<nettime> Barton Gellman: Scholarship, Security and 'Spillage' on Campus

[nettime's_dependent_insecurity_researcher <nettime@kein.org>]

<https://medium.com/@tcfdotorg/scholarship-security-and-spillage-on-campus-15aa8fb8f38>

Scholarship, Security and 'Spillage' on Campus

By Barton Gellman

This article first appeared on The Century Foundation's website.

	[http://www.tcf.org/blog/detail/scholarship-security-and-spillage-on-campus]


This is an adventure in classified speech at an academic
conference. If you know a story like it on another campus, please
get in touch. Send an email[*] or use my secure contacts[*] for
greater privacy.

	[http://www.tcf.org/experts/detail/barton-gellman]
	[https://www.bartongellman.com/pgp]

On September 24 I gave a keynote presentation[*] at Purdue
University about the NSA, Edward Snowden, and national security
journalism in the age of surveillance. It was part of the
excellent Dawn or Doom colloquium, which I greatly enjoyed. The
organizers live-streamed my talk and promised to provide me with
a permalink to share.

	[http://eventmobi.com/dawnordoom/agenda/90674/605774]

After unexplained delays, I received a terse email from the
university last week. Upon advice of counsel, it said, Purdue
"will not be able to publish your particular video" and will not
be sending me a copy. The conference hosts, once warm and
hospitable, stopped replying to my emails and telephone calls. I
don't hold it against them. Very likely they are under lockdown
by spokesmen and lawyers.

Naturally, all this piqued my curiosity. With the help of my
colleague Sam Adler-Bell,[*] I think I have pieced together most
of the story.

	[http://www.tcf.org/experts/detail/sam-adler-bell]

It turns out that Purdue has wiped all copies of my video and
slides from university servers, on grounds that I displayed
classified documents briefly on screen. A breach report was filed
with the university's Research Information Assurance Officer,
also known as the Site Security Officer, under the terms of
Defense Department Operating Manual 5220.22-M.[*] I am told that
Purdue briefly considered, among other things, whether to destroy
the projector I borrowed, lest contaminants remain.

	[http://www.dss.mil/documents/odaa/nispom2006-5220.pdf]

UPDATE: Just after posting this item I received an email from
Julie Rosa, who heads strategic communications for Purdue. She
confirmed that Purdue wiped my video after consulting the Defense
Security Service, but the university now believes it went too far.

	"In an overreaction while attempting to comply with regulations,
	the video was ordered to be deleted instead of just blocking the
	piece of information in question. Just FYI: The conference
	organizers were not even aware that any of this had happened
	until well after the video was already gone."

	"I'm told we are attempting to recover the video, but I have not
	heard yet whether that is going to be possible. When I find out,
	I will let you know and we will, of course, provide a copy to
	you."

Let's rewind. Information Assurance? Site Security?

These are familiar terms elsewhere, but new to me in a university
context. I learned that Purdue, like a number of its peers, has a
"facility security clearance" to perform classified U.S.
government research. The manual of regulations runs to 141 pages.
(Its terms[*] forbid uncleared trustees to ask about the work
underway on their campus, but that's a subject for another day.)
The pertinent provision here, spelled out at length in a manual
called Classified Information Spillage,[*] requires
"sanitization, physical removal, or destruction" of classified
information discovered on unauthorized media.
	[http://www.purdue.edu/bot/meeting-documents/2014/july/stated/sr.managerial%20group.pdf]
	[https://www.fas.org/sgp/library/cnssp-18.pdf]

If I had the spider sense that we journalists like to claim, I
might have seen trouble coming. One of the first questions in the
Q & A that followed my talk was:

"In the presentation you just gave, you were showing documents
that were TS/SCI [top secret, sensitive compartmented
information] and things like that. Since documents started to
become published, has the NSA issued a declass order for that?"

I took the opportunity to explain the government's dilemmas when
classified information becomes available to anyone with an
internet connection. I replied:

"These documents, by and large, are still classified. And in many
cases, if you work for the government and you have clearance,
you're not allowed to go look at them…"

"Now, it's perfectly rational for them to say, we're not going to
declassify everything that gets leaked because otherwise we're
letting someone else decide what's classified and what's not. But
it gets them wound up in pretty bad knots."

By way of example, I mentioned that the NSA, CIA, and Office of
the Director of National Intelligence "have steadfastly refused
to give me a secure channel to communicate with them" about the
Snowden leaks. Bound by rules against mingling classified and
unclassified communications networks, they will not accept, for
example, encrypted emails from me that discuss Top Secret
material. In service of secrecy rules, they resort to elliptical
conversation on open telephone lines.

My remarks did not answer the question precisely enough for one
post-doctoral research engineer. He stood, politely, to nail the
matter down.

"Were the documents you showed tonight unclassified?" he asked.

"No. They're classified still," I replied.

"Thank you," he said, and resumed his seat.

