WHAT IS OVERCLASSIFICATION?
When people criticize overclassification of national security information, what exactly are they talking about? Is it too much secrecy? The wrong sort of secrecy? Classifying something at too high a level? Oddly, there is no widely-accepted definition of the term.
But since the solution to overclassification, if any, will naturally be shaped by the way the problem is understood, it is important to specify the problem as clearly as possible.
In 2010 Congress passed (and President Obama signed) the Reducing Over-Classification Act, which mandated several steps to improve classification practices in the executive branch. But in a minor act of legislative malpractice, Congress failed to define the meaning of the term “over-classification” (as it was spelled in the statute). So it is not entirely clear what the Act was supposed to “reduce.”
Among its provisions, the Act required the Inspectors General of all classifying agencies to perform an evaluation of each agency’s compliance with classification rules.
To assist them in their evaluations, the Inspectors General turned to the Information Security Oversight Office (ISOO) for a working definition of overclassification that they could use to perform their task. ISOO’s answer was cited by the Inspector General of the Department of Justice in its new report. (Audit of DOJ’s Implementation of and Compliance with Certain Classification Requirements, Inspector General Audit Report 13-40, September 2013.)
“Over-classification,” according to ISOO, means “the designation of information as classified when the information does not meet one or more of the standards for classification under section 1.1 of Executive Order (EO) 13526.” If something is classified in violation of the standards of the executive order, then it is “over-classified.”
So, for example, information that is not owned by the government, such as a newspaper article, cannot be properly classified under the terms of the executive order. And neither can information that has no bearing on national security, such as an Embassy dinner menu. And yet information in both categories has been known to be classified, which is indeed a species of overclassification.
Unfortunately, however, this ISOO definition presents the problem so narrowly that it misses whole dimensions of overclassification.
The most important and the most urgent aspect of overclassification pertains to classified information that does meet the standards for classification under the executive order, but that nevertheless should not be classified for one reason or another.
It is important to understand that the executive order on classification does not require the classification of any information at all. It is permissive, not mandatory. It consistently says that information “may” be classified under certain circumstances, not that it “must” be classified.
(Even some government officials who should know better sometimes get this wrong. The new DoJ Inspector General report states in passing that “Section 1.4 of EO 13526… includes intelligence sources or methods as a category of information that shall be classified” (p. 23, footnote 27, emph. added). That’s a mistake. Section 1.4 speaks of information that may or may not be “considered for classification,” including intelligence sources or methods, but it does not dictate the classification of such information.)
But while the executive order does not require classification of anything, it allows classification of an overwhelming, practically unlimited volume of information. And it is within this permissible range of classification, far more than outside of it, that overclassification needs to be addressed.
The new Department of Justice Inspector General report didn’t grapple with this core problem. It did find a surprisingly high number of errors in DOJ classification practices, including numerous errors in marking of classification records, as well as ignorance or misunderstanding of classification guidance (or faulty guidance), and inconsistencies in the application of classification controls. These are serious administrative flaws, which should be amenable to improvement through training. But fixing them will not do much to reduce overclassification.
Using the narrow ISOO definition of overclassification, the Justice Department Inspector General report said that it “did not find indications of widespread misclassification.”
But a more comprehensive and penetrating definition would have produced a different result, at DoJ and at other agencies. Such an alternative definition might go something like this:
Overclassification refers to the classification of information that should not be classified, even if it falls within the scope of the executive order, because doing so interferes with some other critical function, such as a desirable process of information sharing, or because it precludes the possibility of public consent to major national security activities.
This contrasts with the ISOO definition in two important ways: it applies to information that does meet the standards of the executive order, and it takes into account the adverse impact of classification on other important functions and values. The contrast can be extended to actual (over)classification judgments.
So, for example, the use of simulated drowning as a CIA interrogation technique (“water boarding”) or the Justice Department legal reviews of the subject would not have been considered overclassified by the ISOO standard, since these are clearly within the scope of national security information defined by the executive order. But they would be overclassified by the standard that requires an opportunity for public consent to major national departures from previously accepted norms.
