Sorting Through the Snowden Aftermath

Public discussion of the Edward Snowden case has mostly been a dialog of the deaf, with defenders and critics largely talking past each other at increasing volume. But the disagreements became sharper and more interesting over the past week.

“Mr. Snowden is not a patriot. He is not a whistleblower. He is a criminal,” wrote the members of the House Intelligence Committee in a startling September 15 letter to the President, urging him not to pardon Snowden, contrary to the urging of human rights groups.

“The public narrative popularized by Snowden and his allies is rife with falsehoods, exaggerations, and crucial omissions,” the House Intelligence Committee wrote in the executive summary of an otherwise classified report on Snowden’s disclosures.

Remarkably, however, the House Committee report itself included numerous false statements and misrepresentations, according to an analysis by Barton Gellman, who had reported on Snowden’s disclosures for the Washington Post.

“The report is not only one-sided, not only incurious, not only contemptuous of fact. It is trifling,” wrote Gellman, who identified several apparent errors and falsehoods in the House Committee summary.

What is perhaps worse than what’s contained in the House document, though, is what is missing from it: Congressional intelligence overseers missed the opportunity to perform any reflection or self-criticism concerning their own role in the Snowden matter.

The fact that U.S. intelligence surveillance policies had to be modified in response to the public controversy over Snowden’s disclosures was a tacit admission that intelligence oversight behind closed doors had failed to fulfill its role up to that point. But since the Committee has been unwilling to admit any such failure, it remains unable to take the initiative to rectify its procedures.

Last week, a coalition of non-governmental organizations proposed various changes to House rules that they said would help to improve the quality of intelligence oversight and make it more responsive to congressional needs and to the public interest.

Meanwhile, several human rights organizations launched a campaign to urge President Obama to pardon Snowden.

“Thanks to his act of conscience, America’s surveillance programs have been subjected to democratic scrutiny, the NSA’s surveillance powers were reined in for the first time in decades, and technology companies around the world are newly invigorated to protect their customers and strengthen our communications infrastructure,” the petition website said. “Snowden should be hailed as a hero. Instead, he is exiled in Moscow, and faces decades in prison under World War One-era charges that treat him like a spy.”

However, aside from that oblique reference to the Espionage Act of 1917, the petition campaign does not acknowledge any defect in Snowden’s conduct or weigh counterarguments. (A somewhat more nuanced defense of a pardon was presented by Tim Edgar in Lawfare. A substantial rebuttal to the pardon proposal was offered by Jack Goldsmith also in Lawfare.)

But of course what complicates the Snowden matter is that his disclosures exceeded the boundaries of “democratic scrutiny” and went well beyond any identifiable “act of conscience.”

“The fact is, many of Snowden’s documents bore no resemblance to whistleblowing as the phrase is broadly understood,” wrote Fred Kaplan in a review of the new Oliver Stone movie about Snowden in Slate. Rather, he said, they represented “an attempt to blow U.S. intelligence operations.”

Advocacy journalist Glenn Greenwald replied with a debater’s point that Snowden is innocent of any such offense since he (Snowden) did not directly disclose anything at all to the public! Instead, he gave documents to newspapers that reported on his material, and those papers are responsible for any inappropriate disclosures.

“Snowden himself never publicly disclosed a single document, so any programs that were revealed were the ultimate doing of news organizations,” according to Greenwald.

In an oddly mercenary argument, he also wrote that it was hypocritical of the Washington Post editorial board to oppose a pardon for Snowden, considering that the Post had gained “untold millions of clicks” from his disclosures, and therefore somehow owed him a debt of loyalty.

But an effort to shift responsibility away from Snowden onto news reporters and editors proves too much. It implies that Snowden is not a whistleblower at all, since he himself didn’t blow any whistles; his journalistic collaborators did.

It seems more sensible to conclude that Snowden is responsible for his own actions as well as for the directly foreseeable consequences of those actions.

