TIME politics

It’s 1815 All Over Again: The Troubling Tale of the Chappaqua Email Server

Congress of Vienna
Culture Club / Getty Images Congress of Vienna, 1814, after painting by J B Isabey

There are protestations that the HRC files were unclassified. But, the history of the Congress of Vienna shows, every bit can be exploited

History News Network

This post is in partnership with the History News Network, the website that puts the news into historical perspective. The article below was originally published at HNN.

Keyboards are aflutter over the revelation that former U.S. Secretary of State and presumed Democratic presidential candidate Hillary Rodham Clinton (HRC) bypassed the State Department and outsourced her email management to a server located at the Clinton family home in Chappaqua, NY. It is a brewing storm in search of a scandalous name. Hillar-email-ageddon? Chappaqua-servergate?

Put aside for the moment the propriety of a Cabinet official engaging in these practices and let us explore why this cyber kerfuffle created potentially easy pickings for determined nation-state actors and put national security at risk.

Does anyone care about seemingly uninteresting tidbits from the world’s most powerful foreign minister? After all, as HRC has noted, the emails were not classified. Simple. Countries want to know the plans and intentions of friends and enemies, and they will take any scraps they can get.

To illustrate, let us wind the clock back to a time when one world power had no compunction about breaching protocol and spying on everyone’s diplomatic correspondence in a concerted effort to protect the security of the state and further its own political agenda.

Exactly two hundred years ago, the European powers gathered at the Congress of Vienna to redraw the map of the Continent. The French Revolution had collapsed after a head-chopping reign of terror. Napoleon’s gallivanting across Europe was over. The aristocrats were back in the catbird seat and they were ready to party. For nine months from the official opening in October 1814 until June 1815, greater and lesser powers jockeyed for position as territories changed hands.

The secret police of the Austro-Hungarian Empire had been preparing for months for the delegates’ arrival. As the diplomats negotiated at the Congress or whiled away the evenings at fancy dinners and galas, the Austrian surveillance state was hard at work, following their every move. Secret police transcripts from the time run in the thousands of pages. No grain of information, however mundane, escaped notice and was dutifully transmitted to the Emperor’s desk.

The backbone of the Austrian spying program was reading diplomatic correspondence as delegates reported progress back to their countries (and threw in the odd bit of palace gossip and intrigue.)

Some diplomats tried to take precautions by sealing the envelopes with distinctive wax seals bearing their royal crests. Today we might call this using a weak password because the Austrian secret police could break the seals without leaving a trace. In secret bureaus, operatives employed special smokeless candles to pry loose the seals and, using metal putty, create perfect counterfeit replicas. The mail could be read, a new seal put in place, and the mail sent on its way as if it had traveled unmolested. Just like a man-in-the-middle attack works today for third parties who want to read your email and leave you none the wiser.

This worked until the nobles used new seals, which would be like changing your password to something easily guessable, and presented only a minor inconvenience to Austrian intelligence until new fake seals could be fabricated.

Some royals were too clever by half. Princess Theresa of Saxony tried to fool the watchers by giving the major diplomatic players nicknames in her letters home. The French foreign minister became “Krumpholz” and the Austrian was “Krautfeld”. Let’s call this very weak encryption, because with a little bit of work, a trained eye could engage in word substitution and figure out the puzzle.

Others went farther, writing in invisible ink between the lines of more innocuous letters. This is like strong encryption, but can still be broken with enough technical know-how. Prepared as ever, the secret police had chemical solutions to reveal the hidden text.

The Secretary of State’s email is like the diplomatic correspondence of two hundred years ago. As the Austrians had figured out, the connection of many innocuous seeming details could tell a story and provide indicators of an adversary’s intentions.

Imagine you intercepted a one-line HRC email to a staff aide: “Purchase Urdu phrase book by Fri” (not a real example). Might this indicate that a trip to Pakistan was imminent, signaling a change in U.S. foreign policy? India would certainly care about this, as would others with interests in the region.

