Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone's emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing). Since then, securing private communications has become increasingly important. That's why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to GitHub, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo's Chief Security Officer, Alex Stamos, was contributing to the project as well.
Thus it's not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo's GitHub repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it's still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It's still not ready for prime time, and it's unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user-friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.
It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that's an exceptionally short-sighted view. If Google, Yahoo and others don't do enough to protect their users' privacy, those users will go elsewhere, and then it won't matter whether or not the emails are encrypted, because they won't see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.
Hey, politicians who read Techdirt... look, can we talk for a moment? As someone with a keen interest in DC machinations and politics on a national level, I feel like I know you guys well enough to have a heart to heart with you. And I get how the DC game is played. Some story comes out creating a national outrage with some percentage of the country and the whole thing seems designed to thieve the attention you might otherwise be getting from the press and the constituency. It's not only tempting, it's downright irresistible to react to such a story in an insane way, even if only to momentarily draw attention, any kind of attention, back on yourselves. I get it, believe me. When I first saw the trailer for the new Game of Thrones while sitting in my living room with my family, for instance, I immediately stood up, took my pants off, and ran around the block a few times until my wife clotheslined me on the third lap. Because, let's face it, that's how we roll, am I right?
But, guys, seriously...there's enough meat on the bone in the Hillary Clinton super-secret unofficial email fiasco-steak to work with. You really don't have to lose your minds and draw all the wrong kind of attention to yourselves as a result. For example, don't be Lindsey Graham.
If you click that link, there's a video of Senator Lindsey Graham (we'd embed it here, but NBC still hasn't figured out how to allow HTTPS embeds, because it doesn't care about your privacy, apparently). Here's the key part of Graham's exchange on Meet the Press.
Chuck Todd asked Graham, "Do you have a private e-mail address?"
Graham's answer: "I don't email. No, you can have every email I've ever sent. I've never sent one. I don't know what that makes me."
Well, Senator, it quite likely makes you the most unqualified member of the subcommittee on Privacy, Technology and the Law for starters. Because email is ubiquitous enough at this point that I'm not even sure it should be called "technology" without being prefaced by the qualifier "super old and probably due for displacement." To at once sit on that committee and proudly state that you've never sent an email during your time in office sounds like you're begging to be replaced on that committee.
But my point is a larger one: the Clinton email scandal is one that should not result in any thinking person believing that having never sent an email to anyone ever is a bragging point. Put this kind of reaction into other contexts and see how far it gets you. One wouldn't, for instance, react to the cluster-bomb that has become Obamacare by proudly stating, "I've never even gone to a doctor!" One wouldn't criticize our foreign policy in the Middle East by proudly shouting, "Dude, I've never even been out of our country!" That's just stupid.
And so is proudly claiming that you've never sent an email. You want to have some kind of massive reaction to get attention? Fine, just don't say stupid things like Lindsey Graham. My suggestion? Take your pants off and go for a jog. You'll feel better when you do, I promise.
Unfortunately, the lower-level officials and rank-and-file are abysmal at retaining emails subject to open records requests. In fact, they're so far under abysmal as to not even register on the Excellent-to-How-do-these-people-still-have-jobs? scale.
First, we have this:
A 2009 upgrade in the Department of State’s system facilitated the preservation of emails as official records.
Then we have this:
In 2011, employees created 61,156 record emails out of more than a billion emails sent.
Then… we have this:
Employees created 41,749 record emails in 2013.
Assuming around a billion emails for both the years quoted, State Department employees have managed to retain only .01% of emails created as FOIA-able "official records." Some of this is due to the lack of training or guidance on their responsibilities as public officials. But most of it is likely due to this, which is also related to the ongoing lack of training or guidance.
Some employees do not create record emails because they do not want to make the email available in searches or fear that this availability would inhibit debate about pending decisions.
