DHS can’t read thousands of its own emails, including those about child abuse
Thousands of state records dealing with child abuse investigations and other matters have been rendered unreadable due to a change in computer software at the Iowa Department of Human Services.
The records are emails that were encrypted to protect their confidentiality. When DHS changed computer software in 2018, it reportedly lost the ability to decrypt virtually all of the encrypted messages sent over the previous two years.
“This is egregious,” said Roxanne Conlin, a Des Moines attorney who is seeking access to DHS emails related to a 2017 child abuse investigation. “There is a huge swath – as I understand, it’s two years’ worth – of emails that no one can access now. My god, that’s a pretty horrible situation. And, of course, we’re never going to know what is in all those encrypted emails.”
Conlin said the loss of the information has profound implications for agencies that investigate DHS’ handling of child-abuse complaints, as well as Iowans suspected of abuse. Without access to the internal, written communications about pre-2019 cases, it will be harder for DHS to spot patterns involving individuals currently under investigation, she said.
“That matters, for example, in terms of whether a person can be found to be a sexual predator against children, for crying out loud,” Conlin said.
DHS officials declined to comment on the matter.
Testimony: New software couldn’t open encrypted emails
On Thursday, an attorney with Conlin’s office deposed an information technology worker for DHS in an effort to find out why emails the agency had turned over during litigation were still encrypted, displaying nothing but lines of seemingly randomized characters.
According to Conlin, the tech testified that agency emails were encrypted from 2017 to 2018 using software called Virtru. The software automatically encrypted any emails, within the entire DHS system, that happened to include one of roughly 120,000 predefined words that would suggest the contents dealt with confidential matters, such as child abuse. The recipients of those emails received a code to decrypt the emails and make them readable.
In 2018, DHS switched encryption programs from Virtru to a product made by Microsoft. The Microsoft software couldn’t decrypt the emails already processed by Virtru. What’s more, when DHS decided to drop Virtru, it did so without retaining the ability to decrypt the emails already sent and received with the software.
As a result, DHS is now unable to read thousands of emails dealing with some of the most sensitive and controversial aspects of its work. Interoffice emails are often among the records most sought by lawyers and state investigators who are called upon to examine DHS’ response to child-abuse complaints. In addition to those internal emails, DHS also shared public documents with reporters using the Virtru-encrypted email system.
According to a 2017-18 training manual for Iowans who work as court-appointed advocates in child-abuse cases, the Virtru encryption system at DHS relied on “a private key,” or code, that email recipients used to read each individual email after being routed to a website. All of those keys have since been lost, or they have expired, according to the testimony of the DHS tech, which means the emails can’t be decrypted now even if the state had access to the Virtru software.
With the assistance of computer techs, DHS has allegedly been able to decrypt about 10% of the emails that were processed by Virtru, but fewer than half of that subset of emails can be decrypted without errors that could potentially alter the meaning of the communications.
The Iowa Capital Dispatch asked DHS spokesman Alex Carfrae on Thursday how many agency emails were lost due to the encryption issue, what impact it had on the department’s case management, whether it resulted in the loss of documents the agency is required to maintain, and what impact the loss has had on DHS’ ability to respond to Open Records Law requests, subpoenas for information and discovery requests made in civil court.
Carfrae said answering those questions would require the retrieval of data from the agency’s information-technology team and would take several days.
He declined to say why DHS didn’t retain the ability to read its own emails once it decided to sever ties with Virtru.
Lawsuit alleges false allegation against day care owner
The lawsuit that led to the disclosure of the encryption problem involves Alyson Rasmusson of Marshalltown. She alleges that in 2017, she ran an in-home day care service and was wrongly blamed by DHS for injuries sustained by one of the children in her care.
She alleges the child’s mother repeatedly told state investigators the child appeared to have been injured at home by the family’s dog, but that DHS investigators said they were under pressure from their superiors to find someone to blame.
DHS eventually issued a formal finding of abuse by Rasmusson through the denial of critical care. After Rasmusson appealed that finding, DHS allegedly offered to alter its conclusions if she signed a form agreeing not to sue the state for its actions.
Rasmusson refused, and one day before the appeal hearing, DHS changed its findings to “perpetrator unknown.” But by that time, Conlin says, Rasmusson had lost her day care business. “She loved caring for children,” Conlin said. “They just ruined her life.”
Conlin said she believes DHS has an obligation to retain its records and prevent their wholesale destruction through encryption.
“If we cannot get access to emails of the investigator communicating with his supervisor – and, obviously, the supervisor communicating with her supervisor – how in the world can we prove what we need to prove?” Conlin asked. “By encrypting these emails, and then being unable to decrypt them, they have prevented us from having a fair chance in court.”
She noted that under Iowa law, litigants are barred from spoliation – the destruction of evidence – and said she intends to pursue that issue, as well.
Correction: An earlier version of this story misspelled the name of the plaintiff in the lawsuit, Alyson Rasmusson.