News reports suggest that the FBI is nearing the end of its inquiry into the legal issues surrounding Hillary Clinton’s use of a personal server for government emails and into the legal ramifications of classified information found in messages to and from her. Most of the reporting—and virtually all political discussion—reads as if reporters and pundits know little about the rules regarding the classification of information and what they imply not just for the likelihood of a Clinton indictment but also for whether she violated other rules regarding the proper handling of classified information, whether or not the violations constitute crimes.
What follows reflects the knowledge and experience I have gained from working at the Department of Homeland Security from 2008 until 2011. While there, I took the lead in drafting a security classification manual for one of the divisions of the DHS science and technology directorate. In this discussion, I offer answers to questions about the former secretary of state’s email that have not been frequently asked, but should be.
What constitutes criminal conduct with respect to the disclosure of classified information?
Relevant law is found in several statutes. To begin with, 18 USC, Section 798 provides in salient part: “Whoever knowingly and willfully … [discloses] or uses in any manner prejudicial to the safety and interest of the United States [certain categories of classified information] … shall be fined … or imprisoned.”
The most important words in this statute are the ones I have italicized. To violate this statute, Secretary Clinton would have had to know that she was dealing with classified information, and either that she was disclosing it to people who could not be trusted to protect the interests of the United States or that she was handling it in a way (e.g. by not keeping it adequately secure) that was at least arguably prejudicial to the safety or interest of the United States.
The statute also provides a definition of what constitutes classified information within the meaning of the subsection described above: “[C]lassified information, means information which, at the time of a violation of this section, is specifically designated by a United States Government Agency for … restricted dissemination.”
Again, the most important words are the ones I have italicized. First, they indicate that the material must have been classified at the time of disclosure. Post hoc classification, which seems to characterize most of the classified material found on Clinton’s server, cannot support an indictment under this section. Second, information no matter how obviously sensitive does not classify itself; it must be officially and specifically designated as such.
Lesser penalties are provided under 18 USC 1924 which provides that an officer of the United States commits a criminal violation if that person possesses classified “documents or materials” and “knowingly removes such … materials without authority and with the intent to retain such … materials at an unauthorized location.”
This portion of an email from Hillary Rodham Clinton's private email account when she was secretary of state and released by the State Department on September 30, 2015, shows an email Clinton received early in the morning on Aug. 3, 2011.
Prosecutors would also encounter stumbling blocks if they charged Clinton under this law. First, it is unclear whether classified information conveyed in an email message would be considered a document or materials subject to removal. Moreover, with respect to information in messages sent to Clinton, it would be hard to see her as having “knowingly” removed anything, and the same is arguably true of information in messages that she originated. If, however, she were sent attachments that were classified and kept them on her server, this law might apply.
But even if this section did apply, a prosecutor would face difficulties. Heads of agencies have considerable authority with respect to classified information, including authority to approve some exceptions to rules regarding how classified information should be handled and authority to declassify material their agency has classified. It would also be hard to show that Clinton intended to retain any information sent to her if her usual response was to forward the information to another, and if she then deleted the material from her inbox, whether or not it was deleted from her computer.
Where Clinton’s legal position becomes shakier, and where her use of a personal server may enter into the analysis, is with respect to the provisions of Section 32 of the Code of Federal Regulations which provides in Section 2001.42 that persons who have access to classified information are responsible for:
a) Protecting it from persons without authorized access … to include securing it in approved equipment … whenever it is not under the direct control of an authorized person.
b) Meeting safeguarding provisions prescribed by the agency head; and
c) Ensuring that classified information is not communicated over unsecured voice or data circuits
It seems clear that any classified information on Clinton’s server was not on approved equipment, though it is less clear whether the information was not under the direct control of an authorized person. Clinton could argue that she was in control of this information while it was on her server and/or that whoever managed her email was authorized by her to control it. The best reading of the regulation is likely to be that the person who ran the server is the person with direct control over messages stored on it. Moreover, no person would be prima facie authorized to have such control unless that person had an appropriate-level security clearance. However, Clinton apparently relied on someone who worked for her at the State Department to set up the system, and he might well have had a top-level security clearance. In addition, as secretary of state, Clinton may have had the authority to approve access to and control of classified information even if the approved person had not been vetted by ordinary clearance processes.
