You've probably heard: Hillary Clinton used a private, personal email address for all of her official business as Secretary of State. She didn't even have a State Department email address. As a result, her email was far from secure — and that is a big problem, but it's not the only one.
The security issue is just one of many disconcerting things about Clinton's secretive email habits. Perhaps more importantly, it's politically problematic that Clinton kept all of her work emails off the books, on a private server. That means she blatantly violated President Obama's promise for better transparency in the government. (She's hardly the first Obama-appointed official to break this promise, but oh well.)
But, transparency aside, the main problem is that Clinton seems to have done a pretty shitty job securing her private email server — and endangered national security as a result.
I talked to security experts at Kaspersky Lab about how Clinton made herself vulnerable to hackers by exclusively using a homebrew email system, and their answer was basically, how didn't she make herself vulnerable.
"From a technical perspective, a cabinet member using a homemade solution means adding an array of technologies and middlemen through whom the United States government can effectively be severely compromised," Researcher Patrick Nielsen said.
That doesn't sound good at all. Clinton's private email system added third parties into the equation, meaning that a hacker could effectively snoop on US government mail without directly hacking US government servers. Nielsen explained that the domain Clinton used for her private email service — clintonemail.com — is owned by a Florida company called "Perfect Privacy, LLC" and registered to another private company called Network Solutions. The relationship between the two companies is unclear since some details have been masked.
Those are just two third parties in a long line of private companies involved in Clinton sending an email to German Chancellor Angela Merkel, or whomever. According to Nielsen, that email would also probably pass through the DNS servers of worldnic.com, another company owned by Network Solutions, and through a security system owned by McAfee called MX Logic.
How much encryption Clinton was using is unknonw, but McAfee does support it. Inevitably, each of these companies are potential targets that could give a hacker access to the Secretary of State's email system, again without directly attacking the US government.
Unsurprisingly, there are far fewer gates into Uncle Sam's security system. The US government email servers are crucial resources for a secretary of state — or any public official, really — who is interacting with world leaders and attempting to keep us safe from nuclear war. The State Department's state.gov domain is owned by the federal government and sends traffic through servers used exclusively by the US government, says Nielsen.
The researcher went on to list other ways that Clinton's email service could've been compromised, like typosquatting.
He pointed out that there is another valid domain, clintonmail.com, owned by somebody else with the last name Clinton since 2002 (note the lack of an "e," which is the only difference between it and Hillary Clinton's domain). "How many emails meant for the Secretary of State has the owner of clintonmail.com received?" Nielsen asked, adding that this isn't a problem with .gov domains since only the government can register them.
"In short, from a security perspective, using your own email address to conduct official business is a very bad idea." As Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, put it: "Clinton's decision to forgo the State Department's servers is inexplicable and inexcusable."
Nielsen isn't the only one coming to these conclusions. A team of security researchers spotted gaping security gaps according to a Bloomberg Investigation. Meanwhile, Wired's Andy Greenberg points out how Clinton turned to the private sector for email when NSA-level security like the Einstein Project have been in place to protect intrusions on government networks since 2008.
What makes it even more problematic is that McAfee, one of the private companies involved in Clinton's homebrew email system, might be responsible for a vulnerability that enables man-in-the-middle attacks. Stanford researcher Jonathan Mayer told Wired that "a misconfiguration" led to Clinton's team using a relatively hackable TLS certificate.
But to return to the transparency issue again, some say the system was also specifically designed to enable Clinton and her aides to erase emails completely. Because she owned the email server, she controlled what was saved and what was deleted. Emails sent through an official State Department account, however, would be kept by the National Archives, a federal requirement that Clinton may have violated.
Maintaining the ability to nuke correspondence is a great way to keep secrets, though.
And this is where we get into the real political implications of Clinton's shady email habits. Armchair pundits are attempting to frame this news as a "hit job," especially since Clinton will reportedly announce a presidential run as early as next month. Activists are dissecting ongoing controversies like the Keystone XL Pipeline, wondering what Hillary was doing behind closed doors. Fox News is having a field day, as are Hillary's GOP opponents in the 2016 race.
It remains entirely unclear if this will torpedo Clinton's next campaign before it starts or get swallowed by the white noise of the impending election cycle. But Clinton has responded to the uproar by saying she wants the public to read all those emails and will release them.
I want the public to see my email. I asked State to release them. They said they will review them for release as soon as possible.
— Hillary Clinton (@HillaryClinton) March 5, 2015
Nevertheless, you should be mad. America's security is bad enough, we don't need the nation's highest ranking officials building private email servers — leaving the door open to attackers, but also to corruption.