January 21, 2009—February 1, 2013: Evidence suggests Clinton regularly keeps her BlackBerry stored inside a secure area against regulations, but she will later deny this.

While Clinton is secretary of state, she has an office on the seventh floor of State Department headquarters, in an area often referred to as “Mahogany Row.” Her office and the surrounding area is considered a Sensitive Compartmented Information Facility (SCIF). Mobile devices such as BlackBerrys are not allowed in SCIF rooms, because they can be taken over by hackers and used to record audio and video.

But according to a September 2016 FBI report, “Interviews of three former DS [Diplomatic Security] agents revealed Clinton stored her personal BlackBerry in a desk drawer in a [Diplomatic Security] post which was located within the SCIF on Mahogany Row. State personnel were not authorized to bring their mobile devices into [the post], as it was located within the SCIF.”

A view from the 8th floor balcony at the State Department. (Credit: Thomas V. Dembski)

A view from the 8th floor balcony at the State Department. (Credit: Thomas V. Dembski)

However, according to Clinton’s deputy chief of staff Huma Abedin, Clinton would leave the SCIF to use her BlackBerry, often visiting the eighth floor balcony to do so. Former Assistant Secretary of State for Diplomatic Security Eric Boswell will later tell the FBI that he never received any complaints about Clinton using her BlackBerry inside the SCIF.

In contrast to the above evidence, in her July 2016 FBI interview, Clinton will claim that after her first month as secretary of state, she never brought her BlackBerry into the SCIF area at all, because she had been clearly told not to do that. (Federal Bureau of Investigation, 9/2/2016)

January 21, 2009—February 1, 2013: Clinton’s mobile devices and private server are never approved by her department’s security officials.

The Diplomatic Security Service Logo (Credit: public domain)

The Diplomatic Security Service Logo (Credit: public domain)

According to a May 2016 State Department inspector general’s report, the department’s Diplomatic Security (DS) and Information Resources Management (IRM) security officials claim that Clinton never demonstrates to them that her private server or BlackBerry or iPad meets the minimum security requirements specified by the Federal Information Security Management Act and the Foreign Affairs Manual (FAM). (US Department of State, 5/25/2016)

March 6, 2009—March 15, 2009: Clinton says she “gets it” about BlackBerry security concerns, but she keeps on using her BlackBerry.

Eric Boswell (Credit: public domain)

Eric Boswell (Credit: public domain)

On March 6, 2009, Assistant Secretary for Diplomatic Security Eric Boswell emails an internal State Department memo with the subject line “Use of BlackBerrys in Mahogany Row.” (“Mahogany Row” is where the seventh floor offices of Clinton and her top aides are.) The memo states, “Our review reaffirms our belief that the vulnerabilities and risks associated with the use of BlackBerrys in the Mahogany Row [redacted] considerably outweigh the convenience their use can add. … Any unclassified BlackBerry is highly vulnerable in any setting to remotely and covertly monitoring conversations, retrieving emails, and exploiting calendars.”

According to an email by another security official nine days later on March 15, Clinton tells Boswell that she read his memo and “gets it.” That email adds, “Her attention was drawn to the sentence that indicates (Diplomatic Security) have intelligence concerning this vulnerability during her recent trip to Asia.”

However, Clinton continues to use her BlackBerry and private server without any apparent changes. (The Washington Post, 3/27/2016)

2010: Clinton appears in a cybersecurity video for State Department personnel.

It will remain publicly unknown until the video is leaked to Fox News in October 2016.

A photo capture of Clinton as she appears in the 2010 cybersecurity video. (Credit: Fox News)

A photo capture of Clinton as she appears in the 2010 cybersecurity video. (Credit: Fox News)

In the video, Clinton says that employees have a “special duty” to recognize the importance of cybersecurity. “The real key to cybersecurity rests with you. Complying with department computing policies and being alert to potential threats will help protect all of us.”

According to a later account by Fox News, “Clinton goes on in the video to underscore the important work the State Department Bureau of Diplomatic Security and IT department were doing to guard against cyber-attacks. She warns hackers try to ‘exploit’ vulnerabilities and penetrate department systems. She then urges staffers to log onto the internal cybersecurity awareness website or subscribe to their ‘cybersecurity awareness newsletter.’”

