Rational Insights: Discovering Secret Service Text Messages

Rational Insights: Discovering Secret Service Text Messages

Earlier this summer, we learned that the January 6th Select Committee sought to obtain Secret Service text messages on or relating to the insurrection at the US Capitol on January 6, 2021, only to be informed that any text messages from that timeframe were deleted across the agency. With this news, the gears in the minds of all of us in the eDiscovery world began turning, as we know there’s more than one way to recover a deleted text message. So, why aren’t common text message recovery methods applicable in this scenario? And why wasn’t a legal hold in place to preserve these messages?

Deleted Text Messages

When you or I delete a text message from our phone, from our perspective, the text disappears. However, it’s not truly gone. Forensic analysts have a myriad of tools that allow them to access not only the data we can see on our phones, but several layers of memory and other data remnants beneath. Deleting a text message from our phone simply removes the information from the device’s user interface. The underlying data remains stored on the device, which can be retrieved with tools like Cellebrite (a tool that can perform a full device image and analysis). When text messages are unable to be retrieved from a device, all is still not lost. Mobile carriers have been known to retain text message for several days past deletion, though they’re often successful in asserting the Federal Stored Communications Act to defend against subpoenas for production. For mobile devices that are part of a corporation’s data management plan, text messages might also be backed up on a server and recoverable post deletion.

So, why weren’t these options available for the Secret Service text messages?

The Secret Service deletion appears to be a part of what they are describing as “a planned reset and replacement program” or “system migration” across the agency. Not only were messages deleted, but phones were entirely wiped or reset to factory conditions. Compounding the problem, it would seem nothing was archived or backed up in the process, which complicates, but doesn’t entirely prevent the recovery of such messages.

A spokesperson for the Secret Service told CNN,

“We are taking all feasible steps to identify records responsive to the subpoena, to include forensic examinations of agency phones and other investigative techniques.”

The agency is likely using tools like Cellebrite to image and identify anything left on the phones after they were reset, looking for thumbnail files or partial remnants of data they can piece together that are associated with the January 6th timeframe. The agency may also be looking to phones that received messages from Secret Service agents, such as close relatives or colleagues outside the agency. Even though agency phones were wiped, any messages sent to people outside of the agency will be retained on the recipients’ devices. 

Shouldn’t this data be subject to retention policies or legal hold?

The Secret Service is said to have received three emails asking individual employees to personally upload data that was required to be retained prior to the system migration: two related to standard records management and a third specific to January 6th. A senior official told NBC that Secret Service employees received two emails — at least one prior to January 6th, 2021— reminding them to preserve records on their cellphones, including text messages, before their devices were wiped. A third email was sent on February 4, 2021, asking employees to preserve all data subject to the January 6th Committee subpoena. Devices were wiped shortly after the third email was received. 

The records management program of the Secret Service is not unlike that of many corporations: reliant on end users for the execution of records, privacy, and preservation policies on their own data. Unfortunately, relying on end-users almost always results in non-compliance, regardless of intention. After all, end users are trying first and foremost to accomplish the goals of their day job. 

Data Governance Platforms as a Shield

How can companies or our federal government avoid the legal, security, regulatory, and privacy liabilities that are inherent in end user non-compliance? By instituting an enterprise data governance platform that would allow administrators to auto-classify data and automate the preservation or retention of data in place, backing it up should the threat of deletion arise.

Enterprise data governance platforms like Rational Governance would have allowed key stakeholders to search for, identify, classify, preserve, and collect January 6th-related messages for all agents in real time, from a centralized interface. The Secret Service would also have been able to set up autoclassification to automate the preservation, collection, or retention of sensitive data, rather than leaving it up to the agents themselves. Had the Secret Service had an enterprise data governance system in place, we wouldn’t be having this conversation today. 

Whether or not forensic analysts are able to find any data crumbs of the January 6th text messages is yet to be determined. Regardless of the outcome, the Secret Service’s bumbling of routine records management activities shines a light on the vulnerabilities of information management policies that rely on end-users to for compliance. 

Sarah Cole

About The Author

Sarah Cole

Senior Director of Consulting
Sarah Cole serves as Senior Director of Consulting at Rational Enterprise. As a technologist and eDiscovery veteran, Sarah is best known for her ardent advocacy of predictive and textual analytics in the legal technology space.