Shortly After January 5, 2015: It can be deduced that the 31,830 emails that Clinton chose to delete may actually be deleted around this time.

David Kendall (Credit: The National Law Journal)

David Kendall (Credit: The National Law Journal)

Clinton’s personal lawyer David Kendall later claims that after Clinton turned over the 30,490 emails she deemed work-related, which took place on December 5, 2014, the settings on her private server were changed so that any email not sent within 60 days would be automatically deleted. But some news reports say the setting was for 30 days instead. If this is true, the deletions must take place after January 5, 2015, or February 5, 2015, depending on which setting is actually in place.

On March 4, 2015, the House Benghazi Committee issues a subpoena ordering Clinton to turn over any material related to Libya and/or Benghazi, which followed a more limited request in November 2014.

Trey Gowdy (R), head of the committee, will complain later in March 2015, “Not only was the secretary the sole arbiter of what was a public record, she also summarily decided to delete all emails from her server, ensuring no one could check behind her analysis in the public interest. […] The fact that she apparently deleted some emails after Congress initially requested documents raises serious concerns.”

Clinton’s staff has argued that all the emails relating to Libya and/or Benghazi have been turned over already. (The New York Times, 3/27/2015) (House Benghazi Committee, 3/19/2015) (McClatchy Newspapers, 10/6/2015)

A September 2016 FBI will reveal that the deletion of Clinton’s emails from her private server won’t actually take place until late March 2015. And while the employee is supposed to change the email retention policy so some of her emails will be deleted 60 days later, he actually will delete all of her emails and then use a computer program to wipe them so they won’t be recovered later. Why this happens is still unclear. (Federal Bureau of Investigation, 9/2/2016)

January 13, 2015: Clinton’s press secretary has “teed-up stories” for a New York Times reporter before and she has “never disappointed.”

Maggie Haberman (Credit: public domain)

Maggie Haberman (Credit: public domain)

Nick Merrill, Clinton’s campaign press secretary, writes an email memo to Clinton’s other core staffers (including John Podesta and Robby Mook) who are developing a strategy that is described as being “designed to plant stories on Clinton’s decision-making process about whether to run for president.”

The email names Maggie Haberman who at the time writes for Politico, but will switch to covering the election for the New York Times one month later. Merrill writes, “We have ha[d] a very good relationship with Maggie Haberman of Politico over the last year. We have had her tee up stories for us before and have never been disappointed. … [F]or this we think we can achieve our objective and do the most shaping by going to Maggie.”

According to a later article by the Intercept, “The following month, when she is at the Times, Haberman publishes two stories on Clinton’s vetting process.”

The Intercept will be given this email and others by the hacker known as Guccifer 2.0 in October 2016. The Intercept will comment that the email is just one of many “Internal strategy documents and emails among Clinton staffers” that “shed light on friendly and highly useful relationships between the campaign and various members of the US media, as well as the campaign’s strategies for manipulating those relationships. … At times, Clinton’s campaign staff not only internally drafted the stories they wanted published but even specified what should be quoted “on background” and what should be described as “on the record.” (The Intercept, 10/09/2016) (Wikileaks, 10/13/2016)

January 25, 2015: A lawsuit filed this day will result in the release of all of Clinton’s work emails.

Judge Rudolph Contreras (Credit: The National Law Journal)

Judge Rudolph Contreras (Credit: The National Law Journal)

Jason Leopold of Vice News files a lawsuit seeking all of Clinton’s emails during her time as secretary of state. (Politico, 3/28/2015) Leopold first requested the emails in a November 2014 Freedom of Information Act (FOIA) request. (Vice News, 2/29/2016

As a result of this lawsuit, in May 2015, US District Judge Rudolph Contreras will order rolling production and release of the work-related emails in the State Department’s possession in monthly batches. (Vice News, 5/19/2015)

February 1, 2015: Clinton’s staff asks the New York Times and Wall Street Journal to report Hillary’s economic policies in a “progressive” light.

