Future Tense

Did Hillary Clinton Compromise Her Email Security or Make It Stronger?


On Monday night, the New York Times unleashed a new controversy about Hillary Clinton’s four years as secretary of state. It seems that Clinton exclusively used a nongovernment email address for professional correspondence during her tenure—apparently she didn’t even have a state.gov address. The whole situation basically just seems like a perfect storm of HR screw-ups and shady communication practices. But maybe it was for the best.

Let’s put aside the question of whether Clinton violated the Federal Records Act, which says that public officials should store written communications on federal servers—they’re government records that must be available for review, with various exceptions for classified communications. (For more on the legal questions, read my colleague Josh Voorhees’ post on the Slatest.) Did Clinton’s email habit make her vulnerable to hackers?

It seems that Clinton did all of her emailing through a domain called “clintonemail.com.” As the Washington Post points out, this address was created on Jan. 13, 2009, which was the first day of Clinton’s Senate confirmation hearings. It’s not clear who set it up, but the domain was renewed in 2013 and is paid for through 2017.

In 2008, Farhad Manjoo wrote on Slate that “it’s not a good idea for politicians to use personal e-mail accounts,” because of the security risks. And in light of revelations about Clinton’s practices, this view is circulating again. American Civil Liberties Union principal technologist Christopher Soghoian tweeted on Tuesday, “While the American public didn’t know about Hillary’s private email account, it probably wasn’t a secret to foreign intelligence agencies.” And Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, told Motherboard:

I don’t actually have any less faith in Google than I do in the government to secure those emails, but it’s still a terrible idea. Let’s assume for the sake of argument she was using Gmail. If she was using Gmail, it means Google was scanning all of the email to present her with targeted advertising … Do we want a private company doing profiling on our Secretary of State?

It’s not clear whether Clinton actually used Gmail or some other commercially available service. But could Clinton have actually been smart to go outside the .gov email system? (Again, this is just about the security, not legality or ethics.) After all, U.S. government email systems are frequent targets for hackers, whether state-sponsored or freelance. In November, the unclassified State Department email system was compromised by hackers and was temporarily shut down. This incident occurred long after Clinton’s departure, but does call the State Department’s cyberdefenses into question.

Joe Loomis, the founder and CEO of the security group CyberSponse, said that though there are risks, he can also see how there could be security benefits to setting up a personal email account for State Department work. He says that hackers looking to target Clinton’s communications would normally have attempted to infiltrate her State Department email address and might have had knowledge about how the account was configured, making it an easier target.

“It’s one way that you can almost kind of mask yourself from being targeted by using off-channel communication,” he said. “[Hackers] have to guess what the email is against all the email providers, Yahoo, Outlook, MSN, Google, whatever.” Loomis says that though the accountability issue is important, he has heard about a lot of people in government using personal email accounts to make their communication channel more difficult to guess. John Kerry is actually the first secretary of state to solely use a state.gov email account.

If Clinton and her advisers were savvy in setting up her personal account, it could have offered more protection than the unclassified government email system. If they implemented rigorous end-to-end encryption (in which a message is encrypted at every stage of its movement from server to server across the Internet and can only be locally decrypted by the recipient on the other end), and especially if Clinton’s account only communicated internally via intranet with other government employees, her messages might have been highly secure. But using a standard consumer email service like Gmail or Yahoo wouldn’t have been very secure at all.

Christopher Peikert, a cryptography researcher at the Georgia Institute of Technology, explained:

The majority of email … travels unencrypted “in the clear” across a wide variety of networks (and even countries) as it goes from sender to receiver. It’s fair to say that anyone with a computer on any one of those networks can read any of the email that passes through—there are easily available tools that make this possible.
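To make the hop-by-hop transit Peikert describes concrete, here is an added example (not part of the original article) that reads the `Received` headers of a message you have received and reports which server-to-server hops were recorded without TLS. The sample message, host names and addresses are constructed placeholders; the protocol keywords (`ESMTPS`, `ESMTPSA` and so on) are the standard "with" values servers write when a hop used TLS.

```python
import re
from email import message_from_string

# "with" protocol keywords that record a TLS-protected hop (RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message: every host and address below is a placeholder.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby mailstore.recipient.example with ESMTPS id c3; Tue, 3 Mar 2015 10:00:05 -0500
Received: from relay.transit.example (relay.transit.example [198.51.100.9])
\tby mx.recipient.example with ESMTP id b2; Tue, 3 Mar 2015 10:00:03 -0500
Received: from laptop.sender.example (laptop.sender.example [192.0.2.4])
\tby relay.transit.example with ESMTPSA id a1; Tue, 3 Mar 2015 10:00:01 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

Hello.
"""

def hops(raw):
    """Return the delivery hops in the order the message travelled."""
    msg = message_from_string(raw)
    result = []
    # Each server prepends its header, so the newest hop is first: reverse them.
    for value in reversed(msg.get_all("Received") or []):
        def field(keyword):
            m = re.search(r"\b%s\s+(\S+)" % keyword, value, re.IGNORECASE)
            return m.group(1).rstrip(";") if m else None
        proto = (field("with") or "unknown").upper()
        result.append({"from": field("from"), "by": field("by"),
                       "with": proto, "tls": proto in TLS_PROTOCOLS})
    return result

def cleartext_hops(raw):
    """Hops whose header does not record TLS, as (sending host, receiving host)."""
    return [(h["from"], h["by"]) for h in hops(raw) if not h["tls"]]

if __name__ == "__main__":
    for n, h in enumerate(hops(SAMPLE), 1):
        state = "TLS" if h["tls"] else "CLEARTEXT"
        print(f"hop {n}: {h['from']} -> {h['by']} [{h['with']}] {state}")
```

Even a message whose hops all show TLS was readable in plaintext on each server it passed through, which is the gap end-to-end encryption closes. `Received` headers are written by the servers themselves, so they are evidence of how a message travelled, not proof.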

Basically a personal email account would give Clinton the element of surprise—hackers might not have been able to find her account to target it. But once hackers had her clintonemail.com address in their sights, it might be easier to crack unless she and her team knew a lot about creating a secure email environment. And then again, the State Department email doesn’t seem to have been so secure, either. It feels like a no-win.

Evidence of Clinton’s use of a personal email account surfaced a couple of years ago. In March 2013, Gawker reported that Clinton had been corresponding with former Bill Clinton aide Sidney Blumenthal on a personal account. Gawker’s John Cook wrote at the time, “And why was Clinton apparently receiving emails at a non-governmental email account? The address Blumenthal was writing to was hosted at the domain ‘clintonemail.com,’ … which is privately registered via Network Solutions. It is most certainly not a governmental account.”

Clinton is certainly not the first official to skirt rules about government email. Before Gina McCarthy was approved as administrator for the Environmental Protection Agency in 2013, a Senate panel questioned her on the agency’s known use of personal email accounts for business. In a hearing McCarthy openly admitted that she used her personal email address to send herself attachments so she could print them in her Boston home. As Bloomberg’s Brendan Greeley noted at the time, “Either the EPA doesn’t have a cloud-based system to read and print documents at home, or it does, and it doesn’t work very well. Regardless, the problem is so universal that McCarthy felt perfectly justified telling a Senate panel she does it.”

Meanwhile, during hearings in June 2014 about how the Internal Revenue Service had lost emails relevant to a political targeting probe, Texas Republican Blake Farenthold made a suggestion: “I went on Amazon and found you could buy a terabyte hard drive for $59. Buy two of them, so $120.”

Though the State Department’s email security may need work, the agency hasn’t been completely out to lunch since the rise of email. In 2004, it was the first agency to “transfer electronic textual records” to the National Archives and Records Administration. And its Foreign Affairs Manual contains an extensive section on “Electronic Records, Facsimile Records, and Electronic Mail Records,” which notes:

The Department’s Records Management Office (OIS/RA/RD) conducts periodic reviews of the records management practices both at headquarters and at overseas posts … These periodic reviews now will include monitoring of the implementation of the Department’s E-mail policy.

It would seem that Clinton was never subject to a “periodic review.” State Department deputy spokesperson Marie Harf did tell Bloomberg on Tuesday, “We have no indication that Secretary Clinton used her personal e-mail account for anything but unclassified purposes.”

It’s hard to imagine that Clinton was never even assigned a state.gov email address, but the situation is sort of understandable when you think about Clinton’s rank. With so many aides to brief her on what was going on, she probably didn’t need her work email to find out when there was cake in the break room.