What Clinton's Email Habits Reveal About Federal Records Laws


Federal regulations don’t outright ban the use of personal email accounts to conduct official government business.

Since Monday night, former Secretary of State Hillary Clinton has received a barrage of negative press thanks to The New York Times report detailing her exclusive use of a personal email to conduct government business during her four years as the nation’s top diplomat, raising concerns about everything from transparency to security.

As more details continue to be revealed, there are three things you should know about federal record-keeping -- and what's actually allowed.

1. This is not the first time a government official has opted for a personal account.

A survey of federal employees conducted by Government Executive Media Group’s research arm revealed 33 percent of respondents said personnel at their agency used personal email for government business at least sometimes.

And though she may be the highest-profile, Clinton is far from the first government official to be ensnared in a flap over storing email records.

In 2010, for example, then-Deputy U.S. Chief Technology Officer and former Google exec Andrew McLaughlin was discovered using his Gmail account to conduct official White House business. A few years later, Gary Gensler, chairman of the Commodity Futures Trading Commission, came under scrutiny for using his personal account to send some 11,000 business-related emails.

Lisa Jackson, the former administrator of the Environmental Protection Agency, landed in hot water after it was revealed she was conducting official business using an official email account -- but under an alias. The agency said emails sent from Jackson’s “Richard Windsor” nom-de-plume account were captured for record-keeping purposes.

2. Federal regulations don’t outright ban the use of personal accounts.

The National Archives and Records Administration has discouraged the use of personal email to conduct official business. But government regulations do not outright forbid the practice. As long as agency officials make sure emails they send from and to their personal accounts can be “captured” for record-keeping purposes, they’re in the clear.

Last November, Congress approved an update to the Federal Records Act, which bans the use of personal email accounts by agency officials unless messages are copied or forwarded to official government accounts within 20 days.

And not all emails rise to the level of an official record.

Here’s how a 2013 NARA bulletin put it: “Federal records are documentary materials that agencies create and receive while conducting business that provide evidence of the agency's organization, functions, policies, decisions, procedures and operations, or that contain information of value.”

A September 2014 follow-up bulletin from NARA further stipulates that any email that fits in the aforementioned category “must be filed in an agency record-keeping system” and retained on a certain schedule depending on the nature of its content.

These rules are slightly more stringent than those in place during Clinton’s tenure.

3. Would a State-run email account really be more secure?

Some media reports have wondered whether Clinton jeopardized state secrets by using a personal email account.

State Department spokeswoman Marie Harf told reporters there’s no indication Clinton used the personal account for classified information.

And while we do not yet know what security measures were taken with Clinton’s personal account, the fact of the matter is that the official State email system is not a locked fortress, either.

Last month, media reports revealed the State Department is still battling hackers on its unclassified networks – more than five months after first detecting suspicious activity.

During Clinton’s term, thousands of the agency’s sensitive diplomatic cables were published by WikiLeaks.

“Let’s be clear, that personal email was probably far more secure than her State.gov email account,” stated Clay Johnson, former director of Sunlight Labs and a former presidential innovation fellow, in a commentary published on Medium.

The State Department has not set its staff up with malware detection when they receive emails remotely, according to the annual Federal Information Security Management Act report, a scorecard of agencies’ cybersecurity measures.

None of the agency’s email traffic is connected to the encryption standard known as FIPS 140-2. And State’s systems do not support the capability to digitally sign email.

Perhaps most damningly, the department doesn’t require users to log in with a two-factor personal-identity verification card.

Johnson speculated that Clinton’s use of her personal account was no secret in the federal sphere.

“It could be that they knew the entire classified and unclassified email system was compromised and decided that the smartest thing to do was for her to use her personal email instead,” he wrote.