By now we should be annoyed every time we discover that yet another public servant has used a private e-mail address for official business. During the Bush administration, 88 White House staffers had e-mail addresses from the Republican National Committee. According to a report by the House Committee on Oversight in 2007, back when Democrat Henry Waxman was chair, much of this e-mail traffic was destroyed by the RNC, making it hard for investigators and historians to know what happened in the White House. Something similar occurred when Mitt Romney was governor of Massachusetts and used a Hotmail account.
And on Thursday, Gina McCarthy, President Obama’s nominee for head of the Environmental Protection Agency, spent part of a confirmation hearing defending the agency’s inconsistent habit of using external e-mail accounts with aliases. This was clearly bad practice. It is by now well established that improper use of an external e-mail address makes an easy target for congressional oversight and watchdog groups. If you work for the government, “do not use your own e-mail account” should be understood as clearly as “do not frequent brothels.” In both cases, people still do, but they should at least know that they’ll get in trouble if someone finds out.
And yet something at the hearing sticks out. McCarthy explained that when she travels to her house in Boston, she uses her personal e-mail to send documents to print and review at home. It wasn’t clear from the testimony why she does this. Either the EPA doesn’t have a cloud-based system to read and print documents at home, or it does, and it doesn’t work very well. Regardless, the problem is so universal that McCarthy felt perfectly justified telling a Senate panel she does it. McCarthy is not embarrassed or evasive about this use of her personal e-mail address. She assumed the Senate, and the rest of us, would understand. We simply accept that countries all over the world are desperately trying to recreate innovation hubs on the model of Silicon Valley, but Washington can’t figure out how to let agency officials print securely at home.
It’d be easy to laugh at government inefficiency, but this is a problem in many large organizations. There’s a natural tension between security and usability in any system. If you are an IT professional, the prospect of intrusion or a data leak in your company/agency’s system is what disturbs your sleep. The possibility that your secure system is inconvenient and hard to use outside the office is a more remote concern. But inconvenience leads to exasperation, and ultimately to the very insecure practice of e-mailing documents to your personal account. Again, this doesn’t just happen at government agencies; it happens at large companies, too. I have worked for some of them.
There are three solutions to this problem. The first is enforcement: Make sure employees don’t do it. This doesn’t seem to be working perfectly at the EPA. The second comes from Alaska’s Supreme Court, which ruled last October that the use of private e-mail for public work is not illegal. But the e-mails must be preserved and discoverable. That is, if government employees are shifting to private e-mail accounts, the law should follow them there. But that creates both practical and legal complications. How do you decide which e-mails in a Gmail account are public? And how does Google (GOOG) respond to a request for discovery?
Here’s a third idea: Government agencies and private employers should worry about usability. A fortress-secure system often requires multiple logins and verification. People work remotely, and they’re busy, and multiple logins are, frankly, a pain. This goes for e-mail and for document storage. If you, IT professional, are not making it easy for your employees to use your platforms, you’re encouraging them to just not use your system at all. What they do use might be less secure, as well as ethically or even legally questionable. A plea from the employees of the world: Usability is a security problem.