Hillary Clinton’s Homemade System May Have Put Her Email at Risk

When she served as Secretary of State, Hillary Clinton was steeped in every imaginable foreign policy issue and regularly dealt with highly classified information. But not, apparently, over email.

Clinton “did not have a classified email system” at the State Department while she was in office, deputy spokesperson Marie Harf told The Daily Beast. Instead, Clinton used at least one personal email account for unclassified business and relied on “multiple other ways of communicating in a classified manner, including assistants printing documents for her, secure phone calls, and secure video conferences,” Harf said.

Now the question becomes how exactly Clinton kept that personal email secure—and what steps she took to ensure that she wasn’t spilling any secrets. Even information that’s technically unclassified could reveal the inner workings of American foreign policy. And Clinton, by dint of her position, would be an obvious target for spies, as would any other senior officials with whom she was communicating.

“The practice of using personal email accounts raises potential security concerns,” Steven Aftergood, a government secrecy expert with the Federation of American Scientists, told The Daily Beast. “It would be surprising if Secretary Clinton never dealt with classified matters via email. Were her email messages secured in any way against interception or monitoring?”

A Clinton aide, who asked not to be named, flatly denied that Clinton let slip any secrets through her personal email. “Using her own email account broke no laws, and… was used for communicating non-classified information only,” the aide told The Daily Beast.

But neither the aide nor State Department officials would comment on whether the department ever inspected Clinton’s personal email to see if she was using encryption, two-factor authentication, or other widely available tools to secure her correspondence. “We have no indication the account was hacked or compromised,” a senior State Department official said.

But Aftergood noted that no email system is entirely secure, and that even the State Department’s own unclassified system was hacked last year. “But at least government email receives some measure of dedicated security and counterintelligence attention. The email of the Secretary of State in intrinsically sensitive, even when it is not classified,” he said.

Clinton’s decision not to use a State Department email account of any kind was first reported by The New York Times Monday.

The Associated Press reported on Wednesday that Clinton's personal email system was actually run out of her and former President Clinton's home in Chappaqua, New York, using a "homebrew" type of configuration that is frequently not as secure as a commercially run email system. It could have been both more vulnerable to hackers if it wasn't running the latest anti-virus and security technologies, as well as to physical damage, such as from a flood.

Computer security experts said that Clinton's decision to use a potentially less secure system out of her home made her more vulnerable to foreign spies. "OK, this really was god's gift to Chinese or French intelligence," tweeted Nicholas Weaver a senior researcher at the International Computer Science Institute.

The Clinton's home email system was registered to an Eric Hoteham, a name who doesn't show up in public records database searches, adding further mystery to Clinton's decision to avoid using official email.

Sensitive correspondence bearing on Clinton’s duties as secretary have been exposed by others in her orbit who fell victim to hacking. In 2013, a Romanian hacker going by the name Guccifer broke into the email account of former Bill Clinton White House adviser Sidney Blumenthal and exposed memoranda that he’d sent to Hillary Clinton, at a personal account, regarding the attack on the U.S. consulate in Benghazi, Libya.

Blumenthal, who was not serving in the government at the time but to this day remains a close Clinton confidant as she contemplates a presidential bid, marked some of those emails “confidential,” indicating that they contained sensitive information meant for Clinton’s use. One of the messages contained what Blumenthal described as information from “sources with direct access to the Libyan National Transitional Council, as well as the highest levels of European Governments, and Western Intelligence and security services.” The email also detailed what Blumenthal said his sources told him were recruitment efforts by the CIA and the British intelligence services.

Blumenthal didn’t respond to a request for comment about the incident. And while it’s unclear that he had any access to information that the U.S. government considered classified, the hack proved that Clinton’s accounts were vulnerable, insofar as the people she was in touch with were, as well. They also gave an insight into the key issues and considerations put before her by a trusted ally and political confidant.

Guccifer has demonstrated his techniques on other political luminaries. He is perhaps most famous for hacking the emails of friends and families of former president George W. Bush and leaking photos of the president’s paintings, including a self-portrait of Bush in a bathtub.

On Tuesday, Rep. Trey Gowdy, who chairs a House committee investigating the Benghazi attacks, said the State Department didn’t have all of Clinton’s emails related to the matter.

“Only she has a complete record, and the committee is now going to have to go to her and her attorneys and her email providers to ensure we have the access to everything the American people are entitled to know,” Gowdy said during a press conference.