Back at the Congress of Vienna, closely watching friend and foe soon overwhelmed the secret police. In addition to the four major political powers of the day, hundreds of advisors, courtesans, hangers-on and special interest groups had descended on the capital.

The surveillance net had grown too wide. It was impossible to shadow everyone and the decryption bureau was getting behind in transcribing letters, leading higher-ups to complain that the mail was being delayed. The intelligence service had what we might call a Big Data problem, and they had not yet evolved the analytical capabilities to make sense of all the information that poured in daily. Modern governments have many more resources at their disposal and can leverage technology to separate the wheat from the chaff, quickly doing the work that legions of clerks once did by hand, so vacuuming up all the data doesn’t necessarily create an undue burden.

Not everyone had his proverbial pockets picked at the Congress. One shining beacon of good information security practices emerges. The British Foreign Secretary, Viscount Castlereagh, though under the watchful eye of the Austrian surveillance state, frustrated their efforts to penetrate his information cocoon. In their internal reports the secret police privately complain that they cannot obtain any useful information. Castlereagh hired his own household servants, thwarting efforts to infiltrate his milieu with local agents. He further had his diplomatic correspondence hand-carried back to London and he ensured that all notes were completely burned in the fireplace.

Castlereagh’s good example from two hundred years ago shows us how these common-sense practices can still resonate today in the digital age, notably not sending sensitive information via unprotected channels and using electronic document shredding to erase proprietary information.

It is doubtful that the Chappaqua server had encryption to the standards of State Department diplomatic security. Yes, the HRC email server was behind a locked door. But information flowed in and out. As SecState, HRC was a million-plus mile flyer. Thus, of the tens of thousands of emails she penned while in office, we must reasonably assume that a significant number were sent from overseas before being routed via Chappaqua. From the WiFi hotspot at the airport VIP lounge in Beijing or Moscow perhaps? Who sits atop these access points to the information highway and sniffs the messages passing through? Answer: whoever wants to.

There are protestations that the HRC files were unclassified. But, as has been shown from the point of view of a two-century-old intelligence service (that didn’t even have the benefit of electricity), every bit can be part of a larger mosaic and exploited for all the wrong reasons. This tale of snooping during the Congress of Vienna would be an amusing bit of waltz-till-dawn diplomatic history if it weren’t such a stark reminder that in the digital age a country with enough resources and ill intent can use time-honored practices to exploit weaknesses in communications practices, read the mail, and make calculated adjustments based on what it learns. And that is why this episode has such disturbing implications.

Greg Cullison is an independent researcher and Founder & CEO of ProVerity, Inc., a security and risk analysis firm headquartered near Washington, D.C.

TIME Know Right Now

Know Right Now: Hillary Clinton Wants Emails Made Public

The former Secretary of State wants to release some of her emails to the public

Hillary Clinton said late Wednesday that she wanted her emails to be made available to the public, after coming under fire for exclusively using a personal email address while U.S. Secretary of State. Watch Know Right Now to catch up on the latest in this story.

TIME 2016 Election

Hillary Clinton Asks for Some of Her Emails to be Released

The former Secretary of State looks to get ahead of a brewing controversy

Hillary Clinton, embroiled in a controversy over her use of personal email during her time as Secretary of State, said late Wednesday that she’s asked the State Department to release her some of her correspondence.

“I want the public to see my email,” Clinton said in a tweet Wednesday evening. “I asked State to release them. They said they will review them for release as soon as possible.”

The likely 2016 presidential candidate’s aides reportedly turned over more than 50,000 pages of emails over to the State Department in compliance with new rules passed late last year. But it was subsequently revealed by the Associated Press that Clinton also used a private email server registered to her family home in Chappaqua, N.Y., which would make it more difficult for her online correspondence to be accessed by court orders or public requests. And her tweet made no mention of releasing emails her aides reviewed and then declined to hand over to the State Department.

“The State Department will review for public release the emails provided by Secretary Clinton to the Department, using a normal process that guides such releases,” State Department spokeswoman Marie Harf said in a statement. “We will undertake this review as quickly as possible; given the sheer volume of the document set, this review will take some time to complete.”

