The Volokh Conspiracy
I continue to be fascinated by the very early chapters of the Hillary Clinton homebrew email saga. For one simple reason: the clintonemail.com server apparently didn't have the digital certificate needed to encrypt communications until late March 2009—more than two months after the server was up and running, and after Secretary Clinton's swearing-in on January 22.
Two questions are raised by this timing: First, why didn't the server have encryption from the start? And second, why did it get encryption in March, at a time when Clinton should have been extraordinarily busy getting up to speed at State, not messing with computer security protocols?
The simplest answer to the first question is that the lack of a certificate was just a mistake. But what about the second? What inspired the Secretary to get an encryption certificate in March when her team hadn't bothered to get one in January or February?
The likely answer to that question is pretty troubling. There now seems to be a very real probability that Hillary Clinton rushed to install an encryption certificate in March 2009 because the U.S. intelligence community caught another country reading Clinton's unencrypted messages during her February 16-21, 2009, trip to China, Indonesia, Japan, and S. Korea.
Thanks to FOIA lawsuits, the State Department has released a few documents from this early period. They show that Clinton began using the clintonemail.com server as early as January 28, 2009, just after her inauguration. Other messages from Cheryl Mills used the server in early February.
Even as she kept her homebrew server, Clinton and her staff were fighting to hang on to their Blackberries, just like President Obama. That provoked resistance from the State Department's top security official, Assistant Secretary Eric Boswell. On March 2, he sent the Secretary a memo—"Use of Blackberries on Mahogany Row"—declaring that "the vulnerabilities and risks associated with the use of Blackberries in Mahogany Row [the State Department's seventh floor executive offices] considerably outweigh their convenience."
On March 11, at a staff meeting, Clinton seemed to throw in the towel on her Blackberry, telling Boswell that she had read the memo and "gets it." We know this from correspondence among Boswell's staff.
But what's fascinating and troubling is something else in the correspondence. One staff message says that during Clinton's conversation with Boswell, "her attention was drawn to a sentence that indicates we [the diplomatic security office] have intelligence concerning this vulnerability during her recent trip to Asia."
I am struck by the mix of delicacy and insistence in that phrasing. It seems likely that Clinton's attention was drawn to that sentence because the intelligence was about Secretary Clinton's own communications security, something a discreet diplomat would not want to say directly in written communications. Clinton certainly acted like the intelligence concerned her. She asked Boswell to get her "the information." On March 11, Boswell is told by his staff that the report is already on the classified system, and he is reminded that he had already been briefed on it. Presumably he conveyed it to Clinton soon after March 11.
Eighteen days later, Clinton's server acquires a digital certificate supporting TLS encryption, closing the biggest security hole in her server.
I suppose this could all be coincidence, but the most likely scenario is that the Secretary's Asia trip produced an intelligence report that was directly relevant to the security of Clinton's communications. And that the report was sufficiently dramatic that it spurred Clinton to make immediate security changes on her homebrew server.
Did our agencies see Clinton's unencrypted messages transiting foreign networks? Did they spot foreign agencies intercepting those messages? It's hard to say, but either answer is bad, and the quick addition of encryption to the server suggests that Clinton saw it that way too.
If that's what happened, it would raise more questions. Getting a digital certificate to support encryption is hardly a comprehensive response to the server's security vulnerabilities. So who decided that that was all the security it needed? How pointed was the warning about her Asia trip? Does it expand the circle of officials who should have known about and addressed the server's insecurity? And why, despite evidence that Clinton was using the server in connection with work in January and February, did Clinton turn over no emails before March 18?
We don't know the answers to those questions, and they may have perfectly good answers. But they do suggest that the investigation should be focusing heavily on who did what to clintonemail.com in January through March of 2009.