March 20, 2013: Gawker publishes an article that reveals Clinton’s use of a private email address and notes it “could be a major security breach.”

The article notes that the hacker nicknamed Guccifer broke into the email account of Clinton confidant Sid Blumenthal. “[W]hy was Clinton apparently receiving emails at a non-governmental email account? The address Blumenthal was writing to was hosted at the domain ‘clintonemail.com’, which is privately registered via Network Solutions. It is most certainly not a governmental account. […] And there seems to be little reason to use a different account other than an attempt to shield her communications with Blumenthal from the prying eyes of FOIA [Freedom of Information Act] requesters.

Neither the State Department nor the White House would immediately comment on whether the White House knew that Blumenthal was digitally whispering in Clinton’s ear, or if the emails were preserved as the law requires. And if, as it appears, Blumenthal’s emails contained information that was classified, or ought to have been treated as such, it could be a major security breach for Clinton to have allowed it to be sent to her on an open account, rather than through networks the government has specifically established for the transmission of classified material.” (Gawker, 3/20/2013)

May 31, 2013: Clinton hires the Colorado-based Platte River Networks to maintain her email server.

The Denver, Colorado, apartment building where Platte River was based until mid-2015. (Credit: Matthew Jones / The Daily Mail)

Platte River Networks (PRN) will begin managing the server in early June, with the management of Clinton’s aides Bryan Pagliano and Justin Cooper being phased out as a result. But the Service Level Agreement won’t be signed until July 18, 2013.

The original server is disconnected and shipped from Clinton’s house in Chappaqua, New York, to a data center in New Jersey. (Federal Bureau of Investigation, 9/2/2016) (The Associated Press, 10/7/2015) (McClatchy Newspapers, 10/6/2015)

This takes place three months after the hacker nicknamed Guccifer made public Clinton’s exact email address. However, the process of choosing the company began in January 2013, prior to the Guccifer hack, suggesting the change was at least partially due to Clinton’s time as secretary of state coming to an end in February 2013 instead. (The Washington Post, 9/5/2015)

Platte River will soon relocate Clinton’s server to New Jersey, then replace it with a new server, while keeping the old server running.

May 31, 2013—June 2013: A device is bought to make back-ups of Clinton’s private server, but a Clinton company makes clear it doesn’t want any back-up data stored remotely.

Datto Cloud engineer Charles Lundblad (left) chats with CEO and founder of Datto, Austin McChord, at the firm’s Norwalk, CT headquarters. (Credit: Erik Traufmann / Hearst Connecticut Media)

On May 31, 2013, Platte River Networks (PRN) takes over management of Clinton’s private server. On the same day, PRN buys a Datto SIRIS S2000 data storage device, which is made by Datto, Inc. Over the next month, this is attached to Clinton’s server to provide periodic back-up copies of the data on the server. PRN sends a bill for the device to Clinton Executive Service Corp. (CESC), which is a Clinton family company.

CESC employees work with PRN employees on how the Datto device is configured. Datto offers a local back-up and a remote back-up using the Internet “cloud.” CESC asks for a local back-up and specifically requests that no data be stored in the Internet cloud at any time.

However, due to an apparent misunderstanding, back-up copies of the server will be periodically made both locally and in the cloud. This will only be discovered by PRN as a whole in August 2015. (US Congress, 9/12/2016)

However, despite internal PRN emails from August 2015 indicating many PRN employees didn’t know about the Datto cloud back-up until that time, the FBI will later find evidence that an unknown PRN employee deleted data from the cloud back-up in March 2015, meaning that at least one PRN employee had to have known about the cloud back-up by that time.

Early June 2013—Early July 2013: Clinton’s server is relocated and then replaced by a new server, but the old server keeps running.

After Platte River Networks (PRN) is selected to manage Clinton’s private email server on May 31, 2013, the company decides to immediately relocate the server and then also replace it with a better one.

The founders of Platte River Networks: Brent Allshouse (left) and Treve Suavo (right). (Credit: Platte River Networks)

PRN assigns two employees to manage the new server (which will be the third server used by Clinton). The FBI will later redact the names of these two employees, but it is known that one of them works remotely from his home in some unnamed town and will handle the day-to-day administration of the server, and the other one works at PRN’s headquarters in Denver, Colorado, and handles all hardware installation and any required physical maintenance of the server. Media reports will later name the two employees as Paul Combetta, who works from Rhode Island, and Bill Thornton.

The employee at PRN’s headquarters (who logically would be Thornton) works with Clinton’s computer technician Bryan Pagliano to help with the transition. Around June 4, 2013, this person is granted administrator access to the server, as well as any accompanying services.

Equinix Logo (Credit: public domain)

On June 23, 2013, this person travels to Clinton’s house in Chappaqua, New York, shuts down the server, and transports it to a data center in Secaucus, New Jersey, run by Equinix, Inc. This older server will stay at the Equinix facility until it is given to the FBI on October 3, 2015.

The PRN headquarters employee (still likely to be Thornton) turns the old server back on in the Equinix data center so users can continue to access their email accounts. Then he spends a few days there setting up a new server. When he leaves, all the physical equipment for the new server is successfully installed except for an intrusion detection device, which Equinix installs later, once it gets shipped.

Meanwhile, the PRN employee who works remotely (Combetta) does his remote work to get the new server online. Around June 30, 2013, this employee begins to transfer all the email accounts from the old server to the new one. After several days, all email accounts hosted on the presidentclinton.com, wjcoffice.com, and clintonemail.com domains are transferred. However, PRN keeps the old server online at the Equinix data center along with the new server to ensure email continues to be delivered. But the old server no longer hosts email services for the Clintons.

According to an FBI report made public in September 2016, “The new Clinton email server hosted email for [Hillary] Clinton, President Clinton, [redacted], and their respective staffs.”

The Dell PowerEdge R620 (Credit: public domain)

This same FBI report will explain that the new server consists of the following equipment: “a Dell PowerEdge R620 server hosting four virtual machines, including four separate virtual machines for Microsoft Exchange email hosting, a BES for the management of BlackBerry devices, a domain controller to authenticate password requests, and an administrative server to manage the other three virtual machines, a Datto SIRIS 2000 to store onsite and remote backups of the server system, a CloudJacket device for intrusion prevention, two Dell switches, and two Fortinet Fortigate 80C firewalls.” (Federal Bureau of Investigation, 9/2/2016)

The FBI report will not make entirely clear what happens to the data on the old server. But a September 2015 Washington Post article will assert that after PRN moved all the data onto a new server, everything on the original server was deleted until it was “blank.” However, it was not wiped; wiping means overwriting the old files several times with new data so that they can never be recovered. (The Washington Post, 9/12/2015)

June 24, 2013—August 2015: Another company stores the contents of Clinton’s email server on a cloud storage system; this could help the FBI recover deleted emails.

The Datto, Inc. office in Rochester, New York. (Credit: The New York Times)

Shortly after taking over management of Clinton’s private email server, Platte River Networks (PRN) buys a device called the Datto SIRIS S2000, made by another company called Datto, Inc. The device frequently makes copies of all the server’s contents. They use this device on a copy of Clinton’s server, which has been moved to a data storage facility in New Jersey. Then, apparently without PRN asking or paying for it, or even being aware of it, Datto stores those copies of the server’s contents on a “cloud” storage system elsewhere. (McClatchy Newspapers, 10/6/2015)

A September 2016 FBI report will explain, “At the Clintons’ request, PRN only intended that the backup device store local copies of the backups. However, in August 2015, Datto informed PRN that, due to a technical oversight, [Clinton’s] server was also backing up the server to Datto’s secure cloud storage. After this notification, PRN instructed Datto to discontinue the secure cloud backups.”

The FBI report will also reveal that the first Datto back-up takes place on June 24, 2013. But a new server is still being set up and data is still being transferred from the old server, so the June 29, 2013 back-up will later prove most useful to FBI investigators. The FBI will say the back-ups will stop on December 23, 2013, but it isn’t explained why. (Federal Bureau of Investigation, 9/2/2016)

In 2015, an unnamed source familiar with Datto’s account will say that PRN was billed for “private cloud” storage, and since PRN didn’t have a cloud storage node of its own, the data bounced to Datto’s cloud. This source says that even though nobody seemed to realize it, Datto was “managing the off-site storage throughout.”

When asked if the FBI might recover Clinton’s deleted emails from Datto’s storage, the source will say, “People don’t use Datto’s service for getting rid of data.” Apparently, the FBI will ask for and get the contents of Datto’s storage in September 2015. (McClatchy Newspapers, 10/6/2015)

Senator Ron Johnson (R), who will write a letter to Datto in late 2015 seeking more information, will say that “questions still remain as to whether Datto actually transferred the data from its off-site data center to the on-site server, what data was backed up, and whether Datto wiped the data after it was transferred.” It is also unknown if Datto employees have security clearances allowing them to view classified information. (CNN, 10/8/2015) 

A Datto official will later say that investigators may be able to recover Clinton’s deleted emails if the data was on the server at the time Datto’s service was first used in 2013. (The Washington Post, 10/7/2015)

The FBI will later confirm that Datto back-ups to the cloud did occur, but it isn’t clear if the FBI recovered any emails from this that they didn’t find through other means. It also isn’t clear if the June 29, 2013 back-up that the FBI finds useful is from the Datto SIRIS S2000, the cloud, or both. (Federal Bureau of Investigation, 9/2/2016)

Also, despite internal PRN emails from August 2015 indicating many PRN employees didn’t know about the Datto cloud back-up until that time, by November 2015, the FBI will find evidence that an unknown PRN employee deleted data from the cloud back-up in March 2015.

Late June 2013—October 2013: During this time, it appears that Clinton’s private server is wide open to hacking attempts.

On May 31, 2013, maintenance of the server was taken over by a small Colorado-based company called Platte River Networks (PRN), and the server is sent to a data center in New Jersey. PRN then pays to use threat monitoring software called CloudJacket SMB made by a company named SECNAP. SECNAP claims the software can foil “even the most determined hackers.”

Around June 30, 2013, PRN transfers all the email accounts from the old server to the new one. However, the new software doesn’t begin working until October 2013, apparently leaving the server vulnerable. It is known that the server is repeatedly attacked by hackers in the months from October 2013 on, but it is unknown if any attacks occur when the software is not yet installed. (The Associated Press, 10/7/2015) 

An FBI report will later obliquely confirm this by mentioning that when the new server is set up in June 2013, all the hardware is built up at the time, except for an “intrusion detection device” which has to be added later after it gets shipped to the server location. (Federal Bureau of Investigation, 9/2/2016)

Justin Harvey (Credit: Third Certainty)

Justin Harvey, chief security officer of a cybersecurity company, will later comment that Clinton “essentially circumvented millions of dollars’ worth of cybersecurity investment that the federal government puts within the State Department. […] She wouldn’t have had the infrastructure to detect or respond to cyber attacks from a nation-state. Those attacks are incredibly sophisticated, and very hard to detect and contain. And if you have a private server, it’s very likely that you would be compromised.” (The Associated Press, 10/7/2015) 

In March 2013, a Romanian hacker nicknamed Guccifer discovered Clinton’s private email address and the exact address was published in the media, which would have left the server especially vulnerable in the months after.

Around July 2013: Clinton’s emails still are not encrypted.

According to an unnamed Platte River Networks (PRN) employee, Clinton’s server has encryption protection to combat hackers, but the individual emails have not been protected with encryption. With PRN taking over management of the server in June 2013, this employee will later tell the FBI that “the Clintons originally requested that email on [Clinton’s] server be encrypted such that no one but the users could read the content. However, PRN ultimately did not configure the email settings this way, to allow system administrators to troubleshoot problems occurring within user accounts.” (Federal Bureau of Investigation, 9/2/2016)

July 2013: Clinton’s private server is reconfigured to use a commercial email provider.

The MX Logic logo (Credit: MX Logic)

The Colorado-based provider, MX Logic, is owned by McAfee Inc., a top Internet security company. This comes one month after Clinton hired the Colorado-based Platte River Networks to maintain her email server, and four months after a hacker named Guccifer publicly exposed Clinton’s private email address for the first time. (The Associated Press, 3/4/2015) 

Computer security expert Matt Devost will later comment: “The timing makes sense. When she left office and was no longer worried as much about control over her emails, she moved to a system that was easier to administer.” (Bloomberg News, 3/4/2015)

October 2013: Clinton’s server gets anti-hacking protection after going several months without any.

The CloudJacket Logo (Credit: public domain)

From late June 2013 until October 2013, Platte River Networks (PRN) is managing the server, apparently without any anti-hacking software. In October 2013, the software they have been waiting for arrives and is installed. This is an intrusion detection and prevention system called CloudJacket from SECNAP Network Security.

According to a later FBI report, it “had pre-configured settings that blocked or blacklisted certain email traffic identified as potentially harmful and provided real-time monitoring, alerting, and incident response services. SECNAP personnel would receive notifications when certain activity on the network triggered an alert. These notifications were reviewed by SECNAP personnel and, at times, additional follow-up was conducted with PRN in order to ascertain whether specific activity on the network was normal or anomalous. Occasionally, SECNAP would send email notifications to [an unnamed PRN employee], prompting him to block certain IP addresses. [This employee] described these notifications as normal and did not recall any serious security incident or intrusion attempt.”

Additionally, “PRN also implemented two firewalls for additional protection of the network. [This PRN employee] stated that he put two firewalls in place for redundancy in case one went down.”

The FBI report will also conclude, “Forensic analysis of alert email records automatically generated by CloudJacket revealed multiple instances of potential malicious actors attempting to exploit vulnerabilities on the PRN Server. FBI determined none of the activity, however, was successful against the server.” (Federal Bureau of Investigation, 9/2/2016)

October 2013—February 2014: Clinton’s private email server is the subject of repeated attempted cyber attacks, originating from China, South Korea, and Germany.

The attempts are foiled due to threat monitoring software installed in October 2013. However, from June to October 2013, her server is not protected by this software, and there is no way of knowing if there are successful attacks during that time.

A 2014 email from an employee of SECNAP, the company that makes the threat monitoring software, describes four attacks. But investigators will later find evidence of a fifth attack from around this time. Three are linked to China, one to South Korea, and one to Germany. It is not known if foreign governments are involved or how sophisticated the attacks are.

Clinton had ended her term as secretary of state in February 2013, but more than 60,000 of her emails remained on her server. (The Associated Press, 10/7/2015) 

In March 2013, a Romanian hacker nicknamed Guccifer discovered Clinton’s private email address and the exact address was published in the media.

December 2013: Clinton’s old server, no longer being used, is turned off.

In June 2013, Platte River Networks (PRN) took over the management of Clinton’s private server. They immediately moved her server to an Equinix data center in Secaucus, New Jersey, and then transferred the data to a new server. The old server remained turned on next to the new one, apparently to assist with the delivery of incoming emails.

According to a September 2015 FBI interview with Paul Combetta, the PRN employee who does most of the active management of the server, around December 2013, PRN decides that email delivery on the new server is working well. As a result, the old server is turned off. It, along with a NAS back-up hard drive attached to it, will remain disconnected until the FBI picks it up on August 12, 2015. (Federal Bureau of Investigation, 9/23/2016)

December 4, 2013: Some Bill Clinton doodles are made public due to the hacker Guccifer.

One of Bill Clinton's doodles. Guccifer added his name to it. (Credit: Guccifer / Gawker)

Gawker publishes some doodles made by Bill Clinton when he was US president. Gawker claims the doodles come from the Romanian hacker nicknamed Guccifer. It is not clear where or how Guccifer got the doodles, except they come from a folder called “Wjcdrawings.” It is probable the doodles were stored either on The Clinton Library’s server (which has a .gov address) or The Clinton Foundation’s server. (Gawker, 12/4/2013) If it’s the latter, that would help verify Guccifer’s later claim that he looked into Clinton’s private email server, because it apparently was also The Clinton Foundation’s server until early 2015.

Shortly After January 5, 2015: It can be deduced that the 31,830 emails that Clinton chose to delete may actually be deleted around this time.

David Kendall (Credit: The National Law Journal)

Clinton’s personal lawyer David Kendall later claims that after Clinton turned over the 30,490 emails she deemed work-related, which took place on December 5, 2014, the settings on her private server were changed so that any email not sent within 60 days would be automatically deleted. But some news reports say the setting was for 30 days instead. If this is true, the deletions must take place after January 5, 2015, or February 5, 2015, depending on which setting is actually in place.

On March 4, 2015, the House Benghazi Committee issues a subpoena ordering Clinton to turn over any material related to Libya and/or Benghazi, which followed a more limited request in November 2014.

Trey Gowdy (R), head of the committee, will complain later in March 2015, “Not only was the secretary the sole arbiter of what was a public record, she also summarily decided to delete all emails from her server, ensuring no one could check behind her analysis in the public interest. […] The fact that she apparently deleted some emails after Congress initially requested documents raises serious concerns.”

Clinton’s staff has argued that all the emails relating to Libya and/or Benghazi have been turned over already. (The New York Times, 3/27/2015) (House Benghazi Committee, 3/19/2015) (McClatchy Newspapers, 10/6/2015)

A September 2016 FBI report will reveal that the deletion of Clinton’s emails from her private server won’t actually take place until late March 2015. And while the employee is supposed to change the email retention policy so some of her emails will be deleted 60 days later, he actually will delete all of her emails and then use a computer program to wipe them so they can’t be recovered later. Why this happens is still unclear. (Federal Bureau of Investigation, 9/2/2016)

March 2, 2015: The company managing Clinton’s server tightens security on the server after its existence is exposed.

On the morning of March 2, 2015, a front-page New York Times article reveals Clinton’s use of her own private email server. Platte River Networks (PRN) is managing the server.

Bill Thornton (Credit: public domain)

Later in the day, PRN employee Bill Thornton writes in an internal company email, “I spent some time in their firewall just now locking everything down (pretty tight).” (The New York Post, 9/18/2016)

However, on March 4, 2015, an analysis of the server’s publicly visible settings will show it has a misconfigured encryption system. Further articles the next day will expose more security vulnerabilities.

PRN will make more changes to improve the server’s security around March 7, 2015.

Shortly After March 2, 2015: A surge of hacking attempts follows the revelation of Clinton’s use of a private email server in the media.

On March 2, 2015, a New York Times article publicly reveals Clinton’s use of a personal email account and private server to conduct government business. The FBI’s Clinton email investigation will later identify an increased number of login attempts to her server and its associated domain controller just after this article comes out.

According to the FBI in September 2016, “Forensic analysis revealed none of the login attempts were successful. [The] FBI investigation also identified an increase in unauthorized login attempts into the Apple iCloud account likely associated with Clinton’s email address during this time period.” (Clinton’s email address, which had been publicly revealed in March 2013, was still used as the user name for the account.) “Investigation determined all potentially suspicious Apple iCloud login attempts were unsuccessful.”

Despite all this, Clinton does not simply turn the server off. Instead, Platte River Networks (PRN) employees, who are managing the server, make some security improvements around March 7, 2015.

PRN staff also discuss the possibility of conducting penetration testing against the server to highlight vulnerabilities, so they can be fixed. However, the penetration testing ultimately doesn’t happen. (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: The company managing Clinton’s private server fails to fully test its security vulnerabilities.

Johannes Ullrich (Credit: LinkedIn)

Platte River Networks (PRN) is the company managing Clinton’s private server. Due to a wave of hacking attacks on the server following the public revelation of the server on March 2, 2015, PRN considers doing penetration testing. That means hiring someone to try to hack the server in order to expose its vulnerabilities so they can be fixed.

Cybersecurity expert Johannes Ullrich will later comment, “It’s a good idea, and it’s also commonly done.”

However, the penetration testing never happens. It isn’t clear why. (The New York Post, 9/18/2016) (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: Cheryl Mills has a computer company check on the condition of Clinton’s private server after the media makes Clinton’s use of the server front-page news.

On March 2, 2015, the New York Times publishes a front-page story about Clinton’s email practices and her use of a private email server.

The Equinix data center in Secaucus, NJ. (Credit: public domain)

In the days following the publication of the article, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server.

In response to this request, an unnamed PRN employee travels to the Equinix data center in Secaucus, New Jersey, where the server is located, to conduct an onsite review of the equipment. At the same time, another unnamed PRN employee logs in to the server remotely to check on it.

This will result in some changes to the security settings of the server around March 7, 2015. Additionally, many emails (other than Clinton’s) are deleted from the server on March 8, 2015. (Federal Bureau of Investigation, 9/2/2016)

March 3, 2015: An unnamed State Department technology expert complains that he and others tried to warn that Clinton’s use of a private email account was a security risk.

He says, “We tried. We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.” He was a member of the department’s cybersecurity team. He says it was well known amongst the team that Clinton’s private account was at greater risk of being hacked or monitored, but their warnings were ignored. (Al Jazeera America, 3/3/2015)

March 4, 2015: It is reported for the first time that Clinton’s private email address was hosted on a private server.

On March 2, 2015, the New York Times revealed that Clinton exclusively used a private email account while she was secretary of state. However, that article made no mention of private servers. On this day, the Associated Press reveals that the account was registered to a private server located at Clinton’s house in Chappaqua, New York. This was discovered by searching Internet records. For instance, someone named Eric Hoteham used Clinton’s Chappaqua physical address to register an Internet address for her email server since August 2010. (This may be a misspelling of Clinton aide Eric Hothem.)

The Associated Press reports, “Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.”

The article continues, “But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems, and redundant communications lines.”

The article mentions that it is unclear whether Clinton’s server is still physically located in Chappaqua. (The Associated Press, 3/4/2015) It will later be revealed that it was moved to a data center in New Jersey in June 2013.

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)

Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 4, 2015: Clinton’s emails could have been read by the company that filtered them for spam.

McAfee Logo (Credit: McAfee)

In July 2013, Clinton’s private server was reconfigured to use a commercial email provider, MX Logic, which is owned by McAfee, Inc. (The Associated Press, 3/4/2015) 

Cybersecurity expert Brian Reid analyzed public records about the server and found that Clinton’s emails were routed to McAfee for spam and virus filtering. He says, “The email traces all end at McAfee. If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.” (McClatchy Newspapers, 3/4/2015)

March 4, 2015: A cybersecurity expert says that Clinton’s privately managed email communications “obviously would have been targeted when she stepped outside of the secure State Department networks.”

Tom Kellermann (Credit: Cyber Risk Summit 2015)

This comment is made by Tom Kellermann. He adds that leaving the State Department’s security protocols and systems would have been similar to leaving her bodyguards while in a dangerous place. The result is that she may have “undermined State Department security.” (The New York Times, 3/4/2015)

March 5, 2015: Key questions about Clinton’s email scandal go unanswered.

Politico reports, “State Department officials and Clinton aides have offered no response to questions in recent days about how her private email system was set up, what security measures it used, and whether anyone at the agency approved the arrangement. It’s unclear how such a system, run off an Internet domain apparently purchased by the Clinton family, could have won approval if the department’s policies were as the [State Department’s] inspector general’s report describes them.” (Politico, 3/3/2015)

According to State Department regulations in effect at the time, the use of a home computer was permitted, but only if the computer was officially certified as secure, and no evidence has emerged that Clinton’s server was given such a certification. Additionally, the department’s Foreign Affairs Manual (FAM) states, “Only Department-issued or approved systems are authorized to connect to Department enterprise networks.” (US Department of State) 

An April 2016 article will indicate that many of the same questions still remain unanswered. (The Hill, 3/4/2016)

March 5, 2015: Clinton’s private server is active and shows obvious security vulnerabilities.

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that Clinton’s private email server is still active and shows signs of poor security. If one goes to the web address clintonemail.com, one gets a blank page. But if one goes to the subdomain sslvpn.clintonemail.com, a log-in page appears. That means anyone in the world who puts in the correct user name and password could log in.

Furthermore, the server has an invalid SSL certificate. That means the encryption is not confirmed by a trusted third party. Gawker notes, “The government typically uses military-grade certificates and encryption schemes for its internal communications that are designed with spying from foreign intelligence agencies in mind,” and Clinton’s server clearly is not up to that standard.

It also opens the server to what is called a “man in the middle” hacker attack, which means someone could copy the security certificate being used and thus scoop up all the data without leaving a trace. The invalid certificate also leaves the server vulnerable to widespread Internet bugs that can let hackers copy the entire contents of a server’s memory.

As a result, independent security expert Nic Cubrilovic concludes, “It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted.” (Gawker, 3/5/2015)

Clinton still doesn’t shut the server down. However, about two days later, the security settings are changed.

March 5, 2015: Clinton’s private server shows more obvious security vulnerabilities.

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that in addition to the security problems shown by the subdomain to Clinton’s private email server sslvpn.clintonemail.com, there is another subdomain that reveals even more security issues. If one goes to various web addresses of the server’s mail host mail.clintonemail.com, one is presented with a log-in for Microsoft Outlook webmail.

Gawker notes that the “mere existence” of this log-in “is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since clintonemail.com was registered in 2009.”

Furthermore, security expert Robert Hansen says having a public log-in page for a private server is “pretty much the worst thing you can do. […] Even if [Clinton] had a particularly strong password,” simply trying a huge number of passwords will “either work eventually – foreign militaries are very good at trying a lot – or it’ll fail and block her from accessing her own email.” He says that the server shows so many vulnerabilities that “any joe hacker” could break in with enough time and effort.

Independent security expert Nic Cubrilovic says, “With your own email hosting you’re almost certainly going to be vulnerable to Chinese government style spearphishing attacks – which government departments have enough trouble stopping – but the task would be near impossible for an IT [information technology] naive self-hosted setup.” (Gawker, 3/5/2015)

Around March 7, 2015: Changes are made to the security settings of Clinton’s private server after its existence was revealed in the media.

In the days following a New York Times article revealing Clinton’s use of her private server, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server. Two unnamed PRN employees do so.

This results in some changes to the server’s security settings around March 7, 2015. According to a September 2016 FBI report, these changes “include disabling the server’s public-facing VPN page and switching from SSL protocol to TLS to increase security.”

The FBI will explain: “TLS is a protocol that ensures privacy between communicating applications, such as web browsing, email, and instant-messaging, with their users on the Internet. TLS ensures that no third-party eavesdrops on the two-way communication. TLS is the successor to SSL and is considered more secure.” (Federal Bureau of Investigation, 9/2/2016)

March 10, 2015: Clinton falsely claims that her private server had “no security breaches.”

Clinton answers questions at a United Nations press conference on March 10, 2015. (Credit: The Associated Press)

During her United Nations press conference, Clinton says about her private email server at her Chappaqua, New York, house: “The system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.”

However, in May 2016, a State Department inspector general’s report will detail hacking attempts on Clinton’s emails housed in the server. In January 2011, Justin Cooper, who helped manage the server, wrote in an email that he shut down the server because he suspected “someone was trying to hack us…” Later that day, he wrote, “We were attacked again so I shut (the server) down for a few min [minutes].” And in May 2011, Clinton told her aides that someone was “hacking into her email.”

Additionally, the Associated Press will later comment that “it’s unclear what protection her email system might have achieved from having the Secret Service guard the property. Digital security breaches tend to come from computer networks, not over a fence.” (The Associated Press, 5/27/2016)

March 18, 2015: Clinton’s private server was not protected against hackers who might impersonate her identity.

A security evaluation of Clinton's server. (Credit: Bloomberg View)

Bloomberg News reports, “According to publicly available information, whoever administrated [Clinton’s private server] didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending emails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers.”

Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] and is the founder of his own cybersecurity consulting firm, says: “If [an SPF] was not in use, [hackers] could send an email that looks like it comes from her to, say, the ambassador of France that says, ‘leave the back door open to the residence a package is coming.’ Or a malicious person could send an email to a foreign dignitary meant to cause an international incident or confuse US foreign policy.” This also would have made it easy for hackers to launch “spear phishing” attacks from Clinton’s account. Other government officials could have thought they were getting a real email from Clinton and then be tricked into having their own accounts breached.

Clinton’s spokesperson claims there is no evidence her account was ever successfully exploited in this manner. But Bloomberg News points out, “The problem with such confidence is that if hackers exploited the SPF vulnerability, Clinton’s office would likely never have known her domain name…was being used surreptitiously.” (Bloomberg News, 3/18/2015)
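
The SPF check Bloomberg describes, as an added example (not from the original article or any party it names): a receiving mail server evaluating the connecting IP address against the sender domain's published SPF record. The domains, records and IP addresses are constructed documentation values, only the `ip4`, `ip6` and `all` mechanisms are handled, and `receiver_action` is an assumed local policy.

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers (sample data).
ZONE = {
    "protected.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:198.51.100.25 ~all"],
    "unprotected.example": ["site-verification=constructed-value"],  # no SPF at all
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 -all"],  # two SPF records
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain, zone=ZONE):
    """Return the TXT strings for `domain` that are SPF version 1 records."""
    return [txt for txt in zone.get(domain, [])
            if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 ")]


def check_spf(sender_ip, domain, zone=ZONE):
    """Evaluate `sender_ip` against `domain`'s SPF record; returns an RFC 7208 result name.

    `domain` is the envelope sender (MAIL FROM) domain. Subset only: ip4, ip6, all.
    """
    records = spf_records(domain, zone)
    if not records:
        return "none"        # nothing published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"   # more than one SPF record is a publishing error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"      # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, redirect etc. need more DNS lookups; out of scope here.
            raise NotImplementedError(f"term not handled in this example: {term}")
        try:
            network = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if network.version != int(name[2]):
            return "permerror"   # e.g. an IPv6 prefix written under ip4:
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"         # record ended without a match and without "all"


def receiver_action(result):
    """Assumed receiver policy (a local choice, not mandated by the RFC)."""
    return {"pass": "accept", "fail": "reject", "softfail": "flag",
            "permerror": "flag"}.get(result, "accept-unverified")


if __name__ == "__main__":
    forged_source = "203.0.113.66"   # constructed address outside every record above
    for dom in ZONE:
        res = check_spf(forged_source, dom)
        print(f"{dom:22} {res:10} {receiver_action(res)}")
```

With `-all` published, mail from the unlisted address is rejected; with no record at all the result is `none` and the receiver has no SPF signal to act on, which is the gap the article describes.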

March 18, 2015: Clinton’s team won’t answer basic questions about the security of her private server.

John A. Lewis (Credit: Johns Hopkins University)

Clinton spokesperson Nick Merrill claims that when Clinton set up her private email server, “Robust protections were put in place and additional upgrades and techniques were employed over time as they became available. There was never evidence of a breach, nor any unauthorized intrusions.”

However, Merrill declines to say who exactly was in charge of maintaining the server and ensuring its security. Furthermore, it’s unclear what sort of security vetting that person or persons received, if any. Additionally, Merrill won’t reveal if other departments that protect government communications, such as the FBI or the NSA, were ever told of the server’s existence, and if so, if they helped provide security for it.

James A. Lewis, who held senior technology posts at the White House and State Department, comments that emails “that run on commercial services are vulnerable to collection. […] I don’t think people realize how much of this information is available to foreign intelligence services.” (Bloomberg News, 3/18/2015)

Contrary to Merrill’s claim, a May 2016 State Department inspector general report will reveal that there were hacker attacks on Clinton’s server.

March 20, 2015: The House Benghazi Committee formally requests that Clinton turn over her private email server.

In a letter to Clinton’s lawyer David Kendall, the committee says Clinton should give her server to the State Department’s inspector general or to a neutral party in order to determine which of her emails were work-related and which ones were personal. (The New York Times, 3/20/2015) Several days later, Kendall replies that turning over the server would be pointless since no emails remain on it. (The New York Times, 3/31/2015)

Clinton will keep her server until a copy is given to the FBI in August 2015. It will later be reported that the FBI recovers most if not all of the deleted emails on the server.

March 27, 2015: Clinton is not willing to hand over her private server to see if emails were improperly deleted.

Clinton’s personal lawyer David Kendall reveals this in a letter to the House Benghazi Committee. On March 20, 2015, the committee had suggested that an independent party could review it to see if any work-related emails remained. Kendall states, “There is no basis to support the proposed third-party review of the server… To avoid prolonging a discussion that would be academic, I have confirmed with the secretary’s IT [information technology] support that no emails… for the time period January 21, 2009 through February 1, 2013 reside on the server or on any back-up systems associated with the server.” (Politico, 3/27/2015) 

Clinton will give the server to the FBI in August 2015. (The Washington Post, 8/12/2015) One month later, it will be reported that deleted emails have been recovered from the server, and some of them are work-related. (Bloomberg News, 9/2/2015)

March 27, 2015: It is unclear if Clinton still has copies of her deleted emails.

Clinton speaks during a news conference in New York, March 10, 2015. (Credit: Mike Segar / Reuters)

The New York Times reports that while it is known Clinton deleted over 31,000 emails from her server due to alleged personal content, it is unknown if she still retains copies of them elsewhere. “At a news conference this month, Mrs. Clinton appeared to provide two answers about whether she still had copies of her emails. First, she said that she ‘chose not to keep’ her private personal emails after her lawyers had examined the account and determined on their own which ones were personal and which were State Department records. But later, she said that the [contents of the] server… ‘will remain private.’” (The New York Times, 3/27/2015)

April 15, 2015: A computer expert privately advises the Clinton campaign to hire a company to investigate if Clinton’s private server was hacked.

Barbara Simons (Credit: public domain)

Barbara Simons, a renowned computer expert, writes Clinton campaign chair John Podesta in an email, “I am following up on our very brief discussion, held as you were leaving the DA meeting, about Hillary Clinton’s emails.  I’ve included a summary of the issues and a precautionary step that I think should be taken.”

Simons attaches a short document to the email, which is entitled, “Hillary Clinton’s emails and what to do about them.” In it, she writes, “I believe that this is a more serious situation than perhaps Secretary Clinton and her aides realize. … There is a very real risk that the system was broken into, possibly by Republican operatives (or China or some other country or organization).  If this has happened and if there is anything that might appear problematic in those emails, whether or not it actually is, the relevant emails might be released to the press shortly before the election.  Even if the system was not broken into, there is the threat that opponents might release forged emails that are difficult to impossible to distinguish from real ones.”

Jeremy Epstein (Credit: Sun L. Vega)

As a result, she and prominent computer security expert Jeremy Epstein suggest that the Clinton campaign hire a cybersecurity company called Mandiant. They are said to be competent and discreet in dealing with major corporate hacks. They will try to determine if Clinton’s private server was hacked. However, Simons notes that “if nothing serious is uncovered by a forensics examination, that does not prove that nothing happened. Regrettably, the absence of proof of a break-in is not proof of the absence of a break-in.” (WikiLeaks, 10/23/2016)

Whatever reply Podesta gives is unknown. It is also unknown if Mandiant or any other company is ever hired. However, the FBI’s Clinton email investigation final report will make no mention of any evidence of such a forensic examination.

August 2015: A company recommends improving security for Clinton’s server, which is still in use, but the FBI wants no changes.

At some point in August 2015, employees at Datto, Inc., a company that specializes in backing up computer data, realize that a private server they have been backing up belongs to Clinton. The server is being managed by Platte River Networks (PRN), and Datto made the connection after media reports revealed PRN’s role.

According to an unnamed Datto official, due to worries about the “sensitive high profile nature of the data,” Datto then recommends that PRN should upgrade security by adding sophisticated encryption technology to its backup systems.

Andy Boian (Credit: Fox News)

PRN spokesperson Andy Boian later acknowledges receiving upgrade requests from Datto, but he says, “It’s not that we ignored them, but the FBI had told us not to change or adjust anything.”

Boian adds, however, that the company did not take Datto’s concerns to the FBI.

The newest version of the server is still in use by the Clintons’ personal office at the time, despite being in news headlines since March 2015. (The Washington Post, 10/7/2015)

On August 12, 2015, the FBI takes an older version of the server from PRN’s control. The FBI doesn’t realize Clinton’s emails were moved from the old server to the new one. They eventually will figure this out and take the new server away as well, on October 3, 2015.

August 8, 2015: Clinton writes under oath that she has provided the State Department all of her work-related emails that were on her personal email account she used while secretary of state.

Her short statement includes this sentence: “I have directed that all my emails on clintonemail.com in my custody that were or potentially were federal records be provided to the Department of State, and on information and belief, this has been done.”

A sample of the document Clinton signed on August 8, 2015. (Credit: Politico)

That statement is a result of a Freedom of Information Act (FOIA) lawsuit brought by Judicial Watch against the State Department. Additionally, Clinton mentions in her statement that her top aide Huma Abedin also had an email account on her clintonemail.com server that “was used at times for government business,” but another top aide, Cheryl Mills, did not. (The New York Times, 8/10/2015) (Politico, 8/8/2015)

One month later, some more of Clinton’s work emails from her time as secretary of state will be discovered by the Defense Department. (The New York Times, 9/25/2015)

August 11, 2015: Clinton finally agrees to allow the Justice Department to investigate her private server, as well as thumb drives housing her work emails.

This comes after months of her refusing to hand it over. (The New York Times, 8/11/2015) The old server is picked up by the FBI from the management of Platte River Networks (PRN) one day later. It is being kept at an Equinix data center in Secaucus, New Jersey, and it is picked up there.

However, the company transferred Clinton’s data to a new server, which is also being managed by PRN and is kept at the same data center. The FBI won’t pick up that one until October 2015.

August 12, 2015: The company managing Clinton’s private server is worried they will be blamed for a change of policy that results in the deletion of Clinton’s emails.

Platte River Networks (PRN) has been managing Clinton’s private email server. According to a New York Post article in September 2016, around August 2015, PRN wants to double check their behavior after media reports that the FBI is investigating Clinton’s server. “Company execs scrambled to find proof that Clinton’s reps had months earlier asked to cut the retention of emails from 60 days to 30 days.”

Paul Combetta (left) Bill Thornton (right) (Credit: AP)

On August 12, 2015, PRN employee Bill Thornton writes, “OK, we may want to work with our attorneys to draft up something that absolves us of that question. I can only assume that will be the first and last question for us, ‘Why did we have backups of the system since the time of inception, then decide to cut them back to just 60 or 30 days?’ If we can get that from them in writing, I would feel a whole lot better about this.”

The other PRN employee who has been actively managing the Clinton account with Thornton, Bill Combetta, responds that he believes the request was made to PRN by phone.

An email exchange between the two on the same topic several days later will make clear that the Clinton representatives are employees of Clinton Executive Services Corp. (CESC), the Clinton family company that has been paying PRN. (The New York Post, 9/18/2016)

August 12, 2015: The FBI picks up one of Clinton’s private email servers, as well as thumb drives containing copies of her emails.

An inside look at one of Equinix’s many data centers across the United States. (Credit: Equinix)

The Washington Post reports that Clinton’s old server, which was in a New Jersey data center, had all its data deleted some time earlier.

A lawyer for Platte River Networks, the company that managed the server, says, “To my knowledge, the data on the old server is not available now on any servers or devices in Platte River Network’s control.”

Investigators also take thumb drives from Clinton’s lawyer David Kendall containing copies of Clinton’s emails. (The Washington Post, 8/12/2015) 

There are two Clinton servers in existence at the time, and both the old and new ones are located at the Equinix data center in Secaucus, New Jersey.

However, a September 2016 FBI report will explain that Clinton’s lawyers never revealed that Clinton’s emails had once been transferred from the old server to the new server, so the FBI only picks up the old server. The FBI will later learn on its own about the transfer and then pick up the new server as well, on October 3, 2015. (Federal Bureau of Investigation, 9/2/2016)

After August 12, 2015: The FBI recovers some of Clinton’s deleted emails.

In March 2016, the Los Angeles Times will report that some time after the FBI took possession of Clinton’s private server on August 12, 2015, the FBI “has since recovered most, if not all, of the deleted correspondence, said a person familiar with the investigation.” Clinton deleted 31,830 emails, claiming they were not work-related. (The Los Angeles Times, 3/27/2016)

In a September 2016 FBI report, it will turn out that the FBI was able to recover about 17,500 of the deleted emails.

August 14, 2015: The FBI is trying to find out if foreign countries, especially China or Russia, broke into Clinton’s private server.

The New York Times reports that according to several unnamed US officials, “specially trained cybersecurity investigators will seek to determine whether Russian, Chinese, or other hackers breached the account or tried to transfer any of Mrs. Clinton’s emails…” (The New York Times, 8/14/2015)

August 17, 2015: The company that recently managed Clinton’s private server says it is “highly likely” that a backup copy of the server was made.

The Datto logo (Credit: Datto, Inc.)

That company is Platte River Networks (PRN), which managed her server from mid-2013 until early August 2015. The company is cooperating with the FBI.

That means that any emails Clinton deleted before she handed the server over to investigators may still be accessible. (Business Insider, 8/17/2015)

The mention of a backup copy of the server could be a reference to Datto, Inc., a company that made backups of Clinton’s server while it was in Platte River’s possession. (McClatchy Newspapers, 10/6/2015)