June 25, 2017

Classified material in the public domain: what's a university to do?

Yesterday I posted some thoughts about Purdue University’s decision to destroy a video recording of my keynote address at its Dawn or Doom colloquium. The organizers had gone dark, and a promised public link was not forthcoming. After a couple of weeks of hoping to resolve the matter quietly, I did some digging and decided to write up what I learned. I posted on the web site of the Century Foundation, my main professional home:

It turns out that Purdue has wiped all copies of my video and slides from university servers, on grounds that I displayed classified documents briefly on screen. A breach report was filed with the university’s Research Information Assurance Officer, also known as the Site Security Officer, under the terms of Defense Department Operating Manual 5220.22-M. I am told that Purdue briefly considered, among other things, whether to destroy the projector I borrowed, lest contaminants remain.

I was, perhaps, naive, but pretty much all of that came as a real surprise.

Let’s rewind. Information Assurance? Site Security?

These are familiar terms elsewhere, but new to me in a university context. I learned that Purdue, like a number of its peers, has a “facility security clearance” to perform classified U.S. government research. The manual of regulations runs to 141 pages. (Its terms forbid uncleared trustees to ask about the work underway on their campus, but that’s a subject for another day.) The pertinent provision here, spelled out at length in a manual called Classified Information Spillage, requires “sanitization, physical removal, or destruction” of classified information discovered on unauthorized media.

Two things happened in rapid sequence around the time I told Purdue about my post.

First, the university broke a week-long silence and expressed a measure of regret:

UPDATE: Just after posting this item I received an email from Julie Rosa, who heads strategic communications for Purdue. She confirmed that Purdue wiped my video after consulting the Defense Security Service, but the university now believes it went too far.

“In an overreaction while attempting to comply with regulations, the video was ordered to be deleted instead of just blocking the piece of information in question. Just FYI: The conference organizers were not even aware that any of this had happened until well after the video was already gone.”

“I’m told we are attempting to recover the video, but I have not heard yet whether that is going to be possible. When I find out, I will let you know and we will, of course, provide a copy to you.”

Then Edward Snowden tweeted the link, and the Century Foundation’s web site melted down. It now redirects to Medium, where you can find the full story.

I have not heard back from Purdue today about recovery of the video. It is not clear to me how recovery is even possible, if Purdue followed Pentagon guidelines for secure destruction. Moreover, although the university seems to suggest it could have posted most of the video, it does not promise to do so now. Most importantly, the best that I can hope for here is that my remarks and slides will be made available in redacted form — with classified images removed, and some of my central points therefore missing. There would be one version of the talk for the few hundred people who were in the room on Sept. 24, and for however many watched the live stream, and another version left as the only record.

For our purposes here, the most notable questions have to do with academic freedom in the context of national security. How did a university come to “sanitize” a public lecture it had solicited, on the subject of NSA surveillance, from an author known to possess the Snowden documents? How could it profess to be shocked to find that spillage is going on at such a talk? The beginning of an answer came, I now see, in the question and answer period after my Purdue remarks. A post-doctoral research engineer stood up to ask whether the documents I had put on display were unclassified. “No,” I replied. “They’re classified still.” Eugene Spafford, a professor of computer science there, later attributed that concern to “junior security rangers” on the faculty and staff. But the display of Top Secret material, he said, “once noted, … is something that cannot be unnoted.”

Someone reported my answer to Purdue’s Research Information Assurance Officer, who reported in turn to Purdue’s representative at the Defense Security Service. By the terms of its Pentagon agreement, Purdue decided it was now obliged to wipe the video of my talk in its entirety. I regard this as a rather devout reading of the rules, which allowed Purdue to “realistically consider the potential harm that may result from compromise of spilled information.” The slides I showed had been viewed already by millions of people online. Even so, federal funding might be at stake for Purdue, and the notoriously vague terms of the Espionage Act hung over the decision. For most lawyers, “abundance of caution” would be the default choice. Certainly that kind of thinking is commonplace, and sometimes appropriate, in military and intelligence services.

But universities are not secret agencies. They cannot lightly wear the shackles of a National Industrial Security Program, as Purdue agreed to do. The values at their core, in principle and often in practice, are open inquiry and expression.