The committee “became aware” that Clinton was using “personal email accounts for official state business late last summer,” Gowdy said, adding that Clinton had “more than one private email account.”

Gowdy said the committee would send preservation letters today to ensure the emails that still exist would be “protected under the law.”

“You do not need a law degree to have an understanding how troubling this is,” he said.

“There are chain of custody issues, there are preservation of materials and documents issues…in addition to asking…what safeguards may have been in place to protect this information and one should also be concerned about the national security implications of former Secretary Clinton using exclusively personal email account for conducting official US foreign policy.”

In using non-official email for official communications, Clinton may have run afoul of regulations imposed by the National Archives and Records Administration, which maintains official communications for posterity.

“Since 2009, NARA’s regulations have stated that ‘Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system,’” Paul M. Wester, Chief Records Officer for the U.S. Government, said in a statement.

After Clinton had left office, Congress amended two key records laws “to prohibit the use of private email accounts by government officials unless they copy or forward any such emails into their government account within 20 days,” Wester said.

The State Department, anticipating the new requirement, sent letters in October 2014 to the representatives of all former Secretaries of State going back to Madeleine Albright, requesting that they submit any records in their possession covered by the new law, a senior State Department official said.

“In response to that letter we received tens of thousands of pages of Secretary Clinton’s email in early December spanning her time at the State Department which are now part of the Department’s permanent records,” the official said.

The Clinton aide told The Daily Beast that “anything that pertained to her work” is in those 55,000 pages of emails. “So if she emailed with her daughter about flower arrangements for her wedding, that didn’t go in, but if she emailed one of the 100 State Department officials she regularly corresponded with, State had it in their servers already and HRC’s office replicated that to ensure it was all there.”

“9 out of 10 emails that she sent over the course of her tenure went to the State Department,” the aide added.

Clinton hasn’t said why she opted to use a personal account. But it’s conceivable she was trying to avoid unauthorized disclosures of her communications and classified information.

Mildly embarrassing emails from her time as First Lady have subsequently spilled into the public domain. More importantly, perhaps, “she was Secretary of State during the dawn of the age of Wikileaks, when during her tenure diplomatic cables and a ton of confidential email communication were released,” Clay Johnson, a technology expert who has worked for political campaigns and government agencies, told The Daily Beast. Johnson said he had no knowledge of Clinton’s decision-making, but that it was possible she decided the State Department’s own networks weren’t secure enough.

Wikileaks’ disclosure of classified State Department cables occurred well after Clinton took office. But at the time, there were already publicly known cases of foreign governments hacking senior U.S. officials.

During an official U.S. trip to Beijing in December 2007, for instance, spyware programs designed to siphon information were discovered on electronic devices used by Commerce Secretary Carlos Gutierrez, according to a computer-security expert with firsthand knowledge of the spyware used. The infected machines were brought back to Commerce Department headquarters and infected its internal network, according to one former official. The infection was so rampant, this former official said, that employees were instructed not to email any documents to the Secretary’s office, lest they contain hidden viruses. Instead, employees had to print documents  and deliver them by hand.

And just months before Clinton was sworn into office, the campaign email accounts of presidential candidate Obama as well as of Sen. John McCain, the Republican nominee, were also hacked by spies in China, according to U.S. officials. As Obama was preparing to take the oath of  office in 2009, his insistence on continuing to use his personal Blackberry sent intelligence and security officials into fits. In order to protect his communications, they fashioned a highly-secured Blackberry.

Not all recent senior U.S. officials have been as addicted to email as the president—which may have made their communications more secure. Secretary of Homeland Security Janet Napolitano, for instance, said she didn’t use email at all.

“It is our understanding that secretaries [of state] prior to Secretary Kerry didn’t regularly use an official State Department account,” the senior State Department official said. In part, that was because prior to the dawn of the 21st century, the department was using antiquated technology and email wasn’t widely available.

The official noted that former Secretary Colin Powell, who is credited with updating the department’s technology systems, wrote in his memoir that he “installed a personal laptop in his State Department office to use his personal email to connect with his principal assistants, ambassadors and foreign ministers. He also writes about how he would check embassies he visited across the world by darting into the first open office he could find to log in to his personal email account to test their email connectivity.”

Former Secretary Condoleezza Rice has also said that she didn’t regularly use email, the official said.

Compared to her peers, Clinton’s decision not to use official email wasn’t unusual. The impact of that choice, however, may be.

—with additional reporting by Jackie Kucinich and Noah Shachtman