March 4, 2015: It is reported for the first time that Clinton’s private email address was hosted on a private server.

On March 2, 2015, the New York Times revealed that Clinton exclusively used a private email account while she was secretary of state. However, that article made no mention of private servers. On this day, the Associated Press reveals that the account was registered to a private server located at Clinton’s house in Chappaqua, New York. This was discovered by searching Internet records. For instance, someone named Eric Hoteham has used Clinton’s Chappaqua physical address to register an Internet address for her email server since August 2010. (This may be a misspelling of Clinton aide Eric Hothem.)

The Associated Press reports, “Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.”

The article continues, “But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems, and redundant communications lines.”

The article mentions that it is unclear whether Clinton’s server is still physically located in Chappaqua. (The Associated Press, 3/4/2015) It will later be revealed that it was moved to a data center in New Jersey in June 2013.

March 4, 2015: A non-profit watchdog suggests Clinton hid her emails because her government work and Clinton Foundation work were intertwined.

John Wonderlich (Credit: Personal Democracy Media)

The New York Times reports that a Clinton spokesperson has declined to comment on Clinton’s “use of clintonemail.com for matters related to the Clinton Foundation, which has received millions of dollars in donations from foreign governments.”

However, John Wonderlich, policy director of the Sunlight Foundation, a non-profit organization that advocates transparency in government, comments, “It seems her intent was to create a system where she could personally manage access to her communications” both relating to her secretary of state work and the Clinton Foundation. “Given all the power she had as secretary of state, a lot of that work would be jumbled together. Her presidential ambitions and the family foundation would be wrapped up technically in email.” (The New York Times, 3/4/2015)

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)

Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 4, 2015: Clinton’s emails could have been read by the company that filtered them for spam.

McAfee Logo (Credit: McAfee)

In July 2013, Clinton’s private server was reconfigured to use a commercial email provider, MX Logic, which is owned by McAfee, Inc. (The Associated Press, 3/4/2015) 

Cybersecurity expert Brian Reid analyzed public records about the server and found that Clinton’s emails were routed to McAfee for spam and virus filtering. He says, “The email traces all end at McAfee. If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.” (McClatchy Newspapers, 3/4/2015)

March 4, 2015: A cybersecurity expert says that Clinton’s privately managed email communications “obviously would have been targeted when she stepped outside of the secure State Department networks.”

Tom Kellermann (Credit: Cyber Risk Summit 2015)

This comment is made by Tom Kellermann. He adds that leaving the State Department’s security protocols and systems would have been similar to leaving her bodyguards while in a dangerous place. The result is that she may have “undermined State Department security.” (The New York Times, 3/4/2015)