Caveat 3.23.23
Ep 165 | 3.23.23

The technology challenges of national archives regulations.


Bill Tolson: For vendors, you know, if you have zero trust and MFA and encryption and all that stuff, you want, you know, you want the government to know that. But also, you want to point at those federal acquisition regulations and say, "We meet those. These guys don't."

Dave Bittner: Hello, everyone, and welcome to "Caveat," the Cyberwire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my cohost Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today, Ben shares a New York City court case about biometric surveillance at Amazon Go, their brick and mortar store chain. I look at new and potential regulatory moves from a pair of government agencies.

Dave Bittner: And later in the show, my conversation with Bill Tolson from Archive360. We're discussing the National Archives regulation for document management and the technology challenges for moving forward.

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Dave Bittner: Alright, Ben, we've got some good stories to share this week. Why don't you start things off for us here.

Ben Yelin: So, my story is about Amazon Go, the brick and mortar chain of Amazon Market that right now I believe are only in New York City. Have you ever been inside one of these Amazon Go markets? I have not.

Dave Bittner: I have not. I've only, I've seen video and photos, and I have a general idea for how they work, but why don't you explain it for our audience?

Ben Yelin: So, it's a market, a brick and mortar store without any employees. And you walk in.

Dave Bittner: Any visible employees.

Ben Yelin: Any visible employees, yeah. You walk in. It's just like any other market in that respect. You take things off the shelves, and Amazon collects information about what you have purchased and will charge it to your account. And they do that through various mechanisms, including deep learning algorithms, measuring people's movements, observing empty space on store shelves. Basically, a bunch of magic elves in a computer figuring out what you've done when you've walked into one of these stores.

Dave Bittner: Yeah, I have to say, I have done this sort of thing at the Apple store where Apple has an app that you can use in their retail stores. And so, let's say you want a cable or, you know, a new set of iPods or not iPods, AirPods, the headphones. And you can walk in, pull them off the shelf, scan them with the app, and leave.

Ben Yelin: It feels so weird. Saturday Night Live did a skit on this.

Dave Bittner: Yeah.

Ben Yelin: Where, like, people are just shocked that they can just take something and leave and like.

Dave Bittner: Right. Right.

Ben Yelin: People aren't going to be suspicious that you're stealing an item?

Dave Bittner: Yeah.

Ben Yelin: I recommend the SNL skit. It's quite funny.

Dave Bittner: I keep waiting for the trap door to open up underneath me or a cage to drop out of the ceiling, you know, as I'm on my way out of the store.

Ben Yelin: It feels like a setup. It feels like a sting operation.

Dave Bittner: Right. Right.

Ben Yelin: But it's not. However, that doesn't absolve Amazon of legal problems related to its Amazon Go stores. So, in 2021, New York passed a city ordinance that required businesses to post signs if they are tracking customers' biometric information, such as facial scans or fingerprints.

Dave Bittner: Okay.

Ben Yelin: Now, Amazon Go stores do not use facial recognition software, so you can throw that out as a cause of action. But they do use various other kinds of biometric data collection. One of the ways you can enter the store is by having a machine read your palm print. So, that's obviously biometric data. It's collected securely, but then, at least according to this lawsuit that I'm going to talk about, Amazon is just kind of using a mishmash of biometric identifiers for the entirety of somebody's time inside the store.

Ben Yelin: So, beyond scanning palms, they are using sensor fusion that measures the shape and size of each customer's body to identify customers. They're tracking where customers are moving in the stores and determining what they've purchased. So, like I said, it's a good amount of biometric data.

Dave Bittner: Yeah.

Ben Yelin: So, this individual by the name of Alfredo Perez is suing Amazon Go saying that they didn't post adequate notice about this biometric data collection pursuant to that New York City law, and there's a class action lawsuit. So, Mr. Perez is joined by a bunch of other Amazon Go customers who say that they weren't properly warned about this biometric data collection.

Ben Yelin: At least according to the complaint, Amazon, until very recently, did not put up any signs whatsoever within the store saying that biometric information was being collected. They finally did about two months ago, and at least according to the complaint, they were not very well placed. They weren't, it was in small type. It wasn't easy to read.

Ben Yelin: So, they didn't give proper warning that biometric data was being collected, and therefore, there wasn't proper notice given to customers so that they could make an informed decision about whether to enter the store.

Ben Yelin: So, Mr. Perez is represented by the Surveillance Technology Oversight Project, which is a legal advocacy group devoted to this new privacy law. And I think they're using this as a test case to see whether a state court system can hold a giant tech company accountable for violating local privacy laws.

