Clinton’s Email Server Isn’t Her Scandal

Hierarchical security levelsEarly last month, Edward Snowden criticized former Secretary of State Hillary Clinton for obviously and intentionally mishandling classified information by using a private email server. A recent Huffington post argues that, if true, Snowden’s comments could cost Clinton the Democratic Presidential nomination.

This rests on technical questions of security and classified information. Based on the information I have seen, Clinton committed no crime. Her security mistakes are typical of politicians of her (my) generation. She was exercising the authority and discretion (or lack thereof) belonging to her role as Secretary of State. I will explain why.

DISCLAIMER: I personally neither support nor oppose Hillary Clinton’s bid for a Presidential nomination.

UPDATE (March 22, 16): Richard Lempert, a professor of law and sociology, has posted a more detailed parsing of the laws and regulations to come to the same conclusion.

Breaking Laws

Observers say that former Secretary Clinton may have broken the law by disclosing “classified information” in her emails. This misinterprets the law.

There is little or no legislation that addresses classified information itself. No law explicitly says: “It is illegal to disclose information marked Confidential, Secret, or Top Secret to unauthorized people.” This curious oversight is blamed on our freedom of speech and press, codified in the First Amendment.

Contrast this with the United Kingdom and their Official Secrets Act. Absent the First Amendment, they successfully passed and enforced a law under which the government could make just about anything a secret, and throw people in jail for disclosure. You make something a secret through an administrative act, not through legislation. Bureaucrats invent felonies by making something secret.

US legislation talks about sensitive information and identifies particular types that must not be disclosed. The first and most important is the Espionage Act, which dates back to the First World War. The Act forbids disclosure of military information to adversaries. This is usually how people are prosecuted for disclosing classified information. The Atomic Energy Act of 1946 also made it illegal to disclose nuclear weapon secrets.

Other secret-keeping legislation relates to the “sources and methods” the CIA, NSA, and other intelligence agencies use to collect information. The legislation can’t and doesn’t say “it’s illegal to disclose information that carries classification markings.” This may also be a vestige of the Separation of Powers: legislation is the realm of the Legislative Branch, but the classification system is an invention of the Executive Branch.

Getting “Classified”

Security classification is defined by Executive Orders issued by the President. Each President fine-tunes the system based on what has happened in previous administrations. Some speed up the declassification of old, still-classified information, Others slow such declassification down, or re-classify previously public information.

All administrations try to limit the proliferation of classified information. It’s cumbersome, painful, and expensive to handle classified information. Over the past couple decades administrations have severely limited the authority to declare things classified in order to limit the amount of classified information. The only people with such authority are heads of major agencies and Cabinet members.

Secretary of State Clinton was the authority for classifying information inside the State Department. If the information involved her work at the State Department and she disclosed it, then she was acting within her authority.

This wouldn’t protect the Secretary if she had disclosed military secrets or certain intelligence “sources and methods.” Such secrets are covered by legislation.

Rank Hath Its Privileges

The National Archives has been trying to release Secretary Clinton’s emails. While reviewing them, the reviewers recommended that some emails be classified. This reflects a difference of opinion, not proof of wrongdoing. Clinton’s authority as Secretary of State allowed her to make her choice, just as later authorities may make different choices.

Last summer, Reuters quoted J. William Leonard, former director of the U.S. government’s Information Security Oversight Office (ISOO) under President G.W. Bush. Leonard described this now-classified information as “born classified.”  The information was received from foreign officials or heads of state and included in unprotected emails. According to Leonard, the Secretary should have treated the information as classified all along, according to her department’s rules.

It’s easy to over-interpret such rules. As written, they could make anything  a foreign official shares with a State Department official into classified information. It’s insanity to say that everything in that category must always be classified. The State Department routinely includes such information in press releases.

In practice, there are two types of “born classified” information. First, there are things covered by federal legislation. These include information about nuclear weapons and about certain intelligence sources and methods. Second, there are pieces of information covered by “classification guides.” These guides are documents meant to help workers identify classified information before it is accidentally released.