In an interesting response to Jack Goldsmith, Marcy Wheeler wrote that it is possible to comprehend — if not to reconcile — the sharply opposing views of the Snowden case if they are understood as a clash between professed American values (such as openness, privacy, and internet freedom) and American interests and actions (such as global surveillance and projection of military power). The former, “cosmopolitan” view presumes, however, that the favored values transcend, and can be sustained apart from, their national and institutional roots.

2017 Intelligence Bill Would Constrain Privacy Board

The jurisdiction of the Privacy and Civil Liberties Oversight Board (PCLOB) would be restricted for the second year in a row by the Senate Intelligence Committee version of the FY2017 Intelligence Authorization Act (S.3017). Section 603 of the Act would specifically limit the scope of PCLOB’s attention to the privacy and civil liberties “of United States persons.”

Internal disagreements over the move were highlighted in the Committee report published last week to accompany the text of the bill, which was reported out of Committee on June 5.

“While the PCLOB already focuses primarily on U.S. persons, it is not mandated to do so exclusively,” wrote Senators Martin Heinrich and Mazie K. Hirono in dissenting remarks appended to the report. “Limiting the PCLOB’s mandate to only U.S. persons could create ambiguity about the scope of the PCLOB’s mandate, raising questions in particular about how the PCLOB should proceed in the digital domain, where individuals’ U.S. or non-U.S. status is not always apparent. It is conceivable, for example, that under this restriction, the PCLOB could not have reviewed the NSA’s Section 702 surveillance program, which focuses on the communications of foreigners located outside of the United States, but which is also acknowledged to be incidentally collecting Americans’ communications in the process,” they wrote.

“Over the past three years, the Privacy and Civil Liberties Oversight Board has done outstanding and highly professional work,” wrote Sen. Ron Wyden in his own dissent. “It has examined large, complex surveillance programs and evaluated them in detail, and it has produced public reports and recommendations that are quite comprehensive and useful. Indeed, the Board’s reports on major surveillance programs are the most thorough publicly available documents on this topic. My concern is that by acting to restrict the Board’s purview for the second year in a row, and by making unwarranted criticisms of the Board’s staff in this report, the Intelligence Committee is sending the message that the Board should not do its job too well.”

In support of the provision, the report said that “The Committee believes it is important for the Board to consider the privacy and civil liberties of U.S. Persons first and foremost when conducting its analysis and review of United States counterterrorism efforts.”

But the PCLOB already considers U.S. person privacy “first and foremost.” And the language of the Senate bill does not appear to permit even “secondary” consideration of the privacy of non-U.S. persons. Last year, the FY2016 intelligence authorization bill barred access by the Board to information deemed relevant to covert action.

On June 16, Sen. Patrick Leahy paid tribute to retiring PCLOB chair David Medine on the Senate floor. “[PCLOB] reports and Mr. Medine’s related testimony before the Senate Judiciary Committee have been tremendously beneficial to Congress and the American people in examining government surveillance programs,” he said.

Secrecy System to Undergo “Thoughtful Scrutiny”

The Obama Administration has begun a systematic examination of its national security classification policies, known as the Fundamental Classification Guidance Review (FCGR), in an effort to eliminate obsolete classification requirements and to reduce national security secrecy.

“The goal of the FCGR is to ensure agency classification guidance authorizes classification only in those specific instances necessary to protect national security,” wrote William A. Cira, Acting Director of the Information Security Oversight Office, in a March 17 memorandum to executive branch officials.

“A reasonable outcome of the review overall, though not necessarily in the case of each program or guide, is to expect a reduction in classification activity across government,” he wrote.

Indeed, the first FCGR that was conducted in 2010-12 led to the elimination of “approximately 20% of DoD’s non-compartmented SCGs [security classification guides],” according to a Department of Defense report, thereby removing them as authority for further classification.

And the first Review also appears to have contributed to a historic reduction in reported original classification activity (i.e. the creation of new national security secrets), which reached a record low in 2014.

Now, five years after the first Review, the exercise will be repeated. “The scope of this Review needs to be systematic, comprehensive and conducted with thoughtful scrutiny involving detailed data analysis,” Mr. Cira wrote in his memo to executive branch agencies.

