I try to avoid addressing specifically political issues on this blog too often, since I could easily get carried away with them to no useful purpose. This post is an extended reply to a couple of Twitter responses from a friend; discussing anything complicated on Twitter just doesn’t work. Also, it relates to issues where I have a bit of knowledge.
While she was Secretary of State, Hillary Clinton used a private server for the large majority of her official email. According to the New York Times, she didn’t even have a .gov email address. This doesn’t appear to have violated any laws, but legal isn’t the same thing as reasonable and prudent.
An article on Gizmodo discusses the security risks that may come with a less-than-expert setup of an email server. She used the domain clintonemail.com, managed by a company called Perfect Privacy, LLC. Perfect privacy sounds good, but names are easy. It’s hardly likely that its security was as good as the State Department’s. (Although, perhaps … she had reasons to think that hostile spy agencies had completely compromised the State Department’s email and she escaped to a private server? These days you can’t be too paranoid, but it isn’t clear how her course would have helped much. Future news developments might yet surprise us.)
The problems with such a system include lack of credible authenticity (if you got a message from “clintonemail.com,” would you think it was from the Secretary of State?), easy confusion with other domains, an uncertain level of security, and a far too convenient ability to delete anything she didn’t want known. Whether President Obama knew she was using this server is very confusing. A Guardian article says, “Barack Obama emailed Hillary Clinton several times at her personal email address, the White House said on Monday, while insisting the US president did not realise his secretary of state was operating an independent email system detached from government servers.” How is that even possible? Whatever Obama is, he isn’t stupid. Would he accept email from any old address that claimed to be his Secretary of State, without even wondering about it?
Maybe I’m just underestimating how tech-stupid most people, even intelligent ones, are. Some email clients, like the inexplicably popular Outlook, do their best to hide the address from which you got any email, showing only the name. When I had to use Outlook at a previous employer, even I found it hard to tell what address a message really came from. (Which isn’t to say that an email address authenticates anything. They’re trivial to forge.) This affair has me wondering just how vulnerable high-level government email communications are. Maybe it isn’t so unreasonable that Obama would be oblivious to an unfamiliar address. There must be clever technical people in Washington constantly begging high-level officials not to do stupid things, and I don’t envy them; who’d want to tell someone at the White House or Cabinet level, “Don’t do that, you idiot” for a living?
When caught, Clinton blustered; that’s a normal politician’s reflex. It only made her look more stupid to me, but not that many people understand the technical issues. I know how to read email headers; most people don’t know anything more than “From” and “To.” I’m regularly surprised when people don’t know things I consider common knowledge, like that Linux is an operating system or that Lenovo shipped Superfish with many of its computers. There are as many things I don’t know that other people take for granted. But somebody, in all that time, should have noticed that Clinton was engaging in seriously bad security and accountability practices. I suppose no one dared raise the issue.