There has been a lot of information – and misinformation – floating around the Interwebs about the fact that Hillary Clinton, as Secretary of State, exclusively used a personal email address linked to a “homebrew” server.

Partisans on both sides have spread much of this misinformation.  Based on what we now know (and the situation can change), here are a few of the myths about the former Secretary of State's use of personal email.

1. A Homebrew System Is Not Secure

Kentucky Senator Rand Paul excoriated Secretary Clinton for putting "convenience" above national security by using a homebrew server and a .com email domain, as if this meant the account was not secure.  The top-level domain at the end of the address, whether .mil, .com, .net or .ru, says nothing about the security of the system behind it.  In fact, many .com domains are better secured than many .gov systems.

In many ways, it's easier to secure a dedicated homebrew system with only a few users than a domain with tens of thousands of users who have diverse needs.  On a server used only for web access and email, an administrator can close unneeded ports, disable unneeded services, keep it patched, and lock it down.  The key word here is "can."

Reports have circulated that the TLS certificates on her server were invalid and that other potential security problems existed, but that illustrates the point.  An invalid certificate matters because clients that accept it cannot tell the real server from an impostor, and it is at the least a sign of careless administration.  A homebrew system can be as secure as, or more secure than, a .gov system, if it is managed properly.  Right now we don't know how it was managed, and we may never know, so from a risk perspective we should assume a lack of security rather than presume it.  But the fact that it was a .com domain doesn't in itself mean that it wasn't secure.

2. The State Department Rules Prohibited Personal Email for Government Business

Again, not true.  The Foreign Affairs Manual (FAM) encourages State Department employees to use government email for government business, but from conversations with various State Department employees, this rule is honored more in the breach than in the observance.  In practice, when a Foreign Service Officer (FSO) stationed abroad is transferred to a new posting, the State Department kills their email address and they have to get a new one.

For continuity purposes (i.e., convenience), State Department personnel appear to use their personal email accounts as a "backup" or adjunct to their official accounts, even for official communications.  Previous Secretaries of State also appear to have used personal accounts (on public and less secure servers) for government business.  It's not a great idea or a great practice, but it happens.

3. The Federal Records Act Requires the Use of Government Email and Systems

Nope.  Wrong again.  The Federal Records Act requires official records to be kept, stored, archived, and so on.  It doesn't matter whether they were created on a .gov account, a private domain, a Google mail account, or on  It similarly doesn't matter if they are handwritten notes scrawled on a napkin in the back of an Uber.

If they relate to official business (e.g., Henry Kissinger's appointment books), they are official government records.  So, regardless of the domain used, it's the employee's obligation to go through their records (emails, papers, etc.) and ensure that the government is provided with everything that counts as an official record.  According to the Secretary of State, that's exactly what she had her counsel do.

The only provision of the Federal Records Act arguably violated is 44 U.S. Code § 3102, which requires "The head of each Federal agency [to] establish and maintain an active, continuing program for the economical and efficient management of the records of the agency [which includes] effective controls over the creation and over the maintenance and use of records in the conduct of current business."

You can argue that the use of personal email isn't an "effective control" over the creation of [federal] records, but then you would have to apply that standard to the actions of previous Secretaries of State as well.

4. Employees Can't Decide for Themselves What Are "Official" Records and What Are Not

Um… yeah, they can.  And they do.  In fact, in almost all cases, the employees are the only ones who make those decisions.  Imagine if Hillary Clinton had done what most people (including me) think she should have done, and had two email addresses on two separate devices.

One for "official" business and the other for "personal" business.  With every email sent, she would be deciding whether she felt the subject matter was "official" or "unofficial."  With respect to the emails sent from her personal account, she would still have to review them under the Federal Records Act to ensure that none were "official" records.  If they were not, she is free to delete, wipe, destroy or do whatever she wants with them, just like anyone else can.  So the decision about whether a document is official or not lies almost exclusively with the employee.

A government official could not ordinarily go to a government employee's home and rummage through their files just to see whether any official documents were there.  The same holds true for corporate documents.  An employee, whether using a corporate or personal email account, or a personal or corporate phone, computer or tablet, decides what's official and what's not.

I frequently kept a tablet or personal phone on my desk with a separate Internet connection for personal communications, even at work.  Nothing nefarious there.  And in Hillary's case, she has stated that her attorneys did the review and that they were directed to err on the side of disclosure.

5. Two Email Accounts Don't Mean Two Devices

This one is a toss-up.  Sure, many of us have multiple email accounts on a single device.  Now.  But that wasn't always the case.  While there are no technical restrictions, many employers prohibit employees from accessing "personal" email on a corporate or government-provided device (phone or computer) and actively block such accounts.

Similarly, many companies and agencies do not permit access to official email, VPNs or other network resources from non-corporate or non-government devices.  So for years I carried two phones, a personal iPhone and a corporate BlackBerry.  The BYOD movement, coupled with things like Good Technology containers and virtualization, is slowly eliminating this problem, but in many enterprises the only way to get email on two domains is still to have two devices.

There are plenty of myths the other way as well, like the myth that the system was never hacked, or that the use of personal email like this was "commonplace."  It was clearly exceptional.  It's not clear whether the State Department CISO knew of or approved this arrangement, and it's likely that he or she did not.  The same goes for the General Counsel and the Inspector General.  So there's a lot to criticize, but there's a lot of mythology all around.
