State Department file photo

Hillary Clinton’s Tweet About Email Doesn’t Answer Security and Transparency Concerns

We don’t know if Russia or China hacked Clinton’s emails, and we may never know, security experts said.

Hillary Clinton pledged on Twitter late Wednesday to make public work-related emails from her time as secretary of State, but the vow does little to answer growing questions about the transparency or security of her communications.

Clinton's promise to release some 50,000 pages of emails—a process the State Department said will likely take "some time to complete"—does not assuage concerns that the presidential hopeful was keeping her messages beyond the reach of congressional and open-records inquiries, or that she may have skirted federal record-keeping laws. Her promise also does not quell fears that by relying on a private email server, Clinton recklessly endangered the security of her communications during her four-year tenure in Obama's Cabinet.

It is unlikely the public will ever be granted full assurances that the emails Clinton divulges constitute the entirety of her declassified communications. (The State Department has said Clinton did not convey classified information by email, an assertion her critics find improbable and beside the point.)

"There's no doubt that there will not be a way to fully validate the completeness of that production," Jason Straight, chief privacy officer and senior vice president of cybersecurity at UnitedLex, a global firm that provides legal services on electronic-data discovery.

Daniel Castro, vice president of the Information Technology & Innovation Foundation, said Clinton could, in a bid to silence her critics, turn over her entire server in addition to the emails. A digital forensics specialist would be able to audit the server's log files—which keeps a running record of a computer's activities—to verify whether the email trove Clinton provided was complete and not a self-selected sample.

"That assumes, of course, that the log files exist," Castro said, noting that it would depend on how the server was configured.

But even if investigators had access to "this mystery server sitting in the Clinton closet somewhere," Straight said, the log data would likely not include email content. Instead, it could potentially show if emails were missing from Clinton's public cache, but it would be unable to verify with certainty that everything visible amounted to everything that once existed.

"The hardest thing to do with forensics is to prove a negative," he said. "Absence of evidence is not the evidence of absence."

In addition to the transparency concerns, security experts are still scratching their heads about why Clinton would have taken the unusual step of setting up a home-managed email account, a move that potentially made her messages vulnerable to foreign hackers keen on spying on the U.S.'s top diplomat.

Clinton's decision to forgo an official State Department email account was seen as troubling to computer-security analysts, who warned that emails sent across separate servers—instead of delivered entirely within government servers—posed greater risk of being intercepted or spied on.

Clinton's other choice, to not use a commercial account like Gmail or Yahoo, has been viewed as recklessly confident, given the diligence required to keep the emails of a senior government official safe from foreign adversaries like Russia and China.

Part of the problem is that no system is considered impenetrable by dedicated hackers, which makes round-the-clock monitoring of breaches all the more important. But while government servers include first-rate monitoring software, it is unlikely that a private account was as alert to cyber intrusions.