President Trump has publicly called for the Intelligence Community whistleblower whose complaint kicked off the impeachment inquiry to be identified. Senator Rand Paul has signaled that he is open to identifying the whistleblower on the Senate floor, claiming that there is no law that prohibits it. At least one congressional staffer allegedly attempted to leak the whistleblower’s identity. Donald Trump, Jr. retweeted an article that claims to identify the whistleblower. Devin Nunes, ranking member of the House Intelligence Committee, began his opening remarks on the third day of hearings yesterday in the public impeachment inquiry complaining about not knowing the identity of the whistleblower. And both Nunes and Rep. Jim Jordan later attempted to question one of the witnesses, Army Lt. Col. Alexander Vindman, about the identity of an Intelligence Community employee whom Vindman had told about President Trump’s phone call with the Ukrainian President, questioning that had the obvious intention of narrowing the whistleblower candidates.
All this activity in turn prompted reproaches from the whistleblower’s defenders, including an open letter last month from more than 100 former national security officials from Republican and Democratic administrations calling for protecting the whistleblower from retaliation.
Many of those seeking to protect the whistleblower argue that it is unlawful to publicly identify an anonymous whistleblower. Whether that is, in fact, the case is complicated and highlights a significant flaw in how the whistleblower protection laws actually apply.
Simply put, there is no clear, unambiguous provision in either the criminal or civil law generally prohibiting the disclosure of a whistleblower’s identity. Instead, a patchwork of laws apply, each of which focuses narrowly on either the characteristics of the whistleblower, the role or other attributes of the leaker who might reveal the identity, or the motivation of such a leaker. All that leaves huge holes in any protective mantle, although one option – the federal witness-tampering law – is a promising candidate for deterring and punishing the disclosure of this particular whistleblower’s identity during this particular investigation.
This piece will cover the four main categories of all the laws and rules which should be understood by anyone attempting to grasp the scope of whistleblower identity protections. First, I’ll address two commonly cited laws that actually have no relevance to this issue. The second part will discuss the one law that protects the identities of only certain intelligence personnel. Third, I’ll cover the three types of laws and rules that only prohibit certain people from disclosing the identity of a whistleblower. Last, I’ll address the two laws which implicitly prohibit such disclosures, but only in certain circumstances and for certain improper reasons.
I. Two False Leads: PPD-19 and the CIA Act
Before discussing the various laws and rules that provide some protections, it is first necessary to address and discount two laws that are frequently but erroneously cited by the whistleblower’s defenders. These laws do not actually contain any provisions shielding a whistleblower’s identity, and any relevance to this issue is purely illusory.
First, Presidential Policy Directive 19, which was codified in part by Congress at 50 U.S.C. § 3234, prohibits agencies from taking retaliatory personnel actions against Intelligence Community whistleblowers. Exposing the identity of an anonymous whistleblower, however, is not considered a personnel action (an employment-related action like firing, demotion, clearance revocation, etc.), and so there is no practical protection to be found here. The second – the CIA Act of 1949 – protects the names of CIA employees (which the whistleblower is reported to be), but only insofar as it provides that the CIA may not be compelled to release such a name; it does not actually prohibit the disclosure of a CIA employee’s name.
II. Secret Agents Get Special Protections: The IIPA
One of the most commonly cited sources for the argument in favor of a general prohibition against disclosing the identity of a confidential intelligence whistleblower is the Intelligence Identities Protection Act. But that law is far narrower than the name might suggest.
By its own terms, this statute only prohibits the unmasking of “covert agents,” which can be defined for our purposes as an intelligence employee whose affiliation with the Intelligence Community is classified and who has worked overseas in the last five years. The CIA has recently asked Congress to remove that second criterion, but even with that change, it would only be a crime to expose the identity of a whistleblower whose affiliation with an intelligence agency is classified, which is a small subset of intelligence personnel. In this particular case, it is virtually certain that the whistleblower is not such an individual, since it is extremely unlikely that a covert agent who served overseas in the last five years would possess the type of information provided in the complaint, or have access to officials at the White House as described in the complaint.