"Inhibit debate." What a bunch of cowards. So scared of the American public that they shirk their responsibilities to the people who put roofs over their heads, gas in their cars and pension checks in their mailboxes. It's no surprise they haven't received the necessary training and guidance. Everyone from the Secretary of State on down suffers from the same fear of accountability. If they're not retaining records at the top level, those middle-managing aren't going to feel too compelled to make sure every employee takes care to retain emails as official records. "Lead by example," as the saying goes, and the example is… Hillary Clinton, etc.
The OIG discovered that, while every State Dept. office was pretty terrible about following retention rules, some were much worse than others.
The OIG team’s review of the Department’s records on record email use by missions and bureaus shows great variations (see Appendices C and D). For example, Embassy Singapore created 1,047 record emails in 2013; Embassy Islamabad created 121; and Embassy Beijing, only 47. Consulate General Lagos created 4,922 record emails, the most of any post in 2013.
The Department’s bureaus also vary widely in their use of record email. The Bureau of East Asian and Pacific Affairs created 736 record emails in 2013; the Bureau of International Organizations, 311; the Bureau of South and Central Asian Affairs, 26; and the Bureau of International Narcotics and Law Enforcement Affairs, only 22. IRM created 1,630 record emails, more than any other bureau in 2013.
Some bureaus increased usage when the OIG informed them that email retention could also work to their advantage. Not all paper trails are damning. Some are exculpatory. Certainly there are more of the former than the latter, hence the State Department's general reluctance to keep any more than .01% of its emails in any given year.
The OIG also noted that there is no centralized oversight of this system. Unsurprising, considering no one seems to want the job. Even when given a system that makes retention easy, the State Dept's staff -- from top to bottom -- has gone out of its way to avoid doing that very thing.
The OIG suggests further training, but that's not going to make much of a dent in the ingrained culture of secrecy common to many government agencies. It also suggests a handful of other bureaucratic fixes, many of which will likely be listed as "in the works" or "unstarted" when the next OIG report rolls around.
As for the report itself, it's quite possible this would never have been made public if not for recent events. It's marked "Sensitive but Unclassified" and carries this since-stricken warning in the opening pages.
IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.
In other words, the secretive agency's internal report about its transparency-thwarting was supposed to remain a secret. The OIG blows the lid off the agency's willing failure to retain email records, and the State Department -- with the OIG's tacit approval -- elects to keep constituents from learning how its government is actively working to keep them separated from records they have every right to demand.
Hillary Clinton and her team apparently felt that it was finally time to have the Candidate* address the whole email thing, which she did with a press conference, in which she tried to brush the whole thing off as nothing. Here's the key bit from her prepared remarks:
Now, I would be pleased to talk more about this important matter, but I know there have been questions about my email, so I want to address that directly, and then I will take a few questions from you.
There are four things I want the public to know.
First, when I got to work as secretary of state, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.
Looking back, it would've been better if I'd simply used a second email account and carried a second phone, but at the time, this didn't seem like an issue.
Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.
Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them. We went through a thorough process to identify all of my work-related emails and deliver them to the State Department. At the end, I chose not to keep my private personal emails -- emails about planning Chelsea's wedding or my mother's funeral arrangements, condolence notes to friends as well as yoga routines, family vacations, the other things you typically find in inboxes.
No one wants their personal emails made public, and I think most people understand that and respect that privacy.
Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.
I am very proud of the work that I and my colleagues and our public servants at the department did during my four years as secretary of state, and I look forward to people being able to see that for themselves.
Again, looking back, it would've been better for me to use two separate phones and two email accounts. I thought using one device would be simpler, and obviously, it hasn't worked out that way.
Later, in the Q&A session, she added a few "details." On the question of which emails she kept private (which she says she deleted), she claimed it was just stuff that doesn't need to be shared, such as emails between herself and Bill Clinton:
And the process produced over 30,000 you know, work emails, and I think that we have more than met the requests from the State Department. The server contains personal communications from my husband and me, and I believe I have met all of my responsibilities and the server will remain private and I think that the State Department will be able, over time, to release all of the records that were provided.
As for the security of the emails, she insists they were fine because they were guarded by the Secret Service:
Well, the system we used was set up for President Clinton's office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.
