WASHINGTON (AP) — Eight days before Hillary Clinton took office as secretary of state in January 2009, an aide to former President Bill Clinton quietly registered a new internet address for the couple. That trivial but deliberate online purchase is the earliest known hint of the private email system that now plagues the presumptive Democratic nominee's presidential campaign.
Buried in a footnote in a government watchdog's report released Wednesday, the reference to the registration of clintonemail.com was an early step toward building what became the private homebrew email system that has attracted an FBI investigation and raised questions about Clinton's judgment while serving as the nation's top diplomat.
The State Department inspector general's release of the 83-page report provides new insights into the server: Who knew about it, its vulnerabilities and the bureaucratic mismanagement that allowed the secret system to operate outside normal channels throughout Clinton's tenure.
The findings — more than a year in the making — also show how the use of private emails by Clinton and other top aides caused internal headaches for the few State Department officials who knew of its existence and for an agency that has long struggled to comply with federal cybersecurity and record-keeping requirements.
It would take six years after that simple domain registration in 2009 for Clinton to publicly acknowledge the existence of her private homebrew server, which The Associated Press first traced back to her home in Chappaqua, New York, in March 2015. Much of what is known about the system and why she used it remains clouded by the lack of documentary evidence and Clinton's own reluctance to discuss the sensitive topic.
Over time, through media accounts and now details in the inspector general's report, a clearer picture has emerged of Clinton's email system and its use: A basement computer, running Microsoft server software, directly connected to the internet to handle communications between Clinton and her aides. But it is still not clear how well her system was secured at the time, especially in light of new hacking attempts disclosed by the inspector general's report.
In the first months of Clinton's tenure, only her most trusted political-appointee aides used or were clued into the existence of her server, according to the report. Outside that privileged circle, other senior officials scattered across the department had "some awareness" of her use of private emails to communicate internally — often because her emails to them originated from a rotating cluster of private clintonemail.com addresses. Some State Department officials learned as early as March 2009 that Clinton was using a private server in the basement of her family's home.
Clinton declined to be interviewed for the inspector general report — despite Clinton saying as recently as this month that she was happy to "talk to anybody, anytime" about the matter and would encourage her staff to do the same. Three former senior aides, Huma Abedin, Cheryl Mills and Jake Sullivan, also declined. A fourth former top aide, Thomas Nides, did not reply to the inspector general's requests. Abedin and Sullivan are now Clinton campaign aides and Nides, currently vice chairman of the Morgan Stanley financial services firm, is a major Clinton fundraiser.
In late 2010, two State Department staff members raised concerns about Clinton's private email account in meetings with John A. Bentel, then director of the Office of Information Resources Management, the agency's computer services unit. Bentel, who is identified only by title in the report, also declined to be interviewed during the inspector general's review.
In one meeting with Bentel, a staff member worried that messages sent or received using the private server could contain documents that needed to be preserved under federal regulations.
Bentel told the staff member that State Department legal staff had "reviewed and approved" the server— though the inspector general's review found no evidence such a review had ever occurred. In that meeting and another that Bentel had with a different staff member who raised concerns, Bentel directed the staff members to "never to speak of the secretary's personal email system again."
Clinton's campaign has long insisted her system was well-protected. The AP reported last year that the server's security configuration could have allowed users to control it remotely, a practice that computer security experts widely say is vulnerable to hackers. And in January 2011, according to the inspector general report, a Bill Clinton aide wrote to Abedin that he had to shut down the system because Clinton's server had been targeted by outsiders.
"Someone was trying to hack us," the aide told Abedin. Later the same day, it happened again. "We were attacked again so I shut (the server) down for a few min," he said. The next day, Abedin warned Mills and Sullivan not to send Clinton "anything sensitive" in their emails.
Clinton told another aide in May of that year that she was worried about a suspicious link she found in her email. And that August, Clinton's email account was targeted at least five times one morning by infected emails known as "phishing" that originated in Russia and were disguised as New York state speeding ticket notices.
But in a March 2015 memo to reporters, shortly after the existence of Clinton's homebrew server was made public, her office said there was "no evidence there was ever a breach" of her system.
When Clinton acknowledged the existence of her extensive use of private emails last year she said she had "opted for convenience to use my personal email account."
But when Abedin told Clinton in November 2010 that her emails to the entire State Department were not being received because the agency system rejected her messages as spam, Clinton waved off suggestions to deal with the matter.
Abedin said "we should talk about putting you on State email or releasing your email address to the department." But Clinton rejected either idea, bluntly saying outsiders' access to her emails was her main worry — a statement at odds with her earlier explanation.
"I don't want any risk of the personal being accessible," Clinton said.