Emailgate and you

Email has become a hot topic recently, with a string of headlines about that one presidential candidate who used a private email server for government business, combined work and private emails from a single account, produced an archive of digital-native documents in paper-printout form, and then wiped her server clean before any third-party review could be undertaken.

Most articles on this topic have taken a political slant, which is a shame because the multiple mistakes made should be a non-partisan lesson for all of us in how not handle our business and personal email. And if there’s a legitimate scandal to be found in this so-called “emailgate,” it should be appropriately framed in terms of technology.

Lesson One: Email Servers Are a Pain

When the news first came out about this person ran a private email server from home while serving as a government official, everyone’s initial response was, “Wait, what? A private server at home? You actually can do that?”

Yes, you can.

It takes a special kind of person to run an email server from home. Someone who is tech-savvy, naturally curious, and self-reliant. Someone with the time and talent to set up and run a dedicated box and to frequently update with security patches and bug fixes. And someone who has a support network of equally tech-savvy peers to help when things inevitably go wrong.

If you run a private email server in your home, you are probably doing it as a labor of love, and the added privacy, security, and control is just gravy. And partisan chides notwithstanding, just having a private email server doesn’t necessarily mean that you’re trying to hide any shady dealings.

But wiping tens of thousands of emails off of that server without first creating a backup copy, now that indicates to me that you’ve got something you’re trying to hide.

Zero Inbox is a worthy goal. Zero Archives is not.

Zero Inbox is a worthy goal. Zero Archives is not.

When you run an email server, or any other kind of server, you very quickly learn that regular backups are a must. This is equally true whether you are a corporate IT department or a weekend hobbyist. If you are doing things right, it shouldn’t be possible to make all of the emails on your server vanish irretrievably without deliberate intent and a whole lot of effort.

And if you’re not doing things right, your private email server isn’t working to your advantage. If a U.S. Secretary of State were to rely on a personal email server that was badly-maintained or easily compromised, that would be a gate-worthy scandal.

Lesson Two: Email is Insecure

We tend to think of email as analogous to paper mail, as if our “electronic mail” messages were also folded up, enclosed in an envelope, and entrusted to a delivery process that can’t be tampered with under penalty of Federal law. Web designers like myself are partially to blame, since we’ve spent decades spreading envelope-shaped icons across the web, but even Google, Apple, and Microsoft use an envelope or stamp in their mail program logos, and they really should know better.

Assorted metaphors in logo format.

Assorted metaphors in logo format.

Sending electronic mail is really more like mailing an electronic postcard, because the message can be read by anyone along the delivery route, but it’s even less secure than that. Email can be screened or intercepted by third parties. Email can be forwarded to unintended recipients. And there is no federally appointed Email Postmaster General ready to impose mandatory penalties for tampering.

Also, nobody ever got into trouble for accidentally hitting “reply to all” on a postcard.

Please, save the kittens.

Please, save the kittens.

Emailed secrets may not remain secret for long. Therefore, sensitive information should never be sent via unencrypted email. This includes banking information, passwords for your web accounts, trade secrets, and the personally identifiable information that crooks can use to forge your identity.

Incidentally, there are also some applications for which email is actually considered too private and too secure. If you are on a municipal board or committee, and you use email to communicate to your colleagues on matters that may come up for discussion or vote in the future, that serial email disclosure may violate the state’s Open Meeting Law—as members of Groton’s Board of Selectmen learned this past year.

If a U.S. Secretary of State were to regularly include sensitive or classified information in an unencrypted email, despite being surrounded by more secure methods of communication, that would be a gate-worthy scandal.

Lesson Three: Business Emails Are Business Records

In one of my other lives, I am also an attorney. In that capacity, I’ve handled document requests in a variety of legal actions. Maybe a company has been accused of price-fixing or securities fraud. Maybe two companies are merging into one. Maybe the company is party to a lawsuit. Maybe an employee is suspected of a crime. Or maybe the Department of Justice is just trolling with a wide net.

