I love this story from the New York Times about Hillary Clinton using her personal email account for official Secretary of State business because it points to a serious fracture in transparency’s goals, its implementations and IT policy in Government. Take this choice quote from Thomas Blanton, the Director of the National Security Archive:
“Personal emails are not secure,” he said. “Senior officials should not be using them.”
Are you serious? Let’s be clear, that personal email was probably far more secure than her state.gov email account. The State Department’s email system has been compromised for months. It’s highly likely that it’s been compromised since forever: remember, during her tenure, Wikileaks released the State Department’s classified communications.
A better question is: why would she use the State Department’s email system to conduct official business? In fact, if it’s demonstrably insecure, does she not have a responsibility not to use it? It’s probably the case that if Hillary Clinton was focusing solely on security, using her personal email with 2 Factor Authentication was probably way more secure than using the honeypot mess of IT that is the State Department’s email servers.
But more importantly, let’s talk about records. As the former director of Sunlight Labs at the Sunlight Foundation, it’s a cause I care about. That’s the important bit. I don’t believe Hillary Clinton was actively working to hide her communication from the public. I think she was looking for the easiest way to do her job. The one thing you have to understand about people in public service is people down to the lowest levels of public service understand open records laws, and they all know one thing: if you don’t want something on the record, don’t use email. Pick up the phone. Hillary Clinton knows that, too.
Hillary Clinton was trying to use what she wanted to use in order to do her job. As a former fed, I’m empathetic. When you start at the Federal Government, it’s often like stepping in a time machine. You’re handed technology from years ago and (especially at her level) you’re expected to do tomorrow’s work. Often faced with a choice: do I do the job I was hired to do, or do I uphold and obey the archiving laws. And usually (thankfully) “do the job” wins.
This is because the way our Federal IT shops tend to implement IT policy isn’t through service, it’s through the prescription of antiquated technology. Rather than investing in cloud managed solutions, the feds prefer you to carry around a laptop that can log into a virtual desktop computer that’s often located inside of the basement of an agency. Then, if you’re not in the office, as the Secretary of State often isn’t, you can crank up Outlook, and check your mail. Maybe. If you’ve got the right authentication token with you.
And so you sit there and go “golly, this person needs to hear from me right now, before I go into my next meeting,” and more often than not, you just pop open your gmail, and bang out your quick email because it’s easier and you need to get the job done. Often times, our political leaders are not kind enough to save them and turn them over to the public record as Hillary Clinton did. Sometimes they just delete the messages.
I hope as a result of this, a crackdown doesn’t happen (but it will). The right solution here isn’t to get more stringent on the archiving stuff, it’s to make the archiving and sunlight stuff in service to the job. The IT department should be saying “what tools do you need in order to do your job in the best way that you see fit” and working backwards from that in order to prevent this sort of thing from becoming as common as it actually is.
Instead of forcing people to use a 2010 blackberry and lotus notes to check their email through a VNC firewall that takes 10 minutes to log into (that, by the way, is demonstrably insecure anyway, compromising not only national security, but also the integrity of the archives in the first place), why not fix that policy, make it easy for people to use the tools they need to use in order to do their jobs, and use some archiving technology from, say, 2010 in order to handle it. The trick here isn’t “make people comply with strong authority,” it’s “make compliance easier, and of service to the people that need to do a job other than recordkeeping”
One final thought: I’d imagine Secretary Clinton at some point emailed the White House. I made the mistake of emailing the White House from my personal account once (!) during my term, and managed to get back a nastygram from Counsel about it. How or why didn’t the White House tell Hillary to use her official .gov email account?
It could be that they knew the entire classified and unclassified email system was compromised and decided that the smartest thing to do was for her to use her personal email instead.