Amount of Classification is Highly Uncertain

One of the more encouraging changes in classification policy over the past decade has been the sharp reduction in the number of decisions to classify information reported each year by executive branch agencies.

In 2005 there were a total of 258,633 original classification actions, or new secrets, reported; in 2015, there were said to be 53,425 such actions. (See Number of New Secrets in 2015 Near Historic Low, Secrecy News, July 29, 2016).

Despite the misleading precision with which they are reported, these numbers — which are derived from agency reports to the Information Security Oversight Office and published in ISOO annual reports — were understood to be estimates, not precise tabulations.

Now, however, a new report from the State Department Inspector General suggests that State’s reporting of its classification activity to ISOO may not only be imprecise, but actually inaccurate and incorrect.

The Inspector General “found shortcomings with the count of classification decisions” reported to ISOO. The estimates that were generated were not validated, and they did not reflect the full scope of State Department classification activity.

So, “For example, classified documents created within the Office of the Secretary were not included” in the survey, the IG said. See Compliance Follow-up Review of the Department of State’s Implementation of Executive Order 13526, Classified National Security Information, Office of Inspector General, Department of State, September 2016.

The bottom line, the IG said, is that reported classification totals “will not accurately represent all of the Department’s classification decisions because not all decisions are being identified or sampled as part of the Department’s self-inspection program.”

William Cira, the acting director of the Information Security Oversight Office, said he was not surprised by the Inspector General findings, and not especially troubled.

He recalled that ISOO itself stated in its 2009 report that “the data reported has not truly reflected the changing ways agencies have generated and used classified information in the electronic environment.”

“It has been recognized, even long before we asked the agencies to include the electronic environment, that an actual count is not feasible,” Mr. Cira added. “The sampling and extrapolation technique described in that report has been in widespread use for a long time.”

“It is actually one of the suggested methods that we impart to the agencies when we send out our data collection request each year. Since FY 2009, ISOO has asked agencies to do their best to estimate the volume of all classified products in the electronic environment.”

“We have always acknowledged that this would not be easy.  We do ask them [agencies] to estimate, we do suggest that they sample and extrapolate, and we acknowledge that in almost all cases they will not have the resources to conduct a scientific survey as that is defined by professional statisticians.”

“This method may seem crude but we recognize that almost none of agency data collectors have trained statisticians to call upon, and there is no expectation that they hire one.” Still, “If the Dept. of State OIG believes that the Office of the Secretary should be included that is a welcome suggestion.”

“The one thing for certain is that this method has been consistently applied across many agencies for a very long time,” Mr. Cira said.

In other words, if the collection method is crude, at least it is consistent in its crudeness, and so perhaps some rough trend information may still be discerned within the noise.

But without real quantitative and qualitative clarity, effective management of agency classification activity will be beyond reach.

CIA Poke at DoD Intelligence Was Not “Substantiated”

In a dispute that pitted member agencies of the U.S. intelligence community against each other, the Central Intelligence Agency claimed that “a questionable intelligence activity” had been carried out in 2014 by agents of the Department of Defense.

But an investigation of the matter by the DoD Inspector General that was partially declassified last week failed to corroborate the CIA claim.

At issue was whether or not an unnamed individual had “conducted unauthorized intelligence activities in Europe on behalf of DoD,” as CIA had alleged.

“We were unable to substantiate the CIA allegation and could not find any evidence that [deleted] traveled to Europe or paid any sources on behalf of the DoD,” the Inspector General concluded.

“We could not find evidence of DoD intelligence tasking,” the IG investigative summary said. “In addition, we verified that [deleted] did not travel to Europe in 2014.”

The IG summary report, which had been classified Secret/Noforn, was partially declassified and released under the Freedom of Information Act last Friday.  See Investigative Results of a Questionable Intelligence Activity (redacted), DoD Inspector General report DODIG-2015-171, September 8, 2015.

Meanwhile, for his part, the alleged DoD culprit “asserts that the CIA fabricated the allegation that [deleted] had been conducting intelligence operations in Europe in order to ensure that [several words deleted] because [deleted] claimed [deleted] had previously identified and revealed analytical flaws within CIA analysis.”