Dave Bittner: Interesting.

Ben Yelin: So, I just think this is a really interesting, novel case, and I'm curious to see where it goes.

Dave Bittner: I'm curious. Amazon being Amazon, and I suppose you need some kind of an app to make this work. Again, you know, in my experience with this sort of thing coming from the Apple store where you do need an app to do this. This seems like the kind of thing that Amazon would have buried in the EULA, right. For the app. To say, "and if you use this app in one of our stores, you agree that we'll be using biometric information to track you around the store."

Ben Yelin: So, they definitely do do that, and you have to opt in to use your palm as a biometric indicator, so.

Dave Bittner: Okay.

Ben Yelin: They've covered their bases on that. But whatever you put in the EULA, I think the 2021 law is quite clear. You're required to post signs if you are tracking customers' biometric information, such as facial scans or fingerprints. Now, I don't know how far that statute extends in terms of what counts as biometric data. I suspect it would certainly include palm prints, but then, everything else that they're measuring, people's movements, body shapes.

Dave Bittner: Yeah.

Ben Yelin: That seems very biometric to me and is probably covered under the law. So, whether it's contracted away in the EULA or not, according to this law, it's still Amazon's responsibility to put up this clear signage. And at least for a period of a couple of years after the law was enacted and went into effect, they weren't doing that. Meaning that people who were entering these stores didn't have proper notice of everything that was being collected.

Ben Yelin: There's also kind of an interesting procedural history here where a couple of the plaintiffs that are involved in this lawsuit notified Amazon in writing that they had visited a store, that the store was collecting biometric information, and that Amazon had not posted the sign. And Amazon, at least allegedly, ignored these requests. They didn't send this person any sort of written statement, and seemingly just did not comply with the provisions of the biometric identifier information law.

Ben Yelin: So, according to the complaint here, Amazon, not until very recently, posted its first sign outside Amazon Go stores. And that just simply wasn't adequate in terms of providing the proper notice required under the statute.

Dave Bittner: That's interesting. I mean, the palm scanning is kind of self-evident, right. You walk in, we ask you to scan your palm for entry. That's, I guess what they're saying is that's not notice enough. The fact that you have to do that isn't notice enough. Not letter of the law.

Ben Yelin: Yeah. I mean, it's also the palm print is optional. I don't know what the other ways to gain entry is. Maybe it's like passcode or something. I'm sure people are listening to this banging their heads on the wall being why didn't you guys visit an Amazon Go store.

Dave Bittner: Right. Do a field trip to New York.

Ben Yelin: Do a little research. Yeah. So, if anybody wants to support a fact finding mission to these stores, I would love to see all of the possible avenues to gain entry. But yeah, the palm read is strictly voluntary, but the allegation here is that even beyond the palm print, they are constantly collecting biometric information without the type of fair warning that's required in New York City.

Dave Bittner: How do you think this plays out here? I mean, is this a slap on the wrist to Amazon and kind of giving everyone else notice that they're going to take this seriously?

Ben Yelin: Probably. So, the plaintiff is seeking declaratory relief. Some sort of declaration that Amazon has violated the law and an order requiring Amazon to comply with the law. The class of plaintiffs is also suing for monetary damages, claiming that their rights were violated by Amazon. I don't think this is the type of case where you would see any sort of significant amount of monetary damages. I mean, I just don't know what the concrete injury here is necessarily.

Dave Bittner: Right.

Ben Yelin: That would lead to a large amount of damages. I'm sure they completed their case in court. Maybe they've suffered some type of emotional distress, and they're going to request punitive damages.

Ben Yelin: I think what's more likely is that they end up settling. Amazon admits that it hadn't been properly complying with the law. Maybe they pay some type of nominal damages and Amazon puts up very obvious, conspicuous signs saying, "Hey, notice. Under the 2021 statute, we are required to tell you that you are being monitored through by all these biometric identifiers."

Ben Yelin: I, personally, hope they don't settle, because I would love to see what this lawsuit looks like. I mean, I think in a courtroom talking about the nitty gritty of the type of surveillance that exists here and what counts as proper notice. And what level of biometric data collection is sufficient to trigger the necessary warning and the statute. That would all seem very interesting to me. But I don't think this is the type of thing that will end up in court. Amazon certainly has the resources where they could probably just make this go away.

Dave Bittner: Yeah.

Ben Yelin: Yeah. It's just a local lawsuit. Amazon has a lot of money.