I do not claim I suffered any great harm when Purdue purged my remarks from its conference proceedings. I do not lack for publishers or public forums. But the next person whose talk is disappeared may have fewer resources.

More importantly, to my mind, Purdue has compromised its own independence and that of its students and faculty. It set an unhappy precedent, even if the people responsible thought they were merely following routine procedures.

One can criticize the university for its choices, and quite a few have since I published my post. What interests me is how nearly the results were foreordained once Purdue made itself eligible for Top Secret work.

Think of it as a classic case of mission creep. Purdue invited the secret-keepers of the Defense Security Service into one cloistered corner of campus (“a small but significant fraction” of research in certain fields, as the university counsel put it). The trustees accepted what may have seemed a limited burden, confined to the precincts of classified research.

Now the security apparatus claims jurisdiction over the campus (“facility”) at large. The university finds itself “sanitizing” a conference that has nothing to do with any government contract.

I am glad to see that Princeton takes the view that “[s]ecurity regulations and classification of information are at variance with the basic objectives of a University.” It does not permit faculty members to do classified work on campus, which avoids Purdue’s “facility” problem. And even so, at Princeton and elsewhere, there may be an undercurrent of self-censorship and informal restraint against the use of documents derived from unauthorized leaks.

Two of my best students nearly dropped a course I taught a few years back, called “Secrecy, Accountability and the National Security State,” when they learned the syllabus would include documents from Wikileaks. Both had security clearances, for summer jobs, and feared losing them. I told them I would put the documents on Blackboard, so they need not visit the Wikileaks site itself, but the readings were mandatory. Both, to their credit, stayed in the course. They did so against the advice of some of their mentors, including faculty members. The advice was purely practical. The U.S. government will not give a clear answer when asked whether this sort of exposure to published secrets will harm job prospects or future security clearances. Why take the risk?

Every student and scholar must decide for him- or herself, but I think universities should push back harder, and perhaps in concert. There is a treasure trove of primary documents in the archives made available by Snowden and Chelsea Manning. The government may wish otherwise, but that information is irretrievably in the public domain. Should a faculty member ignore the Snowden documents when designing a course on network security architecture? Should a student write a dissertation on modern U.S.-Saudi relations without consulting the numerous diplomatic cables on Wikileaks? To me, those would be abdications of the basic duty to seek out authoritative sources of knowledge, wherever they reside.

I would be interested to learn how others have grappled with these questions. I expect to write about them in my forthcoming book on surveillance, privacy and secrecy.

Comments

  1. I agree this is a pickle. So many overlapping policies and procedures, guidelines, security measures, etc. But u can’t just research or “investigate” a little and consider that a “thorough enough” job. That’s just ludicrus. It’s setting up some of the boldest & brightest, in their future & ours, 4 failure & discourages free & responsible thinking. Maybe that’s the whole point. Sorry. But I question everything. This definitely needs further looking into. Much.

  2. Many computer science students may be faced with a similar dilemma to the students you mention at the bottom of this article. Background checks have reacted to Snowden and Manning by asking stricter questions about viewing unauthorized documents, leaving each student to figure out what the correct course of action is regarding course material / lectures / discussion materials. How do you engage with the issues of the day without destroying future employability? I hope someone in the government is noticing the bright, eager, competent computer science students who might actually want to devote part of their careers to public service but are being turned away from government work by this “chilling effect.”

    • Joerg Karkosch says:

      Don’t worry about your future thinking of criminal or dumb people at management level. We will have much bigger problems as mankind as a whole.
      I remember one day in June 1989. A highranking politician of the former (and gone) GDR (German Democratic Republic) return from China. He state, that the protests mostly started off by students in Peking at the Tiananmen Square where driven by criminals that deserve to die. The killings conducted by the chinese government were the right answer to these people.
      So what to do as a student in the GDR? I studied mechanical engineering in the 4th year, ready to finish study 9 month later. Than I would have to find myself a job.
      Each louder protesting or argumenting or even a demo at the streets would destroy my future as an engineer – that’s for sure.
      Okay, I decided to just take a very large piece of paper (1m x 1,5m) and to write down a headline: “We demand state party to declare the murder of these students in Peking mass murder!” This paper I mounted to a wall in the main entrance of our faculty. About 80% of all students (some hundreds) signed in within 2 hours.
      Next day we had same main exams finishing this year of study. When the exams started 2 Stasi-guys showed up and took me to their headquarter for 9 hours of interrogation. I just missed the exams.
      I thought that I will be directed to jail or to an unskilled job forever. But it didn’t unfold this way. And before I finished my study the GDR broke down. The Berlin Wall came down.
      So don’t worry and take your stand. Be brave! …my hands are shanking remembering these days. Greeting from Germany. Joerg

