There has been a lot of discussion of Hillary Clinton’s e-mails and her handling of classified material—a lot. Press coverage of Clinton has focused on the e-mail issue so much that it is the first thing people mention when pollsters ask about her. The topic is certainly worthy of discussion, but much of it has been misinformed, involving some combination of willful distortion and innocent misunderstanding about some fairly esoteric topics. I would like to take some time to examine some points about Clinton’s e-mails, the government classification system, and the reason why the State Department often does not follow its own rules when it comes to information security. This is not an exercise in excuse making but an effort to understand what has been happening at the State Department and why.
First, some people view FBI director James Comey’s public statement of July 5, 2016, explaining the FBI’s investigation and recommendation regarding Clinton’s handling of classified information, as an attack on Clinton. It is, I believe, more accurately understood as a preemptive defense of the FBI as an institution. So many exaggerated claims and assertions had been made about Clinton’s e-mails in terms of criminal liability that he would have opened his agency to attack if he had simply recommended against prosecution and left it at that.
Thus he went into an unusual degree of detail about the investigation and its thoroughness to prevent charges of bias. Comey said as much toward the end of his statement: “I know there will be intense public debate in the wake of this recommendation, as there was throughout this investigation. What I can assure the American people is that this investigation was done competently, honestly, and independently. No outside influence of any kind was brought to bear.” In a later memo to FBI employees, he stated: “The hard part was whether to offer unprecedented transparency about our thinking. . . . I struggled with that part, but decided the best way to protect the FBI, the Department of Justice, and the American people’s sense of justice was to announce it the way we did—with extraordinary transparency and without any kind of coordination.”
Despite what some people have suggested, Clinton’s use of a personal e-mail account, in and of itself, was not a violation of the law, nor was it necessarily unusual. Examining the period between 2001 and 2008, before Clinton came to the department, the State Department Office of Inspector General (OIG) “identified more than 90 Department employees who periodically used personal email accounts to conduct official business.” The OIG report—which addressed department-wide practices, not just Secretary Clinton—went on to quote a former department official as saying, “State’s technology is so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively.”
According to the OIG report, it was a violation of department policy to use an unauthorized system without seeking official guidance or approval from the department’s Bureau of Information Resource Management (IRM) and Bureau of Diplomatic Security (DS), which Clinton did not seek. (The report’s wording implies that the burden was on the secretary to initiate these actions, yet the IRM director was clearly aware of the situation.) Even there, however, the FBI report suggested some ambiguity: “While State policy during Clinton’s tenure required that ‘day-to-day operations [at State] be conducted on [an authorized information system]’ according to the Bureau of Information Security Management there was no restriction on the use of personal email accounts for official business. However, State employees were cautioned about security and records retention concerns regarding the use of personal e-mail. In 2011, a notice to all State employees was sent on Clinton’s behalf, which recommended employees avoid conducting State business from personal e-mail accounts due to information security concerns.” [Emphasis added; insertions and deletions made by FBI.] Was it required or recommended, or were there no restrictions? Apparently it is still hard to say.
The mishandling of classified material is a different matter. That can involve serious violations of the law, and that was the main focus of the FBI investigation. We shall return to that shortly, after reviewing a few intermediary points.
The State Department has two e-mail systems, a classified system for classified documents and an unclassified system (@state.gov) for other documents and messages. It is not permitted to transfer documents from the classified system to the unclassified system, and in any event they cannot be transferred without the direct assistance of system administrators.
Clinton regularly used the classified system for classified documents (or, more precisely, she assigned people to do it for her). The controversy arises from her use of a personal server in place of @state.gov and, more particularly, from the occasional use of that server—or any unclassified system—to communicate on classified topics. We will return to that topic below. First, why did she use a personal server?
My own initial assumption was that she wanted to control access to her communications. Clinton has been the target of political attacks for a quarter century, and some of those who attack her are not shy about taking information out of context or distorting it in the process. Thus one might expect her to want to limit access to her communications. Yet this does not seem to have been the case. Rather, just as she has said all along, she said to the FBI that she used the private server as a matter of convenience, and the FBI appears to have accepted this explanation.* The decision seems to be rooted in Clinton’s quite profound lack of expertise in, or curiosity about, information technology. She did not fully comprehend the possible consequences, and—probably because she was the secretary—no one forced her to confront them.
The decision to use a personal server, of course, raised two issues: possible exposure of her communications to hacking by hostile powers (or others) and complications concerning the proper archiving of what the State Department now calls “record emails.” Record e-mails are those that are to be marked for archiving. Not all e-mails are preserved. Department employees are instructed to delete personal e-mails and most “working emails,” which concern day-to-day administrative matters. Employees determine on their own which messages to delete and which to archive.