TIME 2016 Election

Hillary Clinton Ran Email Server Out of New York Home

Clinton is under fire for using a personal email address for official State Department business

(WASHINGTON) — The computer server that transmitted and received Hillary Clinton’s emails — on a private account she used exclusively for official business when she was secretary of state — traced back to an Internet service registered to her family’s home in Chappaqua, New York, according to Internet records reviewed by The Associated Press.

The highly unusual practice of a Cabinet-level official physically running her own email would have given Clinton, the presumptive Democratic presidential candidate, impressive control over limiting access to her message archives. It also would distinguish Clinton’s secretive email practices as far more sophisticated than some politicians, including Mitt Romney and Sarah Palin, who were caught conducting official business using free email services operated by Microsoft Corp. and Yahoo Inc.

Most Internet users rely on professional outside companies, such as Google Inc. or their own employers, for the behind-the-scenes complexities of managing their email communications. Government employees generally use servers run by federal agencies where they work.

In most cases, individuals who operate their own email servers are technical experts or users so concerned about issues of privacy and surveillance they take matters into their own hands.

Clinton has not described her motivation for using a private email account — hdr22@clintonemail.com, which traced back to her own private email server registered under an apparent pseudonym — for official State Department business.

Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.

But homebrew email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems and redundant communications lines.

A spokesman for Clinton did not respond to requests seeking comment from the AP on Tuesday. Clinton ignored the issue during a speech Tuesday night at the 30th anniversary gala of EMILY’s List, which works to elect Democratic women who support abortion rights.

It was unclear whom Clinton hired to set up or maintain her private email server, which the AP traced to a mysterious identity, Eric Hoteham. That name does not appear in public records databases, campaign contribution records or Internet background searches. Hoteham was listed as the customer at Clinton’s $1.7 million home on Old House Lane in Chappaqua in records registering the Internet address for her email server since August 2010.

The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential Internet account as Mrs. Clinton’s email server. The former president’s full name is William Jefferson Clinton.

In November 2012, without explanation, Clinton’s private email account was reconfigured to use Google’s servers as a backup in case her own personal email server failed, according to Internet records. That is significant because Clinton publicly supported Google’s accusations in June 2011 that China’s government had tried to break into the Google mail accounts of senior U.S. government officials. It was one of the first instances of a major American corporation openly accusing a foreign government of hacking.

Then, in July 2013, five months after she resigned as secretary of state, Clinton’s private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top Internet security company.

The New York Times reported Monday that Clinton exclusively used a personal email account it did not specify to conduct State Department business. The disclosure raised questions about whether she took actions to preserve copies of her old work-related emails, as required by the Federal Records Act. A Clinton spokesman, Nick Merrill, told the newspaper that Clinton complied with the letter and spirit of the law because her advisers reviewed tens of thousands of pages of her personal emails to decide which ones to turn over to the State Department after the agency asked for them.

In theory but not in practice, Clinton’s official emails would be accessible to anyone who requested copies under the U.S. Freedom of Information Act. Under the law, citizens and foreigners can compel the government to turn over copies of federal records for zero or little cost. Since Clinton effectively retained control over emails in her private account even after she resigned in 2013, the government would have to negotiate with Clinton to turn over messages it can’t already retrieve from the inboxes of federal employees she emailed.

The AP has waited more than a year under the open records law for the State Department to turn over some emails covering Clinton’s tenure as the nation’s top diplomat, although the agency has never suggested that it didn’t possess all her emails.

Clinton’s private email account surfaced publicly in March 2013 after a convicted Romanian hacker known as Guccifer published emails stolen from former White House adviser Sidney Blumenthal. The Internet domain was registered around the time of her secretary of state nomination.

Rep. Trey Gowdy, R-S.C., chairman of the special House committee investigating the Benghazi attacks, said the committee learned last summer — when agency documents were turned over to the committee — that Clinton had used a private email account while secretary of state. More recently the committee learned that she used private email accounts exclusively and had more than one, Gowdy said.

