«Testimony of The Honorable J. Russell George Treasury Inspector General for Tax Administration and Timothy P. Camus Deputy Inspector General for ...»
HEARING BEFORE THE
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
U.S. HOUSE OF RESPRESENTATIVES
“IRS E-mails: Part II”
The Honorable J. Russell George
Treasury Inspector General for Tax Administration
Timothy P. Camus
Deputy Inspector General for Investigations
Treasury Inspector General for Tax Administration
June 25, 2015
THE HONORABLE J. RUSSELL GEORGE
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATIONand
TIMOTHY P. CAMUS
DEPUTY INSPECTOR GENERAL FOR INVESTIGATIONS
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATIONbefore the
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
U.S. HOUSE OF REPRESENTATIVES
BACKGROUNDOn June 13, 2014, in a letter to the Senate Finance Committee, the IRS reported that as it was completing its document production for Congress concerning allegations that the IRS targeted certain 501(c)(4) applicants, it realized that the production of the emails of Lois Lerner had gaps. IRS officials reported that in their attempts to find missing e-mails, they determined that Ms. Lerner’s IRS laptop computer suffered a hard drive crash in June 2011, and therefore some of her e-mails could not be recovered.
The following Monday, June 16, 2014, the Treasury Inspector General for Tax Administration’s (TIGTA) Office of Investigations initiated an investigation into the circumstances surrounding the hard drive crash and the missing e-mails. One week later, on June 23, 2014, TIGTA received a letter from then-Chairman Ron Wyden and then-Ranking Member Orrin Hatch of the Senate Finance Committee requesting TIGTA to formally investigate the matter, including to “perform its own analysis of whether any data can be salvaged and produced to the committee.” Throughout our investigation, when appropriate, we have updated the tax-writing and oversight committees of Congress, including this Committee, concerning our progress in recovering the e-mails. However, during those updates, we did not discuss the investigation itself. As we are at the end of the investigative process, we are now in a position to provide information about our investigation.
TIGTA’s investigation included the interview of over 113 witnesses, some witnesses on multiple occasions, extensive document reviews, and the processing and analysis of over 20 terabytes of data. As a point of comparison, one terabyte of data is the equivalent of one million standard books.
There are six possible sources that were examined in an effort to recover the missing e-mails: Ms. Lerner’s crashed hard drive, the backup (disaster recovery) tapes, a decommissioned IRS e-mail server, the backup tapes for the decommissioned e-mail server, Ms. Lerner’s BlackBerry, and loaner computers that may have been assigned to Ms. Lerner while her laptop was being repaired.
Following a logical sequence, we will first provide our investigative findings about Ms. Lerner’s hard drive crash and the probable final disposition of the hard drive. Our investigation determined that on Saturday, June 11, 2011, between 5:00 pm and 7:00 pm, Ms. Lerner’s IRS issued laptop computer stopped communicating with the IRS server system. The IRS server system sends messages out to all of the networkconnected computers every two hours. The last communication between Ms. Lerner’s laptop and the server system occurred around 5:00 pm, and at that time, based on consistent network reporting for more than a week, the laptop computer was likely located in Ms. Lerner’s office. The laptop failed to respond to the server at 7:00 pm.
Computer Hard Drive
On Monday, June 13, 2011, Ms. Lerner reported that she found her computer inoperable when she entered her office, and the malfunction was reported to the IRS Information Technology (IT) staff. The assigned IT specialist determined the hard drive had crashed, and following standard protocol, he placed a new hard drive in Ms.
Lerner’s laptop. In addition to the hard drive, a Hewlett Packard (HP) contractor replaced the laptop’s keyboard, track pad, heat sink, and fan. When interviewed, both the IRS IT technician and the HP technician reported that they did not note any visible damage to the laptop computer itself. When asked about the possible cause of the hard drive failure, the HP technician opined that heat-related failures are not seen often, and based on the information provided to him, the hard drive more than likely crashed due to an impact of some sort. However, because the HP technician did not examine the hard drive as part of his work on the laptop, it could not be determined why it crashed.