Moreover, these provisions are not criminal statutes. They are part of the Code of Federal Regulations (CFR) and cannot create crimes beyond those Congress has by statute created. My search revealed no evidence that Congress has made failures to comply with the provisions of 32 CFR 2001 crimes.
Former United States Secretary of State Hillary Clinton speaks to the media after keynoting a Women's Empowerment Event at the United Nations on March 10, 2015 in New York City.
Also relevant are several provisions of Executive Order (EO) 15326 that establish standards and basic procedures for classifying and declassifying information, and for marking and protecting it. EO 15326 provides:
Officers and employees of the United States Government … shall be subject to appropriate sanctions if they knowingly, willfully, or negligently
1) disclose to unauthorized persons information properly classified under this order or predecessor orders
It is possible that some of those to whom Clinton sent classified information lacked the clearance needed to access it, but unless it could be shown that Clinton knew she was transmitting classified information or was unreasonably careless in doing so, she would not have run afoul of this subsection. Moreover, while the section lists administrative sanctions that may be meted out to violators, it does not provide for criminal penalties and cannot unless a statute does. In this connection it is interesting to note that 18 USC 798 penalizes disclosures that are knowing or willing but not those that are merely negligent. Finally, it is not clear whether the encompassing word “officers” is meant to include department heads. Ambiguity exists because in language that follows, agency heads are given the final authority to decide on sanctions. They can hardly be expected to sanction themselves.
What determines whether information is classified?
Standards for classifying information and procedures to be followed are found in EO 15326 and elaborated on in later regulations. The regulations provide that information “may be originally classified” only if classified by an “original classification authority” and if certain conditions relating to the source of the information and the need to protect it are met. The regulations also provide that “[i]f there is significant doubt about the need to classify information, it shall not be classified.” Within the State Department, Secretary Clinton was the original classification authority and those in the department who had original classification authority had it only by virtue of a delegation from her. As the font of their authority Clinton could legally override any classification determination a subordinate made.
These standards make it difficult to conclude that Clinton violated any law regarding the disclosure of classified information. As indicated by the word “may,” which I italicized, the regulations do not require that any information, no matter how sensitive, be classified. They also indicate that when in doubt information should not be classified or should be classified at the lowest level consistent with national security. Not only was Secretary Clinton the ultimate authority within the State Department to determine whether State Department information should be classified, but she was also the ultimate authority in determining whether classified information should be declassified. Moreover, declassification when done at the highest level appears to require no formal procedure. Indeed, we have a history of high-level officials engaging in “instant declassification,” most notably by leaking classified information to the press for political or strategic advantage. Since the leakers are typically speaking off the record or on deep background, some disclosures may have been made by people lacking the authority to declassify information, instantly or otherwise. No such leaker has been criminally prosecuted, and so long as the authorization to reveal classified information was approved at the cabinet level, it is unlikely that anyone could be.
Are there no constraints on what a cabinet secretary can declassify?
The government’s ultimate classification authority is the president. An agency head cannot declassify anything that the president has originally classified. More to the point, an agency head is the senior classification authority only in her own department. Any classified information received from and originally classified by another agency cannot be declassified by the head of a different agency. Within the receiving agency the information is derivatively classified. Thus if there was even a colorable case against Clinton, it would most likely have to be based on information that originated in and was classified by another agency. This is why the CIA’s classification decisions appear to have been central in the investigation.
How does a person know if information she has received is classified?
There are elaborate rules for marking and protecting information, depending on its level of classification. For example, a letter containing confidential information can be sent by ordinary mail. If it contained secret information it would have to be sent by certified mail, and if it contained top-secret information, except in special circumstances, a courier would have to deliver it rather than the U.S. mail.
Similarly, the government has specially secure, and different, computer systems for transmitting or discussing secret or top-secret information, and high security locales, called Sensitive Compartmented Information Facilities or SCIFs, where secret and top-secret discussions can be held, and where an agency’s employees can access its secure computer systems. The key to knowing whether information is classified and at what level are markings to be attached to documents, whether paper or electronic. Secretary Clinton has claimed, so far without leaked contradiction, that no message she received or sent was marked so as to indicate that it was classified.
Shouldn’t Clinton have known that some of information in her emails must have been classified?
