Four weeks ago, Bart Gellman of the Century Foundation delivered a keynote address at Purdue University’s “Dawn or Doom?” colloquium. His topic was “The NSA, Edward Snowden, and National Security Journalism.” As part of his lecture, Gellman displayed slides of a handful of the documents that Snowden leaked (some of which Gellman published in the Washington Post; others of which were published by Der Spiegel and the Intercept), which describe certain NSA data collection programs, including Upstream and PRISM. Purdue live-streamed the lecture, and told Gellman it would be posted online shortly.
But Purdue has not posted the Gellman lecture video. Nor, in all probability, will the video ever be posted . . . because it no longer exists: Purdue apparently “wiped” all copies of the lecture video from university servers because it contained screen shots of the Snowden documents. On October 8, the organizer of the conference, Dr. Gerry McCartney, from Purdue’s Chief Information Office, posted this statement on behalf of the university, offering an alarming excuse for Purdue’s actions:
Purdue has been recognized as a national leader in its commitment to freedom of expression and free and open inquiry and debate. We reject entirely the notion that complying with clear federal law is in any way an abridgment of those principles. We have already acknowledged that perhaps a better way to comply would have been to block only the classified information in question. And if we can correct that situation, we will. But a speaker’s decision to exercise civil disobedience does not obligate Purdue to join him in that act.
(A Purdue spokesperson later told Gellman that the university’s technical experts are “attempting to recover the video” — but if it is ever displayed, presumably it will be with redactions of any information the university identifies as classified. In the meantime, the Century Foundation has posted an audio recording of the lecture, together with its own posting of the referenced Snowden documents.)
Why did Purdue do this? What is the “clear federal law” that it thinks required such an unprecedented destruction of an invited speaker’s lecture? The university — apparently in consultation with the Department of Defense — concluded two things: (i) that at least some of the information in the Snowden documents remains classified; and (ii) that complete nondisclosure of classified information by anyone at the university is a condition of a “facility security clearance” that Purdue has received — a clearance that is required in order for Purdue researchers to contract with the federal government to do defense-related research. According to Purdue legal counsel Steve Schultz, “[w]hen the classified nature of some material was confirmed, Purdue’s security officer made a judgment call, based on a reading of regulations, that we shouldn’t disseminate it,” and “Purdue’s DSS industrial security representative [from DOD] confirmed the propriety of this assessment.”
The result, according to Gellman, is that Purdue has “set an unhappy precedent,” and “compromised its own independence and that of its students and faculty”: Whereas at first the university “accepted what may have seemed a limited burden, confined to the precincts of classified research,” Purdue now “finds itself ‘sanitizing’ a conference that has nothing to do with any government contract.”
Moreover, if Purdue were correct about its legal obligations, the problem would go well beyond the decision whether to post a lecture to YouTube, and would cut to the heart of the university’s commitment to open inquiry and learning. As Gellman says, “suppose a professor wants to teach a network security course, or a student wants to write a foreign policy paper, that draws on the rich public record made available by Snowden and Chelsea Manning—those cases will be hard to distinguish from mine.”
Can Purdue possibly be right that it is legally forbidden from posting the Gellman video online? Can it possibly be the case, as Purdue alleges, that Gellman’s lecture was an act of “civil disobedience”? What’s happening here? Let’s break this down into three basic questions:
(i) Is the information in the Snowden documents still classified?
(ii) If so, should it be?
(iii) If the information remains classified, does Purdue — and/or Gellman — have a legal obligation not to disclose it, even in the context of a lecture that uses slides of materials that are widely available online?
1. Is the information in the Snowden documents still classified?
At least some of it is not. Right after the Snowden revelations, for instance, on June 6, 2013, the Director of National Intelligence declassified certain information about the Section 215 telephony metadata collection program, and announced that the administration was “undertaking a careful and thorough review of whether and to what extent additional information or documents pertaining to this program may be declassified, consistent with the protection of national security.”
I do not know the extent to which the government has declassified other information on Gellman’s slides. In response to a question during his lecture, however, Gellman stated that the “documents, by and large, are still classified.” And Purdue representatives, perhaps in consultation with a DOD official, apparently agree. So let’s assume for present purposes that at least some of the information that Gellman discussed and displayed in his lecture does, in fact, remain classified.
2. Should the information in the Snowden documents remain classified?
Before turning to the question of Purdue’s obligations, let’s examine whether the U.S. government should, or must, declassify the information on the Snowden documents by virtue of the fact that the documents are now freely available on the Internet — something that would itself resolve the Purdue problem.
Classification and declassification of government information is governed by Executive Order 13526. That executive order does not itself impose any limitations on an individual’s dissemination of information. Such constraints are primarily a function of contractual obligations: government employees and contractors must sign nondisclosure agreements in order to obtain access from the government to classified information. The E.O. in turn, prescribes the basic rule for when government officials may convey classified information to others: Subsection 4.1(a)(2) provides that “[a] person may have access to classified information provided that . . . the person has signed an approved nondisclosure agreement.”