Sooner or later, it’s very possible that your business emails will be scraped off of whatever server they are housed on, reviewed by outside counsel, and produced to adverse parties, law enforcement, or regulatory agencies.

I’ve been paid to read through other people’s business emails. Entire archives of business emails, in some cases going back over a decade and including employees that have long-since left the company, have been dumped on me by duly-authorized IT departments. Among the hateful chain letters, industry newsletters, and love notes from intra-office romances, I’ve sometimes even found evidence of the wrongdoing I’ve been hired to detect.

Haystack, meet needle.

Haystack, meet needle.

If email is a postcard, your email account is a file cabinet. A locked file cabinet, perhaps, but one to which many other people have a key. If there’s anything you wouldn’t write on a slip of paper in your boss’s file cabinet, you also shouldn’t include it in your business emails.

And just as it would be a crime to burn a file cabinet of relevant documents in the face of pending litigation, for example, the same is true for deleting your relevant emails.

In the course of my review, I’ve come across some hair-raising, eye-popping personal information that should never have been included in professional correspondence. Keeping separate accounts for your personal and business emails is a must, for your own protection and for the sanity of anyone who must later read through your inbox. If you receive a personal message to your business email account, or a business message to your personal email account, you should forward it onward to the correct account and delete it from the other before you reply.

If a U.S. Secretary of State were to blur the lines between personal email and government email to the extent that it becomes impossible for reasonable recipients to tell personal opinions from official policy, that would be a gate-worthy scandal.

Lesson Four: Government Emails Are Part of the Public Record

Just as business emails are discoverable business records, government emails in a transparent, accountable democracy are public records.

Ideally, all emails to or from government officials in their official capacity should be housed in servers under government control. Ideally, government emails should be made available to the public or press through reasonable requests, subject to reasonable limitations. Ideally, government emails should be archived to permanent storage.

If a U.S. Secretary of State were to deliberately withhold or destroy emails that represent important historical documents, that would be a gate-worthy scandal.

Lesson Five: Digital vs. Paper

I was once tasked with reviewing data that a client had stored on a floppy disk, back when floppy disks still existed. “Send me a copy of the disk,” is what I said.

I received four pieces of paper stapled together: a photocopy of the front side of the sleeve, a photocopy of the back side of the sleeve, a photocopy of the front side of the floppy, and a photocopy of the back side of the floppy.

In case you've never seen one.

In case you’ve never seen one, perhaps in a museum.

Fifteen years later, I needed to review an archive. “Send me a copy of the archive,” is what I said.

I received a single sheet of paper: the printout of an email from the IT department to the CEO including an icon representing the zip-file email attachment.

The point is, it’s hard to represent digital-native files in paper form.

When you print an email, you lose the ability to search and filter. You lose the ability to follow links—especially links to ephemeral pages or ones that change over time. You may lose the ability to read files attached to the email. You may lose the context of the email within a chain of other emails. You may lose the metadata—the sometimes vital record of when, where, who, how, and why that exist outside the content of the email itself.

If you are producing the data from digital-native files in paper format, the printouts may not be good enough for review purposes, but they will definitely not suffice for archival purposes.

And that’s a problem, because there is not yet a digital storage medium that lasts as long as ink on paper. Over the span of decades, your thumb drives, SSDs, and CD-ROMs will disintegrate and lose their data.

If a U.S. Secretary of State were to produce an archive of emails in paper format, that could arguably be the best available state-of-the-art for long term data storage–but there are some printed formats that preserve more information than others, and one would hope that the digital version would also be kept, pending the development of improved long-term digital media.

In Conclusion

Email is an important mode of expression for business and personal use. It’s not going away any time soon, and we can all be smarter about how we use it. Using best email practices can help preserve your identity, your reputation, and your chance to ever become President of the United States.

Posted in Security
Tagged with: ,

Leave a Reply