However, that counter-accusation “was outside the scope of our investigation and has been referred to the Intelligence Community Inspector General for review.”

The exact nature of the alleged questionable intelligence activity and the identity of the individual(s) involved were not declassified.

Nor would CIA elaborate on the public record.

“You can say CIA declined to comment,” said CIA spokesperson Ryan Trapani.  “We defer to DOD on the document.”

Sorting Through the Snowden Aftermath

Public discussion of the Edward Snowden case has mostly been a dialog of the deaf, with defenders and critics largely talking past each other at increasing volume. But the disagreements became sharper and more interesting over the past week.

“Mr. Snowden is not a patriot. He is not a whistleblower. He is a criminal,” wrote the members of the House Intelligence Committee in a startling September 15 letter to the President, urging him not to pardon Snowden, contrary to the urging of human rights groups.

“The public narrative popularized by Snowden and his allies is rife with falsehoods, exaggerations, and crucial omissions,” the House Intelligence Committee wrote in the executive summary of an otherwise classified report on Snowden’s disclosures.

Remarkably, however, the House Committee report itself included numerous false statements and misrepresentations, according to an analysis by Barton Gellman, who had reported on Snowden’s disclosures for the Washington Post.

“The report is not only one-sided, not only incurious, not only contemptuous of fact. It is trifling,” wrote Gellman, who identified several apparent errors and falsehoods in the House Committee summary.

What is perhaps worse than what’s contained in the House document, though, is what is missing from it: Congressional intelligence overseers missed the opportunity to perform any reflection or self-criticism concerning their own role in the Snowden matter.

The fact that U.S. intelligence surveillance policies had to be modified in response to the public controversy over Snowden’s disclosures was a tacit admission that intelligence oversight behind closed doors had failed to fulfill its role up to that point. But since the Committee has been unwilling to admit any such failure, it remains unable to take the initiative to rectify its procedures.

Last week, a coalition of non-governmental organizations proposed various changes to House rules that they said would help to improve the quality of intelligence oversight and make it more responsive to congressional needs and to the public interest.

Meanwhile, several human rights organizations launched a campaign to urge President Obama to pardon Snowden.

“Thanks to his act of conscience, America’s surveillance programs have been subjected to democratic scrutiny, the NSA’s surveillance powers were reined in for the first time in decades, and technology companies around the world are newly invigorated to protect their customers and strengthen our communications infrastructure,” the petition website said. “Snowden should be hailed as a hero. Instead, he is exiled in Moscow, and faces decades in prison under World War One-era charges that treat him like a spy.”

However, aside from that oblique reference to the Espionage Act of 1917, the petition campaign does not acknowledge any defect in Snowden’s conduct or weigh counterarguments. (A somewhat more nuanced defense of a pardon was presented by Tim Edgar in Lawfare. A substantial rebuttal to the pardon proposal was offered by Jack Goldsmith also in Lawfare.)

But of course what complicates the Snowden matter is that his disclosures exceeded the boundaries of “democratic scrutiny” and went well beyond any identifiable “act of conscience.”

“The fact is, many of Snowden’s documents bore no resemblance to whistleblowing as the phrase is broadly understood,” wrote Fred Kaplan in a review of the new Oliver Stone movie about Snowden in Slate. Rather, he said, they represented “an attempt to blow U.S. intelligence operations.”

Advocacy journalist Glenn Greenwald replied with a debater’s point that Snowden is innocent of any such offense since he (Snowden) did not directly disclose anything at all to the public! Instead, he gave documents to newspapers that reported on his material, and those papers are responsible for any inappropriate disclosures.

“Snowden himself never publicly disclosed a single document, so any programs that were revealed were the ultimate doing of news organizations,” according to Greenwald.

In an oddly mercenary argument, he also wrote that it was hypocritical of the Washington Post editorial board to oppose a pardon for Snowden, considering that the Post had gained “untold millions of clicks” from his disclosures, and therefore somehow owed him a debt of loyalty.

