Missing E-Mail Is the Least of the IRS's Problems
By Megan McArdle
Last Friday afternoon brought a disturbing news dump from the Internal Revenue Service: A big chunk of Lois Lerner’s e-mail has disappeared. A hard drive crash, the agency says, permanently destroyed much of Lerner’s e-mail in 2011, wiping out records from the previous two years.
This is the critical period during which some suspect she may have coordinated with the White House to target conservative nonprofits for special attention. So naturally, many are suspicious that this is a convenient cover-up for destroying evidence, along the lines of the infamous missing 18 minutes of the Nixon tapes, which were allegedly erased when President Richard Nixon's secretary, Rose Mary Woods, accidentally stepped on the recording pedal while answering the phone. The very least you can say is that the timing looks awfully suspicious: The sudden destruction of Lerner's archived e-mail seems to have occurred on or around June 13, 2011, just 10 days after Representative David Camp sent a letter to then-IRS Commissioner Doug Shulman asking whether conservative groups were being targeted.
As it happens, I used to administer just the sort of e-mail systems that the IRS seems to be using. So I fired off a set of queries to the IRS about its e-mail system, its archiving policies and how the loss of data happened. Many of those queries remain unanswered, but I was given some documents that explain how the files could have been lost. My conclusion: It is plausible that this was an innocent coincidence. But it is only plausible if the IRS is managing its IT systems so badly that it is very easy to lose critical records -- or for abusive employees to destroy the evidence of their misbehavior. A private company under investigation that responded to regulators, or a judge, with this sort of explanation rather than producing the requested documents would rightly expect to be handed an adverse judgment or a whopping fine. This incident should be thoroughly investigated, and steps should be taken throughout the government to make sure that no similar incident can ever happen again.
As far as I can tell, the agency is using exchange servers with Microsoft Outlook e-mail clients. In a system like this, messages are normally stored on the server. However, the IRS sharply limits the size of mailboxes. In 2009, the limit was 150 megabytes; by 2011, it had increased that to 500 MB. Either way, this is a low limit, in these days of sizable attachments. This would require anyone but the proverbial Web-browsing grandmother to regularly archive their e-mails on a hard drive or delete them.
According to documents provided by the IRS, Lerner was archiving her e-mails on her local hard drive, which developed fatal problems (bad sectors) in the middle of June 2011. The data proved unrecoverable despite heroic efforts on the part of the IT staff. They can partially reconstruct her mailbox by searching the archives of other IRS employees but cannot retrieve any e-mails to or from outside users, because the server's backup tapes have been recycled, and the hard drive is gone.
Is this plausible? Unfortunately, yes. I have worked for organizations that used these sorts of restrictions on hard drive space.
However, it’s also moronic IT policy. Hard drive space has been dirt cheap for more than a decade. The IRS's policies on e-mail storage were primitive even by the standards of 15 years ago, when I was working as a technology consultant. At that time, it was bog standard policy at every office I worked at, including small businesses, to regularly pull a set of backup tapes out of rotation -- once a week at financial firms, once a month at smaller businesses with less regulatory overhead, once every three months for the truly cash-strapped -- and stash it in a vault in case you needed to recover something later. It should not have been possible for the IRS to lose more than a few days -- at most a few weeks -- of Lois Lerner’s e-mail. Unfortunately, the IRS only started storing its backup tapes last year, long after the scandal broke.
Such policies indicate either an agency that is not concerned with preserving good audit chains or one that has an extremely penny-wise, pound-foolish approach to IT policy. At prevailing wages -- and hard drive prices -- it is a waste of money to force even your lowest-level employee to spend time painstakingly deleting or archiving e-mails. If IRS staffers don’t have anything better to do with their time, then the IRS needs fewer staffers, not stricter mailbox policies.
In the case of a government agency, however, it’s especially troubling. Records pertaining to agency decisions are supposed to be systematically archived forever. I’m not saying that the IRS's e-mail retention policy is uniquely bad in the federal government, only that whatever the current practice is, the IRS did not preserve nearly as much as one would like in a representative, transparent democracy.
First, it made it difficult for even the most well-intentioned of users to preserve any significant amount of e-mail. Second, the documents seem to show that it left the choice of what to save up to individual users, with, as far as I can tell, no ability to audit those decisions after a short period. Third, most of the e-mails that were retained would end up on local hard drives that weren’t backed up. And fourth, the IRS inexplicably declined to archive any of its backup tapes. This left it wide open to losing important records, either to deliberate destruction or unfortunate accident.
My experience in IT is, of course, a bit elderly at this point (I installed my last Exchange server in 2003), but given the normal lifespan of a well-cared-for computer, it seems likely that most e-mails would be permanently lost within five years, as hard drives failed and users left the agency or moved to new computers. Within a much shorter period, it would be easy for a malfeasant employee to engineer an oopsie that destroyed anything incriminating.
If I were in charge of data policy for the IRS or any other government agency, I’d make it damned hard to permanently delete so much as a single e-mail. But if it didn’t want to upgrade its servers for permanent archival (however absurd this may seem in an era when Google will give me 20 GB for free), there were other ways to ensure that e-mail at least survived a catastrophic hardware failure -- for example, with a login script that routinely scraped (compressed) Outlook archives, Word documents and Excel files up to a (backed-up) server. I was writing such login scripts for Microsoft servers in 1998, so it seems unlikely that the IRS hadn’t heard of this idea, or that it lacked the technical expertise to implement it. It apparently simply didn’t bother.
The IRS's response on this is that more storage is expensive (it would cost, it says, more than $10 million to upgrade the servers to handle unlimited mailboxes). It also complains that it’s incredibly time-consuming to manually search everyone’s hard drive. But it should have been able to get the job done in 10 minutes -- by archiving Lerner’s e-mail account and sending it to the investigators. The only reason it has to waste thousands of man-hours manually searching the hard drives of other employees is that it first decided to waste thousands of man-hours manually deleting e-mails or storing them on local hard drives where they wouldn’t be backed up. This to save $10 million at an agency with an annual IT budget of $1.8 billion.
Using relatively conservative assumptions -- 90,000 employees, making $50,000 a year on average, spending half an hour a week deleting or archiving e-mails to stay below their mailbox limits -- the IRS is wasting almost $6 million a year just on the labor being used to actively make records less secure and available to audit. At the companies I’ve worked at with e-mail caps, half an hour a week is probably less than most of us spend managing e-mail; once you hit the caps, you have to spend a whole lot of time fiddling with your e-mail box, because if you go above your limit, Exchange won’t let you send any more e-mail.
But call it 15 minutes a week, and we’re still talking about a policy that pays for itself with higher productivity in a few years, while also improving your audit trail. If the IRS is hard-put to find the money for this kind of systems improvement, then Congress should immediately provide it.
In short, yes, there is an innocent explanation: An accident combined with a really bad e-mail storage policy to wipe out critical records. There’s also a semi-innocent explanation, where really bad storage policy could have enabled Lerner to arrange a hard drive accident that destroyed incriminating e-mails before she had to respond to Camp’s initial letter. I find the innocent explanation much more plausible than a conspiracy, or even the semi-innocent explanation -- even assuming that she was conspiring with the White House, why bother with the elaborate schemes when you could just send your incriminating e-mails from an outside account?
But that still leaves me really concerned about the terrible policy decisions. The timing of the data loss is incredibly suspicious, and the IRS has left itself completely unable to answer those suspicions with anything better than a shrug. It should expect -- in fact, it should request -- a thorough outside investigation of this incident, but even the most scrupulous audit will not be able to entirely quell the worry that the IRS enabled a rogue agent to get away with destroying evidence.
To believe the IRS requires a pretty low opinion of government competence. My friends who work in regulated sectors such as finance are outraged by the IRS's description of how it was running its backup process, because the government subjects them to constantly ratcheting standards for document retention -- specifying how long, and on what format, they have to keep every communication ever generated by their firms. How dare they demand higher standards of regulated companies than they do of the regulators?
In 2014, every government agency should be storing every e-mail that goes in or out in an easily accessible format. That they weren’t bothering suggests that the IRS does not expect to deliver the kind of accountability that it routinely demands of taxpayers. That’s potentially a much bigger problem than anything Lois Lerner stands accused of -- and it should be rectified, government-wide, with all due speed.
http://www.bloombergview.com/articles/2014-06-17/missing-e-mail-is-the-least-of-the-irs-s-problems
