What Hillary Clinton’s private email account tells us about secrecy, security and transparency

In 2009, a confirmed secretary of state enters the office on the first day and is offered a State Department email address. Why in the world would Hillary Clinton not use it, given the context of millions of emails gone missing from the previous administration?

Or, if she chose to intentionally follow the practice of former Secretary of State Colin Powell in using a personal email address for government business and registered clintonemail.com, would she not ensure that all email related to government business was forwarded and preserved? Using Occam’s Razor, it’s hard not to conclude that Secretary Clinton was intentionally not complying with the Federal Records Act, as the New York Times headline suggests.

It goes without saying that the Secretary of State of the United States conducts some of the most sensitive diplomatic communications imaginable, although one would presume that the most sensitive of those would not flow over email. Security is an issue. And it’s worth noting that Clinton’s use of a personal email account was known in 2013. What the public didn’t know was that no state.gov email account was used, although presumably hdr22@clintonemail.com ended up in a few diplomats’ inboxes.

While the former Secretary of State may have the highest profile, Hillary Clinton is not alone among federal workers in using a private email account:

“A new survey of high-level agency executives from Government Executive Media Group’s research arm shows that the practice appears relatively common, even though it likely violates the 1950 Federal Records Act, as updated to reflect the digital age.

Thirty-three percent of 412 respondents to the mid-February online survey by the Government Business Council confirmed that personnel in their agency use personal email for government business at least sometimes, 15 percent said employees use it always or often and 48 percent said colleagues use it rarely or never.”

This isn’t a partisan issue, though it will be made into one in the days and, presumably, campaign ahead. It’s worth noting at this point that the use of personal email accounts or mobile devices to avoid public records retention is an issue at all levels of government, in both major parties in the USA and beyond. Comments about other politicians doing this don’t excuse the practice.

At minimum, not ensuring that the email was archived would seem to display a basic lack of respect for preserving the record of business done on the public’s behalf. At worst, it’s deliberate avoidance of discoverability of communications with foreign world leaders and private entities from Freedom of Information Act requests and Congressional investigations. Update: On Wednesday, the New York Times reported that using this personal email account led to thwarted public records requests, with an additional detail: the State Department had no access to Secretary Clinton’s emails. There is no question, in other words, that not preserving the emails on state.gov servers under the Federal Records Act led to less accountability.

Was it illegal? On the one hand, the presidential records law Congress passed and President Obama signed didn’t come into force until after Secretary Clinton left office. On the other, Laura Diachenko, a spokesperson for the National Archives and Records Administration, told the New York Times that federal regulations have stated since 2009 that “agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that federal records sent or received on such systems are preserved in the appropriate agency record-keeping system.”

White House spokesman Josh Earnest also said that “when there are situations where personal email accounts are used, it is important for those records to be preserved consistent with the Federal Records Act.”

There are at least five more questions that deserve answers.

All that said, I find it hard to fathom how her staff, the rest of the State Department, and White House officials did not raise red flags about the use of this email address or ask about how the messages were being preserved.

While there may be good reasons not to archive every email, call, note, txt, tweet, Whatsapp or Snapchat sent by a government official, I find it difficult to argue that the primary email account used by a Secretary of State to conduct business should not be archived in its entirety for the historic record.

One solution to “transparency theater:” If the deliberations or diplomacy shared electronically or otherwise are sufficiently sensitive to raise concerns, let them be held for 5 or 10 or 20 or even 50 years before they are released in un-redacted form. Personal notes, jokes and mundane messages will also offer insight for the historic record.

On security

Putting adherence to public records laws and open government aside, the integrity of these communications bears scrutiny of its own. “The focus here really needs to be on the information-security piece,” Chris Soghoian, principal technologist with the American Civil Liberties Union, told National Journal.

“It’s irresponsible to use a private email account when you are the head of an agency that is going to be targeted by foreign intelligence services.”

How safe were Clinton’s emails? The short answer is that we don’t know yet.

Update: The Associated Press reported on March 5 that clintonemail.com was hosted and run in Mrs. Clinton’s home in Chappaqua, New York. If so, that choice would have positive and negative consequences for security:

Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.

But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems and redundant communications lines.

According to the AP, Clinton’s private email account was reconfigured in November 2012 to use Google’s servers as a backup, and then reconfigured again to use MX Logic until July 2013.

The New York Times repeated the same assertion in a followup story, reporting that “In earlier years, Mrs. Clinton’s account at clintonemail.com was connected to a server registered to the Clintons’ Chappaqua home in the name of Eric P. Hothem.”

Update: David Gewirtz, however, argued that Clinton probably did not have an email server in her basement. His hypothesis is that the AP and the New York Times somehow mistook the address related to the clintonemail.com domain registry for the physical location of the server and then reported it as a “homebrew” server.

Today, “Clinton is clearly using two cloud services for at least some of her email management: Google and MX Logic,” wrote Gewirtz. “A physical server associated with her MX records is being operated by a managed services firm. Therefore, the premise that she’s trying to lock down all her email, protected physically inside her own house so posterity can’t get to it, seems unlikely.”

As Gewirtz noted in a followup post on “EmailGate,” that would create a myth, that “Clinton was running her private email account on equipment in her home in New York,” which will live on, particularly as it is repeated in subsequent media accounts.

Update: While a statement subsequently released by Clinton’s office after a press conference regarding her email practices only confirmed that it was on her property, an anonymous source identified as a “Clinton ally” who was “familiar with her e-mail practices” confirmed to the Washington Post that she “used a server housed at her private home in Chappaqua, N.Y.”

The State Department told Vice Media that it has “no indication that [Clinton’s] emails were compromised,” and added that, in past interviews, Clinton “referenced an awareness of security protocols for her email use.”

“We have no indication that Secretary Clinton used her personal email account for anything but unclassified purposes,” a State Department representative told Jason Koebler. “While Secretary Clinton did not have a classified email system, she did have multiple other ways of communicating in a classified manner (assistants printing documents for her, secure phone calls, secure video conferences).”

We don’t know that much about the security behind clintonemail.com, other than the apparent involvement of MX Logic, a managed email provider, or whether the former secretary of state used encryption.

Clay Johnson suggested that the private account may well have been more secure than the State Department’s system for unclassified email, which has been compromised for an unclear length of time.

According to Stanford computer science researcher Jonathan Mayer, however, “this personal address couldn’t securely receive email,” and neither could a State Department address.

Why this stuff matters, however, isn’t hard to understand:

“If the personal communications of heads of state weren’t interesting, then governments wouldn’t monitor them,” said Soghoian. “This is the easiest thing for the intelligence services to target.”

Update: According to a security expert consulted by Bloomberg News, Clinton’s personal email system appeared to use a commercial encryption product from Fortinet, but “when examined it used a default encryption certificate instead of one purchased specifically for Clinton’s service.” It’s worth keeping in mind that this examination is occurring now, not during 2009-2012, when she was Secretary of State.

It’s worth noting that Bloomberg Business erred on the headline regarding Hillary Clinton’s personal email system, although the details regarding encryption are interesting. Insecure email is by definition not private, certainly when you’re talking about the capabilities of the intelligence services of nation states.

Gawker also published the opinions of several IT security experts regarding the safety of Clinton’s email, based upon the current state of the systems.
