
FBI says Hillary Clinton's email setup was irresponsible, not illegal

The FBI gave a scathing review of Hillary Clinton's email setup, which used personal servers for sensitive federal information, but deemed that her actions were not illegal.

The FBI investigation determined Hillary Clinton's actions were not illegal, but it was irresponsible to use private servers for email when she was secretary of state.

In a statement, FBI Director James Comey wrote, of the 30,000 Clinton email messages investigated, 110 messages in 52 chains contained classified information at the time they were sent or received. "Eight of those chains contained information that was top secret at the time they were sent; 36 chains contained secret information at the time; and eight contained confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional emails were 'up-classified' to make them confidential; the information in those had not been classified at the time the emails were sent," Comey wrote.

Comey had harsh words for the risky way Hillary Clinton's email was handled: "There is evidence to support a conclusion that any reasonable person in Secretary Clinton's position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation."

Comey said the FBI had a very difficult time investigating the way Hillary Clinton's email was set up, because although no email messages were intentionally deleted when Secretary Clinton's original personal servers were decommissioned in 2013, the email software had been removed.

"Doing that didn't remove the email content, but it was like removing the frame from a huge, finished jigsaw puzzle and dumping the pieces on the floor," Comey wrote. "The effect was that millions of email fragments end up unsorted in the server's unused -- or slack -- space. We searched through all of it to see what was there, and what parts of the puzzle could be put back together."

Chris Wysopal, co-founder and CTO of Veracode, based in Burlington, Mass., told SearchSecurity that although this puzzle analogy sounds impressive, the job of sorting through those email fragments likely wasn't so difficult.

"Reconstructing deleted files or parts of deleted files in the slack space that haven't been overwritten is basic forensics. This should be simple," Wysopal said. "I think the difficulty comes in trying to ascertain if the system was compromised. Without remote logging, this is a challenge."

Comey also admitted the difficulty in determining if there had ever been a breach of Clinton's email system, and while no "direct evidence" was found, such evidence would be unlikely in any case.

"We do assess that hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton's use of a personal email domain was both known by a large number of people and readily apparent. She also used her personal email extensively while outside the United States, including sending and receiving work-related emails in the territory of sophisticated adversaries," Comey wrote. "Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton's personal email account."

Comey, a noted proponent of the going-dark theory, conspicuously did not mention encryption in his statement, but did suggest Clinton's email setup could have benefitted from better email governance.

"None of these emails should have been on any kind of unclassified system, but their presence is especially concerning because all of these emails were housed on unclassified personal servers not even supported by full-time security staff, like those found at departments and agencies of the U.S. Government -- or even with a commercial service, like Gmail," Comey wrote.

Previous investigations have suggested Clinton's email was not encrypted, and Wysopal said it would be difficult to determine the use of encryption at this point.

"It is not clear to me whether or not encryption was enforced at the mail transport level or at the client level. Having a certificate issued by a certificate authority does not tell us whether unencrypted connections were rejected. Most mail servers perform opportunistic encryption at the transport level," Wysopal said. "If a server sending or receiving mail from Clinton's server was not configured for encryption, the data would have gone in the clear. At the client level, unless clear text connections were turned off, there still could have been unencrypted connections."
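The distinction Wysopal draws can be checked from a recorded SMTP session: a server that merely advertises STARTTLS still accepts mail in the clear, while one that enforces it refuses `MAIL FROM` until TLS is negotiated. The Python below is an added example, not part of the original article or of anything attributed to the people quoted; the transcripts and hostnames are constructed, and the classification labels are this example's own.

```python
import re

REPLY = re.compile(r"^(\d{3})([- ])(.*)$")

# Constructed transcripts (placeholder hostnames). "> " marks what the client
# sent; the client deliberately sends MAIL FROM without issuing STARTTLS first.
EHLO = "220 mx.example.test ESMTP\n> EHLO probe.example.test\n250-mx.example.test\n"
MAIL = "> MAIL FROM:<probe@example.test>\n"
OPPORTUNISTIC = EHLO + "250-STARTTLS\n250 8BITMIME\n" + MAIL + "250 2.1.0 Ok\n"
ENFORCED = (EHLO + "250-STARTTLS\n250 8BITMIME\n" + MAIL
            + "530 5.7.0 Must issue a STARTTLS command first\n")
PLAINTEXT_ONLY = EHLO + "250 8BITMIME\n" + MAIL + "250 2.1.0 Ok\n"
UNPROBED = EHLO + "250-STARTTLS\n250 8BITMIME\n"


def parse(transcript):
    """Yield (client_command, reply_code, reply_lines), joining multiline replies."""
    command, lines = None, []
    for raw in transcript.splitlines():
        if raw.startswith("> "):
            command, lines = raw[2:].strip(), []
            continue
        m = REPLY.match(raw)
        if not m:
            continue
        lines.append(m.group(3).strip())
        if m.group(2) == " ":  # a space after the code ends the reply
            yield command, int(m.group(1)), lines
            lines = []


def classify(transcript):
    """Return the server's transport-encryption posture for this session."""
    offers_tls, mail_code = False, None
    for command, code, lines in parse(transcript):
        verb = (command or "").split(":")[0].upper()
        if verb.startswith("EHLO") and code == 250:
            offers_tls = any(l.upper() == "STARTTLS" for l in lines)
        elif verb == "MAIL FROM":
            mail_code = code
    if mail_code == 530:  # RFC 3207 reply: STARTTLS must be issued first
        return "enforced"
    if mail_code is not None and 200 <= mail_code < 300:
        return "opportunistic" if offers_tls else "plaintext-only"
    return "unverified"  # advertising STARTTLS says nothing about enforcement


if __name__ == "__main__":
    for name in ("OPPORTUNISTIC", "ENFORCED", "PLAINTEXT_ONLY", "UNPROBED"):
        print(f"{name:15} -> {classify(globals()[name])}")
```
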

However, Comey said it was a matter of intent in determining if laws had been broken.

"Our investigation looked at whether there is evidence classified information was improperly stored or transmitted on that personal system, in violation of a federal statute making it a felony to mishandle classified information either intentionally or in a grossly negligent way, or a second statute making it a misdemeanor to knowingly remove classified information from appropriate systems or storage facilities," Comey wrote.

Comey said the FBI decided Clinton had not intentionally mishandled classified information, and despite "evidence of potential violations," the FBI suggested charges should not be brought. The Department of Justice ultimately will determine if any charges or sanctions are levied against Clinton.

Wysopal noted on Twitter the common sanction in cases like this would be to ban Clinton from receiving security clearance in the future.

"I think the gist of it is intent. Did you intend to leak information, or did you behave in a way that it is likely it happened? In this case, it is the latter," Wysopal said. "To me, it seems there should be some punishment for the latter, even if it is not criminal. We will see if Comey's potential administrative sanctions ever happen."


What do you think about the FBI determining Hillary Clinton's email setup was not illegal?
It's not trivial to prove that someone knowingly and intentionally did something. Especially, in retrospect, and in the context of ever-evolving software technologies and cyber threats.
Ms. Clinton was Secretary of State. If she didn't know the meaning of the various levels of information classification, the protocols involved in ensuring that security, and the degree of responsibility and accountability involved, who else should? The whole discussion is specious. The woman knowingly put herself above her office, and perhaps her actions are not criminal, but they do demonstrate arrogance and poor judgement.
"Grossly negligent" IS illegal in regards to Federal Government record keeping. Over 100 emails were known to be classified at the time they were on her server, and there's plenty of rules describing what constitutes proper storage for them. Yet somehow, she managed to "not get" the briefing ALL State Department employees are REQUIRED to get regarding proper handling of sensitive and classified information. If HRC didn't know when she set the system up, any reasonable person would have snagged a clue when the State Department systems spammed her unofficial address. The State Department was forced to compromise its own security in order to accommodate her server. She continued to use mobile devices that were not secure even after being warned of how easily hackers could eavesdrop on them in many of the countries she was in.

And it's come out that the main reason she used a private server was so that she could ILLEGALLY destroy/withhold emails she didn't want getting public under FOIA requests.