John Kitzhaber's e-mail

It's been quite a week in re: gubernatorial e-mail.

Yesterday, Oregon's governor, John Kitzhaber, announced that he would resign from office. Last October, an Oregon newspaper reported that the governor's fiancee, Cylvia Hayes, had served as an unpaid energy and economic policymaker at the same time as she was running a private green-energy consulting business. In November, the Government Ethics Commission opened an investigation into Kitzhaber and Hayes. Last week, the state's attorney general announced that a criminal investigation was underway.

Earlier this week, the Willamette Week, the Portland alternative paper that broke the news regarding  Hayes' potential conflicts of interest, reported that a Kitzhaber staffer had requested that the state Department of Administrative Services delete all e-mails from Kitzhaber's personal e-mail accounts that were stored on departmental servers. Kitzhaber's camp maintained that the request covered personal messages that had mistakenly been auto-forwarded to state servers and would not result in the destruction of public records. However, Oregon law specifies that personal e-mail messages that discuss government business are considered public records, and Department of Administrative Services staff were keenly aware that multiple media organizations had filed freedom of information requests that included Kitzhaber's and Hayes's e-mail. They sent the administration's request and their concerns about it up the department's chain of command and the department's director decided that the e-mail should not be deleted.

A few hours after Governor Kitzhaber resigned, U.S. Attorney Amanda Marshall revealed that a federal grand jury investigation was underway and issued a sweeping subpoena seeking e-mail, memoranda, and other records that documenting Kitzhaber's environmental and economic policy initiatives, and Hayes' state government work, consulting business and clients, personal and corporate tax returns, and use of state credit cards. The subpoena covers eleven state government agencies and includes records that the state's Justice Department and Government Ethics Commission created or collected during the course of their investigations. The Federal Bureau of Investigation, which never publicly comments upon investigations in progress, also seems to have taken an interest in Hayes's affairs.

What a mess. I imagine that Salem, Oregon is currently experiencing the sort of surreal standstill that Albany, New York experienced in March 2008, but things are going to start moving again, and very quickly. Eleven state agencies will have to devote a lot of time and effort to responding to the federal subpoena and a host of freedom of information requests. The State Archives must scramble to document the administration of a governor who was re-elected a few months ago, who left office with little advance notice, and whose records are of abiding interest to the feds. Moreover, it must do so as it loses the head of its parent agency: when Kitzhaber's resignation takes effect next Wednesday, Secretary of State Kate Brown will become the state's next governor. However, given the clear-eyed, resolute manner in which the Department of Administrative Services responded to the Kitzhaber administration's e-mail deletion request, the Oregon State Archives' recent history of innovation and effectiveness, and Oregon's tradition of (relatively) clean governance, I suspect that these challenges will be met head-on.

Jeb Bush's e-mail, continued

Earlier this week, Jeb Bush made available online hundreds of thousands of emails he sent and received during his tenure as Florida's governor. As I noted yesterday, the emails Bush's organization placed online contained Social Security numbers, home addresses and phone numbers, and a wealth of other personal information about private citizens. In the wake of the controversy, the Bush camp pledged to review and redact the e-mails, which are identical to the unredacted e-mails held and made accessible to researchers by the Florida State Archives.

Earlier today, Fortune reported that the e-mails approximately 13,000 Social Security numbers and that roughly 12,500 of these numbers were housed within a spreadsheet embedded within a PowerPoint presentation attached to a message that Governor Bush and approximately 50 other people received in October 2003. The other 500 are scattered throughout the correspondence. The Bush team has been able to use software to identify and redact approximately 400 of them, but as of earlier today approximately 100 were still available online because they don’t conform to the usual XXX-XX-XXXX pattern and thus can’t be easily found.

Fortune also reported that a spokesperson for the Florida Department of State, of which the Florida State Archives is part, stated that: “the Department of State is currently reviewing our process for redacting confidential information from documents given to the State Archives.” Ouch.

To add insult to injury, ComputerWorld notes that the Microsoft Personal Storage Table (PST) versions of the Bush e-mails that the Florida State Archives disclosed to researchers and that were, for a short time, made available for downloading on the Bush e-mail site contain a number of old viruses and Trojan Horse applications. Most of them pose little threat to anyone who has a newer computer and up-to-date anti-virus software, but they might cause problems for people who have older machines or don't have anti-virus software installed.

Jeb Bush's e-mail

On Monday, former Florida governor Jeb Bush placed online copies of hundreds of thousands of e-mails he sent and received while in office. Bush is actively exploring the possibility of running for President and has stated that he released the messages to show his commitment to transparency and his embrace of information technology; many political observers have concluded that the release is also meant to prove that he's a dedicated, responsive, and effective executive. Things did not go quite as planned, and the resulting uproar ought to be of interest to any government archivist who might accession electronic records that contain legally restricted information, respond to FOI requests for born-digital or digitized records, or confront the sweeping records requests that invariably occur whenever a former official seeks higher office.

As soon as the e-mails were released, tech journalists and bloggers began exploring the search interface that Bush's staff created and the contents of the messages their searches yielded. They found thousands of Social Security numbers, home addresses, and tons of other personal data that had not been redacted. The Verge, Ars Technica, Buzzfeed, and a host of other media outlets quickly redacted and published copies of numerous e-mails that contained such information, and Bush and his staff quickly promised that they would remove Social Security numbers and other personal data. However, the e-mails – in searchable database form as well as downloadable Microsoft Personal Storage Table (PST) files – were freely available online for almost a day before the Bush team decided to take action.

Bush and his staff were also quick to point fingers. Yesterday, Bush told reporters in Tallahassee that the messages were public records held by the Florida State Archives (which is part of the state's Department of State) and that he and his staff had merely "released what the government gave us." The Bush team also revealed that in May 2014, an attorney representing Bush sent a letter to an unidentified state official asserting that the state was responsible for redacting any legally restricted information found within the e-mails:

We hope these emails will be available permanently to the public, provided the records are first reviewed by state officials in accordance with Florida Statute to ensure information exempt from public disclosure is redacted before release, including social security numbers of Florida citizens who contacted Governor Bush for assistance; personal identifying information related to victims of crime or abuse; confidential law enforcement intelligence; and other information made confidential or exempt by applicable law.

The Florida State Archives holds 26.2 gigabytes of Bush's gubernatorial e-mail, and the catalog record describing the correspondence indicates that the records consist of "PST files" that "must be loaded onto user's hard drive and opened using MS Outlook software." The catalog record makes no mention of access restrictions, and unredacted copies of the files have evidently been disclosed to other researchers. Yesterday, National Public Radio (NPR) reported that many of the e-mails Bush released on Monday had first been disclosed to reporters shortly after they were created or received and that several media organizations, NPR among them, had previously obtained copies of the full set from the Florida State Archives.

At this point in time, I am not going to second-guess or condemn the Florida State Archives. I simply don't know enough about Florida's Sunshine Law, which is more expansive than many other state freedom of information laws, or the Florida State Archives' disclosure protocols to come to any sort of informed conclusion. I do know that the Sunshine Law for the most part bars the disclosure of Social Security numbers, but many freedom of information laws mandate that previously disclosed information cannot be withheld for any reason; given that many of these e-mails had been disclosed to reporters while Bush was in office, the Florida State Archives might have no choice but to release them without redacting them. To date, no one from the Florida State Archives or Florida Department of State has commented upon this matter, but I hope that some sort of explanation will eventually be made.

I am more willing to second-guess Jeb Bush and his associates. As the Miami Herald has pointed out, the May 2014 letter written by Bush's attorney strongly suggests that Bush has been seriously thinking about running for president for quite some time. To my way of thinking, it also suggests that Bush or, at the very least, his lawyers knew that the e-mail contained legally restricted information, decided that the State of Florida was solely responsible for redacting it prior to disclosure, and figured that it was ethically okay to make information that Florida couldn’t or wouldn’t redact a lot easier to find. Requesting a PST file from the Florida State Archives and importing it into Microsoft Outlook doesn’t require a ton of effort or technical know-how, but at least some of the people who are now idly rummaging through the searchable Web database of e-mails created by the Bush campaign probably wouldn’t feel the need to make the effort. Manual redaction and review of e-mail is a pain – trust me on this – but there are numerous tools that will flag and facilitate redaction of Social Security numbers, telephone numbers, and other consistently formatted data. Why didn't the Bush camp make even a modest attempt to weed out the Social Security numbers?

