The State Department's Office of Inspector General has released its report about Hillary Clinton's use of a private email server while she was secretary of state. Though the report uncovers no smoking guns -- no records of Clinton saying "Heh, heh, heh, they'll never FOIA my emails NOW!!!!" -- what it does lay out is deeply troubling, even though her supporters have already begun the proclamations of "nothing to see here, move along."
It lays to rest the longtime Clinton defense that this use of a private server was somehow normal and allowed by government rules: It was not normal, and was not allowed by the government rules in place at the time. "The Department's current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which "has the proper level of security control to ensure confidentiality, integrity, and availability of the resident information."
It also shreds the defense that "Well, Colin Powell did it too" into very fine dust, and then neatly disposes of the dust. As the report makes very clear, there are substantial differences between what the two secretaries of State did:
-- Powell says he set up a private email account, in addition to his internal account, because at the time the State Department "email system in place only only permitted communication among Department staff. He therefore requested that information technology staff install the private line so that he could use his personal account to communicate with people outside the Department."
This is a quite plausible reason that, around the turn of the millennium, a secretary of state would have wanted to use his own account. Powell seems not to have done enough to ensure that those records were maintained, which is a problem (though it's not clear that he was aware that he should have turned those emails over). But as far as I can tell, the most plausible explanation of Clinton's behavior is that she set up her email server expressly to keep those emails from being archived as records (and subject to Freedom of Information Act requests), which is a great deal more problematic than setting up an inadequately archived email system because there's no other way to use an increasingly vital communications technology.
-- Powell had an outside line set up in his office, into which he plugged a laptop, which he used alongside his State Department computer. The IT department was, in other words, aware that this was going on, and it seems to have come up in discussions of his drive to get everyone at State access to the Internet at their desk. While the quality of information about Powell's Internet usage is not as high as it is about Clinton's (after 10 years, memories fade, people become hard to contact, and records degrade), there's no indication that he was less than transparent with staff. But folks at State clearly had no idea what was going on with Clinton's email server and, troublingly, at least two people who asked about it were apparently told to shut up and never raise the subject again.
-- Three things have changed pretty dramatically since Powell's day: the magnitude (and appreciation) of cybersecurity threats, the quality of the State Department systems and government rules surrounding both recordkeeping and cybersecurity. One can argue that Powell should not have used a private computer during his tenure, but he seems to have done so in consultation with the IT folks, at a time when the policy surrounding these things was "very fluid" and the State Department "was not aware of the magnitude of the security risks associated with information technology."
-- The OIG found only three instances in which State employees had relied exclusively on personal email: Powell, Clinton and Ambassador J. Scott Gration, U.S. emissary to Kenya from 2011 to 2012. Gration, who served under Clinton, was in the middle of a disciplinary process initiated against him for this email use (among other things) when he resigned. So it is impossible to argue not only that this was somehow in compliance with State's guidelines but also that Clinton might have thought it was in compliance, unless she somehow failed to notice when or why her ambassador to Kenya went missing.
-- The OIG found evidence that the server was attacked and that Clinton's staff members (and presumably Clinton herself) were aware of it. (Clinton at one point seems to have expressed concern that people might be trying to hack her email.)
-- This is the most profoundly amazing part of the whole story: Clinton's server administrator was hired by State as a political appointee, from which position he continued to provide support to Clinton's private email server during working hours, without telling anyone this was happening.
Contact Megan McArdle, a Bloomberg View columnist writing on economics, business and public policy, at email@example.com