Clinton campaign press secretary Nick Merrill writes an email to several Clinton staffers, describing two stories the Wall Street Journal and New York Times are preparing to publish that will be covering Clinton’s economic policies.

Nick Merrill holds an umbrella for Clinton, as Jennifer Palmieri looks on, in Ashland, Ohio, on August 1, 2016. (Credit: Andrew Harnick / The Associated Press)

Merrill writes, “Both will have a dose of personnel name-gaming, and I’ve spoken to both to steer them towards progressive names, which they seem to both have on their own. I want to give both stories something on the record that addresses the core of the story, but also speaks some of the things we all felt needed a little proactive addressing, like inevitability and timing.”

Merrill then suggests the core of the stories will be about, “Increasing access to opportunity and fighting for upward mobility has been an uninterrupted pursuit of hers in every job she’s held. You heard it from her on the campaign trail last fall, where she laid out the challenges we face. She’s casting a wide net, talking to a wide range of people on a range of specific topics. There’s no red X on a calendar somewhere, but make no mistake, if she runs, she will take nothing for granted, she’ll present bold ideas, and she will fight for every vote.” (Wikileaks, 10/24/2016)

Amy Chozick (Credit: Google Plus)

Amy Chozick (Credit: Google Plus)

One week later, the New York Times publishes an article by Amy Chozick, entitled “Economic Plan is a Quandry for Hillary Clinton’s Campaign.” As hoped, the core of the story Merrill mentions in his email is covered in the article and is included as a quote by Bill Clinton’s previous treasury secretary:

“’It’s not enough to address upward mobility without addressing inequality,’ said Lawrence H. Summers, a Treasury secretary in the Clinton administration who is among those talking with Mrs. Clinton. ‘The challenge, though, is to address inequality without embracing a politics of envy.’”

Chozick then “steers” readers to several other “progressive names” and writes, “Several of Mr. Clinton’s former advisers, including Alan S. Blinder, Robert E. Rubin and Mr. Summers, maintain influence. But Mrs. Clinton has cast a wide net that also includes Joseph E. Stiglitz, a Nobel laureate in economics who has written extensively about inequality; Alan B. Krueger, a professor at Princeton and co-author of ‘Inequality in America’; and Peter R. Orszag, a former director of the Office of Management and Budget under President Obama. Teresa Ghilarducci, a labor economist who focuses on retirement issues, is also playing a prominent role.” (New York Times, 2/7/2015)

Laura Meckler (Credit: Tout)

Laura Meckler (Credit: Tout)

A few days after that, The Wall Street Journal publishes an article by Laura Meckler entitled, “Hillary Clinton Economic Plan to Chart Center-Left Course.” The article appears to be less “steered” by the Clinton campaign, it doesn’t include “a dose of personnel name-gaming” and offers a more balanced approach between what the liberal base of the Democratic party hopes for, as opposed to Clinton’s more centrist economic positions. (Wall Street Journal, 2/12/2015)

Because one of the recipients of this email is Clinton campaign chair John Podesta, it will be released by Wikileaks in October 2016.

February 2015: The State Department finally begins archiving the emails of its top officials.

The State Department begins using a system that automatically keeps the emails of high-ranking officials, such as deputy secretary of state, and under and assistant secretaries. Secretary of State John Kerry’s emails have been automatically retained since around the time he took office in 2013.

Patrice McDermott (Credit: Freedom of Information Summit)

Patrice McDermott (Credit: Freedom of Information Summit)

In 2012, an Obama administration directive mandated that departments must devise a system for retaining and preserving email records by the end of 2016, but some departments are slow to adapt.