Finally, I must be a bit skeptical about the Bush camp's claims of transparency: the Tampa Bay Times recently reported that Bush used a private e-mail account to conduct all state business and transferred only some of the messages associated with this account to the archives when he left office. Specifically, all messages relating to “politics, fundraising, and personal matters” were removed prior to transfer. I have no problem with purging messages relating to purely personal matters, but the removal of messages relating to political affairs and fundraising efforts raises a few questions in my mind. How were these messages identified? Were they identified as they were sent or received, or was there a massive end-of-term review effort? If the latter, who was involved in the review and what criteria were employed? And, of course, why didn't Bush use a state government e-mail account to conduct state business?

State government electronic records in the news

Two stories relating to the management and continued accessibility of state government records popped up on my radar screen earlier today. Both of them warrant watching; it doesn't seem as if either situation will be resolved any time soon.

The first involves gubernatorial records, an ever-present matter of interest and concern. Earlier today, the Boston Globe reported that during the last days of Republican presidential candidate Mitt Romney's tenure as governor of Massachusetts, eleven of his high-ranking staffers used personal funds to purchase their state-supplied hard drives and laptops, staff replaced all of the other computers in the governor's office, and all Romney-era e-mail was deleted from the office's e-mail servers. When Deval Patrick, a Democrat, took office, he and his staffers found an electronic blank slate.

Romney's position is that staffers who purchased hardware did so openly and that he and his staffers complied with all records laws. It does seem that the Romney administration did transfer a substantial body of records to the Massachusetts Archives: according to the Globe, the the repository holds 700-800 boxes of paper records documenting the Romney administration. However, it's not clear whether these records include print copies of the e-mails. The Globe doesn't provide detailed information about them, and the Massachusetts Archives doesn't have an online catalog or detailed online finding aids.

Secretary of State Bill Galvin, who oversees the Massachusetts Archives, told the Globe that the hardware purchases strike him as odd and that the gubernatorial e-mail should have come to the archives: "Electronic records are held to the same standard as paper records. There’s no question. They’re not in some lesser standard."

Romney's campaign manager asserts that the Patrick administration is making a stink about the hardware purchases, computer replacement, and e-mail deletion because it is acting as "an opposition research arm of the Obama reelection campaign." After the Globe story appeared this morning, he filed a state Freedom of Information Act request seeking "all email correspondence, phone logs, and visitor logs" documenting contacts between Patrick administration staffers and prominent Obama political advisers David Plouffe, David Axelrod, and Jim Messina. Governor Patrick’s chief legal counsel has stated that staff will "be happy to fulfill" this request.

I'm not an expert on Massachusetts records laws, so I'm going to have wait for the experts to weigh in on whether the actions of Governor Romney and his staff were legal. Do I wish that the e-mail had been preserved? Of course I do. I'm an archivist, and my job is to preserve records of enduring value and to provide access to them. Gubernatorial correspondence and internal memoranda, regardless of format, do have enduring value. Do I think that Governor Romney should be pilloried for destroying the e-mail? If he violated the law, I hope he gets what's coming to him. If he didn't, I hope that Governor Patrick and other Massachusetts politicians focus on strengthening laws concerning the retention and disposition of gubernatorial records.

Do I think that Governor Patrick brought up these issues in an effort to give President Obama a boost? I don't know. Patrick and Obama are close allies, so it's possible. However, I'm also under the impression that Governor Patrick has his own reasons for disliking Governor Romney, and I'm open to the possibility that he and his staffers are discussing the matter because they keep getting freedom of information requests for Romney-era records. I must admit that I am curious as to how well the Patrick administration is managing its own records.

The second relates to an outrage. As anyone who's been paying even the slightest attention to the American news media knows, former Penn State assistant football coach Jerry Sandusky was recently arrested on charges that he sexually molested eight young boys. Two university administrators have been charged with perjury, and the university's president and football coach have lost their jobs.

Questions as to precisely what the president, the coach, and other university administrators knew about Sandusky and when they knew it are rampant. However, Pennsylvania's Right to Know Law, which was extensively revised in 2008, explicitly exempts most records created by Penn State, Lincoln University, the University of Pittsburgh, and Temple University. As a result, there is a distinct possibility that only those e-mails, phone records, and other Penn State records introduced in open court will be disclosed to the public -- unless, as the New York Times urged earlier today, the Pennsylvania legislature and governor move to lift this exemption.

Publicly funded universities in many other states -- New York included -- are subject to freedom of information laws. For what it's worth, I really don't see why Penn State, Pitt, Temple, and Lincoln should be granted such sweeping exemptions, and I hope that Pennsylvania's law changes. At the very least, I hope that Penn State's new administrators recognize that openness and honesty are essential to restoring the university's good name and start releasing records of their own accord as soon as prosecutors permit them to do so.

Yes, I know that Penn State is going to be hit with civil lawsuit after civil lawsuit and that its lawyers would probably jump for joy if a fire or flood destroyed a ton of university records. However, the lawsuits will come and the cost of settling them will be staggeringly high no matter what the university does.

Of course, Penn State is not the only entity that has relevant records: Sandusky met the boys he is accused of sexually assaulting through The Second Mile, a charitable organization that he founded. However, earlier today, the New York Times reported that investigators have yet to locate some important Second Mile records:

Officials at the Second Mile . . . reported that several years of the organization’s records were missing and had perhaps been stolen. The missing files, investigators worry, may limit their ability to determine if Sandusky used charity resources — expense accounts, travel, gifts — to recruit new victims, or even buy their silence . . . .

Much of the [charity's] older paperwork was stored at an off-site records facility. The travel and expense records, for instance, had been sent over several years earlier. But select members of the charity’s board of directors were alarmed to learn recently that when the records facility went to retrieve them, some of those records — from about 2000 to 2003 — were missing.

. . . . Subsequently, the [Second Mile] foundation located apparently misfiled records from one of the years, but the rest seem to have disappeared.

As awful as the Sandusky-Penn State situation currently appears, I can't help but think that we've seen only the tip of the iceberg. All the more reason to be as honest and as open as possible. The sooner the truth comes out, the sooner the victims can focus on rebuilding their lives and the sooner Penn State can focus on rebuilding itself.

E-mail management, part two

. . . And now for something completely different. David Stephens's approach to managing e-mail, which I posted about yesterday, is an enterprise-level solution to an enterprise-level problem. What about those of us -- l'Archivista among them -- who just can't seem to manage their personal e-mail appropriately? I've got a couple of personal accounts that are filled with sales pitches, listserv detritus, and other stuff that I really should delete, but I've got generous storage quotas and a finite amount of time. I've also got pretty decent search capability, but the volume of junk is starting to affect my search results. I recently needed to track down a Continental e-ticket and had to wade through a bunch of old Continental sales pitches before I could find it. Urgh.

For some of us, a new service, GiveBackMail, may help. GiveBackMail displays a new advertisement each time a user sends, opens, or deletes a message, and the service makes a small donation to charity each time a user performs one of these actions. At present, GiveBackMail allows users to earmark their donations for one of seven non-profit organizations working in a variety of areas: cancer, education, conservation, animal welfare, people with AIDS, microlending, and victims of the recent tornadoes. GiveBackMail hopes to add additional charities, and account holders can suggest charities that might warrant inclusion.

GiveBackMail users have the option of routing one or more of their existing AOL, GMail, Hotmail, and Yahoo accounts through GiveBackMail or setting up a separate GiveBackMail account; if they opt for the latter, they can keep their existing e-mail addresses and their correspondents will be none the wiser. Users can also the service to post updates to their Facebook or Twitter accounts.

