Vice President Mike Pence routinely used a private email account to conduct public business as governor of Indiana, at times discussing sensitive matters and homeland security issues.
Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.
Cyber-security experts say the emails raise concerns about whether such sensitive information was adequately protected from hackers, given that personal accounts like Pence’s are typically less secure than government email accounts. In fact, Pence’s personal account was hacked last summer.
Furthermore, advocates for open government expressed concerns about transparency because personal emails aren’t immediately captured on state servers that are searched in response to public records requests.
Pence’s office in Washington said in a written statement Thursday: “Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”
Indiana Gov. Eric Holcomb’s office released 29 pages of emails from Pence’s AOL account, but declined to release an unspecified number of others because the state considers them confidential and too sensitive to release to the public.
That’s of particular concern to Justin Cappos, a computer security professor at New York University’s Tandon School of Engineering. “It’s one thing to have an AOL account and use it to send birthday cards to grandkids,” he said. “But it’s another thing to use it to send and receive messages that are sensitive and could negatively impact people if that information is public.”
Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public record purposes.
Pence’s office said his campaign hired outside counsel as he was departing as governor to review his AOL emails and transfer any involving public business to the state.
Concerns also surrounded Hillary Clinton’s use of a private server and email account during her tenure as secretary of state. Pence as governor would not have dealt with national security issues as sensitive or as broad as those handled by Clinton in her position or with classified matters.
Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers.
Pence spokesman Marc Lotter called any comparisons between Pence and Clinton “absurd,” noting that Pence didn’t deal with federally classified information as governor. While Pence used a well-known consumer email provider, Clinton had a private server installed in her home, he said.
Cybersecurity experts say Pence’s emails were likely just as insecure as Clinton’s. While there has been speculation about whether Clinton’s emails were hacked, Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money.
Corey Nachreiner, chief technology officer at computer security company WatchGuard Technologies, said the email accounts of Pence and Clinton were probably about equally vulnerable to attacks.
“In this case, you know the email address has been hacked,” he said. “It would be hypocritical to consider this issue any different than a private email server.”
He and other experts say personal accounts such as the one Pence used are typically less secure than government email accounts, which often receive additional layers of monitoring and security, and are linked to servers under government control.
Indiana law requires all records dealing with state business to be retained and available for public information requests. Emails exchanged on state accounts are captured on state servers, which can be searched in response to such requests. But any emails Pence sent from his AOL account to another private account likely would have been hidden from public record searches unless he took steps to make them available.
Indiana Public Access Counselor Luke Britt, who was appointed by Pence in 2013, said he advises state officials to copy or forward their emails involving state business to their government accounts to ensure the record is preserved on state servers.
But there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor’s office.
When public officials fail to retain their private-account emails pertaining to public business,…