Dave Bittner: Right. I think it's fascinating that this notion of not having to use facial ID if you can recognize someone's size, shape, and gait. Right. You know, the way someone moves is unique, and how you could identify someone with a security camera, perhaps even at a greater distance. Because your body is such a larger target than just your face.

Ben Yelin: Yeah. I mean, I haven't actually read most of the research on this, and it must be at least close to enough of an exact science that you can really figure out who a person is by measuring their shape and size. You know, there are a lot of very clear identifying features on our face. That's why there is facial recognition. There are very clear identifying, you know, when you're doing a palm read or a fingerprint, that's obviously you have a one in trillion chance of getting that wrong.

Dave Bittner: Yeah.

Ben Yelin: I don't know how that works with bodies. I mean, what about, my wife is an identical twin. What would happen if her twin was in one of these Amazon Go stores and had the exact same body type. And.

Dave Bittner: Well, identical twins are always the pesky little edge case, right, for so many things.

Ben Yelin: Right.

Dave Bittner: When you shared your DNA with someone.

Ben Yelin: I mean, try going to law school, because every hypothetical is, "Well, what if it was their identical twin?"

Dave Bittner: Right.

Ben Yelin: And they were arrested.

Dave Bittner: Exactly.

Ben Yelin: Yeah. So, yes. That is an edge case, but I do think, like, and again, I don't know the exact research on this. It seems like there's a greater chance that two people in New York City have extremely similar body type shapes and sizes and series of movement.

Dave Bittner: Yeah.

Ben Yelin: Than it is that two people have identical biometric indicators in their face or palm or fingerprint.

Dave Bittner: Well, I don't want to put you on the spot here, Ben, but your, can you tell your wife and her sister apart from a distance?

Ben Yelin: Yes, I can. But that's mostly, although I did meet them around the same time because we were in college. But you know, and when you're with one of them every single day for a great number of years now, eventually, you learn.

Dave Bittner: Yeah. I just remember a time when, you know, this was just a couple of years ago. I was seeing an old friend, a childhood friend who I'd not seen in several years, and we were meeting up down in Washington, D.C. to get together and just, you know, have a meal together and just kind of see each other after not having seen each other for years.

Dave Bittner: And I saw him coming down the street from a distance, and before I could. He was too far away to recognize his face, but I knew it was him by the way he moved. You know, there was a certain bounce in his step and the way that he carried himself that, having known him as long as I did, I knew that was him.

Dave Bittner: And I wonder if that's a similar sort of thing. How much is the way we move unique, and is that something that can be tracked?

Ben Yelin: So, I think what we need to do is hire some method actors who study people's movements.

Dave Bittner: Right.

Ben Yelin: And then, the scan is you'd go into an Amazon Go store. Now, granted, you'd have to have an identical body type as that person. But try and move exactly like an Amazon Go customer and see if their account gets charged.

Dave Bittner: Right. See if we can fool the system.

Ben Yelin: Yeah. I think we got a good idea for a Netflix series.

Dave Bittner: There we go. Sure. Sure. Alright. Well, it's an interesting story. We'll have a link to that in the show notes.

Dave Bittner: I actually have two stories this week because they're both kind of short. But they're not completely unrelated from each other, so I thought I'd connect them together, see if we can connect some dots here. The first one here comes from Reuters, and it's titled "Wall Street Regulator Proposes New Hacking Data and Market Resiliency Rules." This is from the folks from the Securities and Exchange Commission, and this story points out that with some dissents from Republican members, five members voted at a public meeting to propose rules on protecting consumer financial data, preventing hacking at stock exchanges and broker dealers and buttressing the resiliency of market infrastructure part of continuing concern with modernizing regulations to match advancing technological threats.

Dave Bittner: So, the proposed regulations here would affect notification. They would require that if there's an unauthorized data access that they notify customers within 30 days. That seems like a lot to me, still. But they would more, perhaps more interesting, they would be required to notify the SEC, and this is in air quotes, "immediately," and again in air quotes, "of significant incidents." Now, I know this has your lawyer Spidey sense tingling here, Ben, because those are two very fuzzy words, aren't they?

Ben Yelin: They are quite ill-defined. And I'm sure when they get into the detail of this rule making, which is supposed to take place over the next couple months. I'm sure they will try to figure out what a proper definition of "immediately" is and what "significant" is. If they take the very lawyerly route, what they'll do is say, "Immediately means what's customary in the industry," or "what a reasonable company similarly situated would have done." There's a lot of pushback from a lot of the big brokerage firms.

Dave Bittner: Yeah.