But an effort to shift responsibility away from Snowden on to news reporters and editors proves too much. It implies that Snowden is not a whistleblower at all, since he himself didn’t blow any whistles, his journalistic collaborators did.

It seems more sensible to conclude that Snowden is responsible for his own actions as well as for the directly foreseeable consequences of those actions.

In an interesting response to Jack Goldsmith, Marcy Wheeler wrote that it is possible to comprehend — if not to reconcile — the sharply opposing views of the Snowden case if they are understood as a clash between professed American values (such as openness, privacy, and internet freedom) and American interests and actions (such as global surveillance and projection of military power). The former, “cosmopolitan” view presumes, however, that the favored values transcend, and can be sustained apart from, their national and institutional roots.

2017 Intelligence Bill Would Constrain Privacy Board

The jurisdiction of the Privacy and Civil Liberties Oversight Board (PCLOB) would be restricted for the second year in a row by the Senate Intelligence Committee version of the FY2017 Intelligence Authorization Act (S.3017). Section 603 of the Act would specifically limit the scope of PCLOB’s attention to the privacy and civil liberties “of United States persons.”

Internal disagreements over the move were highlighted in the Committee report published last week to accompany the text of the bill, which was reported out of Committee on June 5.

“While the PCLOB already focuses primarily on U.S. persons, it is not mandated to do so exclusively,” wrote Senators Martin Heinrich and Mazie K. Hirono in dissenting remarks appended to the report. “Limiting the PCLOB’s mandate to only U.S. persons could create ambiguity about the scope of the PCLOB’s mandate, raising questions in particular about how the PCLOB should proceed in the digital domain, where individuals’ U.S. or non-U.S. status is not always apparent. It is conceivable, for example, that under this restriction, the PCLOB could not have reviewed the NSA’s Section 702 surveillance program, which focuses on the communications of foreigners located outside of the United States, but which is also acknowledged to be incidentally collecting Americans’ communications in the process,” they wrote.

“Over the past three years, the Privacy and Civil Liberties Oversight Board has done outstanding and highly professional work,” wrote Sen. Ron Wyden in his own dissent. “It has examined large, complex surveillance programs and evaluated them in detail, and it has produced public reports and recommendations that are quite comprehensive and useful. Indeed, the Board’s reports on major surveillance programs are the most thorough publicly available documents on this topic. My concern is that by acting to restrict the Board’s purview for the second year in a row, and by making unwarranted criticisms of the Board’s staff in this report, the Intelligence Committee is sending the message that the Board should not do its job too well.”

In support of the provision, the report said that “The Committee believes it is important for the Board to consider the privacy and civil liberties of U.S. Persons first and foremost when conducting its analysis and review of United States counterterrorism efforts.”

But the PCLOB already considers U.S. person privacy “first and foremost.” And the language of the Senate bill does not appear to permit even “secondary” consideration of the privacy of non-U.S. persons. Last year, the FY2016 intelligence authorization bill barred access by the Board to information deemed relevant to covert action.

On June 16, Sen. Patrick Leahy paid tribute to retiring PCLOB chair David Medine on the Senate floor. “[PCLOB] reports and Mr. Medine’s related testimony before the Senate Judiciary Committee have been tremendously beneficial to Congress and the American people in examining government surveillance programs,” he said.

Secrecy System to Undergo “Thoughtful Scrutiny”

The Obama Administration has begun a systematic examination of its national security classification policies, known as the Fundamental Classification Guidance Review (FCGR), in an effort to eliminate obsolete classification requirements and to reduce national security secrecy.

“The goal of the FCGR is to ensure agency classification guidance authorizes classification only in those specific instances necessary to protect national security,” wrote William A. Cira, Acting Director of the Information Security Oversight Office, in a March 17 memorandum to executive branch officials.

“A reasonable outcome of the review overall, though not necessarily in the case of each program or guide, is to expect a reduction in classification activity across government,” he wrote.

