BE BREITBART: Update 9: DES Right To Know Update : DOIT and DES - convoluted hiding - Granite Grok

BE BREITBART: Update 9: DES Right To Know Update : DOIT and DES – convoluted hiding

OK – still catching up here.  Late on Friday, I received the latest update from the DES RTK dude – and to be honest, my reaction was two-fold:

  • turning on all the burners and the ovens of a commercial kitchen range had nothing on me.
  • And as Steve posted: Game On

                                                                                                                              April 13, 2012

David “Skip” Murphy

9 Gilford Glen Road

Gilford, NH 03249

RE: Request for Records Pursuant to RSA 91-A – Final Response

 Dear Mr. Murphy

I am writing to provide you additional information in order to conclude DES’s and DOIT’s response to your request for records pursuant to RSA 91-A. The first and second preliminary responses issued by DES and DOIT on March 27, 2012 and April 5, 2012, respectively, addressed all of your specific requests except Request 7.c., relative to web traffic data. That request is the subject of this letter.

You requested “[a]ny and all electronic records that show outbound traffic to any and all non-State related websites from the IT department[‘]s proxy servers, outbound routers / designated Internet gateways emanating from the use of Mr. de Seve’s computer usage” and packet level records what will contain…[t]he [destination] IP address of such traffic generated by Mr. de Seve.” As previously discussed, DOIT’s system do not log capture, or otherwise retain packet level details or content of inbound or outbound internet traffic. However, DOIT systems do capture information about internet traffic initiated by users of state computers systems.

Your request for production of that internet traffic information is one of first impression. Therefore, DES and DOIT carefully examined how that information is generated, recorded, and used in order to determine 1) whether the requested information meets the definition of any governmental record under RSA 91-A:1-a, III, and 2) whether such information is subject to any exemptions set forth in RSA 91-A:5.

When a user enters a URL or IP address for a particular web page, the outbound request passes through the state’s internal network until it reaches the internal firewall. There, the request is routed through DOIT’s web filtering software. That software categorizes web sites based on historical content. Agencies establish filter policies that determine which categories are accessible or blocked. Based on a user’s login information, the software is able to associate a user with his or her IP address and based on the policy assigned to that user, determines whether the requested page is allowed or blocked. If allowed, the software permits the requested web page to be sent from the requested server to the user for viewing. The date, time, an destination of the outgoing request, as well as all IP information sent to the user from the destination web page, are recorded by the web filtering software. The actual content of what was either sent or received is not recorded.

The IP and URL address information recorded by the web filtering software is not viewed or actively monitored by any employee of an agency or DOIT. Furthermore, DOIT administrator policies do not permit DOIT staff to access the recorded URL / IP address information except in furtherance of a personnel-related investigation. The only circumstance in which the recorded web traffic information is used in furtherance of any official function is when an agency requests such information from DOIT in order to determine whether an employee has improperly used a state computer. The only reason that web traffic information is recorded in the first instance is to enable state agencies to properly execute such personnel-related investigations. Moreover, DOIT does not authorize any access to web traffic information unless an agency division director submits a request through the agency’s human resources office. All such requests submitted to DOIT must be approved by the Director of Technical Support Services.

As discussed in greater detail in previous correspondence, RSA 91-A:1-a, III defines a governmental record “as any information created, accepted, or obtained by, or on behalf of, any public body, or a quorum or majority thereof, or any public agency in furtherance of its official function”. You will also recall that RSA 91-A:5, IV sets forth specific exemptions to disclosure, including an exemption for “records pertaining to internal personnel practices.” In determining whether web traffic data can be provided under RSA 91-A, DES and DOIT must apply the same analysis use for other document or data, which is to determine 1) whether the information sought exists, 2) if so, whether the information sought is a governmental record, and 3) I so, whether the record is subject to an exemption under RSA 91-A:5.

As explained above, in the case of web traffic data, the URL/IP information is not logged by DES. The first location at which the web traffic data are recorded is at the firewall by DOIT’s web filtering software. The web traffic data you requested exists because is it recorded by DOIT using DOIT’s systems. This information is logged and retained by DoIT in furtherance of its function of providing technology support services to state agencies. Therefore, DES and DOIT believe that the web traffic information you have requested is a governmental record within the meaning of RSA 91-A:1-a, III because it is accepted or obtained by DOIT, on behalf of DES, in furtherance of DOIT’s official function.

However, as illustrated above, DOIT’s use of such data is strictly limited to supporting the personnel-related needs of state agencies arising from use of state computer systems. When web traffic are provided to a requesting agency, they are received by that agency in furtherance of its official function of enforcing its own internal personnel policies. Thus, DOIT retains the web traffic data only for personnel-related purposes and authorizes the release of such data to an agency for no other purposes. Therefore, while the web traffic information you requested is a governmental record, it is exempt from disclosure pursuant to RSA 91-A:5, IV, because all such records pertain only to internal personnel practices.

As was stated in the previous response, DES and DOIT believe strongly that the overarching purpose of RSA 91-A, of providing “openness in the conduct of public business” and “accountability to the people” must be observed. However, as stated above, RSA 91-A does not compel disclosure in this instance. Therefore, while the web traffic data you requested are exempt from disclosure, DES can, and hereby does, inform you that there appears to be a correlation between Mr. de Seve’s computer use and the web posting activity you identified in your request. This is based partly on the admissions of Mr. de Seve. Accordingly, based on the information you provided, together with that discovered in responding to your request, this matter is currently being addressed by DES’s Human Resources office. Again, DES cannot disclose the nature or outcome of any action that may be pursued.

As we discussed, Commissioner Burack and Commissioner Rogers are willing to meet with you to discuss your concerns further. Commissioner Burack will contact you shortly regarding such a meeting.

Thank you for your continued cooperation. Please contact me directly if you have any questions.

                                                                                                                                         Sincerely

                                                                                                                                     “DES RTK Dude”

cc: Thomas S. Burack, Commissioner, DES

Stanley W. Rogers, Commissioner / Chief Information Officer, DOIT

Susan A. Carlson, Chief Operations Officer, DES

Harry T. Steward, Director, Water Division, DES

Sally A. Gallerani, Director, Technical Support Services, DOIT

 

I sent a response back to the DES RTK Dude just as fast as I had taken in the highlights of the “final response”.  That will be the next post I do.

Sidebar: normally the PDFs that the RTK Dude have been ‘text PDFs” that could be scraped and posted (after redoing some formatting).  Given the activities of the weekend, last night and today were the first chances I had to retype the entire document – he sent it as an “image PDF” and my scanner was done (so no OCR’ing it).  Sorry for the delay!

>