INDIANAPOLIS — Vice President Mike Pence routinely used a private email account to conduct public business as governor of Indiana, at times discussing sensitive matters and homeland security issues.
Emails released to The Indianapolis Star, part of the USA TODAY Network, in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.
Cybersecurity experts say the emails raise concerns about whether such sensitive information was adequately protected from hackers, given that personal accounts like Pence's are typically less secure than government email accounts. In fact, Pence's personal account was hacked last summer.
Furthermore, advocates for open government expressed concerns about transparency because personal emails aren't immediately captured on state servers that are searched in response to public records requests.
Pence's office in Washington said in a written statement Thursday: "Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”
Indiana Gov. Eric Holcomb's office released more than 30 pages from Pence's AOL account, but declined to release an unspecified number of emails because the state considers them confidential and too sensitive to release to the public.
That's of particular concern to Justin Cappos, a computer security professor at New York University's Tandon School of Engineering. “It’s one thing to have an AOL account and use it to send birthday cards to grandkids," he said. "But it’s another thing to use it to send and receive messages that are sensitive and could negatively impact people if that information is public.”
Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public record purposes.
Pence's office said his campaign hired outside counsel as he was departing as governor to review his AOL emails and transfer any involving public business to the state.
Concerns surrounded Hillary Clinton’s use of a private server and email account during her tenure as secretary of State, though Pence as governor would not have dealt with national security issues as sensitive or as broad as those handled by Clinton in her position or with classified matters.
Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers.
Pence spokesman Marc Lotter called any comparisons between Pence and Clinton "absurd," noting that Pence didn't deal with federally classified information as governor. While Pence used a well-known consumer email provider, Clinton had a private server installed in her home, he said.
Cybersecurity experts say Pence’s emails were likely just as insecure as Clinton’s. While there has been speculation about whether Clinton's emails were hacked, Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money.
Corey Nachreiner, chief technology officer at computer security company WatchGuard Technologies, said the email accounts of Pence and Clinton were probably about equally vulnerable to attacks.
"In this case, you know the email address has been hacked,” he said. “It would be hypocritical to consider this issue any different than a private email server.”
He and other experts say personal accounts such as the one Pence used are typically less secure than government email accounts, which often receive additional layers of monitoring and security, and are linked to servers under government control.
Indiana law requires all records dealing with state business to be retained and available for public information requests. Emails exchanged on state accounts are captured on state servers, which can be searched in response to such requests. But any emails Pence sent from his AOL account to another private account likely would have been hidden from public record searches unless he took steps to make them available.
Indiana Public Access Counselor Luke Britt, who was appointed by Pence in 2013, said he advises state officials to copy or forward their emails involving state business to their government accounts to ensure the record is preserved on state servers.
But there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor's office.
When public officials fail to retain their private-account emails pertaining to public business, "they're running the risk of violating the law,” Britt said. “A good steward of those messages and best practice is going to dictate they preserve those."
All of the emails provided to IndyStar were ones captured on state servers.
The emails were obtained after a series of public records requests that the Pence administration did not fulfill for nearly four months before Pence left office.
The administration of Pence’s successor, Gov. Eric Holcomb, released 29 pages of emails late last week. But it withheld others, saying they are deliberative or advisory, confidential under rules adopted by the Indiana Supreme Court or the work product of an attorney.
Holcomb’s office declined to disclose how many emails were withheld.
Cyber-security experts and government transparency advocates said Pence's use of a personal email account for matters of state business — including confidential ones — is surprising given his attacks on Clinton's exclusive use of a private email server.
On NBC's Meet the Press in September, for example, Pence called Clinton "the most dishonest candidate for president of the United States since Richard Nixon."
“What’s evident from all of the revelations over the last several weeks is that Hillary Clinton operated in such a way to keep her emails, and particularly her interactions while secretary of State with the Clinton Foundation, out of the public reach, out of public accountability,” Pence said. “And with regard to classified information she either knew or should have known that she was placing classified information in a way that exposed it to being hacked and being made available in the public domain even to enemies of this country.”
The experts told IndyStar that similar arguments about a lack of transparency could be made about Pence’s use of a personal email account.
“There is an issue of double standard here,” Gerry Lanosga, a professor at Indiana University and past president of the Indiana Coalition for Open Government. “He has been far from forthcoming about his own private email account on which it’s clear he has conducted state business. So there is a disconnect there that cannot be avoided.”