by Rob Pegoraro
Before concluding that “no reasonable prosecutor” would file criminal charges against Hillary Clinton for using a private email system as secretary of state, FBI Director James Comey called her communications habits, which on rare occasions included sending classified information via this unofficial channel, “extremely careless.”
Comey scolded the email practice of Clinton and her colleagues, criticizing the State Department’s entire security culture as “generally lacking in the kind of care for classified information found elsewhere in the government.”
But his harshest critique may have come towards the end of the remarks he delivered Tuesday morning, when the FBI director mentioned Clinton’s international email use.
“She also used her personal email extensively while outside the United States, including sending and receiving work-related emails in the territory of sophisticated adversaries,” Comey said. “It is possible that hostile actors gained access to Secretary Clinton’s personal email account.”
Tech-travel advice for the paranoid
Security experts agree: When you visit countries with a habit of snooping on their citizens and visiting Americans, you can’t use your devices and your apps as you would at home.
“I use the most secure devices I can, only bring the most absolutely necessary data and access with me, and wipe everything when I’m done,” said Rich Mogull, CEO of Securosis, when I asked him for advice before a business trip to China I made in April.
For one recent international trip, that amounted to taking only an iPad and iPhone. He wiped each device clean before traveling, then set them up with a subset of his usual apps that included virtual private networking (VPN) software to create a secure connection to U.S. sites.
He also used a prepaid SIM card for the iPhone instead of his regular SIM, which could otherwise be reprogrammed over the air.
Chris Soghoian, chief technologist with the American Civil Liberties Union, said he takes a Chromebook—he called it “a great, secure burner” device—for international travel. He endorsed a useful Chrome OS feature if you fear an inspection of your device by U.S. customs and immigration officials: “an easy-to-use ‘reset to factory defaults’ button in the settings.”
In certain destinations, it may be safer not to use your devices. That’s the plan Greg Nojeim, senior counsel at the Center for Democracy & Technology, settled on before a trip to Russia in May followed by more overseas travel—he’d keep his iPad off while in the country.
Fortunately, not everybody will be of interest to another country’s spooks. “If you aren’t a target like a corporate exec, government official, or security consultant/analyst, then you don’t need to worry as much,” Mogull told me.
In April I took my phone and laptop to speak on a panel at the IFA Global Press Conference in Hong Kong and its affiliated CE China show across the border in Shenzhen. While in China, I used a Truphone SIM loaned by that London firm, I only used my laptop on the hotel’s WiFi, I installed no apps or app updates and I set OS X’s firewall to refuse all incoming connections. Somehow, almost every U.S. site worked on both devices.
This is why encryption matters
But a secretary of state is a giant target who can’t take a technology sabbath when she leaves the country. She must stay in touch, securely.
Considering how long ago this began, Clinton’s phone probably didn’t incorporate a level of encryption that would scramble its data even if the device were lost or stolen — the level that stymied the FBI’s attempt to get into the iPhone used by one of the San Bernardino shooters until security researchers found a software flaw it could exploit. Fortunately, cabinet secretaries with security details should face zero risk of a phone going astray.
(While in China, I was amused to see one local phone vendor make “crypto” a selling point: CE China exhibits included a phone by Shanghai’s Vargo Technology that touted a variety of encryption features. I could not find anybody from the Ministry of State Security to grade their effectiveness.)
It’s more important whether Clinton’s mail system used encryption to secure messages on their way to and from the mail server, then across the Internet to her correspondents. We don’t know that either; Comey didn’t even use the word “encryption” in his statement.
But while most mail systems now support these kinds of encryption, historically that wasn’t the case. I must note here that Yahoo Mail trailed competitors such as Gmail (commended by Comey in his talk for its focus on security) in this regard until a couple of years ago.
That said, we also don’t know if the State Department’s own email would have offered more protection, considering its sorry record of being hacked—in November of 2014, State briefly shut down its unclassified-mail system after one intrusion.
I would like to think that Clinton will listen to the IT department’s advice from now on. But there’s also a lesson to be learned from this debacle about encryption’s importance. Has it adequately informed Clinton’s tech policy? The vague statements about crypto in that policy suggest we don’t know that either.