Similarly, the bulk collection of American telephone records by the National Security Agency and the Justice Department opinions that seek to justify such collection would not be overclassified under the ISOO definition. But they would be deemed overclassified under a standard that requires public consent to major intelligence initiatives affecting Americans’ own information.
On the other hand, not every mistaken classification decision is equally problematic, and many of them may be insignificant. If a particular component of a classified weapon program is classified Top Secret instead of Secret or Unclassified, it may not matter much at all. But very often, classification decisions do matter a lot, and new efforts are needed to get them right.
When President Obama spoke of “the problem of over-classification” (in a May 27, 2009 memorandum), he almost certainly was not thinking of the kind of administrative errors in marking classified documents discovered by the DoJ Inspector General, but of something far more consequential. It is a problem that still remains to be addressed in a systematic way.
If the classification process were exclusively a matter of information security, then it could be safely left to security professionals to implement as they see fit. But because the decision to classify often has broader implications for national policy and for democratic governance, it cannot properly be relegated to security officials alone; even when applied in good faith, the security perspective by itself is too narrow. And so is any other singular perspective.
But if one grants that classification decisions often involve a multiplicity of important interests (or “equities”), then it follows that a broader, more consensual approach to classification is needed than the existing reliance on the judgment of individual classifiers can provide. (I argued for such an approach here.)
In addition to the Department of Justice IG report, inspector general reports required under the Reducing Over-Classification Act have also been publicly released by the IGs of the Department of Homeland Security and the Department of Commerce. Others are pending.
Agency inspectors general “are now playing a significant role in monitoring national security practices curtailing individual rights,” according to a recent law review article on the subject. “IGs are well suited to increase transparency, evaluate the propriety of national security conduct, and reform internal practices; on the other hand, their independence can be undermined, they may avoid constitutional questions, and they rely on political actors to implement reforms.” See Protecting Rights from Within? Inspectors General and National Security Oversight by Shirin Sinnar, Stanford Law Review, Vol. 65, p. 1027, Spring 2013.
TELECOM (AND PRIVACY) STATUTES NEED UPDATING, AND MORE FROM CRS
The laws that govern and regulate the communications industry are substantially out of date and need to be revised, according to a new report from the Congressional Research Service.
“The communications sector does not look at all as it did when the Telecommunications Act was passed in 1996. Most significantly, consumer behavior in 2013 bears little resemblance to that in 1996,” the report says. See Updating the Statutory Framework for Communications for the Digital Age: Issues for Congress, September 30, 2013.
The new CRS report does not address communications privacy issues or surveillance-related concerns. However, the underlying statutes in these areas are no less obsolete and urgently in need of updating, almost everyone agrees. Related hearings earlier this year in the House Judiciary Committee have recently been published.
“The Electronic Communications Privacy Act of 1986, or ECPA, is complicated, outdated, and largely unconstitutional,” said Rep. James Sensenbrenner, chair of the Judiciary Committee, at the first hearing. “The 1986 law governing the Internet is like having a national highway policy drafted in the 19th century.” See ECPA (Part I): Lawful Access to Stored Content, March 19, 2013, and Electronic Communications Privacy Act (ECPA) (Part II): Geolocation Privacy and Surveillance, April 25, 2013.
Relatedly, a new report from the Brennan Center for Justice “takes a comprehensive look at the multiple ways U.S. intelligence agencies collect, share, and store data on average Americans.” See “What the Government Does with Americans’ Data,” October 8, 2013.
Here are some other new reports from the Congressional Research Service:
FY2014 Appropriations: District of Columbia, October 15, 2013
FY2014 Appropriations Lapse and the Department of Homeland Security: Impact and Legislation, October 11, 2013
Oil and Chemical Spills: Federal Emergency Response Framework, October 10, 2013
Navy Aegis Ballistic Missile Defense (BMD) Program: Background and Issues for Congress, updated October 17, 2013