The Private Channel
The fantasy is always the same: if I control the server, I control the information.
On May 25, 2016, the State Department's Inspector General published a report on Hillary Clinton's use of a private email server during her tenure as Secretary of State. Seventy-eight pages of politely worded documentation that this had been, start to finish, a bad idea—against policy, inadequately secured, and opaque to the records preservation requirements.
The shadow IT playbook is familiar to anyone who works in enterprise tech. Institutional systems are slow, bureaucratic, and visible to the wrong people. So you route around them. You set up something private. You tell yourself it's actually more secure because you control it. You don't tell IT. You don't tell Legal. You definitely don't tell anyone who might say no.
The IG report found that State Department security staff had raised concerns about the server configuration. Those concerns were dismissed. In some cases, people were told to stop raising them. The infrastructure meant to provide independence became a liability large enough to follow Clinton through a presidential election.
Here's the pattern worth recognizing: the private channel always gets scrutinized more than the official one. Institutional infrastructure exists in a documented, auditable chain. Shadow IT lives outside that chain—which means when something goes wrong, everything becomes exceptional. Every email is suddenly evidence. Every routing decision requires explanation. The "control" you thought you had is revealed as the absence of the structures that would have protected you.
Clinton's server was, by some technical assessments, less secure than Gmail. The IG report—conducted by a State Department official appointed by the Obama administration—found the server configuration wasn't properly reviewed, that sensitive information was transmitted in ways that wouldn't have passed standard security evaluation, and that requests for a proper security assessment had been refused.
The tech lesson is not complicated. Running your own infrastructure doesn't make you more secure. It makes you more responsible for security in a context where you have fewer resources, less expertise, and no institutional backup when the threat model is a foreign intelligence service rather than a forgotten password. "I control it" is not a security posture.
What haunts this from a systems perspective is the records problem. Government email systems exist partly so that official communications can be archived, retrieved under FOIA, and preserved for historical record. A private server with private deletion policies breaks that chain. Some of that correspondence is probably gone—not classified material, just the routine documentation of someone who was Secretary of State for four years. The institutional memory evaporated because someone preferred a private channel.
The server gave Clinton the feeling of control. What it actually gave her was a basement server room and a category of political liability that ran through 2016 and didn't stop.
Control and security are not the same thing. The people who believe they are tend to find out in public.
i · sources
source · State Department Inspector General report — Clinton email server, May 25 2016
threaded with
- beat · Tech
The Camera They Can't Quit
Dayton put trash bags over its Flock cameras — not because they broke, but because the contract says you cannot just leave. This is what surveillance vendor lock-in looks like at street level.
today
- beat · Tech
The School Deepfakes Ate
A $250 app from the App Store. Five victims. One harassment charge. Every institution in Radnor's deepfake chain made a defensible choice. Together they produced nothing.
yesterday
- beat · Tech
The Lobotomized Companion
Character.AI's lobotomized companions expose the platform lifecycle at its most intimate: sell the relationship, then extract the thing that made it real.
2 days ago