On July 19, 2011, Ms. Lerner requested IRS IT to attempt to recover data from her crashed hard drive because, according to her, she had “personal information” on the drive. The IRS IT management agreed and requested assistance from the Internal Revenue Service Criminal Investigation Division (IRS-CI). After receiving the hard drive from the IT technician, the IRS-CI technician attempted, but was unsuccessful in recovering data, so he returned the hard drive to the IT depot at the IRS headquarters building for its ultimate destruction. According to the IRS-CI technician, he noted some scoring on the top platter of the drive, and he believed there were additional steps that could have been taken to attempt to recover data. IRS IT management determined the extra effort to recover data from Ms. Lerner’s hard drive was not worth the expense. It is critically important to point out that we determined the IRS does not track individual hard drives by their serial number(s), nor was the serial number recorded by the IT technician or the IRS-CI technician when they handled and examined Ms. Lerner’s hard drive.
On August 8, 2011, the hard drive was received back at the IT depot, and placed into a box with other failed hard drives and electronic equipment that IRS IT was gathering, bundling and holding for destruction by an IRS vendor. After August 8, 2011, the next identified bulk shipment of materials to be destroyed was on April 13, 2012.
Following the timeline, Ms. Lerner’s hard drive would have been in the April 13, 2012 shipment of materials sent for destruction. TIGTA traced this bulk shipment to the Marianna Recycling Facility in Marianna, Florida. This facility is operated by the Federal Prison Industries, Incorporated, also known as UNICOR, a Federal Bureau of Prisons sponsored program. We determined by obtaining the certificate of destruction dated April 16, 2012, interviews with the facility manager, and a search of the facility, that this shipment of hard drives was destroyed using an AMERI-SHRED AMS-750HD shredder.
TIGTA agents observed the shredder in operation and noted that the shredder cut the inserted hard drives into quarter-sized pieces, and according to the facility manager, those pieces are then sold for scrap.
As the hard drive was likely destroyed at the UNICOR Recycling Facility in April 2012, it was not available for TIGTA’s e-mail recovery efforts or further examination of it to determine the cause of the hard drive failure. Attempts were made to determine if anyone entered Ms. Lerner’s office prior to the hard drive crash on June 11, 2011;
however, the entry logs that would have recorded any entry into the building were destroyed by the building security vendor after one year of retention, or sometime in
2012. The destruction of the logs after one year falls within the vendor’s standard operating procedures.
Backup (Disaster Recovery) Tapes
The IRS manages the e-mail for its approximate 91,000 employees by routing the e-mails through Microsoft Exchange Servers that are backed up periodically using backup tapes. These Microsoft Exchange Servers, save e-mail data to large data arrays, which consist of hundreds of hard drives that are placed into server racks. Until May 2011, the e-mail server that handled Lois Lerner’s e-mail traffic was located at the New Carrollton, Maryland, Federal Building. In May 2011, the IRS migrated its e-mail processing from the e-mail server at New Carrollton to a new e-mail server located at the IRS’s Martinsburg, West Virginia, Computing Center. After migrating its e-mail system to Martinsburg, the IRS turned off the e-mail server at New Carrollton, but left it in place. Early in the investigation, an interview with the IRS Director of Data Management Support and Services revealed that it was his team’s belief that the New Carrollton e-mail server hard drives and backup tapes had likely been destroyed.
On June 30, 2014, TIGTA demanded that the IRS provide all backup tapes used to back up Ms. Lerner’s IRS e-mail account, specifically all backup tapes used for emails during the time period of January 1, 2008 through December 31, 2011. These date ranges were selected to ensure that we obtained any overlapping e-mails or accounted for mid-year equipment changes. As a result of this demand, on July 1, 2014, the IRS identified 744 backup tapes that met this criterion and TIGTA took possession of all of them.
With regard to nine of the 744 backup tapes, based on how they were configured in the backup machine, the IRS was unable to determine the dates they were used. As a result, IRS technicians believed it was possible that the nine tapes had been untouched for years and thus could contain clear data relevant to the investigation. As TIGTA did not have the necessary unique hardware to examine the nine tapes, they were provided to the Federal Bureau of Investigation (FBI) for determination as to whether they contained any data and, if so, to retrieve it. After the FBI analyzed the nine tapes, they reported all nine contained no logical information. TIGTA then provided those same nine tapes to a recognized industry leader on electronic data recovery, and they confirmed the FBI’s findings.
