Hillary Clinton's little email fuss: Beyond 'servers in the basement'

Did she do anything wrong? Were federal record-keeping laws broken? Was security compromised? Email expert and presidential scholar David Gewirtz deconstructs Hillary Clinton's emailgate.

hillary-clintons-little-email-fuss.jpg
Credit: AP
Let's start with the elephant in the room. Hillary Clinton could be America's next president.

According to PredictWise, she currently has a 74.9 percent chance of winning the Democratic nomination (the next closest is Elizabeth Warren, with a 9.3 percent chance and Joe Biden with a 3 percent chance). Of definite concern to the Republicans, she has a 44.7 percent chance compared to Jeb Bush with 15.9 percent, Scott Walker with 6.4 percent, and Marco Rubio with 6.3 percent.

The point is, a fuss about Hillary Clinton's email isn't going away. The stakes for all the parties are way too high.

But did she do anything wrong? Were federal record-keeping laws broken? Was security compromised?

UPDATE 3/10/2015: Former Secretary of State Hillary Clinton addressed email concerns in a statement followed by a question and answer segment with the press. We have the full video, plus analysis of her comments. Read Hillary Clinton: Yes, I did operate a private server.

No, she probably didn't have a server in her basement

As the update above shows, five days after this article was published, Mrs. Clinton acknowledged that she did have a private email server. Keep reading to see how my original, now clearly incorrect analysis was derived, and also for details that might shed light on more of her practices.

I'm basing this analysis on an aggregation of other press reports and public registry information because the sources who were so willing to provide information when I was investigating the Bush White House email situation are much less helpful when looking at a Clinton. That's not exactly a surprise. Politics is politics.

​Hillary Clinton takes shadow IT mainstream

Hillary Rodham Clinton is in one big email mess, but if you zoom out and look at her as any other employee you have a leading example of shadow IT at play.

Read More

As was the case with the Bush email controversy, the press reports are confusing. Also, many reports are making incorrect assertions, probably due to a surprising (in this day and age) lack of understanding about how the internet works.

I'll start with an Associated Press report claiming that Mrs. Clinton (or, presumably, a staffer) "ran [her] own computer system for her official emails" out of her family's home in Chappaqua, New York.

The AP report goes on to discuss the potential problems of running a home server, including "regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems and redundant communications lines."

Those are certainly concerns when operating a home server (I know, I've done it for years), but where the AP gets the story wrong is confusing domain names with servers.

Before I can delve into that, you need to know that AP had originally identified "a mysterious identity, Eric Hoteham." Apparently, the domain names for various Clinton domains were registered in this person's name. It turns out that Hoteham is a mistaken spelling for Hothem. There are some serious political and media credibility implications to that mistake, which I discuss in Emailgate: How media mythology created Hillary Clinton's fake, fake identity.

AP states, "Hoteham was listed as the customer at Clinton's $1.7 million home on Old House Lane in Chappaqua in records registering the internet address for her email server since August 2010." AP goes on to state, "The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential internet account as Mrs. Clinton's email server."

Can you see where the confusion is? AP is describing "presidentclinton.com" as a "separate email server." The domain names clintonemail.com, presidentclinton.com, wjcoffice.com are all domain names, not servers.

Based on what's been described, we're most likely looking at domains where the billing or administrative contact was in Chappaqua. Many of us who own domain names work that way. My email service was operated by Microsoft and now Google, but my domain is registered to me, and my billing address is here in Florida, even though my mail is hosted God-knows-where on Google's network.

Could she have had a box in her house? While that's certainly possible, it's far more likely her emails were hosted elsewhere. AP continues: "In November 2012, without explanation, Clinton's private email account was reconfigured to use Google's servers as a backup in case her own personal email server failed, according to internet records."

That sounds a lot like MX records. The way internet mail works is it finds where to send mail based on an MX record that's part of the domain name record. If mail can't be delivered to one named server (if the server at the domain or IP address is unresponsive for too long), a mail transmission is attempted to the next lower priority IP or domain in the MX record stack.

Along similar lines, AP describes an additional change in her configuration: "Then, in July 2013, five months after she resigned as secretary of state, Clinton's private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top internet security company."

