There were two ironies to the revelation that Vice President Pence had a private AOL email account that he used as recently as last year while serving as governor of Indiana. The first, and most obvious, is that the campaign that elevated Pence to his current position spent an awful lot of time criticizing Hillary Clinton for her use of a private email system while she was at the State Department. The second is that Pence’s situation was apparently actually worse: While hackers tried to access Clinton’s server, they were unsuccessful. Pence’s account, the Indianapolis Star reported, “was hacked.”
Apparently. While the two scenarios are dissimilar in a lot of important ways, there’s one way in which they might be the same: It’s not entirely clear that Pence’s email was actually hacked.
If Pence’s account was hacked, that’s a serious problem. While he wasn’t trading in international diplomacy (as Clinton was), he was still conducting official business from the account. (The Star published some of the official correspondence it received from a public records request.) A hack of any email is a problem. A hack of a government official’s is worse.
So here’s what we know. We know that, last summer, people who knew Pence were sent an email describing a trip to the Philippines that had gone bad, and asking for money to be sent to the stranded Pences so that they could get home. The Star got a copy of that email, too, which it published last June, before Pence was tapped to run with Trump. It’s signed “Mike & Karen,” Karen being Pence’s wife.
We also know that immediately after Pence discovered that the emails had been sent, he closed that email account. That point was reinforced to me by Marc Lotter, press secretary to Pence, when we spoke by phone on Friday. But when I asked if he knew with certainty that Pence’s account had actually been hacked, he said he didn’t.
The thing about email is that it’s extremely easy to fake. Email generally enjoys all of the security of a postcard sent through the mail; any server it stops at can see an unencrypted message that’s being sent. But the return address can also be faked, just like on an envelope. It’s trivial to set up a system to send out an email that appears to come from any address in the world. To see where it really came from, you need to check the equivalent of the cancellation, the hidden data that describes how the email was routed to you.
Spammers figured this out early. Instead of getting an email from buyV1agra@hotmail.com, you could get one that looked like it was coming from firstname.lastname@example.org. Eventually, spammers figured out an even-better improvement. By accessing people’s email address books, they could send messages to one person on the list and make it look like it came from someone else on that list. This tactic has the dual advantages of using a real email address as the origin and, on many occasions, connecting two people who actually know each other in real life. (How many people in your address book know the other people who are in it?)
This is called spoofing, and it doesn’t require access to Pence’s account at all. (AOL has a page helping users understand and detect spoofed emails.) In the opinion of Michael Borohovski, CTO of California-based Tinfoil Security, it’s as likely that the people who received that email from the Pences about the Philippines were victims of a spoofed message as it is that someone broke into Pence’s account to send it out.
“If his account was compromised,” Borohovski said, “the email could have been much more interestingly targeted.” A scam-tracking website reported emails circulating with the exact language used in the Pence email a few months prior to its being sent, with the exception that the Pence email was in the plural (“we” vs. “I”). Had someone accessed Pence’s account specifically, they could have used the information in the account to target specific people with specific messages. The use of a cookie-cutter message about the Philippines suggests that the senders may not have had access to more information.
How did the senders know the name of Pence’s wife? Remember: One possible source of the email was someone’s address book. If Pence’s email was in a family friend’s address book as “Mike & Karen,” that could be how the message was sent out.
There’s another option, pointed out by Borohovski. It’s possible that Pence accidentally downloaded malware to his desktop or phone that then sent out messages from his account. This wouldn’t necessarily require the account itself to be compromised.
It’s important to note that in 2014, AOL suffered a breach of its email system, with information about some 500,000 accounts — about 2 percent of the total — accessed. Pence would have been prompted to change his email after that breach, and the small scale of affected accounts makes it unlikely that his was among them. Among the data that was stolen? Address book contacts.
As the Star report notes, if the email was sent only to people in Pence’s address book, that’s evidence that the account was compromised. It’s not clear, though, that this was the case. It’s very hard to know for sure whether Pence’s account was hacked without seeing a copy of the email. The email itself would show us if the email was sent from AOL’s servers, as it would have been if his account had been hacked, or if it was sent through some other server — a forged return address. (If you received the Philippines email from Pence, let me know!)
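The header check described above, as an added example (not from the original article): it reads only the Received and Authentication-Results lines stamped by the recipient's own mail server, since anything below that hop is written by the sender. The sample messages, `mx.recipient.example`, the sending host names and the `assess_origin` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not the real message); hosts, IPs and addresses are placeholders.
HEAD = ("Received: from {host} ({host} [203.0.113.7])\n"
        "\tby mx.recipient.example with ESMTP; Wed, 1 Jun 2016 10:00:00 -0400\n"
        "Authentication-Results: mx.recipient.example; spf={r} smtp.mailfrom=aol.com;\n"
        "\tdmarc={r} header.from=aol.com\n"
        "From: Sender Name <user@aol.com>\nSubject: Urgent\n\nPlease send money.\n")
SPOOFED = HEAD.format(host="mail.bulk-sender.example", r="fail")
VIA_PROVIDER = HEAD.format(host="out.mx.aol.com", r="pass")

def assess_origin(raw, trusted_mta):
    """Classify a message using only headers stamped by our own receiving server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    handoff = None
    # Received lines below our own server's hop come from the sender and can be forged.
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", rcvd, re.S)
        if m and m.group(2).lower() == trusted_mta:
            handoff = m.group(1).lower()  # self-declared server name: a weak hint only
            break
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() == trusted_mta:  # skip results injected by the sender
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
                auth.setdefault(method, result.lower())
    host_ok = bool(handoff) and (handoff == from_domain
                                 or handoff.endswith("." + from_domain))
    if auth.get("dmarc") == "pass":
        verdict = "sent-via-provider"  # left the provider's own servers
    elif auth.get("dmarc") == "fail" or (auth.get("spf") == "fail" and not host_ok):
        verdict = "likely-forged"      # return address does not match the real sender
    else:
        verdict = "inconclusive"
    return {"from_domain": from_domain, "handoff_host": handoff,
            "auth": auth, "verdict": verdict}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("via provider", VIA_PROVIDER)):
        print(name, assess_origin(raw, "mx.recipient.example"))
```

A `sent-via-provider` verdict only rules out a forged return address; it cannot tell a compromised account from malware on the owner's own device, the other two possibilities the article raises.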
Borohovski noted that the situation with Pence potentially being hacked was “fundamentally different” than the situation with Clinton. Access logs indicated that hackers had tried to access her email server. There are no such fingerprints for Pence.
If you take nothing else away from this story, make it this: Email is a very, very fraught method of communication. Everyone, particularly those in positions of public trust, should be very wary about the security of the emails they send — not to mention the authenticity of questionable messages they receive.