Many people have at least two email addresses: There’s the one you get for work, then there’s the one you use for personal business. And you might even have one to give all the companies who will send you junk mail until the world ends.
But these accounts don’t physically exist in your office, home, or city dump, respectively. They’re typically off someplace in the cloud — unless, like former Secretary of State Hillary Clinton, you decide to host your own email service in your home. While heading up Foggy Bottom, the potential presidential hopeful exclusively used an email server registered to her home in Chappaqua, New York, according to the Associated Press and New York Times.
The situation has quickly become problematic for Clinton. Public officials are supposed to be archiving their correspondence under open records rules, so the revelations have raised questions over why Clinton opted to use a private email setup rather than the State Department’s service.
While Clinton’s move to use a private email solution might seem like an unusual choice, it’s technologically easy enough for most people to set one up — check out this explainer from Ars Technica for the wonky details. But few people bother with a private email server. Why not?
“The big caveat is that you must know what you’re doing in terms of setting it up securely, and that’s a fairly difficult, non-trivial problem for most people,” says Katie Moussouris, chief policy officer for San Francisco-based HackerOne, a company that works with friendly hackers to help organizations like Yahoo, Twitter, and even government agencies detect vulnerabilities in their own technology.
An outgoing email generally follows this route: It’s stored in a server, sent by a client (software ranging from Microsoft Outlook on your computer to the Mail app on your smartphone), and traverses various networks en route to its destination, where it’s received by the recipient’s client and stored by their email server. (And vice versa for incoming email.) Setting up your own email service lets you control the two closest parts of this path — your local server and client. That can help make your data safer, especially if you encrypt the data stored on your server and the messages you send.
But doing all this still means three-fifths of your email’s path runs through areas over which you have no control. In fact, the only way that emails sent to or from Clinton’s account would remain truly secure would be if they went to or came from accounts that were similarly locked down. Then “you would have all of the infrastructure under your direct control,” says Moussouris, who has more than 15 years’ experience in Internet security and has also worked as a hacker-for-hire.
Despite these security holes, there are still reasons that a person would want to set up their own email service. As that Ars explainer points out, if your email is hosted in the cloud — say, by Gmail — “it’s not yours.” If you control the servers, you own the content — though governmental policies surrounding transparency and police search and seizure rules certainly weigh in here.
But most people aren’t trying to protect sensitive State Department data. Instead, one reason people run their own email services is so they can use their own domain name in their email address. If this was a reason for Clinton, it was a foolhardy one, argues Moussouris. If being a high-value target for hackers is a reason for using an (allegedly) more secure private email service, choosing a domain name like clintonemail.com, as Clinton did, only gave her a higher profile.
“Such an obvious name would make it an interesting target for a hacker,” says Moussouris. “People with that high of a profile, whether it’s a politician, celebrity, or high-level executive, they should already be operating with that in mind.”
Besides, consumer-based services not only allow users to use their own domain name while hosting their emails in the cloud, they also provide end-to-end encryption, ensuring that their messages stay safe while traveling through the web.
But if you still want to email like Hillary Clinton, Moussouris recommends relying on an expert — if you can find one. “Qualified security people are very rare,” she says. And that’s one of the problems with this setup for Clinton.
“I couldn’t imagine a top-notch security person going to work for anyone in Washington, let alone an individual in, essentially, a non-technical function,” Moussouris says. “We have a scarcity of talent in the security industry, and we see this when we try to hire good people all the time.”
As a result, Moussouris assumes whoever set up Clinton’s private email server was a staffer, unless they were very well paid. And if that’s the case, the best way to email like Hillary Clinton is to spend a lot of money.