The State Department says Clinton didn't divulge classified information from her personal email account, but it's still a security nightmare.
Hillary Clinton, in her time as Secretary of State, never used an official government email address. Instead she relied on her own, probably unencrypted, personal account, the New York Times reported and Motherboard confirmed with the State Department.
That's a problem, on many levels. Official government emails from .gov addresses are subject to certain archiving rules, so that they can be reviewed and obtained by the news media later. And official .gov emails, especially those of high-level officials at the State Department, are subject to security precautions that run-of-the-mill email providers don't offer.
The Federal Government has three separate email systems—one unclassified and two classified. The unclassified one is considered relatively insecure.
"Do we want a private company doing profiling on our Secretary of State?"
"I don't actually have any less faith in Google than I do in the government to secure those emails," Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, told me. "But, it's still a terrible idea. Let's assume for the sake of argument she was using Gmail. If she was using Gmail, it means Google was scanning all of the email to present her with targeted advertising about it. Is that something we want as a nation? Do we want a private company doing profiling on our Secretary of State?"
Clinton has been reported to have been using an address, in the past, at the "clintonemail.com" domain, and it's unclear who the actual service provider is there. Gmail or not, the point stands—a private company is handling the official email of the Secretary of State.
The Federal Government operates its own servers, at least, and many high-level officials have constantly-changing passwords and can only access email from specific, government-cleared devices. The Department of Homeland Security has a series of protocols, managed under the Federal Information Security Management Act, governing this kind of thing.
That the Secretary of State was using her own email provider with its own security precautions—or lackthereof—is highly concerning.
Though we're just now learning about Clinton using the email address for official business, security experts say foreign intelligence agencies probably already knew about it.
The State Department told me that it has "no indication that [Clinton's] emails were compromised," and added that, in past interviews, Clinton "referenced an awareness of security protocols for her email use." The State Department would not tell me what email service provider Clinton used, but said that Clinton did not use her email for classified documents.
"We have no indication that Secretary Clinton used her personal email account for anything but unclassified purposes," a State Department representative told me. "While Secretary Clinton did not have a classified email system, she did have multiple other ways of communicating in a classified manner (assistants printing documents for her, secure phone calls, secure video conferences)."
"If she ever did reference classified information, that's what we charged Snowden with"
Motherboard has filed a series of Freedom of Information Act requests with the State Department seeking more information about her email procedures. A Clinton spokesperson would not speak to me about security, instead saying that her conduct complied with both the "letter and the spirit of the rules."
"It strikes me as not particularly credible that in her entire tenure as Secretary of State, she never sent any classified material in any email ever," Cardozo said. "And, if she ever did reference classified information in an email that wasn't part of the classified email system, that's the same level of mishandling classified documents, although to a different scale, than what we charged [Edward] Snowden with."
Cardozo added that it would be impossible for the State Department to know whether or not Clinton's personal email was hacked or monitored.
"How would the State Department know if the Chinese or Russians has been monitoring Secretary Clinton's emails?" he said. "That statement was not authored who knew the tech involved. It's not grounded in any technical knowledge or know how."
Without specifics, it's difficult to say how secure Clinton's personal emails were, and, given that the State Department didn't specifically oversee her email account, it seems impossible for it to know whether or not her emails were actually subject to surveillance or whether the provider she used followed proper security procedures. Even if she didn't share classified information—and without a full record of her emails, it's impossible to know that—it's still a security concern.
"The risk of this email account being compromised is significant"
In fact, "shadow IT" is a major problem for corporations of all sizes. When employees use their personal email or personal devices for official company business, the company loses control of security. That's why even low-level employees at corporations that don't deal with national secrets are often forbidden from using their personal email accounts to conduct work business.
Hacked emails of Clinton's have been released before. In March of 2013, Sidney Blumenthal, an adviser to Clinton, was hacked by, and his emails, sent to " email@example.com," were leaked. Those emails were not encrypted, meaning they could be read by a hacker who intercepted them in transit, by her email provider, or, in this case, by someone who hacked a person she corresponded with.
Ken Westin, a security researcher who writes for State of Security, says that his look at the mail servers used by clintonemail.com suggests that domain isn't necessarily secure.
"The risk of this email account being compromised is significant," he wrote. "With no visibility into how the Clinton's emails were being secured, it would be impossible for the government to ensure the communications were not compromised by espionage."
The State Department says that Clinton was mainly emailing her State Department colleagues at their official addresses, and that the emails were therefore preserved on their end. The agency is defending her from a transparency angle, but it is ignoring security. As Blumenthal's hacked emails show, one insecure link in the chain can compromise the whole thread of communication.
We don't know at the moment whether or not Clinton continued to use clintonemail.com as her main email provider, but Westin's point stands nonetheless. He called her use of a person account "shadow IT on a grand scale."
Even more surprising is that Clinton's use of her personal email is, apparently, not rare. The State Department says that John Kerry is the "first Secretary of State to rely primarily on a state.gov email account;" all predecessors used their personal email (if any).
"Secretary Powell wrote in his book about his efforts to bring the State Department into the email age," a State Department spokesperson told me. "He writes about how he installed a personal laptop in his State Department office to use his personal email to connect with his principal assistants, ambassadors and foreign ministers."
So, it's plausible that Clinton wasn't necessarily doing anything "wrong," as far as the State Department is concerned. Instead, it seems more likely that the Federal Government has never taken email security as seriously as it should be.