BE BREITBART: DoIT Right To Know Request : Outbound Internet traffic summarizations – Update 1

by Skip

Last week, we sent in our second RSA 91-A Right To Know request concerning the Government records that summarized the websites that State of NH employees had gone to:

We hereby request,  in electronic digital form (in order to minimize time and cost on behalf of DES and DoIT), those records bolded in the above paragraph and to which the State has now admitted to possessing. Further, we also request the file / record layout description of the resulting file (fixed or variable field lengths, data types, et al). As computer consultants, our expertise will allow us to examine the data once received (we have several projects in mind for that data).

This request is asking for those records from January 1, 2005 to the present time (i.e., April 20, 2012), inclusive.

Well, 5 business days have passed – the exact number of days in which we expected to have the State of NH send us the records. After all, they have already admitted that they have the records. And as far as being “exempt” from RSA 91-A, well, we did not ask in terms of any personnel policies – all we want to see is URLs. Well, in that time, we received nada for results; not even a <cough>. Far different than our first RTK concerning Richard de Seve.

So, I emailed Gretchen Hamel, Administrator of the DES Legal Unit:

Subject:     Re: Your RSA 91-A request dated April 20, 2012
Date:          Fri, 27 Apr 2012 10:39:19 -0400
From:        Skip Murphy <Skip@GraniteGrok.com>
Reply-To:     Skip@GraniteGrok.com
To:             Hamel, Gretchen <Gretchen.Hamel@des.nh.gov>
CC:             Grokcrew

Good morning, Ms. Hamel

Will we be receiving our requested information before the close of normal business hours as provided by RSA 91-A (5 business days, and verified by your PDF Letter)?

It seems that we have to ask because,  unlike your predecessor, we have not had any interim communication from you during this time period with respect to any updated status of our request.  Do you have the FTP site and credentials available for us to download that outbound traffic summarization information?

Kindest regards,

-Skip

(Skip Murphy for himself, Steve Mac Donald, and Ed Naile)

And then the wait began…and we were unsurprised at the answer (emphasis mine).

BE BREITBART: DoIT Right To Know Request : State of NH Internet Filtering policies

by Skip

You know, we are still trying to find out the root reasons why folks like Richard de Seve and “GAIA” (and others like them) were allowed to comment and blog at the Concord Monitor so often during normal work hours.  So, we continue to think of what we need from the State that would be “non-exempt” that would be available.  We just sent this latest RSA 91-A request on the filtering policies that have been put into place by the State of NH:

  • what is blocked?
  • who requested it (Department) that it be blocked?

Here is the request:

Right to Know Request
as per
RSA 91-A
April 26, 2012

To:

Stanley “Bill” Rogers, Commissioner and CIO, Department of Information Technology, State of New Hampshire

Thomas S. Burack, C, Department of Environmental Services, State of New Hampshire

In light of the final response of April 19th concerning our first Right To Know request  (re: political postings by State Employee Richard de Seve during regularly scheduled work hours contra to the policies of both the Department of Environmental Services (“DES”) and the Department of Information Technology (“DoIT”) filed on March 11, 2012), we are making the following RSA 91-A request.

As noted in that final response:

That software categorizes web sites based on historical content. Agencies establish filter policies that determine which categories are accessible or blocked. Based on a user’s login information, the software is able to associate a user with his or her IP address and based on the policy assigned to that user, determines whether the requested page is allowed or blocked. If allowed, the software permits the requested web page to be sent from the requested server to the user for viewing.

