Friday, September 2, 2022

Post #5878 Commentary: Hillary Clinton's Emails vs Trump's Stolen Documents

A couple of examples about how seriously the government takes even unclassified data and systems. (I've been primarily an Oracle database administrator since I left academia in the 1990s.) I've worked on a wide variety of databases, both in and out of government. There are a lot of things I can't discuss for contractual and ethical reasons, but I'll discuss a couple of scenarios in very general terms to underscore some of the issues in the Clinton and Trump scenarios.

The first example is the concept of leakage. I'm speaking in general terms here because I don't know the nuances of Clinton's emails. But many cleared personnel may have separate NIPRNet and SIPRNet email accounts. Classified data are restricted in communication via the latter, typically in a SCIF with restrictive access and specialized workstations. You cannot bring smart technology, like cellphones, or things like recordable media into the SCIF, and generally no notes or printouts, etc. Even things like software update media have to undergo scrutiny to protect against malware. No doubt Hillary Clinton might find it inconvenient to access a SCIF given her heavy travel schedule; what accommodations, if any, are made, I don't know. I assume secure connections may be available in embassies and military installations.

I cannot speak of the specifics but presumably her personal email was some sort of integration with NIPRNet. Now technically the government doesn't approve of using its email accounts for personal uses. Thus, for instance, many of us might check our cellphones on a lunch break away from a SCIF. My RN sister, a retired civil servant, once screamed at me for sending a personal email to her government email account. I didn't do it directly. I did a reply all to a niece's email and hadn't noticed her using her mom's work email. 

So technically SIPRNet and NIPRNet email accounts are separate and don't talk to each other. You cannot (legally) paraphrase or otherwise restate classified data on NIPRNet, a process called derivative classification. (There are all sorts of rules for mixing and matching data of differing security levels, including marking sections and determining full document security status.) I don't know what documents Clinton got on her email (the purported 88 or so secret or higher); I seriously doubt she got, say, PDFs of original documents; probably it was derivative classified (which by itself is a serious infraction, at minimum by the person sending it to an account not on SIPR (not just someone who is appropriately cleared but has a "need to know")). [Note, as cited below, the FBI didn't find properly marked classified documents in the emails; presumably they were derived and/or unconventionally marked, e.g., (c). I haven't seen a breakdown of emails by source, i.e., to or from Hillary. Obviously if Hillary is the source, it's particularly serious, because Clinton's server was not integrated with SIPRNet. Certainly if Hillary was the target, she had a professional, if not legal, responsibility to report and escalate any security breach. At best, Clinton was incompetent and/or negligent.]

So the term that is usually used in describing how secret or higher data get into a lower system is "leakage". And a related incident reportedly occurred by user error on a database I once maintained on the NIPRNet. To this day, I don't know the specifics or how it was resolved (need to know); I got involved when a civilian IT manager had heard a rumor that Oracle had a technology which would resolve the issue; that was a false rumor but I ended up having to validate my conclusion through Oracle Tech Support. It had high management visibility for 2-3 weeks before somehow it was resolved.

The second incident haunts me to this day. A few years back, I was the primary administrator for 2 Oracle database machines (Oracle was the single source for everything including OS, hardware, software, etc.). The idea of a one-stop shop was appealing to government managers (not having vendors pointing to others over technical issues). There are various annual maintenance fees, including hardware.

Now let me explain some things that I would end up piecing together later. If a disk drive dies on a system, the government has a policy of not returning them but keeping them and basically physically altering the disk to an unusable status by degaussing them. Now the standard Oracle practice in its maintenance plan is to ship a replacement disk and have the customer ship back the failed disk. Now Oracle knew some of its security-minded customers, like the government, wanted to keep their failed disks and offered a policy waiving returning the disk (I don't recall the amount, but say $125/year). Long story short, the original Oracle reseller had originally bundled the waive-disk-return policy, priced in for at least the first year (I wasn't on staff then), but some idiot, incompetent government manager, apparently looking to save a few bucks, discontinued the policy on first renewal.