Representative Jason Chaffetz (R), chair of the House Oversight and Government Reform Committee, will later find the video ironic, given Clinton’s own security issues with her private email server. He will say, “Hillary Clinton needs only to look into the mirror to find the biggest cybersecurity risk.”

Clinton spokesperson Brian Fallon will say, “This is not new. It has been widely reported that during Clinton’s tenure the State Department issued these kinds of warnings about possible cybersecurity to employees. These warnings were more than appropriate given that it was subsequently confirmed that State’s email was hacked.” (Fox News, 10/22/2016)

July 25, 2010: Clinton invites a US diplomat to discuss communications with foreign ministers with her using her private email address.

100725Montage

Italian Foreign Minister Franco Frattini (top left) (Credit: European Press Agency), Greek Prime Minister George Papandreou (top right) (Credit: Greek Reporter), Spanish foreign minister Miguel Angel Moratinos (lower left) (Credit: 525-gi gazet), Israeli Prime Minister Benjamin Netanyahu (lower right) (Credit: Israel Ministry of Foreign Affairs)

Clinton writes an email to former senator George J. Mitchell (D), who is the US Special Envoy for Middle East Peace at the time. The subject heading is “Here’s my personal email,” and the entire message is “Pls [Please] use this for reply–HRC [Hillary Rodham Clinton].” (US Department of State, 9/30/2015) 

Mitchell replies, “I talked with Frattini again and went over the point again. He said he understands and agrees.” The rest of his email is later redacted because it contains “foreign government information.” “Frattini” is a likely reference to Italian Foreign Minister Franco Frattini.

Clinton replies, “I told Papandreou the same.” “Papandreou” is a likely reference to Greek Prime Minister George Papandreou. (US Department of State, 9/30/2015) 

Mitchell then discusses communicating with “Moratinos,” a likely reference to Spanish foreign minister Miguel Angel Moratinos.

Clinton replies by mentioning a plan to call “Ashton,” a likely reference to the European Union foreign policy chief Catherine Ashton, and “Bibi,” the nickname of Israeli Prime Minister Benjamin Netanyahu. (US Department of State, 9/30/2015) 

It is not clear why Clinton invites Mitchell to discuss such high-level diplomatic communications via her unsecure personal email address. In 2015, J. William Leonard, former director of the US Information Security Oversight Office, will make the general comment, “If a foreign minister just told the secretary of state something in confidence, by US rules that is classified at the moment it’s in US channels and US possession. […] It’s born classified.” (Reuters, 8/21/2015)

2011: Clinton misses a cybersecurity presentation meant just for her.

Julia Frifield (Credit: The Department of State Archives)

Julia Frifield (Credit: The Department of State Archives)

State Department diplomatic security staff give a cybersecurity PowerPoint presentation meant for Clinton. However, she doesn’t attend it. According to a 2016 letter by Julia Frifield, the department’s assistant secretary for legislative affairs, “although the PowerPoint indicates the briefing was for former Secretary Clinton, we understand from the testimony of the briefers that she was not in attendance.” The PowerPoint presentation has not yet been declassified so it can be publicly released. (US Senate Judiciary Committee, 3/3/2016)

June 2011—August 2012: A US ambassador is warned not to use private email for daily work matters, but Clinton’s identical behavior does not result in any warnings.

Scott Gration (Credit: New Republic)

Scott Gration (Credit: New Republic)

In June 2011, shortly after Scott Gration becomes the new US ambassador to Kenya, the State Department’s Bureau of Diplomatic Security (DS) learns that he has sent out a revised policy allowing himself and other personnel in his embassy to use private email addresses for the daily communication of official government business.