Although we were fairly sure that web sensing / filtering software was part of the State’s network, we now have further requests knowing that such filtering software is actually used by  the State.  We hereby request, in electronic digital form, those electronic Governmental records of existing (and to the extent possible, retired or disabled) filtering policies that:


BE BREITBART: DoIT Right To Know Request : Outbound Internet traffic summarizations – Update 3

by Skip


Well, a quick update on setting up the Commish meeting: Got a call yesterday afternoon from the “DES Commish Lady” (Commish Burack’s Administrative Assistant, but DCL sounds more bloggish) – the tentative meeting with Commishs Burack and Rogers (DES and DoIT) this Friday at 6 pm is out of the question – somehow, I was not surprised. Here’s how the [admittedly paraphrased] conversation went (hmm, next time I should just flip the sound board on and record such conversations):

  • She asked – how about next week?  SURE!
  • And then I aGAIN explained we all work full time day jobs – we’re located all over the state and I said I’ll have to check schedules – several of us travel for biz and that can mean country-wide rather than just state-wide.
  • Hesitation on her part: “Er, well, the only days he REALLY has is Wed or Friday.”
  • Well, that will be OK – still at 6pm, though?  Remember, we’re working stiffs.  And being computer folk, we REALLY want to ask some questions (yes, I made a point to say it that way to make it PERFECTLY clear what our intent is).
  • Another hesitation moment.  “Um, that could be a problem – you see, he has a lot of work appointments – like ground breaking ceremonies and the like”

Yes, you REALLY read that right- she REALLY did say ground breaking ceremonies.

OK, I just hate to be cynical (watch for a post a bit later this evening – you’ll understand why my outlook would be a bit “shaded”), but methinks I be getting a sniff that perhaps  he’s not all that willing to make time after his working hours even as we are after ours – having dealt with politicians personally for a while, the “is it a ‘for show’ deal meter” is starting to twitch a tad.

  • I reiterated: I’ll ask about Groksters schedules
  • Her parting words “Commissioner Burack remains committed to meeting with you”


BE BREITBART: DoIT Right To Know Request : Outbound Internet traffic summarizations

by Skip

We are a persistent bunch here at the ‘Grok:

Good morning,

We, as taxpayers in the State of NH, are requesting certain electronic records concerning the outbound Internet traffic emanating from the State of NH’s computer network.

Please review the following RSA 91-A request; we stand ready to work with you concerning this issue.  Please find a copy of the request below as well as two attachments (the same request, in Microsoft WORD and OpenOffice formats)

Kindest Regards,

-Skip

David “Skip” Murphy for myself, Steve Mac Donald, and Ed Naile (citizens of the State of New Hampshire)

**********

Right to Know Request
as per
RSA 91-A
April 20, 2012

To:     Stanley “Bill” Rodgers, Commissioner and CIO, Department of Information Technology, State of NH
Thomas S. Burack, C, Department of Environmental Services, State of NH

In light of the final response of April 19th concerning our first Right To Know request (re: political postings by State Employee Richard de Seve during regularly scheduled work hours contra to the policies of both the Department of Environmental Services (“DES”) and the Department of Information Technology (“DoIT”) filed on March 11, 2012), we are making the following RSA 91-A request.

As noted in that final response:

When a user enters a URL or IP address for a particular web page, the outbound request passes through the state’s internal network until it reaches the internal firewall. There, the request is routed through DOIT’s web filtering software. That software categorizes web sites based on historical content. Agencies establish filter policies that determine which categories are accessible or blocked. Based on a user’s login information, the software is able to associate a user with his or her IP address and based on the policy assigned to that user, determines whether the requested page is allowed or blocked. If allowed, the software permits the requested web page to be sent from the requested server to the user for viewing. The date, time, and destination of the outgoing request, as well as all IP information sent to the user from the destination web page, are recorded by the web filtering software. The actual content of what was either sent or received is not recorded.

We hereby request,


BE BREITBART: Update 10: DES Right To Know Update : DOIT and DES – a “gentle” (eh?) response

by Skip

Well, my first reaction to the “final response” was this quick note fired off to the RTK Dude:

Sidebar: slightly edited here as it turned out the copy outbound had a few less words than here – brain saying the words and the fingers went partially deaf.

