How Secure Could Hillary Clinton’s Personal Email Be?

Beyond the transparency concerns, security experts wonder whether the former secretary of State’s emails were protected from foreign hackers.

Former Secretary of State Hillary Clinton delivers a keynote address during the Watermark Silicon Valley Conference for Women on February 24, 2015 in Santa Clara, California.
National Journal
March 3, 2015, 8:03 a.m.

Hillary Clinton’s use of a personal email account during her time as secretary of State is raising alarm over how secure her communications were from hackers and foreign governments interested in prying into private files of the nation’s top diplomat.

Clinton, who is expected to be the Democratic front-runner for president in 2016, exclusively relied on a personal account to conduct official business during her four years running the State Department, The New York Times first reported late Monday.

Other high-profile politicians and officials, ranging from former Alaska Gov. Sarah Palin to senior Bush administration adviser Karl Rove, have endured controversy for using personal email services in lieu of their government accounts. But while criticism in those episodes generally involved concerns about transparency and accountability—such emails would be harder to track down through Freedom of Information Act requests—Clinton’s exclusive use of a personal account also presents questions about the vulnerability of her data, security experts said.

“The focus here really needs to be on the information-security piece,” said Chris Soghoian, principal technologist with the American Civil Liberties Union. “It’s irresponsible to use a private email account when you are the head of an agency that is going to be targeted by foreign intelligence services.”

The State Department said Tuesday that Clinton did not transmit classified information via her personal account, but there could still be value in accessing those electronic communications—and recent history suggests they may be easier to crack than government emails. Soghoian noted that it was German Chancellor Angela Merkel’s personal cell phone that was tapped by the National Security Agency, according to files disclosed by Edward Snowden in 2013.

“If the personal communications of heads of state weren’t interesting, then governments wouldn’t monitor them,” he said. “This is the easiest thing for the intelligence services to target.”

The Times noted that it is “not clear whether Mrs. Clinton’s private email account included encryption or other security measures, given the sensitivity of her diplomatic activity.”

Email encryption is a form of data security that makes it more difficult for government spies or anyone other than the intended recipient to read a message. But commercial services for years did little to deploy the security function, leaving users vulnerable. Encryption has grown in adoption since the Snowden disclosures, however, following heavy scrutiny of the NSA’s sweeping powers to monitor both domestic and foreign phone and Internet communications.

Clinton has not said what email service she used, but she appears to have registered the domain “clintone” in January 2009, around the time her Senate confirmation hearings began for secretary of State.

“For all we know, she could have been using TOR,” said Peter Singer, a strategist and senior fellow at the New America Foundation, referring to the communications service that offers stringent security and privacy protections. “She could have had the top private-sector encryption experts in the world and everything being routed through TOR, and we would conclude, wow, this was a lot safer.”

But it is unusual for commercial email services to have “the same resources that the U.S. government would have on the security side,” Singer added.

Soghoian said it was “quite possible” Clinton’s emails were “being sent over a network that didn’t have any encryption.” Only within the past couple of years have most commercial services, such as Yahoo and AOL, started offering a security feature known as STARTTLS, a protocol that allows sending encrypted emails across servers. The State Department does deploy this encryption standard, though Soghoian was unsure of how long it has been in use. Other federal agencies, such as the FBI, do not use STARTTLS.

“If Clinton’s provider didn’t have that turned on, then email between her and many, many people would not be protected over the Internet,” Soghoian added.
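The following Python example is added for illustration and is not from the article or anyone quoted in it: it reads a logged SMTP dialogue between two mail servers and reports whether the message was handed over before or after a STARTTLS upgrade. The session logs and hostnames are constructed, and the logs are abridged (the MAIL and RCPT steps are omitted).

```python
# Added example (not from the article): decide from a logged SMTP dialogue
# whether the message was handed over before or after a STARTTLS upgrade.
def session(text):  # 'C: ...' / 'S: ...' log lines -> (side, line) pairs
    return [tuple(ln.strip().split(": ", 1)) for ln in text.strip().splitlines()]

def delivery_protection(transcript):
    offered = tls = refused = False
    last_cmd = None
    for side, line in transcript:
        if side == "C":
            last_cmd = line.split()[0].upper()
            if last_cmd == "DATA":          # message content follows
                if tls:
                    return "encrypted"
                if refused:
                    return "cleartext: STARTTLS refused"
                if offered:
                    return "cleartext: STARTTLS offered but not used"
                return "cleartext: STARTTLS not offered"
            continue
        code, text = int(line[:3]), line[4:].strip()
        if last_cmd == "EHLO" and code == 250:
            # "250-X" continues the reply, "250 X" ends it; X names an extension
            if text.split(" ")[0].upper() == "STARTTLS":
                offered = True
        elif last_cmd == "STARTTLS":
            tls = code == 220               # 220: server ready to start TLS
            refused = not tls               # e.g. 454: TLS not available
    return "no message sent"

# Constructed, abridged sample sessions (hostnames are placeholders).
NO_TLS = session("""
    S: 220 mx.example.test ESMTP
    C: EHLO out.example.test
    S: 250-mx.example.test
    S: 250 8BITMIME
    C: DATA
""")
UPGRADED = session("""
    S: 220 mx.example.test ESMTP
    C: EHLO out.example.test
    S: 250-mx.example.test
    S: 250 STARTTLS
    C: STARTTLS
    S: 220 Ready to start TLS
    C: EHLO out.example.test
    S: 250 mx.example.test
    C: DATA
""")
```

A 220 reply to STARTTLS shows only that the upgrade was negotiated; it says nothing about whether the sending server validated the receiving server's certificate.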

But it is unclear whether the State Department could have actually provided stronger protections, as the agency has not been exempt from cyber vulnerabilities. Late last year, the agency was forced to shut down its email system after hackers apparently infiltrated the network. And in 2010, Wikileaks released hundreds of thousands of classified cables that had been sent to the State Department from its diplomatic missions around the world. That leak, which occurred under Clinton’s watch, is widely considered the largest exposure of classified documents in history.

Though Clinton’s reliance on personal email has raised eyebrows, it is far from unprecedented. Former Secretary of State Colin Powell has said he often used personal email when he ran the department during the first term of the George W. Bush administration. John Kerry, the current secretary, is the first to primarily use his official government email address, according to The Times.

The questions about the security of Clinton’s emails arrive as the Obama administration has been aggressively pushing a cybersecurity agenda in the wake of devastating data breaches like the one that crippled Sony Pictures late last year. Lawmakers in both parties routinely point to cybersecurity as one of a few policy areas where substantive agreement can be realistically achieved this year—but, so far, President Obama’s road map has gained little traction on Capitol Hill.

Federal officials and security experts alike, however, stress the importance of one’s own “digital hygiene” in keeping communications secure. Data breaches are largely seen as preventable if companies and individuals are diligent about protecting their information.

So how good was Clinton’s digital hygiene? Better than Merkel’s, her allies hope.