Ben Yelin: Because these would seem to be pretty onerous regulations, and from the perspective of these firms, I don't think this is completely unreasonable. Immediately after an incident, you would want to be focusing on ameliorating the incident, protecting your data, getting the hackers out of your system, and not necessarily on reporting to the SEC.

Dave Bittner: Yeah.

Ben Yelin: So, that seems to be the nature of the opposition, and I wonder if that opposition is persuasive enough that it affects the rule making process here.

Dave Bittner: My take on this is that as long as the SEC is open to having the reporting be something along the lines of, hey, something happened. We're not 100% sure what's going on, but we know something happened, and we're just putting you on notice that something happened and we're looking into it. Like, to me, that's a reasonable notice with immediately, right. And they're saying less than 48 hours here is what they're, they seem to be proposing here. To me, that seems like a good compromise between the need to notify them that you're aware that something has happened to your systems, and then, you know, you'll be able to flesh it out later. But you're marking that time and saying, okay. It's been this amount of time since we discovered something. And then, maybe later, you know, if it turns out to not be such a big deal or whatever, you can follow up with the SEC. But I think my take on this is that the spirit of this is that they don't want organizations to be able to sweep things under the rug.

Ben Yelin: Right.

Dave Bittner: And say, oh, this wasn't such a big deal or we were able to mitigate this.

Ben Yelin: So, you don't need to know about it.

Dave Bittner: Why tell the SEC if this turned out to not be a big deal? And I get why the companies might want it to play out that way. But what do you think of my attempt to suss this out?

Ben Yelin: I think it's a good hypothesis. I mean, you're right that the companies feel like they would both be over burdened by these regulations, and they'd be worried about taking a reputational hit. I mean, ultimately, they want the confidence of their customers. So, there might be kind of a disincentive if something's a borderline hack or you're not exactly sure if your system has been compromised. You know, the company might just want to sweep that under the rug, and maybe this is a way to prevent that from happening so that as the public we have a broader understanding of the threat landscape in the financial sector.

Dave Bittner: Yeah.

Ben Yelin: So, yeah. I mean, I think that sounds like a reasonable perspective. I'm not sure if there's that much value added. I mean, I get it, but is there that much value added if the requirement is just, hey, we think something happened. We're not sure exactly what it is. We're not sure the extent of the intrusion onto our device or our networks. Stand by. I mean, is that that valuable in terms of a piece of information? I think it's valuable because if a bunch of companies do that at the same time, maybe there's, you know, some type of malign actor out there.

Dave Bittner: Yeah. I think it's useful for documenting the timeline.

Ben Yelin: Right.

Dave Bittner: So, I think it has value there. Alright. So, we will have a link to that story in the show notes. My second story here is from the CFPB, the Consumer Financial Protection Bureau. They have put out notice that they're looking for public input to help them with some planned rule making under the Fair Credit Reporting Act. Now, the Fair Credit Reporting Act, my understanding is that that was put in place to help with the credit reporting agencies, right. Which we all.

Ben Yelin: The big three that we unfortunately have to deal with anytime we purchase anything of great significance.

Dave Bittner: Right. And the notion being that most people don't have a choice as to whether or not they interact with these three organizations. They collect information whether you like it or not, and they share it whether you like it or not. And you know, the case can be made that that's a necessary good thing for our system. The case can be made that it's not. But in this case, what the Consumer Financial Protection Bureau is doing is they're using that act, they're using their authority under that act to try to go after data brokers, which I think is very interesting. What do you make of this, Ben? Is this a warning to data brokers out there that they have a new spotlight on them?

Ben Yelin: It is. I mean, this is a very preliminary step. So, this inquiry is only seeking information about business practices employed in the market so that the Consumer Financial Protection Bureau's efforts to administer the law conform to what's actually happening in the real world. So, the CFPB wants to hear about business models and practices of the data broker market, including details about the types of data that brokers collect and sell and the sources they rely upon. So, with this preliminary fact finding, they'll be able to have a better understanding of what actual business practices are and where they need to, specifically where they need to tailor their regulations.

Ben Yelin: So, this is, I think, the beginning of a longer process of introducing some regulation into the wild west of data broker collection, and I think they're leveraging the authority that they have under the Fair Credit Reporting Act to take this initial action. So, they are requesting comment, meaning interested businesses or individuals can publish or go onto the federal register and read the notice of public rule making and issue their comments to have input on this process. I'm wondering how cooperative businesses will be at contributing in this notice and comment period because they might be sowing the seeds of their own demise.

Dave Bittner: Right. Right.

