This White House has had a lot of trouble with privacy and cybersecurity: Former communications director Hope Hicks lately claimed her email account was hacked, numerous staffers used possibly compromised personal email accounts despite the warnings of intelligence officials, and aides have repeatedly unintentionally revealed information like the secretary of defense’s phone number. Now, one staffer appears to have left their encrypted email password at a bus stop.
According to the Intercept’s Ryan Grim and (former Gawker Media writer) Sam Biddle, a source found a piece of paper with ProtonMail login information belonging to administration employee Ryan P. McAvoy, a staff assistant, on official stationery “at a bus stop near the White House.” The Intercept said it was able to confirm the authenticity of the account details, though it redacted the password in a photo.
ProtonMail is a free to use, encrypted email service; merely having the password might not have been enough to breach the account’s security if two-factor authentication was enabled, but losing it is at a minimum embarrassing.
Without more context it’s unknown whether McAvoy’s account was purely personal or could have been being used for official business. When administration officials like Jared Kushner have used private emails to do government work, it’s raised suspicions they were attempting to hide information from the public. As Wired noted last year, allegedly widespread use of encrypted messaging services like Confide in the White House raises legal questions if the intent of their use is to skirt regulations on the retention of federal records.
Per the Intercept, Democrats on the House Intelligence Committee—a GOP-controlled body which just finished its rubber-stamp investigation of Russian interference in the 2016 elections—released a letter this week outlining steps they would take to investigate whether White House officials are trying to avoid scrutiny via non-official communications channels. They specifically targeted Kushner, saying if they took control of the House during the upcoming 2018 midterms, they would seek to compel the release of “all messaging applications that Mr. Kushner used during the campaign as well as the presidential transition, including but not limited to SMS, iMessage, Whatsapp, Facebook Messenger, Signal, Slack, Instagram, and Snapchat.”
Later in the letter, the Democrats issued a now-familiar call for services including Apple and Facebook subsidiary WhatsApp to provide user records for encrypted chat services for persons of interest to the investigation. In the case of Apple, they said they would seek records “reflecting downloaded encrypted messaging apps for certain key individuals,” and they added they would subpoena WhatsApp “for messages exchanged between key witnesses of interest.” (WhatsApp makes heavy use of end-to-end encryption, meaning the company cannot simply furnish the chat logs, though it does hand over extensive metadata to authorities upon request.)
In any case, add this to the growing list of dumb ways Donald Trump’s team has gotten sloppy on security.
Update 3:10pm ET: As noted in the comments below, it’s worth mentioning that ProtonMail is foreign-owned, based in Switzerland, and advertises itself on its website as being particularly difficult for law enforcement services in “US and EU jurisdiction” to access due to the country’s strict privacy laws. As Wired wrote, that’s partially true—though Switzerland has a mutual legal assistance treaty relationship with the US which would compel Swiss authorities to cooperate in any international investigation. ProtonMail does insist even its own administrators are unable to decrypt user’s message in that scenario, though Wired added it is theoretically possible the government could compel the service to falsify keys or serve malicious Javascript to users in an attempt to gain entry.
Update 3/20/2018: ProtonMail has forwarded Gizmodo a statement in which it emphasized that extra “security is desirable for practically anyone that uses the internet,” as well as that the use of ProtonMail by a government official is not in and of itself illegal or indicative of illegal activity. The service also wanted to make it clear that nothing about ProtonMail makes it impossible to comply with public records laws and that “there is nothing out of the ordinary with possessing an account.”
“Emails, encrypted or not, can be subject to subpoenas,” ProtonMail added. “The difference is that when it comes to encrypted emails, it is not possible to obtain them from the service provider, and instead the subpoena must be served to the individual or organization under investigation.”