Except MX Logic isn't a "commercial email provider," it's a service that offers spam and virus filtering for email, very similar to Google's own Postini service. One of my friends who runs an ISP offers both Postini and MX Logic to customers but recommends MX Logic because he says the spam management is better.

Stanford Ph.D candidate Jonathan Mayer did some tracing on IP addresses. He believes an old IP address running on Optimum Online pointed to the Clinton residence, but like me, thinks it could have been used as a billing address. He also identifies the server routed to and from mail.clintonemail.com as a " Windows Server 2008 R2 with a valid SSL certificate," but that server, according to Mayer, is located at managed services company Internap.

Let's review: Clinton is clearly using two cloud services for at least some of her email management: Google and MX Logic. A physical server associated with her MX records is being operated by a managed services firm. Therefore, the premise that she's trying to lock down all her email, protected physically inside her own house so posterity can't get to it, seems unlikely.

However, one possible concern might, in fact, be based on the opposite scenario. If Mrs. Clinton's email is running through the same anti-spam and antivirus filtering service you and I can use, how secure, then, is her email?

Let's take a look...

Secretary Clinton's use of a non-governmental email address

I have advocated many times against allowing senior government officials to use personal email accounts and this applies to Secretary Clinton as much as anyone else. It is not secure enough.

However, Al Jazeera (not exactly an impartial media outlet when it comes to U.S. foreign policy) contends that State Department email systems were insecure as well. They quote a former presidential innovation fellow, Clay Johnson, as saying that State Department official email was compromised as part of the WikiLeaks/Chelsea Manning debacle. Therefore, he contends, she might have been advised to use her personal email.

There is some limited plausibility to that claim, at least in that no clintonemail.com messages were included in the Manning dump, unlike thousands of emails from State Department servers.

Another explanation for Clinton's use of a personal email rather than government email address can be found in Business Insider, which reports two unnamed former State Department officials who claim, "At the time, State Department policy would not have allowed her to have multiple email addresses on her Blackberry. Because of this, the officials said, she opted to have one address for both personal and governmental communications."

There is some plausibility here. As far back as 2009, I was covering President-elect Barack Obama's struggle to keep his own BlackBerry. The compromise was that Mr. Obama got a secured phone for official use and a tweaked-out BlackBerry for communications with a select group of personal friends.

The idea that Mrs. Clinton didn't want to manage two devices and used staffers for secure communications is well within the realm of possibility, especially when you're looking at communication coming from a senior executive.

The Federal Records Act

Key in this discussion is the question of whether, as The New York Times reported, Mrs. Clinton's use of personal email broke the records archiving rules of the Federal Records Act.

To properly understand this issue, you need to understand that the Federal Records Act (FRA) and the Presidential Records Act (PRA) are odd, anachronistic beasts.

Until very recently, the government's interpretation of "records" meant pieces of paper, regardless of whether the actual item being recorded began in digital form. That's why, as Bush White House Deputy Press Secretary Dana Perino stated in 2007, "So you would either print it off, or you would forward it to another email, to your personal account -- I'm sorry, to your White House account, in some way keep that so that in the future, if the Counsel's Office needed to look back at those records, that they would have access to that."

In addition, not all documents are considered "official records." If Mrs. Clinton sent a note asking Bill to pick up some milk, that's not considered an official record. As such, any delivery to the National Archives of email messages as records would have been filtered and sorted, a process designed to remove any non-relevant documents, protect incidental privacy, and quite non-incidentally, give the delivering parties the unlawful opportunity to selectively forget to disclose any incriminating records.

It's a very flawed system. In fact, back in President Reagan's day, email was not considered a record by the National Archives at all. It took an adventurous techie who argued that Reagan Administration email should be preserved before the courts ruled Reagan-era email should be saved.

Speaking of the Clintons, though: Once it became apparent that some National Security Council information was going to be subject to Federal Records Act rules, and therefore subject to potential Freedom of Information Act disclosure -- rules which govern government entities known as agencies -- President Clinton went so far as to redefine the National Security Council to not be an agency.

