Thirty-six agencies asked to adjudicate users of adultery website; most activity in higher ed
Can the South Caroina inspector general turn state agency heads into moral police?
We’re about to find out.
Culminating a two-month investigation, state IG Patrick Maley has handed information over to 36 agency heads to conduct internal investigations into and mete out discipline for employees found to have used the adultery website Ashley Madison, The Nerve has learned.
In an email sent Friday evening to leadership and human resource personnel at agencies found to have potential users of the site, Maley “requests Agency Heads to initiate administrative inquiries based on lead information that employees within your agency used a state email account or IP address to access open Ashley Madison accounts on an ‘adult’ website designed to facilitate extramarital affairs,” calling the incidents a “potential misuse of state assets.”
The criminal cyber attack in July from hackers who called themselves the “Impact Team” resulted in the release of data in August revealing the identities of 33 million Ashley Madison users’ first and last names, street and email addresses and an estimated 9.6 million credit card transactions.
Several states, including South Carolina, took action immediately following the August data dump, which included approximately 15,000 email addresses nationwide ending either in .gov or .mil.
In California, state government responded quickly to the leak, launching an investigation into 50 current and former state workers also on the basis of misuse of government resources. In Michigan, 17 state employees were found to have utilized the service based on the providing of an email account ending in ‘michigan.gov,’ while Arizona was believed to have the highest number of state employees with email accounts linked to the site at 19. Other states, such as Alabama, launched investigations that either are ongoing or ended quietly.
Maley wrote that in its just-concluded review, the Department of Administration’s Division of Technology identified “36 state agencies having 534 state email accounts (526 Higher Ed; 8 Non-Higher Ed) accessing open Ashley Madison accounts.”
“Additionally, 85 private email addresses (27 Higher Ed, 58 Non-Higher Ed) used 44 state IP addresses to access open Ashley Madison accounts.”
The findings indicate that the vast majority – 526 of 534 – state email accounts are associated with an institution of higher education such as the University of South Carolina or Clemson, students and faculty of which are supplied with a free school email accounts. Maley leaves the schools themselves to investigate whether the addresses belong to students, faculty or staff.
“The data was stratified between Higher Ed and Non-Higher Ed inasmuch as the SIG is requesting administrative inquiries on state employees only and not students for obvious reasons,” Maley wrote. “All data on students is left to the discretion of the higher education Agency Head for any action deemed appropriate.”
Media law attorney Jay Bender said no one using a state-hosted email account, whether a student or employee, has a reasonable expectation of privacy.
“There is no expectation of privacy using a government computer or email address,” Bender said. ‘None.”
Where it can get tricky, Bender said, is if the state pursues the claim that using a government IP address or internet connection on a personal computer or device constitutes a forfeiture of privacy.
“I think that if you use a government or state IP address but are using your own computer, there is definitely an expectation of privacy. I would argue the point that what’s on the computer I bring to work or a student brings to class and acesses the internet with is private.”
At USC as with colleges, students generally have their own laptops and log on using the free wifi available to them. In state government, some state agencies provide free wifi accesible by the public. An additional issue clouding the issue of whether having an email account is proof someone used the site is that Ashley Madison users could establish a free account providing any email address without it having to be certified, meaning anyone could start an account using an “sc.gov” email address without it being a state employee.
For government watchdogs like John Crangle of Common Cause, however, even the potential abuse of state resources for a sexually oriented activity is worth scrutiny.
“I definitely think it’s worth investigating,” Crangle said. “Any time you get employees using government resources for private activities you question whether it’s appropriate.
“Sure, I can use the phone to call my wife, and it’s understood that people will check their bank account or something from time to time, but those things generally are permissible. I don’t think any supervisor would give permission for someone to contact an adultery service, and some agencies may have language that use for a sexually related activity may be prohibited or punishable.”
With the email and IP addresses in hand, it’s now up to the agencies themselves to investigate them internally to determine whether employees have used the site and what, if any, disciplinary measures to take if misconduct is found. Agencies are then directed to submit their investigative findings in a “non-attributable summary format” back to the inspector general “to allow the SIG to summarize the final results of this effort, as well to follow-up to leads provided,” Maley wrote.
Another gray area in this investigation is the danger of names becoming public. Any publication or distribution of the names of private citizens in a shaming context can bring about legal consequences. Two separate settlements were reached in September between attorneys representing former Ashley Madison members and defendants accused of being in possession of the stolen data for purposes of exploitation, including GoDaddy.com, Amazon Web Services and sites that sprang up with easily searchable databases such as AshleyMadisonInvestigations.com, ashleymadisoncheating.info and hackedashleymadison.com, all of which now list only an apology to victims of the data theft on their pages.
To ensure at least a degree of privacy, each state agency received only those email and IP addresses belonging to it, and that information was sent separately via encrypted email to agency human resources personnel, though invariably information technology staff will be brought in to aid investigations into IP use.
Among the state agencies originally identified in August as having addresses associated with the site are the Department of Health and Environmental Control and the Department of Education. A message left Tuesday afternoon with the University of South Carolina was not returned.
“As distasteful as this effort may be to execute by those involved and to be involved, it is necessary to address this potential misconduct issue undermining the public’s confidence in state government,” Maley said.
One state official reached by The Nerve who did not wish to be identified was less enthusiastic about the investigation’s ability to restore faith in government and found the investigation itself in bad taste.
“You look at the state government statistics provided, and only 44 IP addresses and eight email accounts were non higher-ed related,” the official said. “Let’s assume that all of them had an active account, which isn’t likely at all especially since some agencies have internet access used by the public. In state government you have something like 50,000 people employed, so that’s a two-month investigation using the IG’s resources and now 36 agencies’ resources for less than half a percent of the workforce who you can’t prove did anything wrong in the first place other than register an email account. Maybe.”
“That seems like a far bigger misuse of state resources than what they’re going after to begin with. We’re not the moral police.”
Reach Aiken at 803-254-4411 or email firstname.lastname@example.org. Follow him on Twitter @RonAiken and @TheNerveSC.