If the material she received was unmarked, the answer is most likely “no.” Some classified information, no matter how sensitive, may appear sensitive only to those aware of a larger context. A report that Iran had received a ton of apricots from Turkey might, for example, be classified as top secret not because there is anything sensitive about the apricot shipment but because if Iran knew we had this information, it would know we had found a way to penetrate a secret shipping network. Yet few but the report’s originator would have reason to think the information was classified. The government also has rules regarding classified information that strike many people as silly. Following the WikiLeaks and Snowden incidents, for example, references to documents containing top-secret information were the subject of television and press reports. But the fact that hundreds of millions of people around the world knew the once closely held information did not change its classification status, as I was reminded in a memo sent to DHS employees, which went on to tell its recipients that they should avoid exposure to news referencing these documents.
So if some Clinton messages discussed classified information in leaked CIA documents, she would be in technical violation of the rules regarding the safeguarding of classified information, but surely no one would think she should be held criminally accountable for the breach. Moreover, no matter how sensitive the information, if no one has taken steps to classify it, the rules for safeguarding classified information cannot be violated despite the harm that might be caused by disclosure. When documents are unmarked, it is difficult to prove that a person knew or should have known that what they were reading was classified.
Does the retroactive classification of messages mean they should have been classified when they were sent?
Not necessarily, although perhaps some should have been. Retroactive classification, which is authorized by EO 13526, happens more than occasionally when security sensitive agencies respond to Freedom of Information Act (FOIA) requests. This does not mean that the earlier failure to classify the information was wrong. Although the passage of time usually means that the sensitivity of information diminishes, the opposite can happen.
For example, suppose a still high ranking government official had sent a message six years ago suggesting that Marine Le Pen, the leader of France’s National Front, had fascist tendencies. When sent, the message might not have been sensitive. But in 2016 when her party has become a force in French politics and a President Le Pen is no longer unthinkable, the message might well be classified secret. Retrospective classification may also be appropriate due to developments since a message was sent. For example, a reference that seemed innocuous when written might be far more revealing when read alongside documents that Edward Snowden stole.
A further reason for post hoc classification is that when documents are turned over in response to a FOIA request, their provenance is indisputable. Not only do we know, for example, that a message came from the secretary of state, but the link cannot be denied in the way it could have been had the information been illegally leaked. Lack of deniability can increase the harm that a release of information might do, so it too may justify post hoc classification.
Also, despite the president’s instruction that when in doubt information should not be classified or should be classified at the lowest reasonable level, many claim that security agencies err on the side of caution. Indeed, it has been suggested that overclassification is rampant in government. Some post hoc classification may reflect this security agency bias, as disputes between the State Department and the CIA over what portions of what released messages should be classified suggests. It is also the case that most classified messages on Clinton’s server were classified “Confidential,” the lowest level of full classification. Material classified at this level is often near the borderline of what should and should not be protected.
Does the fact that the classified information was on Clinton’s personal server rather than a State Department server effect the analysis?
In most ways it shouldn’t. While Clinton’s use of a personal server has, no doubt, harmed her politically, her use of a personal server most likely has little bearing on questions relating to the improper transmission of classified information. Had Clinton not used her personal server for the messages in question, she would presumably have had a personal account on the same system that other Department employees use for State Department business. Neither Clinton’s personal server nor ordinary State Department systems are properly secured for the transmission of classified information. The one way in which using a personal server might make a difference is that EO 13526 provides, “An official or employee leaving agency service may not remove classified information from the agency's control.” By maintaining classified messages on her server, Clinton was arguably not complying with this provision. I use the word “arguably” because lawyers could argue over whether the fact that the State Department never had control of the information on her server meant she could not remove it, but I expect this is an argument Clinton would lose. However, if Clinton is to be believed, she didn’t know that classified messages were on her server, and no criminal sanctions attach to violations of this provision regardless.
This Tuesday, August 18, 2015 photo shows the front entrance of Platte River Networks, a Colorado-based technology services company that began managing Hillary Rodham Clinton's private computer server in 2013, north of downtown Denver.
