Hillary Clinton’s Shadow IT Problem

As you likely know, when Hillary Clinton was Secretary of State, she set up a private email server at home and used it for her email communication, passing up a secure government account. This was a bad idea, for a number of reasons, primary among them the fact that sensitive information could be leaked on this less secure system, and that Freedom of Information Act (FOIA) requests could be bypassed. But the burning question, at a time when Clinton looks likely to be nominated as the Democratic candidate for President, is what her motivation was for setting up the server in the first place. Was it to bypass the Freedom of Information Act? Was it to easily trade classified materials, as her most critical accusers suspect? Or was it, as she claims, because she had a lot of personal email to send and she didn’t want to manage two accounts? 

This post doesn’t seek to answer those questions. Instead, it pitches yet another theory: that Clinton’s motivations might have had everything to do with technology and little to do with politics. Judicial Watch, a conservative foundation looking for evidence that Clinton broke laws in her handling of the email, received some fascinating information in response to a recent FOIA request. 

Upon joining the State Department in early 2009, Clinton immediately requested a Blackberry smartphone. Having used one extensively during her 2008 Presidential campaign, she, like almost every attorney in that decade, had fallen in love with her Blackberry, hence the request. After all, Condoleezza Rice, her predecessor as Secretary of State, had used one. President Obama had a special secure one that the NSA had developed for him. But they said no. Even after being called to a high level meeting with Clinton’s top aide and five State Department officials, they still said no.The NSA offered Clinton an alternative. But it was based on Windows CE, a dramatically different, less intuitive smartphone operating system. A month later, Clinton started using her own server. Judicial Watch claims that this info proves that Clinton knew that her email was not secure, but I think that she has already admitted that. But it also reveals something much more telling.

As a three plus decade technology Director/CIO (working primarily with Attorneys), I can tell you that people get attached to specific types of technology. I know a few Attorneys who still swear to this day that Wordperfect 5.1 for DOS was the best word processing software ever released. And there are millions who will tell you that their Blackberry was their virtual right arm in the 2000’s.

How devoted are people to their favorite applications and devices? I worked for a VP who was only comfortable using Word, so when she did her quarterly reports to the board, she had her assistant export huge amounts of information from our case management system. Then she modified all of it in Word. Once delivered, she had her assistant manually update the case management system in order to incorporate her changes. Efficient? Not at all. But she loved herself some Word. I’ve seen staff using seven year old laptops because they know them and don’t want to have to learn and set up a new one. And it wasn’t until the bitter end of 2014 that both my boss and my wife finally gave in and traded up their Blackberries for iPhones.

Again, the point here is not that Clinton should have ditched the secure, government system in order to use her phone of choice. In her circumstances, the security concerns should have outweighed her personal comfort. But for many, the desire to stick with tech that they know and love is often counter to logic, efficiency, security and policy. And most of us work in environments where bucking the system isn’t quite as dire as it could be for the nation’s top diplomat.

“Shadow IT” is technology that users install without company approval because they prefer it to what’s offered. What I know is that I can’t secure my network if it’s packed with technology that my users hate. Smart people will bypass that security in order to use the tools that work for them. An approach to security that neglects usability and user preference is likely to fail. In most cases, there are compromises that can be made between IT and users that allow secure products to be willingly adopted. In other cases, with proper training, hand-holding, and executive sponsorship,  you can win users over. But when we are talking about Blackberries in the last decade, or the iPhone in this one, we have to acknowledge that the popularity of the product is a serious factor in adoption that technologists can’t ignore. And if you don’t believe me, just ask Hillary Clinton.