Even under the best of circumstances, agency classification guidance tends to become stale over time. The threat environment changes, policy deliberations or international relations demand fuller disclosure, information leaks or documents are declassified in response to FOIA requests, congressional direction, or historical declassification programs. Yet too often, the guidance itself remains static and unresponsive to changes in the external environment.

Faced with this growing disconnect between a realistic threat appraisal and the information security response, the Fundamental Classification Guidance Review represents the secrecy system’s own attempt at self-correction.

*

The FCGR was inspired by the Department of Energy Fundamental Classification Policy Review that was initiated by then-Secretary of Energy Hazel O’Leary in the mid-1990s, and which had notable success in updating DoE’s classification system. Following a year of deliberations, the DoE reviewers concluded that hundreds of categories of classified information should be declassified, and most of them were. (Some declassification actions proposed by the DoE FCPR — such as those involving historical nuclear weapons locations — were blocked at the time by the Department of Defense.)

“Perhaps the most remarkable feature of this exercise was that it mobilized the DoE bureaucracy itself as an agent of secrecy reform,” I suggested in a 2009 paper on Reducing Government Secrecy: Finding What Works that advocated broader application of this approach.

With the cooperation of William H. Leary at the National Security Council, a requirement to perform a Fundamental Classification Guidance Review throughout the executive branch every five years was incorporated in President Obama’s Executive Order 13526 (section 1.9) in December 2009. Over the coming year, its efficacy will be tested for a second time.

Mr. Cira’s memorandum directed agencies to “obtain the broadest possible range of perspectives” in their review of current classification guidance. He added significantly that “It is not sufficient to have a review conducted only by the pertinent original classification authority.”

But while the DoE Fundamental Review under Hazel O’Leary allowed for public input and feedback at the beginning and the end of the process, the FCGR does not explicitly provide for any public participation in the Review.

GAO Oversight of Intelligence Community Contractors

“We do not have the full picture of who is working for the Intelligence Community as contractors, or why,” said Senator Thomas Carper at a June 2014 hearing, the record of which was just published last week.

See The Intelligence Community: Keeping Watch Over Its Contractor Workforce, Senate Homeland Security and Governmental Affairs Committee, June 18, 2014, published March 18, 2016.

The hearing record is of particular interest as a reflection of the revived intelligence oversight role assumed by the Government Accountability Office (GAO) following the issuance of 2014 Intelligence Community Directive 114, which authorized GAO access to intelligence information under certain circumstances.

“That new Intelligence Community Directive, I think that did establish a good framework for us to move forward,” said GAO’s Timothy J. DiNapoli at the hearing. “It gave us an approach for a presumption of cooperation. It prevented the categorical denial of information, and access to much of the information on a more formal basis.”

And the Intelligence Community apparently responded to the GAO engagement constructively.

“We thought the responses to the draft report and the recommendations were solid,” Mr. DiNapoli said. “I actually thought that the Director [of National Intelligence] provided cogent responses saying here are some specific steps we are going to take with regard to improving information on the methodology; we are going to ask for that information so we will have a better handle on it.”

For her part, ODNI Principal Deputy Director Stephanie O’Sullivan also testified in support of the GAO role in intelligence oversight.

“The only way to really approach this–and this is what I tell my management organization–is by looking at this as an opportunity to see that which you are missing. It is that old adage of when you are in college and you typed a term paper, you could read that paper 50 times and read right over the typo every time. You just simply cannot see that which is the norm to you.”

“You need outside eyes to help you find problems,” Ms. O’Sullivan said, “and that is about the basic credo of IGs and GAO, to make the function of government more efficient and effective.”

A series of Questions for the Record appended to the newly published hearing volume addressed the issue of “Why have the number of contractors and the cost of contracts been classified?”

Help Wanted to Oversee the Classification System

The government is looking for a person to oversee, and perhaps sometimes to overrule, classification decisions made throughout the Executive Branch.

A job opening for the position of Director of the Information Security Oversight Office (ISOO) was announced in USA Jobs last week.

