The Inspector General’s report on e-mail records management and cybersecurity in the State Department since 1997 makes me one touch gladder that I voted for Bernie Sanders in our Presidential primary and more than a touch more nervous about having to defend the vote I may have to cast for Hillary Clinton in November to save democracy and the free world from Il Duce Trump.
“Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements,” issued by the State Department’s Office of the Inspector General [OIG] this week, offers the following alarming findings:
…OIG interviewed Secretary Kerry and former Secretaries Albright, Powell, and Rice. Through her counsel, Secretary Clinton declined OIG’s request for an interview [p. 2].
The Clinton campaign contends that her practices didn’t differ from the lax practices of her predecessors. But Clinton was the only one who refused to open up to the Inspector General. Additionally, out of the ten other individuals who either explicitly refused or did not respond to OIG requests for interviews, nine were Clinton people [p. 2].
In December 2014, in response to Department requests, Secretary Clinton produced to the Department from her personal email account approximately 55,000 hard-copy pages, representing approximately 30,000 emails that she believed related to official business. In a letter to the Department, her representative stated that it was the Secretary’s practice to email Department officials at their government email accounts on matters pertaining to the conduct of government business. Accordingly, the representative asserted, to the extent that the Department retained records of government email accounts, the Department already had records of the Secretary’s email preserved within its recordkeeping systems.
The requirement to manage and preserve emails containing Federal records has remained consistent since at least 1995, though specific policies and guidance related to retention methods have evolved over time. In general, the Federal Records Act requires appropriate management, including preservation, of records containing adequate and proper documentation of the “organization, functions, policies, decisions, procedures, and essential transactions of the agency.” Although emails were not explicitly mentioned in the Federal Records Act or FAM until the mid-1990s, the law has stated since 1943 that a document can constitute a record “regardless of physical form or characteristics” [p. 4].
Three problems here:
- Instead of providing the government with the most convenient form of her records, Clinton dropped 110 reams of paper on the desk, tedious for any inspector or researcher to index, search, and reproduce. That’s both wasteful and obstructive.
- Clinton suggests that being able to comb through hundreds, maybe thousands of other government e-mail accounts to find her assorted e-mails ought to satisfy any record-keeping obligation. Again, that sounds obstructive and wasteful of government officials’ time compared to simply handing over one’s inbox on a flash drive.
- The OIG concludes that e-mails are pretty clearly included in the dictates of the Federal Records Act. Clinton appears to have failed to follow that law by not turning over her records upon leaving office.
We can perhaps blame State Department policy for all that printing, but the OIG appears to agree that Clinton violated the Federal Records Act:
As previously discussed, however, sending emails from a personal account to other employees at their Department accounts is not an appropriate method of preserving any such emails that would constitute a Federal record. Therefore, Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary.* At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act [p. 23].
*To support that statement, OIG cites 5 FAM 443.3, a guideline established in 1995.
It wasn’t just Clinton breaking this law; her staff held onto all sorts of improperly secured e-mails as well:
With regard to Secretary Clinton’s immediate staff, OIG received limited responses to its questionnaires, though two of Secretary Clinton’s staff acknowledged occasional use of personal email accounts for official business. However, OIG learned of extensive use of personal email accounts by four immediate staff members (none of whom responded to the questionnaire). During the summer of 2015, their representatives produced Federal records in response to a request from the Department, portions of which included material sent and received via their personal email accounts. The material consists of nearly 72,000 pages in hard copy and more than 7.5 gigabytes of electronic data. One of the staff submitted 9,585 emails spanning January 22, 2009, to February 24, 2013, averaging 9 emails per workday sent on a personal email account. In this material, there are instances where the four individuals sent or received emails regarding Department business using only their personal web-based email accounts. Accordingly, these staff failed to comply with Department policies intended to implement NARA [National Archives and Records Administration] regulations, because none of these emails were preserved in Department recordkeeping systems prior to their production in 2015. As noted above, NARA has concluded that these subsequent productions mitigated their failure to properly preserve emails that qualified as Federal records during their service as Department employees [pp. 24–25].
With regard to encryption, Secretary Clinton’s website states that “robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.” Although this report does not address the safety or security of her system, DS [Bureau of Diplomatic Security] and IRM [Information Resource Management] reported to OIG that Secretary Clinton never demonstrated to them that her private server or mobile device met minimum information security requirements specified by FISMA [Federal Information Security Management Act] and the FAM [Foreign Affairs Manual] [p. 37].
In other words, Clinton tells us she kept her—wait, our—information secure, but we have no independent evidence to confirm that claim.
Making excuses for Hillary Clinton’s failure to follow information management rules is not as hard as making excuses for Donald Trump’s fascism. But I don’t want to have to spend the rest of this campaign making those excuses. Democratic National Convention delegates, you can spare us that trouble by nominating Bernie Sanders.