Pence used personal email for state business — and was hacked

Tony Cook | The Indianapolis Star

What was in private emails Mike Pence used for state business? Vice President Mike Pence reportedly used a private email account to conduct public business, including homeland security matters, while he was governor of Indiana. Records of the emails were obtained by IndyStar through a public records request.

INDIANAPOLIS — Vice President Mike Pence routinely used a private email account to conduct public business as governor of Indiana, at times discussing sensitive matters and homeland security issues.

Emails released to The Indianapolis Star, part of the USA TODAY Network, in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.

Cybersecurity experts say the emails raise concerns about whether such sensitive information was adequately protected from hackers, given that personal accounts like Pence's are typically less secure than government email accounts. In fact, Pence's personal account was hacked this past summer.

Furthermore, advocates for open government expressed concerns about transparency because personal emails aren't immediately captured on state servers that are searched in response to public records requests.

Pence's office in Washington released a written statement Thursday:

Similar to previous governors, during his time as governor of Indiana, Mike Pence maintained a state email account and a personal email account.

As governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law and are being managed according to Indiana’s Access to Public Records Act.

Indiana Gov. Eric Holcomb's office released 29 pages from Pence's AOL account but declined to release an unspecified number of emails because the state considers them confidential and too sensitive to release to the public.

That's of particular concern to Justin Cappos, a computer security professor at New York University's Tandon School of Engineering.

“It’s one thing to have an AOL account and use it to send birthday cards to grandkids,” he said. “But it’s another thing to use it to send and receive messages that are sensitive and could negatively impact people if that information is public.”

Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public-record purposes.

Pence's office said his campaign hired outside counsel as he was departing as governor to review his AOL emails and transfer any involving public business to the state.

Concerns also surrounded Hillary Clinton’s use of a private server and email account during her tenure as secretary of state, though Pence, as governor, would not have dealt with national security issues as sensitive or as broad as those Clinton handled in her position, nor would he have dealt with classified matters.

Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers.

Pence spokesman Marc Lotter called any comparisons between Pence and Clinton "absurd," noting that Pence didn't deal with federally classified information as governor. While Pence used a well-known consumer email provider, Clinton had a private server installed in her home, he said.

Cybersecurity experts say Pence’s emails likely were just as insecure as Clinton’s. While some have speculated about whether Clinton's emails were hacked, a scammer actually compromised Pence’s account this past summer, sending an email to his contacts claiming that Pence and his wife were stranded in the Philippines and in urgent need of money.

Corey Nachreiner, chief technology officer at computer security company WatchGuard Technologies, said the email accounts of Pence and Clinton were probably about equally vulnerable to attacks.

“In this case, you know the email address has been hacked,” he said. “It would be hypocritical to consider this issue any different than a private email server.”

He and other experts say personal accounts such as the one Pence used typically are less secure than government email accounts, which often receive additional layers of monitoring and security and are linked to servers under government control.

Indiana law requires all records dealing with state business to be retained and available for public information requests. Emails exchanged on state accounts are captured on state servers, which can be searched in response to such requests.

But any emails Pence sent from his AOL account to another private account — anything from Gmail to a business — likely would have been hidden from public record searches unless he took steps to make them available.

Indiana Public Access Counselor Luke Britt, whom Pence appointed in 2013, said he advises state officials to copy or forward their emails involving state business to their government accounts to ensure the record is preserved on state servers.

But there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor's office.

When public officials fail to retain their private-account emails pertaining to public business, “they’re running the risk of violating the law,” Britt said. “A good steward of those messages and best practice is going to dictate they preserve those.”

All of the emails provided to The Indianapolis Star were ones captured on state servers.

The emails were obtained after a series of public records requests that the Pence administration did not fulfill for nearly four months before Pence left office.

The administration of Pence’s successor, Holcomb, released the 29 pages of emails late last week. But it withheld others, saying they are deliberative or advisory, confidential under rules adopted by the Indiana Supreme Court or the work product of a lawyer.

Holcomb’s office declined to disclose how many emails were withheld.

Cybersecurity experts and government transparency advocates said Pence's use of a personal email account for matters of state business — including confidential ones — is surprising given his attacks on Clinton's exclusive use of a private email server.

On NBC's Meet the Press in September, Pence called Clinton "the most dishonest candidate for president of the United States since Richard Nixon."

“What’s evident from all of the revelations over the last several weeks is that Hillary Clinton operated in such a way to keep her emails, and particularly her interactions while secretary of state with the Clinton Foundation, out of the public reach, out of public accountability,” Pence said. “And with regard to classified information, she either knew or should have known that she was placing classified information in a way that exposed it to being hacked and being made available in the public domain even to enemies of this country.”