Ben Yelin: If they're not going to be able to be engaged in this type of data collection going forward. So, why would they want to be honest in the federal rule making process about how they're going about collecting data. So, I think there's going to be a major role for consumer advocacy organizations to step in and say, "Here's what the companies are not telling you about what type of data is collected."

Dave Bittner: I mean, do we suspect with something like this they'll also get an avalanche of submissions from lobbyists for industry here?

Ben Yelin: Yeah. So, the way notice and comment usually works is I would say 90% of the comments, once you look at the file for a proposed rule, 90% of the comments are from industry or lobbyists. Five percent of the comments are from other interested parties. This is a very gross, inexact calculation, by the way.

Dave Bittner: Okay.

Ben Yelin: This is just an anecdotal estimate. And then, 5% of comments are just from crazy people who live in the woods and randomly search out.

Dave Bittner: Right. Right. Right.

Ben Yelin: Administrative rules to try and comment on.

Dave Bittner: Right.

Ben Yelin: So, it is an issue. It tends to be dominated by lobbyists. They're the ones who know about these rule making processes. They know when to submit comments. It's nice that in the space there are consumer groups and also a lot of privacy oriented organizations in Washington, D.C. Think tanks. You know, an organization like EPIC or EFF might get involved in this notice and comment process. But yeah, I mean, that would be the concern that it would be a rule making process dominated by the interests of these companies and their lobbyists and that wouldn't end up working in favor of consumers. Which is why, I mean, if you are a consumer that's been affected by data brokers, I think it would be incumbent upon you, in any way you can, to participate in this process so that it's not just the comments from industry that the regulators are seeing here.

Dave Bittner: Yeah. Yeah. Alright. Well, we'll have a link to that story in the show notes as well so that something you think interests you, the information is there for you to submit. We would love to hear from you if there's something you'd like us to consider for the show. You can email us. It's Ben, I recently had the pleasure of speaking with Bill Tolson. He is from an organization called Archive360, and we're discussing some regulations from the National Archives when it comes to government agencies having to digitize and submit their documents to the National Archives. It's been kind of a moving target, and really fascinating conversation here. Here's my conversation with Bill Tolson.

Bill Tolson: Basically, the M1921 is a directive to all U.S. federal agencies that directed them to basically digitize all of their hard copy records that they're storing all over the place. Now, and that's, you know, it's going to be paper and stuff like that, but also, you know, microfiche. I mean, some of these agency records go back, you know, decades and decades.

Bill Tolson: And basically, what the federal government is trying to do is number one save costs by digitizing other records and closing all of each agency's physical hard copy repositories. So, many of the agencies have their own basically warehouse records storage places, and then other ones utilize third parties like Iron Mountain and so forth. But as you can imagine, it comes up, it adds up to a great deal of money because we are talking about a lot of records.

Bill Tolson: I've had a couple people within various agencies as well as some other consultants tell me that the estimation for all agencies across the federal government is they're looking at anywhere from 50 to 60 billion records, hard copy records that needs to be digitized and have something done with.

Bill Tolson: And part of this whole process is when you get into the National Archive requirements for records, they talk about temporary records and permanent records. Permanent records are those records that, based on various policies within the government, eventually get shipped off to the NARA warehouses for or servers for safekeeping for, you know, decades or even centuries.

Bill Tolson: The temporary ones, which is most of the day-to-day work that the agencies do don't necessarily get shipped off to NARA, but they got to be kept for certain periods of time for FOIA response and things like that.

Bill Tolson: So, basically, the M1921 is an overall direct order that tells agencies get rid of your hard copy documents, get rid of the storage locations and convert everything to digital.

Dave Bittner: I can't help but picturing in my mind the closing scene from "Raiders of the Lost Ark," you know. Right.

Bill Tolson: One of my blogs, I used that graphic.

Dave Bittner: Is this generally being accepted as a good idea, the getting rid of paper copies of things and, you know, trusting in digits?

Bill Tolson: Well, yes. You can find arguments on both sides. Like I said, it's a cost cutting process mostly because all of these different hard copy storage repositories do cost money. But it also adds to the complexity, the timeframe, everything else to respond to Freedom of Information Act requests by citizens like us. And you can imagine if, you know, an agency has a billion documents, you know, sitting in a warehouse somewhere and a FOIA request comes through and says, you know, "I want you to give me all the information on this subject." Rounding that up, number one, takes a lot of time, but also it takes a lot of manpower to respond.

Bill Tolson: And as you may or may not know, federal agencies are just being absolutely deluged with FOIA requests since the pandemic started.