The ISOO director is appointed by the Archivist of the United States, since ISOO is housed at the National Archives. But ISOO takes policy direction from the National Security Council, and the director’s authority over classification and declassification policy extends throughout the executive branch. The previous ISOO director, John P. Fitzpatrick, left for the National Security Council in January.

The ISOO director is endowed with some remarkable powers. “If the Director of the Information Security Oversight Office determines that information is classified in violation of this order, the Director may require the information to be declassified by the agency that originated the classification,” according to executive order 13526. Though this power has mostly been held in reserve, it is backed by presidential authority and retains its potency.

The ISOO director is also obliged by executive order to “consider and take action on complaints and suggestions from persons within or outside the Government with respect to the administration of the program established under this order.”

As a result, the ISOO directors have been the most publicly accessible agency heads anywhere in government. Each of them — Mr. Fitzpatrick (2011-15), Jay Bosanko (2008-2011), Bill Leonard (2002-2008), and Steve Garfinkel (1980-2002) — has in his own distinctive way been a dedicated public servant and has willingly engaged with critics, reporters and members of the general public. (The first ISOO director, former congressman Michael Blouin, did not leave much of a visible record in that position.)

But of course, classification policy remains in significant disarray, even within the government, and is a subject of almost daily public controversy. So the position of ISOO director is potentially even more important than ever before, and the next ISOO director could play a leading role in reconciling competing interests in secrecy and disclosure.

Applications for ISOO director are being accepted until March 28. A Top Secret/SCI clearance is needed. Senate confirmation is not.

ISOO Director Fitzpatrick Moves to NSC

John P. Fitzpatrick, the director of the Information Security Oversight Office (ISOO), left his position at the end of last week to join the National Security Council staff.

As ISOO director for the past four years or so, Mr. Fitzpatrick was responsible for oversight of national security classification and declassification activities government-wide.

“John led ISOO in carrying out the President’s programs to improve transparency, openness, and access to information while ensuring that classified national security information is properly protected,” wrote David S. Ferriero, Archivist of the United States, in a January 8 notice to employees of the National Archives, where ISOO is housed.

While there remains much to criticize in classification and declassification policy, Mr. Fitzpatrick presided over a four-year decline in original classification activity, such that by 2014 the number of new national security secrets created annually had dropped to the lowest ever reported by ISOO in its 35-year history.

The change in ISOO leadership comes at a delicate moment, since the entire national security classification system is supposed to go through a systematic recalibration, known as the Fundamental Classification Guidance Review, over the next 18 months. This secrecy re-booting process needs to be closely guided and nurtured if it is to yield optimal results.

But Mr. Fitzpatrick is not going very far, geographically or topically.

“Beginning Monday, 11 January, I will join the National Security Council Staff, Executive Office of the President, as Senior Director for Records Access and Information Security Management,” he wrote in an email message. “There I will assist the NSC/EOP with a portfolio of federal information security policies for classified and controlled unclassified information (classification, declassification, safeguarding, etc.), the National Industrial Security Program and other related security efforts. I will also direct the staff who preserve, safeguard, review and help release NSC records via FOIA, automatic declassification and the like. It promises to be an exciting challenge.”

Protecting the 2020 Census from Fraud

The national census in 2020 will be the first to rely primarily on the Internet for collecting census data, thereby creating new avenues for fraud and disruption.

A new report from the JASON scientific advisory panel describes the problem and outlines some solutions.

Why would anyone want to interfere with the constitutionally-mandated census, which maps the population of the United States every ten years and serves as the basis for apportioning congressional districts? The JASONs identified a number of reasons.

“Several distinguishable types of fraud against the census must be considered, including: hacking the census for fun or bragging rights; social media attempts to discredit the census and reduce cooperation; mimicry of the census forms or apps for purposes including phishing; city or district-level attempts to change population numbers or distributions; large scale attempts to affect apportionment of the House of Representatives; individual mischief and anti-government protest.”

Not all of these threats are equally important.

“Non-organized fraud from random individuals (e.g. pet names listed as family members) is unlikely to have any significant impact on the outcomes of the U.S. Census,” the JASONs said. And “individual mischief, for example, a response from Seymour Butts of 6 E. Psycho Path” is to be expected.