So the problem occurred maybe 3-4 years later. The government initially wanted to build a redundant architecture across (unclassified) servers but eventually decided to use the second machine as a test/development server. I usually tested the consolidated patches against the non-production box. This one patch failed, and it turned out the cause was a failed disk. (It really didn't touch the database on the box, but the security folks didn't care--they have a simple rule.) It was a DIY replacement with a shipped disk cartridge. I had to jump through hoops to access the physical server. Long story short, the replacement worked but Oracle starts harassing me about returning the disk. My civilian supervisor says no way, government policy. Our security group starts pressuring me to hand over the cartridge. The problem is, the government doesn't own the disk; Oracle does. BY CONTRACT.

In this case, the owning organization is different than mine. So the "real" client is pressing me for a couple of things from Oracle: how much to keep the disk, and how can we reinstate the waive-disk-return coverage. And Oracle is totally unresponsive to the cost estimate; it was like, "We don't know; this hasn't happened before. You still have (say, up to 45 days) to return the disk. An invoice will be issued when the invoice is issued." In the interim, I'm told the client, to regain coverage, is going to have to backfill the lapsed payments. I finally get a price quote for the disk. Only the client manager says, "Sorry; I've got no budget."

Finally, he gets the budget, but now I get an unexpected call from an idiot government auditor from hell. Like, "Who the hell are you, lowly unauthorized contractor, to get off purchasing a disk without going through a government competitive purchasing bid?" I may have found the one government employee even stupider than the one who let the waiver-disk-return coverage lapse. The lady couldn't get it through her condescending head we were dealing with a contract stipulation, not a procurement. She hung up on me.

I don't know what happened because I had a separate issue with my contractor management and left my position soon thereafter. [My civilian supervisor knew the status and where I was holding the disk; I was waiting for payment confirmation from Oracle to turn in the disk.] When a later job offer fell through, I couldn't help but wonder if the auditor had filed a complaint against me.

I'm not saying my experiences are representative, but when I look at Clinton and Trump's issues over classified data, it's like, give me a break! There are thousands of us civilians and contractors who go through hell in compliance with the classified system and if we make a mistake, we can lose our job and could face prosecution in a federal court, facing steep fines and/or prison time.

Now I don't want to go into the debate on Clinton's emails, which I probably did a few years back. I still don't know what motivated her to try to use her own email for US government business as Secretary of State beyond personal convenience. [See below; it could be the Clintons opposed transparency of emails.] As I recall, this was in the aftermath of the Sarah Palin Yahoo email hack and publication on WikiLeaks. Palin, then Alaska's governor, did state business using her Yahoo account. I do not understand the hubris of why Clinton, as one of the highest-ranking government officials in the Obama Administration, would not only violate her own department's standard of using professionally-managed government email (typically today, the government uses multi-factor authentication (something you have, e.g., a CAC, and something you know, e.g., a passcode) for email access) but use her own questionably maintained email server.

The Federal Records Act requires that all communication in certain branches of government be recorded on government servers, and it forbids the use of a personal email account for government business, unless those emails are then copied and archived. ...

When she was appointed secretary of state in 2009, Clinton began using the email address hdr22@clintonmail.com, tied to a personal server. Clinton’s personal email server was first discovered in 2012, by a House committee investigating the attack on the American Consulate in Benghazi. In 2013, hacker Guccifer claimed to have accessed Clinton’s personal email account and released emails that were allegedly related to the Benghazi attack. 

In early 2015, the New York Times reported that Clinton had been using her personal email exclusively, and never had a government email address. A federal watchdog group issued an 83-page report condemning the “systemic weaknesses” of Clinton’s email practices in May. [I]n the summer of 2015, the State Department began asking Clinton for her email correspondence, and she responded by delivering boxes containing more than 30,000 printed emails. Clinton handed over 30,000 emails to the State Department, of which 110 contained classified information at the time they either were sent or received, according to the FBI’s findings. During the investigation, though, Clinton asserted that none of the emails she sent or received were classified at the time.