Dave Bittner: By the way, I think it might be just because the requesting citizens don't have anything else to do.

Bill Tolson: It's fair enough. But those numbers of requests have skyrocketed, and I did some research, oh, about a year ago on one of the articles I was writing. And it said that every single federal agency that responds to FOIA requests. Usually, a FOIA request is anywhere from 30 to 45 days you have to respond to it. Otherwise, you're in breach of the regulation, and they could sue you and all kinds of stuff. I saw that every federal agency is well beyond the 30 to 45 days. Usually in the 12 to 15 month range.

Dave Bittner: So, the deadline for this was the end of 2022, and agencies couldn't make that deadline. So, where do we stand now?

Bill Tolson: Great question. In December of last year, 2022, OMB and NARA put out a new directive. And I apologize for all these, you know, numbers and letters and stuff like that. But the directive was called M-23-07, and what that did is that extended the deadline for all agencies having to have completed this digitization 18 more months. So, June 30, 2024 now is the new deadline. And they did that, obviously, because they saw that most, many agencies were not going to make the original deadline. Some of them hadn't even started yet.

Bill Tolson: In fact, in me talking to various agencies, many of them have said they put this on us, but they didn't give us budget to do it. Therefore, we haven't had the money to actually fulfill these requirements.

Dave Bittner: That was going to be my next question. This was, you know, one of those infamous unfunded mandates.

Bill Tolson: Yes. And this is not a cheap thing, either. I mean, you're talking about billions upon billions of records. The actual digitization process is one thing which is not inexpensive in itself, but also what do you do with the billions of records that have been turned into electronically stored information. What do you do with them? And that's the other part of why I've been looking into this. Because that's the bigger question.

Bill Tolson: You know, there are companies out there that will digitize very rapidly. I mean, they have automated systems that can digitize, you know, hundreds of thousands of pages an hour. And index them and do all kinds of neat stuff. But then, what?

Bill Tolson: And that's the other part of that funding thing is do they have to go out and buy new information management, new records management systems to handle this kind of stuff? Because most agencies have some form of records management software, either on-prem or in the cloud they've been using. But number one, it's expensive to utilize, so if you're going from, you know, 200 million records in your records management system to five or ten billion, the cost is going to go nuts because these records management systems are not inexpensive. They charge you based on how much data you have in it and how many records they're managing. All that stuff. So, again, you get into the unfunded liability part of this as well.

Dave Bittner: Have the National Archives come up with some kind of flexible standard for how to submit these?

Bill Tolson: Well, there are already policies, requirements, all kinds of things. The National Archives is very efficient in most things, and they've had policies, you know, set up for years or even decades now.

Bill Tolson: And I, originally, I mentioned when we first started talking, there's a difference between temporary records and permanent records. Permanent records are going to be a smaller subset of all of the records. But still, the National Archives, based on, for example, capstone requirements. If you've ever heard that. It's a specific regulation within the federal agencies that says people at or above these titles automatically all their stuff gets eventually funneled into the NARA servers, and then everything else mostly is just going to have retention disposition placed on it. And at the end of its retention period, it gets disposed of.

Bill Tolson: And they do that in, like I mentioned, because of FOIA requirements. And you know, it makes a lot of sense. But no, NARA is very good about telling agencies what they should and should not do, what they have to do and don't need to do. The problem is that, you know, agencies, federal agencies don't tend to stand up and jump when NARA says something.

Bill Tolson: By the way, it's a great organization, great managers and stuff in there. They really do a phenomenal job on collecting and protecting a lot of the country's data. But it, you know, it's one of those things that you got to keep prodding.

Bill Tolson: Now, the other thing, and I'm not sure if you wanted to get into this. But I'll at least mention it. A complicating factor for this digitization, and like I mentioned, what do you do with it after the fact, after you've digitized it?

Bill Tolson: In May of 2021, President Biden put out an Executive Order, EO or Executive Order 14028 titled "Improving the Nation's Cybersecurity." Now, what that.

Dave Bittner: That was my next question.

Bill Tolson: Oh. Wow. We're in sync here. We're in sync.

Dave Bittner: Well, I was going to say, like, what about privacy and security? I mean, it's one thing to have, you know, again, that Indiana Jones warehouse where it's locked up and you have a certain amount of obscurity. But once, you and I both know, once you digitize something, that's a different ballgame.