The Federation of American Scientists published a 2005 guide from the Department of State. Section III B uses three pages to explain classification of information shared by foreign governments. The discussion makes it clear that these are guidelines and not black-and-white rules. These guides are directed at the rank-and-file State Department employees. Interpretation is left to the Secretary of State.

Snowden’s Comment on Secretary Clinton’s Behavior

In his September interview with Al Jazzera, NSA whistleblower Edward Snowden criticized Secretary Clinton’s actions. According to the article, Snowden said that:

lower-level government employees would ‘not only lose their jobs,” but “would very likely face prosecution” for doing the same thing

This is probably true. It is also irrelevant. As Secretary of State, Hillary Clinton was the classification authority for the Department of State. She essentially made the rules and could break them as needed in her position.

This is hard on journalists. If the Secretary discloses (“leaks”) something sensitive about foreign affairs in a press interview, then the information is legitimately released. If a senior official with classification authority leaks it, then again, no foul. If a lower-level executive leaks the same information ahead of the official release, then the executive is violating security rules. The journalist might also be in trouble if the information was known to be classified or otherwise restricted.

Legal, Predictable, and Sensible?

I’ve made technical arguments for why Secretary Clinton’s actions were legal within her position as Secretary of State.  Now let’s look at it from two other angles:

  1. As the act of a modern politician using technology to make her job easier
  2. As a cybersecurity trade-off

Email in the Government

Government cybersecurity tries to build “enclaves” to hold sensitive activities, like emails within the Office of the Secretary of State. This typically yields a highly restricted email system. Secretary Clinton can’t use the system for everything; she requires an outside email server for personal and non government (i.e. political) messages.

She undoubtedly used her personal email a lot of official business. Given her age and activities, she may have spent little or no time thinking about the cybersecurity risks tied to this outside email system. Any cybersecurity expert would tell the Secretary to assume her adversaries were reading every email she sent through that server.

So far, no email review has found that Secretary Clinton herself sent any bona fide classified information. Perhaps she made very calculated use of her unofficial server. She has never commented about her cybersecurity knowledge and intentions in detail. Maybe she failed to spill secrets because she was careful, or maybe she was lucky.

Unfortunately, another email review has allegedly uncovered Top Secret information on the Clinton server. The offending emails were sent to the Secretary by a subordinate.

This underscores a fundamental risk in a free society: leaks can happen when your work straddles both the classified and unclassified realms. The subordinate probably saw the information in a classified area and repeated it while typing email on an unclassified network.

This mistake could have happened just as easily with an unclassified State Department email server. The risks might have been smaller if both the Secretary and the subordinate were using equipment under US Government control, but emails still might have leaked.

Email and Politicians

I’ll simply point out that countless politicians make use of “unofficial” email services. Some have used them extensively for government business. This may generate bad publicity, but it’s not clear how much people take this seriously.

The Cybersecurity Tradeoff

Here is the real Presidential question here: did Secretary Clinton show significantly bad judgement in her use of the external email server?

I’ve already noted that lots of politicians rely on unofficial email servers when their IT departments and governmental archives tell them to use the official government email system.

If you have ever used “secure” government technology, you know why people prefer unofficial servers. The secure alternative is usually too restricted and cumbersome for general-purpose use. They probably don’t work with your smart phone or tablet. There is also the problem of “legal use of government resources.” Many government entities forbid the use of government services for personal, private, or political purposes.

President Obama insisted on keeping a smart phone when he took office. This required a lot of scrambling by the NSA and other security organizations. But they succeeded in outfitting him with somewhat modern tech.

A 2013 review of Presidential gadgets showed him using an iPad and a Macbook Pro for following social media. Other photos showed him using Dell laptops for classified work. One image showed then-Secretary Clinton in front of a Dell laptop inside the highly classified Situation Room. She uses classified systems when working on classified material.

I understand why Secretary Clinton wanted a more practical email server. I also understand why the National Archives wanted her to use the official email system. The alternative official system would still have been “unclassified.” Careless messages shared there could still land in unauthorized hands. Clinton probably saw no point in having two separate systems for unclassified email.