For politicians, is it now a case of live by the private email account, die by the private email account?
That is among the information security and transparency questions that spring to mind on the heels of news that Vice President Mike Pence used his personal AOL email account while governor of Indiana to conduct official business, and his account was hacked.
At the minimum, that finding should lead to government bodies - national and state - reviewing officials' use of personal email accounts to conduct public business. While such use is not illegal - provided emails get logged into government record-retention systems - information security experts have long warned that personal email accounts remain at much greater risk of being hacked, and especially being hacked without anyone knowing, than government-issued accounts.
Throughout the 2016 U.S. presidential campaign, for example, Pence said that Hillary Clinton's use of a personal email server while she served as secretary of state had put classified secrets at risk. He also accused her of using private email to hide communications that she didn't want to become public. To date, there has been no proof that Clinton's email server was hacked, and the FBI has not charged her with any crime.
Pence's AOL account, meanwhile, was hacked last summer, resulting in a scammer sending an email to his contacts, using the account to claim that Pence and his wife were stuck in the Philippines and needed money urgently, reports the Indianapolis Star newspaper. Pence dumped that account and opened a new one with AOL.
Double Standard Alleged
Clinton's use of a private email server became a flashpoint during the 2016 U.S. presidential elections and rallying cry for her opponents.
In October 2016, Pence lauded FBI Director James Comey for reopening, just days before the presidential election, an investigation into Clinton's use of a private email server.
"Literally Hillary Clinton had classified information on a private server that she said she didn't have ... that, to me, is the kind of double standard that the American people are weary of," Pence said at the time.
.@realDonaldTrump and I commend the FBI for reopening an investigation into Clinton's personal email server because no one is above the law.— Mike Pence (@mike_pence) October 28, 2016
What Information Was Exposed?
As a governor, Pence likely wasn't privy to much classified information. But a public records request with the state of Indiana filed by the Indianapolis Star found that Pence had used his personal email account to communicate with top advisers on a range of sensitive topics, including how the state was responding to terror attacks, as well as attempts to block the settlement of Syrian refugees in the state.
To be clear, Pence apparently broke no laws. As the newspaper reports: "Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public record purposes."
In a statement, Pence's office in Washington says that while he was governor, "Pence fully complied with Indiana law regarding email use and retention" and that "government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana's Access to Public Records Act."
Records Retention Rules
But the Indianapolis Star notes that Pence appears to have waited to move his AOL emails into the state's record-retention system until the end of his tenure as governor, despite having used it for official business from 2013 until this year.
Complying with record-retention laws remains an ongoing concern for government officials. In January, several senior staff members of Trump's transition team were reportedly still using a private Republican National Committee email server to conduct official business after they began working at the White House.
Pence was also a member of the House of Representatives from 2001 to 2013 and perhaps also used his AOL account during that time. But Congress continues to exempt itself from the email retention rules that it has imposed on federal agencies.
AOL Accounts Got Hacked
Pence's choice to use a personal email account to conduct official business, and the choice of AOL in particular, was a risky move. In 2014, AOL warned that an online attack had compromised 2 percent of its accounts, and it urged tens of millions of account holders to change their passwords.
Of course, Pence is far from the only person in government who has used a private email account to conduct official business. In 2015, the now-former director of the Central Intelligence Agency, John Brennan, had his personal AOL email account hacked, apparently by an American teenager who stole emails and attachments. As a result of the breach, personal information for some top U.S. intelligence and national security officials ended up being leaked by WikiLeaks.
At the time, it was unclear what was more embarrassing for Brennan - that the CIA director's personal email account got hacked, or that the nation's clandestine intelligence chief was still using AOL. While the service was big in the 1990s, many were surprised to learn that it still existed.