Long before the leak of a draft opinion reversing Roe v. Wade, some Supreme Court justices often used personal email accounts for sensitive transmissions instead of secure servers set up to guard such information, among other security lapses not made public in the court’s report on the investigation last month.
New details revealed to CNN by multiple sources familiar with the court’s operations offer an even more detailed picture of yearslong lax internal procedures that could have endangered security, led to the leak and hindered an investigation into the culprit.
Supreme Court employees also used printers that didn’t produce logs – or were able to print sensitive documents off-site without tracking – and “burn bags” meant to ensure the safe destruction of materials were left open and unattended in hallways.
“This has been going on for years,” one former employee said.
The problem with the justices’ use of emails persisted in part because some justices were slow to adopt to the technology and some court employees were nervous about confronting them to urge them to take precautions, one person said. Such behavior meant that justices weren’t setting an example to take security seriously.
The justices were “not masters of information security protocol,” one former court employee told CNN.
In a statement attached to the final report, the court called the leak a “grave assault” on the court’s legitimacy and the marshal of the court issued a road map to improve security.
The report and the new revelations of weak protocols come as the court is trying to protect its own legitimacy after an embarrassing leak and allegations (prompted by the recent rash of high profile cases breaking along familiar ideological lines) that it has simply become another political branch. The 20-page report and its still secret “Annex A” raised some questions as to whether the entire investigation should have been outsourced to someone without close ties to the court.
Former Secretary of Homeland Security Michael Chertoff reviewed and endorsed the Supreme Court’s internal investigation into the leak. However, the court did not disclose Chertoff had been paid at least $1 million in recent years to perform security assessments for the court.
The court declined to comment.
Open ‘burn bags’ left lying around
In her report last month, Supreme Court Marshal Gail Curley noted that the “court’s current method of destroying court sensitive documents has vulnerabilities that should be addressed.”
Three former employees told CNN of loose security around burn bags that are supplied to chambers to deal with sensitive documents. A burn bag is a security bag that holds sensitive documents which will ultimately be destroyed by fire or shredding.
There was no uniform rule that established a procedure for these paper bags with red stripes. Instead, the justices each have their own protocols. According to a source familiar with the court’s security practices, employees have the option to use the burn bags which are later taken to the basement of the building and emptied into locked bins so that they can be retrieved by a shredding company.
Another source questioned how the burn bags were handled before they were collected. The source said some colleagues would staple a burn bag shut. Others simply filled them to capacity and left them near their desks. But some burn bags were simply left in the hallway outside of chambers, presumably so that they could be taken to the basement. It would not have been difficult, the source suggested, for someone with access to the non-public area of the court to access sensitive documents.
Remote access let employees print docs from anywhere
Another vulnerability outlined by Curley was printer logs meant to track document production. A former employee highlights something that Curley did not detail: employees who had VPN access could print documents from any computer, making it difficult to track copies. Curley made an important concession in the report that some locally connected printers only logged the last 60 documents printed.
A look at the timeline of the leak reveals how such a system would be problematic for investigators.
That’s because the initial draft was distributed internally on February 10, 2022. But the leak investigation only started in May when Politico published the draft opinion. Some of those print logs would almost surely no longer exist because the 60-document threshold had been reached.
Curley did not go into great detail, but she did suggest the court “institute tracking mechanisms” in the future.
Another potential problem revolved – especially during Covid – around the possibility that opinions could leave the building. According to the report, Court Information System User Guidelines prohibit “attempting to leave facilities with Court Sensitive Information (hard copy or electronic) without proper authorization.”
But during Covid many such regulations were necessarily relaxed. And even with the rule in place, one source said, there were no mechanisms to check what was actually being taken from the court. To be sure, the hallways in the areas of the court that are closed to the public were guarded and protected by doors with a numerical code necessary to enter, but the code wasn’t necessarily changed very often.