Right at close of business last Friday, the Department of Public Instruction released the results of its investigation into how the department came to have the personal text messages of retired K-3 Literacy Director Carolyn Guthrie.
But a number of gaping holes in DPI’s findings call into question how serious the department actually is about getting to the truth.
First, here’s a little background:
Carolyn Guthrie retired from DPI in September 2017. According to sworn testimony she gave in the Istation case, upon her departure she neglected to log her two DPI-issued Apple devices–a MacBook Air laptop and an iMac desktop computer–out of her personal iCloud account.
Unbeknownst to Guthrie, her personal text messages continued to sync to those devices long after her retirement.
One of those text messages, sent in January 2019, included confidential information about North Carolina’s K-3 reading assessment procurement process. The message was used by Superintendent Mark Johnson to cancel the procurement on the grounds of a confidentiality breach at a moment when it was very much going mClass’s way. He later awarded an $8.3 million contract to Istation.
The entire procurement process is under investigation by the Department of Information Technology (DIT), and DIT is expected to rule soon on whether or not it will be thrown out.
In his own sworn deposition, Johnson claimed the text message was obtained when an unknown whistleblower slid a paper copy of it under the door of Deputy Superintendent Pam Shue’s door. (Shue was responsible for supervising the K-3 Literacy department until her departure in summer of 2019.) Johnson said in his deposition that DPI was investigating the origin of the text message.
Fast forward to last Friday afternoon, when DPI released the following statement about the results of its investigation:
A Statement from the North Carolina Department of Public Instruction
The agency has completed its investigation into a former employee’s allegations that her personal text messages were accessed via a DPI-issued device. The former employee admitted that she connected her DPI-issued devices to her personal text messaging accounts in violation of the state’s acceptable use and internet security policy. The investigation concluded that after the former employee retired in October 2017, her former agency-issued desktop computer remained connected to her personal accounts and was transferred to her successor. This individual was a social friend of the former employee and viewed the text messages as a source of entertainment and information on personal matters. The individual shared the former employee’s text messages with at least one other career employee in the K-3 literacy division.
Upon that individual’s retirement, the desktop was transferred to the career K-3 literacy employee. That employee continued to view the former employee’s personal text messages and admitted to providing a screenshot of a text message conversation to her supervisor in February 2019. The supervisor informed DPI leadership that the screenshot had been slipped under her door by an unknown individual. Shortly thereafter, the employee disconnected the desktop from the text messaging account. DPI has examined each device that was assigned to the former employee and has determined that they are no longer connected to any personal email or messaging accounts. The investigation concluded that knowledge of access to the personal account was limited to the K-3 literacy office.
There are some problems with DPI’s findings which deserve attention.
When Carolyn Guthrie retired on September 1, 2017, she was succeeded by an interim director who has no relevance to this matter whatsoever because she retired in July 2018. The text message which used to cancel the procurement was sent and intercepted in January 2019.
The DPI statement claims Guthrie’s desktop computer was eventually transferred to an employee in K-3 Literacy who admitted to viewing Guthrie’s personal text messages and screenshotting the one that was used as evidence of a confidentiality breach serious enough to warrant cancelling the RFP process.
It doesn’t mention whether this employee still works at DPI. Nor does it explain whether there were any repercussions for that individual knowingly violating North Carolina’s wiretapping statute, which could constitute a class H felony.
But there’s another obvious flaw with DPI’s findings that calls the veracity of the whole investigation into question. Notice that the statement only mentions a desktop computer and makes no reference at all to Guthrie’s MacBook Air laptop.
Guthrie was made aware that someone at the Department of Public Instruction was reading her personal text messages in February 2019. She quickly pulled up her FindMy app and saw that one computer physically located at DPI was still actively syncing to her personal iCloud account.
Here’s a closeup of her screenshot:
That’s not a desktop computer, it’s a MacBook. The two icons are completely different on the FindMy app, as you can easily see in this example:
So in the wake of the Department of Public Instruction’s investigation, the most crucial question remains unanswered: Who had Carolyn Guthrie’s former laptop in January 2019?
Numerous public records requests have been filed with DPI for computer inventory logs that would answer that question. Director of Communications Graham Wilson denied those requests, claiming the logs were confidential personnel records and could not be released.
DPI’s findings engage in some really gross victim blaming in the name of standing up for state policy on “acceptable use and internet security.” However, they don’t explain why DPI’s own policy on wiping computers of departing employees to remove “any personal information you may have left on the machine such as passwords” wasn’t followed with either of Ms. Guthrie’s computers.
(You can read that policy here).
But perhaps the most troubling thing about the DPI statement is simply the dismissive manner in which the department acknowledges that one of its employees engaged in potentially criminal behavior while on the clock.
Those actions deserve to be taken seriously–especially when the information obtained through surveillance was used to cancel a multimillion dollar contract.
Is the Attorney General able to take over the investigation?
The Attorney General’s office says they don’t have jurisdiction and also that they could be in a position of having to defend DPI on the matter.