But large-scale, organized fraud could pose a threat to the integrity of the census, and the threshold for effectively manipulating the census process is surprisingly low.

“Occasionally, small numbers of census responses determine the loss or gain of seats in the U.S. House of Representatives. For example, in the 2000 U.S. Census, Utah fell only 80 persons short of gaining a congressional seat, which was instead allocated to North Carolina.”

The JASON report, prepared for the U.S. Census Bureau, included several technical and procedural recommendations to impede fraudulent activity, to facilitate its detection, and to mitigate its consequences.

“The goal of the 2020 Decennial Census is… to count every person, exactly once, on April 1, 2020, by the geographical location within the U.S. where they ‘live and sleep most of the time’ (or a similar formulation). The total number of people thus counted is expected to be about 335 million.”

A copy of the JASON report was obtained by Secrecy News. See Respondent Validation for Non-ID Processing in the 2020 Decennial Census, November 2015.

GAO Posts Titles of Restricted Reports

Updated below

The Government Accountability Office this week quietly published a list of titles of its restricted reports that have not been publicly released because they contain classified information or controlled unclassified information. A new link to “Restricted Products” appears at the bottom of the GAO homepage (under Reports & Testimonies).

“This list is intended to keep Congress, federal agencies, and the public informed of the existence of these products. The list consists of all such classified or controlled products issued since September 30, 2014 and will be updated each time a new report is issued,” the GAO webpage says.

“We did not issue a statement or announcement” concerning the new listing, said Timothy L. Minelli of GAO Congressional Relations.

A congressional staffer said the move was prompted by concerns expressed by some Members of Congress and staff that they were unaware of the restricted reports, since they had not been indexed or archived by GAO.

Publication of the titles of restricted GAO reports “was not necessarily universally desired by everyone in Congress,” the staffer said, and “it took about a year” to resolve the issue. But “GAO deserves a lot of credit. They decided it was the right thing to do, and they did it.”

Although primarily aimed at congressional consumers, the new webpage also serves to inform the public. GAO is not subject to the Freedom of Information Act, but will usually entertain requests for records anyway. However, GAO is not authorized to release information that has been classified or controlled by an executive branch agency.

There are several limitations to the new disclosure policy. It does not reflect restricted GAO reports that were generated prior to 2014. It will not cite titles that are themselves classified. And it will not include reports that focus on an individual intelligence agency.

“We excluded titles of products primarily focused on an element of the intelligence community to be consistent with the general practices of the IG [Inspector General] Offices within that IC community, who generally don’t post these titles,” said Mr. Minelli of GAO. “Only titles of products that are primarily focused on an element of the IC won’t be listed, which we believe will be a very small number, likely less than a handful per year.”

“More common are GAO products that address activities/operations of IC elements in the context of a broader set of questions we are answering, and the titles of these products are being posted,” he said.

“Finally, in a number of cases and pending the classification and sensitivity reviews conducted by the appropriate agencies, GAO will follow its usual practice of trying to issue public versions of classified and sensitive-but-unclassified products that have had classified and SBU material removed. These reports are posted on our website and publicly available,” he said.

Update: A listing of GAO restricted report titles from 1971-2011 was obtained and published by GovernmentAttic.org, which also obtained copies of the first page of each GAO report issued prior to 1972 that remains classified.

Intelligence Lessons from the 2009 Fort Hood Shooting

In 2010, then-Director of National Intelligence Dennis C. Blair convened a panel to review the November 2009 Fort Hood shooting committed by Army Maj. Nidal Hasan and the Christmas Day bombing attempt by Umar Farouk Abdulmutallab aboard Northwest Flight 253.

A redacted version of the resulting panel report was finally declassified and released this week. See Report to the Director of National Intelligence on the Fort Hood and Northwest Flight 253 Incidents, Intelligence Community Review Panel, 15 April 2010. The panel was led by former Acting DCI John E. McLaughlin.

In a nutshell, the report found, “There were several missed opportunities that could have increased the odds of detecting Abdulmutallab or Hasan. The causes of the missteps ranged from human error to inadequate information technology, inefficient processes, unclear roles and responsibilities, and an occasional lack of individual inquisitiveness.”