III. Certain People Have Certain Restrictions: The ICWPA, Congressional Rules, the Privacy Act, and Clearance Rules
The good news is that there are specific prohibitions against the disclosure of the identity of a confidential national security whistleblower; the bad news is that those prohibitions only apply to select offices, committees, or individuals. Such prohibitions can be found in the Intelligence Community Whistleblower Protection Act, congressional rules, and the Privacy Act. Additionally, such a disclosure can be held against the person revealing the information by revoking or denying a security clearance.
Intelligence Community Whistleblower Protection Act
Section (g)(3)(A) of the Intelligence Community Whistleblower Protection Act is likely to be the law most people are thinking of when they assert the existence of a prohibition against disclosure. But, like the Inspector General Act that preceded it, this act only prohibits Inspectors General and their employees from disclosing the identity of a confidential whistleblower without consent. Anyone else outside the Office of an Inspector General is not covered by the express prohibition against disclosure.
Yet Section (g)(3)(B) of that statute also provides that “no action constituting a reprisal, or threat of reprisal, for making such complaint or disclosing such information to the Inspector General may be taken by any employee in a position to take such actions.” This is relevant because the statute does not define “action constituting a reprisal,” and in fact implies that Congress expected that term to apply broadly. In the preceding discussion of what constitutes an “urgent concern,” the statute explains that one such urgent concern would be:
An action, including a personnel action described in [the Whistleblower Protection Act], constituting reprisal or threat of reprisal prohibited under subsection (g)(3)(B) of this section in response to an employee’s reporting an urgent concern in accordance with this paragraph.
The fact that Congress specifically stated that “an action … constituting reprisal” includes the types of prohibited personnel actions traditionally considered to be the subject of whistleblower protection law suggests that Congress intended to broadly preclude any act of retaliation against a national security whistleblower, not just the types of adverse personnel actions delineated in 50 U.S.C. § 3234 and its implementing regulations.
Accordingly, a case could be made that publicly unmasking a confidential national security whistleblower would be “an action constituting reprisal” prohibited by this statute. On paper, then, it is arguably correct to say that the Intelligence Community Whistleblower Protection Act prohibits a government official from publicly identifying a confidential whistleblower as reprisal for their whistleblowing.
However, since there is no private right of action allowing a victim to sue a violator and no penalty at all for “an action constituting reprisal,” this is difficult to enforce in practice, and so it is unlikely that any agencies would adopt such a broad reading of the prohibition.
Congress, for its part, does have rules that could apply in the case of this particular whistleblower, but they only apply to members and their staffs, and then only for certain committees. The best example is Rule 12(a)(1)(B) of the Rules of the House Permanent Select Committee on Intelligence, which prohibits any member or staffer from disclosing “any information received by the Committee in executive session” without the permission of the chair. “Executive session” is a term of art which generally means any closed meeting, so this rule would definitely prohibit members of this committee or committee staff from publicly disclosing the whistleblower’s identity, since they would almost certainly have learned that information in a closed meeting.
Rule 9.7 of the Rules of the Senate Select Committee on Intelligence contains a comparable prohibition. But, since Sen. Paul is not a member of that committee, this rule would not apply to him. (Likewise, the House Intelligence Committee rules would not apply to a non-member of that committee.)
The Privacy Act is the only statute that both focuses on the disclosure of personal information and includes a criminal liability element, but even that law falls short of a general prohibition, even within the executive branch. While it might appear that the Privacy Act would obviously prohibit the disclosure of such a sensitive piece of personally identifiable information as the fact that a person was a confidential whistleblower, that statute only applies to executive branch agencies; it does not cover Congress, contractors, or even the White House, let alone the public. It does include “oral” disclosures of personal information as prohibited conduct, but on the other hand, it only prohibits the disclosure of personal information from a “system of records,” which is a special term of art limited to records systems designed to be searched by a person’s name or similar unique identifiers.
