The revelations have set off a firestorm for the potential 2016 presidential candidate among open-records advocates who question whether Clinton took this approach to circumvent the normal archiving process for a position of that level. But cybersecurity experts were equally galled by the myriad ways the emails of the nation’s top diplomat could have been compromised.
“That’s reason for serious concern because the State Department’s email system is presumably secured and monitored for threats to national security to a level that whatever Hillary Clinton was using that she set up herself likely is not,” said J. Alex Halderman, a University of Michigan cybersecurity expert whose most recent paper demonstrated how easily hacked and deceived certain airport body scanners are. “It’s possible she had some kind of special protection in place, but in the absence of any other information, I would be very worried.”
The State Department did not respond to questions about its security efforts on behalf of Clinton’s private email service. State Department deputy spokeswoman Marie Harf insisted that Clinton didn’t use email to transmit any classified material.
“We have no indication that Secretary Clinton used her personal email account for anything but unclassified purposes,” Harf wrote to Al Jazeera via email. “While Secretary Clinton did not have a classified email system, she did have multiple other ways of communicating in a classified manner, including assistants printing documents for her, secure phone calls and secure video conferences.”
Yet not all sensitive correspondence is classified, and Clinton could not control what others sent her way. The Smoking Gun, a website that often publishes leaked documents, pointed Tuesday to an email sent to her by Sidney Blumenthal, a former campaign adviser and longtime confidant, with attached memos regarding important security issues around the world. One of those emails, the site reported, included this all-caps warning: “THE FOLLOWING INFORMATION COMES FROM EXTREMELY SENSITIVE SOURCES AND SHOULD BE HANDLED WITH CARE.” Blumenthal’s AOL email was hacked in early 2013, which is when that message was leaked.
The Blumenthal hack also revealed that Clinton was using for at least some of her email the domain clintonemail.com, which, online records show, was registered on Jan. 13, 2009, the day she testified before the Senate as the nominee for secretary of state.
Clinton’s ongoing interaction with email services outside the State Department without the department’s cybersecurity defenses is especially troubling to Halderman.
“The question is [whether] whatever provider she’s using gives her anywhere near the same level of protection for the confidentiality and the authenticity of the communications as she would be getting from her State Department email,” he said. “If she’s using it from her main work machine to send and receive her mail, then people could be intercepting the mail she’s sending and receiving, possibly even changing its content.”
Ed Felten, the chairman of the computer science department at Princeton University and director of the Center for Information Technology Policy, was baffled that Clinton would even be permitted to forgo using an official email address.
“Any email exchanges between her and other State Department people would be at much higher risk of a compromise,” he said. “For a person who works in a government agency, one of the advantages of using the agency’s email is that email exchanged within the agency stays within the agency’s own network. There’s less security risk when that’s the case … Mixing work and personal email increases risks. A lot of people do that but not people who are handling important government secrets.”
But Clay Johnson, a former presidential innovation fellow and a former director of the open-government technology nonprofit Sunlight Labs, suggested Clinton may have used private email because she was advised the state.gov email service wasn’t secure enough. In 2010, during the second year of her tenure, thousands of state.gov emails were posted online as part of the WikiLeaks revelations. He noted that no clintonemail.com messages were among them.
“It’s very plausible to me that someone walked up to Hillary Clinton and said, ‘The State Department’s mail server is compromised. It has been for years. For right now, use your email address for communications,’” said Johnson, now CEO of the Department of Better Technology, a company that provides software to government agencies.
Regardless, he said he was surprised that no one in the White House counsel’s office raised a fuss if Clinton sent even innocuous emails to whitehouse.gov from her personal account. When he was at the White House, he recalled, he and many others were recipients of “a very sternly worded and kind of scary email from the counsel’s office” warning them not to use private email addresses for government business.
“There are two plausible explanations for no one saying anything about it,” Johnson said. “One is that Hillary Clinton is such a towering person and incredibly intimidating and so people were afraid to say something because of her gravitas. Or, two, everyone knew that the State Department’s email was insecure and they came up with a solution that Hillary should use her private email account.”
Harf said it wasn’t until September 2013 that the National Archives and Records Administration issued “guidance on personal email use.” That guidance “included instructions that generally employees should not use personal email for the transaction of government business, but that in the very limited circumstances when it is necessary, all records must be forwarded to a government account or otherwise preserved in the Department’s electronic records systems.”
Clinton’s successor, John Kerry, “is the first secretary of state to rely primarily on a state.gov email account,” she added.
Clinton’s last day as secretary of state was Feb. 1, 2013.
Issues of computer security have dogged public officials since the dawn of the Internet age. President Bill Clinton, for instance, saved his former CIA director, John Deutch, from prosecution by pardoning him for having classified materials on his laptops and relabeling them as unclassified.