Indeed, the first FCGR that was conducted in 2010-12 led to the elimination of “approximately 20% of DoD’s non-compartmented SCGs [security classification guides],” according to a Department of Defense report, thereby removing them as authority for further classification.

And the first Review also appears to have contributed to a historic reduction in reported original classification activity (i.e. the creation of new national security secrets), which reached a record low in 2014.

Now, five years after the first Review, the exercise will be repeated. “The scope of this Review needs to be systematic, comprehensive and conducted with thoughtful scrutiny involving detailed data analysis,” Mr. Cira wrote in his memo to executive branch agencies.

Even under the best of circumstances, agency classification guidance tends to become stale over time. The threat environment changes, policy deliberations or international relations demand fuller disclosure, information leaks or documents are declassified in response to FOIA requests, congressional direction, or historical declassification programs. Yet too often, the guidance itself remains static and unresponsive to changes in the external environment.

Faced with this growing disconnect between a realistic threat appraisal and the information security response, the Fundamental Classification Guidance Review represents the secrecy system’s own attempt at self-correction.


The FCGR was inspired by the Department of Energy Fundamental Classification Policy Review that was initiated by then-Secretary of Energy Hazel O’Leary in the mid-1990s, and which had notable success in updating DoE’s classification system. Following a year of deliberations, the DoE reviewers concluded that hundreds of categories of classified information should be declassified, and most of them were. (Some declassification actions proposed by the DoE FCPR — such as those involving historical nuclear weapons locations — were blocked at the time by the Department of Defense.)

“Perhaps the most remarkable feature of this exercise was that it mobilized the DoE bureaucracy itself as an agent of secrecy reform,” I suggested in a 2009 paper on Reducing Government Secrecy: Finding What Works that advocated broader application of this approach.

With the cooperation of William H. Leary at the National Security Council, a requirement to perform a Fundamental Classification Guidance Review throughout the executive branch every five years was incorporated in President Obama’s Executive Order 13526 (section 1.9) in December 2009. Over the coming year, its efficacy will be tested for a second time.

Mr. Cira’s memorandum directed agencies to “obtain the broadest possible range of perspectives” in their review of current classification guidance. He added significantly that “It is not sufficient to have a review conducted only by the pertinent original classification authority.”

But while the DoE Fundamental Review under Hazel O’Leary allowed for public input and feedback at the beginning and the end of the process, the FCGR does not explicitly provide for any public participation in the Review.

GAO Oversight of Intelligence Community Contractors

“We do not have the full picture of who is working for the Intelligence Community as contractors, or why,” said Senator Thomas Carper at a June 2014 hearing, the record of which was just published last week.

See The Intelligence Community: Keeping Watch Over Its Contractor Workforce, Senate Homeland Security and Governmental Affairs Committee, June 18, 2014, published March 18, 2016.

The hearing record is of particular interest as a reflection of the revived intelligence oversight role assumed by the Government Accountability Office (GAO) following the issuance of 2014 Intelligence Community Directive 114, which authorized GAO access to intelligence information under certain circumstances.

“That new Intelligence Community Directive, I think that did establish a good framework for us to move forward,” said GAO’s Timothy J. DiNapoli at the hearing. “It gave us an approach for a presumption of cooperation. It prevented the categorical denial of information, and access to much of the information on a more formal basis.”

And the Intelligence Community apparently responded to the GAO engagement constructively.

“We thought the responses to the draft report and the recommendations were solid,” Mr. DiNapoli said. “I actually thought that the Director [of National Intelligence] provided cogent responses saying here are some specific steps we are going to take with regard to improving information on the methodology; we are going to ask for that information so we will have a better handle on it.”

For her part, ODNI Principal Deputy Director Stephanie O’Sullivan also testified in support of the GAO role in intelligence oversight.

“The only way to really approach this–and this is what I tell my management organization–is by looking at this as an opportunity to see that which you are missing. It is that old adage of when you are in college and you typed a term paper, you could read that paper 50 times and read right over the typo every time. You just simply cannot see that which is the norm to you.”