There is the interesting question of whether the inadvertently transferred classified emails were more or less secure because they were on Clinton’s server rather than on a State Department server. The FBI investigation may provide an answer. From a distance, it seems possible that Clinton’s messages were more secure on her server than they would have been on the State Department’s servers, even if the latter were protected by a technically superior firewall. The State Department’s systems are reportedly regular targets of hackers. Few knew that Clinton used a personal server for business emails, so hacker attacks may have been far less common if they happened at all. Also hackers often gain access to systems by fooling users into downloading malicious programs or clicking on malicious web sites. Since few people had accounts that accessed Clinton’s servers, the chance that someone might inadvertently open a door to hackers is most likely much less. Finally, after a few months, transactions with Clinton’s servers were reportedly encrypted. Because of the difficulties posed by the need to accommodate different server and computer generations, the government has lagged behind the private sector in encryption.
I also cannot help observing that it is the party that regularly declares that government doesn’t work that tells us that when it comes to computer security we can trust the government more than the private sector to get things right.
Do others do it—send classified information over insecure systems?
I know of no study that answers this question, but I will nonetheless assert the answer is “yes.” I do not mean to suggest that marked classified documents are sent as attachments over insecure systems or that people who learn of classified information by reading marked documents or participating in secure discussions in SCIFs immediately relay what they learned using insecure email accounts. Rather, I expect that when information is known to be classified, great care is usually taken to protect it.
However, people learn information from many sources, and may not recall that the source for certain information was classified. Accurate recall is further complicated because a single document can contain unclassified information as well as information classified at different levels. The unclassified information may be freely discussed; other information may have to be treated as confidential, while still other information may be secret or top secret. Consider, for example a statement in an embassy report from country X saying it is trying to gather information about the country’s weapons purchases. This information may be so widely known that it remains unclassified, and people may freely discuss it in messages sent over unsecure systems. But a sentence in the same report saying “we are particularly interested in chemical weapons” may be marked “confidential”; another sentence saying “we have recruited a spy with information about chemical weapons purchases” may be marked “secret,” and the name of the spy may be marked “top secret.” Six months after reading this report a person might send an insecure message asking whether we have learned anything more about Country X’s effort to purchase chemical weapons, recalling that not all the message was classified, but mistakenly recalling the reference to chemical weapons as unclassified information.
Classified information can also appear in news stories or be known to and discussed by people with no access to classified sources. Thus, even a person with good memory may not know, when writing an email message, that information she refers to is classified, and she may have learned it from an unclassified source. In addition, it can be time consuming to enter a SCIF to use a secure computer system. Human nature being what it is, it would be astonishing if people did not sometimes send messages referencing classified matters using ordinary channels, and thinking that if they were cryptic enough in their references, they were doing no harm. To fairly assess Clinton’s behavior and the behavior of her correspondents, a control group would be useful. Someone should FOIA all originally unclassified emails sent to and from their department’s general use servers by the last several secretaries of state, defense, and homeland security. Such a study would allow us to gain perspective on the flap surrounding Clinton’s email.
Is there one rule for agency heads like Clinton and another rule for the rest of us?
Yes, more or less. This is true both literally and as a practical matter. When it comes to classified information, agency heads have special responsibilities and special privileges. They have plenary authority to classify or declassify information. If rules regarding classified information are broken, they have the authority to determine administrative punishments. Unless they go so far as to break the law, no one is authorized to administratively punish them. But beyond this, rules are always different for those at the very top of organizations. Government leaders like business leaders are chosen for their judgment and discretion. They must be free to exercise both. In the public sphere, problems arise because laws and administrative rules and regulations are often written in ways that admit of no exception. Moreover, some laws, like laws against corruption or against spying, should admit of no exceptions. But for the most part heads of agencies do what they think best, and if we want an effective government, this is as it should be. If leaders behave badly, appropriate sanctions are less likely to be criminal sanctions than pressure to resign or even impeachment.
Should Clinton be indicted?
Based on what has been revealed so far, there is no reason to think that Clinton committed any crimes with respect to the use of her email server, including her handling of classified information. While it is always possible that information not revealed will change this picture, at the moment Clinton’s optimism that she will not be criminally charged appears justified. The same is not necessarily true of those who sent her classified information. If it could be shown that they knowingly acquired information from classified sources and sent it unmarked to an unapproved server, their fate may be less kind than Clinton’s is likely to be.