A digital forensics expert says that people usually think about keywords, how emails are deleted, and other details
This week, the NDP, which is the opposition party in Alberta, kept putting pressure on Premier Danielle Smith over a CBC News story from January.
Based on information from reliable sources, CBC reported in January that a staff member in Smith’s office sent a series of emails to the Alberta Crown Prosecution Service that questioned the prosecutors’ assessment and direction of cases related to the border protests at Coutts, Alta, last winter.
The emails have not been seen by CBC News.
“Why is this premier held to a lower moral standard than Minister Kaycee Madu, who was found to have interfered with the administration of justice?” Rachel Notley, the leader of the opposition, asked on Tuesday.
Smith said that this kind of interference “never happened.”
Smith said, “We did a big investigation by the independent public service over the course of a weekend. They looked at all the emails sent and received by and from my office and by Crown prosecutors and found nothing.”
The office of the prime minister said that the original story was “defamatory” and made “baseless allegations.”
CBC News stands behind what it said. CBC News knows who the confidential sources are and where they work. They have also carefully looked at how reliable the information they gave is.
A search was done by the provincial government over a weekend, a few days after the story came out. The province’s justice ministry said that “no records of contact” were found when they looked through nearly a million emails.
Almost two months after that review, we still don’t know how big that search was or what it might have missed.
CBC News asked Charles Mainville, who is the director of communications for Alberta Justice, these questions on Wednesday. He had until the end of the day to answer.
CBC News reached out to Rebecca Polak, the premier’s press secretary, and Jonah Mozeson, the executive director of communications and planning in the premier’s office, on Thursday and gave them until the end of the day to respond. They did not. At the time of publication, no answer had been received.
1. Could the search have turned up emails that were deleted
The province has said that it keeps emails for 30 days after they have been deleted. But it also says that even after a user deletes an email, it will still be available for 30 more days. All together, that’s 60 days.
The government looked through emails from January 20 to 22.
That means that the government would not have been able to find any emails that were deleted before November 21, 2022. In January, the province told the Toronto Star that the person who got the email would also have to delete it.
The emails were sent before November 10, 2022, sources say.
2. What does the government do with the emails it deletes
William Ellwood, forensic lead at Toronto-based digital forensics company Ellwood Evidence Inc., said that this case raises interesting questions about how provinces handle email inboxes.
The Alberta government has an online guide for keeping records that lists four reasons why records should be kept: for administrative purposes, for legal purposes, for financial purposes, and for research or historical purposes.
In that document, there is a list of suggestions for how long different kinds of records should be kept, with some going up to 12 years.
“Transitory records” can be thrown away. These are records that have “short-term, immediate, or no value.”
“It’s interesting that these users can delete email messages at their own will, and that after only 60 days, these messages are gone for good,” Ellwood said in an email.
“In civil investigations, most mature companies don’t give their employees this kind of freedom, so that information can be found after the fact if something goes wrong.”
3. What were the search terms
When asked what search terms were used, the government said they were part of an investigation and could not be talked about.
Experts in the field say that it’s important to know what search terms were used in order to understand what the search would have turned up and what it might have missed.
Ellwood said in an interview, “You might leave out things if all you do is look for common search terms.”
“If you just run search terms, which, practically speaking, is probably what was done, you risk missing things.”
Ellwood said that’s because informal language is often used for internal communication, so it could be missed if the search terms don’t match exactly.
Ellwood said that it would be hard to do targeted searches in such a short amount of time.
“When you don’t know what the thing you’re looking for looks like, it’s like trying to find a needle in a haystack. It’s hard to do, “Ellwood said.
4. Were additional search tools used
In electronic discovery, people have known for more than a decade that keywords and search terms alone are not enough to find information. This is because people don’t understand the scope of the search terms themselves.
Electronic discovery is the process of getting information stored on a computer and used in a court case or investigation.
Experts say that you should also use other search tools that are easy to find.
In Canada, the use of these kinds of search methods has been at the center of high-profile cases. In 2019, Vice-Admiral Mark Norman was accused of leaking cabinet secrets about a shipbuilding deal.
In that case, Norman’s lawyers brought evidence to court to show that officials may have avoided using his name and instead used code phrases to make it harder to find documents about him.
“It is important to remember that codenames, abbreviations, typos, and synonyms are common in all organizations and that this is not an isolated incident,” the Toronto-based Heuristica Discovery Counsel wrote in a 2019 blog post about the case.
“Keyword searching is a good place to start to find relevant documents, but it is literal and will miss responsive documents that contain codewords, jargon, abbreviations, and typos that can’t be identified.”
Take Microsoft Office 365 or a program like Microsoft Outlook as an example. Most electronic discovery experts think that only using a program like this is not a good way to look for electronic information.
When doing this kind of analysis, electronic discovery firms often use more powerful tools for analysis. Analytics tools like machine learning and keyword expansion are often used by platforms like RelativityOne.
The government did not say whether or not this kind of software was used in the electronic search.
5. What about emails between people
On January 23, the government said that it looked through the mail at the Alberta Crown Prosecution Service from September 1, 2022, to December 31, 2022. From October 6 to December 31, 2022, Danielle Smith’s office mailboxes were searched.
The government said that about 900 mailboxes were searched, and both incoming and outgoing emails were read.
The government also said that “relevant prosecutors” who worked on files about the Coutts blockade or in the same office as those who worked on these files were involved in the search.
It didn’t answer a follow-up question asking if that would include everyone in the Crown Prosecution Service or just those who work in the Calgary office, or if it would include all or just some of the premier’s staff, because it said that doing so would compromise the privacy of the investigation process.
CBC News asked if the search only looked at emails sent between government email addresses or if it would also look at emails sent from a personal address on one end.
The government said that its search hit internal mailboxes and would have found emails sent from or to an email address that was not part of the Government of Alberta.
If personal emails were involved, the Government of Alberta address would need to be either a sender or a receiver of the email. For example, a personal Gmail account on one end and the government email on the other.
But that brings us back to one of the most important questions, which is whether or not there are any emails left to find in the first place.
6. What about the audit logs
There is also the question of whether the government looked at the emails themselves or at the “audit logs,” which are a set of records that show who talked to whom but not the details of the conversations.
“Many of these systems will not only keep their records, but they will also keep their audit logs. So on this day, person “X” did “Y,” “Ellwood said. “Did they look at that evidence, if it was there?”
When and if the UCP government gives answers to some of the unanswered questions we looked at in this article, CBC News will report on them.