Eugene Spafford, a Purdue professor of computer science who has
held high clearances himself, wrote to me afterward: "We have a
number of 'junior security rangers' on faculty & staff who tend
to be 'by the book.' Unfortunately, once noted, that is something
that cannot be unnoted."

Sure enough, someone filed a report with the above-mentioned
Information Assurance Officer, who reported in turn to Purdue's
representative at the Defense Security Service. By the terms of
its Pentagon agreement, Purdue was officially obliged to be
_shocked to find that spillage is going on_ at a talk about
Snowden and the NSA. Three secret slides, covering perhaps five
of my ninety minutes on stage, required that video be wiped in
its entirety.

This was, I think, a rather devout reading of the rules. (Taken
literally, the rules say Purdue should also have notified the
FBI. I do not know whether that happened.) A more experienced
legal and security team might have taken a deep breath and
applied the official guidance to "realistically consider the
potential harm that may result from compromise of spilled
information."

Or perhaps not. Yes, the images I displayed had been viewed
already by millions of people online.[*] Even so, federal funding
might be at stake for Purdue, and the notoriously vague terms[*]
of the Espionage Act hung over the decision. For most lawyers,
"abundance of caution" would be the default choice.

	[https://www.washingtonpost.com/people/barton-gellman]
	[http://fas.org/irp/congress/2012_hr/071112sales.pdf]

This kind of zeal is commonplace in the military and intelligence
services. They have periodically forbidden personnel[*] -- and
even their families -- to visit mainstream sites such as the
Washington Post and the New York Times for fear of exposure to
documents from Snowden or Wikileaks.

	[http://www.huffingtonpost.com/2010/08/05/us-military-banned-from-v_n_671967.html]
	[http://www.wired.com/2011/02/air-force-its-illegal-for-your-kids-to-read-wikileaks/]

But universities are not secret agencies. They cannot lightly
wear the shackles of a National Industrial Security Program,[*]
as Purdue agreed to do. The values at their core, in principle
and often in practice, are open inquiry and expression.

	[http://www.dss.mil/isp/index.html]

I do not claim I suffered any great harm when Purdue purged my
remarks from its conference proceedings. I do not lack for
publishers or public forums. But the next person whose talk is
disappeared may have fewer resources.

More importantly, to my mind, Purdue has compromised its own
independence and that of its students and faculty. It set an
unhappy precedent, even if the people responsible thought they
were merely following routine procedures.

Think of it as a classic case of mission creep. Purdue invited
the secret-keepers of the Defense Security Service into one
cloistered corner of campus ("a small but significant fraction"
of research in certain fields, as the university counsel put
it[*]). The trustees accepted what may have seemed a limited
burden, confined to the precincts of classified research.
	[https://www.purdue.edu/bot/meeting-documents/2014/july/stated/sr.managerial%20group.pdf]

Now the security apparatus claims jurisdiction over the campus
("facility") at large. The university finds itself "sanitizing" a
conference that has nothing to do with any government contract.
Where does it stop? Suppose a professor wants to teach a network
security course, or a student wants to write a foreign policy
paper, that draws on the rich public record made available by
Snowden and Chelsea Manning? Those cases will be hard to
distinguish from mine.

If the faculty and trustees are comfortable with this
arrangement, I honestly do not know how.

Some are not, I discovered.

"There is a fundamental conflict between the role of the
university and the application of the [facility clearance]
rules," Spafford told me. "I'm not sure if the university is
taking them too far, or if the rules are too constraining and
they didn't understand what they were getting into."

Before writing this post, I reached out to a vice president and
other senior figures I met on campus. I hoped to find that there
had been some mistake. I received no reply.

Then I left word for Mitch Daniels, the former Indiana governor
who became Purdue's president two years ago. Daniels had
introduced my talk and asked me to speak again for guests at a
dinner he held that night. He was a delightful, well-read and
open-minded host, but he has not returned my messages either. I
sent one last note, detailing my main points here, to Purdue's
assistant vice president for strategic communications. I'll
update with her reply if she sends one.

The irony is that the Dawn or Doom colloquium was Daniels's own
personal project. Two of the organizers told me he is fascinated
by the contradictory responses -- from celebration to
alarm -- that tend to accompany big technological advances. He
proposed to convene Purdue faculty members and leading national
experts to explore the risks and promises of artificial
intelligence, robotics, and Big Data surveillance,[*] among other
developments.

	[http://eventmobi.com/dawnordoom/agenda/90674/groups/139407]

In his own view, Dawn or Doom is not a hard question. Daniels and
I chatted about that theme as we stood in the wings off stage,
shortly before my talk.

"The answer always turns out to be, it's dawn," he said.

I wonder.

Postscript: Someone is bound to suggest I post the Purdue talk
here. I wish I could, but I did not write it out. Nor are the
slides self-explanatory. Most of them are just amusing images,
intended to make my remarks sound wittier than they probably are.
On the other hand: If you have a samizdat copy of the video,
please send it my way. I'll be glad to publish it.

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org