A recent New York Times article notes that GiveBackMail's business model seeks to redirect users' eyeballs: instead of viewing ads served up by AOL, Google, Microsoft, or Yahoo, GiveBackMail wants you to route your e-mail through its servers and to view the ads it displays, and its charitable donations are designed to induce you not only to reroute your e-mail but also to change your e-mail management practices.

The Times article also notes that GiveBackMail is built upon the embedded-giving model that myriad corporations have recently embraced. If you purchase something or do something, a portion of the purchase price or corporate funds (up to a certain amount) will be donated to a specific cause. As Laura Starita points out, we should all think critically about this model, which can render "philanthropy subject to the retail cycle," undermine donor trust by failing to communicate how donations are being used, corrupt the desire to give by melding it with the desire to acquire, and paper over problematic environmental, labor, or other practices. However, if you're comfortable with viewing a few ads, think that the prospect of directing small sums of money to a non-profit organization will motivate you to clean up your inbox, and keep in mind that using GiveBackMail won't make you any sort of activist, then you might want to check it out. Moreover, GiveBackMail supplies monthly statements outlining how each users' donations have helped the charity he or she selected, which ought to help users feel more confident about the service.

I recently registered with GiveBackMail, and I found the process simple. I have only one complaint: I discovered only when I first attempted to register that GiveBackMail cannot be used to manage free, basic Yahoo e-mail accounts. GiveBackMail works only with Yahoo Plus accounts, but there is no mention of this fact anywhere in the "How It Works" or "Features" sections of the GiveBackMail site. I can't determine from the GiveBackMail site whether GiveBackMail works with the free versions of AOL, GMail, or Hotmail.

Undeterred by GiveBackMail's inability to help me get a grip on my Yahoo accounts, I set up a separate GiveBackMail account and plan on using it for a few routine things. GiveBackMail is currently in beta mode, and, as the Times points out, there's always the possibility that Google or one of the other big Web e-mail providers will undercut GiveBackMail by replicating its view-an-ad-make-a-donation business model, so I'm not 100 percent certain I want to make it my primary account at this time. However, so far I've been pretty pleased with GiveBackMail. Its interface is simple and intuitive, and it seems to do what it's supposed to do -- enable me to send, receive, organize, and delete messages and keep track of contacts -- without any hitches. Moreover, at least in the short term, I've gotten better at deleting all those useless messages . . . .

E-mail management, part one

A few days ago, I attended a Central New York ARMA event at which David O. Stephens analyzed the Top Ten Issues Driving Records Management Today. As might be expected, Stephens devoted a lot of attention to the challenges posed by electronic records, and I was particularly struck by his strategy for improving the management of e-mail.

Stephens noted that e-mail is now the dominant form of business communication: more than 60 percent of electronic business documents are transmitted as e-mail attachments, and up to 60 percent of business-critical information is stored in the messaging environment. However, IT departments struggling to keep e-mail systems operational typically purge all messages after a relatively short time (e.g., 90 days) or force end users to limit the number of messages stored in the system. End users who need to retain older messages must either save them to an "archive" on a local or shared hard drive or print them out.

From a legal discovery standpoint, these practices are profoundly troubling: retaining messages that could have been disposed of increases an organization's legal exposure, combing through individual e-mail archives, paper printouts, or backup tapes is time- and resource-intensive, and overlooking an obscure archive or tape stored offsite can have devastating consequences.

Stephens also pointed out that the orthodox records management approach to e-mail -- having end users match the content of individual messages to a specific records series and organize the messages accordingly -- is, quite simply, a recipe for failure. Unfortunately, too many records managers still believe that end users must be responsible for managing their own e-mail.

Stephens asserted that individual messages fall into one of three categories -- short-term value, medium-term value, and long-term value -- and treating each category as follows:

• Short-term. This category comprises messages of transitory value. Users should be trained to identify such messages and to delete them from their mailboxes on a daily basis. Most users will have to devote 10-15 minutes a day to doing so, and supervisors should support and encourage this practice.
• Medium-term. Messages not deleted by users should be classified as having routine business value and should be automatically transferred to an e-mail archiving system at regular intervals. These messages should be retained in the e-mail archiving system for 3-7 years depending upon the organization's resources and needs; 3 years is generally the minimum retention period needed to satisfy legal requirements, but organizations that opt for a more conservative approach may opt to keep e-mail for 5-7 years.
• Long-term: The number of employees who send or receive messages that should be retained for more than 3-7 years is relatively small, and the total number of messages that warrant lengthy retention is also small. Employees who are likely to send or receive such messages should be taught how to identify them and to either print them out or transfer them to an electronic records management (ERM) system.
  

As Stephens points out, this approach isn't perfect: some employees simply won't identify and delete messages of transitory value, and some employees who send and receive messages that have long-term retention needs won't consistently identify them and remove them from the messaging environment. However, it is a vast improvement upon current practice: it relieves end users of all responsibility for managing messages of routine business value, relieves IT and legal staff of the obligation to go through backup tapes and those pesky individual e-mail archives, and ensures that messages that have reached the end of their retention period won't hang around and increase the organization's legal exposure.

The only problem that I have with Stephens's approach is its reliance upon technology -- not because I believe that e-mail archiving systems and ERM systems are inherently deficient but because many records managers will find it hard to justify their purchase, particularly in the current economic climate. In the absence of pressing e-discovery concerns or regulatory requirements, governments and a substantial number of non-profit and corporate bodies will no doubt continue to classify e-mail archiving systems and electronic recordkeeping systems as second- or third-tier priorities.

Moreover, in some instances, organizations that see the need for these IT investments may have difficulty finding products that truly meet their needs. Owing to the market dominance of Microsoft Enterprise/Outlook, users of Enterprise/Outlook systems can select from a wide array of compatible e-mail archiving products. Lotus Notes users also have a decent number of choices, but users of other systems have fewer options. Users who are outsourcing their e-mail to the cloud may well be dependent upon their cloud service providers.

I nonetheless hope that records managers embrace this approach and start pressing their employers to make the requisite IT investments. Stephens noted that when we get snail mail at home, we toss the junk mail, put the magazines on the coffee table or nightstand, and place the bills in our "to-do" pile, but we don't put any of this stuff back in the mailbox. Why, then, are we storing e-mail in our inboxes? We need to start asking senior managers and IT personnel this question and pushing them for a better answer.

NYAC/ARTNY: E-mail management and preservation

The Hudson River, as seen from Walkway Over the Hudson State Historic Park, Poughkeepsie, New York, 4 June 2010.

This post concerns something that happened 11 days ago, which I suppose makes me a full-fledged slow blogger . . . .

I noted a little while ago that I thought that Session 1, which focused on the Archivists’ Toolkit, was the highlight of the recent joint meeting of the New York Archives Conference/Archivists Roundtable of Metropolitan New York. However, Session 7, Management and Preservation of E-mail, was a very, very close second.

Nancy Adgent of the Rockefeller Archive Center (RAC) got things rolling by discussing one of my favorite preservation projects, the Collaborative Electronic Records Project (CERP) undertaken by the RAC and the Smithsonian Institution Archives (SIA).

Using RAC-held Microsoft Outlook .pst files e-mail in a variety of formats and SIA e-mail in a variety of formats Microsoft Outlook .pst files, the CERP team developed separate workflows that took into account their institutional differences. They also tested off-the-shelf conversion tools and and developed a parser that converts e-mail messages and attachments to an XML-based preservation format; over 99 percent of the 89,000 testbed messages parsed successfully.

