Skip to content ↓ | Skip to navigation ↓


It was revealed this evening that Hillary Clinton was using a personal email account while serving as the secretary of state. This has raised a number of issues with regards to both compliance and security.

Apparently, Clinton chose not to use a government-issued email address despite the Federal Records Act, which only applies to official email accounts created by the government, and are automatically retained.

Furthermore, Clinton allegedly used a private email account under a personally registered domain, which circumvents the automated retention of communications, even while these communications were part of official government business.

For the entire four-year tenure, Mrs. Clinton did not have a government email address while at the State Department. Her staff did not make backups of her personal email account or ensured there were archives made available as per the Federal Records Act.

What I also find hard to believe is that nobody else within the government would have stopped to ask.

Not only would such an activity circumvent record retainment requirements but also security requirements. For someone as high up as Hillary Clinton to be using a private email address for official government business, it raises a number of security concerns.

This is shadow IT at a grand scale. With no visibility into how the Clinton’s emails were being secured, it would be impossible for the government to ensure the communications were not compromised by espionage.

According to the Washington Post, the worst scenario may have come true when hacker “Guccifer” reportedly released several emails pertaining to Benghazi, which appear to be between Sidney Blumenthal and Hillary Clinton at the “” domain. The domain was registered January 2009 through Network Solutions.


Looking a bit deeper at the MX records for the domain they map to a service run by McAfee:


MX Logic was acquired by McAfee in June of 2009 and is now part of McAfee’s SaaS offerings. So, it looks like someone knew what they were doing at some level to modify the MX records to use McAfee’s service.

However, the risk of this email account being compromised is significant and one wonders who else aside from Guccifer may have had access to sensitive communications.

Before we pick on Hillary Clinton too much, we should evaluate how common this practice is. If the goal is to circumvent a regulatory requirement and is putting communications at risk, these shadow IT practices should be evaluated government-wide.


Tripwire CCM Express Free Trial
  • fedup

    Before we pick on her? You mean other than the fact that a government offical used unofficial communication channels to conduct official business and succeeded in bypassing all security mechanisms put in place so there would be no record? Nah, that can only lead to wonderful things such as rainbows and unicorns for everyone.

  • really!

    It sounds like Sydney Blumenthal's AOL account was hacked. Not Hillary's private account. If she used one account the entire time and has turned over 55,000 plus pages it doesn't sound as though she is hiding much. This is just another made up scandal for the media and breathless pundits to pontificate about for a while. Once again it will amount to nothing

  • tonyE

    This is a security breakdown at a very high level.

    From personal experience I can tell you that any emails that are classified MUST be routed via very specific networks.

    For the SecState to use a private network is a breakdown of security at the HIGHEST LEVEL.

    She is guilty of a very serious crime, there is simply no way for her to excuse herself.

    Also, how about all the people who were communicating with her? Surely they knew they were breaking the law… ( and I'm not talking about the records, I'm talking about a security breach at the highest level of our nation).

    • Coyote

      "From personal experience I can tell you that any emails that are classified MUST be routed via very specific networks. "

      I assume they have full disk encryption, they use starttls (or better), proper ingress and egress filtering, right? Also, because of full disk encryption, they store the mail on the server (or enforce full disk encryption on the computers), yes? In addition, they also use 2FA, don't share passwords, don't use passwords more than once, and follow other best practises, correct? (I'm pointing out these deliberately) Fine, the way it was done isn't legal but government security is an oxymoron in any case.

      As for the law – well yeah, you can't argue that; it is either legal or not. But trying to legitimatise a breach of law is very different from offering a reason for it. So while it might be illegitimate she could still answer for it.

      But it isn't like she's not in good company here, with government officials (and I refer not necessarily to the US although obviously it applies equally). As for others communicating with her, I find that rather … difficult to enforce. Besides email is a global thing, which means anyone not on US soil or otherwise anyone not under the law of the US, isn't going to have a problem (with US law[with perhaps some exceptions]), there really isn't any law ruling email (and those with disclaimers, telling others they can't copy/share/etc. are fooling themselves only – once you send it to another server, it out there and already shared[1]) – and certainly it won't be prevented (that's simply not how the Internet works). Even the US CANSPAM act (or whatever) isn't exactly successful, is it? So even if it (communicating with her personal email) is/was technically illegal, good luck enforcing it. Fine, she can be punished but I'd actually like to see them try punishing each and everyone she communicated with. It would amuse me greatly (although I imagine many taxpayers would be quite angry).

      [1] That means as much as, yes, the author of it is the owner and has 'copyright', but to suggest someone can't copy/paste it (say forward), is absurd. Anyone claiming otherwise should stop sending email; the mail servers involved are forwarding it, too, and sorry to tell you this, but if I were to have illegal content on my server, I would be breaking the law. This also goes if I allow illegal content to pass through my mail server (say between two ends). That means if you don't want your email out there, don't send it (similar is if you were to forward something illegal to someone, and didn't know they were setting a trap – say they were actually trying to catch you break the law – they would report it – if you didn't want it out there, you shouldn't have sent it).

      I will only offer one view on the issue itself: I hate politicians and politics, and consequently, I only brought up the above (technical) things; politicians will do whatever they do, and that includes make many mistakes and the most extreme mistake at that – not learning from the past (mistakes and otherwise). There isn't a thing I can do about that, either (nor would I try).

  • Pete

    If there was a crime, I guess Colin Powell is guilty of it too.

  • Suzy

    No, he isn’t. He did use a personal email at the White House but the difference is that is was on the White House server not Hillary’s private server in her bathroom at her home.