Hillary Clinton’s use of a personal email account during her time as secretary of State is raising alarm over how secure her communications were from hackers and foreign governments interested in prying into private files of the nation’s top diplomat.
Clinton, who is expected to be the Democratic front-runner for president in 2016, exclusively relied on a personal account to conduct official business during her four years running the State Department, The New York Times first reported late Monday.
Other high-profile politicians and officials, ranging from former Alaska Gov. Sarah Palin to senior Bush administration adviser Karl Rove, have endured controversy for using personal email services in lieu of their government accounts. But while criticism in those episodes generally involved concerns about transparency and accountability—such emails would be harder to track down through Freedom of Information Act requests—Clinton’s exclusive use of a personal account also presents questions about the vulnerability of her data, security experts said.
“The focus here really needs to be on the information-security piece,” said Chris Soghoian, principal technologist with the American Civil Liberties Union. “It’s irresponsible to use a private email account when you are the head of an agency that is going to be targeted by foreign intelligence services.”
The State Department said Tuesday that Clinton did not transmit classified information via her personal account, but there could still be value in accessing those electronic communications—and recent history suggests they may be easier to crack than government emails. Soghoian noted that it was German Chancellor Angela Merkel’s personal cell phone that was tapped by the National Security Agency, according to files disclosed by Edward Snowden in 2013.
“If the personal communications of heads of state weren’t interesting, then governments wouldn’t monitor them,” he said. “This is the easiest thing for the intelligence services to target.”
The Times noted that it is “not clear whether Mrs. Clinton’s private email account included encryption or other security measures, given the sensitivity of her diplomatic activity.”
Email encryption is a form of data security that makes it more difficult for government spies or anyone other than the intended recipient to read a message. But commercial services for years did little to deploy the security function, leaving users vulnerable. Encryption has grown in adoption since the Snowden disclosures, however, following heavy scrutiny of the NSA’s sweeping powers to monitor both domestic and foreign phone and Internet communications.
Clinton has not said what email service she used, but she appears to have registered the domain “clintonemail.com” in January 2009, around the time her Senate confirmation hearings began for secretary of State.
“For all we know, she could have been using TOR,” said Peter Singer, a strategist and senior fellow at the New America Foundation, referring to the communications service that offers stringent security and privacy protections. “She could have had the top private-sector encryption experts in the world and everything being routed through TOR, and we would conclude, wow, this was a lot safer.”
But it is unusual for commercial email services to have “the same resources that the U.S. government would have on the security side,” Singer added.
Soghoian said it was “quite possible” Clinton’s emails were “being sent over a network that didn’t have any encryption.” Only within the past couple of years have most commercial services, such as Yahoo and AOL, started offering a security feature known as STARTTLS, a protocol that allows email to be encrypted in transit between servers. The State Department does deploy this encryption standard, though Soghoian was unsure of how long it has been in use. Other federal agencies, such as the FBI, do not use STARTTLS.
“If Clinton’s provider didn’t have that turned on, then email between her and many, many people would not be protected over the Internet,” Soghoian added.
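How one can tell whether STARTTLS was in play, shown as an added example that is not part of the original article: the Python below checks a server's EHLO reply for the STARTTLS capability and reads a message's Received headers to see which server-to-server hops recorded TLS. All host names, addresses and the message are constructed samples, and because Received lines below the one your own server added can be forged, the result is evidence rather than proof.

```python
import re
from email import message_from_string

# "with" keywords a receiving server records when the session used TLS
# (RFC 3848 and RFC 6531), i.e. STARTTLS succeeded on that hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed samples (example domains and documentation IP ranges).
EHLO_REPLY = "250-mx.example.org\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.example.org (Postfix) with ESMTPS id 4F2A1 for <b@example.org>;
\tTue, 3 Mar 2015 10:00:02 +0000
Received: from mail.example.com (mail.example.com [198.51.100.9])
\tby relay.example.net with ESMTP id 9C0DE;
\tTue, 3 Mar 2015 10:00:01 +0000
From: a@example.com
To: b@example.org
Subject: constructed sample

body
"""

def starttls_offered(ehlo_reply):
    """True if a multi-line 250 EHLO reply advertises STARTTLS."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments and unfold the header."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def audit_hops(raw_message):
    """Return (receiving_host, protocol, encrypted) per hop, oldest hop first."""
    hops = []
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = strip_comments(header)  # avoids matching "with cipher" in comments
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+(\w+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops
```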
But it is unclear whether the State Department could have actually provided stronger protections, as the agency has not been exempt from cyber vulnerabilities. Late last year, the agency was forced to shut down its email system after hackers apparently infiltrated the network. And in 2010, WikiLeaks released hundreds of thousands of classified cables that had been sent to the State Department from its diplomatic missions around the world. That leak, which occurred under Clinton’s watch, is widely considered the largest exposure of classified documents in history.
Though Clinton’s reliance on personal email has raised eyebrows, it is far from unprecedented. Former Secretary of State Colin Powell has said he often used personal email when he ran the department during the first term of the George W. Bush administration. John Kerry, the current secretary, is the first to primarily use his official government email address, according to The Times.
The questions about the security of Clinton’s emails arrive as the Obama administration has been aggressively pushing a cybersecurity agenda in the wake of devastating data breaches like the one that crippled Sony Pictures late last year. Lawmakers in both parties routinely point to cybersecurity as one of a few policy areas where substantive agreement can be realistically achieved this year—but, so far, President Obama’s road map has gained little traction on Capitol Hill.
Federal officials and security experts alike, however, stress the importance of one’s own “digital hygiene” in keeping communications secure. Data breaches are largely seen as preventable if companies and individuals are diligent about protecting their information.
So how good was Clinton’s digital hygiene? Better than Merkel’s, her allies hope.