The experts said similar arguments about a lack of transparency could be made about Pence’s use of a personal email account.

“There is an issue of double standard here,” said Gerry Lanosga, a professor at Indiana University and past president of the Indiana Coalition for Open Government. “He has been far from forthcoming about his own private email account on which it’s clear he has conducted state business.

“So there is a disconnect there that cannot be avoided,” Lanosga said.

Security concerns

As governor, Pence oversaw Indiana's state police, national guard and department of homeland security, all of which collaborate with federal authorities and handle sensitive information.

The emails provided to The Star show that Pence corresponded with his then-chief of staff, Jim Atterholt, and his top public safety and homeland security adviser John Hill, on subjects including Pence’s efforts to prevent the resettlement of Syrian refugees and the state’s response to a shooting at Canada’s national parliament building.

“I just received an update from the FBI regarding the individuals arrested for support of ISIS,” the Islamic State of Iraq and Syria, Hill wrote to Pence in a Jan. 8, 2016, email with the subject, “Arrests of Refugees.”

At that time, the Pence administration was embroiled in a lawsuit over the governor’s effort to block the resettlement of Syrian refugees in Indiana.

Hill went on to explain how many people were arrested, on what charges and in which cities before adding in underlined type: “Both of the earlier referenced refugees are reported now as ‘Iraqi’ — not Syrian.”

Much if not all of that information appears to have been reported in the media at the time. But questions remain about the more sensitive information contained in Pence’s AOL account that the Holcomb administration declined to release.

Experts say high-profile security lapses have involved AOL email accounts in the past. The company reported a major breach of its email in 2014 affecting hundreds of thousands of users.

The following year, messages that hackers obtained from then-CIA Director John Brennan’s personal AOL account were posted on WikiLeaks.

Pence’s own account was compromised in June when a hacker sent the counterfeit email to his contacts claiming Pence and his wife had been attacked on their way back to their hotel in the Philippines, losing their money, bank cards and mobile phone.

In response, Pence sent email to those who had received the fake communication apologizing for any inconvenience. He also set up a new AOL account.

Because the hacker appears to have gained access to Pence’s contacts, experts say it is likely that the account was penetrated, giving the hacker access to Pence’s inbox and sent messages.

The nature of that hack suggests it was part of a broad, impersonal attack — not one carefully crafted to target Pence in particular, Cappos said.

“It’s particularly concerning that someone who didn’t do a very particular, very specific attack was able to hack this account,” he said.

That's especially true given that at least some of the emails Pence sent or received have been deemed confidential or exempt from public disclosure.

“The fact that these emails are stored in a private AOL account is crazy to me,” Cappos said. “This account was used to handle these messages that are so sensitive they can’t be turned over in a records request.”

As governor, Pence was less likely than the U.S. secretary of state to encounter national security secrets, said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations.

But much of the rationale behind the criticism of Clinton's emails would apply to Pence, too, he said.

“A large part of the criticism of (Hillary Clinton’s) personal server by the GOP — that it was unsafe or that it was to circumvent oversight — would be misplaced if Pence was using an AOL account,” he said. “The secretary of state would be in possession of secrets that had more of a national impact, but at a lower level a private email account has the same implications.”

Transparency issues

In addition to security issues, Pence's personal email account also raises new concerns about transparency, according to ethics experts and government accountability advocates.

Pence already is fighting in state court to conceal the contents of emails involving his decision to join a 2014 lawsuit challenging then-President Obama's executive order on immigration. William Groth, a Democrat and labor lawyer who says he wants to expose waste in the Republican administration, is seeking the email.

Richard Painter, former chief ethics lawyer to President George W. Bush, said it's bothersome that Pence is only now transferring his AOL emails to the state. It raises questions about whether those emails were included in previous responses to public records requests.

"That’s a problem that should have been dealt with back then," Painter said. "The existence of the private email account should have been dealt with at the time the record requests were made."

The use of personal email accounts by public officials — including governors — is nothing new. But the increased risk that hackers, including foreign actors, could break into the account of someone as high ranking as the vice president of the United States is disconcerting, he said.

"Clinton did it. The Bush White House was doing it. It’s nothing new. But it’s a bad idea," Painter said, noting that Pence's account was vulnerable to a low-level hacker.

"If they can get in there, ex-KGB agents can get in there," Painter said. "It’s a bad idea because of the hacking thing and the potential destruction of records."

Lanosga of the Indiana Coalition for Open Government said the problem seems to cross party lines.

"Officials are eager to point the finger at a lack of transparency when it happens on the other side," he said. "But they dodge those issues when it comes to their own side."

Contributing: Maureen Groppe, USA TODAY. Follow Tony Cook on Twitter: @indystartony