Take care with the public's records


Grayson County Commonwealth's Attorney Douglas Vaught appears to be a decent and caring person and — to his substantial credit — he does respond to his mail. Others in Grayson County governance, including Vaught's predecessor, refuse to put pencil to paper. I want to share an issue on which he and I disagree, as it forms an introduction to a much larger contemporary issue.

Vaught and I have debated whether personal e-mail accounts (Hotmail, Gmail, MyEmbarq and the like) are appropriate for conducting commonwealth business, particularly judicial and law enforcement communications. I have not been successful in convincing him to use government-supplied e-mail; if you read this in disbelief, then please ask for his business card.

Many opportunities for short-term harm exist. Because personal e-mail accounts are not secure and are not professionally managed, a person using "packet sniffer" software could simply print or archive the mail without Vaught's knowledge, or the sniffer could hijack the entire account. As an example, Paris Hilton and Sarah Palin have been victims of well-publicized hijacked personal accounts.

Additionally, Vaught's commonwealth data and passwords could be stolen via brute-force attacks, social-engineering attacks, cross-site scripting, embedded ActiveX objects, keystroke logging, etc. Although random exploits are common, specific people can be targeted. The necessary software may be purchased or specific attacks can be arranged on a fee-for-service basis.

(Interested readers may want to subscribe to the free "Security Now" Web casts by Steve Gibson.)

Because Yahoo!, etc., are used globally, the existing attack knowledge base is broader than for a secure, managed Virginia server. Imagine the mayhem that someone could cause with confidential law enforcement information.

Records integrity is a large, long-term issue that must be addressed. Former Commonwealth's Attorney Gordon Hannett Jr. of Floyd County is now under prosecution for failing to transfer his computer files to the commonwealth. At the end of Vaught's term, how will he transfer files for archival purposes? I rather doubt that the commonwealth has developed software to transfer Hotmail files to the archival standard.

It gets worse still: In the Hannett court case, missing physical assets, hard disk drives, are the matter at hand. With most personal e-mail accounts, however, there are no definable physical assets and no directed professional IT management, so public records can go poof without fuss.

As an example of high irony, Vaught is assigned the duty of prosecuting Hannett.

I have repeatedly updated the Grayson County administration regarding this issue, but they seek to hide from their own troubled history regarding public records. Constituent correspondence was ignored three years ago, resulting in lost rights for all those participating in an appeals process. This un-American behavior required no fewer than 28 cycles of correspondence and four FOIA filings to get to the bottom. The outcome was clear: Someone within Grayson discarded paper public records.

True to form, no e-mails were ever recovered in this case, although they were known to exist via non-FOIA sourcing.

Accepting governance in the shadows demonstrates a lack of respect for those who fought for our freedoms. I believe that the situations described above validate a few guiding principles for those who value transparency and seek to improve government:

1. Demand accountability and never give up;

2. Paper communications may favor the public interest because possession can be firmly established (handwriting, fingerprints, difficult to destroy all copies, etc.);

3. Electronic public records purposely kept on servers outside the control of government IT management make a mockery of open government laws.

A path for improvement exists. I suggest that localities in Virginia serve the public under this mandate: Constituents who report issues or request actions receive a serial number in return. A summary of the request is logged on a public Web site, along with the outcome or status; names are posted on an opt-in basis.

This system could protect the public from inaction or records destruction.

It would add a measure of accountability, too. Imagine the liability if several reports of a public health hazard spanning several years were ignored, resulting in harm. Consider the skullduggery that could have been uncovered if the SEC had such a system 10 years ago. As for mandating the use of secure networks for sensitive data, I am eager to learn why this is not in place already.

Why is transparency in governance important to Southwestern Virginia? Jobs and transparency are intricately intertwined because large employers purposely avoid investing in regions that are opaque (what are the rules?) or that don't follow their rules (what are the "real" rules?).

This opinion piece first appeared in The Roanoke Times.