Gration’s new policy happens to take place the same month the department sends out a cable warning all embassies to “avoid conducting official department business from your personal email accounts” due to a surge in hacking attacks of the personal emails of government employees. DS warns Gration they will be sending an experienced computer security officer to Kenya to reestablish proper communications procedures. DS officials also email him that this visit will be “especially timely in the wake of recent headlines concerning a significant hacking effort directed against the private, web-based email accounts of dozens of senior [government] officials…”

However, Gration continues to use his private email for work matters. Then, on July 20, 2011, a DS cable quotes from the department’s Foreign Affairs Manual (FAM): “it is the department’s general policy that normal day-to-day operations be conducted on an authorized [system].” The cable then warns, “Given the threats that have emerged since 2005, especially in regard to phishing and spoofing of certain web-based email accounts, we cannot allow the proliferation of this practice beyond maintaining contact during emergencies,” and there is nothing in his situation that would warrant an exception.

But Gration ignores these warnings and continues to use his personal email account.

The department then initiates disciplinary proceedings against him for this and several other infractions, but he resigns in August 2012, just weeks before any disciplinary measures are due to be imposed.

However, even though Clinton uses only a private email account for all her emailed work matters, she is not warned or disciplined like Gration. Furthermore, Clinton doesn’t change her email habits after the measures taken against Gration’s email habits are reported internally and in the press.  (US Department of State, 5/25/2016) (US Department of State, 3/5/2015) (The New Republic, 6/20/2012)

February 3, 2016: A State Department official claims someone tried to hack her private email account two years earlier, in early 2014.

Wendy Sherman (Credit: Alex Wong / Getty Images)

Wendy Sherman (Credit: Alex Wong / Getty Images)

Wendy Sherman is interviewed by the FBI. Sherman served as deputy secretary of state under Clinton (the third highest ranking post), and as under secretary of state for political affairs. Her name will later be redacted in the FBI summary of the interview, but the Daily Caller will identify the interviewee as Sherman due to details mentioned elsewhere in the interview.

Sherman served as chief negotiator on a nuclear deal between the US and Iran, which was agreed to in 2014. In the FBI summary of her interview, she said that she was not aware of any specific instances where she was notified of a potential hack of her State Department or personal email accounts or those of other department employees. However, she “explained [she] was sure people tried to hack into [her] personal email account and the accounts of [redacted] team approximately two years ago during [redacted] in the Iran negotiations. Specifically, [redacted] received a similar email. [She] reported the incident to [State Department] Diplomatic Security who reportedly traced the emails back to a [redacted].”

Elsewhere in the interview, she said that it “was not uncommon for [her] to have to use [her] personal Gmail account to communicate while on travel, because there were often times [she] could not access her [State Department] unclassified account.”

The Daily Caller will later comment, “While it is no surprise that hackers would attempt to infiltrate the negotiating teams’ email accounts — the US government has robust spy operations that try to do the same thing — Sherman’s use of a personal account while overseas likely increased her chances of being hacked.” (The Daily Caller, 9/24/2016) (Federal Bureau of Investigation, 9/23/2016)

March 2, 2016–March 3, 2016: The FBI’s Clinton investigation could conclude by May 2016.

The New York Times reports, “A federal law enforcement official said that barring any unforeseen changes, the FBI investigation [into Clinton’s emails] could conclude by early May. Then the Justice Department will decide whether to file criminal charges and, if so, against whom.”

In addition to the FBI investigation, there are continuing inquiries by the State Department inspector general, the Intelligence Community inspector general, the State Department’s Bureau of Diplomatic Security, and the House Benghazi Committee. There are also numerous on-going lawsuits that could reveal more information to the public. (The New York Times, 3/2/2016)

May 25, 2016: The State Department’s top two security officials say they would never have approved Clinton’s exclusive use of a personal email account.

Left: Gregory Starr Right: Steven C. Taylor (Credit: public domain)

Left: Gregory Starr Right: Steven C. Taylor (Credit: public domain)

A new State Department inspector general report determines that department rules required Clinton to get official approval to conduct official business using a personal email account on her private server, but she did not do so. 

In the words of the report, Steven C. Taylor, current head of Information Resources Management (IRM) and Gregory Starr, current head of Diplomatic Security (DS), jointly claim that Clinton “had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so.” (US Department of State, 5/25/2016)