Along the way, they learned a host of lessons:

• Transfers from active systems go most smoothly when an archivist and an IT person work together.
• Minor problems will arise. Some attachments that should have accompanied messages were missing, most likely because they were stored in a central server and the messages were copied from individual users’ desktops. The dates of some individual messages were replaced by the date they were bundled into a .pst file, and the name of the author was sometimes changed to that of the archivist who examined the file. Most strikingly, the installation of new GIS software on testbed equipment changed the display of some message fonts.
• E-mail requires some processing before it’s converted to XML. The CERP team used a variety of off-the-shelf tools in order to do so.
• Different anti-virus tools sometimes yield different results. The CERP team used Kaspersky and Symantec, each of which detected a few viruses that the other didn’t find.
• Searching file names is not a foolproof means of identifying “sensitive” materials. Although both repositories conducted such searches and either removed sensitive information from access copies or documented its existence in finding aids and metadata, they realized that some sensitive information was still lurking in the messages.

Paul Szwedo of the New York State Office of Real Property Services (ORPS) then discussed how his 300-person agency began managing its e-mail. To the best of my knowledge, ORPS has made a lot more progress than any other New York State agency, and I hope that other agencies follow its example.

Prompted by recent changes in the Federal Rules of Civil Procedure, ORPS decided that staff had to take responsibility for their own information. It first reviewed, updated, and consolidated its e-mail, the Internet, and IT equipment use policies so that they harmonized with the state’s information security policy, ethics law, and relevant executive orders. It then amended its e-mail retention policy, which now mandates that users who want to keep their e-mail longer than 120 days must move it into a centralized archive.

ORPS already owned EMC’s DiskXtender archiving product and purchased the EmailXtender (now SourceOne) component (which the Obama White House also uses) for e-mail archiving. Instead of keeping every message, the agency opted to create folders based on length of retention period and rely upon staff to file messages appropriately. Folder access is customized by unit, so units that create records with longer retention periods can manage them properly and those that don’t can’t keep records forever.

After the system was installed, ORPS began providing training and guidance to staff. Staff had eight weeks to manage their existing e-mail, and Lotus Notes’ save-to-local-drive option was disabled. Project leaders sent out reminders to staff and stressed that managers were responsible for ensuring that unit records were managed properly and that unit staff knew how to do so.

Paul identified a number of key success factors:

• Backing of senior management. (In a brief conversation we had after the session, he indicated that senior managers’ support was the single most important factor. If only figuring out how to secure the backing of senior management were as simple.)
• Policy development preceded implementation. Business needs should drive IT investment, not the other way around.
• Staff educated themselves via State Archives workshops and discussions with other agencies.
• Availability of funding
• Records management liaisons served as a test group, which facilitated identification of problems and prepared the liaisons to handle questions from other staff
• All tutorials, videos, and communications relating to the project were placed online

The challenges were nonetheless substantial:

• Turning a “save everything” organization into an organization that manages its information requires a lot of effort
• Some people saw e-mail management as a distraction from their “real” work
• Everyone wanted more time to review and sort messages
• Upper managers retired, resulting in loss of momentum
• Networking staff had other responsibilities thrust upon them
• People save e-mail for easy reference, and don’t necessarily think of it as a record

Project staff also learned several lessons along the way:

• Don’t assume people are paying attention. Despite repeated warnings and reminders, one person did not review and organize his/her messages and as a result lost all of them.
• Elicit concerns, and do so upfront if at all possible (As Fynette Eaton has pointed out, this is a key principle of change management)
• Weigh overhead against policy. On several occasions, ORPS had to tweak its policies because they were placing an undue burden on network personnel.

Christine Midwood of Iron Mountain Digital ended the session by highlighting how new products and services can help address the challenges associated with e-mail:

• Legal risks and discovery. New products can provide consistent, rapid search across email archives, apply litigation holds by message (and apply multiple holds to a given message), and manage e-discovery cases so that teams can access only those messages responsive to the case they’re working on.
• Expense. New products can apply retention schedules, streamline costs via outsourcing storage to a cloud environment (my take: the cloud isn’t ready for state and local government records), and consolidate archiving, business continuity, security, anti-virus, etc. functions into a single product.
• Data loss. Technology can provide a tight, documented chain of custody, capture complete delivery information, and consolidate or eliminate message files stored on individual users’ hard drives.
• Privacy. Software can now block or quarantine e-mail that contains prohibited or suspect content (e.g., Social Security Numbers) and provide role-based access to e-mail (whole message, metadata only, no access)
• Productivity. New products offer “continuity” features that minimize e-mail outages, eliminate e-mail quotas, and automate application of retention policies.

In response to a question from an audience member, she made a really interesting point: Iron Mountain and other vendors work with companies that are keenly aware of the risks of keeping information too long, and as a result they get few inquiries about how to handle e-mail that has a permanent retention period. She noted that allowing end users to sort and classify their own messages might open the door to permanent retention, but I suspect that something more (e.g., migration/conversion, preservation metadata) is going to be needed.

Open Government in the Digital Age Summit: David Ferriero

Approximately 150 people -- IT professionals, archivists and records managers, public policy experts, and journalists -- attended the Open Government in the Digital Age Summit jointly sponsored by the New York State Office of the Chief Information Officer/Office for Technology and the New York State Archives.

In lieu of a lengthy recap, I’m going to put up two or three shorter posts -- one centering on the keynote address delivered by David Ferriero, the 10th Archivist of the United States, and at least one other post highlighting the key threads of the day’s discussion. I have several reasons for doing so:

• I expect that all you archivists out there are at least a little curious about the new Archivist.
  
• Certain points and themes kept coming to the fore throughout the day, and it makes more sense to take a little time and tease them out than to do a session-by-session summary.
• I’m on vacation. I have some pretty intense sightseeing plans for the next few days -- which means that I need to break things up a bit and that posts about the Summit are likely going to alternate with posts about my travels. (Where am I? Come back tomorrow, and you’ll find out.)

First, however, a few words about “open government.” As a number of speakers and panelists pointed out, “openness” is commonly seen as being synonymous with transparency of operations and decision-making processes, accountability to citizens, and promotion of citizen participation in the creation of policy and development of services. Moreover, as several Summit participants noted as the day went on, open government requires an ongoing commitment to transparency and accountability -- and to ensuring that essential government information remains uncorrupted and accessible over the long term.

David Ferriero really helped to bring into focus the relationship between records and openness by stressing that if open government is your goal, you should focus on records management. In many respects, his point is obvious, but it’s all too often overlooked: how can you promise transparency and accountability if you can’t find the records that provide insight into government operations or policy development or can’t guarantee their completeness, accuracy, or integrity?

He then focused on the management of electronic records and the immense amount of work awaiting the federal government: a recent U.S. National Archives and Records Administration (NARA) survey of federal agencies revealed that agency records management and information technology staff, who really need to work together in order to manage electronic records appropriately, rarely do so. Moreover, almost every agency surveyed had records subject to a moderate or high risk of loss.

(Sadly, this situation isn’t unique to the federal government: the records management-IT disconnect is a big problem in New York State government and, judging from what I’ve heard from colleagues elsewhere, most other state and local governments are in the same boat. We’re all falling far short of the mark.)