Bill Tolson: In today's cyber environment, and I write a lot about, you know, malware, cybersecurity, data security, but also ransomware and extortionware. Basically, this Executive Order, with a much more compressed timeline, basically directed all federal agencies to improve. Do two things. 14028 first and foremost says agencies you will move to the cloud and quit dragging your feet. And that's a complete move 99% of the time. So, move to the cloud. But also, as you move to the cloud, increased cyber requirements are now part of the law. And I'll give you another directive, M2218, which points at the Executive Order from NARA and says do that. So, basically, what the cyber, what the new cyber requirements include are all agency systems must include multifactor authentication.

Dave Bittner: Yeah.

Bill Tolson: Makes sense. The next one is all sensitive data, all agency sensitive data must be encrypted in transit and at rest. Which kind of makes you wonder why isn't it already.

Dave Bittner: Right.

Bill Tolson: But it's not. And then, thirdly, they say all systems that process, hold, store data must be designed and built on zero trust architectures. Now, that's a relatively new thing for a lot of people, especially for the federal government. Maybe outside of the intelligence agencies, but basically, the problem with this is that all of their, I shouldn't say all. Much of their legacy data applications that they have either on-prem or in the cloud are not built on zero trust. They're, you know, zero trust has only been around for a couple of years. Many of these records management information management systems are 15, 20 years old. So, this is also the problem.

Bill Tolson: So, going back to my original statement on M1921, what do you do with all the data that you're digitizing? If your current legacy systems are not up to the task and you have to wait for them to either be redesigned or you have to wait before you go out and purchase different ones that do meet the new cybersecurity requirements, you could potentially be having, you know, hundreds of terabytes or even petabytes of data with nothing, nowhere to put it. Plus, with no real decent security around it.

Bill Tolson: And both the Executive Order as well as the NARA directive that points back at the cybersecurity order both referenced the NIST secure software development framework and the NIST software supply chain security guidance framework. Which adds additional complexity for vendors. So, vendors must be able to self-attest that they meet these requirements. And eventually, they'll be checked up on.

Bill Tolson: But even for agencies who have existing applications, they have to attest to those. And by the way, if those existing applications don't meet the new cyber requirements, they must be retired very quickly and their existing data migrated somewhere where it can be protected per the new cybersecurity requirements.

Dave Bittner: So, we missed the 2022 deadline. Now, we have this deadline for June 2024. Does that deadline have any teeth, or is it aspirational?

Bill Tolson: It probably is, it probably has baby teeth and it's aspirational.

Dave Bittner: Okay.

Bill Tolson: You know, federal government requirements, you know, for you and I are set in stone. For agencies.

Dave Bittner: Try not paying your taxes, yeah.

Bill Tolson: It's like, well, you know, we don't have the budget, or we need an extension. How many times they'll give an extension. Which, you know, you just mentioned the one extension. And by the way, the Executive Order on cybersecurity has not had an extension, and that was supposed to be accomplished by May 2022. And here we are, you know, approaching a full year beyond that. And you know, in the background, we hear agencies and consultants say, "Well, you know, they're getting an application by application or an agency by agency extension." Those kinds of things. And it's not being publicized.

Bill Tolson: But I think these combined are probably going to number one, force the final move to the cloud but also the digitization as well as the cyber requirements. Whether it's complete in June 30 of 2024 or whether it goes into another extension, I don't think it'll go far beyond that. Because this is because of the cyber environment we're in now, that Executive Order must be followed eventually. Otherwise, all of our data's at stake. So, I think that combined with pointing back toward the digitization requirement is probably going to be, probably end up pulling the agencies, you know, kicking and screaming into being compliant.

Dave Bittner: You know, I think about situations that I've heard of where, you know, folks I've heard of are trying to research their family history or something like that. And they'll come against, you know, a warehouse burned down or City Hall burned down. All the census records. I think there's one, there's one year of census records that many of them were lost because of a fire.

Dave Bittner: The direction we're heading in with this, and I'm asking, you know, for you as someone who's steeped in this stuff, who works with it every day, is this sort of move reasonable protection against those sort of holes, that physical vulnerability of paper records and microfiches and all that good stuff?

Bill Tolson: I believe so. If the basic standards are followed and they make sense, you know, with, if you're eventually digitizing all the records and moving it into a cloud repository of some sort and having it be managed with very good security. What that also will do is most, you probably know this. Most cloud platforms, you know, you could do, you know, replication from geo to geo to geo so that, you know, at any one time, you have two or three backups of all the data. Not backups but failover sites so that, you know, if the one in Salt Lake City, you know, gets destroyed in a fire, then the one in Alabama can take over. Then, the one in, you know, New York can take over that.

