I have so far used the singular term, “e-mail server,” in describing the referral that began our investigation. It turns out to have been more complicated than that. Secretary Clinton used several different servers and administrators of those servers during her four years at the State Department, and used numerous mobile devices to view and send e-mail on that personal domain. As new servers and equipment were employed, older servers were taken out of service, stored, and decommissioned in various ways. Piecing all of that back together—to gain as full an understanding as possible of the ways in which personal e-mail was used for government work—has been a painstaking undertaking, requiring thousands of hours of effort. . . .
The FBI also discovered several thousand work-related e-mails that were not in the group of 30,000 that were returned by Secretary Clinton to State in 2014. We found those additional e-mails in a variety of ways. Some had been deleted over the years and we found traces of them on devices that supported or were connected to the private e-mail domain. Others we found by reviewing the archived government e-mail accounts of people who had been government employees at the same time as Secretary Clinton, including high-ranking officials at other agencies, people with whom a Secretary of State might naturally correspond.
This helped us recover work-related e-mails that were not among the 30,000 produced to State. Still others we recovered from the laborious review of the millions of e-mail fragments dumped into the slack space of the server decommissioned in 2013.
With respect to the thousands of e-mails we found that were not among those produced to State, agencies have concluded that three of those were classified at the time they were sent or received, one at the Secret level and two at the Confidential level. . . .
For example, seven e-mail chains concern matters that were classified at the Top Secret/Special Access Program level when they were sent and received. These chains involved Secretary Clinton both sending e-mails about those matters and receiving e-mails from others about the same matters. There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation. In addition to this highly sensitive information, we also found information that was properly classified as Secret by the U.S. Intelligence Community at the time it was discussed on e-mail (that is, excluding the later “up-classified” e-mails).
None of these e-mails should have been on any kind of unclassified system, but their presence is especially concerning because all of these e-mails were housed on unclassified personal servers not even supported by full-time security staff, like those found at Departments and Agencies of the U.S. Government—or even with a commercial service like Gmail.
Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information. But even if information is not marked “classified” in an e-mail, participants who know or should know that the subject matter is classified are still obligated to protect it.
While not the focus of our investigation, we also developed evidence that the security culture of the State Department in general, and with respect to use of unclassified e-mail systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government.
With respect to potential computer intrusion by hostile actors, we did not find direct evidence that Secretary Clinton’s personal e-mail domain, in its various configurations since 2009, was successfully hacked. But, given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence. We do assess that hostile actors gained access to the private commercial e-mail accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton’s use of a personal e-mail domain was both known by a large number of people and readily apparent. She also used her personal e-mail extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries. Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton’s personal e-mail account. . . .
this is not to suggest that in similar circumstances, a person who engaged in this activity would face no consequences. To the contrary, those individuals are often subject to security or administrative sanctions. But that is not what we are deciding now.