So, I think that the -- the use of that server, which started with my husband, certainly proved to be effective and secure.
Now the proper follow-up to that is: how the hell do you know there were no security breaches? Having Secret Service agents guard the physical machine is one thing. Making sure there were no online breaches is another thing entirely. Trevor Timm, over at the Guardian, notes that Clinton's statements only raise a lot more questions.
For example, she claims that the private emails were things like emails with Bill. But, as Timm points out, just hours earlier, Bill Clinton's spokesperson said that the President still doesn't use email.
The former president, who does regularly use Twitter, has sent a grand total of two emails during his entire life, both as president, says Matt McKenna, his spokesman. After leaving office, Mr. Clinton established his own domain that staff use–@presidentclinton.com. But Mr. Clinton still doesn’t use email himself, Mr. McKenna said.
So, was Hillary lying when she said other emails were just her and Bill chatting -- or was Bill's own spokesperson wrong?
Timm also digs in on that "no security breaches" claim, and finds that Clinton's people did a followup with a caveat: "there is no evidence there was ever a breach." Which could mean there was one, and they just never knew about it. Furthermore, the better question (and one a reporter in the press corps should have asked) is not about the Secret Service guys guarding the box, but who set up the computer security for the email server. But no one did. Here's Timm:
Also: what type of security professionals were looking after the server? Clinton said the secret service guarded it, but we have no idea the expertise of the person actually running it. Experts have already pointed to basic holes in the email server’s security based on public data, and as any systems administrator will tell you, running your own email server is never simple.
Another point raised by Timm: Clinton seems to be willfully misstating the rules when she claims she didn't violate them:
Clinton also said at the press conference she “fully complied with every rule I was governed by”. Well, actually: a 2005 State Department directive said “It is the Department’s general policy that normal day-to-day operations be conducted on an authorized [Automated Information System], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information.”
Recently, there was something of a scare around GNU Privacy Guard (GPG), a "free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP)." An article on Propublica revealed that GPG was essentially the work of one person, who was running out of money. Just at the moment when we needed properly-implemented strong crypto most, it looked like the project was on the verge of collapse. Fortunately, that same article also succeeded in raising people's awareness of the situation, and enough money was pledged as a result to secure the future of GNU Privacy Guard, at least for the immediate future.
When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don't want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and -- with a faint glimmer of hope – am typically disappointed.
Eventually I realized that when I receive a GPG encrypted email, it simply means that the email was written by someone who would voluntarily use GPG. I don't mean someone who cares about privacy, because I think we all care about privacy. There just seems to be something particular about people who try GPG and conclude that it's a realistic path to introducing private communication in their lives for casual correspondence with strangers.
Increasingly, it’s a club that I don’t want to belong to anymore.
The rest of his interesting post goes on to describe the flaws of GPG. Basically, it is extremely hard to use, not widely deployed, and has turned into impenetrable, backward-looking code -- all of which are entirely reasonable criticisms. Marlinspike concludes:
GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography. If there’s any good news, it's that GPG’s minimal install base means we aren't locked in to this madness, and can start fresh with a different design philosophy. When we do, let's use GPG as a warning for our new experiments, and remember that "innovation is saying 'no' to 1000 things."
In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install GPG. Now I'm still excited about the future, but I dream of a world where I can uninstall it.
Again, those are all good points. And yet for all GPG's faults, and for all its failings, it seems somewhat ungrateful to berate it in these terms. I suspect that it has saved a good many people living in countries with oppressive and brutal regimes from arrest or worse; it has doubtless helped journalists to receive crucial information they might not otherwise have been sent, and to keep their sources safe; and it certainly made Snowden's revelations possible -- at least once Glenn Greenwald finally worked out how to install it. To say that it could have been better, or that its unintuitive approach may have prevented more people from using it misses the point, which is that in its own idiosyncratic way it was there when people really needed it, and that it did the job asked of it -- and for that, we should be hugely grateful, even while hoping that something better will come along soon.
from the how-hard-is-it-to-just-use-the-government's-email dept
So the whole Hillary Clinton email story is getting worse and worse for Clinton. We already noted that there was no way she couldn't have known that she had to use government email systems for government work, as there was a big scandal from the previous administration using private emails and within the early Obama administration as well. This morning we discovered that Clinton also gave clintonemail.com email addresses to staffers, which undermines the argument made by Hillary's spokesperson that it was okay for her to use her own email address because any emails with staffers would still be archived by the State Department thanks to their use of state.gov emails. But that's clearly not the case when she's just emailing others with the private email addresses.
