A week before becoming Secretary of State, Hillary Clinton set up a private e-mail system that gave her a high level of control over communications, including the ability to erase messages completely, according to security experts who have examined Internet records.
“You erase it and everything’s gone,” Matt Devost, a security expert who has had his own private e-mail for years. Commercial services like those from Google Inc. and Yahoo! Inc. retain copies even after users erase them from their in-box.
Although Clinton worked hard to secure the private system, her consultants appear to have set it up with a misconfigured encryption system, something that left it vulnerable to hacking, said Alex McGeorge, head of threat intelligence at Immunity Inc., a Miami Beach-based digital security firm.
The e-mail flap has political significance because Clinton is preparing to announce a bid for the Democratic nomination for president as soon as April. It also reminds voters of allegations of secrecy that surrounded Bill Clinton’s White House. In those years, First Lady Hillary Clinton fought efforts by some White House advisers to turn over information to Whitewater investigators and, later, sought to keep secret records of her task force on health-care reform.
Representative Trey Gowdy, a South Carolina Republican who leads a special committee looking into the events surrounding the 2012 terrorist attack at a U.S. diplomatic facility in Benghazi, Libya, said he will subpoena Clinton’s e-mails.
“We’re going to use every bit of legal recourse at our disposal,” Gowdy said Wednesday during an interview on CNN.
The committee also said Wednesday that it has discovered two e-mail addresses used by Clinton while secretary of state.
Nick Merrill, a Clinton spokesman, didn’t immediately respond to a request for comment, though he said in a statement Tuesday that her practices followed “both the letter and spirit of the rules.”
Setting up a private e-mail service was once onerous and rare. Now, it’s relatively easy, said Devost, president of FusionX LLC, based in Arlington, Virginia.
“There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised,” McGeorge said. “It’s just inherently less secure.”
Former Florida Governor and likely 2016 Republican presidential candidate Jeb Bush used a personal e-mail while he was governor and has done so since, according to his spokeswoman, Kristy Campbell. He kept a server he owned in his state office and didn’t have a private server at home, Campbell said in a phone interview.
Bush differed from Clinton in that it was known he was using a personal e-mail, his aides had regular access to the server and “his office consistently throughout his term complied with Florida’s public records laws,” Campbell said.
In order to ensure her e-mails were private, Clinton’s system appeared to use a commercial encryption product from Fortinet -- a good step, McGeorge said.
However, when McGeorge examined the set-up this week he found it used a default encryption “certificate,” instead of one purchased specifically for Clinton’s service. Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate.
“It’s bewildering to me,” he said. “We should have a much better standard of security for the secretary of state.”
Clinton’s private e-mail -- firstname.lastname@example.org -- was on a domain set up Jan. 13, 2009, the same day a Senate committee held her confirmation hearing. She was confirmed and sworn in on Jan. 21 as President Barack Obama’s first Secretary of State.
It’s entirely possible that Clinton had a private e-mail system set up at her home as a way to maintain administrative and legal control over her communications, said Tim “T.K.” Keanini, chief technology officer for network security company Lancope Inc. based in Atlanta.
“What we know is that she cared about that communication channel so much that she went out of her way,” and likely hired an expert to configure it for her, Keanini said in a phone interview.
Even so, there’s no guarantee she had complete control over what happened to the e-mails, Keanini said.
Keanini searched Internet records to determine that the computer server supporting Clinton’s e-mail was located in her hometown of Chappaqua, New York. An exact physical address could not be determined. The Internet Protocol address for the server was registered to a person by the name of Eric Hoteham, according to the records.
Supporters note that e-mails sent to State Department employees would have been retained on the government’s system.
However, the e-mail system was also used by at least some close staff, including Huma Abedin, Clinton’s deputy chief of staff at the State Department.
Clinton has yet to speak publicly about her motivation for setting up the system or what discussions she had with her advisers at the time.
Secretary of State John Kerry is the first in his position to rely primarily on a state.gov e-mail account, Deputy Press Secretary Marie Harf said. Harf said that the State Department has “no indication that Secretary Clinton used her personal e-mail account for anything but unclassified purposes.”
While Clinton didn’t have a classified e-mail system, she had multiple ways of communicating in a classified manner, including assistants printing documents for her, secure phone calls and secure video conferences.
Clinton’s top aide during that period, Cheryl Mills, is a respected scandal-defense lawyer. As a member of the White House counsel’s office, Mills helped guide President Bill Clinton through a series of investigations in the 1990s and won praise for her performance in successfully defending him when the Senate voted not to remove him from office in 1999.
Mills would go on to combine two of the most powerful posts at the State Department -- chief of staff and counselor -- under Hillary Clinton. In that job, she spoke for Clinton on management matters within the department.
Mills didn’t reply to an e-mail seeking comment.
Not long after resigning as secretary of state, Clinton’s private e-mail service was transferred to a commercial provider, MX Logic, Devost said.
“The timing makes sense,” Devost said. “When she left office and was no longer worried as much about control over her e-mails, she moved to a system that was easier to administer.”
It took less than a day for researchers to find potential problems with the Clinton’s system.
Using a scanning tool called Fierce that he developed, Robert Hansen, a web-application security specialist, found what he said were the addresses for Microsoft Outlook Web access server used by Clinton’s e-mail service, and the virtual private network used to download e-mail over an encrypted connection. If hackers located those links, they could search for weaknesses and intercept traffic, according to security experts.
Using those addresses, McGeorge discovered that the certificate appearing on the site Tuesday appeared to be the factory default for the security appliance, made by Fortinet Inc., running the service.
Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.
It’s unclear whether the site’s settings were the same before news of the private e-mail account emerged this week.
Fortinet issued a statement saying it wasn’t aware the company’s technologies were used by Clinton.
“If they were, our recommendation is to replace provided self-signed certificates with valid digital certificates for the protected domains,” said Andrea Cousens, a Fortinet spokeswoman.
“It may have fallen in the realm of acceptable risk,” Devost said. “They wanted to make sure that when she was in Egypt all of the traffic from her phone to the mail server was encrypted and that was their priority.”