Patrice McDermott, director of the transparency watchdog group OpenTheGovernment.org, says, “It really is chaos across the government in terms of what agencies do, what individuals do, and people understand that they can decide what they save and what they don’t. If you leave it up to the agency, some are going to behave properly and take it seriously, and some are going to see it as carte blanche to whitewash the record.” (The New York Times, 3/13/2015)

March 2015: A State Department official gives Clinton’s lawyer David Kendall written permission to retain copies of the emails Clinton turned over in December 2014.

The walls, floor, ceiling, and door of a SCIF room are made out of solid metal before an outer facade that looks like a normal room is added. (Credit: scifsolutions.com)

The walls, floor, ceiling, and door of a SCIF room are made out of solid metal before an outer facade that looks like a normal room is added. (Credit: scifsolutions.com)

However, that official, Under Secretary of State for Management Patrick Kennedy, says that decision might be revisited if it is determined that the emails contained classified information. It will later be determined that some of Clinton’s emails contained “top secret” information, and all such information needs to be kept in a special, purpose-built room called a Secure Compartmented Information Facility (SCIF), which Kendall does not have. Even with permission from Kennedy, Kendall would still be in violation of federal law for having top secret information outside a SCIF. (Politico, 8/25/2015) (John Schindler, 8/26/2015)

March 2, 2015: Clinton’s campaign chair privately says “we are going to have to dump all” of Clinton’s emails.

Lanny Davis and Hillary Clinton (Credit: public domain)

Lanny Davis and Hillary Clinton (Credit: public domain)

Clinton’s campaign chair John Podesta emails Cheryl Mills, who is one of Clinton’s lawyers at the time, as well as being her former chief of staff. He writes, “On another matter….and not to sound like Lanny, but we are going to have to dump all those emails so better to do so sooner than later.”

Mills replies with a joke, “Think you just got your new nick name :).” (WikiLeaks, 11/1/2016)

This is in reference to the New York Times front-page story from earlier in the day, publicly revealing that Clinton exclusively used a private email account while secretary of state.

“Lanny” is a likely reference to Lanny Davis, who was a special counsel to President Bill Clinton, and is a longtime media surrogate for Bill and Hillary Clinton. Less than a week later, Davis will publicly advocate that Clinton should be transparent with her emails.

By saying “dump,” Podesta could mean dump them to the public, or he could mean get rid of them. Unfortunately, there are no more comments from him or Mills to help clarify his meaning.

These emails will be released by WikiLeaks in November 2016.

March 2, 2015: Clinton spokesperson Nick Merrill incorrectly claims that Clinton’s email practices followed “both the letter and spirit of the rules.”

Nick Merrill (Credit: Skidmore College)

Nick Merrill (Credit: Skidmore College)

Merrill’s comment appears in the March 2, 2015 New York Times story revealing that Clinton used a private email account when she was secertary of state. He won’t say why she did this. (The New York Times, 3/2/2015)

However, on March 12, 2015, Douglas Cox, a professor who focuses on records preservation laws, says: “While Clinton may have technical arguments for why she complied with [the various] rules that have been discussed in the news, the argument that Clinton complied with the letter and spirit of the law is unsustainable.” (Politifact, 3/12/2015)

In May 2016, the State Department’s inspector general will conclude that department officials “did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business.” Her daily use of a private email account for work matters is also determined to be in violation of department rules. (US Department of State, 5/25/2016)

March 2, 2015: The company managing Clinton’s server tightens security on the server after its existence is exposed.

On the morning of March 2, 2015, a front-page New York Times article reveals Clinton’s use of her own private email server. Platte River Networks (PRN) is managing the server.

Bill Thornton (Credit: public domain)

Bill Thornton (Credit: public domain)

Later in the day, PRN employee Bill Thornton writes in an internal company email, “I spent some time in their firewall just now locking everything down (pretty tight).” (The New York Post, 9/18/2016)

However, on March 4, 2015, an analysis of the server’s publicly visible settings will show it has a misconfigured encryption system. Further articles the next day will expose more security vulnerabilities.