As we noted yesterday, there are two separate key issues here, neither of which look good for Clinton. First, is the security question. There's no question at all that as Secretary of State she dealt with all sorts of important, confidential and classified information. Doing that on your own email server seems like a pretty big target for foreign intelligence. In fact, Gawker points out, correctly, that Hillary's private email address was actually revealed a few years ago when the hacker "Guccifer" revealed the inbox of former Clinton aide Sidney Blumenthal. So it was known years ago that Clinton used a private email account, and you have to think it was targeted.
Anonymous State Department "cybersecurity" officials are apparently shoving each other aside to leak to the press that they warned Clinton that what she was doing was dangerous, but couldn't convince her staff to do otherwise:
“We tried,” an unnamed current employee told Al Jazeera. “We told people in her office that it wasn't a good idea. They were so uninterested that I doubt the secretary was ever informed.”
It was unclear whom Clinton hired to set up or maintain her private email server, which the AP traced to a mysterious identity, Eric Hoteham. That name does not appear in public records databases, campaign contribution records or Internet background searches. Hoteham was listed as the customer at Clinton's $1.7 million home on Old House Lane in Chappaqua in records registering the Internet address for her email server since August 2010.
The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential Internet account as Mrs. Clinton's email server. The former president's full name is William Jefferson Clinton.
While Eric Hoteham may be a mysterious non-entity, as Julian Sanchez points out, an early Clinton staffer was named Eric Hothem. Of course, Stanford cybersecurity guru Jonathan Mayer also notes that Hillary's old home server is still online and running Windows Server 2008 R2.
However, the AP reports that the email has moved around a bit over the past few years:
In November 2012, without explanation, Clinton's private email account was reconfigured to use Google's servers as a backup in case her own personal email server failed, according to Internet records. That is significant because Clinton publicly supported Google's accusations in June 2011 that China's government had tried to break into the Google mail accounts of senior U.S. government officials. It was one of the first instances of a major American corporation openly accusing a foreign government of hacking.
Then, in July 2013, five months after she resigned as secretary of state, Clinton's private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top Internet security company.
That likely means the email was much more secure after July of 2013, but it certainly raises questions about how secure it was for years before that.
Though, we do know that it was secure from one thing: FOIA requests. That is the second of the two big issues raised by this whole thing. By using her own email setup, she was clearly able to hide important documents from FOIA requests. In fact, as Gawker notes, her staff's defense of the use of her private email actually now confirms emails as legit that the State Department denied existed back when Gawker made a FOIA request years ago.
That's because following that Guccifer hack, Gawker filed a FOIA for those emails and was told they don't exist. Yet, now Clinton staffers point to that old Gawker article to suggest that the private email address is "old news," thus confirming that the emails were legit, even though the State Department denied them.
The Clinton camp’s claims about the email account being above-board is also contradicted by the State Department’s response to Gawker’s inquiries two years ago. After we published the story about Blumenthal’s correspondence with Clinton, we filed a FOIA request with the agency for all correspondence to date between Hillary Clinton and Sidney Blumenthal, specifically including any messages to or from the email@example.com account. The screenshots and other documents released by Guccifer—which have now been validated by Clinton’s spokesman—confirmed that such messages existed.
But the State Department replied to our request by saying that, after an extensive search, it could find no records responsive to our request. That is not to say that they found the emails and refused to release them—it is conceivable, after all, that the State Department might have attempted to deny the release of the Clinton-Blumenthal correspondence on grounds of national security or Blumenthal’s own privacy. Instead, the State Department confirmed that it didn’t have the emails at all.