Why does, or can, a government agency designate information as classified? Under E.O. 13526, an agency can only classify information if it determines that the unauthorized disclosure of the information, i.e., a revelation by someone who has been given the information on the condition that she will not disclose it, “reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage” (section 1.1(a)(4)). Much or all of the information on Gellman’s slides was classified long before the Snowden leaks, because the relevant agencies determined that disclosure of the information “reasonably could be expected to result in damage to the national security.”
The Executive Order also requires, however, that the classifying authority declassify that same information when that standard is no longer satisfied: “Information shall be declassified as soon as it no longer meets the standards for classification under this order” (section 3.1(a)). Accordingly, if disclosure of the information by someone who has agreed not to disclose it no longer “reasonably could be expected to result in damage to the national security,” or if the original classification authority is no longer “able to identify or describe the damage” that could reasonably be expected to result, then the E.O. mandates declassification, even if the original classification decision was proper.
So what happens, in terms of classification status, when someone such as Snowden breaches his obligation and leaks classified information, which then becomes freely available online?
One thing is clear: The leak itself does not automatically serve to declassify the information. See E.O. section 1.1(c) (“Classified information shall not be declassified automatically as a result of any unauthorized disclosure of identical or similar information.”). It remains the obligation of the classifying authority to make the declassification decision. And it’s easy to see why there would be many cases in which the standard for classification would continue to be satisfied even after a leak.
Take, for example, the daily occurrence of orally leaked information, attributed to an anonymous government source. In such a case there might remain a good deal of public uncertainty about whether the information is accurate — uncertainty (or ambiguity) that would be eliminated if the information were to be declassified, which might possibly harm national security. Moreover, even when the public widely assumes the accuracy of the information, and relevant parties act or otherwise rely upon that assumption, there might still be compelling reasons for the government not to officially acknowledge U.S. involvement in the activity in question, wholly independent of any damage caused by the revelation of the information itself. See generally Wilson v. CIA, 586 F.3d at 197-200 (Katzmann, J., concurring) (2d Cir. 2009); and my post here. Accordingly, an agency might well decide, even after such a leak, that further disclosure by U.S. employees or contractors could reasonably be expected to result in further damage to the national security . . . in which case declassification would not be required.
But what about a case such as the Snowden leaks, in which the government documents themselves are posted online? Can the legal standard for continued classification possibly be met in such a case, where the documents are freely and notoriously available for all to see?
I suppose that, in theory, there might be some uncertainty about the authenticity of one or more of the documents, such that government confirmation of their authenticity “reasonably could be expected to result in damage to the national security.” But that’s quite doubtful here: How likely is it that any persons whose actions might affect national security are hesitating to act based upon doubts about the authenticity of the Snowden documents? Not very likely.
Nor is this a case such as the one I describe above involving orally leaked information, in which there remains great uncertainty about the accuracy of the leaked information, or in which official government acknowledgement of U.S. actions might itself do damage to the national security. The governmental confirmation of what NSA was doing appears in the Snowden documents themselves (assuming their authenticity): that damage has already been done, and thus it’s hard to see why it would be reasonable to conclude that further “disclosure” of the information by government employees and contractors “could be expected to result” in any further “damage to the national security.”
If this is correct, then it would appear the government is required, under E.O. 13526, to declassify the information in the Snowden documents that is freely available online.
To be clear, such declassification would not mean that employees and contractors could freely say whatever they wished about the NSA programs at issue. There might well remain a national security interest in prohibiting employees and contractors from disclosing additional classified information, related to the information contained in the Snowden documents but not contained therein: For example, presumably there would be a national security interest in prohibiting such persons from disclosing the extent to which the NSA continues to engage in certain operations described in the Snowden documents.
But prohibiting government employees from accessing the Snowden documents on the Web? Prohibiting universities with government grants from allowing speakers, students and faculty to display and discuss the documents themselves, and the particular information contained in them? Unless I’m missing something, it is very difficult to see how such activities “reasonably could be expected to result in damage to the national security,” when everyone else in the world may freely access and use such documents. And if such uses of the information could not “reasonably . . . be expected to result in damage to the national security,” then the Executive Order requires declassification of that publicly available information.
3. If the information remains classified, does Purdue — and/or Gellman — have a legal obligation not to disclose it, even in the context of a lecture that uses slides of materials that are widely available online?
OK, but whether or not the government must declassify the information going forward, let’s assume, as explained above, that some of the information in the Snowden documents remains classified for now, properly or not. Does this mean that everyone at Purdue University is prohibited from disseminating or publicly discussing such classified information, and from displaying or quoting from the Snowden documents, even if they obtain the documents and information from the Web rather than from the government? That Gellman himself is prohibited from displaying and discussing the documents?
As for Gellman, the answer is easy: No. Members of the public can freely use, and disseminate, the information found in the documents that are widely available online, without breaking any law, even if the information in the documents is classified.* Therefore Purdue’s accusation that Gellman has engaged in “civil disobedience” is absurd.
