POLITICS

Pence used personal email for state business — and was hacked

Tony Cook
tony.cook@indystar.com
Vice President-elect Mike Pence speaks to members of the media while meeting with House Speaker Paul Ryan of Wis., on Capitol Hill in Washington, Wednesday, Nov. 30, 2016.

Vice President Mike Pence routinely used a private email account to conduct public business as governor of Indiana, at times discussing sensitive matters and homeland security issues.

Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.

Cyber-security experts say the emails raise concerns about whether such sensitive information was adequately protected from hackers, given that personal accounts like Pence's are typically less secure than government email accounts. In fact, Pence's personal account was hacked last summer.

Furthermore, advocates for open government expressed concerns about transparency because personal emails aren't immediately captured on state servers that are searched in response to public records requests.

FRIDAY UPDATE: Pence turns over 13 boxes of emails

Pence's office in Washington said in a written statement Thursday: "Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

Indiana Gov. Eric Holcomb's office released 29 pages of emails from Pence's AOL account, but declined to release an unspecified number of others because the state considers them confidential and too sensitive to release to the public.

That's of particular concern to Justin Cappos, a computer security professor at New York University's Tandon School of Engineering. “It’s one thing to have an AOL account and use it to send birthday cards to grandkids," he said. "But it’s another thing to use it to send and receive messages that are sensitive and could negatively impact people if that information is public.”

Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public record purposes.

PENCE RESPONDSMike Pence: 'No comparison' between his, Hillary Clinton's use of emails

Pence's office said his campaign hired outside counsel as he was departing as governor to review his AOL emails and transfer any involving public business to the state.

Concerns also surrounded Hillary Clinton’s use of a private server and email account during her tenure as secretary of state. Pence as governor would not have dealt with national security issues as sensitive or as broad as those handled by Clinton in her position or with classified matters.

Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers.

Pence spokesman Marc Lotter called any comparisons between Pence and Clinton "absurd," noting that Pence didn't deal with federally classified information as governor. While Pence used a well-known consumer email provider, Clinton had a private server installed in her home, he said.

Cybersecurity experts say Pence’s emails were likely just as insecure as Clinton’s. While there has been speculation about whether Clinton's emails were hacked, Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money.

Corey Nachreiner, chief technology officer at computer security company WatchGuard Technologies, said the email accounts of Pence and Clinton were probably about equally vulnerable to attacks.

"In this case, you know the email address has been hacked,” he said. “It would be hypocritical to consider this issue any different than a private email server.”

He and other experts say personal accounts such as the one Pence used are typically less secure than government email accounts, which often receive additional layers of monitoring and security, and are linked to servers under government control.

Indiana law requires all records dealing with state business to be retained and available for public information requests. Emails exchanged on state accounts are captured on state servers, which can be searched in response to such requests. But any emails Pence sent from his AOL account to another private account likely would have been hidden from public record searches unless he took steps to make them available.

BEHIND THE STORY: IndyStar's long-running effort to obtain the Pence emails

Indiana Public Access Counselor Luke Britt, who was appointed by Pence in 2013, said he advises state officials to copy or forward their emails involving state business to their government accounts to ensure the record is preserved on state servers.

But there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor's office.

When public officials fail to retain their private-account emails pertaining to public business, "they're running the risk of violating the law,” Britt said. “A good steward of those messages and best practice is going to dictate they preserve those."

All of the emails provided to IndyStar, part of the USA TODAY Network, were ones captured on state servers.

The emails were obtained after a series of public records requests that the Pence administration did not fulfill for nearly four months before Pence left office.

The administration of Pence’s successor, Gov. Eric Holcomb, released 29 pages of emails late this past week. But it withheld others, saying they are deliberative or advisory, confidential under rules adopted by the Indiana Supreme Court or the work product of an attorney.

Holcomb’s office declined to disclose how many emails were withheld.

SELECTED PENCE EMAILS:  Here are some of Vice President Mike Pence's AOL emails

Cyber-security experts and government transparency advocates said Pence's use of a personal email account for matters of state business — including confidential ones — is surprising given his attacks on Clinton's exclusive use of a private email server.

On NBC's "Meet the Press" in September, for example, Pence called Clinton "the most dishonest candidate for president of the United States since Richard Nixon."

“What’s evident from all of the revelations over the last several weeks is that Hillary Clinton operated in such a way to keep her emails, and particularly her interactions while Secretary of State with the Clinton Foundation, out of the public reach, out of public accountability,” Pence said. “And with regard to classified information she either knew or should have known that she was placing classified information in a way that exposed it to being hacked and being made available in the public domain even to enemies of this country.”

The experts told IndyStar that similar arguments about a lack of transparency could be made about Pence’s use of a personal email account.

“There is an issue of double standard here,” said Gerry Lanosga, a professor at Indiana University and past president of the Indiana Coalition for Open Government. “He has been far from forthcoming about his own private email account on which it’s clear he has conducted state business. So there is a disconnect there that cannot be avoided.”