While Clinton was aware of these issues, they did not cause her concern. With regard to archiving, she simply believed that her e-mails could be found in the archives of the officials with whom she communicated (which undermines my initial theory that she used the private server to prevent access to her communications). This is really not a satisfactory means of record keeping, but then many people underestimate the difficulty of maintaining records, and even if frustrating, it is not designed to prevent record keeping. After all, the FBI did find many of Clinton’s deleted e-mails by looking in the archives of people with whom she corresponded, just as she said they would. (Many of the deleted e-mails that were deemed to be business-related have turned out to be earlier versions of e-mail chains that had already been turned over.) Incidentally, this was the exact opposite of Colin Powell’s practice. According to an e-mail he sent to Clinton in January 2009, he used a personal e-mail account precisely in order to prevent his messages from becoming “an official record and subject to the law” and for that reason advised Clinton to avoid “systems that captured the data.”
As for security, Clinton did not consider it a problem. According to her FBI interview, “CLINTON understood the email system used by her husband’s personal staff had an excellent track record with respect to security and had never been breached.” Although the FBI could not find evidence of any breach of her account, Comey stated that the nature of the technology might have allowed talented hackers to enter without leaving traces (although the FBI did find evidence that another e-mail account on the server had been hacked). On the other hand, David Sanger reported in the New York Times (after 10 paragraphs of how vulnerable Clinton’s private server was) that the Russians had access to the @state.gov e-mail system that she was supposed to be using for more than seven years, from at least 2007 through the end of 2014, so they probably have her e-mails and everyone else’s anyhow.
For the record, Clinton has stated that it was a mistake to have used her own server. Given the hullabaloo over the decision, it is safe to assume that she is not likely to do this again.
The process of classifying and declassifying government documents is complex and highly arbitrary. The rules are vague enough to be open to interpretation, and the incentives generally favor “overclassification.” In other words, permitting the release of information that should have been classified has repercussions; classifying a document that did not require it does not. Thus there is a lot of material that is needlessly classified. Some analysts speak of a disconnect between the classification system and the actual needs of national security.
The arbitrariness of the system has been taken into account by people who deal with it regularly. For example, George Washington University’s National Security Archive, which frequently requests the declassification of old documents for historical purposes, routinely submits multiple requests for the same document in the hope that different officials will declassify different portions. On one occasion, the archive received the beginning and the end of a document from which the entire middle had been redacted. The very next day, in response to a separate request, it received a version of the same document with the middle intact but with the beginning and end removed. Thus within 24 hours the archive had received the entire document. The markings on the two copies indicated that both versions had been reviewed, redacted, and released by the same official.
The current Clinton case presents another example. The notes from Clinton’s FBI interview contain the sentence: “CLINTON believed information should be classified in the case of covert military action, the use of sensitive sources and where sensitive deliberations took place.” The FBI report, which was based in part on the interview and was released as part of the same package, contains virtually the same sentence except that the words “covert military action” have been redacted. Among the redactions from the interview notes, on the other hand, is Clinton’s date of birth.
That said, of course, not everything is overclassified, and the subject is not to be dismissed out of hand. Officially there are three levels of classification as defined by the National Security Act of 1947: Confidential (C), Secret (S), and Top Secret (TS). Bureaucrats often treat Confidential and Secret information in a fairly cavalier manner. This is the sort of thing that you read in the newspaper every day, attributed to a government official who will not give his name because he’s violating the law by giving classified information to a reporter. (Although, to be sure, some unauthorized leaks to the press are actually authorized releases masquerading as unauthorized leaks. Bureaucracy works in strange ways.)
Top Secret information is treated much more seriously. Fred Kaplan has related that when he began a job on Capitol Hill years ago, he was granted access to Confidential and Secret information from the first day, while he was restricted from seeing Top Secret material until his security clearance actually came through. Perhaps because there is only one category that everyone treats so seriously, a number of “unofficial” gradations have been invented within it, degrees of Top Secret, if you will. These include: Special Access Programs (SAP), Sensitive Compartmentalized Information (SCI), and the anatomically challenging EYES ONLY. Incidentally there are two grades of unclassified information as well, both of which may be sent on (authorized) unclassified systems: Unclassified (U) and Sensitive But Unclassified (SBU).**
Various categories of secretiveness can pile up. To take a random example, a 1991 assessment of the 1983 Able Archer war scare*** was marked: TOP SECRET UMBRA GAMMA WNINTEL NOFORN NOCONTRACT ORCON, which roughly translates as: Release Would Cause Exceptionally Grave Damage to National Security; Highly Sensitive Communications Intelligence; Contains Intercepts of Soviet Communications; Warning Notice—Intelligence Sources and Methods Involved; Not Releasable to Foreign Nationals; Not Releasable to Contractors or Consultants; Dissemination and Extraction of Information Controlled by Originator. As of last year, the document is freely available, albeit in redacted form.
*The argument that Clinton must have lied about it being convenient because she was really using multiple devices is false. She used multiple devices over the course of four years, one at a time.
**SBU is a State Department designation. Other agencies, including the FBI, use For Official Use Only (FOUO).
***Yes, there was a war scare in 1983, when the Soviets began to suspect that President Reagan was preparing to launch a nuclear missile strike and went on alert. Don’t feel bad, U.S. intelligence was not aware of it at the time either.