WASHINGTON — The State Department’s inspector general has sharply criticized Hillary Clinton’s exclusive use of a private email server while she was secretary of state, saying she had not sought permission to use it and would not have received it if she had.
In a report delivered to members of Congress on Wednesday, the inspector general said that Mrs. Clinton “had an obligation to discuss using her personal email account to conduct official business” with officials responsible for handling records and security but that inspectors found “no evidence” that she had.
The review “found no evidence” that Mrs. Clinton had requested or received approval from anyone at the department to conduct her state business on a personal email.
It said that she “had an obligation” to do so, given the well-known security risks involved in using a personal account. And it also said that department officials “did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business.”
It also added new detail about Mrs. Clinton’s motivation for using the private server, which she has said was set up for convenience. In November 2010, her deputy chief of staff for operations prodded her about “putting you on state email or releasing your email address to the department so you are not going to spam.” Mrs. Clinton, however, replied that she would consider a separate address or device “but I don’t want any risk of the personal being accessible.”
The report, as well as an F.B.I. investigation and other legal challenges seeking information about her use of the server, is certain to keep alive a controversy that has shadowed Mrs. Clinton’s campaign for the presidency. The events have all come to a climax just as she is close to defeating Senator Bernie Sanders for the Democratic presidential nomination.
Mrs. Clinton and her aides have played down the inquiries, saying that she would cooperate with investigators to put the email issue behind her. Even so, through her lawyers, she declined to be interviewed by the State Department’s inspector general as part of his review. So did several of her senior aides.
Mrs. Clinton’s campaign spokesman, Brian Fallon, issued a statement emphasizing the findings that the problems with record keeping extended beyond Mrs. Clinton’s tenure.
“Contrary to the false theories advanced for some time now, the report notes that her use of personal email was known to officials within the Department during her tenure, and that there is no evidence of any successful breach of the Secretary’s server,” Mr. Fallon said in the statement.
The report broadly criticized the State Department as well, saying that officials had been “slow to recognize and to manage effectively the legal requirements and cybersecurity risks” that emerged in the era of emails, particularly those of senior officials like Mrs. Clinton.
It said that “longstanding systemic weaknesses” in handling electronic records went “well beyond the tenure of any one secretary of state” but the body of the report focused on the 30,000 emails that Mrs. Clinton sent and received on her private server.
The State Department issued numerous warnings dating back a decade about the cyber-security risks of using personal emails accounts for government business, the report said, and Mrs. Clinton was personally sent a memo in 2011 warnings of hackers trying to target unclassified, personal email accounts. She was also given a classified, in-person briefing on the dangers, the report said.
The report found that while dozens of State Department employees used personal email accounts periodically over the years, only three officials were found to have used it “exclusively” for day-to-day operations: Mrs. Clinton; Colin Powell, the secretary of state under President George W. Bush; and Scott Gration, the ambassador to Kenya from 2011 to 2012.
The review “found no evidence” that Mrs. Clinton had requested or received approval from anyone at the department to conduct her State Department business on a personal email. But it said that she “had an obligation” to do so, given the well-known security risks involved in using a personal account. And it also said that department officials “did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business.”
But while State Department officials never directly told Mrs. Clinton or Mr. Powell that they needed to end their use of personal email, the report found, they did do so with Mr. Gration, a lower-level diplomat who did not have their political clout.
The response to Mr. Gration’s situation “demonstrates how such usage is normally handed when Department cybersecurity officials become aware of it,” the report said.
State Department security officials warned Mr. Gration in 2011 that he was not authorized to be using personal email for government business in Kenya. He continued doing so anyway, however, and the State Department initiated disciplinary action against him over “his failure to follow these directions” and several other undisclosed infactions, the report said. He resigned in 2012 before any discipline was imposed.
The report did not delve deeply into the issue that has become the focus of the F.B.I.’s investigation — the references in dozens of emails to classified information, including 22 emails that the Central Intelligence Agency considered “top secret.”
But it called into question the security risk of using a private server for what were clearly sensitive discussions of the nation’s foreign policy. It noted that Mrs. Clinton sent or received most of the emails that traversed her server from a mobile device, her BlackBerry.
It said a “nondepartmental adviser” to Bill Clinton, apparently Bryan Pagliano, informed the department that he had shut down the server because “someone was trying to hack us and while they did not get in, I didn’t want to let them have a chance.”
The attack continued later that day, prompting another official to write to two of Mrs. Clinton’s top aides, Cheryl Mills and Jake Sullivan, to warn them not to send Mrs. Clinton “anything sensitive.” She explained that she would “explain more in person.”
The report also criticized Mrs. Clinton for not adhering to the department’s rules for handling records under the Federal Records Act once she stepped down in January 2013.
“Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act,” the report said.
The inspector general also said that while Mrs. Clinton had turned over her email, she had not included those she sent and received in her first months as secretary from January to April 2009. In 2015, the Department of Defense also turned over 19 emails between Mrs. Clinton and David H. Petraeus that had been sent from his official email account to her private account but had not been included among those turned over.
Mrs. Clinton belatedly turned over 55,000 pages of emails to the State Department — which she said were all the records “in her custody.”
But investigators determined that her production of those records was “incomplete,” and they found gaps in the documents that she turned over.
The controversy over Mrs. Clinton’s emails could force significant changes in the department, which has face new scrutiny about its handling of records, including from the conservative watchdog organization, Judicial Watch. The inspector general made a series of recommendations for the department, and a spokesman, Mark Toner, said they would be implemented.
Secretary of State John Kerry also acknowledged to the inspector general that he had used a personal account at times during his transition between leaving the Senate and joining , but that after becoming secretary and discussing the issue with aides, he “began primarily using his Department email account to conduct official business.”
Mr. Kerry said that while he occasionally responded to people who emailed him on his personal account, he would preserve the records.