A new reality has set in to political campaigns: Candidates must expect that their private email accounts will be hacked, and the contents splashed onto the internet, possibly squandering their chances of victory or exposing personal secrets.
Email hacking is now an entrenched tactic for practitioners of political sabotage.
Whether politicians are swapping tales of town halls, dishing on their opponents or sharing intimacies with spouses — or others — they now know that a private conversation can explode on to the internet.
Digital Access for only $0.99
For the most comprehensive local coverage, subscribe today.
Sitting senators have responded in different ways.
“I usually keep my emails pretty well minimized,” said Sen. Jon Tester, a Montana Democrat who is up for re-election in a state that President Donald Trump won in 2016. “Most of them I dump as soon as I get them.”
Tester said the Senate uses a two-step authentication process to sign on.
"But are we where we need to be? We can never put enough due diligence to this because I think they're going to continue to hack," he said.
If anecdotes are any indication, some senators rely less on email than before.
"If I have anything sensitive to discuss, that's why God made telephones," said Sen. John Kennedy, a Louisiana Republican, quickly adding, "but even then, that may not be safe."
Hacked accounts have roiled politics since 2016, when the radical transparency group WikiLeaks published tens of thousands of emails of John Podesta, chairman of Hillary Clinton’s presidential campaign, opening a window on the inner workings of her campaign. WikiLeaks declined to say how it got the hacked emails.
A year later, French candidate Emmanuel Macron saw more than 20,000 campaign emails turn up on the internet before his election as president.
While the culprits have not been identified, blame falls heavily on Russian state hackers who U.S. intelligence officials say mounted a vast campaign to favor Donald Trump for the White House and to disrupt politics in Europe.
“Every Western country must assume that they will see a rise in these efforts in every election cycle moving forward,” said Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology, a cybersecurity think tank.
He said it is imperative that candidates and their staffs “be on high alert and practice strong cyber hygiene at an individual level.”
Hackers can take control of a private internet account through several means. A common one is to send a “phishing” email to a target, posing as a friend or co-worker. The email may contain a malicious attachment. Other tainted emails may appear to be queries from a bank or internet service provider and request a user to log on again. Once the target clicks on the link or offers a new login, the hacker can take control of the account.
Even those with deep training in security, like White House Chief of Staff John Kelly, can get duped. Buzzfeed News this month published one of Kelly’s emails, obtained after a lawsuit filed under the Freedom of Information Act, in which he acknowledged that one of his personal email accounts was hacked.
One freshman lawmaker, Rep. James Comer, R-Ky., said many legislators “learned a lesson from the Hillary emails.”
“The mindset for politicians these days is don't put anything in an email that you wouldn't want to read on the front page of the paper,” Comer said.
He said a bigger fear is of being hacked on social media and someone posting bogus information, which he said happened to one of his Facebook pages during the last campaign.
"We got it down and Facebook fixed it and no one made a big issue out of it," he said.
But for email, he said, "I don't think anybody puts things in email that they wouldn't want leaked out because it's going to get leaked out, one way or another. If you've made it to this level in politics, it's something you've figured out."
Comer's confidence may not bear out, given that Hillary Clinton had been first lady, secretary of State and a U.S. senator when her emails were hacked; Kelly was a four-star Marine general and the secretary of the Department of Homeland Security, and Podesta was a seasoned political operative.
Some legislators don’t bother with changing passwords.
Sen. Tammy Baldwin, D-Wisc., who is up for re-election in a state that Trump won in 2016, said she hasn't changed her password in "forever," and said it was set up by a young relative. "I still have it," she said, laughing.
Sen. Tim Scott, R-S.C. said he doesn't change his email password any more frequently either, but subscribes to the theory that "anything you send via email you should expect that someone else has seen it."
“I think you should always be careful on what you send through email. Always," he said.
Hackers who get into a politician’s email will be looking for “inappropriate texts,” including those revealing discriminatory or sexist attitudes, or financial misdealing, said Robert Rodriguez, who spent two decades in the Secret Service and later founded the Security Innovation Network, a San Francisco-based tech community that battles cybersecurity threats.
A good creed to follow on internet usage is: “We have no privacy anymore, zero,” Rodriguez said.
When personal information or email is divulged, for citizens and politicians alike, it is a tactic known as doxxing and it can be humiliating.
"Doxxing is a nasty, nasty, nasty thing to have happen,” Ford said. “Even my personal email, which is relatively benign— it’s mostly letters to my wife telling her I miss her when I’m on the road — would be embarrassing to me were it published."
Some experts said activists and smaller groups, not just foreign governments, could try their hand at hacking, and politicians have not adequately prepared.
“It’s a powerful technique and I don’t think that steps have been taken to deter those kinds of activities,” said Jennifer Kavanagh, a political scientist at RAND Corp., a nonprofit global policy think tank in Santa Monica, California.
Kavanagh said future dumps of supposedly hacked emails of political figures may generate even more confusion. Fake emails might be mixed in with real hacked ones.
"It’s increasingly easy to manipulate information, to make information look like it's real when it is not, and that includes emails,” she said. “I think the problem is only getting worse.”