Trump’s cybersecurity hypocrisy, in 10 tweets

For all of Donald Trump’s extended hand-wringing over Hillary Clinton’s emails, his concerns about her conduct appear to have merely been campaign rhetoric. Though Trump came down harshly and repeatedly on Clinton’s use of a private email server while secretary of state, he’s since remained silent about the lapses he and some of staff have had in cybersecurity.

Thursday morning, White House press secretary Sean Spicer tweeted a bizarre string of eight numbers and letters before deleting them shortly thereafter. Some on Twitter guessed that he may have accidentally broadcast his Twitter password.

This wasn’t Spicer’s first cryptic tweet since assuming the role of press secretary. The day before, he published a different unintelligible mix of letters, which he promptly deleted.

In the midst of Spicer’s tweeting, a New York Times article was published Thursday that detailed possible security risks President Trump himself could pose because of his continued use of an old, unsecured Android phone. (Trump uses it for, among other things, tweeting.) As the New York Times’s Cecilia Kang explains,

Twitter requires a connection to the internet, which exposes the device to security vulnerabilities if proper measures like two-factor authentication — a password and a code texted to a phone, for example — are not in place. If he uses the smartphone on an unsecure Wi-Fi network, he could be exposing his location and other personal information on the device.

Then, seemingly confirming the security vulnerabilities related to Trump’s Twitter habit, it was revealed that Trump’s account is tied to the private Gmail address of Dan Scavino, Trump’s head of social media. The recovery screen below, if authentic, indicates that Trump had not set up two-factor verification for his account, a simple procedure that helps users limit who is able to log in to their accounts and also whether personal information is shown if a password needs to be recovered.

Trump’s own fixation on hacking predates his presidential campaign and, like much of his discourse, is evidenced on Twitter. While many remember when Trump urged Russia to hack Clinton’s emails in July 2016 during a news conference, it’s worth noting that he also called for a hack of President Obama’s college records back in September 2014.

In 2015, he criticized the federal government after Chinese hackers stole Social Security numbers of federal employees.

And in 2016, he actually doubled down on his controversial invitation for Russia to hack Clinton, tweeting:

After his election, Trump criticized the Democratic National Committee for allowing itself to be hacked, arguing that the Republican National Committee was not hacked because it had better security. In fact, FBI Director James Comey told lawmakers that Russian hackers did execute a “limited penetration” of older RNC systems “no longer in use.”

Then earlier this month, ignoring evidence from US intelligence agencies that Russia was definitively behind the hacks, Trump tweeted:

At a news conference days later, Trump finally acknowledged that Russia was involved in election hacking, saying, “As far as hacking, I think it was Russia. Hacking’s bad, and it shouldn’t be done.” Still, he praised the results of Russia’s efforts. “But look at the things that were hacked, look at what was learned from that hacking,” he said, likely referring to Clinton campaign chair John Podesta’s emails.

Most recently, Trump called the dossier of unverified claims about Russia’s supposed information about him “FAKE NEWS,” and promised to release a “full report” on Russian hacking of the election within 90 days.

One would hope Trump is less keen on inviting foreign governments to hack federal agencies now that he holds the keys to the White House. Regardless, his entire administration should look into two-step verification for all of their accounts ASAP, at the very least.