January 2017 Email Metadata (Information Technology, Alaska)

Matt Chapman - Free Our Info, NFP filed this request with the Information Technology, Alaska of Anchorage, AK.
Due Jan. 15, 2019
Est. Completion None
Status
Awaiting Response

Communications

From: Matt Chapman - Free Our Info, NFP


To Whom It May Concern:

Pursuant to the Alaska Public Records Act, I hereby request the following records:

For all accounts managed by your department, please provide me the following information for all emails sent during January, 2017:

1. From address
2. To address
3. bcc addresses
4. cc addresses
5. Time
6. Date

Please note that I am not requesting the contents of each email.

I am more than happy to provide documentation or tips for extracting this information from your mail server if needed. Documentation that I have available include methods using excel, powershell, msaccess, Office 365 eDiscovery tools, and the direct extraction from an exchange database using forensic analysis tools.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 10 business days, as the statute requires.

Sincerely,

Matt Chapman

From: Information Technology, Alaska

Dear Matt Chapman,

From: Matt Chapman - Free Our Info, NFP

I would like to request that the processing of this request be handled with a little bit of extra prudential cleverness. For example, would your virus scan logs include the records responsive to my request?

That said, if there is absolutely no additional source of the records, then provide me with 30 days at the date of processing this request, whenever that may be.

From: Information Technology, Alaska

Mr. Chapman,

Please see the attached response.

[cid:AF62C38B-492F-466B-9133-0022180167D7]

Gail Turner
IT Business Manager
Municipality of Anchorage
Information Technology Department
Phone 907-343-6955
Email Turnerag@Muni.org<mailto:Turnerag@Muni.org>

From: Matt Chapman - Free Our Info, NFP

Pardon my very slow response. I would like to proceed with the request, given the costs will likely be around $200.

Many thanks -
Matt Chapman

From: Information Technology, Alaska

Dear Mr. Chapman,

This email is in response to your January , 2019 records request.

We have reviewed your request and after speaking with our Information Security Office, it has been determined that we are unable to disclose email logs or any information security records that contain information pertaining to internal systems, facilities or infrastructure pursuant to Alaska Statute 40.25.120 (a) (10)(A).

Thank you

[cid:AF62C38B-492F-466B-9133-0022180167D7]

Gail Turner
IT Business Manager
Municipality of Anchorage
Information Technology Department
Phone 907-343-6955
Email Turnerag@Muni.org<mailto:Turnerag@Muni.org>

From: Matt Chapman - Free Our Info, NFP

I'm confused. Could you please let me know further details for why that exemption is being used to deny the release of these records?

My previous email was simply giving an example of where and how the records could be stored. There are many other places that those records can be retrieved from - in particular, through the use of either powershell commands, or through Excel, which has the ability to export metadata records out of the box.

From: Information Technology, Alaska

Mr. Chapman,

In our previous response denying your request, we specifically referenced Alaska Statute 40.25.120(a)(10)(A) stating that:

"We have reviewed your request and after speaking with our Information Security Office, it has been determined that we are unable to disclose email logs or any information security records that contain information pertaining to internal systems, facilities or infrastructure pursuant to Alaska Statute 40.25.120 (a) (10)(A)."
In response you asked for further details regarding our reliance on this exemption.

Specifically, the cited statute says:

(a) Every person has a right to inspect a public record in the state, including public records in recorders' offices, except [:]

(10) records or information pertaining to a plan, program, or procedures for establishing, maintaining, or restoring security in the state, or to a detailed description or evaluation of systems, facilities, or infrastructure in the state, but only to the extent that the production of the records or information

(A) could reasonably be expected to interfere with the implementation or enforcement of the security plan, program, or procedures;
Alaska Stat. Ann. ยง 40.25.120 (West)

In your original request you asked for:
"

For all accounts managed by your department, please provide me the following information for all emails sent during January, 2017:

1. From address
2. To address
3. bcc addresses
4. cc addresses
5. Time
6. Date

Please note that I am not requesting the contents of each email.

We responded that we were unable to provide that information for the timeframe you requested, but that we only have information about all emails sent and received in a "30-day" window from the present time. You then requested the 30 days of all email sent to or from all Municipality of Anchorage email accounts. In essence you said you did not want the content of the emails, just the aforementioned email metadata which implies to us that you are requesting email header information. Generally speaking, we are not objecting to providing you with emails that show the To, From and Subject lines. It is the type of record you are seeking this information in that has caused us to assert the above-noted security exception.

Besides simply having To, From, bcc, cc, time and date information the email logs would also include internally protected system information that we do not provide to the public. That is what creates the security concern.

As I am sure you are aware, multiple State and Local governments within Alaska have recently fallen victim to ransomware attacks stemming from phishing attempts and social engineering efforts. Because of these attacks, organizations are hyper-sensitive when it comes to the classification of internal information and what is available for public consumption. The information in the format that you are requesting could be used by Nation States and other Actors who will now also have access to this information and could certainly use it to formulate social engineering strategies with the ending goal to cause harm to our state and public sector organizations to include extortion, ransomware, denial of service attacks, etc.

With that said, we are not able to fulfill your request for an "all inclusive" list of email header information due to the above concerns. However, if you wish to reduce the scope of this request limited to email discovery and include specific senders or recipient names, a range of dates and times, and perhaps additional keywords that might be helpful when performing the search, then we can certainly get back to you with the estimated cost and time that it will take to fulfill your request.

[cid:AF62C38B-492F-466B-9133-0022180167D7]

Gail Turner
IT Business Manager
Municipality of Anchorage
Information Technology Department
Phone 907-343-6955
Email Turnerag@Muni.org<mailto:Turnerag@Muni.org>

From: Matt Chapman - Free Our Info, NFP

Gail -

I'm very confused. What information could come from this request that could contain protected system information? As it stands, the rejection reason is rife with potential abuse towards many other classes of information and bears a chilling effect on transparency as a whole.

My only guess is that certain hosts are sending information from system accounts (eg, crontab emails), and those hostnames would then enumerable through the responsive records. If that's the case, then I would like to ask that this request be narrowed to not include those.

I'm very willing to work through this request to mitigate any security risks - please let me know how I can help. For what it's worth, I have a very technical background in systems administration in large infrastructures.

Regards -
Matt Chapman
Free Our Info, NFP

Files

pages

Close