Ferriero then discussed NARA’s own efforts to become more open and citizen-centered. Its Open Government Working Group, which is responsible for enhancing NARA’s ability to interact and collaborate with agency personnel and the general public, will post a formal plan for doing so on NARA’s Web site on 7 April. However, Ferriero gave us a preview of some of the recommendations that may appear in it:

• Establish an ongoing group charged with figuring out new ways of doing business and increasing openness
• Retool NARA’s strategic plan to include open government
• Create staff-only Web 2.0 tools that will enable NARA personnel to share ideas and collaborate more effectively
• Seek to engage the public via Facebook and other popular social media sites -- in essence, go where users are instead of waiting for users to come to NARA’s site
• Redesign NARA’s Web site with end users in mind, update the records management section, incorporate an “Ask an Archivist” interactive feature, and set up a wiki so that researchers can share the results of their research
• Sponsor an Apps for Archives competition (akin to the Apps for Army and other federal competitions) competition for development of applications that will improve access to NARA’s holdings
• Realign digitization priorities and give users ability to see what’s in the digitization queue
• Continue publishing high-value datasets in open formats on www.data.gov -- in essence, move from providing services to providing a platform for others to develop services
• Investigate the possibility of developing a Freedom of Information Act (FOIA) Web dashboard on FOIA services and responsiveness
• Actively declassify records and streamline declassification protocols
• Create an open government Web portal

Ferriero also took questions from the audience and offered up a number of fascinating tidbits:

• NARA is working with the secretaries of the Senate and the House of Representatives to ensure that draft versions of bills are captured and preserved appropriately
• NARA holds about 1 million e-mails from the Reagan administration, 250 million e-mails from the administration of George H.W. Bush, and anticipates getting approximately 1 billion e-mails from the Obama administration. Several of the people sitting around me gasped audibly.
• In an effort to breach the records management-IT divide, he’s convening the first-ever joint meeting of the federal CIO Council and the federal Records Management ??
• Like everyone else, NARA is still trying to figure out how to preserve Web sites, which change constantly; however, it’s plain that sporadic crawls such as those performed by the Internet Archive aren’t sufficient. (I agree; however, it’s just about the only practical approach available to most archivists at this time.)
• When developing new online tools and services, you really need to focus on users’ circumstances and preferences, not your own internal uses of technology; if you don't, you're not really committed to openness. For example, only fifty percent of New York City residents have home Internet connections, but most of them have cell phones -- and want mobile services and applications.
  

The last couple of questions centered on e-mail, BlackBerries, and cell phones, all of which pose particular challenges for archivists and records managers.

• Even the most conscientious employees occasionally use them to send and receive personal messages. Ferriero noted that, in the absence of automated tools that can pick out personal messages, it’s probably easier to keep everything than to conduct a manual review of messages. As an archivist who works with a small but growing volume of e-mail “archives,” I agree wholeheartedly: weeding these archives would be a time-consuming, soul-sucking task, and the resulting reduction in storage costs simply wouldn’t justify the investment of staff time.
• Determining which messages to keep is a particular challenge. I disagree with the approach that Ferriero advocated -- keeping everything -- but I understand why someone charged with upholding the Presidential Records Act and acutely cognizant of the research potential of routine correspondence would advance this argument. There has to be a way to preserve an adequate historical record -- sampling (by individual or by agency), targeting the accounts of key personnel -- without committing to saving every message that passes through an agency’s e-mail servers.

Ferriero’s speech was really well received, and I’m really looking forward to seeing how NARA evolves under his direction. The next few years ought to be really interesting.

How the White House Archives Its E-mail

Last month, the National Security Archive (NSA) and Citizens for Responsibility and Ethics in Washington (CREW) settled their 2007 lawsuit against the Executive Office of the President (EOP) and the U.S. National Archives and Records Administration (NARA). In keeping with the terms of the settlement, earlier today EOP conveyed to CREW and NSA a letter outlining its e-mail archiving and backup practices. A few hours ago, CREW posted a copy of the letter and supporting information on its Web site.

So how's EOP doing? From the looks of it, a pretty good job:

• Since 20 January 2009, it has been using EMC's EmailXtender (now EMC SourceOne E-mail Management for Microsoft Exchange) to capture copies of all messages sent or received via its unclassified e-mail network. The EmailExtender system, which is centrally managed and housed in a secure offsite location, captures messages from EOP's central Microsoft Exchange Journal Servers (EOP's using Microsoft 2000 and will soon upgrade to Exchange 2010) immediately after they are sent or received by an EOP desktop computer or BlackBerry.
  
• EOP network operations staff continuously monitor the status and storage capacity of the system via "health-check dashboard reports."
• The system produces full backups on the second Tuesday of each month and incremental backups on every Monday, Wednesday, Friday, and Sunday.
• Although some users of the e-mail network can search the EmailXtender system and view archived messages, they can search and view only those messages created by their own offices and do not have the ability to alter or delete messages.
  
• Only a select handful of people have the ability to delete messages from the system, and only those messages that were subsequently found to contain classified information are deleted. EOP seems quite serious about preventing inappropriate deletions: messages are deleted only after the Office of Security and Emergency Preparedness and the National Security Council have been consulted and EOP's Office of the CIO, Office of the General Counsel, and the Director of Office Administration have granted permission. Moreover, record copies of deleted messages and records documenting adherence to the deletion protocols are maintained separately
  
• The system produces weekly audit reports that identify individuals who conducted searches, the search terms they used, and whether they opened any messages in connection with their searches. The audit reports also document the deletion of messages, thus ensuring that unauthorized deletions will not go undetected.
  

From an archival/records management perspective, there's a lot to like about EOP's approach:

• Mindful of some of the problems that confronted the previous administration, EOP has configured its e-mail network so that access to "all known Web based external e-mail systems" is blocked and neither the e-mail network nor EOP-issued BlackBerries can access "known instant messaging systems. Of course, secrecy-minded White House personnel could conduct official business via personal cell phones or PDA's -- and I would like to know how EOP is combating this practice -- but EOP seems to be doing whatever it can to ensure that its own hardware is locked down.
  
• The EmailXtender system somehow determines whether a given message is subject to the Presidential Records Act or the Federal Records Act, which ought to make it a lot easier for NARA staff to manage these records after transfer. I wouldn't mind knowing more about this neat trick, which is probably based on analysis of the message's content, the account holder's role within EOP, or some combination of the two.
  
• Although the EmailXtender system stores the messages and their attachments in their native formats, they can be extracted in .eml (Microsoft Outlook Express Electronic Mail) format for transfer to NARA. I would be happier if the messages could be exported in some sort of optimal preservation format, but the archival profession is just starting to figure out precisely what an optimal e-mail preservation format would look like. If, as EOP's letter implies, NARA can take in .eml files and convert them to a preservation format, .eml is okay.
  

This sounds all well and good, but a caveat is in order: we almost certainly don't have the whole picture. The very first sentence of EOP's letter indicates that the system and protocols described above relate only to "unclassified White House e-mails," which suggests that there is a separate system and set of protocols for messages containing classified information. Getting information about the workings of the classified system -- which I really hope isn't based on Exchange or any other off-the-shelf application -- is doubtless going to be a lot more difficult, and there is legitimate reason for not disclosing at least some of it. The care with which EOP is handling deletions from the unclassified system suggests that there is a substantial degree of commitment to doing the right thing, but we may not know with certainty just how well the Obama administration is managing classified e-mails until well after President Obama leaves office.

Bush White House e-mail settlement

News that 22 million lost e-mail messages sent or received by the Bush White House have been recovered and that the National Security Archive (NSA) and Citizens for Responsibility and Ethics in Washington (CREW) have settled their 2007 lawsuit against the Executive Office of the President (EOP) has been all over the media for the past couple of days.

A lot of the media coverage is focusing on a couple of items in the settlement document. First, for reasons of cost, the White House will focus on recovering e-mails sent or received on select days, not every "missing" e-mail that the Bush White House created. Second, the U.S. National Archives and Records Administration (NARA) will take custody of the e-mails and manage them in accordance with the Presidential Records Act, which means that the e-mails won't be disclosed to researchers for years.

However, a quick review of the settlement document itself reveals that, with a handful of exceptions, the media isn't calling attention to a provision that ought to interest anyone who wants to know how the White House does business or how EOP manages its electronic records:

4. Description of Current EOP System: Defendants [EOP and NARA] will provide Plaintiffs [NSA and CREW] with a publicly releasable letter describing in as much detail as possible the current EOP computer system, including its email archiving and backup systems. This document will include a detailed description of the controls in the system that prevent the unauthorized deletion of records.

a. Prior to sending the letter, Defendants will review with Plaintiffs draft(s) of the letter and the Parties will agree upon a final version.

b. Defendants recognize that Plaintiffs intend to release the letter publicly, and Defendants do not object to such a release.

c. Defendants will produce this letter by January 15, 2010.

Although I'm sorry that the EOP and NARA personnel charged with producing this document will likely have to curtail their holiday breaks, I'm looking forward to the end result. It should make for interesting reading.