PRN will make more changes to improve the server’s security around March 7, 2015.

Shortly After March 2, 2015: A surge of hacking attempts follows the revelation of Clinton’s use of a private email server in the media.

On March 2, 2015, a New York Times article publicly reveals Clinton’s use of a personal email account and private server to conduct government business. The FBI’s Clinton email investigation will later identify an increased number of login attempts to her server and its associated domain controller just after this article comes out.

According to the FBI in September 2016, “Forensic analysis revealed none of the login attempts were successful. [The] FBI investigation also identified an increase in unauthorized login attempts into the Apple iCloud account likely associated with Clinton’s email address during this time period.” (Clinton’s email address, which had been publicly revealed in March 2013, was still used as the user name for the account.) “Investigation determined all potentially suspicious Apple iCloud login attempts were unsuccessful.”

Despite all this, Clinton does not simply turn the server off. Instead, Platte River Networks (PRN) employees, who are managing the server, make some security improvements around March 7, 2015.

PRN staff also discuss the possibility of conducting penetration testing against the server to highlight vulnerabilities, so they can be fixed. However, the penetration testing ultimately doesn’t happen. (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: The company managing Clinton’s private server fails to fully test its security vulnerabilities.

Johannes Ullrich (Credit: LinkedIn)

Johannes Ullrich (Credit: LinkedIn)

Platte River Networks (PRN) is the company managing Clinton’s private server. Due to a wave of hacking attacks on the server following the public revelation of the server on March 2, 2015, PRN considers doing penetration testing. That  means hiring someone to try to hack the server in order to expose its vulnerabilities so they can be fixed.

Cybersecurity expert Johannes Ullrich will later comment, “It’s a good idea, and it’s also commonly done.”

However, the penetration testing never happens. It isn’t clear why. (The New York Post, 9/18/2016) (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: Cheryl Mills has a computer company check on the condition of Clinton’s private server after the media makes Clinton’s use of the server front-page news.

On March 2, 2015, the New York Times publishes a front-page story about Clinton’s emails practices and her use of a private email server.

The Equinix data center in Secaucus, NY. (Credit: public domain)

In the days following the publication of the article, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server.

In response to this request, an unnamed PRN employee travels to the Equinix data center in Secaucus, New Jersey, where the server is located, to conduct an onsite review of the equipment. At the same time, another unnamed PRN employee logs in to the server remotely to check on it.

This will result in some changes to the security settings of the server  around March 7, 2015. Additionally, many emails (other than Clinton’s) are deleted from the server on March 8, 2015. (Federal Bureau of Investigation, 9/2/2016)

March 3, 2015: The head of the company managing Clinton’s private server makes a curious political comment; he also wonders what Clinton emails might have to turn over.

David DeCamillis (Credit: Twitter)

David DeCamillis (Credit: Twitter)

David DeCamillis, the vice president of sales for Platte River Networks (PRN), emails other PRN employees about the news reported in the New York Times the day before revealing Clinton’s exclusive use of a private email address hosted on her private server. He writes, “I’m sure the Republicans are giving each other high fives; especially Jeb Bush.”

PRN is the company that has been managing the server since June 2013. There will later be suggestions that PRN was chosen by Clinton or her employees to manage the server at least in part due to the company’s political preference for Democrats, and this email seems to fit with such a preference.

DeCamillis also wonders what emails the company might be asked to turn over. PRN employee Paul  Combetta will send a reply detailing what work he’s done on Clinton’s server. (The New York Post, 9/18/2016)

At the time, Jeb Bush, the former Republican governor of Florida, is seen as the Republican frontrunner for the November 2016 presidential election, though he will ultimately fail to win the Republican nomination.

March 3, 2015: Republican National Committee (RNC) chair Reince Priebus suggests Clinton could have mixed diplomacy and private fundraising in her emails.