      • So entirely correct and I applaud your integrity. We as citizens of the United States need not be afraid to stand up for what is right and plant feet firmly against what is clearly immoral abuse of governmental agencies. They want us to just keep quiet and be led like sheep to the slaughter. I agree with Snowden’s quote about evil. The only thing it takes for evil men to prevail is that good men do nothing. If we just turn and look the other way , we are just as guilty as those who initiated the evil. ‘We the People’ need to exercise our rights while we still have them.

  3. The classification rules are a bunch of baloney. They go much, much too far and end up hampering the researchers and folks who actually work with the material. How many hours at Purdue were wasted wondering just what was classified and whether it was leaked? The same thing goes on at NSA and CIA where they have special teams that put together special briefings that tell their employees just what they can say to family members at Thanksgiving. How many hours are wasted on these things?

    Enough.

  4. Joerg Karkosch says:

    This is blending up my mind. It’s grotesk and disgusting. Believe me – I am a German. We had 2 dictatorships: one fascist and one that was stalinistic at the beginning. For ordenary people it felt exactly the same. Your political system (speak: criminals corrupted by the military-industrial-financial complex) has gone far enough to deserve to be called fascitoid. Okay, I wasn’t just here (on that planet) when the Third Reich started off, but I studied this piece of history well.
    So don’t speak, don’t print, don’t show … (you know whom I speaking of – the Dark Lord Voldemord).
    Your country’s security DHS nightmare will collaps and be oversthrown.

  5. From here, far away (in Germany), it looks as if the USA are not anymore what they used to be (to write it mildly) = a free country and an idol for many other people in the world.
    Good that there are individuals inside the USA who try to keep the (former) freedom, against all the many secret services (NSA etc.), politicians, huge companies… . Thanks.

    • The US was never a free countey. That’s the dumbest pro-establishment propaganda one can imagine.

  6. Geoffrey de Galles says:

    In his 1978 memoir, Adventures of a Bystander, the maverick economist, political scientist, and journo Peter F. Drucker (* 1909) tells of how, some six or eight weeks after the Pearl Harbor attack in 1941, he took on a wartime job in Washington at an office where he found himself with a number of civilians like himself. Shortly thereafter they all received a visit from three uniformed individuals — and here I reproduce the last 1 1/2 paragraphs of Drucker’s book (p. 336): “… all three marched in. When they reached our office, the older man introduced himself as a colonel come to bring us a super-secret report — so secret that it could only be lent to us for a few days. After he had left, we opened with great trepidation the bundle he had brought and found a book inside: the first intelligence study of a European country. Then we read the opening sentence: “The Estonians are by nature monogamous,” and collapsed in laughter, none louder than the Estonian on our staff. —– One of the girls in the office who had been a commercial artist suggested that we inscribe this magnificent sentence in proper calligraphy on a sheet of paper and hang it over a badly discolored mildewy spot on the wall of the dilapidated room. Then we went back to our work — we had more urgent things to worry about than sex on the shores of the Baltic. A few days later the colonel came back to pick up the report. He chuckled when he saw our poster, then asked: “Where does this gem come from?” “It’s the opening sentence of the report you brought us the other day.” He turned white. “Take it down at once,” he said, “and shred it. It’s classified top secret.” — So, I regret to say, no paradigm shift here, Mr. Gellman. Not yet at any rate.

  7. herman_sampson says:

    The whole answer to this fiasco is by knowing who the president of Purdue is: Mitch Daniels, former budget director of W’s administration (during record deficits, preceeding the Great Reccession) and governor of Indiana, who in that office, selected the trustees of Purdue, who returned the favor after he left office.

  8. Carl Hansen says: