A federal court has given the White House until March 21 to explain why it should not be forced to copy all its hard drives and other storage media that could contain copies of the millions of e-mail messages that two groups suing the White House say have been lost.
The order raises the possibility that the Bush administration, which has been required to preserve backup and disaster recovery tapes covering a two-year period that includes the invasion of Iraq, key developments in the Valerie Plame investigation and Hurricane Katrina, could also be forced to preserve forensic copies of the storage space on its live workstations.
The same U.S. District Court in Washington ordered the White House to preserve its backup tapes in November as part of ongoing litigation brought by George Washington University’s National Security Archive (NSA) and Citizens for Ethics and Responsibility in Washington (CREW), which allege that the Bush administration failed to abide by the Presidential Records Act by not archiving millions of e-mail messages between March 2003 and October 2005. The act requires each administration to maintain official communications, including e-mail, and give those records to the National Archives and Records Administration when it leaves office.
But the two groups suing the administration say that information that has become public since November has made that temporary protective order insufficient. They allege that a sworn statement by Theresa Payton, chief information officer in the Executive Office of the President’s (EOP) Office of Administration (OA) regarding the information contained on backup tapes and the administration’s knowledge of potential e-mail loss conflicts with information that emerged during a congressional hearing on the subject last month.
Today’s court order comes after a March 11 NSA motion requesting that the protective order on backup tapes be expanded to cover live workstations and that the groups be allowed to take emergency depositions from Payton and NARA officials. NARA is also a defendant in the lawsuit.
The administration denied any inconsistencies between Payton’s sworn statement and her congressional testimony in a March 14 motion opposing NSA’s March 11 motion. The administration also asserted that taking sworn depositions from senior OA and NARA officials would amount to “fishing expeditions.” Administration officials have also repeatedly questioned the veracity of a 2005 White House study that identifies hundreds of days when various components of the White House had no archived e-mail. Payton has also said she believes that any missing e-mail is contained on the backup tapes.
However, in today’s order, Federal Magistrate John Facciola noted that if e-mail messages had not been properly archived as plaintiffs allege and copies are not contained in backup tapes, then the deletion of e-mail on the hard drives that have not been archived could result in irreparable harm to the plaintiffs. He also noted that between March 2003 and October 2003 no backup tapes exist. Payton has said that the White House began maintaining all backups in October 2003.
The CREW and NSA lawsuits are aimed at getting the White House to restore the messages the groups say are missing and to force the administration to implement a new automated records management system. Since the White House did away with the Clinton-era Automated Records Management System, the administration has been relying on journaling, a manual process in which employees assign file names to individual messages and save them as .pst files on White House servers.
Facciola said compliance with the archive’s proposed order would require EOP to quarantine every workstation and cause it to halt daily operations — a measure he called draconian.
Facciola said he is weighing several issues in deciding whether to recommend that the court expand the temporary restraining order. He’s balancing the costs the defendants would face in the forensic process, the irreparable harm they face, the likelihood of success and whether the public interest would be furthered by the injunctive relief.
Richard Smith, a forensic specialist at Boston Software Forensics, said the process of making forensic copies of hard drives can be time-consuming and expensive, costing up to $1,500 and taking several hours to complete per machine.
He added that the process is standard computer forensic work in the private sector and could cost less if economies of scale are considered. Smith said the process involves duplicating the hard drive and then building an index and analysis program to search through the copy of the hard drive.
However, although he said that sometimes remnants of deleted files still exist on workstations even after they are deleted, he is unsure how likely recovery is after three to five years.
“I think the probability of finding very much is relatively low given how much time has passed,” he said.
Scott Stanzel, a White House spokesman, said that the administration is reviewing the order and intends to respond appropriately.
The court said that the administration’s response needs to include an affidavit describing costs that would be incurred in making forensic copies and other facts that would involve complying with such an order, if it were made. NSA has until March 25 to respond.