Reince Priebus (Credit: Win McNamee / Getty Images)

Reince Priebus (Credit: Win McNamee / Getty Images)

Responding to news reports that Clinton used only a private email and private server while secretary of state, Priebus attempts to tie them into previous reports scrutinizing the Clinton Foundation and its fundraising from foreign governments. “It makes you wonder: Did she use the private emails so she could conduct diplomacy and fundraising at the same time?” (Politico, 3/3/2015)

March 3, 2015: The State Department falsely asserts Clinton’s email practices were not prohibited.

Marie Harf (Credit: public domain)

Marie Harf (Credit: public domain)

State Department spokesperson Marie Harf defends Clinton’s email arrangement, saying that she “was following what had been the practice of previous secretaries.” She claims “it was not prohibited at the time, [and] is not prohibited now.” She also says, “I was a little surprised—although maybe I shouldn’t have been—by some of the breathless reporting coming out last night.” (US Department of State, 3/3/2015) 

Some of Harf’s comments are clearly untrue, as the department’s former chief legal adviser John Bellinger points out in an email to department officials later in the same day. (US Department of State, 5/31/2016) (The Daily Caller, 6/7/2016) 

Not until a State Department inspector general’s report in May 2016 will it be revealed that Clinton’s email practices were clearly prohibited at the time and differed significantly from the practices of previous secretaries. (US Department of State, 5/25/2016)

March 3, 2015: The State Department’s former chief legal adviser wants the department to clarify that Clinton never had legal approval for her email practices, but the department keeps this secret.

John Bellinger (Credit: public domain)

John Bellinger (Credit: public domain)

John Bellinger, who had been the State Department’s Legal Adviser during the George W. Bush administration, emails the department’s deputy legal advisers Mary McLeod and Richard Visek of the State Department’s office of legal affairs after hearing department spokesperson Marie Harf defend Clinton’s email practices one day after the email scandal was first reported in the media.

Bellinger, who still serves as former secretary of state Condoleezza Rice’s personal legal counsel, writes, “Please make sure that [Harf] doesn’t keep saying that Secretary Rice did the same thing. As you know, that is not correct, and Secretary Rice has corrected the record.”

He adds, “I’m getting calls from people (press and former USG [US government] lawyers) asking whether State lawyers actually approved letting Secretary Clinton use a State [BlackBerry] for official business using a personal email account, and then to keep the emails.” He then repeatedly mentions “L,” which refers to the State Department’s Office of the Legal Adviser that he formerly headed. “[Harf] is implying that State approved this practice (and this suggests that L approved it, though she didn’t say so specifically). As someone who wants to defend L’s reputation, I would urge you to defend the credibility of L as good and careful administrative lawyers, and don’t let [her] give L a bad name. I can’t believe that L would have approved this, and you shouldn’t let [her] imply that you did.”

Visek responds to Bellinger in an email: “Thanks for the heads up. I’ll reach out to PA [The department’s Bureau of Public Affairs] and try to make sure they understand.” These emails will be made public in June 2016 due to a Freedom of Information Act (FOIA) request by the Daily Caller. (US Department of State, 5/31/2016) (The Daily Caller, 6/7/2016) 

However, the department will not follow Bellinger’s advice and will not reveal to the public that Clinton’s email practices were never approved by the department’s lawyers. That will finally be revealed in a State Department inspector general’s report in May 2016. (US Department of State, 5/25/2016)

March 3, 2015: An unnamed State Department technology expert complains that he and others tried to warn that Clinton’s use of a private email account was a security risk.

He says, “We tried. We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.” He was a member of the department’s cybersecurity team. He says it was well known amongst the team that Clinton’s private account was at greater risk of being hacked or monitored, but their warnings were ignored. (Al Jazeera America, 3/3/2015)

March 3, 2015 or Shortly Thereafter: The employee who will later delete all of Clinton’s emails is asked about what Clinton emails might be turned over.