President Barack Obama signed a bill last year that bans the use of private email accounts by government officials unless they retain copies of messages in their official account or forward copies to their government accounts within 20 days. The bill did not become law until more than one year after Clinton left the State Department.

___

Associated Press writer Stephen Braun contributed to this report.

TIME Security

What’s More Secure: Gmail or Government Email?

Ministers Attend The London Conference On Libya
WPA Pool—Getty Images U.S. Secretary of State Hillary Clinton checks her phone at the opening of the Libyan Conference, a meeting of international allies to discuss the next steps for Libya on March 29, 2011 in London, England.

Consider this before emailing your Social Security number — or State Department business

From a lone entrepreneur in Nigeria to the U.S. Secretary of State, email security is a major issue that impacts everyone. While third-party email providers like Apple, Google, Microsoft and Yahoo claim their services are safe and secure, sometimes it seems smarter to use your work address instead.

But Hillary Clinton opted to use a personal account instead of a government account while serving as Secretary of State, according to the New York Times. That revelation is causing headaches for the potential presidential candidate because she may have violated rules requiring public officials’ correspondence to be archived.

It’s still unclear why Clinton chose to use a personal email account instead of a State Department-supplied one (or which email service she used). Some observers, however, say it was a security risk for Clinton to go off the government grid. But when it comes to hacks and brass tacks, which email service is actually more secure: Consumer services like Gmail or government email?

“Neither,” says Justin White, a former director of information security compliance for the state of Colorado, who has also worked as an information security consultant with Microsoft, Costco, Wells Fargo, and the state of Washington. When asked which service he would use to send sensitive information, White, a graduate of the FBI Citizens Academy, begins to answer one way, then another.

And then he pauses and says: “You’d have to torture me to force me to do it.”

There are several reasons for White’s wavering response. First, while some governmental email systems are highly secure, that’s not true for every department. For instance, he says, if you were going to send some sensitive information to another agency, if that department has poor security on its servers, your data is put at risk of being intercepted — even if the other office is located just next door.

Secondly, there’s no way of knowing which governmental agency has good email security and which doesn’t, because, for security purposes, they don’t typically reveal their protocols.

“Some people are woefully unprepared at securing their own email servers at an agency level, so for all you know, people could already be intercepting emails,” says White.

Still, the State Department probably has very good email security for classified messages — security that Clinton apparently opted out of using.

But on the other hand, consumer services like Gmail aren’t hacker-proof, either. They often tout the exact measures they use to keep messages secure as a means of marketing — but by doing so, they’re also helping hackers untangle their safety measures. From unencrypted data to servers that aren’t protected and breaches that haven’t been fixed yet, hackers catalog security deficiencies to find ways to break in.

“You could go on any forum as well, and see what other people have researched about any of the different cloud or (email) solutions,” says White.

Is email encryption a magic bullet solution? The disappointing reality is that between the senders’ and receivers’ servers, there are many opportunities for intercepting or hacking into emails. It’s enough to make a person go all Janet Napolitano (the former Secretary of Homeland Security once said she doesn’t use email).

But that’s not to say we should all revert to the digital dark ages — we just need to be conscious about how secure our email services really are. For Clinton’s part, she might have just opted for more secure methods than email for truly sensitive communications. A State Department spokeswoman said Tuesday Clinton could have used secure voice and video chats instead, or opted for something truly old fashioned: printed documents.

TIME 2016 Election

Hillary Clinton Only Used a Personal Email Account While Secretary of State, Report Says

Hillary Clinton Addresses National Council for Behavioral Health Conference
Patrick Smith—Getty Images Former Secretary of State Hillary Rodham Clinton delivers remarks during the National Council for Behavioral Health's Annual Conference in National Harbor, Md., on May 6, 2014

Federal law stipulates that her emails should have been kept on departmental and not private servers

Hillary Clinton exclusively used a personal email account while she was Secretary of State, the New York Times reports, possibly breaching a federal law mandating the archiving of all correspondence by State Department officials.

