There are two separate criticisms being made of Hillary Clinton's use of a personal email account while she was secretary of state.
The first is a transparency concern: her personal email address wasn't automatically archived by the government, and even though she promises she's turning over all the relevant messages — she says she directed her staff to "err on the side of providing anything that could be possibly viewed as work-related" — we have no choice but to take her word for it. Asked if she would submit her emails for a third-party review, she refused.
The second is a security concern: her personal email address was a so-called "homebrew" operation. It was set up through her husband's office, and the email was stored on a physical server on the Clintons' property. Clinton was a prime target for determined hackers — and in using her own systems, rather than the government's hardened systems, she made herself a particularly easy mark.
One of these criticisms gets to a real scandal in Clinton's email usage. But the other gets to a scandal that is less about Clinton than it is about the way all of official Washington evades transparency laws.
Hillary Clinton and Washington's transparency theater
At her press conference on March 10, Clinton was asked, "Can you explain how you decided which of the personal emails to get rid of, how you got rid of them, and when?"
Her answer sounded ridiculous. "For any government employee," she replied, "it is that government employee's responsibility to determine what's personal and what's work-related. I am very confident of the process we conducted and the emails that were produced."
As David Graham wrote at the Atlantic, "Her response amounted to this: You've just got to trust me."
This answer is frustrating. But the truth is that Clinton's not the only one whose word the public has to take on faith. Virtually all government officials use personal emails, and, as most reporters know, sensitive communication routinely comes over that email rather than the official channel — or, even more frequently, it comes in a phone call or an in-person meeting. Public officials know what they don't want archived.
So we shouldn't fool ourselves into believing that government officials with voluminous email trails are actually abiding by the Federal Records Act. Most simply avoid disclosure in a more targeted fashion than Clinton: they use their official email for routine business and anodyne communication, and they use in-person meetings, cellphone calls, and private email accounts for more sensitive discussions.
In principle, Clinton should have used a government email, but in practice, the difference between her and her peers is smaller than it looks.
Hillary Clinton's unsafe emails
You can name a couple of people who might have been a more interesting target for hackers than Hillary Clinton. President Obama, sure. German Chancellor Angela Merkel, maybe. You could have made a lot of money if you were able to watch Federal Reserve Chair Ben Bernanke's communications.
But there's probably no one in the world who was a more enticing target for hackers and who was also routing all their email through a homebrew system and storing it on a local server.
What's almost worse is that Clinton doesn't even seem to realize how unsafe her email really was. In this, Clinton's response to a question about security concerns was sadly telling:
The system we used was set up for President Clinton's office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.
So, I think that the -- the use of that server, which started with my husband, certainly proved to be effective and secure.
Saying the server was guarded by the Secret Service reveals a distinctly analogue vision of digital threats — "as if the primary risk was not cybertheft but rather burglars sneaking in to steal floppy disks," snarks the Washington Post editorial board.
But the real tell is her definitive comment that "there were no security breaches," and as such, the system "proved to be effective and secure." What Clinton doesn't seem to realize is that if there was a successful security breach she almost certainly wouldn't know about it. Digital eavesdropping isn't like physical theft: there are no broken windows; nothing is taken.
As Tim Lee writes, "If a foreign intelligence agency had managed to hack into her server, they wouldn't have told anyone. Instead, they would have silently collected copies of her communications and sent them back home for analysis."
This is where Clinton's practice really did diverge from that of her peers. Government email systems are powerfully secure. That doesn't mean they never get hacked — cybersecurity is an arms race between hackers finding new vulnerabilities and security experts shoring up defenses — but it means there are highly skilled computer experts spending night and day figuring out how to protect sensitive information. In using a homebrew system, Clinton really was cavalier in exposing her communications to risks she clearly didn't fully understand. And that is a scandal.