I’m livid about FBI Director James Comey’s handling of the Huma Abedin e-mails. “Reckless” doesn’t begin to describe Comey’s self-indulgent decision to release information about a situation he clearly does not yet grasp, in a manner that elevates Jim Comey above longstanding Justice Department policy and the integrity of a Presidential election. Mr. Comey’s justification is couched entirely in his personal predilections, not those of the Bureau or Justice. It is all “I, I, I” and none of “we the Bureau” or “we the Justice Department.” Mine is a procedural objection, not a political one. Whatever my glee at seeing Trump exposed for the weasel I know him to be, I would be every bit as critical had Comey’s half-baked announcement concerned Trump’s e-mail as Clinton’s. But, Comey’s folly is an opportunity to glean some e-discovery insight. This post will not be a political screed, so while I always welcome critical and substantive comments on anything I write, please hew to the e-discovery aspects of same. Please.
Let’s start with a few facts on which even the most partisan among us can likely agree:
- Huma Abedin is a trusted senior aide for Hillary Clinton and has served in that role for decades. She started working for the First Lady as an intern in the 1990’s and was Secretary Clinton’s deputy chief of staff at the State Department. Abedin serves as vice-chairwoman to Secretary Clinton’s presidential campaign. Reportedly, the relationship between the two women is more like mother and daughter.
- Until two months ago, Huma Abedin lived with her husband, disgraced congressman Anthony Weiner, with whom she has a four-year-old son. Fed up with, and humiliated by, yet another instance of Weiner texting his weiner, Abedin announced the couple were separating on August 29.
- Four weeks later, on October 3, FBI agents seized a laptop, iPad, iPhone and router from Weiner, presumably from the home Weiner had lately shared with Abedin.
- Almost four more weeks later, in a letter dated October 28, 2016, Comey advised eight Congressional Committee Chairs and several other members of Congress:
  - “of the existence of e-mails that appear to be pertinent” to the completed investigation of the Clinton e-mail server; and
  - “that the FBI cannot yet assess whether or not this material may be significant” or how long it will take the FBI to determine whether the e-mails contain classified information or assess their importance.
There’s a lot the voting public doesn’t know about this material and may need to know. Paramount among the unknowns are those very things that Comey admits he is clueless about: Is the material pertinent and significant? What all of us want to know is whether we are dealing with new information, i.e., pertinent, significant e-mail that the FBI hasn’t seen before, or are these copies of communications that mirror what the Bureau has already seen and assessed in the Clinton inquiry?
“How much of this is new?” That’s the threshold question, and one that should have been answered before going public. It’s an issue frequently encountered in rolling e-discovery productions.
We are once more confronted with the challenge of cross-collection correlation of e-mail messages. I wrote quite a bit about that last month. Coincidentally, it was just a few days later that Director Comey and I were at the same table, speaking at the same program in San Juan. I lacked the foresight and testicular fortitude to lean over and say, “Hey, Yonkers Boy, bend your freakishly tall head down here and read this before you do something even more stupid than you did in your last press conference.” That would have been unforgivably ungracious, and there were a lot of guys with guns and curly earpieces around to discourage such a frank exchange, even between kids from adjoining villages (I grew up in Bronxville; Comey’s from Yonkers next door).
So you don’t think I’m dumping on Comey unfairly, I admire the renegade courage and sense he once showed by spilling the beans about another kid from my distant past, a Rice University ’79 Poli-Sci classmate named Alberto Gonzales, who became White House Counsel and did some pretty unsavory stuff at the bedside of ailing Attorney General John Ashcroft. I note the coincidental connections because they went on to power and fame. Neither one of these gentlemen would know me from Adam.
So, back to, “how much of this is new?” Here, I have to make some assumptions. I assume that the Abedin e-mails resided in one or more container files on the devices seized. I don’t know if the laptop was a PC or a Mac, and I don’t know if Abedin used Microsoft Outlook, an Apple mail app or something else. I further assume that the FBI didn’t simply use the devices to access webmail because, at this stage of the investigation, that would be illegal and it would horrifically corrupt the evidence. Bureau personnel understand digital forensics well enough to know that. So, let’s assume they used sound forensic practice and imaged the devices before undertaking triage of the data.
I say they’ve triaged the data because surely someone looked at the content at least long enough for Director Comey to report the messages “appear” to be pertinent. They have to know something more than that Abedin had e-mail exchanges with Clinton because Abedin had long ago testified to that fact (old news), and Abedin stated that she didn’t routinely delete e-mails (more old news). So, unless this is more nakedly political than imaginable, someone has accessed the messages using a forensic review tool affording a look at the data seized and allowing the messages to be processed and hashed. As well, they would have the unique message IDs and other useful intelligence from the headers of the messages to support quick, cross-collection de-duplication.
The Bureau has already painstakingly vetted tens of thousands of Clinton e-mails, permitting the Justice Department to conclude that no crime had been committed or, as Mr. Comey put it on July 5, “we cannot find a case that would support bringing criminal charges on these facts” and “no reasonable prosecutor would bring such a case.”
Assuming the Bureau had the same metavalues (like Message IDs) from the tens of thousands of messages they’ve had for months and which they have scrutinized with excruciating exactitude, why have they not made a hash-based comparison of the comparable components of the messages to assess how much is new and how much is yesterday’s news? If they failed to do so because they lacked the legal authority to proceed (i.e., a more specific warrant than that used to seize the devices), then Mr. Comey should have followed Justice Department guidelines and not selectively released incomplete and potentially misleading information about a ‘concluded’ investigation impacting a presidential contest.
It’s not like they wouldn’t get the warrant, for heaven’s sake! After nearly four weeks with the devices, Mr. Comey might have waited for the results of a mechanized analysis that would typically take minutes against a single custodian’s locally-stored e-mail.
Would cross-collection deduplication tell the FBI whether laws have been broken? It’s unlikely. But, would it have supplied some insight into the content and whether it’s new stuff or old? It would, and it’s sound practice.
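The comparison described above can be sketched in a few lines; this is an added example, not part of the original post and not the FBI's or any vendor's tooling. It keys each message on its Message-ID and, where a previously reviewed item has none, on a hash of normalized header fields (sender, recipients, UTC date, subject), since a hash of the whole file would differ between copies that passed through different servers. All addresses, IDs and messages are constructed samples.

```python
import hashlib
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime


def _utc_date(value):
    """Normalize a Date header to UTC so time-zone rendering does not matter."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):   # header missing or unparseable
        return ""
    if dt.tzinfo is None:             # "-0000" yields a naive value: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def keys(raw):
    """Return (message_id or None, sha256 over normalized header fields)."""
    msg = message_from_string(raw)
    mid = (msg.get("Message-ID") or "").strip().strip("<>") or None
    sender = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = sorted(a.lower() for _, a in
                   getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])))
    subject = re.sub(r"\s+", " ", msg.get("Subject", "")).strip().casefold()
    basis = "\x1f".join([",".join(sender), ",".join(rcpts),
                         _utc_date(msg.get("Date")), subject])
    return mid, hashlib.sha256(basis.encode("utf-8")).hexdigest()


def triage(prior_raw, seized_raw):
    """Sort indexes of seized messages into already-seen and new buckets."""
    prior = [keys(r) for r in prior_raw]
    known_ids = {mid for mid, _ in prior if mid}
    known_fields = {fk for _, fk in prior}
    result = {"dup_by_id": [], "dup_by_fields": [], "new": []}
    for i, raw in enumerate(seized_raw):
        mid, fk = keys(raw)
        if mid and mid in known_ids:
            result["dup_by_id"].append(i)
        elif fk in known_fields:      # candidate match only; confirm by review
            result["dup_by_fields"].append(i)
        else:
            result["new"].append(i)
    return result


# Constructed sample data: the previously reviewed collection ...
PRIOR = [
    ("Message-ID: <a1@mail.example.test>\nFrom: Alice <alice@example.test>\n"
     "To: bob@example.test\nDate: Mon, 03 Oct 2016 09:15:00 -0400\n"
     "Subject: Schedule\n\nBody\n"),
    # no Message-ID, as if coded from a printout
    ("From: bob@example.test\nTo: Alice <alice@example.test>\n"
     "Date: Tue, 04 Oct 2016 18:30:00 +0000\nSubject: Travel plans\n\nBody\n"),
]
# ... and the newly seized collection.
SEIZED = [
    ("Received: from relay.example.test\nMessage-ID: <a1@mail.example.test>\n"
     "From: alice@example.test\nTo: Bob <bob@example.test>\n"
     "Date: Mon, 03 Oct 2016 13:15:00 +0000\nSubject: Schedule\n\nBody\n"),
    ("Message-ID: <b7@mail.example.test>\nFrom: Bob <BOB@example.test>\n"
     "To: alice@example.test\nDate: Tue, 04 Oct 2016 14:30:00 -0400\n"
     "Subject: Travel   plans\n\nBody\n"),
    ("Message-ID: <c9@mail.example.test>\nFrom: alice@example.test\n"
     "To: bob@example.test\nDate: Wed, 05 Oct 2016 08:00:00 -0400\n"
     "Subject: New item\n\nBody\n"),
]

if __name__ == "__main__":
    print(triage(PRIOR, SEIZED))
```

A field-key match is weaker than a Message-ID match: two distinct messages with the same parties, subject and timestamp collide, so those hits are candidates for confirmation rather than proof of duplication.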
Why should we expect sound, cautious practice from the Director of the FBI while early voting is proceeding? Because that’s what Justice Department policy requires. Doing the necessary groundwork before going off half-cocked is also good e-discovery and good forensics.
In my work as a forensic examiner, the decisions I’ve rued the most were those where I unwisely shared incomplete information with parties crazed to know something that would advance their position. No amount of cautionary disclaimers stopped them from making reckless claims before all the facts were in. That’s on me.
This mess is on Comey.
Steve Wade said:
Thanks Craig! Finally a sane reasoned analysis of this situation. Well done!
Chris A Quintanilla said:
The announcement should have been made, at an absolute minimum, after a judge made a decision regarding the warrant. Ideally, it would have been after the warrant was issued and there was a determination whether there was new evidence.
Andy Wilson (Logikcull.com) said:
I would LOVE to see the many drafts of this post before you published it, Craig =)
Who would’ve thought that an eDiscovery mess could sway the election? Unreal. There will be many lessons to come from this e-debacle and I look forward to seeing your subsequent posts on the matter.
craigball said:
No drafts. Probably should have been, once I see all the typos. Could have slept on it, too.
I don’t think it will sway the election. I think it means a terrible burden on Ms. Abedin, who’s been through the wringer already. I think that it will be a blow to Mr. Comey. In his effort to be above the fray, he ends up with his Weiner in the dirt.
Bob Barnes said:
Mr. Ball: You will never in a bazillion years be able to persuade anyone that your attack on Mr. Comey is not partisan. (Of course, just because it’s partisan doesn’t mean it’s not right.) You say, “I’d be just as outraged if this were an attack on Trump,” but you can cite no evidence. There are many, many outlets for expressing your view, and I am agnostic about the merits. My only point is that your rant is not why most of us subscribe to your very helpful and informative blog. Your political passions do not need to affect (or infect, depending on one’s perspective) everything you do.
The best news is that this is not “outcome-determinative.” Ms. Clinton will still win on November 8. She probably will not keep Mr. Comey as FBI director.
DISCLOSURE: I went to law school with Jim Comey, and I might even have been in his section. (That was a LONG time ago.) But I have had no personal or professional involvement with him since we left Hyde Park, and I think he’s a bit liberal for my tastes.
Thanks.
craigball said:
I’ve made no secret of my personal choice in this race. I’m with her.
Mr. Barnes, when you claim that there is “no evidence” that what I say is how I feel, I have to wonder where that comes from? There’s a great deal of evidence going to the consistency of my views in that I’ve published something laying out my opinions at least monthly on average for upwards of a dozen years. On this blog. In Law Technology News. On the EDD Update blog. In dozens of published papers. In upwards of 1,750 speeches. If you knew me, with whatever insight into my heart and character you’d have, I suppose you’d be within your rights to say, “I don’t believe you’d feel as you say.” But, do you know me? Why would I need to say anything other than what I feel on my own blog? Who do you think I need to impress? Who do you think I’d be fooling?
As to other outlets for expressing my views, I can’t think of one where I should be more entitled to same than on my own personal blog. No one is sponsoring me, and I’m not speaking for anyone else, nor do I seek to leave another impression. I don’t want to lose your interest, and I rarely stray into politics. But, this front page news item is, squarely, an ESI issue; and, it’s a learning opportunity, whatever one’s politics.
When this election is over, I will studiously try to keep my politics to myself once more and stay focused on e-discovery and computer forensics; that is, until and unless e-discovery and computer forensics become front page news again and I see a teachable moment like this one.
I appreciate your being a reader. Thanks for weighing in.
Angel Tomasino said:
I appreciate this post, quite a bit. After reading the breaking news stories, my first thoughts were “I wonder what Craig Ball thinks”, and — thanks to the education you’ve provided here and elsewhere — surely it’s not hard to figure out whether these emails are “new”. Thanks, Craig, for the insight and sharing your views.
craigball said:
That’s very kind. Thank you.
Frank Daddario said:
I just feel for the FBI agent that has to handle WEINER's keyboard
Steve Sanchez said:
Food for thought from the law enforcement perspective of things. What I read into the Comey statement was that the FBI did find something that will change the outcome of the Clinton investigation.
And while they cannot comment on the specifics this soon in that investigation Comey wanted to go on record that they do have new evidence that pertains to the Clinton Investigation. Which as a retired LEO is what I read into that. I’m hoping that is the case since I am basing my opinion on his letter and comments.
If Comey is in fact premature and does not have any “new” evidence then I agree his actions are shameful and misleading. My guess is that is not the case.
craigball said:
Mr. Sanchez, Your guess is as valid as any guess might be. But, considering that the warrant hadn’t been secured when the letter was sent and that Mr. Comey used language so vague as to leave himself a giant Emily Litella “never mind,” my guess is that we will be speculating about the cryptic import of same until the last ballot is cast. The alternative, I suppose, are daily updates to keep the e-mail issue on the front page for the coming week. My heart (an untrustworthy organ on its best day) tells me that Comey is acting from egoism, not political opportunism. I don’t think he’s trying to help Trump. Maybe, Comey is trying to help himself in the eyes of his LEO colleagues who won’t be satisfied until and unless an election eve indictment of someone on the Clinton team issues on some theory–frankly, on any theory. I’d guess out of the New York office in a rogue action. But, we are both guessing based on speculation, which is just the sort of thing the DOJ policy was intended to forestall in an election. Thanks for weighing in.
Joy Holley said:
EXACTLY! Craig, thank you for saying so clearly what all of us in the industry have been screaming at the television.
bburney said:
Craig, I understand that many of the e-mails originally turned over by the Clinton campaign a year or two ago were printed pages. So how will they hash-compare what is new?
craigball said:
It depends upon how complete the content of the printouts were. Did they include all the header data, such that OCR of message IDs and other fields is feasible?
If you follow what I’ve been hammering home for ages, you know that I regard it as a big mistake for e-mail content and productivity files to be supplied in other than their native and near-native forms. The protocols I’ve promoted for years make this inexpensive and easy, including practical provisions for redaction and Bates numbering. Several government agencies have production protocols that mirror my own with respect to native and near-native productions. I suggest that what happened is that someone failed to intelligently address forms of production for these things and thus ended up getting degraded forms that make their work difficult. This could be entirely the fault of the requesting party. Congress? Justice? FBI? I don’t know. Who sought the mail?
In the world of e-discovery, if requesting parties don’t pay close attention to forms of production from the very start and don’t fight to get complete, utile forms, they can expect to get degraded productions like printouts and TIFF+. The other side isn’t going to carry your water for you. That’s as true in politics as it is in litigation.
Bill Speros said:
Obviously, what happens in the FBI remains within the FBI, at least until it leaks out.
But even if the MessageIDs were not provided for the pre-existing, paper-based e-mails, sufficient details (e.g., To, From, Date, Subject Line, etc.) could be accumulated from them–and probably by now should have been–via normalized, objective coding.
Those fields’ data can be concatenated easily to form imperfect but still helpful keys against which to compare newly recovered e-mails to identify new e-mails.
Bill Dimm said:
“Assuming the Bureau had the same metavalues (like Message IDs) from the tens of thousands of messages they’ve had for months…”
Not a good assumption. Clinton turned over her emails on PAPER (with very little header data), so they would have to near-dupe against OCR to find out what they already have. From Clinton’s website:
“In fact, more than 90% of those emails should have already been captured in the State Department’s email system before she provided them with paper copies.”
https://www.hillaryclinton.com/briefing/factsheets/2015/07/13/email-facts/
craigball said:
Dear Bill:
If they had 90% as ESI, that’s still a huge collection against which to de-dupe. I addressed the printout issue in my earlier response to Brett Burney: viz.,
Bill Dimm said:
The 90% number was provided by Clinton, and I believe is claimed to be vastly too high because State Dept. systems didn’t automatically retain everything that went through a state.gov address.
Michele Lane said:
I am very grateful for this post. I can trust the information and begin to understand what is going on.
Thank you, Craig.
Michele
Michele Lane
Assistant Director
Pennsylvania Bar Institute
http://www.pbi.org
Doug Austin said:
Thanks, as always, Craig, for an interesting and thought provoking post. No surprise there are a ton of comments on this one. Two (non-political) thoughts come to mind from the post and the follow-up comments from your readers:
1. My experience with the 80/20 rule (or, in this case the 90/10 rule) is that 80% of the effort is spent on that last 20% of the result. So, while the “more than 90%” were captured in the State Department’s email system (according to Clinton), there is still quite a bit of effort required on that last 10% or less to determine whether anything is new in the Weiner/Abedin emails (and, to Craig’s point, should be gone through before going public).
2. The fact sheet from Clinton’s site (thanks, Bill Dimm, for providing a link) shows how our government is just as behind as the rest of the legal profession (if not more) with regard to production formats with this statement as to why the State Department was given printed copies: “That is the requirement. The instructions regarding electronic mail in the Foreign Affairs Manual (the Department’s policy manual) require that ‘until technology allowing archival capabilities for long-term electronic storage and retrieval of email messages is available and installed, those messages warranting preservation as records (for periods longer than current E-mail systems routinely maintain them) must be printed out and filed with related records.’ [5 FAM 443.3].” Awesome.
SLPerry said:
The forensics and “spin” have been a joke since this first began. You of all people should know this data was available to anyone with a decent skill set and proper tools. Why do you choose NOW (to paint you with your own brush) to start a technical dialog which should have been ongoing for years. Neither of these candidates speaks binary, you do. Shame. You have a voice, where was it months ago! I have no dog in this fight except the governmental ugliness that twists the capabilities of real technology. Sorry, do not know you, just venting.
craigball said:
Well, what do so say to this? Sorry? Except what do you think I do with my days except fight battles for transparency and competence? This story broke and I wrote on it as soon as I could. If it had emerged earlier, I would have written earlier. When and how did I miss your articles on this???
SLPerry said:
My apologies. I do not generally engage in commentary. I’m just an old nerd lawyer. As for articles I have no audience. I have great respect for what you have done – I use the information and opinion daily.
craigball said:
No sweat. One nerd lawyer to another, these are touchy times for everyone. I will be glad when Tuesday is behind us.
Melinda F. Levitt said:
Thank you, Craig. As an attorney who regularly works on complex ediscovery matters, this whole Clinton email saga has been both amazing and perplexing. I hope that there comes a time when we all can have enough information from the various federal agencies so that we can examine what really happened, how and when in terms of ediscovery analysis of the data. Anyway, thanks for tackling the subject now — and I have a feeling that we all will be talking about this for a long, long time.
Eric said:
There is no precedent on cases similar to the Clinton email investigation where a case is declared closed and then reopened before an election.
If Comey was silent on reopening the investigation, and Clinton wins the election, and if she’s then found guilty, there would be an outcry from the other side claiming election rigging and politicizing the FBI…
Warrants are public information, the FBI can’t seek one to look at the emails without a warrant. They also need an active investigation to get a warrant…
Tom Dwyer said:
Thanks again for a wonderful article and great insight. The one thing we can all agree on is that the gov’t has mis-handled the whole email situation from the very beginning.
How the highest levels in our gov’t can get away with practices that most of us consider basic is beyond belief. Allowing productions in paper format, letting high ranking officials create their own server networks, not keeping an archive of all communications of those same officials.
Our gov’t requires industries (think Dodd Frank and Sarbanes Oxley) to preserve data and adhere to specific protocols but doesn’t think twice when it comes to keeping their own house in order.
I won’t even go into the impropriety of the actions of the Secretary, Attorney General and Director. Transparency is a long, long ways away.
Adrian Skinner said:
While I respect the idea you put forth about avoiding partisanship, I must agree with Mr. Barnes – there’s a clear partisan tone to your post.
As prior military and a discovery professional (one who also lives and works in Austin, Texas) I’m deeply distrustful of the Clinton camp and find numerous faults in the handling of responses to discovery related to the Clinton personal email server.
Where was the legal hold notice?
Why were 33,000 messages deleted from the system when there was a clear duty to preserve?
This action alone constitutes spoliation and ought to be enough to bring prejudice against Clinton for mishandling confidential secret, top secret, and special program documents while Secretary of State – an offense that carries loss of security clearance and potential felony charges for the offender.
Indeed, military court case law (which has precedence here) shows little leniency for mishandling classified information. David Petraeus was fined $100,000 and sentenced to two years probation after providing his hand-written and classified “black books” about Relentless warfare to Paula Broadwell.
In a recent article for the Wall Street Journal, former Attorney General Michael Mukasey highlights how Loretta Lynch and the Justice Department have abdicated their duties and placed Comey in a no win situation. Americans don’t trust the Justice Department and why should they when Lynch is having special meetings with Bill Clinton on an airport runway?
There was clear evidence of wrongdoing and cover up on the part of Hillary Clinton and her staff while she served as Secretary of State. Justice has an obligation to convene a Grand Jury to review evidence collected by FBI investigators in order to determine if charges should be brought. This is how our legal system is supposed to work whether you’re a sailor on a submarine or the Secretary of State.
graytabbyblog said:
Thank you for writing this. I’ve been lecturing the television for days. I’m curious as to how the FBI is handling ediscovery, because as you, and many of the other commenters on this post, have pointed out, there are many ways in which to (reasonably) quickly verify whether or not the emails are new, and if so to then have a reasonable idea whether they are cause for further investigation.
Marc Hirschfeld said:
The Wall Street Journal reported that there were 650,000 emails on Weiner’s machine. It wouldn’t have been necessary to do the hashing and comparison that you suggested and yet they would still know that there is new material on this machine. The fact that they didn’t do a comparison with the old data was likely because they didn’t have a search warrant to do that yet.
craigball said:
That 650,000 number gives me pause as I question whether it reflects a recursive count of items in the collection versus a count of top level messages. The tools that process e-mail typically count items recursively, so that big number may include attachments or individual calendar entries and contacts. I don’t know the particulars as I write this, but an assertion of 650,000 discrete top-level messages is one I would want broken down a bit before I accepted it as an accurate count of receipts and transmittals. But, taking your point as an observation that 650,000 is a much bigger number than, say, 45,000, I can’t disagree. It’s apples and oranges here. The scope of the investigation and any warrant won’t be communications to and from the world. The scope for the Weiner investigation will presumably go to the underage sexting charge, and the scope of the Clinton investigation will presumably go to whether there is evidence of knowing mishandling of classified information via the Clinton e-mail server. Within that limited scope, the 650,000 number is a red herring. A domain and addressee filter will tell an analyst a lot, and that requires little sophistication or time to complete. If they don’t already have those counts or relevant items and some insight into replication, we should be loudly asking WHY NOT?
Melinda F. Levitt said:
Well, given the news that broke this Sunday afternoon, maybe the FBI discovered that it too can use the types of e-discovery tools that all of us reading and commenting on this post have used for years.