In other words, if a federal official in a covered agency learned the whistleblower’s identity from a source besides an agency “system of records,” such as from a congressional staffer or office rumors or through his own deductive reasoning, then the prohibition would not apply. An official would only be liable if he knew that the information in question – the fact that a particular person was a confidential whistleblower – was accurate and in an official record located in a “system of records.” An official who saw the complaint or a memorandum describing it would meet this standard, since those would undoubtedly be located in a “system of records.” However, as a stark example, an official who learned the identity of a whistleblower from an email would likely not be liable if he publicly disclosed it, since email systems are generally considered by courts not to be “systems of records” for the purpose of the Privacy Act. Courts tend to be very reluctant to find that agencies or individuals are civilly liable – let alone criminally liable – for violating the Privacy Act prohibitions on disclosure, mainly because the definition of “system of records” is so broken and the burden so great to prove that someone got the information in question from such a system.
The guidelines for who can receive a security clearance are significantly more discretionary than any other rules discussed herein. Any intelligence agency likely would deny a security clearance to – or revoke the security clearance of – any individual who willfully exposed the identity of a confidential national security whistleblower. Such an action would demonstrate “questionable judgment, untrustworthiness, unreliability, lack of candor, unwillingness to comply with rules and regulations, or other characteristics indicating that the individual may not properly safeguard classified or sensitive information,” making them a prime candidate for denial under Guideline E of the Adjudicative Guidelines.
Guideline E sweeps far more broadly than classified or even governmental information and instead allows agencies to deny clearances to people who just “don’t respect confidentiality,” which would assuredly apply in such a case. However, this is not so much a prohibition on disclosure as it is a consequence of disclosure, and as with the other authorities discussed above, it only applies to a certain subset of society, namely, people who have or need security clearances.
IV: Disclosures for the Wrong Reasons Are Still Wrong: Witness Tampering and Retaliation
If one were to try to fashion a criminal case against a person who leaked the identity of a confidential whistleblower, their best bet would be to ignore all of the authorities stated above and focus on the laws governing witness tampering and retaliation. The two main statutes in this area – 18 U.S.C. §§ 1512(d) and 1513(e) – could each come into play, but they both focus on the motivation of the act in question and only cover disclosure insofar as it fits within that mold.
The most promising candidate is 18 U.S.C. § 1512(d), since it generally targets any person who “intentionally harasses another person and thereby hinders, delays, prevents, or dissuades any person from … attending or testifying in an official proceeding.” Publicly exposing a confidential whistleblower’s identity is clearly harassment, especially when doing so will subject that person to threats. In this particular case, it already has dissuaded the whistleblower from personally testifying in an official proceeding. This law would apply equally to government officials and members of the public, although it is uncertain how well it would apply to a Member of Congress or a congressional staffer, since constitutional protections under the Speech or Debate Clause might apply. In such a case, the key consideration would be whether the Member or staffer was acting in a legislative capacity when they disclosed the identity: for example, disclosing it on the floor of the Senate would likely be protected, but disclosing it on Fox News would not.
Similarly appropriate in such a case is 18 U.S.C. § 1513(e). It targets any person who “knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense.” This statute applies broadly to “harmful” retaliatory actions, which would easily include public exposure, but is second to 18 U.S.C. § 1512(d) because it only protects whistleblowers who report violations of criminal statutes, as opposed to non-criminal or even impeachable misconduct. It also only applies to “law enforcement officers,” which some courts might read to exclude inspectors general or congressional staff.
As the impeachment inquiry proceeds and President Trump’s allies grow more desperate, the risk of someone exposing the whistleblower’s identity grows. Recognizing this risk, many in Congress and the public have condemned this possibility, but many of those well-meaning advocates also seem unclear on exactly what protections and prohibitions exist. People who cite the wrong laws run the risk of being labeled “fake news” and ignored.
It is important for everyone involved on both sides to understand that there are punishments – especially under 18 U.S.C. § 1512(d) – for disclosing the identity of this whistleblower, but also that the entire system needs to be rethought to make a list like this unnecessary the next time around. The greatest way to ensure whistleblower anonymity is for those who would expose a whistleblower to easily understand that such an action would be unlawful so that they are deterred from doing so. To do that, Congress needs to enact a better, clearer whistleblower protection regime, especially for the Intelligence Community.