany, SUNY in September.

Although some components of this presentation exceeded my technical expertise, it was fascinating to hear that forensics personnel focus on issues of authenticity and integrity and use some of the techniques (e.g., fixity checking, keeping computers offline) that we often use. There are of course huge differences between the two fields -- they're trying to put away bad guys, and we’re trying to keep records intact and accessible across time. It’s always fascinating to see how the digital era has forced professions that formerly had little in common to focus on some of the same concerns.

Thursday, January 15, 2009

Coming up: an e-discovery tsunami?

Earlier today, Computerworld posted an interesting piece speculating that requests for information about the lending practices of failed banks may highlight sloppy records retention policies and practices and propel regulators to crack down on institutions that don't comply fully with Sarbanes-Oxley and other records-related laws and regulations. Among those quoted in the article is Debra Logan of Gartner, who predicts that disgruntled employers and customers will file all manner of lawsuits and that e-discovery and e-recordkeeping issues will come to the fore as a result:
The amount of litigation that's going to be generated out of this Wall Street meltdown is going to be unbelievable. The regulators will be asking the banks what happened . . . . Lawsuits stemming from problems at government-backed mortgage finance companies Freddie Mac and Fannie Mae will result in systemic change.
Other experts quoted predict that, in addition to stricter enforcement of existing laws and regulations, lawmakers and regulators might impose even more stringent record-keeping controls upon the financial sector -- and the health care industry, which is moving toward electronic-record keeping despite shortcomings in its records retention practices.

It will be most interesting to see how record-keeping practices evolve as people try to make sense of the chaos that has consumed the financial industry and come to grips with the challenges of electronic medical records. Maybe we will start seeing some real attention paid to records management -- and a diffusion of lessons learned in the financial and health care sectors to other industries and government.

Friday, November 28, 2008

Records management at Apple

I've been meaning to post about this matter for a few days, but haven't had the chance . . . .

During the past few months, Apple and Psystar have been engaged in a running legal battle: Apple alleges that Psystar, which sells computers that come with Mac OSX installed, is guilty of copyright infringement, and Psystar alleges that Apple, which does not want other companies to sell computers that have Mac OSX operating system software factory installed, violates antitrust laws. Psystar's antitrust claims have just been dismissed, but it looks as if Apple's suit is going to make it to court in 2009.

From an electronic records angle, the most interesting aspect of this dispute is that it's led Apple to disclose some information about its electronic records management practices. The Industry Standard, which was apparently the first media outlet to make note of this fact, reproduces in its entirety a document outlining Apple's and Psystar's agreed-upon rules for responding to each other's requests for evidence; you can either view this document via the Justia.com scroll box that appears at the bottom of the page or download a copy in PDF format.

The good stuff is on pages 7-8 of the document, which contains Apple's statement about its routine records management practices and the actions it has taken as a result of the lawsuit:
At Apple, individual employees are tasked with maintenance of their own files including hard copy documents, emails, voicemails and other electronically recorded materials. Apple has not implemented any programs that result in the automatic deletion of emails. Similarly Apple does not determine which voicemails are saved or deleted by an individual recipient. However, the voicemail system is set up to delete saved messages after ninety days. At the institution of this lawsuit, Apple identified a group of employees who could potentially have documents relevant to the issues reasonably evident in this action. Apple then provided those individuals with a document retention notice which included a request for the retention of any relevant documents, including but not limited to emails, voicemails and other electronically-recorded materials relating to the issues in this lawsuit. As a result of the counterclaims asserted by Psystar, Apple has also sent out a follow-up retention notice asking for the retention of documents reasonably relevant to the antitrust and unfair competition claims asserted by Psystar. Apple will be working with Psystar to narrow the list of individuals from whom documents will be retrieved for purposes of this lawsuit.
As the Industry Standard asserts, it's a bit startling that a large (no. 103 on the 2008 Fortune 500 list), publicly traded technology company would have such a . . . decentralized approach to the management of its records. However, I don't think that Apple's approach is inherently "negligent," as an unnamed attorney specializing in e-discovery is quoted as saying. I also have to take issue with the Industry Standard's assertion that Apple has "no company-wide policy for archiving, saving, or deleting" records. Apple's policy is indeed company-wide -- it just makes individual employees responsible for managing the records they create or receive.

Is Apple's policy as good as it could be? No. Records managers concur that the best approach to the management of electronic records involves use of recordkeeping systems that have built-in records management applications. These applications manage records centrally, inform records managers when a given grouping of records has reached the end of its legal retention period and can thus be destroyed, and enable them to suspend the destruction of records that might be needed as a result of litigation.

However, it's plain that Apple is not the only large corporation struggling with electronic records management issues. Cohasset Associates' 2007 Electronic Records Management Survey: A Call for Collaboration reveals that although companies have begun addressing e-discovery concerns, incorporating electronic records into records schedules, and moving responsibility for day-to-day management of electronic records out of the hands of IT staff, they still have a lot of work to do:
  • For most organizations, a great deal still remains to be done to achieve credibility in the management of their electronic records and, in time, a sustainable “best practice” level performance.
  • Major gaps and risks related to the handling of archival and backup media were confirmed.
  • Significant gaps in accountability for day-to-day management of all types of electronic records were reported.
So Apple isn't alone in having a less-than-perfect policy, and I can think of several reasons it hasn't adopted a more technologically oriented approach to records management. To date, it hasn't developed any recordkeeping/records management products of its own, and its vertically integrated business model, secretive corporate culture, and legitimate security concerns may militate against use of products developed by other tech firms.

Short of implementing a recordkeeping system that has a built-in records management application, how could Apple improve its records management policy? Well, one key element that Apple doesn't seem to have addressed (at least in this filing) is training, which is a prerequisite for the success of any records management policy. Sending out policy notices to staff is one thing. Explaining -- on more than one occasion -- the reasons for the policy, the importance of adhering to it, and how records management fits into the day-to-day operations of the organization is another, and organizations that fail to do so often find that their policies aren't producing the desired results.

Apple's statement also neglects to mention the extent to which its records management policy has executive support. Are the policy directives being distributed by counsel or mid-level managers with little fanfare, or are Steve Jobs and other senior managers repeatedly driving home the importance of adhering to these policies -- and ensuring that staff have the time needed to do so?

Finally, what of Psystar? Judging from the filing outlining Apple's and Psystar's agreement regarding responses to discovery requests, it doesn't have any sort of records management policy in place. Here is the full text of Psystar's statement concerning its records:
Counsel for Psystar has personally counseled the principals of Psystar as to the retention of documents and other information as they pertain to the issues in this lawsuit. A retention notice was subsequently issued to the principals of Psystar memorializing the same. Retention of documents includes but is not limited to electronic mail, physical documents and things, and other electronically-recorded materials.
I get the distinct impression that even though Apple is falling short of the mark, it has devoted much more attention to records management issues than Psystar has. However, given that Psystar seems to have appeared out of thin air (even its physical location is a bit of a mystery), perhaps that's not surprising.

Update, 29 November 2008: In the interest of full disclosure, I've been an Apple user since the mid-1980s, when my parents purchased an Apple II-series machine, and my trusty (so far) mid-2007 MacBook is my constant companion. However, I don't believe that the company is infallible or that its products are flawless: I know two people who have had serious problems with the hard drives of brand-new late 2006 and late 2007 MacBooks, and I have my own Apple horror story involving a PowerBook 150.