Beyond a detailed recounting of what was known by U.S. intelligence about the perpetrators, much of which has been withheld, the report fills a gap in the literature of intelligence reform with a look at systemic issues such as the state of information technology in the intelligence community (as of 2011), the process of watch-listing, and disagreements over the handling of U.S. person information.

“Inadequate information technology runs through both the Fort Hood and the NW Flight 253 narratives, particularly the inability of IT systems to help analysts locate relevant reporting in a sea of fragmentary data or to correct for seemingly minor human errors.”

“NCTC [National Counterterrorism Center] analysts, for example, have access to more than 28 separate databases and systems, each of which, for the most part, has a separate log-on. This means analysts have to search each database separately before trying to identify connections among their results.”

The existing search capacity “is intolerant of even simple mistakes in the queries and does not enable questions like: list everyone that is potentially affiliated with AQAP and has a passport or visa that would permit entry to the United States or UK.”

But the problem is not purely one of technology, the report said. “The Community cannot realize the potential of information technology to assist the counterterrorism mission without clarifying… procedures for sharing information on US persons.”

The report reflects a view that restrictions on collecting and disseminating US person information had become onerous and counterproductive.

“Many of the people we interviewed assessed that policy on handling US Persons data… was limiting the Intelligence Community’s ability to aggregate and exploit available data, especially information pertaining to critical domestic-foreign nexus issues.”

“We noticed a strong belief among collectors and analysts that restrictions on collecting, disseminating, accessing, and analyzing data on US Persons impede mission performance…. We also saw a surprising level of disagreement — even among experienced practitioners — on whether current US Person authorities allow intelligence officers to accomplish their missions, or whether new legal authorities are needed.”

(“Sharing US Person information with foreign partners, and tasking them to collect on US Persons appeared at various points,” the report says at the start of an otherwise redacted paragraph.)

“We see a need to simplify, harmonize, update, and modify the Community’s procedures relating to US persons,” the McLaughlin panel wrote.

What exactly this might mean in practice was not spelled out, but it didn’t seem to entail tightening, narrowing or curtailing the use of US person information, or increasing oversight of it.

“The report’s finding on the Intelligence Community’s ‘caution’ and ‘risk aversion’ in the collection of US persons information is particularly notable,” said Christian Beckner, Deputy Director, GW Center for Cyber & Homeland Security, “leading the review group to worry that ‘the next terrorist surprise could be the result of confusion or excessive caution about how to manage this issue.’ This finding is in striking contrast to much of the public dialogue following the Snowden leaks about intelligence activities related to US persons.”

The panel report also includes various incidental observations of interest.

“The panel is concerned that the overlap between CTC [the CIA Counterterrorism Center] and NCTC [the National Counterterrorism Center] extends beyond healthy competition and that the turf battles, duplications, and clashes are a drain on the resources and creative energy of both organizations.”

Furthermore, “It appears that much of the tension between the two organizations centers on issues related to the President’s Daily Brief (PDB) — everything from who takes the lead to what is said in the articles.”

The report cites inaccuracies in news media coverage of the Fort Hood shootings and Christmas Day bombing “that have skewed the discussions.” For example, contrary to some accounts, “There is no evidence indicating that [Anwar al] Aulaqi directed Hasan.”

The report also presents a previously unreleased 2010 DNI directive on “lanes in the road” (included as Appendix D to the report) that “establishes the responsibilities and accountability of leaders of major organizations with counterterrorism analytic missions.” In other words, it assigned specific counterterrorism roles to each of the relevant intelligence agencies.

“Each organization within the IC with a significant counterterrorism analytic effort is expected to work seamlessly with its counterparts, drawing on the specific strengths and advantages of partners, but is also expected to place particular emphasis on those missions they are uniquely positioned to conduct,” wrote DNI Dennis C. Blair in the April 7, 2010 memorandum.

CIA Classification Practices Challenged

The Central Intelligence Agency has improperly classified and withheld from release at least five categories of information related to its post-9/11 rendition, detention and interrogation program, according to a detailed complaint filed by Openthegovernment.org with the Information Security Oversight Office.

