Friday, May 17, 2024

Loss of Secret Service texts from Jan. 6 baffles experts




Cybersecurity experts and former government leaders are shocked by how poorly the Secret Service and the Department of Homeland Security handled the preservation of officials’ text messages and other data from around Jan. 6, 2021, saying the top agencies entrusted with fighting cybercrime should never have bungled the simple task of backing up agents’ phones.

Experts are divided over whether the disappearance of phone data from around the time of the insurrection is a sign of incompetence, an intentional coverup or some murky middle ground. But the failure has raised suspicions about the disposition of records whose preservation was mandated by federal law.

“This was the most singularly stressful day for the Secret Service since the attempted assassination of [Ronald] Reagan,” said Paul Rosenzweig, a senior policy official at the Department of Homeland Security during the George W. Bush administration who is now a cybersecurity consultant in Washington. “Why apparently was there no interest in preserving records for the purposes of doing an after-action review? It’s like we have a 9/11 attack and air traffic control wipes its records.”


Rosenzweig said he polled 11 of his friends with cybersecurity backgrounds, including information-security chiefs at federal agencies, on whether any of them had ever conducted a migration without a plan for backing up data and restoring it. None of them had. “There’s a relatively high degree of skepticism about [the Secret Service] in the group,” he said.

The Secret Service said it began deleting data from officials’ phones in the same month as the Capitol siege, when its agents were among the closest eyewitnesses both to President Donald Trump, now under criminal investigation for his push to overturn the election, and to Vice President Mike Pence, who had narrowly escaped the mob.

The agency said the deletions were part of a preplanned “system migration,” that agents were instructed to back up their own phones, and that any “insinuation” of malicious intent is wrong.


But tech experts said such a migration is a task that smaller organizations routinely accomplish without error. The agency also went through with its reset of the phones more than a week after Jan. 16, 2021, when House committees told officials at DHS to hand over all relevant “documents or materials” as part of their investigations into the deadly attack.

The error likely means that the data, which could reveal details critical to the Jan. 6 committee’s ongoing investigation, may be extremely difficult if not impossible to retrieve. Some of the data may remain on the phones, even after deletion, but with options for unlocking it that are slim to none.

If the Secret Service had truly wanted to preserve agents’ messages, experts said, it should have been almost trivially easy to do so. Backups and exports are a basic feature of nearly every messaging service, and federal law requires such records to be safeguarded and submitted to the National Archives.

Several experts were critical of the Secret Service’s explanation that it had asked agents to upload their own phone data to an agency drive before their phones were wiped. Cybersecurity professionals said that policy was “highly unusual,” “ludicrous,” a “failure of management” and “not something any other organization would ever do.”

The error is especially notable because of the Secret Service’s vaunted role in the federal bureaucracy. Besides protecting America’s most powerful people, the agency leads some of the federal government’s most technically sophisticated investigations of financial fraud, ransomware and cybercrime.

“Telling people to back up their stuff individually just sounds crazy,” said one technology leader interviewed by The Post, who spoke on the condition of anonymity to discuss sensitive information security practices. “This is why you have IT people. Why not tell people to go buy their own ammunition?”

On Thursday, The Washington Post revealed that phone records from Trump’s acting homeland security secretary, Chad Wolf, and acting deputy secretary Ken Cuccinelli in the days leading up to the Capitol riots also apparently vanished due to what internal emails suggested was a “reset” of their phones after they left their jobs in January 2021. Wolf has said he gave his phone to DHS officials with all data intact, and the reset appears to have been separate from the Secret Service’s migration.

Some experts said they could see how such errors were possible. Both the DHS and Secret Service are known for a culture of secrecy, a disdain for oversight and a preference for operational security above all else. Among the potential technical issues, these experts said, was the fact that DHS and Secret Service personnel can use iPhones and Apple’s iMessage for communications, which encrypts texts and stores them on the phone.

But several experts said they could not understand why the agencies had not worked more aggressively to safeguard phone records after Jan. 6 — not only because they were legally required to, but because the records could have helped them scrutinize how they’d performed during an attack on the heart of American democracy.


In a letter to the House select committee investigating the insurrection, Secret Service officials said they began planning in the fall of 2020 to move all devices onto Microsoft Intune, a “mobile device management” service, known as an MDM, that companies and other organizations can use to centrally manage their computers and phones.

The agency said it told its personnel on Jan. 25 to back up their phones’ data onto an internal drive, notably offering a “step-by-step” guide, but that employees were ultimately “responsible for appropriately preserving government records that may be created via text messaging.” The Secret Service said agents were told that enrolling their devices in the new system, via a “self-install,” was mandatory, although it was not clear that actually performing the backup was.

The migration, the agency said, began two days later, on Jan. 27 — 11 days after the committee had first instructed DHS officials to preserve their records. Some experts questioned why, even if the process had been preplanned, the agency did not pause the migration or assume a more direct role in preserving agents’ data during that 11-day span.

The Secret Service said that the migration process deleted “data resident on some phones” but that none of the texts that DHS Inspector General Joseph Cuffari had been seeking were lost.

The agency watchdog had requested all text messages sent and received by 24 Secret Service personnel between Dec. 7, 2020, and Jan. 8, 2021. The agency returned only one record — a text message conversation from a former U.S. Capitol Police chief to a former chief of the Secret Service’s Uniformed Division on Jan. 6, asking for help.

