DHS blocked from thousands of emails
Thousands of state files dealing with child abuse investigations and other matters have been rendered unreadable due to a change in computer software at the Iowa Department of Social Services.
The records are emails that were encrypted to protect their privacy. When DHS changed computer software in 2018, it reportedly lost the ability to decrypt almost all of the encrypted messages sent in the previous two years.
“It’s blatant,” said Roxanne Conlin, a Des Moines lawyer who seeks access to DHS emails linked to a 2017 child abuse investigation. “Got it right, it’s two years’ worth of emails that no one can access now. My god, this is a pretty horrible situation. And, of course, we’ll never know what’s in all those encrypted emails.”
Conlin said the loss of the information had profound implications for agencies investigating DHS’s handling of child abuse complaints, as well as for Iowans suspected of abuse. Without access to internal written communications on cases prior to 2019, it will be more difficult for DHS to spot patterns involving people currently under investigation, she said.
“It matters, for example, in whether a person can be considered a sexual predator against children, for shouting out loud,” Conlin said.
DHS officials declined to comment on the matter.
Testimony: New software could not open encrypted emails
On Thursday, a lawyer in Conlin’s office deposed an information technology worker for DHS in an attempt to find out why the emails the agency delivered during the litigation were still encrypted, showing only lines of seemingly random characters.
According to Conlin, the technician said agency emails were encrypted from 2017 to 2018 using software called Virtru. The software automatically encrypted every email in the DHS system that included any one of some 120,000 predefined words suggesting that the content dealt with confidential matters, such as child abuse. The recipients of these emails were given a code to decrypt the emails and make them readable.
In 2018, DHS changed encryption programs from Virtru to a product made by Microsoft. The Microsoft software was unable to decrypt emails already processed by Virtru. Moreover, when DHS decided to ditch Virtru, it did so without retaining the ability to decrypt emails already sent and received with the software.
As a result, DHS is now unable to read thousands of emails dealing with some of the most sensitive and controversial aspects of its work. Inter-departmental emails are often among the most sought-after documents by attorneys and state investigators who are called upon to review DHS’s response to child abuse complaints. In addition to these internal emails, DHS also shared public documents with reporters using the Virtru encrypted messaging system.
According to a 2017-18 training manual for Iowans who work as court-appointed lawyers in child abuse cases, DHS’s Virtru encryption system relied on a “private key,” or code, that email recipients used to read each email after being routed to a website. All of those keys have since been lost or have expired, according to the DHS technician’s testimony, meaning the emails cannot be decrypted now, even though the state had access to the Virtru software.
With the help of IT technicians, DHS would have been able to decrypt around 10% of emails processed by Virtru, but less than half of this subset of emails can be decrypted without errors that could change the direction of communications.
On Thursday, the Iowa Capital Dispatch asked DHS spokesperson Alex Carfrae how many of the agency’s emails were lost due to the encryption issue, what impact it had on the department’s case management, whether it resulted in the loss of documents that the agency is required to keep, and what impact the loss has had on DHS’s ability to respond to Open Records Law requests, subpoenas for information and discovery requests made in civil court.
Carfrae said answering these questions would require data recovery from the agency’s IT team and take several days.
He declined to comment on why DHS did not retain the ability to read its own emails once it decided to sever ties with Virtru.
Lawsuit Alleges False Allegation Against Marshalltown Daycare Owner
The lawsuit that led to the disclosure of the encryption problem involves Marshalltown’s Alyson Rasmussen. She alleges that in 2017, she ran a home child care service and was wrongly blamed by DHS for injuries sustained by one of the children in her care.
She alleges that the child’s mother repeatedly told state investigators that the child appeared to have been injured at home by the family’s dog, but DHS investigators said they were under pressure from their superiors to find someone to blame.
DHS eventually released a formal finding of abuse by Rasmussen through the denial of intensive care. After Rasmussen appealed that finding, DHS reportedly offered to change its findings if she signed a form agreeing not to sue the state for its actions.
Rasmussen refused, and a day before the appeal hearing, DHS changed its findings to “perpetrator unknown.” But by then, says Conlin, Rasmussen had lost her daycare business. “She loved taking care of the kids,” Conlin said. “They just ruined her life.”
Conlin said she believes DHS has an obligation to keep its records and prevent their mass destruction through encryption.
“If we can’t access the emails of the investigator communicating with his supervisor – and obviously the supervisor communicating with his supervisor – how in the world can we prove what we have to prove?” Conlin asked. “By encrypting these emails and then being unable to decrypt them, they have prevented us from having a fair chance in the courts.”