After news surfaced that former Secretary of State Hillary Clinton used a private email server for communications related to her post, industry pundits immediately began to wrestle with the implications of the move, from both a security and transparency standpoint.
The New York Times revealed on Monday that, during her four-year tenure as secretary of state, Clinton exclusively used a personal email account, and more details about her team's IT practices have since come to light. The Associated Press discovered that Clinton used the personal account, hdr22@clintonemail[dot]com, in tandem with a private email server, which it traced back to Clinton's New York residence.
In response, Clinton took to Twitter on Wednesday and announced that she wanted the public to see her emails. At her request, the State Department will review the communications for release “as soon as possible,” Clinton said.
In the midst of continued disclosures regarding Clinton's emailing habits, some experts questioned the legality of the move.
In 2014, the Federal Records Act was updated to specifically address the “responsibilities of federal government officials when using non-government email systems,” but the rule went into effect well after Clinton's tenure as secretary of state ended in early 2013.
In a Thursday interview with SCMagazine.com, Mark Noel, an attorney and managing director of professional services at Catalyst Repository Systems, an e-discovery firm founded by legal-technology experts, said that, contrary to some opinions, there is a way to determine when emails may have been purposely “hidden” via private accounts or servers.
“In our line of work, people try to hide emails all the time, but often, once we have enough emails, we can see holes in [communication] patterns,” Noel said. “We might not be able to see exactly what is there, but we can see a hole through gap analysis…putting the emails on a timeline and visually seeing if there are any [disparities].”
He explained that the bring-your-own-device (BYOD) movement has made it commonplace for professionals to try to simplify their communication methods through one device or account, which doesn't necessarily suggest a motive to conceal information.
“What happens when someone goes the bring-your-own-device route, is it makes it more complicated to retrieve and reassemble that person's emails. The [email] copies probably exist on the servers, but they exist in different places which would make it harder to search and retrieve. It's not a matter of hiding the information or losing it. But when it comes time to respond to FOIA requests, for instance, or do searches, it makes it more difficult,” Noel said of the government transparency issue.
John Ackerly, CEO of Virtru, an end-to-end encryption provider which implements email security services for Gmail, Outlook, and other popular email platforms, told SCMagazine.com on Thursday that the Clinton team's move was simply risky from a security standpoint, when weighed against its privacy or convenience allowances.
“To set up your own server and keep that secure is incredibly hard to do,” Ackerly said.
Even major providers, with all of their resources, have found it tough to fend off attacks from outsiders, he explained.
“Comcast itself was hacked last year and had 34 of its email servers compromised,” he continued. “Simply having your own server does not make you more secure, it actually increases risk.”