Which is exactly why Clinton used a non-State Department email server to conduct her official business.
According to the NY Times, the State Department says that it won't go back to correct the FOIA requests that it responded to in the past, saying that such records didn't exist. Instead, it will only now search the emails that have been turned over by Clinton's staff. That is another 50,000 emails, but no one knows what emails the staff removed or refused to turn over.
Either way, there are two huge problems here. Clinton likely exposed her emails to foreign spies, while keeping them away from the American public.
There has been quite a kerfuffle around the apparent fact that Hillary Clinton solely used her personal email account for government business. This piqued my curiosity, especially since I've been playing with a service called Conspire lately.
Conspire is a startup that analyzes your email and then seeks to provide you with an email chain with which to introduce you to the desired person. So, say I wanted to email my current business crush, Marcus Lemonis: Conspire's system found a path with which I could ask for an introduction. In my case, my friend Espree could email her friend Nathan for an introduction to Marcus. Neat. I can definitely see how Conspire could become a useful tool, albeit one that raises some very interesting privacy questions.
So, I looked for Hillary Clinton's now firstname.lastname@example.org email address in Conspire. No luck. Conspire is still growing, so I suppose it makes sense that none of its members have yet to email Hillary. But then I tried just the clintonemail.com domain in the search, and got one hit. Huma Abedin, Hillary's long-time aide, had an email address with the clintonemail.com domain in Conspire's records. Unfortunately, I have no connection path to Ms. Abedin, so I can't ask the system to facilitate an introduction, but it is fascinating. What other Clinton staffers were using email addresses at the clintonemail.com domain? Seems like at least one was.
To be fair, Abedin not only was Clinton's deputy chief of staff in the State Department, but she also continued to work for Clinton after Clinton left office. It is possible that she only got the email address after leaving the government, but it certainly raises some serious questions about whether or not other State Department staffers were provided private clintonemail addresses to avoid transparency requirements. In fact, Politico is reporting specifically that Abedin and other staffers used non-government email addresses while in the State Department, which suggests the clintonemail address may have come earlier:
Clinton’s personal aide, Huma Abedin, and her communications adviser, Philippe Reines, regularly used unofficial email accounts for work-related email, former colleagues said.
This also makes me wonder what other new communications mediums our government officials are using. Could world leaders be SnapChatting each other? Or perhaps sending international YO's? Or trolling each other on YikYak? And, if they are, are they complying with records retention laws?
Hillary Rodham Clinton exclusively used a personal email account to conduct government business as secretary of state, State Department officials said, and may have violated federal requirements that officials’ correspondence be retained as part of the agency’s record.
Mrs. Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.
This is dumb on many, many levels and there appears to be no excuse for it happening. First off, using a personal email as Secretary of State seems like a massive privacy and security risk. While one hopes that there was at least some attempt to better secure her personal account by government security experts, it's still almost certainly less secure. Given how much sensitive information the Secretary of State has to deal with, it seems inexcusable that she was allowed to conduct official business via her personal account. That to me seems like an even bigger deal than the part that everyone else is focused on: the failure to preserve her emails as required by law.
Of course, the failure to preserve the emails is a big deal as well. But here's the really stunning thing: there is simply no way that Clinton and others in the administration didn't know that she was supposed to be using a government email address and preserving those emails. That's because both the previous administration and others in her own administration got in trouble for using personal email addresses. As Vox notes, towards the end of the Bush administration there was a similar scandal involving a variety of high level administration members using personal email to conduct government business and to avoid transparency requirements.
That scandal unfolded well into the final year of Bush's presidency, then overlapped with another email secrecy scandal, over official emails that got improperly logged and then deleted, which itself dragged well into Obama's first year in office. There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same.
That she decided to use her personal address anyway showed a stunning disregard for governmental transparency requirements. Indeed, Clinton did not even bother with the empty gesture of using her official address for more formal business, as Bush officials did.