After a years-long FBI investigation, it was determined that Clinton's server did not contain any information or emails that were marked classified. Federal agencies did, however, retrospectively determine that 100 emails contained information that should have been deemed classified at the time they were sent, including 65 emails deemed "Secret" and 22 deemed "Top Secret". An additional 2,093 emails were retroactively designated confidential by the State Department.

Among other defenses, Clinton asserted predecessors didn't use government email addresses. 

[D]uring my historical review of email use in the White House as part of Where Have All The Emails Gone?, it became clear that the Clinton White House not only did not want its own email messages to be made public, but as far back as 1993, it defended George H.W. Bush's attempts in the U.S. Court of Appeals to classify email messages as something other than records so email messages wouldn't be subject to the record-preservation requirements of the Presidential Records and Federal Records Acts.

I didn't check the Federal Records Act to see when Ms. Clinton's emails were due, but she ended her term as Secretary of State in early February 2013. In the case of Presidents, it's the last day of (any consecutive) term in office. We know her use of a personal email account came out in 2012, and I'm not sure why there's almost a 3-year gap before NARA or the State Department asked for her emails. I didn't like the self-report nature of Clinton deciding which emails were government property.

Now what about the comparison and contrast of Trump with Clinton? I've written multiple posts on Trump and this scandal and I'm not going to repeat the details here. But in overview: we know that Trump actively resisted document retention without the knowledge and consent of NARA: he tore documents up, flushed them down the toilet, and put them in burn bags; he was counseled many times by his chief of staff, lawyers, etc. about the act and the fact he had to turn over materials by the end of his term; we know that NARA tried for a year to get the material back and he finally conceded when NARA threatened going to Congress or DOJ: NARA picked up 15 boxes in January, got more documents following a subpoena by June, and still more documents after the August MAL search. We know they found 3 documents in Trump's desk, suggesting he knowingly withheld documents from the government. Just as alarming: he didn't store the documents securely. In the months following the NARA pickup, the government had to press him to padlock the storage room and put it under surveillance. We don't know if uncleared people or others without a need to know (including Trump) accessed the documents, copied or even destroyed them. (As I write, there are reports of empty document folders.)

Unambiguously the 300+ documents are USG property, not Trump's. Trump came in with a late, recent claim that he had a standing order to declassify all documents accompanying him. Technically he had authority to declassify individual documents, but there is no evidence he modified declassification executive orders and none of the documents showed revisions that the document statuses had been changed. Any arbitrary order doing declassification without due diligence would likely be unconstitutional. Let's be clear: even if somehow Trump's claim held up, that doesn't clear him from a charge of stealing government documents.

In comparing Clinton and Trump, I would have to make simplifying assumptions. We don't know if anybody without access or need to know got access to the documents at Mar-a-Lago, if they were reproduced and/or posted online, if Trump tried to profit or use access to the information. Any of those would complicate the situation. I think both Clinton and Trump failed to comply with federal sunshine laws at least until they complied under government pressure. I do think Trump is particularly hypocritical because he politically attacked Clinton over her email kerfuffle. But technically, the security vulnerability for Trump was physical access at Mar-a-Lago, while technically any number of hackers could have accessed Clinton's emails. On the other hand, although we don't know specifics, the nature and extent of national secrets for Trump's material was probably more serious and extensive, over 3 times Clinton's volume.

The part of me which has complied with classification policies thinks both Clinton and Trump should have had to face equal treatment for violating policy, but as far as I can tell, the secrets have not been exposed and caused damage to national security. So I might simply declare victory over getting the records back and let the process serve as a deterrent to others. There are some tweaks I might make to the acts, e.g., periodic pickups of documents, cc'ing copies of emails to a repository, more rigorous enforcement of classification handling processes at the White House, etc.