JRB - Fotolia

FBI says Hillary Clinton's email setup was irresponsible, not illegal

The FBI gave a scathing review of Hillary Clinton's email setup, using personal servers for sensitive federal information, but deemed her actions were not illegal.

The FBI investigation determined Hillary Clinton's actions were not illegal, but it was irresponsible to use private servers for email when she was secretary of state.

In a statement, FBI Director James Comey wrote, of the 30,000 Clinton email messages investigated, 110 messages in 52 chains contained classified information at the time they were sent or received. "Eight of those chains contained information that was top secret at the time they were sent; 36 chains contained secret information at the time; and eight contained confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional emails were 'up-classified' to make them confidential; the information in those had not been classified at the time the emails were sent," Comey wrote.

Comey had harsh words for the risky way Hillary Clinton's email was handled: "There is evidence to support a conclusion that any reasonable person in Secretary Clinton's position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation."

Comey said the FBI had a very difficult time investigating the way Hillary Clinton's email was setup, because although no email messages were intentionally deleted when Secretary Clinton's original personal servers were decommissioned in 2013, the email software had been removed.

"Doing that didn't remove the email content, but it was like removing the frame from a huge, finished jigsaw puzzle and dumping the pieces on the floor," Comey wrote. "The effect was that millions of email fragments end up unsorted in the server's unused -- or slack -- space. We searched through all of it to see what was there, and what parts of the puzzle could be put back together."

Chris Wysopal, co-founder and CTO of Veracode, based in Burlington, Mass., told SearchSecurity that although this puzzle analogy sounds impressive, the job of sorting through those email fragments likely wasn't so difficult.

"Reconstructing deleted files or parts of deleted files in the slack space that haven't been overwritten is basic forensics. This should be simple," Wysopal said. "I think the difficulty comes in trying to ascertain if the system was compromised. Without remote logging, this is a challenge."

Comey also admitted the difficulty in determining if there had ever been a breach of Clinton's email system, and while no "direct evidence" was found, such evidence would be unlikely in any case.

"We do assess that hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton's use of a personal email domain was both known by a large number of people and readily apparent. She also used her personal email extensively while outside the United States, including sending and receiving work-related emails in the territory of sophisticated adversaries," Comey wrote. "Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton's personal email account."

Comey, a noted proponent of the going-dark theory, conspicuously did not mention encryption in his statement, but did suggest Clinton's email setup could have benefitted from better email governance.

"None of these emails should have been on any kind of unclassified system, but their presence is especially concerning because all of these emails were housed on unclassified personal servers not even supported by full-time security staff, like those found at departments and agencies of the U.S. Government -- or even with a commercial service, like Gmail," Comey wrote.

Previous investigations have suggested Clinton's email was not encrypted, and Wysopal said it would be difficult to determine the use of encryption at this point.

"It is not clear to me whether or not encryption was enforced at the mail transport level or at the client level. Having a certificate issued by a certificate authority does not tell us whether unencrypted connections were rejected. Most mail servers perform opportunistic encryption at the transport level," Wysopal said. "If a server sending or receiving mail from Clinton's server was not configured for encryption, the data would have gone in the clear. At the client level, unless clear text connections were turned off, there still could have been unencrypted connections."

However, Comey said it was a matter of intent in determining if laws had been broken.

"Our investigation looked at whether there is evidence classified information was improperly stored or transmitted on that personal system, in violation of a federal statute making it a felony to mishandle classified information either intentionally or in a grossly negligent way, or a second statute making it a misdemeanor to knowingly remove classified information from appropriate systems or storage facilities," Comey wrote.

Comey said the FBI decided Clinton had not intentionally mishandled classified information, and despite "evidence of potential violations," the FBI suggested charges should not be brought. The Department of Justice ultimately will determine if any charges or sanctions are levied against Clinton.

Wysopal noted on Twitter the common sanction in cases like this would be to ban Clinton from receiving security clearance in the future.

"I think the gist of it is intent. Did you intend to leak information, or did you behave in a way that it is likely it happened? In this case, it is the latter," Wysopal said. "To me, it seems there should be some punishment for the latter, even if it is not criminal. We will see if Comey's potential administrative sanctions ever happen."

Next Steps

Learn more about the Hillary Clinton email scandal and information governance.

Find out why Hillary Clinton can't mail.

Get info on how personal email and cloud services are changing corporate email access.

Dig Deeper on Government information security management