PENCE'S RESPONSEMike Pence: 'No comparison' between his, Hillary Clinton's use of emails

Security concerns

As governor, Pence oversaw Indiana's state police, national guard and department of homeland security, all of which collaborate with federal authorities and handle sensitive information.

The emails provided to IndyStar show that Pence corresponded with his then-chief of staff, Jim Atterholt, and his top public safety and homeland security adviser John Hill, on subjects including Pence’s efforts to prevent the resettlement of Syrian refugees and the state’s response to a shooting at Canada’s national parliament building.

“I just received an update from the FBI regarding the individuals arrested for support of ISIS,” Hill wrote to Pence in a Jan. 8, 2016 email with the subject, “Arrests of Refugees.”

At that time, the Pence administration was embroiled in a lawsuit over the governor’s effort to block the resettlement of Syrian refugees in Indiana.

Hill went on to explain how many people were arrested, on what charges and in which cities before adding in underlined type: “Both of the earlier referenced refugees are reported now as ‘Iraqi’ — not Syrian.”

PENCE'S OTHER EMAIL ISSUEMike Pence asks Indiana Supreme Court to stay out of his redacted emails

Much if not all of that information appears to have been reported in the media at the time. But questions remain about the more sensitive information contained in Pence’s AOL account that the Holcomb administration declined to release.

Experts say there have been high-profile security lapses involving AOL email accounts in the past. The company reported a major breach of its email in 2014 affecting hundreds of thousands of users. The following year, messages hackers obtained from then-CIA Director John Brennan’s personal AOL account were posted on WikiLeaks.

Pence’s own account was compromised in June when a hacker sent a counterfeit email to his contacts claiming Pence he and his wife had been attacked on their way back to their hotel in the Philippines, losing their money, bank cards and mobile phone.

In response, Pence sent an email to those who had received the fake communication apologizing for any inconvenience. He also set up a new AOL account.

Because the hacker appears to have gained access to Pence’s contacts, experts say it is likely that the account was actually penetrated, giving the hacker access to Pence’s inbox and sent messages.

The nature of that hack suggests it was part of a broad, impersonal attack — not one carefully crafted to target Pence in particular, Cappos said.

“It’s particularly concerning that someone who didn’t do a very particular, very specific attack was able to hack this account,” he said.

That's especially true given that at least some of the emails Pence sent or received have been deemed confidential or exempt from public disclosure.

“The fact that these emails are stored in a private AOL account is crazy to me,” Cappos said. “This account was used to handle these messages that are so sensitive they can’t be turned over in a records request.”

As governor, Pence was less likely than the U.S. secretary of state to encounter national security secrets, said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations.

But much of the rationale behind the criticism of Clinton's emails would apply to Pence, too, he said.

“A large part of the criticism of (Hillary Clinton’s) personal server by the GOP — that it was unsafe or that it was to circumvent oversight — would be misplaced if Pence was using an AOL account,” he said. “The Secretary of State would be in possession of secrets that had more of a national impact, but at a lower level, a private email account has the same implications.”

Transparency issues

In addition to security issues, Pence's personal email account also raises new concerns about transparency, according to ethics experts and government accountability advocates.

Pence is already fighting in state court to conceal the contents of emails involving his decision to join a 2014 lawsuit challenging then-President Barack Obama's executive order on immigration. The emails are being sought by William Groth, a Democrat and labor lawyer who says he wants to expose waste in the Republican administration.

Richard Painter, former chief ethics lawyer to President George W. Bush, said it's bothersome that Pence is only now transferring his AOL emails to the state. It raises questions about whether those emails were included in previous responses to public records requests. "That’s a problem that should have been dealt with back then," he said. "The existence of the private email account should have been dealt with at the time the record requests were made."

The use of personal email accounts by public officials — including governors — is nothing new. But the increased risk that hackers, including foreign actors, could break into the account of someone as high-ranking as the vice president of the United States is disconcerting, Painter said.

"Clinton did it. The Bush White House was doing it. It’s nothing new. But it’s a bad idea," he said, noting that Pence's account was vulnerable to a low-level hacker.  "If they can get in there, ex-KGB agents can get in there. It’s a bad idea because of the hacking thing and the potential destruction of records."

Lanosga of the Indiana Coalition for Open Government said it's a problem that seems to cross party lines.

"Officials are eager to point the finger at a lack of transparency when it happens on the other side," he said, "but they dodge those issues when it comes to their own side."

Reporter Maureen Groppe contributed to this story.

Call IndyStar reporter Tony Cook at (317) 444-6081. Follow him on Twitter and Facebook.

Mike Pence's redacted emails could head to Indiana Supreme Court

Mike Pence's choice of AOL earns laughs

What's Mike Pence hiding in his emails?

With Pence gone, fellow Republicans undo his work in Indiana