Bill Tolson: So, I think intrinsically, clouds offer better fail over protection of the data because if a paper warehouse gets burned down, it's gone. But, you know, if a cloud data center, you know, goes away for some whatever reason, there are usually going to be, you know, two or three full kind of fail over sites of all the data that can be drawn on very, very quickly.

Bill Tolson: Also, and I do a lot with data security and stuff. Usually, the more well-known cloud platforms like, you know, Azure, like AWS, like Google, you know, they are, have very, very. They have great security. Much better than on-prem systems. Because on-prem systems, you got to wait a period of time. You got to do patches, all kinds of stuff. The, you know, an Azure and AWS, I mean, they got thousands of people just working on data security. So, not that this is a commercial for them, but generally speaking, cloud systems tend to be safer for data loss. But also safer for data security as well.

Bill Tolson: And then, you know, like we kind of alluded to. If you're indexing all of these paper documents into electronically stored information, then you can search them. You know, you're building an index. As you add new stuff into it, you can search them for FOIA, for eDiscovery, for all of those things, instead of, you know, sending a team of people over into a dusty warehouse for a year looking for something.

Dave Bittner: Right. Right.

Bill Tolson: And one other real quick point. These, all these Executive Orders as well as these NARA and OMB directives all reference that federal agencies now, I think at the end of last year. But they might have given it a slight extension. Basically, the Office of Management and Budget, OMB, has rewritten the Federal Acquisition Regulations, FAR. And what they've done is they've basically codified into the regulations, into the Federal Acquisition Regulations that an agency cannot buy software applications, storage, whatever, that does not meet the new guidelines. So, once that's written into the Federal Acquisition Regulations, I mean, that is the law, and a federal agency cannot, will not get an extension to go around it.

Bill Tolson: So, for vendors, you know, if you have zero trust and MFA and encryption and all that kind of stuff, you want, you know, you want the government to know that. But also, you want to point at those Federal Acquisition Regulations and say, "We meet those. These guys don't."

Dave Bittner: Yeah, you know, I see all of the utility of it and certainly for both citizens and the government agencies themselves. There's so many advantages to this. I just can't, I guess, help having a little bit of nostalgia for the, you know, sending the librarian or the archivist or whoever it may be back into the stacks to find that little nugget of information you were hoping to find.

Bill Tolson: Oh, yeah. Yeah. I mean, I've been around a long time. Back in the decades ago I worked for the defense industry. You know, and we were, you know, building satellites and missile systems and all kinds of neat stuff. And you know, with that kind of work, you know, where you're doing defense work, everything is a record. Everything gets stored forever.

Bill Tolson: And I remember, we'd have Air Force, they called them Tiger Teams come in every once in a while unannounced and say, "We want to see all the records on this project." And it was all paper. So, you'd have to contact your outside repository and say, you know, "Bring me over the records on this." And it could be, you know, 1500 bankers boxes.

Bill Tolson: And you know, sort of a horror story. You'd start opening these boxes and there'd be, you know, a dead rat in one and you know, a petrified sandwich in another one. You know, and all kinds of objects that you'd rather never see. As well as the records. And the other thing with paper records is, you know, it's like the old saying, you know, you put something in, it never comes out again. Very few companies actually dispose of paper records if they're sitting in, you know, a third party repository. They've been there for 15 or 20 years. Nobody thinks, well, you know, I got to go through and do a little cleanup. They move on. So, you end up with more and more and more hard copy records, and it makes it so much harder to find anything.

Dave Bittner: Ben, what do you think?

Ben Yelin: It was a really interesting conversation. I have to admit, I was not familiar with the world of digitizing documents in federal agencies and.

Dave Bittner: Right.

Ben Yelin: How cumbersome it is and how costly it is for these agencies. Usually, when we hear about the National Archives, it's about former Presidents, current Presidents, former Vice Presidents.

Dave Bittner: Yeah, lately anyway.

Ben Yelin: Who have improperly retained documents.

Dave Bittner: Right.

Ben Yelin: So, it's just a really interesting view into this world.

Dave Bittner: Yeah.

Ben Yelin: And something that I just didn't know very much about.

Dave Bittner: No, it's fascinating to talk with someone as knowledgeable as Bill, who's, you know, been in this space for as long as he has. You can clearly hear that, you know, he's been around the block. He knows what's going on. And so, he can kind of, you know, cut through the gobbledygook and let you know what you really need to know. So, we appreciate Bill joining us again. He's from an organization called Archive360, and our thanks to him for spending the time with us. That is our show. We want to thank all of you for listening. The Caveat podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our Senior Producer is Jennifer Eiben. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.