People bypass the careful arrangements made for them by IT departments all the time: They forward corporate e-mail to private addresses on Gmail, Hotmail or Yahoo!; they insert untested USB sticks into machines; and they copy files onto their own devices. Usually they do these sorts of things in order to get work done more efficiently. In running a private mail server Hillary Clinton was doing a more complex version of the sort of thing millions of other Americans do.
Calling Clinton's setup "home brew" makes it sound as though she got someone's nephew to knock together some untested code running on a Raspberry Pi computer. The reality is she seems to have used well-known, well-regarded suppliers. Political point-scoring aside, the fact that many are calling her arrangement home brewed shows how much the widespread use of Web mail has changed expectations. As recently as a decade ago it was not uncommon for those with some technical ability to run their own mail servers. Now it's considered kind of weird, even among geeks who deplore the privacy-invasive centralization of such services.
I set my server up in 2003 to do three things: consolidate myriad historical e-mail addresses; reduce spam; and ensure I controlled my most critical communications function. My setup works just as well as Gmail or Hotmail but no one scans my messages to target advertising and no one can get the complete back archive by cutting a secret deal. Clinton's motivations are unlikely to be identical but I'd expect control to be on her list, especially given her political history. Having her own server also frees her from changing her address every time her work status changes. It also keeps her from being at the mercy of mass-market providers that chop and change services for their benefit, not hers.
The two main reasons for the public to be concerned about her decision to use a home-based e-mail server rather than the one officially maintained by the Department of State are transparency and security.
As a public official, Clinton is required to ensure that copies of her correspondence enter the historical record. At least in theory, running a private mail server gives Clinton the power to cherry-pick e-mails she chooses for the record, permanently withholding or deleting the rest. As millions can attest, however, you can never be sure there are no copies that will surface later. A smart government official wishing to keep communications secret would do best to avoid anything electronic. In this case, Clinton's situation mirrors our own: How far should employers—in this case, us—have the right to monitor their employees?
Security is more complex. E-mail is an inherently insecure medium with many moving parts, each of which may be compromised, attacked or misconfigured. Encryption is critical to protect messages from interception or alteration, both in transit and at rest. It's increasingly standard practice to configure mail servers to use the TLS (transport layer security) protocol to encrypt all incoming and outgoing channels. Although the National Security Agency as well as the U.K.'s Government Communications Headquarters have reportedly compromised TLS, it will still defeat most would-be snoops. A mail server using TLS presents a cryptographic credential known as a certificate, which both e-mail software and other mail servers check at each connection to verify the server's identity. Most servers pay a few hundred dollars to a certificate authority for a unique certificate; however, many smaller ones sign their own. Experts quoted by Bloomberg report that Clinton's server used a self-signed certificate shipped with the device on which her server runs. This is a vulnerability sites such as Gawker, Wired and Gizmodo have called out, noting that the government itself uses much more powerful military-grade encryption and certificates. Message-level encryption, which is built into e-mail client software rather than servers themselves, is a separate issue—ideally you'd want the secretary of State to be using this, too. It's unknown whether Clinton did.
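The check the Bloomberg experts describe, looking at the certificate a mail server offers on STARTTLS and seeing whether anyone but the server itself vouches for it, can be reproduced with the openssl command-line tool. The script below is an added example, not from the article; it assumes openssl is installed and the host name is one you administer or are authorised to inspect.

```shell
#!/bin/sh
# Added example: inspect the certificate a mail server presents on STARTTLS
# and classify OpenSSL's verification result. The host name is a placeholder
# supplied by the reader.

# Fetch the STARTTLS handshake transcript from a mail server on port 25.
# -servername sets SNI so a server hosting several domains sends the right cert.
smtp_tls_report() {
    host="$1"
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:25" \
        -servername "$host" 2>/dev/null
}

# Turn an s_client transcript (read from stdin) into a one-word verdict:
#   ok           the chain verifies against the system CA store
#   self-signed  verify codes 18/19: the server vouches only for itself, as
#                Clinton's server reportedly did; clients either warn or,
#                worse, are configured to ignore the mismatch
#   expired      verify code 10
#   untrusted    any other non-zero verify code
#   no-tls       no handshake completed (STARTTLS not offered or unreachable)
classify_verify() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        "")    echo no-tls ;;
        0)     echo ok ;;
        18|19) echo self-signed ;;
        10)    echo expired ;;
        *)     echo untrusted ;;
    esac
}

# Usage: smtp_tls_report mail.example.com | classify_verify
```

A verdict of ok only says a public CA vouches for the host name; it says nothing about the other server in the conversation, which is why the article treats message-level encryption as a separate question.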
All of this is to protect against two main risks: interception and tampering. For a secretary of State communicating with high-level diplomats in other countries as well as her own staff, it's crucial that her messages reach only the intended recipients—but equally so to be sure only messages genuinely coming from her have been sent. For most of us, the danger that our e-mail has been spoofed ends with embarrassment and maybe some technical support to clean viruses off our click-happy friends' computers. For a secretary of State it could mean upsetting months of delicate negotiations.
Experts generally agree that even the best efforts won't protect you from serious, persistent, targeted attacks by actors with the size and resources of a nation-state who can, if online attacks fail, send someone to break into your house and install a key logger on your computer. It is fair to say that Clinton is unlikely to have the technical resources and funding the government does to protect her e-mail, although she could counter that with the 2011 leak of 250,000 U.S. diplomatic cables. And we can hope that she viewed e-mail as a poor channel for highly sensitive communications. Until we see the official record, it's hard to guess how scandalized we should be.