After confirming the initial nine tapes contained no logical information, and fearing that the remaining 735 tapes were overwritten, TIGTA interviewed the IRS executive in charge of the IRS e-mail backup program, his staff identified the specific backup tapes that would contain the earliest copies of Lois Lerner’s e-mail box. The backup tapes consist of five sets of tapes. These five sets were created in sequential weeks from November 20, 2012 through December 25, 2012.
We hand carried the backup tapes to the recognized industry expert for data recovery and extraction. After their examination and extraction of data, they provided TIGTA with Exchange Database files from these tapes. On November 13, 2014, TIGTA searched the database files and identified the first Lois Lerner e-mail box. As expected, the backup sets contained one Lerner e-mail box per set for a total of five mailboxes. At the conclusion of the process, TIGTA identified 79,840 Lois Lerner e-mails, of which nearly 60 percent were duplicates. Our removing of the duplicates resulted in approximately 32,774 Lois Lerner unique e-mails.
In order to determine if any of the e-mails had not been previously produced to the Congress, and were therefore new information, TIGTA compared the recovered emails to the e-mails the IRS produced to Congress. This proved to be a significant technological challenge even using state-of-the-art software. When the IRS produced its e-mails to Congress, the process they used to prepare the e-mails modified some of the necessary data elements to an extent that made the possibility of a discreet comparison infeasible. TIGTA agents created a specialized programming script and initially identified as many as 6,400 e-mails that appeared to have not been provided to the Congress. We provided these 6,400 e-mails to the requesting Committees of Congress with authority to receive return information under section 6103 of Title 26, the Department of Justice (DOJ) for their review in their ongoing investigation, and the IRS.
We are currently reviewing them and redacting return information for production to the non-tax writing committees. In addition, we manually compared the 6,400 e-mails to the e-mails that were previously produced by the IRS to Congress and we removed the obvious spam e-mails. At the conclusion of this manual review process, we determined that over 1,000 e-mails that were recovered by TIGTA were not previously provided to Congress, DOJ, or TIGTA. A review of these new e-mails did not provide additional information for the purposes of our investigation.
Decommissioned E-mail Server
On July 11, 2014, TIGTA agents were informed by IRS management at the Martinsburg Computing Center that they had located the hard drives from the decommissioned New Carrollton e-mail server and that they were not destroyed as previously reported. On the same day, TIGTA secured the 760 hard drives that are believed to have been part of the old, decommissioned New Carrollton e-mail server.
We conducted a preliminary examination of a limited selection of the hard drives and determined, based on information that could be seen from these hard drives, that more than likely, these were from the e-mail server that processed Ms. Lerner’s e-mails from mid-2011 and prior.
The e-mail servers process and keep copies of e-mail traffic on the hundreds of drives that are specifically positioned in server racks; however, the IRS did not retain a record of the layout indicating where each of the specific hard drives was positioned in the racks. Without understanding the exact order in which the hard drives were placed in the server racks, finding any complete and relevant e-mails would be very difficult and labor-intensive. In addition, if any of the hard drives are damaged, it could potentially be near-impossible to recover any usable e-mails. We determined that due to the nature of the technological challenge and the sheer number of server drives to be examined, we needed to use a recognized industry expert on data recovery to examine and recover data from the server drives. The expert was able to recover a portion of the e-mail data from some of the hard drives. The expert did not find Lois Lerner e-mail boxes, but they did find e-mail boxes for four of the identified information custodians and one other individual who had a significant amount of e-mail traffic with Ms. Lerner. Examination of these mailboxes resulted in the identification of 58 new e-mails not previously produced to Congress.
On June 13, 2013, TIGTA took possession of Ms. Lerner’s BlackBerry and although the forensic recovery of the BlackBerry produced 2,972 e-mails. After performing a comparison to the e-mails the IRS previously produced to Congress, the examination of the BlackBerry produced 190 new e-mails, of which 169 are from after 8:30 am on May 16, 2013. Six of the 190 e-mails mentioned Exempt Organizations business matters, but they were not otherwise pertinent to the investigation. The investigation determined that Ms. Lerner was issued the BlackBerry on February 14,
2012. TIGTA’s records research and interviews indicate that the BlackBerrys issued to Ms. Lerner prior to February 14, 2012, were more than likely destroyed in conformance with IRS policy.
TIGTA forensic agents located and examined the 10 laptops that were used as loaners when IRS employees in the Washington, D.C., area suffered laptop failures.