MARAC Fall 2009, S1: Solutions to Acquiring and Accessing Electronic Records

Pavonia Arcs, by Robert Pfitzenmeier (2004), Newport, Jersey City, 29 October 2009.

Along with Ricc Ferrante (Smithsonian Institution Archives) and Mark Wolfe (M.E. Grenander Department of Special Collections and Archives, University at Albany), I had the good fortune to participate in this session, which was graciously chaired by Sharmila Bhatia (U.S. National Archives and Records Administration).

Ricc Ferrante discussed the challenges of accessioning and preserving archival e-mail created by employees of the Smithsonian Institution's semi-autonomous museums and research institutes. His experience should resonate with many government and college and university archivists. Until late 2005, the Smithsonian's component facilities used a variety of e-mail applications, and retention guidelines were implemented in 2008. As a result, the archives is both actively soliciting transfers of cohesive groups (i.e., accounts) of documented and backed-up messages at predetermined intervals and passively accepting transfers of older groupings of records in a variety of formats.

Ricc then discussed the processing of these e-mails, which is performed on PC or Mac desktop computers. Incoming transfers are backed up, analyzed and documented, converted to a preservation format, and securely stored. The Smithsonian Institution Archives uses a tool to convert accounts or groupings of messages in formats other than MBOX to the MBOX format, and the Collaborative Electronic Records Project (CERP) parser then converts the MBOX files to an XML-based preservation format. Experimenting with the MBOX conversion tool and the CERP parser has been on my to-do list for some time, so I was really glad I got the chance to hear Ricc discuss these tools.

Mark Wolfe discussed how the M.E. Grenander Department of Special Collection and Archives is using Google Mini, a modestly priced "plug and play" search appliance that will index up to 300,000 documents, to improve access to its student newspapers. Prior to the installation of Google Mini, a paper card file was the only access mechanism for these publications, and Google MIni has made it possible for staff to find information about people who became prominent well after they left the university (e.g., gay rights activist Harvey Milk, '51), respond quickly to reference inquiries, and enhance access to the newspapers.

Mark also highlighted the shortcomings of Google Mini's indexing of digitized materials. When assigning titles, it looks for the most prominent text on a given page, which in a newspaper may be part of an ad, not a story. Dates are another problem. When sorting search results by date, it hones in on the date the digital file was created, not the date of the scanned original. The former problem can be corrected, albeit with considerable effort, by manually changing the author, title, etc. properties of the files, which are in text-based PDF format. However, the date properties, which help to safeguard the authenticity of born-digital files, cannot easily be changed and thus inhibit date-based access to scanned archival materials. There's been a lot of talk lately about how the management of born-digital and born-again digital materials will eventually converge, but Mark's talk is a good reminder that we're not quite there yet.

My presentation concerned our capture of New York State government sites and the redaction (i.e.. removal of legally restricted information from records prior to making them accessible) of electronic records converted to PDF format. In lieu of giving an exhaustive recap, I'll just offer a few words of advice to people contemplating electronic redaction. At present, there are several good tools for redacting PDF files, including the built-in tool bundled with Adobe Acrobat 8 and 9, Redax, and Redact-It. If you are using an older version of Adobe Acrobat and can't or don't want to upgrade or purchase an add-on tool, the National Security Agency has produced a document that outlines a laborious but effective redaction procedure. If you commit to electronic redaction, you need to keep abreast of the relevant legal and digital forensics literature: people are trying to figure out how to crack these tools and techniques and recover redacted information, and one of them may eventually succeed.

There are also several really bad PDF redaction techniques. Never, ever use Adobe Acrobat's Draw or Annotate tool to place black, white, etc. boxes over information you wish to redact. Another spectacularly bad idea: "redacting" a word processing document by changing the font color to white or using a shading or highlighting feature to obscure the text and then converting the document to PDF format.

Want to know why these options are so bad? Read this. And this. And this. And this. And this. And this, too (thanks to John J. @ W&L for drawing my attention to this recent blunder.)

Government archives and records in the news

Sorry about the light posting over the past couple of weeks. Between being under the weather for most of last week and getting ready to go on vacation later this week, a few things -- blog included -- have fallen between the cracks. Posting will probably continue to be light until the second half of next week, but I'll do what I can.

In the meantime, this trio of stories concerning various state archives may be of interest to you:

• Alaska Governor Sarah Palin has left office, but year-old public records requests for her e-mail are still outstanding. Alaska Democrats are starting to suspect that officials responsible for filling the request are stalling for some reason, but officials in charge of responding to the requests state that the delay is due to the staggering size of the requests and the state's limited resources. My own $.02: I'm really inclined to believe the officials. Given the fiscal climate, the generally wretched state of e-mail management within the public (and private) sector, and the unprecedented size and scope of the requests, they've got to be completely overwhelmed. And here's another $.02 for good measure: until governments do a better job of managing e-mail, requests of this nature will eat up a steadily increasing percentage of staff time and other resources.

• California now has a replevin law! Governor Arnold Schwarzenegger signed the bill, which was sponsored by Assemblymember Bill Monning, into law on the evening of 11 October. The legislation allows the Secretary of State, in consultation with the State Archivist, to take action to recover any "public record belonging to a state or a local agency . . . in the possession of a person, organization, or institution not authorized by law to possess the record.: Archival repositories that follow Society of American Archivists guidelines for managing and preserving historical records and observe state laws concerning access to public records are exempt from the provisions of this legislation, which is intended to protect records that may otherwise be lost to Californians.

• The Indiana State Archives has a very, very leaky roof, and, owing to the state's fiscal situation, the problem likely won't be fixed anytime soon. My heart goes out to my Indiana colleagues: they're dealing with this terrible situation as best they can, and being the subject of this sort of news coverage is never pleasant. However, sometimes a little attention from the Fourth Estate is the spur to legislative and executive branch action -- which is why I'm drawing your attention to these stories. If you live in Indiana, please contact your legislators and Governor Mitch Daniels and request that they act before disaster strikes.
  

And here's a federal-level tidbit. David Ferriero, who has been nominated to serve as the next Archivist of the United States, recently completed a pre-hearing questionnaire at the request of the Senate Committee on Homeland Security and Governmental Affairs. The questionnaire is now available online, and Ferriero's statements concerning the U.S. National Archives and Records Administration's Electronic Records Archives program and electronic records generally are pretty interesting. (A sweeping tip o' the hat to the indefatigable Kate T. over at ArchivesNext for finding this document!)

Government e-records

On the eve of the 4th, here are a couple of examples of the heady new opportunities and horrific challenges that governments face in the digital era:

• The City of New York's NYC Big Apps contest exemplifies how a little creative thinking can make government more open and enhance citizen access to government information. The city is inviting software developers to create applications that enhance access to and use of one or more of roughly 80 datasets created by 32 city agencies and commissions. Officials are still determining which datasets will be released -- and are soliciting public comment -- but some possibilities include restaurant inspection data, recreational facility directories, and citywide event schedules. The developers who produce the applications most useful to New Yorkers will get a cash prize, dinner with Mayor Michael Bloomberg, and opportunities to market their work.

• On the other hand, the plight of Alaska illustrates just how damaging deficiencies in government records systems and recordkeeping practices can be, particularly in an era of hiring freezes and scant funds for upgrades. Alaska officials have announced that, to date, they have devoted over 4,000 hours of staff time (roughly $450,000 in salaries) to attempting to fulfill freedom of information requests for e-mails sent or received by Governor Sarah Palin, who a few hours ago announced her intention to resign from office on 26 July. This unenviable situation is what happens when an unprecedented number of sweeping requests intersects with an electronic recordkeeping system that doesn't facilitate electronic search, retrieval, and disclosure of e-mail.
  

New York Archives Conference, day one

Grewen Hall, LeMoyne College

Yesterday was the first day of the New York Archives Conference (NYAC), which is being held at Lemoyne College in Syracuse. One of the things I really like about NYAC is its informality: many people either know each other or know of each other’s work, and the atmosphere is intimate and convivial as a result.

