Jeh Johnson, the secretary of homeland security, and 28 of his senior staffers have been using private Web-based e-mail from their work computers for over a year, a practice criticized by cybersecurity experts and advocates of government transparency.
The department banned such private e-mail on DHS computers in April 2014. Top DHS officials were granted informal waivers, according to a top DHS official who said that he saw the practice as a national security risk. The official said the exempt staffers included Deputy Secretary Alejandro Mayorkas, Chief of Staff Christian Marrone and General Counsel Stevan Bunnell.
Asked about the exceptions on Monday, the DHS press secretary, Marsha Catron, confirmed that some officials had been exempted. “Going forward,” she said, “all access to personal webmail accounts has been suspended.”
Future exceptions are to be granted only by the chief of staff. Catron said that a “recent internal review” had found the chief of staff and some others were unaware that they had had access to webmail.
The DHS rule, articulated last year after hackers first breached the Office of Personnel Management, states: “The use of Internet Webmail (Gmail, Yahoo, AOL) or other personal email accounts is not authorized over DHS furnished equipment or network connections.” Johnson and the 28 other senior officials sought and received informal waivers at different times over the past year, the official said. Catron said exceptions were decided on a case-by-case basis by the chief information officer, Luke McCormack. DHS employees are permitted to use their government e-mail accounts for limited personal use.
Erica Paulson, a spokeswoman for the DHS Office of the Inspector General, said that the office does not confirm or deny the existence of any open investigations.
It remains unclear whether Johnson and the other officials conducted DHS business on their private webmail accounts. (The DHS spokeswoman said “the use of personal e-mail for official purposes is strictly prohibited.”) If even one work-related e-mail was sent or received, they could be in violation of regulations and laws governing the preservation of federal records, said Jason R. Baron, a former director of litigation at the National Archives and Records Administration.
“I suppose it is remotely conceivable that in seeking a waiver, 20 or more government officials could all be wishing to talk to each other through a Web-based e-mail service about such matters as baseball games or retirement luncheons they might be attending,” he said. “But it is simply not reasonable to assume that in seeking a waiver that the officials involved were only contemplating using a commercial network for personal (that is, non-official) communications.”
In March, the New York Times reported that as secretary of state, Hillary Clinton had used a private e-mail server exclusively to conduct her State Department business. Clinton said she had not violated any transparency laws because the Federal Records Act permits officials to use private e-mail, so long as they forward any government-related communications to their government accounts so that they can be archived and used to respond to requests under the Freedom of Information Act.
In November 2014, the Federal Records Act was amended to impose a 20-day limit on the time an official has to transfer records from private e-mail to government systems. Clinton transferred over 30,000 e-mails from her private server to the State Department in early 2015. She deleted another 30,000 e-mails on her private server, claiming they were all strictly personal.
It is unclear how Johnson and the other officials used their webmail accounts, and whether they forwarded any messages about government business to their official accounts.
Johnson used his personal Gmail account for government business at least once before he became head of DHS, a fact disclosed during the scandal that led to David Petraeus’s resignation as CIA director. The Justice Department is fighting to keep Johnson from having to give a video deposition in that case.
Anne Weismann, executive director of the Campaign for Accountability and a former Justice Department official dealing with FOIA litigation, said that even by seeking the waivers at DHS, Johnson and the other officials created at least an appearance and opportunity for impropriety.
“How could they possibly justify exempting the secretary and the most senior people from the policy? You are allowing the people who are most likely to create e-mails that are most worthy of preservation to bypass the system that would ensure their preservation,” she said.
The issue of top government officials using private e-mail is widespread and the rules barring such practices are rarely enforced, said Weismann. “What they really want is to have the ability to have off-the-record discussions,” she said. “It creates problems for record keeping and it puts it out of the reach of FOIA.”
Cybersecurity experts said that allowing the use of commercial webmail on otherwise secure computers increases the risk that those computers could be penetrated by hackers, foreign intelligence services or malware. Mail arriving through a personal webmail account bypasses the department’s own inbound filtering and attachment scanning, so a phishing link or malicious attachment delivered that way reaches the government workstation unscreened. And although consumer webmail providers typically encrypt messages in transit, the messages sit on the provider’s servers in a form the provider can read, not end-to-end encrypted, leaving them exposed to anyone who compromises the account credentials or gains access to the webmail server.
“The fundamental issue is that these commercial webmail systems were not designed with the threat in mind that is present when government officials are using consumer tools,” said Johannes B. Ullrich, dean of research for the SANS Technology Institute.
The threat is not just theoretical. In 2008, Sarah Palin’s Yahoo e-mail account was hacked by someone who used a password reset function to gain access, he said.
There’s also a moral hazard.
“If there are just certain individuals being exempted here, it’s setting a bad precedent for the rest of the department. If you say, ‘Hey, it doesn’t apply to everybody over a certain pay grade,’ the idea of these controls gets diminished and people look for workarounds,” said Ullrich.
Aside from the legal risk and the national security risk, exceptions to the department’s policies reinforce the narrative that the Obama administration lets senior officials skirt the rules, including by keeping their communications secret. The pattern was present in the previous administration as well, but after the OPM hacks and the deletion of Clinton’s e-mails, it is widely criticized and hard to defend.