We don't yet know what machinations President Obama will try, but if he's like all of his predecessors, he is going to do his level best to keep records out of the public archive. If you'd like to read the gory details of how presidents from Reagan to George W. Bush tried to slither around records act requirements, read the "Historical Perspective" chapter of my book, "Where Have All The Emails Gone?" It's a free download. No administration is without blame.

This brings us back to The New York Times article, where author Micheal S. Schmidt reports that some 55,000 email messages were gathered by Mrs. Clinton's State Department staff and turned over to the National Archives.

Additionally, Business Insider quotes Clinton spokesman Nick Merrill, "Like Secretaries of State before her, she used her own email account when engaging with any Department officials. For government business, she emailed them on their Department accounts, with every expectation they would be retained."

This is certainly in keeping with commonly accepted record disclosure practices by other departments and agencies. It also shows just how porous government record-keeping requirements really are.

The Hatch Act rears its ugly head again

Another criticism levied against Mrs. Clinton was that the use of personal email was designed to give her a way to avoid turning over email messages. It should be noted that many in the Bush Administration used personal email, as did former secretaries of state, including Colin Powell. In fact, modern interpretations of the Hatch Act (a 1939 ruling that's now imposing itself on electronic record-keeping) requires that any non-governmental or politically-related email use personal email accounts.

A problem-solving approach IT workers should learn from robotics engineers

Sometimes the most profound solution is to change the entire problem.

Read More

Without a doubt, much of Mrs. Clinton's correspondence would have been, by nature, political and thereby subject to the Hatch Act's ban on using federal resources.

This would account for the use of hdr22@clintonemail.com by Clinton friend Sidney Blumenthal, who worked in the Bill Clinton White House. According to a breathless report in The Smoking Gun back in 2013, Blumenthal had been sending email to Mrs. Clinton using the hdr@clintonemail.com account.

This became public knowledge when unemployed Romanian taxi driver Marcel Lazăr Lehel (aka "Guccifer") posted hacked emails from Blumenthal's email account.

Those emails contained, according to another Smoking Gun article, what appeared to be confidential and even sensitive information about American foreign policy with headlines like "Comprehensive Intel Report on Libya" and warnings presented in shouting caps, like "THE FOLLOWING INFORMATION COMES FROM EXTREMELY SENSITIVE SOURCES AND SHOULD BE HANDLED WITH CARE."

But here's the question. Is Clinton violating the law or regulations because she received messages like this? It's important to realize that Blumenthal hasn't held a federal government post since 2001, so email sent by him would not have been via a government server. So whether or not it was advisable on the part of Blumenthal to communicate this information to Clinton over the internet, we can't use that behavior on the part of an old FoB (Friend of Bill) to roast Hillary for her email practices.

How bad is this?

"How bad is this?" can be asked in two ways: How bad is this in terms of national security and preservation of public history, and how bad is this from the point of view of Mrs. Clinton's possible presidential aspirations?

In both cases, the answer is "not so much."

As we've seen, it's unlikely that Mrs. Clinton housed an email server in her house and more likely her home address was used as the official address for domain name registration. That's odd, but not unusual.

What about the use of a personal email address through her term as Secretary of State? Could she have possibly done her job and remain secure? Let's remember that Karl Rove when he was in the Bush White House had a number of personal email addresses and President George W. Bush had the enviable privilege of not using email for his entire eight years in office.

It is certainly plausible then, that Mrs. Clinton used her personal email account mostly for political-ish communications and used assistants and the entire State Department diplomatic infrastructure for official communication.

It is also plausible that mistakes were made and sensitive information was sent through her personal email address. I detailed that risk in my book on the Bush emails, and it's a very scary possibility to this day.

In terms of records act violations, Clinton has clearly turned in a mass of records. It would be virtually impossible for anyone to determine if they are complete or not, but that is the case with every administration and agency and has been for quite some time.

That brings us to the political component of this discussion. Will this email fuss impact Mrs. Clinton's presidential prospects? Nope. Mrs. Clinton is probably the most criticized prospective candidate in the history of prospective candidates, comes with an entire circus train of baggage, and has managed to keep her head above the muck for all of her recent career.

Next to everything else she has to fight off, a little email fuss won't even register on the meter.

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All