Today was jam-packed with sessions and other activities. IT started with a plenary session led by Maria Holden (New York State Archives), who outlined how the State Archives has responded to a recent internal theft and left the attendees with the following advice:

• It is up to you to take ownership of security. It isn’t something that just happens or is the concern of a handful of people.
• Do not wait until something bad happens. Addressing security issues before trouble occurs helps to avert problems and makes it easier to manage change and secure staff support.
• Become with security standards and guidelines relating to cultural heritage institutions.
• Do your due diligence: develop policies and procedures, and document what you have done to improve security.
• Remember that security is as much about protecting the innocent as it is about protecting collections. Employees need to understand that good security practices help to ensure that they will not become suspects in the event that a theft takes place.

The “Everyday -- Ethics (or What Do I Do Now?)” session touched on a host of related issues, and all of the panelists made some great points.

• Geoff Williams (University at Albany, SUNY) asserted that archivists need to question whether they should use their own holdings when conducting their own scholarly research; any archivist who does so will have to figure out what to do when other scholars want access to the results of their research and determine what to do when other users want to see the records that they’re using.
• Kathleen Roe (New York State Archives) discussed the thorny issue of collecting manuscripts, ephemera, and artifacts that fall within their own institution’s collection parameters and concluded that the safest course of action is to avoid collecting anything that, broadly defined, falls within the collecting scope of one’s employer; this approach avoids both the actuality and the appearance of impropriety -- and frees one to develop new collecting interests.
• Trudy Hutchinson (Bellevue Alumnae Center for Nursing History, Foundation of New York State Nurses) discussed how her nursing background informs her understanding of archival ethics and how, as an undergraduate majoring in public history, she had been required to develop a written personal code of ethics. She has since updated and expanded this code, which she discussed with her current employer during the interview process, and would like to see all archives students develop such does. (This is a great idea for current professionals, too.)
• Patrizia Sione (Kheel Center, Cornell University) discussed a variety of ethical issues that she has confronted, and noted that she would like to see employers develop written policies relating to scholarly research undertaken by staff. She also emphasized the importance of working with donors to ensure that the privacy of correspondents, etc., is appropriately protected; doing so will ensure that appropriate access restrictions are spelled out in deeds of gift. Finally, she noted that archivists need to be sensitive to the ways in which the pressure to assist researchers with ties to high-level administrators can conflict with their ethical obligation to treat all users equitably.

In the next session, “Can We Afford Not to Act? Strategies for Collection Security in Hard Times,” Richard Strassberg (independent archival consultant) and Maria Holden (New York State Archives) outlined a wide array of low-cost security measures.

Richard Strassberg noted that the recession makes protection of collections particularly important: instances of shoplifting and employee theft are on the rise, and archivists and researchers face the same financial pressures as everyone else. He also noted that the increasing prevalence of online finding aids and digitized images has had mixed results: although they make it easier for honest dealers and collectors to identify stolen materials, they also make it easier for dishonest individuals to hone in on valuable materials.

He then outlined what he called “minimal level protection” strategies for cultural institutions, all of which require staff time but don’t cost much:

• Have a crime prevention specialist employed by the local or state police do an assessment of your facility.
• Establish links with the local police so that they know that you hold valuable materials.
• Have a fire inspection conducted (but make sure that your management knows in advance that you’re planning to do so -- the fire department will close your facility if it finds serious problems that management isn’t able to fix).
• Get a security equipment quote; even if you don’t have the money, the cost might be lower than you expect, and having the quote will give you a fundraising target.
• Do an insurance review and have your holdings appraised; doing so will help you in the event that you suffer a loss.
• Protect your perimeter by tightly controlling keys and, if possible, screwing window sashes shut.
• Avoid drawing attention to valuable materials. Don’t put up red-flag labels (e.g., “George Washington letter”) in your stacks and be cautious about what you display to VIPs and other visitors.
• Tighten up on hiring. Conduct background checks if you can, and carefully check references by phone.

Strassberg emphasized that these measures will protect collections from “conditionally honest visitors,” but will not guard against thefts by staff. Moreover, they are not sufficient for repositories that hold materials of particular interest to thieves (e.g., collections relating to politics, sports, Native Americans, African Americans, and literary figures); such institutions will likely have to invest in electronic anti-theft technology.

In the event that a theft occurs or is suspected, contact, in the following order: your supervisor (or, if s/he is the suspect, his/her boss), the police, the donor (if applicable and he/she is still around), and your staff. Staff must be cautioned not to talk about the theft with family, friends, or co-workers. Also, develop a local phone tree -- external thieves tend to hit all of the repositories in a region within a short amount of time, and your colleagues will appreciate being informed. Avoid sending out e-mail alerts; you don’t want to document suspicions that might be unfounded.

Strassberg concluded by noting that librarians and archivists must be trained to confront suspected thieves in a legal and appropriate manner -- or how to set the process of confrontation in motion by contacting security or the police. They also need to know that they cannot physically prevent anyone from leaving the research room; in New York State, they might be guilty of battery if they attempt to do so.

Maria Holden then focused upon internal theft, which is the most common security threat that archives face. Employee theft is a complex problem, and full understanding of it is hard to come by. Theft is motivated by a variety of factors: personality disorders, gambling or substance abuse problems, retaliation for actual or perceived slights, and feelings of being unvalued.

We need to create a work environment that discourages theft and to control when, where, and how people interact with records; doing so protects not only the records but also innocent people who might be otherwise be suspected of wrongdoing. There are several ways we can do so:

• Hiring should be done carefully and with due diligence. The references of prospective employees should be screened carefully, and their collecting habits should be scrutinized carefully; the results of these checks should be documented. Many archives compel staff to adhere to codes of ethics and sign disclosure statements re: their collecting and dealing habits. The code of ethics developed by the Association of Research Libraries might be a good model.
• A number of recent thefts have been perpetrated by interns and volunteers. Develop a formal application process for interns and volunteers, document the process, and supervise interns and volunteers at all times.
• Keep order in your house. There is growing evidence in the literature that disordered environments can encourage delinquent behavior. Order begets respect for collections.
• Keep collections in the most restricted space possible. The State Archives has looked at every space in which records might be found (research room, scanning lab, etc.) and then figured out when it’s appropriate to bring records into a given space and how long they should remain in it. Develop overarching rules governing removal and return of records to the stacks.
• Keep collections in the most secure space possible, grant access rights thoughtfully, designate spaces for storage, work, and research, and establish parameters for working hours; many internal thefts occur during off-hours.

During the question and answer period, Kathleen Roe made an important point: Sometimes, people start out honest, then fall prey to gambling or other addictions or personal problems. We have to make it difficult for desperate people to steal from our holdings.

Richard Strassberg also emphasized the research proves that most people are conditionally honest, i.e., they won’t steal from their friends. We need to create work environments that make people feel valued.

I took part in one of the late afternoon sessions, “The Challenge of the New: Archivists and Non-Traditional Records,” which focused on various electronic records projects at the New York State Archives. Ann Marie Przybyla discussed our new e-mail management publication, Michael Martin detailed our Web crawling activities, and I discussed the processing and description of a series of records relating to the “Troopergate” scandal.

At the end of the day, we went to a reception and a great tour of the LeMoyne College Archives led by College Archivist Fr. Bill Bosch. Afterward, I went out to dinner with my State Archives colleagues Monica Gray and Pamela Cooley, Capital Region Documentary Heritage Program Archivist Susan D’Entremont, and Nathan Tallman, who just graduated from the University at Buffalo’s library school and is a project archivist at the Herschell Carousel Museum. We had a great time, and all of us would recommend Phoebe’s to anyone visiting Syracuse.

Bush e-mails

According to the Washington Post, the transfer of Bush administration e-mail messages to the National Archives might, for a variety of reasons, go less smoothly than desired:

Federal law requires outgoing White House officials to provide the Archives copies of their records, a cache estimated at more than 300 million messages and 25,000 boxes of documents depicting some of the most sensitive policymaking of the past eight years.

