What's known, not known on Hillary Clinton's emails?
Donald Trump was unequivocal on the campaign trail: If elected, he would investigate Hillary Clinton and her use of a private email system while she was secretary of state.
"If I win, I am going to instruct my attorney general to get a special prosecutor to look into your situation," Trump said at a town-hall debate in October.
He later remarked to Clinton that if he became president, "you’d be in jail."
While it was rhetoric that played well among Trump’s supporters, many of whom shouted "lock her up!" in reference to Clinton and the email scandal, maybe that’s all it was.
Trump aide Kellyanne Conway told MSNBC on Nov. 22, 2016 that the president-elect did not want to investigate his former opponent.
"If Donald Trump can help her heal, then perhaps that’s a good thing," Conway said.
A week earlier Trump had said in an interview with "60 Minutes" that he didn’t want to hurt Clinton, but he declined to directly answer a question on whether he would proceed with a probe.
"She did some bad things," Trump said. "I mean she did some bad things."
Hours after Conway's interview, Trump indicated he had not ruled out investigating Clinton.
That sent us back to a statement we heard earlier this year from U.S. Rep. Sean Duffy (R-Wausau). Speaking at an August Trump rally in West Bend, Duffy told the crowd that Clinton had top-secret information on a server "that’s less secure than Gmail."
With reports out that Trump has opted not to pursue an investigation, here’s a closer look at Duffy’s claim — and what is publicly known and not known about the security of Clinton’s private email system.
Clinton’s email scandal
The New York Times revealed last year that Clinton had exclusively used personal email while secretary of state between 2009 and 2013.
During that time, Clinton relied on two email servers in the basement of her home in Chappaqua, New York. The first server ran on a Power Mac, but Clinton’s staff upgraded to a more advanced system in 2009 to handle more emails.
Clinton’s use of the private system matters for several reasons. For starters, Clinton violated State Department policy at the time that generally required government business be conducted on department computer systems, including official email accounts.
It’s also easier for public officials to evade record retention and disclosure rules by using private email services compared to official government accounts.
Indeed, those in the State Department responsible for processing Freedom of Information Act requests did not know Clinton had a private email account, according to one employee. An inspector general report also found that the department’s responses to FOIA requests were at times "inaccurate and incomplete" and that the department had failed to adequately search for email records while Clinton was in office.
Clinton has indicated that she used private email for convenience so she could handle both personal and government business on the same phone. But Clinton also expressed concern that using an official email account could make personal communications public.
The revelations about Clinton’s use of a private email system prompted multiple lawsuits and investigations, including an inquiry by the Federal Bureau of Investigation.
In July, FBI Director James Comey said the agency found "evidence of potential violations of the statutes regarding the handling of classified information." But Comey also said Clinton’s case was not appropriate for prosecution, in part because there was no evidence Clinton intended to break any laws.
Assessing Duffy’s claim
Duffy said Clinton had top-secret information on a server "that’s less secure than Gmail." The first part of that statement is on target: Clinton did have top-secret information in her private emails, according to the FBI.
In her defense, Clinton claimed that she had not emailed anything "marked classified," but that wasn’t entirely accurate. The FBI found 81 email chains with classified information, three of which had markings indicating such information was classified, although those three emails were not sufficiently labeled as classified, according to Comey.
Whether Clinton’s servers were less secure than Gmail is another story. When we asked Duffy’s office to provide support for that part of his statement, a spokesman cited a portion of Comey’s statement from July.
Here is what Comey said: "None of these emails should have been on any kind of unclassified system, but their presence is especially concerning because all of these emails were housed on unclassified personal servers not even supported by full-time security staff, like those found at Departments and Agencies of the U.S. Government — or even with a commercial service like Gmail."
But that part of Comey’s statement does not fully support Duffy’s claim. Comey was not commenting about the overall security of Clinton’s servers, but rather, he was talking about one narrow aspect of security.
Key facts also muddy the waters:
Comey noted in his statement that there was no "direct evidence" that Clinton’s servers had been hacked, but investigators did find evidence of hacking attempts — and it’s possible there were breaches that have gone undetected.
Google, meanwhile, has detected intrusions. In 2011, for instance, the company disclosed that a Chinese hacker accessed hundreds of its accounts.
Both Lin and Reed Stark said it’s impossible to say definitively whether Clinton’s servers were less secure than Gmail. They said they would need more information about the specific security protocols for both Clinton’s servers and Gmail to make the comparison.
Gmail in general has strong security, according to Lin, and Reed Stark said he suspects that a large technology firm such as Gmail would fare better in overall security features, intrusion detection and incident response compared to a server in the basement of a home.
Still, Lin said, "we really don't know conclusively."
Duffy said Clinton had top-secret emails on a server "that’s less secure than Gmail," but there is not enough publicly available information to definitely say whether that’s true.
On the one hand, investigators have found no evidence that Clinton’s servers were hacked, yet Gmail has been hacked in the past. On the other hand, two cybersecurity experts said Gmail generally has strong security and it’s possible Clinton’s servers have been breached without detection.
The experts said they would need to know more about the specific security protocols of both Clinton’s email servers and Gmail to conclusively say which one was more secure.
(Editor's note: This item was updated to note that hours after after Conway's statement, Trump indicated he had not ruled out seeking a special prosecutor in the matter)