Cuffari’s office said last week it has launched a criminal investigation into the missing data. But congressional Democrats have since pushed for Cuffari’s removal, saying the Trump appointee’s failure to promptly alert Congress has undermined the investigation and diminished the chances that lost evidence could be recovered. Cuffari’s office, they said, learned in December that messages had been erased but did not tell Congress until this month.

Cuffari said earlier this month that “many” texts from Jan. 5 and 6 had been erased after he made his first request. Secret Service spokesman Anthony Guglielmi said in a statement that Cuffari’s office made its request for the first time in February 2021, after the migration was underway.

Asked for comment Friday, the Secret Service provided a previously issued statement, saying it was cooperating with the investigation.

Data migrations of these sorts are not uncommon, experts said. One of the basic rules for conducting them is that devices should be backed up with redundant copies in such a way that the process can be reversed if something goes wrong. Microsoft Intune, specifically, offers guides for how to back up devices, restore saved data and move devices onto the service without deleting their data outright.

The baffling decision-making and the timing of the deletions have led some critics to question whether the agencies were seeking to conceal inconvenient facts. The messages, they pointed out, may have shed a negative light on the behavior of Trump, a man whom many in DHS and on the Secret Service had long fought — not just professionally, but personally and politically — to protect.

One former senior government official who served under Trump said they viewed the missing texts not as a conspiracy but as the inevitable result of an organizational failure by DHS to set up systems that would ensure proper data retention on employees’ devices.

“What they’re doing is they’re shifting the burden to the individual user to do the backup, and that’s a failure of policy and governance,” the former official said. “It’s the overarching program that was set up for failure.”

The former official added that it’s unclear how much, if any, sensitive communication Secret Service agents would have been doing via iMessage anyway. In many government agencies, employees carry personal devices as well as their work devices, and rules about keeping work communications on work devices are not always diligently followed.

The Secret Service blocks its phones from using Apple’s iCloud, a popular service for automatically saving copies of phone data to the web, according to an agency official who spoke on the condition of anonymity to discuss a sensitive matter under investigation.

Using iCloud backups could have ensured that copies of the messages would have been preserved even after a phone reset. But the system could have also been seen as a security risk because it made agents’ digital conversations more vulnerable to hackers or spies.

A former head of technology at another agency within DHS, speaking on condition of anonymity to describe security practices, told The Post that not using iCloud “does come with trade-offs” but could also reduce the need for security officials to “worry about very sensitive data” being exposed.

Agents could have copied data onto an agency backup drive, even without iCloud. But the Secret Service, more than other top security agencies, “tends to want to do their own thing and segment off their IT solutions as much as possible,” the person said. “They have good reason, and the security culture itself is fairly good because of the mission.”

Robert Osgood, director of the computer forensics program at George Mason University and a longtime forensics examiner for the FBI, said federal law enforcement agencies are typically “really good at storing data” and that, under normal circumstances, it would take “a comedy of errors” for an organization such as the Secret Service to delete data critical to a high-profile investigation.

But “a comedy of errors does happen in the government, unfortunately, and happens more times than people think,” Osgood said. Secret Service agents on the president’s security detail, he added, may also face unique incentives to avoid leaving data trails about sensitive matters.

“By the nature of what they do, they can’t be the eyes and ears of Congress or the inspector general or the DOJ, because that would actually interfere with their mission” to maintain the president’s trust and privacy, Osgood said.

Preserving the records could have also been complicated by officials’ choices on how they communicated. It’s unclear how many agents used messaging apps such as Signal or Wickr, which have become popular for their encryption and security protections, or carried personal phones on Jan. 6. One former government official said such behavior is common in DHS, especially within small or select groups such as the presidential and vice-presidential details.

As part of DHS, the Secret Service would have been required to use some form of “mobile device management” service even before the Intune migration, a former FBI cybersecurity agent told The Post.

But the agency has not specified what MDM it migrated from, and each system works in different ways. Some allow for complete access to phone contents by IT administrators, while others permit only a couple of actions, such as deleting or “wiping” data from a device after it has been discontinued. Some MDMs, including Intune, also allow organizations to restrict what apps employees can download to their devices, potentially limiting their options for messaging to officially approved apps.

If the agency had pursued a typical migration process, experts said it would be strange for the agency to have lost data for only some agents, or for more than a day. A veteran data forensics expert at a large consulting firm who was not authorized to speak publicly said it “does sound fishy” that so much data would go missing.

Leaving backups of critical data to individual employees would be an odd choice for an organization’s IT department if the top priority were to make sure nothing was lost, said Paul Bischoff, an online privacy expert at the security firm Comparitech.

“If individual staff members were responsible for backing up and resetting their own devices instead of trained IT staff, I can see a lot of opportunities for user error to crop up,” Bischoff said. “That might result in some data being accidentally lost, or it could just be a convenient alibi.”

It also remains unclear whether the data is gone forever. It is sometimes possible to retrieve data deleted in a factory reset of a phone, depending on how the data was stored, Bischoff said. “Until the old data is actually overwritten with new data, it can remain on disk even after a factory reset and in many cases be recovered using forensic software.” That may not be possible, however, if it was encrypted or overwritten before the reset.

Osgood said he takes the Secret Service at its word that it didn’t intentionally destroy what it should have known could be critical evidence in a historic investigation. But he said its explanations to date leave “more questions than answers.”

Carol D. Leonnig contributed to this report.