“You need outside eyes to help you find problems,” Ms. O’Sullivan said, “and that is about the basic credo of IGs and GAO, to make the function of government more efficient and effective.”

A series of Questions for the Record appended to the newly published hearing volume addressed the issue of “Why have the number of contractors and the cost of contracts been classified?”

Help Wanted to Oversee the Classification System

The government is looking for a person to oversee, and perhaps sometimes to overrule, classification decisions made throughout the Executive Branch.

A job opening for the position of Director of the Information Security Oversight Office (ISOO) was announced in USA Jobs last week.

The ISOO director is appointed by the Archivist of the United States, since ISOO is housed at the National Archives. But ISOO takes policy direction from the National Security Council, and the director’s authority over classification and declassification policy extends throughout the executive branch.  The previous ISOO director, John P. Fitzpatrick, left for the National Security Council in January.

The ISOO director is endowed with some remarkable powers. “If the Director of the Information Security Oversight Office determines that information is classified in violation of this order, the Director may require the information to be declassified by the agency that originated the classification,” according to executive order 13526. Though this power has mostly been held in reserve, it is backed by presidential authority and retains its potency.

The ISOO director is also obliged by executive order to “consider and take action on complaints and suggestions from persons within or outside the Government with respect to the administration of the program established under this order.”

As a result, the ISOO directors have been the most publicly accessible agency heads anywhere in government. Each of them — Mr. Fitzpatrick (2011-15), Jay Bosanko (2008-2011), Bill Leonard (2002-2008), and Steve Garfinkel (1980-2002) — has in his own distinctive way been a dedicated public servant and has willingly engaged with critics, reporters and members of the general public. (The first ISOO director, former congressman Michael Blouin, did not leave much of a visible record in that position.)

But of course, classification policy remains in significant disarray, even within the government, and is a subject of almost daily public controversy. So the position of ISOO director is potentially even more important than ever before, and the next ISOO director could play a leading role in reconciling competing interests in secrecy and disclosure.

Applications for ISOO director are being accepted until March 28. A Top Secret/SCI clearance is needed. Senate confirmation is not.

ISOO Director Fitzpatrick Moves to NSC

John P. Fitzpatrick, the director of the Information Security Oversight Office (ISOO), left his position at the end of last week to join the National Security Council staff.

As ISOO director for the past four years or so, Mr. Fitzpatrick was responsible for oversight of national security classification and declassification activities government-wide.

“John led ISOO in carrying out the President’s programs to improve transparency, openness, and access to information while ensuring that classified national security information is properly protected,” wrote David S. Ferriero, Archivist of the United States, in a January 8 notice to employees of the National Archives, where ISOO is housed.

While there remains much to criticize in classification and declassification policy, Mr. Fitzpatrick presided over a four-year decline in original classification activity, such that by 2014 the number of new national security secrets created annually had dropped to the lowest ever reported by ISOO in its 35 year history.

The change in ISOO leadership comes at a delicate moment, since the entire national security classification system is supposed to go through a systematic recalibration, known as the Fundamental Classification Guidance Review, over the next 18 months. This secrecy re-booting process needs to be closely guided and nurtured if it is to yield optimal results.

But Mr. Fitzpatrick is not going very far, geographically or topically.

“Beginning Monday, 11 January, I will join the National Security Council Staff, Executive Office of the President, as Senior Director for Records Access and Information Security Management,” he wrote in an email message. “There I will assist the NSC/EOP with a portfolio of federal information security policies for classified and controlled unclassified information (classification, declassification, safeguarding, etc.), the National Industrial Security Program and other related security efforts.  I will also direct the staff who preserve, safeguard, review and help release NSC records via FOIA, automatic declassification and the like.  It promises to be an exciting challenge.”

Protecting the 2020 Census from Fraud

The national census in 2020 will be the first to rely primarily on the Internet for collecting census data, thereby creating new avenues for fraud and disruption.

A new report from the JASON scientific advisory panel describes the problem and outlines some solutions.

