The DNC should never have been running its own email server.

The DNC Should Never Have Been Running Its Own Email Server

The DNC Should Never Have Been Running Its Own Email Server

The citizen’s guide to the future.
July 26 2016 12:00 PM
FROM SLATE, NEW AMERICA, AND ASU

The Democrats’ Other Server Problem

The DNC should have outsourced its email to Google, Yahoo, or another major company.

Democratic National Committee chair Debbie Wasserman Schultz stands in the media filing room before the Democratic presidential candidates debate at Saint Anselm College in Manchester, New Hampshire, December 19, 2015.
Democratic National Committee chair Debbie Wasserman Schultz at Saint Anselm College in Manchester, New Hampshire, in December 2015.

Gretchen Ertl/Reuters

One unlikely lesson of the 2016 presidential election turns out to be that you simply should not host your own email unless you really know what you’re doing. And odds are, if you’re running for office, or running a political party, you probably don’t.

It’s still unclear how exactly the Democratic National Committee email servers were compromised and whether anyone hacked into Hillary Clinton’s personal servers. But it seems like everyone’s email would probably have been better served by letting Google take care of it. (Set aside for a moment the rules governing how public records are stored for government officials. That’s an important issue, no doubt, but it’s not precisely a question of security.)

Advertisement

Outsourcing email management to a private company doesn’t solve all potential security threats. It’s still, of course, possible for an adversary to steal credentials and use them to access an individual’s email records. In fact, at least one DNC consultant’s personal email, operated by Yahoo, was reportedly targeted as part of the larger breach. But while corporate email servers and security measures won’t necessarily protect individual accounts from being compromised, they generally do a pretty good job protecting against someone trying to conduct a full sweep of every email on a server.

The thousands of DNC emails posted online by WikiLeaks do not read like the contents of an individual person’s inbox: They’re not all linked to a single sender or recipient. Instead, they read like the contents of a DNC-operated server. If this breach began by compromising someone’s credentials, that person seems to have been someone with administrative access to the entire server.

It’s anyone’s guess, at this point, how the emails were acquired. But inevitably, when we do find out what happened, there will be no shortage of people (including me) interested in dissecting where the DNC went wrong with its security. I think it’s reasonable to criticize an organization’s security posture in the wake of a high-profile breach. (Actually, I always think it’s reasonable to criticize an organization’s security posture.) But it’s also true that it’s hard to protect emails—or any kind of stored data—from a determined adversary.

Yes, it may well turn out there are some basic things people at the DNC could have done better: some phishing messages that they shouldn’t have fallen for, some attachments that should never have been downloaded. But to really do a good job flagging suspicious messages, or detecting anomalous log-in attempts, or guarding against other types of malicious activity, they would need to employ hundreds of dedicated security experts, offer easy-to-use multifactor authentication options, and have access to vast stores of data about phishing emails, attacker behaviors, and user locations and devices. In other words, they would need to be Google—or Microsoft, or Apple, or Yahoo.

Advertisement

The DNC is never going to be the equal of these companies employing thousands of engineers and managing millions of email accounts when it comes to security, so perhaps it should stop trying and let the experts take over.

That’s a suggestion bordering on sacrilege to many people who care about security, who believe real security and strong encryption are possible only when you manage your own data and encryption keys yourself. And it’s true that trusting a company to manage your email reduces your security in some ways. For one thing, it certainly means that company has access to all your email messages. For another, it may mean that law enforcement or intelligence officials can access those messages without your knowledge through court orders or mutual agreements with that company. So there are definitely trade-offs, and if those are the security threats you’re most worried about, and you’re equipped to configure your own server setup, then you probably should not entrust your email to a third-party provider.

If, however, you’re more concerned about your email being read by external attackers in, say, Russia, then the perceived security of handling all your own email may do more harm than good. And if your area of expertise is political strategizing and maneuvering, rather than encryption protocols and firewall configurations, you would almost certainly be better off delegating responsibility for your email to a company that knows what it’s doing.

Alternatively, you can decide never ever to send another email that contains anything snarky, stupid, condescending, embarrassing, or rude. I, for one, solemnly make this vow after every published breach of email correspondence (I will never send another email that I would not be comfortable seeing printed on the front page of the New York Times), and it lasts roughly three minutes, until I’m seized by the need to share a particularly pointed insult of someone with my college roommate. So for those of us who will never be able to completely sanitize our inboxes, it’s worth thinking carefully about who we want protecting them.

Advertisement

There’s something reassuring about owning your own email: It seems intuitively more secure than handing it over to someone else. I imagine that’s part of the reason Hillary Clinton operated her own server for so long. But for most people—and even many organizations—that’s simply not true. Running your own email server doesn’t make your email more secure unless you have security expertise to rival Google’s, or you view Google and its cooperation with the U.S. government as the real threat.

I’m not eager to live in a world where all email accounts are operated by a single company or even a few companies. The fact that email communication, unlike Skype or iMessage or WhatsApp, is not a proprietary, company-owned technology is important and valuable. It’s good for people and companies to have the option to run their own email systems and beneficial that some of them are willing to devote the necessary time and resources to doing so. But protecting email is a serious responsibility. It’s not easy, and it’s not for everyone.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.