Mr. Demas,

I am in receipt of your alleged  final response – I can assure you it will not be a final communication.  I find the logic contained herein to be  very convoluted and tortured to conflate computer communication data packets with a personnel policy. While such a policy depends entirely on having such data records available, it is not a fact that those records are, in whole, subservient to that single purpose. Indeed, while the personnel policy is entirely dependent on those records, there are many other functions that those records could service as well and thus should not be considered exempt from our Right To Know request.

In fact, I thought of a half dozen in the space of 2 seconds – and I wasn’t trying hard.

In fact, we have already proven that the stated written policies of both DES and DoIT have not been followed either in respect to their letter of such nor their spirit. In fact, it is clear that your personnel policy does not even require using those records to take action in this case; I find with no small amount of irony that it is our records (where Mr. de Seve admitted his guilt to GraniteGrok and not to the State) that are serving as the bulwark of any actions that DES takes in dealing with Mr. de Seve. If it were not for GraniteGrok, he still would be breaking both DES and DoIT’s policies with impunity.


BE BREITBART: Update 9: DES Right To Know Update : DOIT and DES – convoluted hiding

by Skip

OK – still catching up here.  Late on Friday, I received the latest update from the DES RTK dude – and to be honest, my reaction was two-fold:

  • turning on all the burners and the ovens of a commercial kitchen range had nothing on me.
  • And as Steve posted: Game On

April 13, 2012

David “Skip” Murphy

9 Gilford Glen Road

Gilford, NH 03249

RE: Request for Records Pursuant to RSA 91-A – Final Response

Dear Mr. Murphy

I am writing to provide you additional information in order to conclude DES’s and DOIT’s response to your request for records pursuant to RSA 91-A. The first and second preliminary responses issued by DES and DOIT on March 27, 2012 and April 5, 2012, respectively, addressed all of your specific requests except Request 7.c., relative to web traffic data. That request is the subject of this letter.

You requested “[a]ny and all electronic records that show outbound traffic to any and all non-State related websites from the IT department[‘]s proxy servers, outbound routers / designated Internet gateways emanating from the use of Mr. de Seve’s computer usage” and “packet level records what will contain…[t]he [destination] IP address of such traffic generated by Mr. de Seve.” As previously discussed, DOIT’s systems do not log, capture, or otherwise retain packet level details or content of inbound or outbound internet traffic. However, DOIT systems do capture information about internet traffic initiated by users of state computer systems.

Your request for production of that internet traffic information is one of first impression. Therefore, DES and DOIT carefully examined how that information is generated, recorded, and used in order to determine 1) whether the requested information meets the definition of any governmental record under RSA 91-A:1-a, III, and 2) whether such information is subject to any exemptions set forth in RSA 91-A:5.


BE BREITBART: Update 8: DES Right To Know Update : DOIT and DES – living up to their own policies (#FAIL)

by Skip

The last post on this topic (GraniteGrok’s Right To Know to the State of NH on the non-State biz use of the State’s network: political commenting) effectively ended on these notes:

  • what did they know and when did they know it?
  • and “they did know it all and they knew it when the packets went through the system.”

Which leads up to the next important question: “…can the State live up to its own personnel policies in this area?”

This actually breaks down into two parts:

  • Can the State technically actually do what the policies say or imply, based on the results sent to us from our Right To Know request?
  • And if the State can technically support its policies – are they actually using those technical tools and if not, why not?

Now, I would be remiss to not point out that part of RTK for our calculus is still outstanding – Mr. Richard de Seve’s outbound (of the NH State domain) emails which the DES RTK guy has told me, multiple times now, is in process:

Request 5:

5. Any and all of Mr. de Seve’s emails that were outbound of the NH State’s domain and whose destination were other than for another NH State employee.

Response to 5:

All known emails have been collected and are currently being reviewed to determine 1) whether they are responsive to your request and 2) whether they are subject to any privilege or statutory exemption under RSA 91-4. Responsive, non-exempt emails will be provided upon completion of this review.

So, this needs to be fit into the picture when they arrive. In the meantime, there is more to review and our interim conclusion at the end…