Purdue itself, however, apparently does have contracts with the government to do defense- and national security-related research, as part of what is known as the “National Industrial Security Program (NISP)”; and the government almost certainly conveys classified information to individuals at the university who have security clearances in order to facilitate such NISP research. Therefore Purdue, like countless other universities and other government contractors, must agree to abide by the provisions of DoD Manual 5220.22-M, the “National Industrial Security Program Operating Manual (NISPOM).”
The baseline requirement of the Manual, contained in section 1-200, is that “[c]ontractors shall protect all classified information to which they have access or custody.” The remainder of the Manual is, in effect, over 100 pages of detailed rules for implementing that basic norm. One of those rules is section 5-511, entitled “Disclosure to the Public,” which reads:
Contractors shall not disclose classified or unclassified information pertaining to a classified contract to the public without prior review and clearance as specified in the Contract Security Classification Specification for the contract or as otherwise specified by the [government contracting representative].
Such a nondisclosure condition makes perfect sense, and is legally unobjectionable, with respect to classified information the university receives from the government itself (or its agents) for purposes of the research it has contracted to perform — i.e., with respect to what section 5-511 refers to as “information pertaining to a classified contract.” See Seattle Times v. Rhinehart; Snepp v. United States.
But what about classified information that a contractor university’s faculty and students — and invited lecturers — has lawfully obtained not from the government itself, but instead from other sources, including from the Internet, as in the Gellman case?
Some parts of the NISPOM, such as section 5-511, quoted above, suggest that the nondisclosure conditions are inapposite in such a case — that they apply only to classified information the government provides to the contractor for purposes of the contract. The Undersecretary of Defense’s Foreword, for instance, on the very first page of the Manual, states that the Manual “provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP.” Likewise, the first sentence of section 1.02(b), defining the “scope” of the Manual, states that the Manual “applies to and shall be used by contractors to safeguard classified information released during all phases of the contracting, licensing, and grant process, including bidding, negotiation, award, performance, and termination.”
The very next sentence of section 1.02(b), however, states that the Manual “also applies to classified information not released under a contract, license, certificate or grant . . . .” See also section 9-305 (“All classified intelligence information in the contractor’s possession shall be safeguarded and controlled according to the provisions of this manual for classified information of the same classification level . . . .”).
It’s likely that this second sentence is the source of the confusion at Purdue. Purdue officials probably read this language to prohibit the entire university from publicly showing, or discussing, all classified information — even classified information that members of the community (or invited speakers, such as Gellman) obtain independently of Purdue’s contractual relationships with the government.
Is this a proper reading of the Manual? There are reasons to doubt that it is. After all, if the university had no contracts with the government, its faculty and students and lecturers would generally be free to use and disseminate such information, at least if they obtained it lawfully (which would be the case for the Snowden documents, which are available on public websites). It’s unlikely the government intends to use its grant leverage to restrict what the university’s faculty, students and visitors could lawfully do in the absence of the contract. Indeed, if the government did try to do that, it would raise very serious First Amendment concerns. Cf., e.g., Butterworth v. Smith (holding that although a state can prohibit a grand jury witness from divulging information he obtained as a result of his participation in the proceedings of the grand jury, he has a First Amendment right to publicly disclose information that he knew before his testimony, even if he also conveyed it to the grand jury).
It is perhaps understandable why Purdue, or even some DoD contracting officials, might read section 1.02(b) of the Manual to restrict a contractor’s use of classified information that it has lawfully obtained from independent sources — information it would have obtained even absent the government contract. But that reading would lead to implausible and probably unconstitutional results, as the Purdue example demonstrates. Can it truly be the case, for instance, that Purdue students and faculty without security clearances cannot read and analyze and share the Snowden documents?
Of course not. Contrary to Purdue’s statement, there is no “clear federal law” that prohibits persons at the university from making such use of the Snowden documents. Just to be sure, however, and order into correct any misimpression that section 1.02(b) might convey, the government should clarify to university contractors that the NISPOM does not impose such restrictions.
* To be sure, 18 U.S.C. 798(a)(3) nominally makes it unlawful to “knowingly and willfully communicate, furnish, transmit, or otherwise make available to an unauthorized person, or publish, . . . any classified information—. . . concerning the communication intelligence activities of the United States or any foreign government.” And the Snowden documents undoubtedly describe “communication intelligence activities of the United States.” As I’ve explained previously, however, section 798(a)(3) has in effect become a dead letter with respect to the publication of classified information concerning U.S. communication intelligence activities by persons who are not responsible for leaking that information, even in cases where the information was not previously available to the public — which is why Bart Gellman and the Washington Post concluded that it was safe for them to publish the Snowden revelations. With respect to information that already is available online, it’s even more inconceivable that anyone would be prosecuted for further communicating the information, not least because it would raise very serious First Amendment problems.