On March 3, 2015, David DeCamillis, the vice president of sales for Platte River Networks (PRN), wonders what emails the company might be asked to turn over in an email to other PRN employees. This is because of a New York Times article on March 2, 2015 revealing Clinton’s exclusive use of a private email address hosted on her private server, and PRN has been managing that server since June 2013.

Paul Combetta (Credit: CSpan)

Paul Combetta (Credit: CSpan)

PRN employee Paul Combetta replies to the email, although the date of the reply hasn’t been specified. “I’ve done quite a bit already in the last few months related to this. Her [Clinton’s] team had me do a bunch of exports and email filters and cleanup to provide a .pst [personal storage file] of all of HRC’s [Hillary Rodham Clinton’s] emails to/from any .gov addresses. … I billed probably close to 10 hours in on-call tickets with CSEC related to it :).”

CSEC is a likely reference to Clinton Executive Services Corp. (CESC), a Clinton family company paying for PRN’s services. Combetta will delete and then wipe all of Clinton’s emails later in March 2015. His mention of sending Clinton’s emails likely refers to when PRN sent those emails to two of Clinton’s lawyers in late July 2014. (The New York Post, 9/18/2016)

It is not clear if this is all of Combetta’s reply. But if it is, it is notable that he doesn’t mention that he deleted and then wiped all of Clinton’s emails off the laptops of two lawyers working for Clinton by this time, and allegedly was told to change the settings on Clinton’s server so her emails would be deleted over time as well.

March 4, 2015: It is reported for the first time that Clinton’s private email address was hosted on a private server.

On March 2, 2015, the New York Times revealed that Clinton exclusively used a private email acccount while she was secretary of state. However, that article made no mention of private servers. On this day, the Associated Press reveals that account was registered to a private server located at Clinton’s house in Chappaqua, New York. This was discovered by searching Internet records. For instance, someone named Eric Hoteham used Clinton’s Chappaqua physical address to register an Internet address for her email server since August 2010. (This may be a misspelling of Clinton aide Eric Hothem.)

The Associated Press reports, “Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.”

The article continues, “But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems, and redundant communications lines.”

The article mentions that it is unclear Clinton’s server is still physically located in Chappaqua.  (The Associated Press, 3/4/2015) It will later be revealed that it was moved to a data center in New Jersey in June 2013.

 

March 4, 2015: A non-profit watchdog suggests Clinton hid her emails because her government work and Clinton Foundation work was intertwined.

John Wonderlich (Credit: Personal Democracy Media)

John Wonderlich (Credit: Personal Democracy Media)

The New York Times reports that a Clinton spokesperson has declined to comment on Clinton’s “use of clintonemail.com for matters related to the Clinton Foundation, which has received millions of dollars in donations from foreign governments.”

However, John Wonderlich, policy director of the Sunlight Foundation, a non-profit organization that advocates transparency in government, comments, “It seems her intent was to create a system where she could personally manage access to her communications” both relating to her secretary of state work and the Clinton Foundation. “Given all the power she had as secretary of state, a lot of that work would be jumbled together. Her presidential ambitions and the family foundation would be wrapped up technically in email.” (The New York Times, 3/4/2015)

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)

Alex McGeorge (Credit: CNBC)

Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 4, 2015: Clinton’s emails could have been read by the company that filtered them for spam.

McAfee Logo (Credit: McAfee)

McAfee Logo (Credit: McAfee)

In July 2013, Clinton’s private server was reconfigured to use a commercial email provider, MX Logic, which is owned by McAfee, Inc. (The Associated Press, 3/4/2015) 

Cybersecurity expert Brian Reid analyzed public records about the server and found that Clinton’s emails were routed to McAfee for spam and virus filtering. He says, “The email traces all end at McAfee. If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.” (McClatchy Newspapers, 3/4/2015)

March 4, 2015: A cybersecurity expert says that Clinton’s privately managed email communications “obviously would have been targeted when she stepped outside of the secure State Department networks.”

