Former U.S. Secretary of State Hillary Clinton spoke out today about her email woes, goaded smugly by fellow prenominee Jeb Bush, who emailed reporters reminding them that he’d released his email records. As if that was a good thing.
Well, it should have been. But I’m getting ahead of myself. Let’s start with the basics. If you follow political news, you know that former U.S. Secretary of State Hillary Clinton used a private email account, rather than a Federal one, as she conducted U.S. diplomacy; and that she was, in fact, adhering to the letter of the law (the “spirit” of the law being rather vaguer); and that she has offered a data dump of emails she deems relevant from her personal servers to pass on to Federal officials, and urged them in turn to pass those on to reporters and the public. But neither of America’s prenominees has proven to be a visionary leader in navigating the Scylla, Charybdis, and Blue Book of security, privacy, and legal policy when it comes to encrypting and archiving sensitive government emails.
Oh — prenominee? That’s the term I use for former Senator and Secretary of State – and, yes, First Lady – Clinton; and for former Florida Governor Jeb Bush, the latter of whom commanded $100,000 per plate for appearing at a fundraiser before he has actually announced his candidacy for president. (In other words, to be read in a pharma-ad-speedy voice: “Disclaimer: ‘prenominee’ denotes being the front-runner in a race which hasn’t officially started. It is not a presumption of actual victory.”)
So what are we to make of the digital hygiene of the prenominees, and the outraged-slash-befuddled coverage of it? New York-based technical architect Max Whitney is familiar with email protocol, having run email for a large private university. “Let’s break the issues here into two pieces,” she says. “One: should people [specifically public officials] be running their own email servers? And two: should they have been sending unencrypted emails?”
Secretary Clinton was using a private email server that reportedly was registered to, but not necessarily housed in, Chappaqua, New York, where the Clintons own a home. Whitney says that it’s unlikely that Clinton — or Bush, who also ran his own server, registered in Texas — “made the decision to both identify a [qualified] mail administrator and pay them what they would be paid.”
Of course, not every mail system is the same. Sendmail, which implements the widely used SMTP mail protocol, is notoriously eager-to-please in matching email-to-receiver, says Whitney. “Sendmail was not created to be a secure information exchange method. Sendmail was created to survive a nuclear holocaust.” In other words: upside: robust. Downside: the birth of spam. And a Microsoft Exchange-based system needs two admins minimum, no matter how many users are on the system, because as Whitney puts it simply, “Everyone’s gotta sleep sometime, and when email stops, everything stops.” The average pay for an Exchange admin is $68,000/year, according to Payscale.com. And following secure encryption protocols (or should that be secure-ish?) takes both knowledge and time — time that not everyone is willing to spend.
“Anything unencrypted that Hillary Clinton sent as Secretary of State, anyone on the internet could have picked it up,” says Whitney. “People who were motivated could have picked it up [right away], but people could have picked it up and not even known what they were looking for until now,” when the email addresses that Secretary Clinton was using were revealed. (Gawker did publish the Clinton address email@example.com in 2013.) “Anything sent unencrypted via email,” Whitney adds, “is available to anyone.”
That brings us to the question of “the server under the desk,” which is the nickname for a home or private server, regardless of whether it’s on a kitchen counter, in a closet, or in a garage. Whitney has a couple of different takes on this. Regarding encryption and security, “The server under the desk, if not well-run, is dangerous. Are the encryption keys in plaintext next to the files? Is there a likelihood that security protocols were open to question?”
But then there’s the point about the delays, inefficiency, and general kludginess of Federal secure mail servers raised by Clay Johnson of Blue State Digital in Medium. “I’d imagine Secretary Clinton at some point emailed the White House,” Johnson says. “I made the mistake of emailing the White House from my personal account once (!) during my term, and managed to get back a nastygram from Counsel about it. How or why didn’t the White House tell Hillary to use her official .gov email account? It could be that they knew the entire classified and unclassified email system was compromised and decided that the smartest thing to do was for her to use her personal email instead.”
So Whitney adds, “The State Department has to balance between being able to communicate quickly and effectively, and being able to communicate securely. The most secure way is to have face to face communication in a room you know is not bugged with a translator you know is trustworthy.” She adds, “It’s a bad idea to have everyone in the world listening in on signals between state leaders, but this was not a problem created by email.” So just as the Kennedy-Khrushchev hotline got the two Cold War-era leaders beyond “signaling in big ways, but they couldn’t [clearly] communicate; I think [modern] statecraft is advanced tremendously by being able to give high fidelity signals to who you are opposing or negotiating with in a timely manner,” says Whitney. “Security should not make that impossible.”
Although Secretary Clinton currently has the spotlight, let’s not forget about the inauspicious digital debut of Republican prenominee Jeb Bush, who took a bold lead in disclosing emails from his years as governor of Florida as part of his pre-campaign. But that didn’t turn out quite as expected. Governor Bush used a personal account for constituent services while in office. As proto-candidate of his party, he released a dump of selected emails, many of them seeming to depict him as attuned to the human suffering of his constituents. Of course, he then published the suffering of his constituents in full, not seeming to care if their personal tragedies became a political sideshow…or if their identity was compromised, as it was in cases when people included their social security numbers and other markers ripe for identity theft in the emails. In one case, which I will summarize so as not to publicly re-identify the individual, a woman appeals to Governor Bush based on, in order:
2) struggles with addiction
3) past criminal conviction and desire to avoid future ones
4) Christian faith
5) terminally ill husband
And that’s just for starters. The email goes on to detail several more personal tragedies and medical conditions; appeals for the Governor’s help; and ends with the petitioner’s social security number and full name.
How did this information go public? And make no mistake: it’s still public on many servers, even though the former Governor’s team has since ordered the files redacted.
Perhaps the better question is: in a world where the distinction between the public and private email accounts of officeholders is blurred at best, how should an officeholder have acted responsibly with some of the most private revelations and identifiers of private individuals?
Richard Cardran is a digital strategist based in Los Angeles. He identifies a series of steps that Governor Bush’s camp could have taken to truly protect constituents while still dealing with the need for disclosure and transparency. “Strategic redaction is an imperative for anyone in [Governor Bush’s] position. However, redaction needs to be done by a third party to have any credibility – otherwise all redacted information is suspect by one’s enemies,” Cardran says. That deals with the data dump of information to the public after the fact. But what about inbound missives? “You can’t protect people from themselves, but you can protect yourself [as a politician],” he adds. “Make all public email submissions happen through a contact form with explicit warnings about public visibility. Or have staff destroy suspect emails when received with an auto-responder to alert emailers to resend minus the personal information.”
Governor Bush’s email did have a signature which read: “Please note: Florida has a very broad public records law. Most written communications to or from state officials regarding state business are public records available to the public and media upon request. Your e-mail communications may therefore be subject to public disclosure.” That’s not nothing, granted.
Imagine if the disclaimer said: “If you just emailed us your social security number, we must destroy this email to protect you from possible identity theft, because this email may become public record. Please re-send your email, and remember that even if you remove your social security number, you may end up publicly humiliated if your email is later published in the newspaper. Do you want your Mom reading this?”
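What that inbound screening and auto-responder could look like in practice, as an added sketch that is not code from either office or from anyone quoted here: the addresses, the notice wording and the function names are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# SSN shape, excluding ranges never issued (area 000/666/9xx, group 00, serial 0000).
# The back-reference \1 requires the same separator in both positions.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")

NOTICE = ("Your message appears to contain a social security number.\n"
          "Mail to this office may become a public record, so it was not retained.\n"
          "Please resend your message without personal identifiers.\n")

def redact(text):
    """Mask SSN-shaped values before a message is archived or released."""
    return SSN_RE.sub("[REDACTED-SSN]", text)

def screen_inbound(raw, office_addr="office@example.gov"):
    """Return ("accept", None) or ("reject", reply).

    The reply never quotes the sender's subject or body, so the identifier
    is not copied into a second mailbox. office_addr is a hypothetical address.
    """
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (part.get_content() if part else "")
    if not SSN_RE.search(text):
        return "accept", None
    reply = EmailMessage()
    reply["From"] = office_addr
    reply["To"] = str(msg["From"])
    reply["Subject"] = "Your message was not retained"
    reply["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker for automatic replies
    if msg["Message-ID"]:
        reply["In-Reply-To"] = str(msg["Message-ID"])
    reply.set_content(NOTICE)
    return "reject", reply

# Constructed sample input; 078-05-1120 is the well-known voided specimen number.
SAMPLE = ("From: Jane Doe <jane@example.net>\nTo: office@example.gov\n"
          "Subject: Request for help\nMessage-ID: <1@example.net>\n\n"
          "My SSN is 078-05-1120. Call me at 555-123-4567.\n")
CLEAN = SAMPLE.replace("My SSN is 078-05-1120. ", "")

if __name__ == "__main__":
    action, reply = screen_inbound(SAMPLE)
    print(action)
    print(reply)
```

Pattern matching only catches identifiers written in the expected shape, so it complements rather than replaces the human review and third-party redaction Cardran describes.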
Despite revealing far too much of his constituents’ personal lives, did Governor Jeb Bush show a pattern of helping them? Did his family’s deep political ties manifest in his electronic correspondence, in ways benign or noteworthy? Did Secretary Clinton, despite the complexities of this digital era, manage to keep a clean house in terms of sorting digital correspondence related to her personal life, U.S. diplomacy, and the Clinton Foundation — and more importantly, were her emails revelatory about the separation or blending of those roles? (She says she deleted emails related to family deaths and weddings. Anything else?)
Given the way these emails were managed, it will be extremely hard to generate anything close to a definitive record. That’s a real detriment to the public’s knowledge.