But archivists are uncertain whether the transfer will include all the electronic messages sent and received by the officials, because the administration began trying only in recent months to recover from White House backup tapes hundreds of thousands of e-mails that were reported missing from readily accessible files in 2005.

The risks that the transfer may be incomplete are also pointed up by a continuing legal battle between a coalition of historians and nonprofit groups over access to Vice President Cheney's records. The coalition is contesting the administration's assertion in federal court this month that he "alone may determine what constitutes vice presidential records or personal records" and "how his records will be created, maintained, managed, and disposed," without outside challenge or judicial review.

As the Post points out, previous administrations have also experienced technical difficulties or simply didn't want to transfer some electronic records to the National Archives. However, as Robert Blanton of the National Security Archive is quoted as saying, the quantity of electronic records created by the Bush Administration is much larger than that created by past administrations; as a result, both the cost of and the amount of time needed to recover improperly stored electronic records are going to be higher than they were in the past.

Another complicating factor: some White House aides improperly used Republican National Committee e-mail accounts to conduct official business. All such e-mail messages are subject to federal records laws, even if they were created and sent using non-governmental e-mail accounts. Administration officials are apparently negotiating with the RNC to secure copies of messages that meet the legal definition of a presidential record, but at present it doesn't seem that there is any definite timeframe for doing so.

The article notes that transfers of paper records from the White House to Dallas, where the George W. Bush Presidential Library will be located, and to NARA's Electronic Records Archives (identified in the story as "a remote Navy research center in the mountains of West Virginia") have already begun

At the Navy base, all the electronic data are supposed to be "ingested" by a new electronic system meant to allow such efficient cataloguing, indexing and searching that millions of documents can eventually be provided to researchers and citizens online.

"Ingested": I wasn't expecting to find Open Archival Information System terminology in a newspaper article. Maybe all of the attention being devoted to the Electronic Records Archives and the controversies surrounding presidential electronic records will gradually popularize the term.

The article goes on to explain some of the development and budget problems that the Electronic Records Archives project has experienced, and it includes a snippet of information about its e-mail searching capability:

The system, which has been under development for a decade by Lockheed Martin and other contractors at a cost of $67.5 million, will rely on software created after the collapse of Enron, when that company's creditors demanded new tools for quickly sorting its e-mail trove to find damaging information.

I wish the National Archives folks all the best as they take in truly mammoth quantities of electronic records, and I'll be interested in seeing what happens in the coming weeks, months, and years.

Records management at Apple

I've been meaning to post about this matter for a few days, but haven't had the chance . . . .

During the past few months, Apple and Psystar have been engaged in a running legal battle: Apple alleges that Psystar, which sells computers that come with Mac OSX installed, is guilty of copyright infringement, and Psystar alleges that Apple, which does not want other companies to sell computers that have Mac OSX operating system software factory installed, violates antitrust laws. Psystar's antitrust claims have just been dismissed, but it looks as if Apple's suit is going to make it to court in 2009.

From an electronic records angle, the most interesting aspect of this dispute is that it's led Apple to disclose some information about its electronic records management practices. The Industry Standard, which was apparently the first media outlet to make note of this fact, reproduces in its entirety a document outlining Apple's and Psystar's agreed-upon rules for responding to each others' requests for evidence; you can either view this document via the Justia.com scroll box that appears at the bottom of the page or download a copy in PDF format.

The good stuff is on pages 7-8 of the document, which contains Apple's statement about its routine records management practices and the actions it has taken as a result of the lawsuit:

At Apple, individual employees are tasked with maintenance of their own files including hard copy documents, emails, voicemails and other electronically recorded materials. Apple has not implemented any programs that result in the automatic deletion of emails. Similarly Apple does not determine which voicemails are saved or deleted by an individual recipient. However, the voicemail system is set up to delete saved messages after ninety days. At the institution of this lawsuit, Apple identified a group of employees who could potentially have documents relevant to the issues reasonably evident in this action. Apple then provided those individuals with a document retention notice which included a request for the retention of any relevant documents, including but not limited to emails, voicemails and other electronically-recorded materials relating to the issues in this lawsuit. As a result of the counterclaims asserted by Psystar, Apple has also sent out a follow-up retention notice asking for the retention of documents reasonably relevant to the antitrust and unfair competition claims asserted by Psystar. Apple will be working with Psystar to narrow the list of individuals from whom documents will be retrieved for purposes of this lawsuit.

As the Industry Standard asserts, it's a bit startling that a large (no. 103 on the 2008 Fortune 500 list), publicly traded technology company would have such a . . . decentralized approach to the management of its records. However, I don't think that Apple's approach is inherently "negligent," as an unnamed attorney specializing in e-discovery is quoted as saying. I also have to take issue with the Industry Standard's assertion that Apple has "no company-wide policy for archiving, saving, or deleting" records. Apple's policy is indeed company-wide -- it just makes individual employees responsible for managing the records they create or receive.

Is Apple's policy as good as it could be? No. Records managers concur that the best approach to the management of electronic records involves use of recordkeeping systems that have built-in records management applications. These applications manage records centrally, inform records managers when a given grouping of records has reached the end of its legal retention period and can thus be destroyed, and enable them to suspend the destruction of records that might be needed as a result of litigation.

However, it's plain that Apple is not the only large corporation struggling with electronic records management issues. Cohasett Associates' 2007 Electronic Records Management Survey: A Call for Collaboration reveals that although companies have begun addressing e-discovery concerns, incorporating electronic records into records schedules, and moving responsibility for day-to-day management of electronic records out of the hands of IT staff, they still have a lot of work to do:

• For most organizations, a great deal still remains to be done to achieve credibility in the management of their electronic records and, in time, a sustainable “best practice” level performance.
• Major gaps and risks related to the handling of archival and backup media were confirmed.
  
• Significant gaps in accountability for day-to-day management of all types of electronic records were reported.

So Apple isn't alone in having a less-than-perfect policy, and I can think of several reasons it hasn't adopted an more technologically oriented approach to records management. To date, it hasn't developed any recordkeeping/records management products of its own, and its vertically integrated business model, secretive corporate culture, and legitimate security concerns may militate against use of products developed by other tech firms.

Short of implementing a recordkeeping system that has a built-in records management application, how could Apple improve its records management policy? Well, one key element that Apple doesn't seem to have addressed (at least in this filing) is training, which is a prerequisite for the success of any records management policy. Sending out policy notices to staff is one thing. Explaining -- on more than one occasion -- the reasons for the policy, the importance of adhering to it, and how records management fits into the day-to-day operations of the organization is another, and organizations that fail to do so often find that their policies aren't producing the desired results.

Apple's statement also neglects to mention the extent to which its records management policy has executive support. Are the policy directives being distributed by counsel or mid-level managers with little fanfare, or are Steve Jobs and other senior managers repeatedly driving home the importance of adhering to these policies -- and ensuring that staff have the time needed to do so?

Finally, what of Psystar? Judging from the filing outlining Apple's and Psystar's agreement regarding responses to discovery request, it doesn't have any sort of records management policy in place. Here is the full text of Psystar's statement concerning its records:

Counsel for Psystar has personally counseled the principals of Psystar as to the retention of documents and other information as they pertain to the issues in this lawsuit. A retention notice was subsequently issued to the principals of Psystar memorializing the same. Retention of documents includes but is not limited to electronic mail, physical documents and things, and other electronically-recorded materials.

I get the distinct impression that even though Apple is falling short of the mark, it has devoted much more attention to records management issues than Psystar has. However, given that Psystar seems to have appeared out of thin air (even its physical location is a bit of a mystery), perhaps that's not surprising.

Update, 29 November 2008: In the interest of full disclosure, I've been an Apple user since the mid-1980s, when my parents purchased an Apple II-series machine, and my trusty (so far) mid-2007 MacBook is my constant companion. However, I don't believe that the company is infallible or that its products are flawless: I know two people who have had serious problems with the hard drives of brand-new late 2006 and late 2007 MacBooks, and I have my own Apple horror story involving a PowerBook 150.