Clinton’s aides allegedly made no effort to upload her personal emails to the department’s servers during her four-year tenure, as stipulated under the the Federal Records Act, the Times says.

Instead, they reportedly went through thousands of emails two months ago, selecting which to submit as part of a renewed compliance effort from the State Department.

Attorney Jason R. Baron, a former director of litigation at the National Archives and Records Administration, told the Times that it was “very difficult to conceive of a scenario — short of nuclear winter — where an agency would be justified in allowing its Cabinet-level head officer to solely use a private email communications channel.”

Read more at the Times

TIME Innovation

Five Best Ideas of the Day: February 26

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. It’s time to break up the NSA.

By Bruce Schneier at CNN

2. By prescribing appearances, sororities are contributing to a culture of segregation.

By Clio Chang in U.S. News and World Report

3. In Egypt, the U.S. still values security over human rights.

By the Editorial Board of the Washington Post

4. Bartering for eggs is saving giant turtles in Cambodia.

By Yoeung Sun at Conservation International

5. How does Internet slang work its way into American Sign Language?

By Mike Sheffield, Antwan Duncan and Andrew Strasser in Hopes and Fears

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME LGBT

The U.S. Has Appointed Its First Ever Special Envoy for LGBT Rights

The former U.S. consul general in the Netherlands has been named in the role

The U.S. appointed its first-ever special envoy on Monday to defend and promote the rights of lesbian, gay, bisexual and transgender (LGBT) people.

The State Department named Randy Berry, a gay senior diplomat who previously served as U.S. consul general in the Netherlands, to the role, reports Reuters.

In his new role, Berry will work to reduce violence and discrimination against LGBT people around the world, including those in some 75 countries where homosexuality and same-sex relationships are criminalized.

“Defending and promoting the human rights of LGBT persons is at the core of our commitment to advancing human rights globally — the heart and conscience of our diplomacy,” U.S. Secretary of State John Kerry said in a statement.

[Reuters]

TIME Drones

U.S. Will Allow Export of Armed Drones

Export requests will be evaluated on a case-by-case basis

The State Department announced new policies Tuesday stipulating that U.S. drones can only be exported through government programs and that the receiving country needs to agree to certain conditions about what the drone will be used for.

Under the new rules, exports of armed military drones must be made through government entities and the nations receiving the devices must agree to “end-use assurances,” according to the State Department.

“The new U.S. UAS [unmanned aerial systems] export policy provides a disciplined and rigorous framework within which the United States will exercise restraint in sales and transfers and advance its national security and foreign policy interests,” says a State Department fact sheet.

These new proposals come amid increasing controversy and uncertainty over the use of drones, after one crashed onto the White House lawn last month.

TIME Pakistan

Pakistan Executes Seven Militants During John Kerry’s Visit

John Kerry Sartaj Aziz
Anjum Naveed — AP U.S. Secretary of State John Kerry speaks as Pakistani Prime Minister's Adviser on Foreign Affairs Sartaj Aziz looks on during their joint press conference in Islamabad, Pakistan on Jan. 13, 2015.

The secretary of state’s trip to the country comes a month after the Peshawar school massacre

Pakistani officials oversaw the execution of seven convicted militants across the country on Tuesday morning, as U.S. Secretary of State John Kerry began the second day of his trip to the South Asian nation aimed at ramping up security and intelligence cooperation.

Prime Minister Nawaz Sharif rescinded the country’s moratorium on capital punishment in the wake of the Taliban’s savage assault on a school in Peshawar last month, which left at least 147 dead, including 130 children.

Those executed Tuesday included militants convicted of launching deadly sectarian assaults and foiled assassination plots, according to AFP. Kerry has yet to comment publicly on their fate.

Earlier this week, Kerry unveiled a plan to provide $250 million in emergency aid to Pakistanis displaced by Islamabad’s ongoing military operations targeting Islamic militants by the country’s restive northwest frontier, according to the New York Times.

[AFP]

Your browser is out of date. Please update your browser at http://update.microsoft.com