Classification of this information has impeded government accountability for the controversial CIA programs and derailed a full public reckoning over abuses that occurred, the complaint said.

“Secrecy regarding ‘black sites’ and torture has played a major role in ensuring that no CIA personnel could be prosecuted for torture, war crimes, destruction of evidence, or other relevant federal crimes. It has ensured that civil courts were closed to victims of torture, indefinitely delayed trials of the accused perpetrators of the September 11 attacks, and put the United States in breach of its obligations under the Convention Against Torture,” wrote Katherine Hawkins, National Security Fellow at Openthegovernment.org, who authored the complaint.

She specified five categories of information that she said had been classified in violation of the executive order governing classification policy and redacted from the summary of the Senate Intelligence Committee report on interrogation:

* The pseudonyms and titles, and in some cases the names, of CIA officials and contractors implicated in the torture program.

* The names of countries that hosted black sites (i.e. unacknowledged locations of CIA detention centers abroad).

* Former CIA detainees’ descriptions of the details of their own torture.

* The CIA’s involvement in the torture of prisoners in Iraq.

* The CIA’s rendition of prisoners to torture in foreign custody.

The 38-page complaint presents extensive arguments that particular information in each of these categories was improperly classified by the CIA.

“There is strong evidence that classification of evidence regarding the torture program violated the Executive Order, in some cases willfully so,” Ms. Hawkins wrote. “It is important that there be consequences for this abuse of the classification power to deter similar violations in the future. But it is even more important that the cover-up end, and that ISOO act to oversee ongoing CIA classification decisions regarding the rendition, detention and interrogation program.”

John P. Fitzpatrick, the director of the Information Security Oversight Office (ISOO), which oversees the classification system, said his office has already begun “digging into the complaint in detail…. I don’t yet know what level of effort this will require.”

Under Executive Order 13526 (section 5.2(6)), the ISOO director is authorized and required to “consider and take action on complaints and suggestions from persons within or outside the Government with respect to the administration of the [classification] program established under this order.”

As a practical matter, ISOO’s capacity to investigate classification errors is limited by the Office’s size and budget.

Nevertheless, Mr. Fitzpatrick said, “handling complaints like this is part of our mission, so we will have to see what can be done.”

The immediate next steps, he said, include identifying the specific claims advanced by the complaint and the parts of the executive order they may relate to; gathering relevant facts that would support or refute the claims; and performing analysis to reach a conclusion. Considering the length and detail of the complaint, reviewing it “will take time.”

*    *    *

If there is a systemic solution to the problem of overclassification, it is likely to involve the kind of independent review that has been urged on ISOO by Openthegovernment.org in this case.

Government agencies that are left to their own devices will almost always classify more information than is necessary or appropriate. Without assuming any malign intent on their part, it is simply the path of least resistance.

However, when an agency is required to justify its classification activity to an impartial reviewer, even on a non-adversarial basis, a reduction in the scope of classification results more often than not. This has been confirmed repeatedly.

*    Between 1996 and 2014, the Interagency Security Classification Appeals Panel directed the declassification of information in 71 percent of the documents presented to it by members of the public whose direct requests to agencies had been denied, ISOO reported in 2014.

*    Documents concerning covert actions that the CIA had refused to acknowledge on its own were approved for declassification and publication in the Foreign Relations of the United States series after deliberation by the so-called High-Level Panel composed of representatives of the National Security Council, State Department and CIA.

*    CIA classification of many records related to the JFK assassination could not withstand review by the independent Assassination Records Review Board. The Board ordered declassification of tens of thousands of assassination-related records including millions of pages.

*    Even within individual agencies, the process of challenging classification decisions has borne fruit to a surprising extent. Government employees challenged the classification status of various items of information in 813 cases in FY2014, the Information Security Oversight Office reported. Their classification was overturned in whole or in part in 453 of those cases.

It follows that new venues and new procedures for independently evaluating disputed classification decisions would help to reduce or eliminate spurious classification.