Why would anyone want to interfere with the constitutionally-mandated census, which maps the population of the United States every ten years and serves as the basis for apportioning congressional districts? The JASONs identified a number of reasons.

“Several distinguishable types of fraud against the census must be considered, including: hacking the census for fun or bragging rights; social media attempts to discredit the census and reduce cooperation; mimicry of the census forms or apps for purposes including phishing; city or district-level attempts to changes population numbers or distributions; large scale attempts to affect apportionment of the House of Representatives; individual mischief and anti-government protest.”

Not all of these threats are equally important.

“Non-organized fraud from random individuals (e.g. pet names listed as family members) is unlikely have any significant impact on the outcomes of the U.S. Census,” the JASONs said. And “individual mischief, for example, a response from Seymour Butts of 6 E. Psycho Path” is to be expected.

But large-scale, organized fraud could pose a threat to the integrity of the census, and the threshold for effectively manipulating the census process is surprisingly low.

“Occasionally, small numbers of census responses determine the loss or gain of seats in the U.S. House of Representatives. For example, in the 2000 U.S. Census, Utah fell only 80 persons short of gaining a congressional seat, which was instead allocated to North Carolina.”

The JASON report, prepared for the U.S. Census Bureau, included several technical and procedural recommendations to impede fraudulent activity, to facilitate its detection, and to mitigate its consequences.

“The goal of the 2020 Decennial Census is… to count every person, exactly once, onApril 1, 2020, by the geographical location within the U.S. where they ‘live and sleep most of the time’ (or a similar formulation). The total number of people thus counted is expected to be about 335 million.”

A copy of the JASON report was obtained by Secrecy News. See Respondent Validation for Non-ID Processing in the 2020 Decennial Census, November 2015.

GAO Posts Titles of Restricted Reports

Updated below

The Government Accountability Office this week quietly published a list of titles of its restricted reports that have not been publicly released because they contain classified information or controlled unclassified information.  A new link to “Restricted Products” appears at the bottom of the GAO homepage (under Reports & Testimonies).

“This list is intended to keep Congress, federal agencies, and the public informed of the existence of these products. The list consists of all such classified or controlled products issued since September 30, 2014 and will be updated each time a new report is issued,” the GAO webpage says.

“We did not issue a statement or announcement” concerning the new listing, said Timothy L. Minelli of GAO Congressional Relations.

A congressional staffer said the move was prompted by concerns expressed by some Members of Congress and staff that they were unaware of the restricted reports, since they had not been indexed or archived by GAO.

Publication of the titles of restricted GAO reports “was not necessarily universally desired by everyone in Congress,” the staffer said, and “it took about a year” to resolve the issue. But “GAO deserves a lot of credit. They decided it was the right thing to do, and they did it.”

Although primarily aimed at congressional consumers, the new webpage also serves to inform the public. GAO is not subject to the Freedom of Information Act, but will usually entertain requests for records anyway. However, GAO is not authorized to release information that has been classified or controlled by an executive branch agency.

There are several limitations to the new disclosure policy. It does not reflect restricted GAO reports that were generated prior to 2014. It will not cite titles that are themselves classified. And it will not include reports that focus on an individual intelligence agency.

“We excluded titles of products primarily focused on an element of the intelligence community to be consistent with the general practices of the IG [Inspector General] Offices within that IC community, who generally don’t post these titles,” said Mr. Minelli of GAO. “Only titles of products that that are primarily focused on an element of the IC won’t be listed, which we believe will be a very small number, likely less than a handful per year.”

“More common are GAO products that address activities/operations of IC elements in the context of a broader set of questions we are answering, and the titles of these products are being posted,” he said.

“Finally, in a number of cases and pending the classification and sensitivity reviews conducted by the appropriate agencies, GAO will follow its usual practice of trying to issue public versions of classified and sensitive-but-unclassified  products that have had classified and SBU material removed.  These reports are posted on our website and publicly available,” he said.

Update: A listing of GAO restricted report titles from 1971-2011 was obtained and published by, which also obtained copies of the first page of each GAO report issued prior to 1972 that remains classified.