But that's not all. What the Vox report doesn't note is that the scandal actually carried over to the Obama administration also, as the White House's first Deputy CTO was reprimanded for using his personal email address as well, early in 2010. So there was both a scandal about the similar use of private email accounts in the previous administration and in the Obama administration. It's impossible to believe that Clinton or the other key people who worked for her in the State Department were unaware of one or both of these issues while she was using her personal email address.
While the White House's email system may be clunky and annoying to use (as I've heard repeatedly), there's simply no excuse for Clinton not to have used it at all -- and for the emails she did send not to be preserved as required under the law. A few years ago, we mocked Homeland Security boss Janet Napolitano for refusing to use email entirely -- though at least she was upfront about the reason. She didn't want to be held accountable for what she said -- though, the reality was she would still have staff members send emails for her. Clinton appears to have wanted to be free of that accountability as well, but to still have the benefits of direct electronic communication herself. In short, she purposely ignored the law for her own benefit.
There are multiple ways to handle a super-sensitive situation like this one. The following is none of them. [via CJ Ciaramella]
Far too many politicians and legislators aren't happy with the fact that their emails are subject to public records requests. Some attempt to dodge this layer of accountability by using personal email accounts to handle official business. Oregon governor John Kitzhaber is one such politician.
Gov. John Kitzhaber’s office last week requested state officials destroy thousands of records in the governor’s personal email accounts, according to records obtained by WW and 101.9 KINK/FM News 101 KXL.
Rumors of possible influence peddling led to this public records request. Kitzhaber's last-minute attempt to set fire to his email legacy doesn't exactly plant a halo over his head, seeing as it came one day before the Oregon DOJ opened up an investigation into these allegations. But he might have gotten away with it if only his own executive assistant hadn't completely sabotaged the coverup.
Records show the request to destroy Kitzhaber’s emails came from Jan Murdock, Kitzhaber’s executive assistant. She wanted all emails from Kitzhaber’s personal email accounts removed from state servers.
Let that sink in for a moment.
There has been no word as to whether Kitzhaber required emergency surgery to remove his face from his palm after his assistant informed him that she had EMAILED orders to delete his EMAILS to EMAIL accounts that were subject to open records requests.
But then again, maybe Kitzhaber would have been out of luck anyway. Restoring a bit of faith in the system were the responses from staffers to this unusual request.
The prospect of deleting thousands of emails clearly made Osburn’s supervisor, Arian Turpin, uncomfortable.
“Guys, hold on processing this request until we receive approval from a higher authority,” Turpin wrote in a Feb. 5, 2015 email at 6:52 pm. “Given the unusual nature of the request, I’m reluctant to have my team move forward without the active awareness and consideration of the possibilities and a direct approval from higher levels of the action.”
Turpin kicked this up to the next level, and the next level (Turpin's supervisor, Shawn Wagoner) was similarly hesitant to be Kitzhaber's accomplice. He ordered those involved to "take no action at this time" while he kicked it up yet another level to his boss (Gary Krieger) -- who also felt there was something inherently wrong with vanishing the Governor's emails.
Krieger told his supervisor, Michael Rogers, that he would not destroy the emails.
“I am not willing to make the call to delete information out of the email archive,” Krieger wrote on Feb. 5 at 7:24 pm. “As I stated we will need to discuss.”
The lesson here is: if you want to run a successful coverup, you need to make sure you've got more than one person on board with your plan. And you need to make sure that one person won't cheerfully pitch in with "help" that only hurts.
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.
Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
"I'm too idealistic," he told me in an interview at a hacker convention in Germany in December. "In early 2013 I was really about to give it all up and take a straight job." But then the Snowden news broke, and "I realized this was not the time to cancel."
Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.
Now, more than a year after Snowden's revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.
The fact that so much of the Internet's security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.
Koch's code powers most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win. "If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation."
The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail's lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations — just enough to keep the website online.
GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.
Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.
In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.
Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.
Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions.
Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.
In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.
For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. "But nothing came," Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.
But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.
The campaign gave Koch, who has an 8-year-old daughter and a wife who isn't working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. "I'm very glad that there is money for the next three months," Koch said. "Really I am better at programming than this business stuff."