Unanswered questions that remain after the Coutts prosecution email search
Joel Dryden | CBC News | Posted: Friday, March 17th, 2023 12:37 AM | Last Updated: March 17th
Keywords, deleted email policy and other details are typical considerations, says digital forensics expert
Alberta Premier Danielle Smith continued to face pressure this week from the Opposition NDP in connection to a January story from CBC News.
Based on information from well-placed sources, CBC reported in January that a staff member in Smith's office sent a series of emails to the Alberta Crown Prosecution Service that challenged prosecutors' assessment of and direction on cases tied to last winter's border protests at Coutts, Alta.
CBC News has not seen the emails.
"Why is it that this premier is held to a lower ethical standard than that which was applied to Minister [Kaycee] Madu, after he engaged in what was found to be interference with the administration of justice?" Opposition Leader Rachel Notley asked Tuesday.
Smith, in response, said such interference "never occurred."
"We did a major investigation by the independent public service over the course of a weekend where they did a full review of all of the emails that had been sent and received out of my office as well as to Crown prosecutors and found nothing," Smith said.
The premier's office described the original reporting as "defamatory" and said it contained "baseless allegations."
CBC News stands by the reporting. CBC News knows the names of the confidential sources, knows where they work, and has carefully assessed the credibility of the information offered.
Days after the story was published, the provincial government conducted a search over the course of a weekend. The province's justice ministry said the search of nearly a million emails had "not generated any records of contact."
Nearly two months after that review, the scope of that search, and what it may have left behind, leaves questions unanswered.
CBC News reached out to Alberta Justice communications director Charles Mainville for answers on these questions on Wednesday, with a deadline for a response by the end of the day.
Receiving no response, CBC News reached out on Thursday to the premier's press secretary, Rebecca Polak, and Jonah Mozeson, executive director of communications and planning in the premier's office, with another deadline for the end of the day. No response was received by publication time.
1. Could the search have found deleted emails?
The province has said it has a retention period of 30 days for deleted emails. However, it also says that once an email is deleted by a user, it would still be accessible for 30 additional days. That's a total of 60 days.
The government's email search took place Jan. 20-22.
That means that any emails that were deleted before Nov. 21, 2022, would not have been accessible during the government's search. The province told the Toronto Star in January it would also require the recipient of the email to delete it.
According to sources, the emails were sent before Nov. 10, 2022.
2. How does the government handle its deleted emails?
This case raises interesting questions about provincial management of email inboxes, said William Ellwood, forensic lead with the Toronto-based Ellwood Evidence Inc., a digital forensics firm.
The Alberta government has a guide for retention of records posted online, which lists four reasons why records should be retained: for administrative value, legal value, fiscal value and for research or historical value.
A list provided in that document provides suggestions for lengths of time that records of various types should be retained, with some ranging up to 12 years.
"Transitory records" — those which have "short-term, immediate or no value" — can be disposed of.
"What is interesting is that these users have the discretionary power to delete email communications, and these are allowed to disappear unrecoverably after only 60 days," Ellwood said in an email.
"In the case of civil investigations, mature corporations generally don't allow their employees this kind of latitude so that information is recoverable after-the-fact if an incident is uncovered."
3. What search terms were used?
When asked what exact search terms were used, the government said those terms were part of an investigatory process and were confidential.
Knowing what search terms were used is critical to understanding the scope of what the search would have turned up or what it could have missed, industry experts say.
"You may exclude stuff if you're just searching for common search terms," Ellwood said in an interview.
"If you're just running search terms — which is, practically speaking, I think what any industry practitioner would say is probably what was done — you're going to run the risk of missing things."
That's because internal communication is often done with casual language, Ellwood said, which means it could be missed if the search terms don't precisely match.
Making targeted searches over such a short time-frame would pose challenges, Ellwood said.
"Searching for that kind of thing is kind of a needle in a haystack when you don't really know what the needle looks like. It's a challenge," Ellwood said.
4. Were additional search tools used?
Beyond not understanding the scope of the search terms themselves, there's been recognition for more than a decade in electronic discovery that a singular reliance on keywords and search terms alone is inadequate when attempting to find information.
Electronic discovery refers to the process of retrieving electronically stored information for a legal case or an investigation.
Other search tools, which are widely available, should also be employed, experts say.
High-profile cases in Canada have revolved around the use of such search methods, including in the 2019 case of Vice-Admiral Mark Norman, accused of leaking cabinet secrets in relation to a shipbuilding deal.
In that instance, defence lawyers for Norman presented the court with evidence, alleging that officials may have avoided using his name while using code phrases to make the search for documents about him more difficult.
"It is important to note that codenames, abbreviations, typos and synonyms are commonplace within all organizations, and that this is not an isolated incident," wrote the Toronto-based Heuristica Discovery Counsel in a 2019 blog focused on the case.
"While keyword searching is a good starting place to identify relevant documents, it is literal and will miss responsive documents that contain unidentified codewords, jargon, abbreviations and typos."
Take, for example, Microsoft Office 365, and a program like Microsoft Outlook. Electronic discovery experts largely view sole usage of such a program as an incomplete strategy to search for electronic information.
Electronic discovery firms often use more powerful analytics tools when conducting such an analysis. Platforms such as RelativityOne often use analytics that include machine learning and keyword expansion, among other tools.
The government did not say if such software was employed in the electronic search.
5. What about personal emails?
On Jan. 23, the government said it searched Alberta Crown Prosecution Service mailboxes for the period of Sept. 1 to Dec. 31, 2022. Premier Danielle Smith's office mailboxes were searched from Oct. 6 to Dec. 31, 2022.
In total, approximately 900 mailboxes were searched, the government said, including both incoming and outgoing emails.
The government also said the search involved "relevant prosecutors" who worked on files related to the Coutts blockade or in the same office as those working on these files.
It did not provide more information to a followup question asking for more details on whether that would include everyone in the Crown prosecution service or just those working in the Calgary office, or whether it would involve all or just a portion of the premier's staff, writing that disclosing those details would compromise the confidentiality of investigatory processes.
CBC News asked if the search just looked at correspondence between government email addresses, or whether emails sent from a personal address on one end would also be captured by the search.
The government said its search hit internal mailboxes but would have caught emails sent from or to a non-Government of Alberta email address.
If personal emails were involved, the Government of Alberta address would need to be either a sender or a receiver of the email — for instance, a personal Gmail account on one end, the government email on the other.
But that goes back to one of the main questions: whether any emails would still exist to be found in the first place.
6. What about the audit logs?
There's also the open question on whether the government searched the emails themselves, or whether they searched the "audit logs" — referring to a set of records that detail who communicated with whom, but not the details of those conversations.
"For many of these systems, they will not only have record retention, but they'll also have audit log retention. So 'X' person did 'Y' on this day," Ellwood said. "If that was evidence that exists, did they look at it?"
If and when the UCP government provides answers to some of the unanswered questions we explored here, CBC News will report on their responses.