Tom Kellerman (Credit: Cyber Risk Summit 2015)

Tom Kellerman (Credit: Cyber Risk Summit 2015)

This comment is made by Tom Kellermann. He adds that leaving the State Department’s security protocols and systems would have been similar to leaving her bodyguards while in a dangerous place. The result is that she may have “undermined State Department security.” (The New York Times, 3/4/2015)

March 5, 2015: Questions surround Clinton’s possible use of instant messages on her unsecure BlackBerry.

BlackBerrys from Clinton’s time as secretary of state can be used for instant messages as well as emails. Bloomberg reports that Clinton’s “top aides frequently used instant text messages to talk with each other, a form of communication that isn’t captured or archived by the State Department. It is not clear whether Clinton herself used her BlackBerry’s instant message service, as her aides did.” (Bloomberg News, 3/5/2015)

March 5, 2015: Key questions about Clinton’s email scandal go unanswered.

Politico reports, “State Department officials and Clinton aides have offered no response to questions in recent days about how her private email system was set up, what security measures it used, and whether anyone at the agency approved the arrangement. It’s unclear how such a system, run off an Internet domain apparently purchased by the Clinton family, could have won approval if the department’s policies were as the [State Department’s] inspector general’s report describes them.” (Politico, 3/3/2015

According to State Department regulations in effect at the time, the use of a home computer was permitted, but only if the computer was officially certified as secure, and no evidence has emerged that Clinton’s server was given such a certification. Additionally, the department’s Foreign Affairs Manual (FAM) states, “Only Department-issued or approved systems are authorized to connect to Department enterprise networks.” (US Department of State) 

An April 2016 article will indicate that many of the same questions still remain unanswered. (The Hill, 3/4/2016)

March 5, 2015: Clinton’s private server is active and shows obvious security vulnerabilities.

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that Clinton’s private email server is still active and shows signs of poor security. If one goes to the web address clintonemail.com, one gets a blank page. But if one goes to the subdomain sslvpn.clintonemail.com, a log-in page appears. That means anyone in the world who puts in the correct user name and password could log in.

Furthermore, the server has an invalid SSL certificate. That means the encryption is not confirmed by a trusted third party. Gawker notes, “The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind,” and Clinton’s server clearly is not up to that standard.

It also opens the server to what is called a “man in the middle” hacker attack, which means someone could copy the security certificate being used and thus scoop up all the data without leaving a trace. The invalid certificate also leaves the server vulnerable to widespread Internet bugs that can let hackers copy the entire contents of a servers’ memory.

As a result, independent security expert Nic Cubrilovic concludes, “It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted.” (Gawker, 3/5/2015)

Clinton still doesn’t shut the server down. However, about two days later, the security settings are changed.

March 5, 2015: Clinton’s private server shows more obvious security vulnerabilities.

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that in addition to the security problems shown by the subdomain to Clinton’s private email server sslvpn.clintonemail.com, there is another subdomain that reveals even more security issues. If one goes to various web addresses of the server’s mail host mail.clintonemail.com, one is presented with a log-in for Microsoft Outlook webmail.

Gawker notes that the “mere existence” of this log-in “is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since clintonemail.com was registered in 2009.”

Furthermore, security expert Robert Hansen says having a public log-in page for a private server is “pretty much the worst thing you can do. […] Even if [Clinton] had a particularly strong password,” simply trying a huge number of passwords will “either work eventually – foreign militaries are very good at trying a lot – or it’ll fail and block her from accessing her own email.” He says that the server shows so many vulnerabilities that “any joe hacker” could break in with enough time and effort.

Independent security expert Nic Cubrilovic says, “With your own email hosting you’re almost certainly going to be vulnerable to Chinese government style spearphishing attacks – which government departments have enough trouble stopping – but the task would be near impossible for an IT [information technology] naive self-hosted setup.” (Gawker, 3/5/2015)